2620: disable pdfjs scripting, v88 final

0102: add setup tag #1166
RFP & Presentation API
2025-09-01 17:38:30 +02:00 · 2021-04-23 14:25:54 +00:00 · 2021-04-17 07:12:20 +00:00 · 2021-04-15 07:10:54 +00:00 · 2021-04-08 01:21:14 +00:00 · 2021-04-08 01:19:42 +00:00
4 changed files with 151 additions and 124 deletions
--- a/scratchpad-scripts/arkenfox-clear-removed.js
+++ b/scratchpad-scripts/arkenfox-clear-removed.js
@ -1,7 +1,7 @@
 /***
 This will reset the preferences that have been removed completely from the arkenfox user.js.
- Last updated: 26-Jan-2021
+ Last updated: 07-Apr-2021
 For instructions see:
 https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@ -9,7 +9,7 @@
 (function() {
  let ops = [
-    /* removed in arkenfox user.js v52-57 */
+    /* removed in arkenfox user.js */
    /* 52-alpha */
    'browser.search.reset.enabled',
    'browser.search.reset.whitelist',
@ -26,7 +26,6 @@
    'extensions.pocket.api', // covered by extensions.pocket.enabled
    'extensions.pocket.oAuthConsumerKey', // ditto
    'extensions.pocket.site', // ditto
    /* 56-alpha: none */
    /* 57-alpha */
    'geo.wifi.xhr.timeout', // covered by geo.enabled
    'browser.search.geoip.timeout', // ditto
@ -231,9 +230,14 @@
    'security.ssl3.dhe_rsa_aes_256_sha',
    /* 84-beta */
    'browser.newtabpage.activity-stream.asrouter.providers.snippets',
    'layout.css.visited_links_enabled',
    /* 85-beta */
    'network.http.redirection-limit',
    /* 86-beta */
    'media.gmp-widevinecdm.visible',
    /* 87-beta */
    'browser.send_pings.require_same_host',
    /* 88-beta */
    'webgl.min_capability_mode',
    /* reset parrot: check your open about:config after running the script */
    '_user.js.parrot'
  ]
--- a/updater.sh
+++ b/updater.sh
@ -2,7 +2,7 @@
 ## arkenfox user.js updater for macOS and Linux
-## version: 2.9
+## version: 3.0
 ## Author: Pat Johnson (@overdodactyl)
 ## Additional contributors: @earthlng, @ema-pe, @claustromaniac
@ -103,7 +103,6 @@ Optional Arguments:
 #     File Handling     #
 #########################
 # Download files
 download_file () { # expects URL as argument ($1)
  declare -r tf=$(mktemp)
@ -122,36 +121,33 @@ open_file () { # expects one argument: file_path
 readIniFile () { # expects one argument: absolute path of profiles.ini
  declare -r inifile="$1"
  declare -r tfile=$(mktemp)
-  if [ $(grep '^\[Profile' "$inifile" | wc -l) == "1" ]; then ### only 1 profile found
+  # tempIni will contain: [ProfileX], Name=, IsRelative= and Path= (and Default= if present) of the only (if) or the selected (else) profile
-    grep '^\[Profile' -A 4 "$inifile" | grep -v '^\[Profile' > $tfile
+  if [ $(grep -c '^\[Profile' "${inifile}") -eq "1" ]; then ### only 1 profile found
    tempIni="$(grep '^\[Profile' -A 4 "${inifile}")"
  else
-    grep -E -v '^\[General\]|^StartWithLastProfile=|^IsRelative=' "$inifile"
+    echo -e "Profiles found:\n––––––––––––––––––––––––––––––"
-    echo ''
+    ## cmd-substitution to strip trailing newlines and in quotes to keep internal ones:
    echo "$(grep --color=never -E 'Default=[^1]|\[Profile[0-9]*\]|Name=|Path=|^$' "${inifile}")"
    echo '––––––––––––––––––––––––––––––'
    read -p 'Select the profile number ( 0 for Profile0, 1 for Profile1, etc ) : ' -r
    echo -e "\n"
    if [[ $REPLY =~ ^(0|[1-9][0-9]*)$ ]]; then
-      grep '^\[Profile'${REPLY} -A 4 "$inifile" | grep -v '^\[Profile'${REPLY} > $tfile
+      tempIni="$(grep "^\[Profile${REPLY}" -A 4 "${inifile}")" || {
-      if [[ "$?" != "0" ]]; then
+        echo -e "${RED}Profile${REPLY} does not exist!${NC}" && exit 1
-        echo "Profile${REPLY} does not exist!" && exit 1
+      }
      fi
    else
-      echo "Invalid selection!" && exit 1
+      echo -e "${RED}Invalid selection!${NC}" && exit 1
    fi
  fi
-  declare -r profpath=$(grep '^Path=' $tfile)
+  # extracting 0 or 1 from the "IsRelative=" line
-  declare -r pathisrel=$(grep '^IsRelative=' $tfile)
+  declare -r pathisrel=$(sed -n 's/^IsRelative=\([01]\)$/\1/p' <<< "${tempIni}")
-  rm "$tfile"
+  # extracting only the path itself, excluding "Path="
-
+  PROFILE_PATH=$(sed -n 's/^Path=\(.*\)$/\1/p' <<< "${tempIni}")
-  # update global variable
+  # update global variable if path is relative
-  if [[ ${pathisrel#*=} == "1" ]]; then
+  [[ ${pathisrel} == "1" ]] && PROFILE_PATH="$(dirname "${inifile}")/${PROFILE_PATH}"
    PROFILE_PATH="$(dirname "$inifile")/${profpath#*=}"
  else
    PROFILE_PATH="${profpath#*=}"
  fi
 }
 getProfilePath () {
@ -161,16 +157,14 @@ getProfilePath () {
  if [ "$PROFILE_PATH" = false ]; then
    PROFILE_PATH="$SCRIPT_DIR"
  elif [ "$PROFILE_PATH" = 'list' ]; then
    local ini=''
    if [[ -f "$f1" ]]; then
-      ini="$f1"
+      readIniFile "$f1" # updates PROFILE_PATH or exits on error
    elif [[ -f "$f2" ]]; then
-      ini="$f2"
+      readIniFile "$f2"
    else
      echo -e "${RED}Error: Sorry, -l is not supported for your OS${NC}"
      exit 1
    fi
    readIniFile "$ini" # updates PROFILE_PATH or exits on error
  #else
    # PROFILE_PATH already set by user with -p
  fi
@ -191,9 +185,7 @@ get_updater_version () {
 #   -d: New version will not be looked for and update will not occur
 #   -u: Check for update, if available, execute without asking
 update_updater () {
-  if [ $UPDATE = 'no' ]; then
+  [ $UPDATE = 'no' ] && return 0 # User signified not to check for updates
    return 0 # User signified not to check for updates
  fi
  declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')"
  [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed
@ -214,7 +206,6 @@ update_updater () {
  exit 0
 }
 #########################
 #    Update user.js     #
 #########################
--- a/user.js
+++ b/user.js
@ -1,7 +1,7 @@
 /******
 * name: arkenfox user.js
-* date: 28 Jan 2021
+* date: 23 April 2021
-* version 85
+* version 88
 * url: https://github.com/arkenfox/user.js
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
@ -18,6 +18,7 @@
       * Some site breakage and unintended consequences will happen. Everyone's experience will differ
         e.g. some user data is erased on close (section 2800), change this to suit your needs
       * While not 100% definitive, search for "[SETUP" tags
         e.g. third party images/videos not loading on some sites? check 1603
       * Take the wiki link in step 2 and read the Troubleshooting entry
  5. Some tag info
       [SETUP-SECURITY] it's one item, read it
@ -37,7 +38,7 @@
    - If you are not using arkenfox v78... (not a definitive list)
      - 1244: HTTPS-Only mode is enabled
      - 1401: document fonts is inactive as it is now covered by RFP in FF80+
-      - 4600: some prefs may apply even if you use RFP (currently none apply as of FF84)
+      - 4600: some prefs may apply even if you use RFP
      - 9999: switch the appropriate deprecated section(s) back on
 * INDEX:
@ -82,9 +83,8 @@
 user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
 /* 0000: disable about:config warning
- * FF71-72: chrome://global/content/config.xul
+ * FF73-86: chrome://global/content/config.xhtml ***/
- * FF73+: chrome://global/content/config.xhtml ***/
+user_pref("general.warnOnAboutConfig", false); // XHTML version
 user_pref("general.warnOnAboutConfig", false); // XUL/XHTML version
 user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+]
 /*** [SECTION 0100]: STARTUP ***/
@ -92,7 +92,8 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 /* 0101: disable default browser check
 * [SETTING] General>Startup>Always check if Firefox is your default browser ***/
 user_pref("browser.shell.checkDefaultBrowser", false);
-/* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
+/* 0102: set startup page [SETUP-CHROME]
 * 0=blank, 1=home, 2=last visited page, 3=resume previous session
 * [NOTE] Session Restore is not used in PB mode (0110) and is cleared with history (2803, 2804)
 * [SETTING] General>Startup>Restore previous session ***/
 user_pref("browser.startup.page", 0);
@ -121,8 +122,6 @@ user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
 user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
 user_pref("browser.newtabpage.activity-stream.showSponsored", false);
 user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+]
 /* 0105d: disable Activity Stream recent Highlights in the Library [FF57+] ***/
   // user_pref("browser.library.activity-stream.enabled", false);
 /* 0105e: clear default topsites
 * [NOTE] This does not block you from adding your own ***/
 user_pref("browser.newtabpage.activity-stream.default.sites", "");
@ -142,13 +141,13 @@ user_pref("browser.newtabpage.activity-stream.default.sites", "");
 user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
 /** GEOLOCATION ***/
 /* 0201: disable Location-Aware Browsing
- * [NOTE] Best left at default "true", fingerprintable, is already behind a prompt (see 0202)
+ * [NOTE] Best left at default "true", fingerprintable, already behind a prompt (see 0202)
 * [1] https://www.mozilla.org/firefox/geolocation/ ***/
   // user_pref("geo.enabled", false);
 /* 0202: set a default permission for Location (see 0201) [FF58+]
 * 0=always ask (default), 1=allow, 2=block
 * [NOTE] Best left at default "always ask", fingerprintable via Permissions API
- * [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
+ * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
   // user_pref("permissions.default.geo", 2);
 /* 0203: use Mozilla geolocation service instead of Google when geolocation is enabled [FF74+]
@ -250,10 +249,10 @@ user_pref("browser.discovery.enabled", false);
 /* 0350: disable Crash Reports ***/
 user_pref("breakpad.reportURL", "");
 user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
-user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
+   // user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false]
-/* 0351: disable backlogged Crash Reports
+/* 0351: enforce no submission of backlogged Crash Reports [FF58+]
 * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports  ***/
-user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
+user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false]
 /* 0390: disable Captive Portal detection
 * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
 * [2] https://wiki.mozilla.org/Necko/CaptivePortal ***/
@ -349,9 +348,9 @@ user_pref("extensions.formautofill.available", "off"); // [FF56+]
 user_pref("extensions.formautofill.creditCards.available", false); // [FF57+]
 user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
 user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
-/* 0518: disable Web Compatibility Reporter [FF56+]
+/* 0518: enforce disabling of Web Compatibility Reporter [FF56+]
 * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
-user_pref("extensions.webcompat-reporter.enabled", false);
+user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
 /*** [SECTION 0600]: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/
 user_pref("_user.js.parrot", "0600 syntax error: the parrot's no more!");
@ -361,17 +360,16 @@ user_pref("network.prefetch-next", false);
 /* 0602: disable DNS prefetching
 * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
 user_pref("network.dns.disablePrefetch", true);
-user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
+   // user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
 /* 0603: disable predictor / prefetching ***/
 user_pref("network.predictor.enabled", false);
-user_pref("network.predictor.enable-prefetch", false); // [FF48+]
+   // user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
 /* 0605: disable link-mouseover opening connection to linked server
 * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/
 user_pref("network.http.speculative-parallel-limit", 0);
 /* 0606: enforce no "Hyperlink Auditing" (click tracking)
 * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
-user_pref("browser.send_pings", false); // [DEFAULT: false]
+   // user_pref("browser.send_pings", false); // [DEFAULT: false]
 user_pref("browser.send_pings.require_same_host", true); // defense-in-depth
 /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
 user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
@ -389,8 +387,8 @@ user_pref("network.dns.disableIPv6", true);
 /* 0702: disable HTTP2
 * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
 * enhance privacy, and opens up a number of server-side fingerprinting opportunities.
- * [WARNING] Disabling this made sense in the past, and doesn't break anything, but HTTP2 is
+ * [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
- * at 40% (December 2019) and growing [5]. Don't be that one person using HTTP1.1 on HTTP2 sites
+ * [STATS] Over 50% of sites (April 2021) and growing [5]
 * [1] https://http2.github.io/faq/
 * [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
 * [3] https://http2.github.io/http2-spec/#rfc.section.10.8
@ -414,7 +412,7 @@ user_pref("network.http.altsvc.oe", false);
 * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
 user_pref("network.proxy.socks_remote_dns", true);
 /* 0708: disable FTP [FF60+] ***/
-   // user_pref("network.ftp.enabled", false);
+   // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+]
 /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
 * [SETUP-CHROME] Can break extensions for profiles on network shares
 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
@ -455,6 +453,17 @@ user_pref("keyword.enabled", false);
 user_pref("browser.fixup.alternate.enabled", false);
 /* 0803: display all parts of the url in the location bar ***/
 user_pref("browser.urlbar.trimURLs", false);
 /* 0805: disable coloring of visited links - CSS history leak
 * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
 * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
 * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5]
 * and advanced targeted timing attacks could still produce usable results
 * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector
 * [2] https://dbaron.org/mozilla/visited-privacy
 * [3] https://bugzilla.mozilla.org/1632765
 * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
 * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/
   // user_pref("layout.css.visited_links_enabled", false);
 /* 0807: disable live search suggestions
 /* [NOTE] Both must be true for the location bar to work
 * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine
@ -480,12 +489,7 @@ user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
 * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
   // user_pref("browser.urlbar.suggest.engines", false);
 /* 0850c: disable location bar dropdown
- * This value controls the total number of entries to appear in the location bar dropdown
+ * This value controls the total number of entries to appear in the location bar dropdown ***/
 * [NOTE] Items (bookmarks/history/openpages) with a high "frecency"/"bonus" will always
 * be displayed (no we do not know how these are calculated or what the threshold is),
 * and this does not affect the search by search engine suggestion (see 0807)
 * [NOTE] This setting is only useful if you want to enable search engine keywords
 * (i.e. at least one of 0850a suggestion types must be true) but you want to *limit* suggestions shown ***/
   // user_pref("browser.urlbar.maxRichResults", 0);
 /* 0850d: disable location bar autofill
 * [1] https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
@ -507,7 +511,7 @@ user_pref("browser.taskbar.lists.frequent.enabled", false);
 user_pref("browser.taskbar.lists.recent.enabled", false);
 user_pref("browser.taskbar.lists.tasks.enabled", false);
 /* 0871: disable Windows taskbar preview [WINDOWS] ***/
-user_pref("browser.taskbar.previews.enable", false);
+   // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false]
 /*** [SECTION 0900]: PASSWORDS ***/
 user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
@ -641,22 +645,18 @@ user_pref("security.ssl.require_safe_negotiation", true);
 * [1] https://www.ssllabs.com/ssl-pulse/ ***/
   // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
   // user_pref("security.tls.version.max", 4);
-/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */
+/* 1203: enforce TLS 1.0 and 1.1 downgrades as session only ***/
 user_pref("security.tls.version.enable-deprecated", false);
 /* 1204: disable SSL session tracking [FF36+]
- * SSL Session IDs are unique, last up to 24hrs in Firefox, and can be used for tracking
+ * SSL Session IDs are unique and last up to 24hrs in Firefox (or longer with prolongation attacks)
- * [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
+ * [NOTE] These are not used in PB mode. In normal windows they are isolated when using FPI (4001)
- * consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
+ * and/or containers. In FF85+ they are isolated by default (privacy.partition.network_state)
- * and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
+ * [WARNING] There are perf and passive fingerprinting costs, for little to no gain. Preventing
 * tracking via this method does not address IPs, nor handle any sanitizing of current identifiers
 * [1] https://tools.ietf.org/html/rfc5077
 * [2] https://bugzilla.mozilla.org/967977
 * [3] https://arxiv.org/abs/1810.07304 ***/
-user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
+   // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
 /* 1205: disable SSL Error Reporting
 * [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/
 user_pref("security.ssl.errorReporting.automatic", false);
 user_pref("security.ssl.errorReporting.enabled", false);
 user_pref("security.ssl.errorReporting.url", "");
 /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
 * [1] https://github.com/tlswg/tls13-spec/issues/1001
 * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
@ -729,7 +729,7 @@ user_pref("security.mixed_content.block_display_content", true);
 user_pref("security.mixed_content.block_object_subrequest", true);
 /* 1244: enable HTTPS-Only mode [FF76+]
 * When "https_only_mode" (all windows) is true, "https_only_mode_pbm" (private windows only) is ignored
- * [SETTING] to add site exceptions: Page Info>HTTPS-Only mode>On/Off/Off temporarily
+ * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On/Off/Off temporarily
 * [SETTING] Privacy & Security>HTTPS-Only Mode
 * [TEST] http://example.com [upgrade]
 * [TEST] http://neverssl.org/ [no upgrade]
@ -744,6 +744,10 @@ user_pref("dom.security.https_only_mode", true); // [FF76+]
 * This is done to avoid waiting for a timeout which takes 90 seconds
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
 user_pref("dom.security.https_only_mode_send_http_background_request", false);
 /* 1247: treat .onion as a secure context [FF60+] [TOR]
 * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
 * [1] https://bugzilla.mozilla.org/1382359 ***/
   // user_pref("dom.securecontext.whitelist_onions", true);
 /** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro]
 * These are all the ciphers still using SHA-1 and CBC which are weaker than the available alternatives. (see "Cipher Suites" in [1])
@ -845,14 +849,14 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
 * [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
 * [1] https://www.w3.org/TR/referrer-policy/
 * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
- * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
+ * [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/
-   // user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3]
+ * [4] https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/ ***/
   // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
   // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
-/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+]
+/* 1607: hide (not spoof) referrer when leaving a .onion domain [FF54+] [TOR]
- * [NOTE] Firefox cannot access .onion sites by default. We recommend you use
+ * [NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser
 * the Tor Browser which is specifically designed for hidden services
 * [1] https://bugzilla.mozilla.org/1305144 ***/
-user_pref("network.http.referer.hideOnionSource", true);
+   // user_pref("network.http.referer.hideOnionSource", true);
 /* 1610: ALL: enable the DNT (Do Not Track) HTTP header
 * [NOTE] DNT is enforced with Enhanced Tracking Protection regardless of this pref
 * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/
@ -889,12 +893,12 @@ user_pref("plugin.state.flash", 0);
 * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
   // user_pref("media.gmp-provider.enabled", false);
 /* 1825: disable widevine CDM (Content Decryption Module)
- * [SETUP-WEB] if you *need* CDM, e.g. Netflix, Amazon Prime, Hulu, whatever ***/
+ * [NOTE] This is covered by the EME master switch (1830) ***/
-user_pref("media.gmp-widevinecdm.visible", false);
+   // user_pref("media.gmp-widevinecdm.enabled", false);
 user_pref("media.gmp-widevinecdm.enabled", false);
 /* 1830: disable all DRM content (EME: Encryption Media Extension)
- * [SETUP-WEB] if you *need* EME, e.g. Netflix, Amazon Prime, Hulu, whatever
+ * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
 * [SETTING] General>DRM Content>Play DRM-controlled content
 * [TEST] https://bitmovin.com/demos/drm
 * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
 user_pref("media.eme.enabled", false);
@ -922,15 +926,14 @@ user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70
 user_pref("webgl.disabled", true);
 user_pref("webgl.enable-webgl2", false);
 /* 2012: limit WebGL ***/
-user_pref("webgl.min_capability_mode", true);
+user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
 user_pref("webgl.disable-fail-if-major-performance-caveat", true);
 /* 2022: disable screensharing ***/
 user_pref("media.getusermedia.screensharing.enabled", false);
 user_pref("media.getusermedia.browser.enabled", false);
 user_pref("media.getusermedia.audiocapture.enabled", false);
 /* 2024: set a default permission for Camera/Microphone [FF58+]
 * 0=always ask (default), 1=allow, 2=block
- * [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone
+ * [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
   // user_pref("permissions.default.camera", 2);
   // user_pref("permissions.default.microphone", 2);
@ -966,8 +969,8 @@ user_pref("browser.link.open_newwindow.restriction", 0);
 * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
 user_pref("dom.disable_open_during_load", true);
 /* 2212: limit events that can cause a popup [SETUP-WEB]
- * default is "change click dblclick auxclick mouseup pointerup notificationclick reset submit touchend contextmenu" ***/
+ * default FF86+: "change click dblclick auxclick mousedown mouseup pointerdown pointerup notificationclick reset submit touchend contextmenu ***/
-user_pref("dom.popup_allowed_events", "click dblclick");
+user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
 /*** [SECTION 2300]: WEB WORKERS
     A worker is a JS "background task" running in a global context, i.e. it is different from
@ -1012,7 +1015,7 @@ user_pref("dom.push.enabled", false);
 /* 2306: set a default permission for Notifications (both 2304 and 2305) [FF58+]
 * 0=always ask (default), 1=allow, 2=block
 * [NOTE] Best left at default "always ask", fingerprintable via Permissions API
- * [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications
+ * [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/
   // user_pref("permissions.default.desktop-notification", 2);
@ -1024,9 +1027,9 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!
 /* 2402: disable website access to clipboard events/content [SETUP-HARDEN]
 * [NOTE] This will break some sites' functionality e.g. Outlook, Twitter, Facebook, Wordpress
 * This applies to onCut/onCopy/onPaste events - i.e. it requires interaction with the website
- * [WARNING] If both 'middlemouse.paste' and 'general.autoScroll' are true (at least one
+ * [WARNING] In FF88 or lower, with clipboardevents enabled, if both 'middlemouse.paste' and
- * is default false) then enabling this pref can leak clipboard content [1]
+ * 'general.autoScroll' are true (at least one is default false) then the clipboard can leak [1]
- * [1] https://bugzilla.mozilla.org/1528289 */
+ * [1] https://bugzilla.mozilla.org/1528289 ***/
   // user_pref("dom.event.clipboardevents.enabled", false);
 /* 2404: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
 * this disables document.execCommand("cut"/"copy") to protect your clipboard
@ -1103,9 +1106,9 @@ user_pref("dom.webaudio.enabled", false);
   // user_pref("dom.vr.enabled", false);
 /* 2521: set a default permission for Virtual Reality (see 2520) [FF73+]
 * 0=always ask (default), 1=allow, 2=block
- * [SETTING] to add site exceptions: Page Info>Permissions>Access Virtual Reality Devices
+ * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings ***/
-   // user_pref("permissions.default.xr", 0);
+   // user_pref("permissions.default.xr", 2);
 /*** [SECTION 2600]: MISCELLANEOUS ***/
 user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
@ -1119,8 +1122,7 @@ user_pref("beacon.enabled", false);
 /* 2603: remove temp files opened with an external application
 * [1] https://bugzilla.mozilla.org/302433 ***/
 user_pref("browser.helperApps.deleteTempFileOnExit", true);
-/* 2604: disable page thumbnail collection
+/* 2604: disable page thumbnail collection ***/
 * look in profile/thumbnails directory - you may want to clean that out ***/
 user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
 /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
 user_pref("browser.uitour.enabled", false);
@ -1145,7 +1147,7 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
 user_pref("middlemouse.contentLoadURL", false);
 /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
 * 0 (default) or 1=allow, 2=block
- * [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts ***/
+ * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
   // user_pref("permissions.default.shortcuts", 2);
 /* 2616: remove special permissions for certain mozilla domains [FF35+]
 * [1] resource://app/defaults/permissions ***/
@ -1161,17 +1163,18 @@ user_pref("webchannel.allowObject.urlWhitelist", "");
 * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
 * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
 user_pref("network.IDN_show_punycode", true);
-/* 2620: enforce Firefox's built-in PDF reader [SETUP-CHROME]
+/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]
 * This setting controls if the option "Display in Firefox" is available in the setting below
 *   and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
 * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
- *   Exploits are rare (1 serious case in 4 yrs), treated seriously and patched quickly.
+ *   Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
 *   It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
 *   It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
 * CONS: You may prefer a different pdf reader for security reasons
 * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
 * [SETTING] General>Applications>Portable Document Format (PDF) ***/
 user_pref("pdfjs.disabled", false); // [DEFAULT: false]
 user_pref("pdfjs.enableScripting", false); // [FF86+]
 /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
 user_pref("network.protocol-handler.external.ms-windows-store", false);
 /* 2622: enforce no system colors; they can be fingerprinted
@ -1181,11 +1184,12 @@ user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
 * Currently applies to cross-origin geolocation, camera, mic and screen-sharing
 * permissions, and fullscreen requests. Disabling delegation means any prompts
 * for these will show/use their correct 3rd party origin
- * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion */
+ * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
 user_pref("permissions.delegation.enabled", false);
 /* 2624: enable "window.name" protection [FF82+]
 * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
- * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks ***/
+ * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
 * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
 user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+]
 /* 2625: disable bypassing 3rd party extension install prompts [FF82+]
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
@ -1202,8 +1206,6 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false);
 user_pref("browser.download.useDownloadDir", false);
 /* 2652: disable adding downloads to the system's "recent documents" list ***/
 user_pref("browser.download.manager.addToRecentDocs", false);
 /* 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin ***/
 user_pref("browser.download.hide_plugins_without_extensions", false);
 /* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
 * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
 * in such a way that it is forbidden to run external applications.
@ -1247,12 +1249,18 @@ user_pref("security.dialog_enable_delay", 700);
     accessible to websites except shared/service workers where the cookie setting *must* be "Allow"
 ***/
 user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
-/* 2701: disable 3rd-party cookies and site-data [SETUP-WEB]
+/* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB]
- * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
+ * 0 = Accept cookies and site data
- * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default)
+ * 1 = (Block) All third-party cookies
- * [NOTE] You can set exceptions under site permissions or use an extension
+ * 2 = (Block) All cookies
 * 3 = (Block) Cookies from unvisited websites
 * 4 = (Block) Cross-site tracking cookies (default)
 * 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+)
 * Option 5 with FPI enabled (4001) is ignored and not shown, and option 4 used instead
 * [NOTE] You can set cookie exceptions under site permissions or use an extension
 * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
+ * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies
 * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/
 user_pref("network.cookie.cookieBehavior", 1);
 user_pref("browser.contentblocking.category", "custom");
 /* 2702: set third-party cookies (if enabled, see 2701) to session-only
@ -1266,7 +1274,16 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
 * [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2)
 * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
   // user_pref("network.cookie.lifetimePolicy", 2);
-/* 2710: disable DOM (Document Object Model) Storage
+/* 2710: enable Enhanced Tracking Protection (ETP) in all windows
 * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content
 * [SETTING] to add site exceptions: Urlbar>ETP Shield
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
 user_pref("privacy.trackingprotection.enabled", true);
 /* 2711: enable various ETP lists ***/
 user_pref("privacy.trackingprotection.socialtracking.enabled", true);
   // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
   // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
 /* 2720: disable DOM (Document Object Model) Storage
 * [WARNING] This will break a LOT of sites' functionality AND extensions!
 * You are better off using an extension for more granular control ***/
   // user_pref("dom.storage.enabled", false);
@ -1294,8 +1311,8 @@ user_pref("dom.storage.next_gen", true);
 /*** [SECTION 2800]: SHUTDOWN
     You should set the values to what suits you best.
-     - "Offline Website Data" includes appCache (2730), localStorage (2710),
+     - "Offline Website Data" includes appCache (2730), localStorage (2720),
-       service worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
+       service worker cache (2740), and QuotaManager (IndexedDB, asm-cache)
     - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the
       Firefox interface as "Browsing & Download History" and their values will be synced
 ***/
@ -1418,7 +1435,7 @@ user_pref("privacy.firstparty.isolate", true);
   1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12)
   1382545 - reduce fingerprinting in Animation API
   1354633 - limit MediaError.message to a whitelist
-   1382533 - enable fingerprinting resistance for Presentation API
+   1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87)
      This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
 FF58+
    967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction
@ -1562,8 +1579,9 @@ user_pref("webgl.enable-debug-renderer-info", false);
   // 0=no-preference, 1=reduce
 user_pref("ui.prefersReducedMotion", 0); // [HIDDEN PREF]
 // FF64+
-// 4615: [2516] disable PointerEvents
+// 4615: [2516] disable PointerEvents [FF86 or lower]
   // [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent
   // [-] https://bugzilla.mozilla.org/1688105
 user_pref("dom.w3c_pointer_events.enabled", false);
 // * * * /
 // FF67+
@ -1576,7 +1594,7 @@ user_pref("ui.use_standins_for_native_colors", true);
   // 0=light, 1=dark : This overrides your OS value
 user_pref("ui.systemUsesDarkTheme", 0); // [HIDDEN PREF]
 // FF80+
-// 4618: limit font visbility (non-ANDROID) [FF79+]
+// 4618: limit font visibility (non-ANDROID) [FF79+]
   // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1]
   // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
   // [NOTE] Bundled fonts are auto-allowed
@ -1603,10 +1621,11 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow
   // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
 /*** [SECTION 5000]: PERSONAL
-     Non-project related but useful. If any of these interest you, add them to your overrides ***/
+     Non-project related but useful. If any of these interest you, add them to your overrides
     To save some overrides, we've made a few active as they seem to be universally used ***/
 user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
 /* WELCOME & WHAT's NEW NOTICES ***/
-   // user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
+user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
   // user_pref("startup.homepage_welcome_url", "");
   // user_pref("startup.homepage_welcome_url.additional", "");
   // user_pref("startup.homepage_override_url", ""); // What's New page after updates
@ -1625,6 +1644,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
   // user_pref("layout.spellcheckDefault", 2); // 0=none, 1-multi-line, 2=multi-line & single-line
 /* UX BEHAVIOR ***/
   // user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
   // user_pref("browser.quitShortcut.disabled", true); // disable Ctrl-Q quit shortcut [LINUX] [MAC] [FF87+]
   // user_pref("browser.tabs.closeWindowWithLastTab", false);
   // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
   // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
@ -1632,15 +1652,15 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
   // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
   // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
 /* UX FEATURES: disable and hide the icons and menus ***/
-   // user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
+user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+]
   // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
   // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
   // user_pref("reader.parse-on-load.enabled", false); // Reader View
 /* OTHER ***/
   // user_pref("browser.bookmarks.max_backups", 2);
-   // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
      // [SETTING] General>Browsing>Recommend extensions as you browse
-   // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
      // [SETTING] General>Browsing>Recommend features as you browse
   // user_pref("network.manage-offline-status", false); // see bugzilla 620472
   // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
@ -1661,14 +1681,26 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!");
   // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025
   // [-] https://bugzilla.mozilla.org/1603712
 user_pref("intl.charset.fallback.override", "windows-1252");
 // * * * /
 // FF82
 // 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
   // i.e. ignore all of Mozilla's various search engines in multiple locales
   // [-] https://bugzilla.mozilla.org/1619926
 user_pref("browser.search.geoSpecificDefaults", false);
 user_pref("browser.search.geoSpecificDefaults.url", "");
-// * * * /
+// FF86
 // 1205: disable SSL Error Reporting
   // [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html
   // [-] https://bugzilla.mozilla.org/1681839
 user_pref("security.ssl.errorReporting.automatic", false);
 user_pref("security.ssl.errorReporting.enabled", false);
 user_pref("security.ssl.errorReporting.url", "");
 // 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin
   // [-] https://bugzilla.mozilla.org/1581678
 user_pref("browser.download.hide_plugins_without_extensions", false);
 // FF87
 // 0105d: disable Activity Stream recent Highlights in the Library [FF57+]
   // [-] https://bugzilla.mozilla.org/1689405
   // user_pref("browser.library.activity-stream.enabled", false);
 // ***/
 /* END: internal custom pref to test for syntax errors ***/
--- a/wikipiki/parseError.png
+++ b/wikipiki/parseError.png
Author	SHA1	Message	Date
Thorin-Oakenpants	da9f912862	2620: disable pdfjs scripting, v88 final	2021-04-23 14:25:54 +00:00
Thorin-Oakenpants	9930cfbc07	0102: add setup tag #1166	2021-04-17 07:12:20 +00:00
Thorin-Oakenpants	7738e320d5	RFP & Presentation API	2021-04-15 07:10:54 +00:00
Thorin-Oakenpants	9b8735a87a	webgl.min_capability_mode	2021-04-08 01:21:14 +00:00
Thorin-Oakenpants	6c10e03ce5	2012: remove webgl.min_capability_mode as promised in `4596d721e6`	2021-04-08 01:19:42 +00:00
Thorin-Oakenpants	7ad3bb9e61	0702: use a [STATS] tag	2021-04-07 09:44:24 +00:00
Thorin-Oakenpants	5dcf639d33	oophs .. and start 88-alpha	2021-04-07 09:36:56 +00:00
Thorin-Oakenpants	2da3b0192f	update HTTP2 stats	2021-04-07 09:36:01 +00:00
Thorin-Oakenpants	ada8158caf	v87	2021-04-04 20:33:23 +00:00
Thorin-Oakenpants	2071939c5e	use [TOR] tags, add 1247 not that we recommend using tor over firefox: but at least the info is there for fiddlers	2021-04-04 14:21:24 +00:00
Thorin-Oakenpants	f082278217	1607: save one line and some bytes and make it even MOAR clear we do NOT support tor over firefox	2021-04-04 14:15:53 +00:00
Thorin-Oakenpants	abe37add6e	save some overrides, closes #1157 I do not think anyone will bemoan these four "personal" choices	2021-04-04 12:54:17 +00:00
Thorin-Oakenpants	bc07ca94c0	1830: add [TEST]	2021-04-04 12:37:17 +00:00
Thorin-Oakenpants	728c962684	2402: potential clipboard leak fixed in FF89+ Thanks @gwarser for testing, creating the bugzilla, being patient, and confirming the fix	2021-04-04 12:01:49 +00:00
Thorin-Oakenpants	ca99add006	turn ETP on everywhere It literally cannot hurt [1], and makes it easier for users to use custom mode with TCP/dFPI. Turning on socialtracking helps gain parity with strict mode [1] gorhill: https://old.reddit.com/r/firefox/comments/l7xetb/network_priority_for_firefoxs_enhanced_tracking/gl9rn9n/ > All extensions and ETP work in parallel, they all inspect network requests and all make the decision to block or not, hence if they all decide to block, they will all report that they block something. ETP is a bit different than normal extension in that it will give precedence to an extension trying to redirect to a local resource, this ensures ETP works harmoniously with normal extensions. > > Once something is not blocked, it then goes through a DNS query, and the browser waits for the response. > > I will add examples of how ETP + multiple blocker extensions work together when dealing with a network request; let's say "A" and "B" are two different blockers: > > - ETP=block, A=allow, B=allow: result=block > - ETP=allow, A=block, B=allow: result=block > - ETP=allow, A=allow, B=redirect: result=redirect > - ETP=allow, A=block, B=redirect: result=block > - ETP=block, A=allow, B=redirect: result=redirect > > So as you can see, ETP is a bit different than a normal extension in that it won't prevent redirection from happening if ever a network request is redirected by one of the normal extension.	2021-04-04 11:49:07 +00:00
Thorin-Oakenpants	f771027138	2720 was removed in FF72 https://bugzilla.mozilla.org/1488583	2021-04-04 11:18:54 +00:00
Thorin-Oakenpants	8f1c0044b9	2701: add cookie behavior 5	2021-04-04 11:07:39 +00:00
Thorin-Oakenpants	87cd828b5b	browser.send_pings.require_same_host redundant/defense-in-depth pref for `browser.send_pings` which is still at default false after six years of watching it (false is what we want)	2021-04-03 14:25:46 +00:00
Thorin-Oakenpants	46ccd9f654	cleanup 0600s three prefs are default since at least 78, and one pref is redundant for a pref that has been at our default since it was added	2021-04-03 14:20:39 +00:00
Thorin-Oakenpants	b1927f9de1	1607 make inactive Useless, since Firefox doesn't use Tor (and which we don't recommend). It was added for the info factor.	2021-03-27 18:42:52 +00:00
Thorin-Oakenpants	b592e0e592	87 deprecated It is simpler to leave the PointerEvent pref where it is, until ESR78 is EOL - FF87+ users who use RFP Alts simply add a dead pref, no harm - This way ESR78 users don't have to worry about extra char flipping: it's the same as before: 1 flip for ESR, 1 flip for RFP Alts	2021-03-27 07:49:14 +00:00
Thorin-Oakenpants	3b6cd93749	1606: default Referrer Policy default	2021-03-27 07:32:19 +00:00
Thorin-Oakenpants	3a24c01f03	0518: enforce no Web Compat Reporter only stable is false, at the time of writing. but enforcing this for all channels is good, so no-one ends up wasting mozilla resources reporting a compat problem when they've got 200 odd prefs flipped	2021-03-17 14:01:16 +00:00
Thorin-Oakenpants	b7c80841a9	tweak defaults (#1140 ) - don't differentiate between channels - both can be made inactive - webcompat requires user action: and I don't see this as a bad thing to have in non-stable - unsubmitted crashReports on Nightly is probably already covered by killing the URL, so no big deal	2021-03-14 11:21:13 +00:00
earthlng	95645f59a3	Add files via upload	2021-03-11 14:06:38 +00:00
Thorin-Oakenpants	9138e342fd	misc (#1136 ) - 0000: remove old XUL info, dropped in FF73+ - 0201: save 3 chars - 0350: add default status for unsubmittedCheck - 0351: change to enforce: has been default false going back to at least FF60, including current Beta/Dev/Nightly - along with 0602 `network.dns.disablePrefetchFromHTTPS` and 0603 `network.predictor.enable-prefetch`, I considered making them inactive, but decided it was good to leave them active for non-stable users just in case they get flipped - 0515: add default status - 0850c: remove info: out of date: doesn't work lilke that anymore and can't be assed figuring it out what with megabar and urlbar2 changes - 0871: make inactive: default false since at least FF60 - no need to enforce for non-stable in case it is flipped. It's a pretty minor shoulder-surfer privacy issue and the previews are small. If you're not sure what this pref does. On false you get one tab shown, on true you get as many as can fit across your screen. I squeezed in 15, and after that it became a list - fixup `***/` - shave off six lines and almost 400 bytes for you bastards	2021-03-10 00:06:30 +00:00
Thorin-Oakenpants	692ed70ea9	remove maintenance of this comment	2021-03-08 01:49:21 +00:00
earthlng	3430507ae4	v3.0 - improve readIniFile() (#1128 ) - grep -c equals grep \| wc -l - make output prettier - work with variable instead of temporary file + a few minor changes/cleanup	2021-03-07 13:29:33 +00:00
Thorin-Oakenpants	844f3ce9c8	tidy	2021-03-05 10:15:26 +00:00
Thorin-Oakenpants	03ffb90186	start 87-alpha, also fixes #1129 make all inactive permissions.default = same, blocked	2021-03-02 20:02:41 +00:00
Thorin-Oakenpants	5f9bb59b95	86 final	2021-02-28 20:49:57 +00:00
Thorin-Oakenpants	7163efdd1e	1825: inactive: it is redundant, fixes #1107	2021-02-28 15:57:27 +00:00
Thorin-Oakenpants	65fb24ff1b	layout.css.visited_links_enabled added back to the user.js in `612cfbf313`	2021-02-27 21:20:00 +00:00
Thorin-Oakenpants	612cfbf313	0805: re-add visited links It can still be used to mitigate social engineering attacks (e.g. using visibility and user clicks), and advanced/targeted scripts	2021-02-27 21:18:17 +00:00
Thorin-Oakenpants	4596d721e6	2012: make webgl.min_capability_mode inactive - This is too minimal to be of any use, breaks too much (e.g. zoom video) - Tor browser stopped flipping this (I think) about 5 years ago: it certainly hasn't been used in ESR60+ based TB builds, I checked - we already disable webgl, so making this inactive removes yet another pref users need to flip/troubleshoot - I will leave it in the user js for a few releases so prefsCleaner will pick it up	2021-02-26 11:39:52 +00:00
Thorin-Oakenpants	911206eed5	5000s: disable ctrl-q quit shortcut FF87+ https://bugzilla.mozilla.org/show_bug.cgi?id=52821 .. 21 years, old enough to drink and vote	2021-02-25 01:22:08 +00:00
Thorin-Oakenpants	cb5cdca99d	update adding site exceptions - https://bugzilla.mozilla.org/show_bug.cgi?id=1692553 - also HoM is not Page Info	2021-02-24 22:10:29 +00:00
Thorin-Oakenpants	e54ae46537	1204: ssl session ids inactive, closes #1110	2021-02-24 15:11:59 +00:00
Thorin-Oakenpants	7c978d4e70	0708: FTP default FF88+ https://bugzilla.mozilla.org/show_bug.cgi?id=1691890	2021-02-22 20:05:25 +00:00
Thorin-Oakenpants	d905b4387d	deprecated: put FF86 items in the right place	2021-02-21 20:52:20 +00:00
Thorin-Oakenpants	c31c825a74	2212: popup events, fixes DDG https://bugzilla.mozilla.org/show_bug.cgi?id=1686045	2021-02-18 15:50:37 +00:00
Thorin-Oakenpants	6505a9fefd	FF86 deprecated	2021-02-18 15:30:58 +00:00
Thorin-Oakenpants	de74f812ee	2012: webgl default FF86+	2021-02-18 15:00:06 +00:00
Thorin-Oakenpants	82bb3f987d	2604, closes #1111	2021-02-08 07:20:06 +00:00
Thorin-Oakenpants	a35a616de7	highlight 1603 (cross origin referer), fixes 1108 especially since we recently hardened it: also added it to the few things highlighted in the wiki	2021-02-04 07:19:28 +00:00
Thorin-Oakenpants	ecf99bf9e7	0603: add default value AFAICT: false 48-51: true 52-55.0.1/ESR52.1: false ever since	2021-02-03 16:45:34 +00:00
Thorin-Oakenpants	cfaf354fe3	oophs, better start 86-alpha	2021-02-02 04:09:50 +00:00
Thorin-Oakenpants	0b51e98d91	media.gmp-widevinecdm.visible, see #1107	2021-02-01 17:25:00 +00:00
Thorin-Oakenpants	fa51251235	remove widevine vis pref, see #1107 - It is controlled in both runtime and via user.js by the state of `media.eme.enabled`. Also, who cares about the vis of a ui option - note, there is no need to add this to the removed scratchpad list	2021-02-01 17:17:16 +00:00
Thorin-Oakenpants	21fcd0bd35	update xul/xhtml config info - the XUL version is also pre FF71 - the XHTML version was removed in FF87+	2021-02-01 05:14:46 +00:00
Thorin-Oakenpants	96d558dd0c	add window.name test	2021-01-31 07:28:05 +00:00
Thorin-Oakenpants	b6e8dcab81	fixup spelling mistake	2021-01-30 00:28:28 +00:00