Compare commits

27 Commits
82.0 ... 84.0

Author SHA1 Message Date
27dd6aa62d 84 final 2021-01-05 13:13:52 +00:00
c570e4fdbd Update troubleshooter.js 2020-12-30 15:12:07 +00:00
da58f84fa6 Update troubleshooter.js 2020-12-30 15:06:49 +00:00
755a45505f snippets providers
`browser.newtabpage.activity-stream.asrouter.providers.snippets`

These (which landed in FF64 with snippets above) are not in the user.js, so why bother with the snippet one
- `browser.newtabpage.activity-stream.asrouter.providers.cfr`
- `browser.newtabpage.activity-stream.asrouter.providers.onboarding`

also these aren't in the user.js
- `browser.newtabpage.activity-stream.asrouter.providers.cfr-fxa`
- `browser.newtabpage.activity-stream.asrouter.providers.message-groups`
- `browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments`
- `browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel`

There are no privacy concerns here. At the end of the day, what Firefox connects to and sends is E2EE and only used locally in non-web content: and you have other prefs and a UI to disable them from being displayed
2020-12-30 10:25:26 +00:00
9d74cb9526 remove useless snippet pref 2020-12-30 10:17:35 +00:00
8c9d0bbe72 harden cross-domain referers, closes #1077 2020-12-27 05:01:33 +00:00
0152b38b8b add override recipes link to readme steps 2020-12-25 16:06:32 +00:00
e6cf90146a add override recipes 2020-12-25 15:55:01 +00:00
63d1258f2e updater.sh v2.9
rollout the latest changes
2020-12-25 14:03:40 +00:00
46bab27f94 updater.sh: support custom script names (#1075)
thanks @ray851107
2020-12-25 14:02:35 +00:00
2cfbba1472 search-to-tab: FF85+ 2020-12-19 07:23:13 +00:00
c980bda695 Update troubleshooter.js
oops
2020-12-16 14:43:46 +00:00
feaa1c3e99 prefs update
`browser.storageManager.enabled` -- removed in FF61 (1428306)
`security.csp.experimentalEnabled` -- removed in FF68 (1386214)
`gfx.downloadable_fonts.woff2.enabled` -- removed in FF69 (1556991)
`plugin.sessionPermissionNow.intervalInMinutes` -- removed in FF70 (1581664)
`plugin.defaultXpi.state` -- removed in FF72 (1596090)
`geo.wifi.uri` -- renamed to `geo.provider.network.url` in FF74 (1613627)
`browser.tabs.remote.allowLinkedWebInFileUriProcess` -- removed in FF77 (1603007)
2020-12-16 14:40:42 +00:00
aa1c2145bb layout.css.visited_links_enabled 2020-12-09 09:30:21 +00:00
335ee84540 remove layout.css.visited_links_enabled, #933
This no longer has any effect since FF77+: see https://bugzilla.mozilla.org/1632765
2020-12-09 09:26:50 +00:00
5c37d50f4e tidy
- remove useless `see` word for reference links
- fixup 0701
   - "do not play nice" is not measurable
   - don't reference to self as a source: people can just search "VPN leak Ipv6" or something
2020-12-07 19:34:14 +00:00
77abf35761 tidy
- shrink and remove outdated info from section 0300 header
- combine some bugzillas
- drop some references
   - 1647829 for HTTPS-Only mode
   - hardware metrics: not going to implicitly encourage users to use this pref or tell them what sizes to use
- update [STATS]
   - also remove TLS [STATS].. stats on TLS 1.0 and 1.1 are irrelevant: the default is now TLS 1.2+
- single CRLite reference for all blog articles
- save 588 bytes so all you bastards can theoretically load Firefox just that tiny bit faster
2020-12-06 21:09:07 +00:00
fa85c9da5b fixup double word 2020-11-23 10:46:30 +00:00
cf53982086 1244: CRLite, closes #1065 2020-11-22 18:15:25 +00:00
91cbc1e09a HTTPS-Only mode, closes #1047 2020-11-22 17:59:44 +00:00
a7e4268d8b 2730 appCache, closes #1055 2020-11-22 17:25:33 +00:00
699eacf1fd add FPI scheme, closes #1066 (#1067) 2020-11-22 17:21:31 +00:00
0189438e46 start 84-alpha 2020-11-22 17:11:31 +00:00
94712f59a3 83 final 2020-11-22 17:05:34 +00:00
ef93a754ce warnings always come after notes 2020-11-21 01:49:19 +00:00
c6ddda1aa3 Update troubleshooter.js
- add `privacy.window.name.update.enabled`
- remove `media.autoplay.enabled` (removed in FF63)
- remove `dom.indexedDB.enabled` (removed in FF72)
2020-11-17 19:17:59 +00:00
ccbca41e2d start 83 alpha, fixup 1244 setting info
`browser.preferences.exposeHTTPSOnly` is now default true
2020-11-13 01:03:29 +00:00
5 changed files with 96 additions and 88 deletions

@ -15,6 +15,7 @@ Before you proceed...
- Note: We do not support forks
See also:
- Override Recipes [issue 1080](https://github.com/arkenfox/user.js/issues/1080)
- Extension breakage due to prefs [issue 391](https://github.com/arkenfox/user.js/issues/391)
- Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts [issue 350](https://github.com/arkenfox/user.js/issues/350)

@ -1,7 +1,7 @@
/***
This will reset the preferences that have been removed completely from the arkenfox user.js.
Last updated: 02-Nov-2020
Last updated: 30-Dec-2020
For instructions see:
https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -229,6 +229,9 @@
'privacy.partition.network_state',
'security.ssl3.dhe_rsa_aes_128_sha',
'security.ssl3.dhe_rsa_aes_256_sha',
/* 84-beta */
'browser.newtabpage.activity-stream.asrouter.providers.snippets',
'layout.css.visited_links_enabled',
/* reset parrot: check your open about:config after running the script */
'_user.js.parrot'
]

@ -1,5 +1,5 @@
/*** arkenfox user.js troubleshooter.js v1.6.2 ***/
/*** arkenfox user.js troubleshooter.js v1.6.3 ***/
(function() {
@ -17,9 +17,7 @@
/* Storage + Cache */
'browser.cache.offline.enable',
'dom.indexedDB.enabled',
'dom.storage.enabled',
'browser.storageManager.enabled',
'dom.storageManager.enabled',
/* Workers, Web + Push Notifications */
@ -34,7 +32,6 @@
/* Fonts */
'browser.display.use_document_fonts',
'font.blacklist.underline_offset',
'gfx.downloadable_fonts.woff2.enabled',
'gfx.font_rendering.graphite.enabled',
'gfx.font_rendering.opentype_svg.enabled',
'layout.css.font-loading-api.enabled',
@ -47,12 +44,10 @@
'dom.IntersectionObserver.enabled',
'dom.popup_allowed_events',
'full-screen-api.enabled',
'geo.wifi.uri',
'intl.accept_languages',
'javascript.options.asmjs',
'javascript.options.wasm',
'permissions.default.shortcuts',
'security.csp.experimentalEnabled',
/* Hardware */
'dom.vr.enabled',
@ -60,7 +55,6 @@
/* Audio + Video */
'dom.webaudio.enabled',
'media.autoplay.enabled',
'media.autoplay.default', // FF63+
'media.autoplay.blocking_policy', // FF78+
@ -89,13 +83,11 @@
/* Plugins + Flash */
'plugin.default.state',
'plugin.defaultXpi.state',
'plugin.sessionPermissionNow.intervalInMinutes',
'plugin.state.flash',
/* unlikely to cause problems */
'browser.tabs.remote.allowLinkedWebInFileUriProcess',
'dom.popup_maximum',
'geo.provider.network.url',
'layout.css.visited_links_enabled',
'mathml.disabled',
'network.auth.subresource-http-auth-allow',
@ -103,6 +95,7 @@
'network.protocol-handler.external.ms-windows-store',
'privacy.trackingprotection.enabled',
'security.data_uri.block_toplevel_data_uri_navigations',
'privacy.window.name.update.enabled', // FF82+
'last.one.without.comma'
]
@ -168,8 +161,8 @@
reapply(aALL);
myreset(aTmp.slice(0, _h(aTmp)));
while (aTmp.length) {
alert("NOW TEST AGAIN !");
if (confirm("if the problem still exists click OK, otherwise click cancel.")) {
alert('NOW TEST AGAIN !');
if (confirm('if the problem still exists click OK, otherwise click Cancel.')) {
aTmp = aTmp.slice(_h(aTmp));
} else {
aTmp = aTmp.slice(0, _h(aTmp));
@ -183,16 +176,16 @@
if (aDbg.length == 1) return alert("narrowed it down to:\n\n"+aDbg[0].name+"\n");
if (aDbg.length == aALL.length) {
let msg = "Failed to narrow it down beyond the initial "+aALL.length+" prefs. The problem is most likely caused by at least 2 prefs!\n\n";
msg += "Either those prefs are too far apart in the list or there are exactly 2 culprits and they just happen to be at the wrong place.\n\n";
msg += "In case it's the latter, the script can add a dummy pref and you can try again - Try again?";
const msg = "Failed to narrow it down beyond the initial "+aALL.length+" prefs. The problem is most likely caused by at least 2 prefs!\n\n" +
"Either those prefs are too far apart in the list or there are exactly 2 culprits and they just happen to be at the wrong place.\n\n" +
"In case it's the latter, the script can add a dummy pref and you can try again - Try again?";
if (confirm(msg)) return _main([...aALL, oFILLER]);
} else if (aDbg.length > 10 && confirm("Narrowed it down to "+aDbg.length+" prefs. Try narrowing it down further?")) {
return _main(aDbg.reverse());
}
alert("Narrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
console.log("The problem is caused by 2 or more of these prefs:");
console.log('The problem is caused by 2 or more of these prefs:');
for (const oPref of aDbg) console.log(oPref.name);
}
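Review bot: Quote style is mixed in the lines this hunk touches: the `console.log('The problem is caused by 2 or more of these prefs:')` line moves to single quotes, while the rebuilt `const msg` and the neighbouring `alert(...)` and `confirm(...)` calls stay double-quoted. Pick one convention for the whole block so the next cleanup does not have to revisit it. The switch from `let msg` with `+=` to a single `const msg` expression is fine.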
@ -201,14 +194,18 @@
const aBAK = getMyList(aPREFS);
//console.log(aBAK.length, "user-set prefs from our list detected and their values stored.");
const sMsg = "all detected prefs reset.\n\n" +
"!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\n" +
"IF the problem still exists, this script can't help you - click Cancel to re-apply your values and exit.\n\n" +
"Click OK if your problem is fixed.";
focus();
myreset(aBAK);
if (!confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
if (!confirm(sMsg)) {
reapply(aBAK);
return;
}
_main(aBAK);
})();

@ -2,7 +2,7 @@
## arkenfox user.js updater for macOS and Linux
## version: 2.8
## version: 2.9
## Author: Pat Johnson (@overdodactyl)
## Additional contributors: @earthlng, @ema-pe, @claustromaniac
@ -10,9 +10,9 @@
readonly CURRDIR=$(pwd)
sfp=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
[ -z "$sfp" ] && sfp=${BASH_SOURCE[0]}
readonly SCRIPT_DIR=$(dirname "${sfp}")
SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
[ -z "$SCRIPT_FILE" ] && SCRIPT_FILE=${BASH_SOURCE[0]}
readonly SCRIPT_DIR=$(dirname "${SCRIPT_FILE}")
#########################
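Review bot: `SCRIPT_FILE` is left writable and may be relative. `SCRIPT_DIR` is declared `readonly`, but `SCRIPT_FILE` is a plain assignment, and when both `readlink -f` and `greadlink -f` fail it falls back to `${BASH_SOURCE[0]}`, which is whatever path the script was invoked with. If the script changes directory before `update_updater` runs, a relative `SCRIPT_FILE` then names a different file when it is used as the `mv` target and the path to execute. Suggest resolving the fallback against `$CURRDIR` and declaring `readonly SCRIPT_FILE` once it is set.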
@ -198,7 +198,7 @@ update_updater () {
declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')"
[ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed
if [[ $(get_updater_version "${SCRIPT_DIR}/updater.sh") < $(get_updater_version "${tmpfile}") ]]; then
if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]; then
if [ $UPDATE = 'check' ]; then
echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}"
read -p "" -n 1 -r
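Review bot: The version check on the `if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]` line still uses `<` inside `[[ ]]`, which compares strings lexicographically, not numerically. Assuming `get_updater_version` returns the value of the `## version:` header, this release takes the script to 2.9, and a later 2.10 would sort below 2.9: installed 2.9 copies would never see it as newer, and a 2.10 copy would treat 2.9 as an upgrade. Suggest splitting on the dot and comparing the parts as integers. The unquoted `$UPDATE` in `[ $UPDATE = 'check' ]` on the next line should also be quoted so an empty value does not produce a test syntax error.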
@ -208,9 +208,9 @@ update_updater () {
else
return 0 # No update available
fi
mv "${tmpfile}" "${SCRIPT_DIR}/updater.sh"
chmod u+x "${SCRIPT_DIR}/updater.sh"
"${SCRIPT_DIR}/updater.sh" "$@" -d
mv "${tmpfile}" "$SCRIPT_FILE"
chmod u+x "$SCRIPT_FILE"
"$SCRIPT_FILE" "$@" -d
exit 0
}
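Review bot: The replacement steps `mv "${tmpfile}" "$SCRIPT_FILE"`, `chmod u+x "$SCRIPT_FILE"` and `"$SCRIPT_FILE" "$@" -d` run unconditionally one after another. If the `mv` fails (read-only directory, wrong ownership), the old script is still re-run with `-d` and the function goes on to `exit 0` as though the update had been applied. Chain the three with `&&` and return non-zero when any of them fails. The file fetched from raw.githubusercontent.com is executed as downloaded, so the HTTPS fetch is the only integrity control in this path; that is worth stating in the script header so users know what they are trusting.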

user.js

@ -1,7 +1,7 @@
/******
* name: arkenfox user.js
* date: 12 Nov 2020
* version 82
* date: 05 Jan 2021
* version 84
* url: https://github.com/arkenfox/user.js
* license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
@ -25,6 +25,7 @@
[SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related)
[SETUP-PERF] may impact performance
[WARNING] used sparingly, heed them
6. Override Recipes: https://github.com/arkenfox/user.js/issues/1080
* RELEASES: https://github.com/arkenfox/user.js/releases
@ -34,6 +35,7 @@
- re-enable section 4600 if you don't use RFP
ESR78
- If you are not using arkenfox v78... (not a definitive list)
- 1244: HTTPS-Only mode is enabled
- 1401: document fonts is inactive as it is now covered by RFP in FF80+
- 4600: some prefs may apply even if you use RFP (currently none apply as of FF84)
- 9999: switch the appropriate deprecated section(s) back on
@ -114,7 +116,6 @@ user_pref("browser.newtabpage.activity-stream.telemetry", false);
* Runs code received from a server (aka Remote Code Execution) and sends information back to a metrics server
* [1] https://abouthome-snippets-service.readthedocs.io/ ***/
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}");
/* 0105c: disable Activity Stream Top Stories, Pocket-based and/or sponsored content ***/
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
@ -171,19 +172,17 @@ user_pref("browser.region.update.enabled", false); // [[FF79+]
* [TEST] https://addons.mozilla.org/about ***/
user_pref("intl.accept_languages", "en-US, en");
/* 0211: enforce US English locale regardless of the system locale
* [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages, see [2]
* [1] https://bugzilla.mozilla.org/867501
* [2] https://bugzilla.mozilla.org/1629630 ***/
* [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
/*** [SECTION 0300]: QUIET FOX
Starting in user.js v67, we only disable the auto-INSTALL of Firefox. You still get prompts
to update, in one click. We have NEVER disabled auto-CHECKING, and highly discourage that.
Previously we also disabled auto-INSTALLING of extensions (302b).
We only disable the auto-INSTALL of Firefox (app) updates. You still get prompts to update,
and it only takes one click. We highly discourage disabling auto-CHECKING for updates.
There are many legitimate reasons to turn off auto-INSTALLS, including hijacked or monetized
extensions, time constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is
still important to do updates for security reasons, please do so manually if you make changes.
Legitimate reasons to disable auto-INSTALLS include hijacked/monetized extensions, time
constraints, legacy issues, dev/testing, and fear of breakage/bugs. It is still important
to do updates for security reasons, please do so manually if you make changes.
***/
user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
/* 0301b: disable auto-CHECKING for extension and theme updates ***/
@ -216,11 +215,11 @@ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
* IF unified=true then .enabled ONLY controls whether to record extended data
* so make sure to have both set as false
* [NOTE] FF58+ 'toolkit.telemetry.enabled' is now LOCKED to reflect prerelease
* or release builds (true and false respectively), see [2]
* or release builds (true and false respectively) [2]
* [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
* [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
user_pref("toolkit.telemetry.enabled", false); // see [NOTE]
user_pref("toolkit.telemetry.server", "data:,");
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
@ -303,7 +302,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", "");
* [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/
// user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
// user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
/* 0419: disable 'ignore this warning' on SB warnings
/* 0419: disable 'ignore this warning' on SB warnings [FF45+]
* If clicked, it bypasses the block for that session. This is a means for admins to enforce SB
* [TEST] see github wiki APPENDIX A: Test Sites: Section 5
* [1] https://bugzilla.mozilla.org/1226490 ***/
@ -377,16 +376,15 @@ user_pref("browser.send_pings.require_same_host", true); // defense-in-depth
/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
/* 0701: disable IPv6
* IPv6 can be abused, especially with MAC addresses, and they do not play nice with VPNs. That's
* even assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4
* [STATS] Firefox telemetry (June 2020) shows only 5% of all connections are IPv6
* IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even
* assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4
* [STATS] Firefox telemetry (Dec 2020) shows ~8% of all connections are IPv6
* [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an
* OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
* then this won't make much difference. If you are masking your IP, then it can only help.
* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
* [TEST] https://ipleak.org/
* [1] https://github.com/arkenfox/user.js/issues/437#issuecomment-403740626
* [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
* [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
user_pref("network.dns.disableIPv6", true);
/* 0702: disable HTTP2
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
@ -457,14 +455,6 @@ user_pref("keyword.enabled", false);
user_pref("browser.fixup.alternate.enabled", false);
/* 0803: display all parts of the url in the location bar ***/
user_pref("browser.urlbar.trimURLs", false);
/* 0805: disable coloring of visited links - CSS history leak
* [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's
* only in 'certain circumstances', also see latest comments in [2]
* [TEST] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
* [1] https://dbaron.org/mozilla/visited-privacy
* [2] https://bugzilla.mozilla.org/147777
* [3] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector ***/
user_pref("layout.css.visited_links_enabled", false);
/* 0807: disable live search suggestions
/* [NOTE] Both must be true for the location bar to work
* [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine
@ -485,6 +475,10 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
// user_pref("browser.urlbar.suggest.bookmark", false);
// user_pref("browser.urlbar.suggest.openpage", false);
// user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
/* 0850b: disable tab-to-search [FF85+]
* Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
// user_pref("browser.urlbar.suggest.engines", false);
/* 0850c: disable location bar dropdown
* This value controls the total number of entries to appear in the location bar dropdown
* [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always
@ -497,7 +491,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
* [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
// user_pref("browser.urlbar.autoFill", false);
/* 0860: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties, see [1] [2]
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (see 2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
@ -594,7 +588,7 @@ user_pref("browser.sessionstore.privacy_level", 2);
/* 1022: disable resuming session from crash ***/
// user_pref("browser.sessionstore.resume_from_crash", false);
/* 1023: set the minimum interval between session save operations
* Increasing this can help on older machines and some websites, as well as reducing writes, see [1]
* Increasing this can help on older machines and some websites, as well as reducing writes [1]
* Default is 15000 (15 secs). Try 30000 (30 secs), 60000 (1 min) etc
* [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature:
* i.e. the longer the interval the more chance a quick tab open/close won't be captured.
@ -641,7 +635,6 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
user_pref("security.ssl.require_safe_negotiation", true);
/* 1202: control TLS versions with min and max
* 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
* [STATS] Firefox telemetry (June 2020) shows only 0.16% of SSL handshakes use 1.0 or 1.1
* [WARNING] Leave these at default, otherwise you alter your TLS fingerprint.
* [1] https://www.ssllabs.com/ssl-pulse/ ***/
// user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
@ -716,6 +709,12 @@ user_pref("security.family_safety.mode", 0);
* by inspecting ALL your web traffic, then leave at current default=1
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/
user_pref("security.cert_pinning.enforcement_level", 2);
/* 1224: enforce CRLite [FF73+]
* In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985
* [2] https://blog.mozilla.org/security/tag/crlite/ ***/
user_pref("security.remote_settings.crlite_filters.enabled", true);
user_pref("security.pki.crlite_mode", 2);
/** MIXED CONTENT ***/
/* 1240: enforce no insecure active content on https pages
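Review bot: 1224 sets `security.pki.crlite_mode` to 2 without saying what the possible values mean, unlike 1202 and 1603, which list theirs. The description only covers mode 2 in FF84+ ("doesn't fall back to OCSP") while the item is tagged [FF73+], so readers on FF73 to FF83 or on ESR78 cannot tell what the setting does for them. Suggest adding a value legend to the comment and, if behaviour differs on ESR78, a 1224 line in the ESR78 notes at the top of the file next to the new 1244 entry.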
@ -728,14 +727,21 @@ user_pref("security.mixed_content.block_display_content", true);
user_pref("security.mixed_content.block_object_subrequest", true);
/* 1244: enable HTTPS-Only mode [FF76+]
* When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored
* [WARNING] This is experimental [1] and you can't set exceptions if FPI is enabled [2] (fixed in FF83)
* [SETTING] to add site exceptions: Page Info>Permissions>Use insecure HTTP (FF80+)
* [SETTING] Privacy & Security>HTTPS-Only Mode (FF80+ with browser.preferences.exposeHTTPSOnly = true)
* [1] https://bugzilla.mozilla.org/1613063 [META]
* [2] https://bugzilla.mozilla.org/1647829 ***/
// user_pref("dom.security.https_only_mode", true); // [FF76+]
* [SETTING] to add site exceptions: Page Info>HTTPS-Only mode>On/Off/Off temporarily
* [SETTING] Privacy & Security>HTTPS-Only Mode
* [TEST] http://example.com [upgrade]
* [TEST] http://neverssl.org/ [no upgrade]
* [1] https://bugzilla.mozilla.org/1613063 [META] ***/
user_pref("dom.security.https_only_mode", true); // [FF76+]
// user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
// user_pref("dom.security.https_only_mode.upgrade_local", true); // [FF77+]
/* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
// user_pref("dom.security.https_only_mode.upgrade_local", true);
/* 1246: disable HTTP background requests [FF82+]
* When attempting to upgrade, if the server doesn't respond within 3 seconds, firefox
* sends HTTP requests in order to check if the server supports HTTPS or not.
* This is done to avoid waiting for a timeout which takes 90 seconds
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
user_pref("dom.security.https_only_mode_send_http_background_request", false);
/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro]
* These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1])
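Review bot: 1246 explains why Firefox sends the background HTTP request (to avoid the 90 second timeout) but not what the user gives up by setting `dom.security.https_only_mode_send_http_background_request` to false. By the comment's own description, a site that never answers over HTTPS will now leave the user waiting for that timeout, so the item should carry a [SETUP-WEB] tag saying so, along with the reason for preferring the wait (no plaintext request leaves the browser). Separately, 1244 goes from inactive to active in this hunk while the old [WARNING] line is dropped; since 4003 in this same diff says HTTPS-Only exceptions may not work with `privacy.firstparty.isolate.use_site`, a pointer from 1244 to 4003 would keep the two consistent.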
@ -760,7 +766,7 @@ user_pref("security.mixed_content.block_object_subrequest", true);
/** UI (User Interface) ***/
/* 1270: display warning on the padlock for "broken security" (if 1201 is false)
* Bug: warning padlock not indicated for subresources on a secure page! [2]
* [STATS] SSL Labs (June 2020) reports 98.8% of sites have secure renegotiation [3]
* [STATS] SSL Labs (Dec 2020) reports 99.0% of sites have secure renegotiation [3]
* [1] https://wiki.mozilla.org/Security:Renegotiation
* [2] https://bugzilla.mozilla.org/1353705
* [3] https://www.ssllabs.com/ssl-pulse/ ***/
@ -794,24 +800,21 @@ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1408: disable graphite
* Graphite has had many critical security issues in the past, see [1]
* Graphite has had many critical security issues in the past [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
* [2] https://en.wikipedia.org/wiki/Graphite_(SIL) ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed
* [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618)
* [NOTE] In FF81+ the whitelist **overrides** RFP's font visibility (see 4618)
* [WARNING] **DO NOT USE**: in FF80+ RFP covers this, and non-RFP users should use font vis (4618)
* [1] https://bugzilla.mozilla.org/1121643 ***/
// user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
/*** [SECTION 1600]: HEADERS / REFERERS
Only *cross domain* referers need controlling: leave 1601, 1602, 1605 and 1606 alone
---
harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below)
harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage
---
If you want any REAL control over referers and breakage, then use an extension
Expect some breakage: Use an extension if you need precise control
---
full URI: https://example.com:8888/foo/bar.html?id=1234
scheme+host+port+path: https://example.com:8888/foo/bar.html
@ -822,17 +825,17 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
/* 1601: ALL: control when images/links send a referer
* 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
// user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2]
// user_pref("network.http.sendRefererHeader", 2);
/* 1602: ALL: control the amount of information to send
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
// user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0]
// user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer
* 0=always (default), 1=only if base domains match, 2=only if hosts match
* [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/
user_pref("network.http.referer.XOriginPolicy", 1);
user_pref("network.http.referer.XOriginPolicy", 2);
/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 0); // [DEFAULT: 0]
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
/* 1605: ALL: disable spoofing a referer
* [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
* (Cross-Site Request Forgery) protections that some sites may rely on ***/
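Review bot: 1603 moves `network.http.referer.XOriginPolicy` from 1 to 2, but its [SETUP-WEB] line is unchanged and still describes the breakage seen with base-domain matching. With host matching, requests between sibling subdomains of the same site also lose the referer, so breakage is wider than before and the note should say that. With 1603 at 2, the `XOriginTrimmingPolicy` value of 2 in 1604 only applies to the cross-origin requests that still pass the host check; mark it `// defense-in-depth`, as the file does for `browser.send_pings.require_same_host`, instead of leaving the line bare where `// [DEFAULT: 0]` used to be. Dropping `// [DEFAULT: 2]` and `// [DEFAULT: 0]` from 1601 and 1602 is fine because the value legends already say "(default)".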
@ -903,7 +906,7 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
* [1] https://www.privacytools.io/#webrtc ***/
user_pref("media.peerconnection.enabled", false);
/* 2002: limit WebRTC IP leaks if using WebRTC
* In FF70+ these settings match Mode 4 (Mode 3 in older versions), see [3]
* In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3]
* [TEST] https://browserleaks.com/webrtc
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
* [2] https://wiki.mozilla.org/Media/WebRTC/Privacy
@ -1022,7 +1025,7 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!
* [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
* This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
* [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
* is default false) then enabling this pref can leak clipboard content, see [1]
* is default false) then enabling this pref can leak clipboard content [1]
* [1] https://bugzilla.mozilla.org/1528289 */
// user_pref("dom.event.clipboardevents.enabled", false);
/* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
@ -1071,7 +1074,7 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m
* Initially a Linux issue (high precision readout) that was fixed.
* However, it is still another metric for fingerprinting, used to raise entropy.
* e.g. do you have a battery or not, current charging status, charge level, times remaining etc
* [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code, see [1]
* [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code [1]
* [1] https://bugzilla.mozilla.org/1313580 ***/
// user_pref("dom.battery.enabled", false);
/* 2505: disable media device enumeration [FF29+]
@ -1268,8 +1271,10 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
* [WARNING] This will break a LOT of sites' functionality AND extensions!
* You are better off using an extension for more granular control ***/
// user_pref("dom.storage.enabled", false);
/* 2730: disable offline cache ***/
user_pref("browser.cache.offline.enable", false);
/* 2730: enforce no offline cache storage (appCache)
* The API is easily fingerprinted, use the "storage" pref instead ***/
// user_pref("browser.cache.offline.enable", false);
user_pref("browser.cache.offline.storage.enable", false); // [FF71+] [DEFAULT: false FF84+]
/* 2740: disable service worker cache and cache storage
* [NOTE] We clear service worker cache on exiting Firefox (see 2803)
* [1] https://w3c.github.io/ServiceWorker/#privacy ***/
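Review bot: 2730 now leaves `browser.cache.offline.enable` commented out and says to use the "storage" pref instead, but it does not tell existing users what to do with the old value. A profile that applied an earlier version still has `browser.cache.offline.enable` set to false in prefs.js, and commenting the line out in user.js does not reset it, so those users keep the state the new comment calls easily fingerprinted. The pref is not in the reset list updated in this diff either, since that list is for prefs removed completely. Suggest a [NOTE] telling users to reset the old pref in about:config, and keeping the item number in the changelog so the behaviour change is visible.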
@ -1364,19 +1369,22 @@ user_pref("privacy.sanitize.timeSpan", 0);
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
/* 4001: enable First Party Isolation [FF51+]
* [SETUP-WEB] May break cross-domain logins and site functionality until perfected
* [1] https://bugzilla.mozilla.org/1260931
* [2] https://bugzilla.mozilla.org/1299996 [META] ***/
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
user_pref("privacy.firstparty.isolate", true);
/* 4002: enforce FPI restriction for window.opener [FF54+]
* [NOTE] Setting this to false may reduce the breakage in 4001
* FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
* to reduce breakage it ignores the 1st-party domain (FPD) originAttribute, see [2],[3]
* to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3]
* The 2nd pref removes that limitation and will only allow communication if FPDs also match.
* [1] https://bugzilla.mozilla.org/1319773#c22
* [2] https://bugzilla.mozilla.org/1492607
* [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
// user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
// user_pref("privacy.firstparty.isolate.block_post_message", true);
/* 4003: enable scheme with FPI [FF78+]
* [NOTE] Experimental: existing data and site permissions are incompatible
* and some site exceptions may not work e.g. HTTPS-only mode (see 1244) ***/
// user_pref("privacy.firstparty.isolate.use_site", true);
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
RFP covers a wide range of ongoing fingerprinting solutions.
@ -1452,8 +1460,7 @@ user_pref("privacy.resistFingerprinting", true);
/* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
* Width will round down to multiples of 200s and height to 100s, to fit your screen.
* The override values are a starting point to round from if you want some control
* [1] https://bugzilla.mozilla.org/1330882
* [2] https://hardware.metrics.mozilla.com/ ***/
* [1] https://bugzilla.mozilla.org/1330882 ***/
// user_pref("privacy.window.maxInnerWidth", 1000);
// user_pref("privacy.window.maxInnerHeight", 1000);
/* 4503: disable mozAddonManager Web API [FF57+]
@ -1461,7 +1468,7 @@ user_pref("privacy.resistFingerprinting", true);
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
/* 4504: enable RFP letterboxing [FF67+]
* Dynamically resizes the inner window by applying margins in stepped ranges, see [2]
* Dynamically resizes the inner window by applying margins in stepped ranges [2]
* If you use the dimension pref, then it will only apply those resolutions. The format is
* "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
* [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but
@ -1571,7 +1578,7 @@ user_pref("ui.use_standins_for_native_colors", true);
user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
// FF80+
// 4618: limit font visbility (non-ANDROID) [FF79+]
// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts, see [1]
// Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1]
// 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
// [NOTE] Bundled fonts are auto-allowed
// [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc