v102 (#1477)

https://bugzilla.mozilla.org/1767099

.github/ISSUE_TEMPLATE/troubleshooting-help.md

@@ -1,29 +1,31 @@
 ---
 name: Troubleshooting help
 about: Ask for help to solve problems with user.js
-title: ''
+title: 'follow instructions or this will be closed as invalid'
 labels: ''
 assignees: ''
 
 ---
 
-Before you proceed...
+<!--
-  - Issues will be closed as invalid if you do not [troubleshoot](https://github.com/arkenfox/user.js/wiki/1.4-Troubleshooting), including
-     - confirming the problem is caused by the `user.js`
-     - searching the `[Setup` tags in the `user.js`
-  - Search the GitHub repository. The information you need is most likely here already.
-  - Note: We do not support forks
 
-See also:
+Issues will be closed as invalid if you do not troubleshoot first, or if you ignore the required info in the template.
-  - Override Recipes [issue 1080](https://github.com/arkenfox/user.js/issues/1080)
-  - Extension breakage due to prefs [issue 391](https://github.com/arkenfox/user.js/issues/391)
-  - Prefs vs Recommended Extensions: Co-Existance+Enhancement | Conflicts [issue 350](https://github.com/arkenfox/user.js/issues/350)
 
-If you still need help, help us help you by providing relevant information:
+We do not support forks or no-longer supported releases.
-  - browser version
-  - Steps to Reproduce (STR)
-  - actual result
-  - expected result
-  - anything else you deem worth mentioning
 
-Clear all of this when you're ready to type.
+-->
+
+
+🟥 https://github.com/arkenfox/user.js/wiki/5.2-Troubleshooting
+- [ ] I have read the troubleshooting guide, done the checks and confirmed this is caused by arkenfox
+   - _unchecked issues ~~may~~ will be closed as invalid_
+
+🟪 REQUIRED INFO
+  - Browser version & OS:
+  - Steps to Reproduce (STR):
+  - Expected result:
+  - Actual result:
+  - Console errors and warnings:
+  - Anything else you deem worth mentioning:
+
+---

README.md

@@ -1,5 +1,5 @@
 ### 🟪  user.js
-A `user.js` is a configuration file that can control hundreds of Firefox settings. For a more technical breakdown and explanation, you can read more on the [overview](https://github.com/arkenfox/user.js/wiki/1.1-Overview) wiki page.
+A `user.js` is a configuration file that can control Firefox settings - for a more technical breakdown and explanation, you can read more in the [wiki](https://github.com/arkenfox/user.js/wiki/2.1-User.js)
 
 ### 🟩  the arkenfox user.js
 
@@ -7,9 +7,9 @@ A `user.js` is a configuration file that can control hundreds of Firefox setting
 
 The `arkenfox user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen).
 
-Everyone, experts included, should at least read the [implementation](https://github.com/arkenfox/user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings.
+Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings.
 
-Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services.
+Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://2019.www.torproject.org/about/torusers.html) calls for it, or for accessing hidden services.
 
 Also be aware that the `arkenfox user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
 
@@ -20,6 +20,7 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef
  - [wiki](https://github.com/arkenfox/user.js/wiki)
  - [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22)
  - [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs)
+ - [common questions and answers](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Aanswered)
 
 ### 🟥  acknowledgments
 Literally thousands of sources, references and suggestions. Many thanks, and much appreciated.

scratchpad-scripts/arkenfox-cleanup.js

@@ -1,10 +1,29 @@
 /***
-  This will reset the preferences that have been removed completely from the arkenfox user.js.
+  This will reset the preferences that have been
+  - removed from the arkenfox user.js
+  - deprecated by Mozilla but listed in the arkenfox user.js in the past
 
-  Last updated: 29-August-2021
+  Last updated: 1-July-2022
+
+  Instructions:
+  - [optional] close Firefox and backup your profile
+  - [optional] disable your network connection [1]
+  - start Firefox
+  - load about:config and press Ctrl+Shift+K to open the Web Console for about:config
+    - using about:config is important, so the script has the right permissions
+  - paste this script
+  - if you edited the list of prefs in the script, make sure the last pref does not have a trailing comma
+  - hit enter
+  - check the Info output to see which prefs were reset
+  - restart
+     - some prefs require a restart
+     - a restart will reapply your user.js
+  - [optional] re-enable your network connection
+ 
+  [1] Blocking Firefox from the internet ensures it cannot act on your reset preferences in the
+  period before you restart it, such as app and extension auto-updating, or downloading unwanted
+  components (GMP etc). It depends on what you're resetting and how long before you restart.
 
-  For instructions see:
-  https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
 ***/
 
 (() => {
@@ -12,7 +31,223 @@
   if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!');
 
   const aPREFS = [
-    /* removed in arkenfox user.js */
+    /* DEPRECATED */
+    /* 92-102 */
+    'browser.urlbar.suggest.quicksuggest', // 95
+    'dom.securecontext.whitelist_onions', // 97
+    'dom.storage.next_gen', // 102
+    'network.http.spdy.enabled', // 100
+    'network.http.spdy.enabled.deps',
+    'network.http.spdy.enabled.http2',
+    'network.http.spdy.websockets',
+    'layout.css.font-visibility.level', // 94
+    'network.cookie.lifetimePolicy', // 102 [technically removed in 104]
+    'security.ask_for_password', // 102
+    'security.csp.enable', // 99
+    'security.password_lifetime', // 102
+    'security.ssl3.rsa_des_ede3_sha', // 93
+    /* 79-91 */
+    'browser.cache.offline.storage.enable',
+    'browser.download.hide_plugins_without_extensions',
+    'browser.library.activity-stream.enabled',
+    'browser.search.geoSpecificDefaults',
+    'browser.search.geoSpecificDefaults.url',
+    'dom.ipc.plugins.flash.subprocess.crashreporter.enabled',
+    'dom.ipc.plugins.reportCrashURL',
+    'dom.w3c_pointer_events.enabled',
+    'intl.charset.fallback.override',
+    'network.ftp.enabled',
+    'plugin.state.flash',
+    'security.mixed_content.block_object_subrequest',
+    'security.ssl.errorReporting.automatic',
+    'security.ssl.errorReporting.enabled',
+    'security.ssl.errorReporting.url',
+    /* 69-78 */
+    'browser.newtabpage.activity-stream.telemetry.ping.endpoint',
+    'browser.tabs.remote.allowLinkedWebInFileUriProcess',
+    'browser.urlbar.oneOffSearches',
+    'devtools.webide.autoinstallADBExtension',
+    'devtools.webide.enabled',
+    'dom.indexedDB.enabled',
+    'extensions.blocklist.url',
+    'geo.wifi.logging.enabled',
+    'geo.wifi.uri',
+    'gfx.downloadable_fonts.woff2.enabled',
+    'media.autoplay.allow-muted',
+    'media.autoplay.enabled.user-gestures-needed',
+    'offline-apps.allow_by_default',
+    'plugins.click_to_play',
+    'privacy.userContext.longPressBehavior',
+    'toolkit.cosmeticAnimations.enabled',
+    'toolkit.telemetry.hybridContent.enabled',
+    'webgl.disable-extensions',
+    /* 61-68 */
+    'app.update.enabled',
+    'browser.aboutHomeSnippets.updateUrl',
+    'browser.chrome.errorReporter.enabled',
+    'browser.chrome.errorReporter.submitUrl',
+    'browser.chrome.favicons',
+    'browser.ctrlTab.previews',
+    'browser.fixup.hide_user_pass',
+    'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
+    'browser.newtabpage.activity-stream.disableSnippets',
+    'browser.onboarding.enabled',
+    'browser.search.countryCode',
+    'browser.urlbar.autocomplete.enabled',
+    'devtools.webide.adbAddonURL',
+    'devtools.webide.autoinstallADBHelper',
+    'dom.event.highrestimestamp.enabled',
+    'experiments.activeExperiment',
+    'experiments.enabled',
+    'experiments.manifest.uri',
+    'experiments.supported',
+    'lightweightThemes.update.enabled',
+    'media.autoplay.enabled',
+    'network.allow-experiments',
+    'network.cookie.lifetime.days',
+    'network.jar.block-remote-files',
+    'network.jar.open-unsafe-types',
+    'plugin.state.java',
+    'security.csp.enable_violation_events',
+    'security.csp.experimentalEnabled',
+    'shield.savant.enabled',
+    /* 60 or earlier */
+    'browser.bookmarks.showRecentlyBookmarked',
+    'browser.casting.enabled',
+    'browser.crashReports.unsubmittedCheck.autoSubmit',
+    'browser.formautofill.enabled',
+    'browser.formfill.saveHttpsForms',
+    'browser.fullscreen.animate',
+    'browser.history.allowPopState',
+    'browser.history.allowPushState',
+    'browser.history.allowReplaceState',
+    'browser.newtabpage.activity-stream.enabled',
+    'browser.newtabpage.directory.ping',
+    'browser.newtabpage.directory.source',
+    'browser.newtabpage.enhanced',
+    'browser.newtabpage.introShown',
+    'browser.pocket.api',
+    'browser.pocket.enabled',
+    'browser.pocket.oAuthConsumerKey',
+    'browser.pocket.site',
+    'browser.polaris.enabled',
+    'browser.safebrowsing.appRepURL',
+    'browser.safebrowsing.enabled',
+    'browser.safebrowsing.gethashURL',
+    'browser.safebrowsing.malware.reportURL',
+    'browser.safebrowsing.provider.google.appRepURL',
+    'browser.safebrowsing.reportErrorURL',
+    'browser.safebrowsing.reportGenericURL',
+    'browser.safebrowsing.reportMalwareErrorURL',
+    'browser.safebrowsing.reportMalwareMistakeURL',
+    'browser.safebrowsing.reportMalwareURL',
+    'browser.safebrowsing.reportPhishMistakeURL',
+    'browser.safebrowsing.reportURL',
+    'browser.safebrowsing.updateURL',
+    'browser.search.showOneOffButtons',
+    'browser.selfsupport.enabled',
+    'browser.selfsupport.url',
+    'browser.sessionstore.privacy_level_deferred',
+    'browser.tabs.animate',
+    'browser.trackingprotection.gethashURL',
+    'browser.trackingprotection.updateURL',
+    'browser.urlbar.unifiedcomplete',
+    'browser.usedOnWindows10.introURL',
+    'camera.control.autofocus_moving_callback.enabled',
+    'camera.control.face_detection.enabled',
+    'datareporting.healthreport.about.reportUrl',
+    'datareporting.healthreport.about.reportUrlUnified',
+    'datareporting.healthreport.documentServerURI',
+    'datareporting.healthreport.service.enabled',
+    'datareporting.policy.dataSubmissionEnabled.v2',
+    'devtools.webide.autoinstallFxdtAdapters',
+    'dom.archivereader.enabled',
+    'dom.beforeAfterKeyboardEvent.enabled',
+    'dom.disable_image_src_set',
+    'dom.disable_window_open_feature.scrollbars',
+    'dom.disable_window_status_change',
+    'dom.enable_user_timing',
+    'dom.flyweb.enabled',
+    'dom.idle-observers-api.enabled',
+    'dom.keyboardevent.code.enabled',
+    'dom.network.enabled',
+    'dom.push.udp.wakeupEnabled',
+    'dom.telephony.enabled',
+    'dom.vr.oculus050.enabled',
+    'dom.workers.enabled',
+    'dom.workers.sharedWorkers.enabled',
+    'extensions.formautofill.experimental',
+    'extensions.screenshots.system-disabled',
+    'extensions.shield-recipe-client.api_url',
+    'extensions.shield-recipe-client.enabled',
+    'full-screen-api.approval-required',
+    'general.useragent.locale',
+    'geo.security.allowinsecure',
+    'intl.locale.matchOS',
+    'loop.enabled',
+    'loop.facebook.appId',
+    'loop.facebook.enabled',
+    'loop.facebook.fallbackUrl',
+    'loop.facebook.shareUrl',
+    'loop.feedback.formURL',
+    'loop.feedback.manualFormURL',
+    'loop.logDomains',
+    'loop.server',
+    'media.block-play-until-visible',
+    'media.eme.apiVisible',
+    'media.eme.chromium-api.enabled',
+    'media.getusermedia.screensharing.allow_on_old_platforms',
+    'media.getusermedia.screensharing.allowed_domains',
+    'media.gmp-eme-adobe.autoupdate',
+    'media.gmp-eme-adobe.enabled',
+    'media.gmp-eme-adobe.visible',
+    'network.http.referer.userControlPolicy',
+    'network.http.sendSecureXSiteReferrer',
+    'network.http.spdy.enabled.http2draft',
+    'network.http.spdy.enabled.v3-1',
+    'network.websocket.enabled',
+    'pageThumbs.enabled',
+    'pfs.datasource.url',
+    'plugin.scan.Acrobat',
+    'plugin.scan.Quicktime',
+    'plugin.scan.WindowsMediaPlayer',
+    'plugins.enumerable_names',
+    'plugins.update.notifyUser',
+    'plugins.update.url',
+    'privacy.clearOnShutdown.passwords',
+    'privacy.donottrackheader.value',
+    'security.mixed_content.send_hsts_priming',
+    'security.mixed_content.use_hsts',
+    'security.ssl3.ecdhe_ecdsa_rc4_128_sha',
+    'security.ssl3.ecdhe_rsa_rc4_128_sha',
+    'security.ssl3.rsa_rc4_128_md5',
+    'security.ssl3.rsa_rc4_128_sha',
+    'security.tls.insecure_fallback_hosts.use_static_list',
+    'security.tls.unrestricted_rc4_fallback',
+    'security.xpconnect.plugin.unrestricted',
+    'social.directories',
+    'social.enabled',
+    'social.remote-install.enabled',
+    'social.share.activationPanelEnabled',
+    'social.shareDirectory',
+    'social.toast-notifications.enabled',
+    'social.whitelist',
+    'toolkit.telemetry.unifiedIsOptIn',
+
+    /* REMOVED */
+    /* 92-102 */
+    'browser.urlbar.trimURLs',
+    'dom.caches.enabled',
+    'dom.storageManager.enabled',
+    'dom.storage_access.enabled',
+    'dom.targetBlankNoOpener.enabled',
+    'network.cookie.thirdparty.sessionOnly',
+    'network.cookie.thirdparty.nonsecureSessionOnly',
+    'privacy.firstparty.isolate.block_post_message',
+    'privacy.firstparty.isolate.restrict_opener_access',
+    'privacy.firstparty.isolate.use_site',
+    'privacy.window.name.update.enabled',
+    'security.insecure_connection_text.enabled',
     /* 79-91 */
     'alerts.showFavicons',
     'browser.newtabpage.activity-stream.asrouter.providers.snippets',
@@ -68,7 +303,6 @@
     'browser.cache.disk.smart_size.first_run',
     'browser.cache.offline.insecure.enable',
     'browser.contentblocking.enabled',
-    'browser.eme.ui.enabled',
     'browser.laterrun.enabled',
     'browser.offline-apps.notify',
     'browser.rights.3.shown',
@@ -232,6 +466,8 @@
        // 'dom.ipc.plugins.sandbox-level.default',
        // 'dom.ipc.plugins.sandbox-level.flash',
        // 'security.sandbox.logging.enabled',
+
+    /* IMPORTANT: last active pref must not have a trailing comma */ 
     /* reset parrot: check your open about:config after running the script */
     '_user.js.parrot'
   ];

scratchpad-scripts/arkenfox-clear-deprecated.js

@@ -1,232 +0,0 @@
-/***
-  Version: up to and including FF/ESR91
-
-  This will reset the preferences that have been deprecated by Mozilla
-  and used in the arkenfox user.js
-
-  It is in reverse order, so feel free to remove sections that do not apply
-
-  For instructions see:
-  https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
-***/
-
-(() => {
-
-  if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!');
-
-  const aPREFS = [
-    /* deprecated */
-    /* FF79-91 */
-    'browser.cache.offline.storage.enable',
-    'browser.download.hide_plugins_without_extensions',
-    'browser.library.activity-stream.enabled',
-    'browser.search.geoSpecificDefaults',
-    'browser.search.geoSpecificDefaults.url',
-    'dom.ipc.plugins.flash.subprocess.crashreporter.enabled',
-    'dom.ipc.plugins.reportCrashURL',
-    'dom.w3c_pointer_events.enabled',
-    'intl.charset.fallback.override',
-    'network.ftp.enabled',
-    'plugin.state.flash',
-    'security.mixed_content.block_object_subrequest',
-    'security.ssl.errorReporting.automatic',
-    'security.ssl.errorReporting.enabled',
-    'security.ssl.errorReporting.url',
-    /* 69-78 */
-    'browser.newtabpage.activity-stream.telemetry.ping.endpoint',
-    'browser.tabs.remote.allowLinkedWebInFileUriProcess',
-    'browser.urlbar.oneOffSearches',
-    'devtools.webide.autoinstallADBExtension',
-    'devtools.webide.enabled',
-    'dom.indexedDB.enabled',
-    'extensions.blocklist.url',
-    'geo.wifi.logging.enabled',
-    'geo.wifi.uri',
-    'gfx.downloadable_fonts.woff2.enabled',
-    'media.autoplay.allow-muted',
-    'media.autoplay.enabled.user-gestures-needed',
-    'offline-apps.allow_by_default',
-    'plugins.click_to_play',
-    'privacy.userContext.longPressBehavior',
-    'toolkit.cosmeticAnimations.enabled',
-    'toolkit.telemetry.hybridContent.enabled',
-    'webgl.disable-extensions',
-    /* 61-68 */
-    'app.update.enabled',
-    'browser.aboutHomeSnippets.updateUrl',
-    'browser.chrome.errorReporter.enabled',
-    'browser.chrome.errorReporter.submitUrl',
-    'browser.chrome.favicons',
-    'browser.ctrlTab.previews',
-    'browser.fixup.hide_user_pass',
-    'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
-    'browser.newtabpage.activity-stream.disableSnippets',
-    'browser.onboarding.enabled',
-    'browser.search.countryCode',
-    'browser.urlbar.autocomplete.enabled',
-    'devtools.webide.adbAddonURL',
-    'devtools.webide.autoinstallADBHelper',
-    'dom.event.highrestimestamp.enabled',
-    'experiments.activeExperiment',
-    'experiments.enabled',
-    'experiments.manifest.uri',
-    'experiments.supported',
-    'lightweightThemes.update.enabled',
-    'media.autoplay.enabled',
-    'network.allow-experiments',
-    'network.cookie.lifetime.days',
-    'network.jar.block-remote-files',
-    'network.jar.open-unsafe-types',
-    'plugin.state.java',
-    'security.csp.enable_violation_events',
-    'security.csp.experimentalEnabled',
-    'shield.savant.enabled',
-    /* 60 or earlier */
-    'browser.bookmarks.showRecentlyBookmarked',
-    'browser.casting.enabled',
-    'browser.crashReports.unsubmittedCheck.autoSubmit',
-    'browser.formautofill.enabled',
-    'browser.formfill.saveHttpsForms',
-    'browser.fullscreen.animate',
-    'browser.history.allowPopState',
-    'browser.history.allowPushState',
-    'browser.history.allowReplaceState',
-    'browser.newtabpage.activity-stream.enabled',
-    'browser.newtabpage.directory.ping',
-    'browser.newtabpage.directory.source',
-    'browser.newtabpage.enhanced',
-    'browser.newtabpage.introShown',
-    'browser.pocket.api',
-    'browser.pocket.enabled',
-    'browser.pocket.oAuthConsumerKey',
-    'browser.pocket.site',
-    'browser.polaris.enabled',
-    'browser.safebrowsing.appRepURL',
-    'browser.safebrowsing.enabled',
-    'browser.safebrowsing.gethashURL',
-    'browser.safebrowsing.malware.reportURL',
-    'browser.safebrowsing.provider.google.appRepURL',
-    'browser.safebrowsing.reportErrorURL',
-    'browser.safebrowsing.reportGenericURL',
-    'browser.safebrowsing.reportMalwareErrorURL',
-    'browser.safebrowsing.reportMalwareMistakeURL',
-    'browser.safebrowsing.reportMalwareURL',
-    'browser.safebrowsing.reportPhishMistakeURL',
-    'browser.safebrowsing.reportURL',
-    'browser.safebrowsing.updateURL',
-    'browser.search.showOneOffButtons',
-    'browser.selfsupport.enabled',
-    'browser.selfsupport.url',
-    'browser.sessionstore.privacy_level_deferred',
-    'browser.tabs.animate',
-    'browser.trackingprotection.gethashURL',
-    'browser.trackingprotection.updateURL',
-    'browser.urlbar.unifiedcomplete',
-    'browser.usedOnWindows10.introURL',
-    'camera.control.autofocus_moving_callback.enabled',
-    'camera.control.face_detection.enabled',
-    'datareporting.healthreport.about.reportUrl',
-    'datareporting.healthreport.about.reportUrlUnified',
-    'datareporting.healthreport.documentServerURI',
-    'datareporting.healthreport.service.enabled',
-    'datareporting.policy.dataSubmissionEnabled.v2',
-    'devtools.webide.autoinstallFxdtAdapters',
-    'dom.archivereader.enabled',
-    'dom.battery.enabled',
-    'dom.beforeAfterKeyboardEvent.enabled',
-    'dom.disable_image_src_set',
-    'dom.disable_window_open_feature.scrollbars',
-    'dom.disable_window_status_change',
-    'dom.enable_user_timing',
-    'dom.flyweb.enabled',
-    'dom.idle-observers-api.enabled',
-    'dom.keyboardevent.code.enabled',
-    'dom.network.enabled',
-    'dom.push.udp.wakeupEnabled',
-    'dom.telephony.enabled',
-    'dom.vr.oculus050.enabled',
-    'dom.workers.enabled',
-    'dom.workers.sharedWorkers.enabled',
-    'extensions.formautofill.experimental',
-    'extensions.screenshots.system-disabled',
-    'extensions.shield-recipe-client.api_url',
-    'extensions.shield-recipe-client.enabled',
-    'full-screen-api.approval-required',
-    'general.useragent.locale',
-    'geo.security.allowinsecure',
-    'intl.locale.matchOS',
-    'loop.enabled',
-    'loop.facebook.appId',
-    'loop.facebook.enabled',
-    'loop.facebook.fallbackUrl',
-    'loop.facebook.shareUrl',
-    'loop.feedback.formURL',
-    'loop.feedback.manualFormURL',
-    'loop.logDomains',
-    'loop.server',
-    'media.block-play-until-visible',
-    'media.eme.apiVisible',
-    'media.eme.chromium-api.enabled',
-    'media.getusermedia.screensharing.allow_on_old_platforms',
-    'media.getusermedia.screensharing.allowed_domains',
-    'media.gmp-eme-adobe.autoupdate',
-    'media.gmp-eme-adobe.enabled',
-    'media.gmp-eme-adobe.visible',
-    'network.http.referer.userControlPolicy',
-    'network.http.sendSecureXSiteReferrer',
-    'network.http.spdy.enabled.http2draft',
-    'network.http.spdy.enabled.v3-1',
-    'network.websocket.enabled',
-    'pageThumbs.enabled',
-    'pfs.datasource.url',
-    'plugin.scan.Acrobat',
-    'plugin.scan.Quicktime',
-    'plugin.scan.WindowsMediaPlayer',
-    'plugins.enumerable_names',
-    'plugins.update.notifyUser',
-    'plugins.update.url',
-    'privacy.clearOnShutdown.passwords',
-    'privacy.donottrackheader.value',
-    'security.mixed_content.send_hsts_priming',
-    'security.mixed_content.use_hsts',
-    'security.ssl3.ecdhe_ecdsa_rc4_128_sha',
-    'security.ssl3.ecdhe_rsa_rc4_128_sha',
-    'security.ssl3.rsa_rc4_128_md5',
-    'security.ssl3.rsa_rc4_128_sha',
-    'security.tls.insecure_fallback_hosts.use_static_list',
-    'security.tls.unrestricted_rc4_fallback',
-    'security.xpconnect.plugin.unrestricted',
-    'social.directories',
-    'social.enabled',
-    'social.remote-install.enabled',
-    'social.share.activationPanelEnabled',
-    'social.shareDirectory',
-    'social.toast-notifications.enabled',
-    'social.whitelist',
-    'toolkit.telemetry.unifiedIsOptIn',
-
-    /* reset parrot: check your open about:config after running the script */
-    '_user.js.parrot'
-  ];
-
-  console.clear();
-
-  let c = 0;
-  for (const sPname of aPREFS) {
-    if (Services.prefs.prefHasUserValue(sPname)) {
-      Services.prefs.clearUserPref(sPname);
-      if (!Services.prefs.prefHasUserValue(sPname)) {
-        console.info('reset', sPname);
-        c++;
-      } else console.warn('failed to reset', sPname);
-    }
-  }
-
-  focus();
-
-  const d = (c==1) ? ' pref' : ' prefs';
-  alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset');
-
-  return 'all done';
-
-})();

updater.bat

@@ -3,10 +3,10 @@ TITLE arkenfox user.js updater
 
 REM ## arkenfox user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.14
+REM ## version: 4.16
-REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts
+REM ## instructions: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-windows
 
-SET v=4.14
+SET v=4.15
 
 VERIFY ON
 CD /D "%~dp0"
@@ -23,7 +23,6 @@ IF /I "%~1"=="-merge" (SET _merge=1)
 IF /I "%~1"=="-updatebatch" (SET _updateb=1)
 IF /I "%~1"=="-singlebackup" (SET _singlebackup=1)
 IF /I "%~1"=="-esr" (SET _esr=1)
-IF /I "%~1"=="-rfpalts" (SET _rfpalts=1)
 SHIFT
 GOTO parse
 :endparse
@@ -141,10 +140,6 @@ IF EXIST user.js.new (DEL /F "user.js.new")
 CALL :message "Retrieving latest user.js file from github repository..."
 CALL :psdownload https://raw.githubusercontent.com/arkenfox/user.js/master/user.js "user.js.new"
 IF EXIST user.js.new (
-	IF DEFINED _rfpalts (
-		CALL :message "Activating RFP Alternatives section..."
-		CALL :activate user.js.new "[SETUP-non-RFP]"
-	)
 	IF DEFINED _esr (
 		CALL :message "Activating ESR section..."
 		CALL :activate user.js.new ".x still uses all the following prefs"
@@ -320,8 +315,6 @@ ECHO:     Run without user input.
 CALL :message "  -singleBackup"
 ECHO:     Use a single backup file and overwrite it on new updates, instead of
 ECHO:     cumulative backups. This was the default behaviour before v4.3.
-CALL :message "  -rfpAlts"
-ECHO:     Activate RFP Alternatives section
 CALL :message "  -updateBatch"
 ECHO:     Update the script itself on execution, before the normal routine.
 CALL :message ""

updater.sh

@@ -2,7 +2,7 @@
 
 ## arkenfox user.js updater for macOS and Linux
 
-## version: 3.2
+## version: 3.4
 ## Author: Pat Johnson (@overdodactyl)
 ## Additional contributors: @earthlng, @ema-pe, @claustromaniac
 
@@ -62,7 +62,7 @@ show_banner() {
                 ####                                                                    ####
                 ############################################################################"
   echo -e "${NC}\n"
-  echo -e "Documentation for this script is available here: ${CYAN}https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts${NC}\n"
+  echo -e "Documentation for this script is available here: ${CYAN}https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-maclinux${NC}\n"
 }
 
 #########################
@@ -106,7 +106,7 @@ Optional Arguments:
 download_file() { # expects URL as argument ($1)
   declare -r tf=$(mktemp)
 
-  $DOWNLOAD_METHOD "${tf}" "$1" && echo "$tf" || echo '' # return the temp-filename or empty string on error
+  $DOWNLOAD_METHOD "${tf}" "$1" &>/dev/null && echo "$tf" || echo '' # return the temp-filename or empty string on error
 }
 
 open_file() { # expects one argument: file_path

user.js

@@ -1,25 +1,24 @@
 /******
-* name: arkenfox user.js
+*    name: arkenfox user.js
-* date: 8 December 2021
+*    date: 1 July 2022
-* version 95
+* version: 102
-* url: https://github.com/arkenfox/user.js
+*     url: https://github.com/arkenfox/user.js
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
 
 * README:
 
   1. Consider using Tor Browser if it meets your needs or fits your threat model
        * https://2019.www.torproject.org/about/torusers.html
-  2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries
+  2. Read the entire wiki
        * https://github.com/arkenfox/user.js/wiki
   3. If you skipped step 2, return to step 2
-  4. Make changes
+  4. Make changes in a user-overrides.js
        * There are often trade-offs and conflicts between security vs privacy vs anti-tracking
          and these need to be balanced against functionality & convenience & breakage
        * Some site breakage and unintended consequences will happen. Everyone's experience will differ
          e.g. some user data is erased on exit (section 2800), change this to suit your needs
        * While not 100% definitive, search for "[SETUP" tags
          e.g. third party images/videos not loading on some sites? check 1601
-       * Take the wiki link in step 2 and read the Troubleshooting entry
   5. Some tag info
        [SETUP-SECURITY] it's one item, read it
             [SETUP-WEB] can cause some websites to break
@@ -51,18 +50,16 @@
   1600: HEADERS / REFERERS
   1700: CONTAINERS
   2000: PLUGINS / MEDIA / WEBRTC
-  2300: WEB WORKERS
   2400: DOM (DOCUMENT OBJECT MODEL)
   2600: MISCELLANEOUS
-  2700: PERSISTENT STORAGE
+  2700: ETP (ENHANCED TRACKING PROTECTION)
   2800: SHUTDOWN & SANITIZING
-  4000: FPI (FIRST PARTY ISOLATION)
   4500: RFP (RESIST FINGERPRINTING)
   5000: OPTIONAL OPSEC
   5500: OPTIONAL HARDENING
   6000: DON'T TOUCH
   7000: DON'T BOTHER
-  8000: DON'T BOTHER: NON-RFP
+  8000: DON'T BOTHER: FINGERPRINTING
   9000: PERSONAL
   9999: DEPRECATED / REMOVED / LEGACY / RENAMED
 
@@ -85,7 +82,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 user_pref("browser.shell.checkDefaultBrowser", false);
 /* 0102: set startup page [SETUP-CHROME]
  * 0=blank, 1=home, 2=last visited page, 3=resume previous session
- * [NOTE] Session Restore is cleared with history (2811, 2812), and not used in Private Browsing mode
+ * [NOTE] Session Restore is cleared with history (2811, 2820), and not used in Private Browsing mode
  * [SETTING] General>Startup>Restore previous session ***/
 user_pref("browser.startup.page", 0);
 /* 0103: set HOME+NEWWINDOW page
@@ -133,35 +130,14 @@ user_pref("browser.region.update.enabled", false); // [FF79+]
  * [SETTING] General>Language and Appearance>Language>Choose your preferred language...
  * [TEST] https://addons.mozilla.org/about ***/
 user_pref("intl.accept_languages", "en-US, en");
-/* 0211: use US English locale regardless of the system locale
+/* 0211: use en-US locale regardless of the system or region locale
  * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
+ * [TEST] https://arkenfox.github.io/TZP/tests/formatting.html
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
 user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
 
 /*** [SECTION 0300]: QUIETER FOX ***/
 user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
-/** UPDATES ***/
-/* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS]
- * [NOTE] You will still get prompts to update, and should do so in a timely manner
- * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/
-user_pref("app.update.auto", false);
-/* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS]
- * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
- * [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/
-user_pref("app.update.background.scheduling.enabled", false);
-/* 0303: disable auto-CHECKING for extension and theme updates ***/
-   // user_pref("extensions.update.enabled", false);
-/* 0304: disable auto-INSTALLING extension and theme updates (after the check in 0303)
- * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
-   // user_pref("extensions.update.autoUpdateDefault", false);
-/* 0305: disable extension metadata
- * used when installing/updating an extension, and in daily background update checks:
- * when false, extension detail tabs will have no description ***/
-   // user_pref("extensions.getAddons.cache.enabled", false);
-/* 0306: disable search engine updates (e.g. OpenSearch)
- * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/
-user_pref("browser.search.update", false);
-
 /** RECOMMENDATIONS ***/
 /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/
 user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
@@ -182,7 +158,7 @@ user_pref("datareporting.policy.dataSubmissionEnabled", false);
  * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/
 user_pref("datareporting.healthreport.uploadEnabled", false);
 /* 0332: disable telemetry
- * The "unified" pref affects the behaviour of the "enabled" pref
+ * The "unified" pref affects the behavior of the "enabled" pref
  * - If "unified" is false then "enabled" controls the telemetry module
  * - If "unified" is true then "enabled" only controls whether to record extended data
  * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2]
@@ -233,9 +209,6 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+]
 /* 0361: disable Network Connectivity checks [FF65+]
  * [1] https://bugzilla.mozilla.org/1460537 ***/
 user_pref("network.connectivity-service.enabled", false);
-/* 0362: enforce disabling of Web Compatibility Reporter [FF56+]
- * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
-user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
 
 /*** [SECTION 0400]: SAFE BROWSING (SB)
    SB has taken many steps to preserve privacy. If required, a full url is never sent
@@ -261,16 +234,16 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
  * To verify the safety of certain executable files, Firefox may submit some information about the
  * file, including the name, origin, size and a cryptographic hash of the contents, to the Google
  * Safe Browsing service which helps Firefox determine whether or not the file should be blocked
- * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override it ***/
+ * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/
 user_pref("browser.safebrowsing.downloads.remote.enabled", false);
-user_pref("browser.safebrowsing.downloads.remote.url", "");
+   // user_pref("browser.safebrowsing.downloads.remote.url", ""); // Defense-in-depth
 /* 0404: disable SB checks for unwanted software
  * [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software" ***/
    // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
    // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
 /* 0405: disable "ignore this warning" on SB warnings [FF45+]
  * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB
- * [TEST] see github wiki APPENDIX A: Test Sites: Section 5
+ * [TEST] see https://github.com/arkenfox/user.js/wiki/Appendix-A-Test-Sites#-mozilla
  * [1] https://bugzilla.mozilla.org/1226490 ***/
    // user_pref("browser.safebrowsing.allowOverride", false);
 
@@ -289,7 +262,9 @@ user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: fals
 /* 0604: disable link-mouseover opening connection to linked server
  * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/
 user_pref("network.http.speculative-parallel-limit", 0);
-/* 0605: enforce no "Hyperlink Auditing" (click tracking)
+/* 0605: disable mousedown speculative connections on bookmarks and history [FF98+] ***/
+user_pref("browser.places.speculativeConnect.enabled", false);
+/* 0610: enforce no "Hyperlink Auditing" (click tracking)
  * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
    // user_pref("browser.send_pings", false); // [DEFAULT: false]
 
@@ -315,9 +290,9 @@ user_pref("network.proxy.socks_remote_dns", true);
  * [SETUP-CHROME] Can break extensions for profiles on network shares
  * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
 user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
-/* 0704: disable GIO as a potential proxy bypass vector [FF60+]
+/* 0704: disable GIO as a potential proxy bypass vector
- * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
+ * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
- * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
+ * dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+)
  * [1] https://bugzilla.mozilla.org/1433507
  * [2] https://en.wikipedia.org/wiki/GVfs
  * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
@@ -327,12 +302,18 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
  * [SETUP-CHROME] If you use a proxy and you trust your extensions
  * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
    // user_pref("network.proxy.failover_direct", false);
+/* 0706: disable proxy bypass for system request failures [FF95+]
+ * RemoteSettings, UpdateService, Telemetry [1]
+ * [WARNING] If false, this will break the fallback for some security features
+ * [SETUP-CHROME] If you use a proxy and you understand the security impact
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
+   // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF FF95-96]
 /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
  * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
- * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3]
+ * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
  * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
  * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
- * [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/
+ * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
  * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
    // user_pref("network.trr.mode", 5);
 
@@ -343,8 +324,7 @@ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
  * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
  * [NOTE] This does not affect explicit user action such as using search buttons in the
  * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo)
- * [SETUP-CHROME] If you don't, or rarely, type URLs, or you use a default search
+ * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
- * engine that respects privacy, then you probably don't need this ***/
 user_pref("keyword.enabled", false);
 /* 0802: disable location bar domain guessing
  * domain guessing intercepts DNS "hostname not found errors" and resends a
@@ -354,11 +334,9 @@ user_pref("keyword.enabled", false);
  * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
  * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
 user_pref("browser.fixup.alternate.enabled", false);
-/* 0803: display all parts of the url in the location bar ***/
-user_pref("browser.urlbar.trimURLs", false);
 /* 0804: disable live search suggestions
  * [NOTE] Both must be true for the location bar to work
- * [SETUP-CHROME] Change these if you trust and use a privacy respecting search engine
+ * [SETUP-CHROME] Override these if you trust and use a privacy respecting search engine
  * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/
 user_pref("browser.search.suggest.enabled", false);
 user_pref("browser.urlbar.suggest.searches", false);
@@ -411,16 +389,12 @@ user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
    [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
 ***/
 user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
-/* 0901: set when Firefox should prompt for the primary password
- * 0=once per session (default), 1=every time it's needed, 2=after n minutes (0902) ***/
-user_pref("security.ask_for_password", 2);
-/* 0902: set how long in minutes Firefox should remember the primary password (0901) ***/
-user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
 /* 0903: disable auto-filling username & password form fields
  * can leak in cross-site forms *and* be spoofed
  * [NOTE] Username & password is still available when you enter the field
  * [SETTING] Privacy & Security>Logins and Passwords>Autofill logins and passwords
- * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/ ***/
+ * [1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
+ * [2] https://homes.esat.kuleuven.be/~asenol/leaky-forms/ ***/
 user_pref("signon.autofillForms", false);
 /* 0904: disable formless login capture for Password Manager [FF51+] ***/
 user_pref("signon.formlessCapture.enabled", false);
@@ -472,22 +446,23 @@ user_pref("browser.shell.shortcutFavicons", false);
 user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
 /* 1201: require safe negotiation
- * Blocks connections (SSL_ERROR_UNSAFE_NEGOTIATION) to servers that don't support RFC 5746 [2]
+ * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a
- * as they're potentially vulnerable to a MiTM attack [3]. A server without RFC 5746 can be
+ * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations
- * safe from the attack if it disables renegotiations but the problem is that the browser can't
+ * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
- * know that. Setting this pref to true is the only way for the browser to ensure there will be
+ * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
- * no unsafe renegotiations on the channel between the browser and the server.
+ * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
- * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4]
+ * [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4]
  * [1] https://wiki.mozilla.org/Security:Renegotiation
  * [2] https://datatracker.ietf.org/doc/html/rfc5746
  * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
  * [4] https://www.ssllabs.com/ssl-pulse/ ***/
 user_pref("security.ssl.require_safe_negotiation", true);
-/* 1203: reset TLS 1.0 and 1.1 downgrades i.e. session only ***/
-user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
 /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
+ * This data is not forward secret, as it is encrypted solely under keys derived using
+ * the offered PSK. There are no guarantees of non-replay between connections
  * [1] https://github.com/tlswg/tls13-spec/issues/1001
- * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
+ * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt
+ * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
 user_pref("security.tls.enable_0rtt_data", false);
 
 /** OCSP (Online Certificate Status Protocol)
@@ -512,14 +487,6 @@ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
 user_pref("security.OCSP.require", true);
 
 /** CERTS / HPKP (HTTP Public Key Pinning) ***/
-/* 1220: disable or limit SHA-1 certificates
- * 0 = allow all
- * 1 = block all
- * 3 = only allow locally-added roots (e.g. anti-virus) (default)
- * 4 = only allow locally-added roots or for certs in 2015 and earlier
- * [SETUP-CHROME] If you have problems, update your software: SHA-1 is obsolete
- * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
-user_pref("security.pki.sha1_enforcement_level", 1);
 /* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
  * 0=disable detecting Family Safety mode and importing the root
  * 1=only attempt to detect Family Safety mode (don't import the root)
@@ -533,8 +500,11 @@ user_pref("security.family_safety.mode", 0);
  * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/
 user_pref("security.cert_pinning.enforcement_level", 2);
 /* 1224: enable CRLite [FF73+]
- * In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP
+ * 0 = disabled
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985
+ * 1 = consult CRLite but only collect telemetry
+ * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
+ * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (FF99+, default FF100+)
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
  * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
 user_pref("security.remote_settings.crlite_filters.enabled", true);
 user_pref("security.pki.crlite_mode", 2);
@@ -547,14 +517,14 @@ user_pref("security.mixed_content.block_display_content", true);
  * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site")
  * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions)
  * [TEST] http://example.com [upgrade]
- * [TEST] http://neverssl.com/ [no upgrade] ***/
+ * [TEST] http://httpforever.com/ [no upgrade] ***/
 user_pref("dom.security.https_only_mode", true); // [FF76+]
    // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
 /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
    // user_pref("dom.security.https_only_mode.upgrade_local", true);
 /* 1246: disable HTTP background requests [FF82+]
- * When attempting to upgrade, if the server doesn't respond within 3 seconds,
+ * When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox sends
- * Firefox sends HTTP requests in order to check if the server supports HTTPS or not
+ * a top-level HTTP request without path in order to check if the server supports HTTPS or not
  * This is done to avoid waiting for a timeout which takes 90 seconds
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
 user_pref("dom.security.https_only_mode_send_http_background_request", false);
@@ -574,8 +544,6 @@ user_pref("browser.ssl_override_behavior", 1);
  * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
  * [TEST] https://expired.badssl.com/ ***/
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
-/* 1273: display "Not Secure" text on HTTP sites ***/
-user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
 
 /*** [SECTION 1400]: FONTS ***/
 user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
@@ -592,7 +560,6 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
    // user_pref("layout.css.font-visibility.trackingprotection", 1);
 
 /*** [SECTION 1600]: HEADERS / REFERERS
-   Expect some breakage e.g. banks: use an extension if you need precise control
                   full URI: https://example.com:8888/foo/bar.html?id=1234
      scheme+host+port+path: https://example.com:8888/foo/bar.html
           scheme+host+port: https://example.com:8888
@@ -601,29 +568,21 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
 /* 1601: control when to send a cross-origin referer
  * 0=always (default), 1=only if base domains match, 2=only if hosts match
- * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/
+ * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram
+ * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/
 user_pref("network.http.referer.XOriginPolicy", 2);
 /* 1602: control the amount of cross-origin information to send [FF52+]
  * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
 user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
-/* 1603: enable the DNT (Do Not Track) HTTP header
- * [NOTE] DNT is enforced with Enhanced Tracking Protection (2710)
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/
-   // user_pref("privacy.donottrackheader.enabled", true);
 
-/*** [SECTION 1700]: CONTAINERS
+/*** [SECTION 1700]: CONTAINERS ***/
-   Check out Temporary Containers [2], read the article [3], and visit the wiki/repo [4]
-   [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
-   [2] https://addons.mozilla.org/firefox/addon/temporary-containers/
-   [3] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
-   [4] https://github.com/stoically/temporary-containers/wiki
-***/
 user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
 /* 1701: enable Container Tabs and its UI setting [FF50+]
- * [SETTING] General>Tabs>Enable Container Tabs ***/
+ * [SETTING] General>Tabs>Enable Container Tabs
+ * https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers ***/
 user_pref("privacy.userContext.enabled", true);
 user_pref("privacy.userContext.ui.enabled", true);
-/* 1702: set behaviour on "+ Tab" button to display container menu on left click [FF74+]
+/* 1702: set behavior on "+ Tab" button to display container menu on left click [FF74+]
  * [NOTE] The menu is always shown on long press and right click
  * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/
    // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true);
@@ -657,11 +616,13 @@ user_pref("media.peerconnection.ice.default_address_only", true);
  * [NOTE] This is covered by the EME master switch (2022) ***/
    // user_pref("media.gmp-widevinecdm.enabled", false);
 /* 2022: disable all DRM content (EME: Encryption Media Extension)
+ * Optionally hide the setting which also disables the DRM prompt
  * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
  * [SETTING] General>DRM Content>Play DRM-controlled content
  * [TEST] https://bitmovin.com/demos/drm
  * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
 user_pref("media.eme.enabled", false);
+   // user_pref("browser.eme.ui.enabled", false);
 /* 2030: disable autoplay of HTML5 media [FF63+]
  * 0=Allow all, 1=Block non-muted media (default), 5=Block all
  * [NOTE] You can set exceptions under site permissions
@@ -669,51 +630,11 @@ user_pref("media.eme.enabled", false);
    // user_pref("media.autoplay.default", 5);
 /* 2031: disable autoplay of HTML5 media if you interacted with the site [FF78+]
  * 0=sticky (default), 1=transient, 2=user
- * Firefox's Autoplay Policy Documentation [PDF] is linked below via SUMO
+ * Firefox's Autoplay Policy Documentation (PDF) is linked below via SUMO
  * [NOTE] If you have trouble with some video sites, then add an exception (2030)
  * [1] https://support.mozilla.org/questions/1293231 ***/
 user_pref("media.autoplay.blocking_policy", 2);
 
-/*** [SECTION 2300]: WEB WORKERS
-   A worker is a JS "background task" running in a global context, i.e. it is different from
-   the current window. Workers can spawn new workers (must be the same origin & scheme),
-   including service and shared workers. Shared workers can be utilized by multiple scripts and
-   communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
-
-   [1]    Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
-   [2]         Worker: https://developer.mozilla.org/docs/Web/API/Worker
-   [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API
-   [4]   SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker
-   [5]   ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker
-   [6]  Notifications: https://support.mozilla.org/questions/1165867#answer-981820
-***/
-user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
-/* 2302: disable service workers [FF32, FF44-compat]
- * Service workers essentially act as proxy servers that sit between web apps, and the
- * browser and network, are event driven, and can control the web page/site they are associated
- * with, intercepting and modifying navigation and resource requests, and caching resources.
- * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1]
- * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for
- * service worker notifications (2304), push notifications (disabled, 2305) and service worker
- * cache (2740). If you enable this pref, then check those settings as well
- * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/
-user_pref("dom.serviceWorkers.enabled", false);
-/* 2304: disable Web Notifications
- * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (7002)
- * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
-   // user_pref("dom.webnotifications.enabled", false); // [FF22+]
-   // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
-/* 2305: disable Push Notifications [FF44+]
- * Push is an API that allows websites to send you (subscribed) messages even when the site
- * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server
- * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind
- * a prompt (7002). Disabling service workers alone doesn't stop Firefox polling the
- * Mozilla Push Server. To remove all subscriptions, reset your userAgentID.
- * [1] https://support.mozilla.org/kb/push-notifications-firefox
- * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/
-user_pref("dom.push.enabled", false);
-   // user_pref("dom.push.userAgentID", "");
-
 /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/
 user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
 /* 2401: disable "Confirm you want to leave" dialog on page close
@@ -801,6 +722,9 @@ user_pref("browser.download.useDownloadDir", false);
 user_pref("browser.download.alwaysOpenPanel", false);
 /* 2653: disable adding downloads to the system's "recent documents" list ***/
 user_pref("browser.download.manager.addToRecentDocs", false);
+/* 2654: enable user interaction for security by always asking how to handle new mimetypes [FF101+]
+ * [SETTING] General>Files and Applications>What should Firefox do with other files ***/
+user_pref("browser.download.always_ask_before_handling_new_types", true);
 
 /** EXTENSIONS ***/
 /* 2660: lock down allowed extension directories
@@ -817,88 +741,39 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false);
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
    // user_pref("extensions.webextensions.restrictedDomains", "");
 
-/*** [SECTION 2700]: PERSISTENT STORAGE
+/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/
-   Data SET by websites including
-          cookies : profile\cookies.sqlite
-     localStorage : profile\webappsstore.sqlite
-        indexedDB : profile\storage\default
-   serviceWorkers :
-
-   [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode
-   [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage),
-   indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications)
-   If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become
-   accessible to websites except shared/service workers where the cookie setting must be "Allow"
-***/
 user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
-/* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB]
+/* 2701: enable ETP Strict Mode [FF86+]
- * 0 = Accept cookies and site data
+ * ETP Strict Mode enables Total Cookie Protection (TCP)
- * 1 = (Block) All third-party cookies
+ * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of
- * 2 = (Block) All cookies
+ * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared
- * 3 = (Block) Cookies from unvisited websites
+ * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
- * 4 = (Block) Cross-site tracking cookies (default)
- * 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+)
- * Option 5 with FPI enabled (4001) is ignored and not shown, and option 4 used instead
- * [NOTE] You can set cookie exceptions under site permissions or use an extension
- * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies
- * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/
-user_pref("network.cookie.cookieBehavior", 1);
-user_pref("browser.contentblocking.category", "custom");
-/* 2710: enable Enhanced Tracking Protection (ETP) in all windows
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content
  * [SETTING] to add site exceptions: Urlbar>ETP Shield
  * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
-user_pref("privacy.trackingprotection.enabled", true);
+user_pref("browser.contentblocking.category", "strict");
-/* 2711: enable various ETP lists ***/
+/* 2702: disable ETP web compat features [FF93+]
-user_pref("privacy.trackingprotection.socialtracking.enabled", true);
+ * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants
-   // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
+ * Opener and redirect heuristics are granted for 30 days, see [3]
-   // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
+ * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
-/* 2740: disable service worker cache and cache storage
+ * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
- * [NOTE] We clear service worker cache on exit (2811)
+ * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
- * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
+   // user_pref("privacy.antitracking.enableWebcompat", false);
-   // user_pref("dom.caches.enabled", false);
+/* 2710: enable state partitioning of service workers [FF96+] ***/
-/* 2750: disable Storage API [FF51+]
+user_pref("privacy.partition.serviceWorkers", true);
- * The API gives sites the ability to find out how much space they can use, how much
- * they are already using, and even control whether or not they need to be alerted
- * before the user agent disposes of site data in order to make room for other things.
- * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
- * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
- * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
-   // user_pref("dom.storageManager.enabled", false);
-/* 2755: disable Storage Access API [FF65+]
- * [1] https://developer.mozilla.org/docs/Web/API/Storage_Access_API ***/
-   // user_pref("dom.storage_access.enabled", false);
-/* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/
-user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
 
 /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
 user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
-/** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/
+/** SANITIZE ON SHUTDOWN: ALLOWS COOKIES + SITE DATA EXCEPTIONS FF102+ ***/
-/* 2801: delete cookies and site data on exit
- * 0=keep until they expire (default), 2=keep until you close Firefox
- * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
- * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow
- *   If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com
- * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
-user_pref("network.cookie.lifetimePolicy", 2);
-/* 2802: delete cache on exit [FF96+]
- * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
- * [1] https://bugzilla.mozilla.org/1671182 ***/
-   // user_pref("privacy.clearsitedata.cache.enabled", true);
-/* 2803: set third-party cookies to session-only
- * [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
- * .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
- * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
-user_pref("network.cookie.thirdparty.sessionOnly", true);
-user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
-
-/** SANITIZE ON SHUTDOWN : ALL OR NOTHING ***/
 /* 2810: enable Firefox to clear items on shutdown (2811)
- * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
+ * [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note in 2811).
+ * serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for
+ * both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
+ * [WARNING] Be selective with what cookies you keep, as they also disable partitioning (1767271)
+ * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes
+ * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question)
+ * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
 /* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
- * These items do not use exceptions, it is all or nothing (1681701)
  * [NOTE] If "history" is true, downloads will also be cleared
  * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
  * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
@@ -909,10 +784,16 @@ user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
 user_pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
 user_pref("privacy.clearOnShutdown.history", true);   // [DEFAULT: true]
 user_pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown.offlineApps", false); // [DEFAULT: false]
+user_pref("privacy.clearOnShutdown.offlineApps", true);
-user_pref("privacy.clearOnShutdown.cookies", false);
+user_pref("privacy.clearOnShutdown.cookies", true);
    // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
-/* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME]
+/* 2812: delete cache on exit [FF96+]
+ * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
+ * [1] https://bugzilla.mozilla.org/1671182 ***/
+   // user_pref("privacy.clearsitedata.cache.enabled", true);
+
+/** SANITIZE MANUAL: ALL OR NOTHING ***/
+/* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
  * This dialog can also be accessed from the menu History>Clear Recent History
  * Firefox remembers your last choices. This will reset them when you start Firefox
  * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
@@ -926,59 +807,19 @@ user_pref("privacy.cpd.cookies", false);
    // user_pref("privacy.cpd.downloads", true); // not used, see note above
    // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] not listed
    // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false]
-/* 2813: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
+/* 2821: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
  * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
  * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008)
  * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
    // user_pref("privacy.clearOnShutdown.openWindows", true);
    // user_pref("privacy.cpd.openWindows", true);
-/* 2814: reset default "Time range to clear" for "Clear Recent History" (2812)
+/* 2822: reset default "Time range to clear" for "Clear Recent History" (2820)
  * Firefox remembers your last choice. This will reset the value when you start Firefox
  * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
  * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
  * which will display a blank value, and are not guaranteed to work ***/
 user_pref("privacy.sanitize.timeSpan", 0);
 
-/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION)
-   1278037 - indexedDB (FF51+)
-   1277803 - favicons (FF52+)
-   1264562 - OCSP cache (FF52+)
-   1268726 - Shared Workers (FF52+)
-   1316283 - SSL session cache (FF52+)
-   1317927 - media cache (FF53+)
-   1323644 - HSTS and HPKP (FF54+)
-   1334690 - HTTP Alternative Services (FF54+)
-   1334693 - SPDY/HTTP2 (FF55+)
-   1337893 - DNS cache (FF55+)
-   1344170 - blob: URI (FF55+)
-   1300671 - data:, about: URLs (FF55+)
-   1473247 - IP addresses (FF63+)
-   1542309 - top-level domain URLs when host is in the public suffix list (FF68+)
-   1506693 - pdfjs range-based requests (FF68+)
-   1330467 - site permissions (FF69+)
-   1534339 - IPv6 (FF73+)
-   1721858 - WebSocket (FF92+)
-***/
-user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
-/* 4001: enable First Party Isolation [FF51+]
- * [SETUP-WEB] Breaks some cross-origin logins
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
-user_pref("privacy.firstparty.isolate", true);
-/* 4002: enforce FPI restriction for window.opener [FF54+]
- * [NOTE] Setting this to false may reduce the breakage in 4001
- * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
- * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3]
- * The 2nd pref removes that limitation and will only allow communication if FPDs also match
- * [1] https://bugzilla.mozilla.org/1319773#c22
- * [2] https://bugzilla.mozilla.org/1492607
- * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/
-   // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
-   // user_pref("privacy.firstparty.isolate.block_post_message", true);
-/* 4003: enable scheme with FPI [FF78+]
- * [NOTE] Experimental: existing data and site permissions are incompatible
- * and some site exceptions may not work e.g. HTTPS-only mode (1244) ***/
-   // user_pref("privacy.firstparty.isolate.use_site", true);
-
 /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
    RFP covers a wide range of ongoing fingerprinting solutions.
    It is an all-or-nothing buy in: you cannot pick and choose what parts you want
@@ -988,14 +829,15 @@ user_pref("privacy.firstparty.isolate", true);
     418986 - limit window.screen & CSS media queries (FF41)
       [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
    1281949 - spoof screen orientation (FF50)
+   1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50-99)
+      FF53: fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044)
    1330890 - spoof timezone as UTC0 (FF55)
    1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
-   1217238 - reduce precision of time exposed by javascript (FF55)
  FF56
    1369303 - spoof/disable performance API
    1333651 - spoof User Agent & Navigator API
-      JS: the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux
+      version: spoofed as ESR (FF102+ this is limited to Android)
-      HTTP Headers: spoofed as Windows or Android
+      OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
    1369319 - disable device sensor API
    1369357 - disable site specific zoom
    1337161 - hide gamepads from content
@@ -1031,6 +873,8 @@ user_pref("privacy.firstparty.isolate", true);
    1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82)
  FF91+
     531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1)
+   1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100)
+   1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was capped at 100ms) (FF102)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting [FF41+]
@@ -1064,7 +908,7 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
    // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");
    // user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
 /* 4506: set RFP's font visibility level (1402) [FF94+] ***/
-   // user_pref("layout.css.font-visibility.resistFingerprinting", 1);
+   // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
 /* 4507: disable showing about:blank as soon as possible during startup [FF60+]
  * When default true this no longer masks the RFP chrome resizing activity
  * [1] https://bugzilla.mozilla.org/1448423 ***/
@@ -1090,7 +934,7 @@ user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
  * [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js ***/
 user_pref("browser.link.open_newwindow.restriction", 0);
 /* 4520: disable WebGL (Web Graphics Library)
- * [SETUP-WEB] If you need it then enable it. RFP still randomizes canvas for naive scripts ***/
+ * [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for naive scripts ***/
 user_pref("webgl.disabled", true);
 
 /*** [SECTION 5000]: OPTIONAL OPSEC
@@ -1123,7 +967,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
 /* 5005: disable intermediate certificate caching [FF41+] [RESTART]
  * [NOTE] This affects login/cert/key dbs. The effect is all credentials are session-only.
  * Saved logins and passwords are not available. Reset the pref and restart to return them ***/
-   // user_pref("security.nocertdb", true); // [HIDDEN PREF]
+   // user_pref("security.nocertdb", true); // [HIDDEN PREF in FF101 or lower]
 /* 5006: disable favicons in history and bookmarks
  * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your
  * actual history (and bookmarks) already do. Your history is more detailed, so
@@ -1167,8 +1011,8 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
    // user_pref("browser.download.folderList", 2);
 
 /*** [SECTION 5500]: OPTIONAL HARDENING
-   Not recommended. Keep in mind that these can cause breakage and performance
+   Not recommended. Overriding these can cause breakage and performance issues,
-   issues, are mostly fingerpintable, and the threat model is practically zero
+   they are mostly fingerprintable, and the threat model is practically nonexistent
 ***/
 user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
 /* 5501: disable MathML (Mathematical Markup Language) [FF51+]
@@ -1213,22 +1057,40 @@ user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true]
 /* 6002: enforce no referer spoofing
  * [WHY] Spoofing can affect CSRF (Cross-Site Request Forgery) protections ***/
 user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
-/* 6003: enforce CSP (Content Security Policy)
- * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
-user_pref("security.csp.enable", true); // [DEFAULT: true]
 /* 6004: enforce a security delay on some confirmation dialogs such as install, open/save
  * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
 user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
-/* 6005: enforce window.opener protection [FF65+]
+/* 6008: enforce no First Party Isolation [FF51+]
- * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
+ * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701),
-user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true]
+ * and enabling FPI disables those. FPI is no longer maintained ***/
-/* 6006: enforce "window.name" protection [FF82+]
+user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
- * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
+/* 6009: enforce SmartBlock shims [FF81+]
- * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
+ * In FF96+ these are listed in about:compat
- * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
+ * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
-user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true]
+user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]
-/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/
+/* 6010: enforce/reset TLS 1.0/1.1 downgrades to session only
-   // placeholder
+ * [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed
+ * [TEST] https://tls-v1-1.badssl.com:1010/ ***/
+user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
+/* 6011: enforce disabling of Web Compatibility Reporter [FF56+]
+ * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla
+ * [WHY] To prevent wasting Mozilla's time with a custom setup ***/
+user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
+/* 6012: disable SHA-1 certificates ***/
+user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1 FF102+]
+/* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/
+   // user_pref("browser.urlbar.trimURLs", "");
+   // user_pref("dom.caches.enabled", "");
+   // user_pref("dom.storageManager.enabled", "");
+   // user_pref("dom.storage_access.enabled", "");
+   // user_pref("dom.targetBlankNoOpener.enabled", "");
+   // user_pref("network.cookie.thirdparty.sessionOnly", "");
+   // user_pref("network.cookie.thirdparty.nonsecureSessionOnly", "");
+   // user_pref("privacy.firstparty.isolate.block_post_message", "");
+   // user_pref("privacy.firstparty.isolate.restrict_opener_access", "");
+   // user_pref("privacy.firstparty.isolate.use_site", "");
+   // user_pref("privacy.window.name.update.enabled", "");
+   // user_pref("security.insecure_connection_text.enabled", "");
 
 /*** [SECTION 7000]: DON'T BOTHER ***/
 user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
@@ -1239,7 +1101,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
    // user_pref("geo.enabled", false);
    // user_pref("full-screen-api.enabled", false);
    // user_pref("browser.cache.offline.enable", false);
-   // user_pref("dom.vr.enabled", false);
+   // user_pref("dom.vr.enabled", false); // [DEFAULT: false FF97+]
 /* 7002: set default permissions
  * Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+]
  * 0=always ask (default), 1=allow, 2=block
@@ -1264,16 +1126,16 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
    // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
    // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
 /* 7004: control TLS versions
- * [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/
+ * [WHY] Passive fingerprinting and security ***/
    // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
    // user_pref("security.tls.version.max", 4);
 /* 7005: disable SSL session IDs [FF36+]
- * [WHY] Passive fingerprinting and perf costs. These are session-only and isolated
+ * [WHY] Passive fingerprinting and perf costs. These are session-only
- * with network partitioning (FF85+) or when using FPI and/or containers ***/
+ * and isolated with network partitioning (FF85+) and/or containers ***/
-   // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
+   // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF in FF101 or lower]
 /* 7006: onions
  * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/
-   // user_pref("dom.securecontext.whitelist_onions", true); // 1382359
+   // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006
    // user_pref("network.http.referer.hideOnionSource", true); // 1305144
 /* 7007: referers
  * [WHY] Only cross-origin referers (1600s) need control ***/
@@ -1284,15 +1146,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
  * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/
    // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2]
    // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
-/* 7009: disable HTTP2
- * [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1]
- * [1] https://w3techs.com/technologies/details/ce-http2/all/all ***/
-   // user_pref("network.http.spdy.enabled", false);
-   // user_pref("network.http.spdy.enabled.deps", false);
-   // user_pref("network.http.spdy.enabled.http2", false);
-   // user_pref("network.http.spdy.websockets", false); // [FF65+]
 /* 7010: disable HTTP Alternative Services [FF37+]
- * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/
+ * [WHY] Already isolated with network partitioning (FF85+) ***/
    // user_pref("network.http.altsvc.enabled", false);
    // user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+]
 /* 7011: disable website control over browser right-click context menu
@@ -1312,8 +1167,36 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
  * [WHY] It can compromise security. System addons ship with prefs, use those ***/
    // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
    // user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
+/* 7015: enable the DNT (Do Not Track) HTTP header
+ * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
+   // user_pref("privacy.donottrackheader.enabled", true);
+/* 7016: customize ETP settings
+ * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
+   // user_pref("network.cookie.cookieBehavior", 5);
+   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
+   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
+   // user_pref("privacy.partition.network_state.ocsp_cache", true);
+   // user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP FF102+]
+   // user_pref("privacy.trackingprotection.enabled", true);
+   // user_pref("privacy.trackingprotection.socialtracking.enabled", true);
+   // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
+   // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
+/* 7017: disable service workers
+ * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2710)
+ * or blocked with TCP in 3rd parties (FF95 or lower) ***/
+   // user_pref("dom.serviceWorkers.enabled", false);
+/* 7018: disable Web Notifications
+ * [WHY] Web Notifications are behind a prompt (7002)
+ * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
+   // user_pref("dom.webnotifications.enabled", false); // [FF22+]
+   // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
+/* 7019: disable Push Notifications [FF44+]
+ * [WHY] Push requires subscription
+ * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
+ * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
+   // user_pref("dom.push.enabled", false);
 
-/*** [SECTION 8000]: DON'T BOTHER: NON-RFP
+/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
    [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
    [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere
 ***/
@@ -1323,7 +1206,7 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan
    // user_pref("dom.enable_performance", false);
    // user_pref("dom.enable_resource_timing", false);
    // user_pref("dom.gamepad.enabled", false);
-   // user_pref("dom.netinfo.enabled", false);
+   // user_pref("dom.netinfo.enabled", false); // [DEFAULT: false NON-ANDROID: false ANDROID FF99+]
    // user_pref("dom.webaudio.enabled", false);
 /* 8002: disable other ***/
    // user_pref("browser.display.use_document_fonts", 0);
@@ -1361,6 +1244,16 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc
    // user_pref("browser.warnOnQuitShortcut", false); // [FF94+]
    // user_pref("full-screen-api.warning.delay", 0);
    // user_pref("full-screen-api.warning.timeout", 0);
+/* UPDATES ***/
+   // user_pref("app.update.auto", false); // [NON-WINDOWS] disable auto app updates
+      // [NOTE] You will still get prompts to update, and should do so in a timely manner
+      // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them
+   // user_pref("browser.search.update", false); // disable search engine updates (e.g. OpenSearch)
+      // [NOTE] This does not affect Mozilla's built-in or Web Extension search engines
+   // user_pref("extensions.update.enabled", false); // disable extension and theme update checks
+   // user_pref("extensions.update.autoUpdateDefault", false); // disable installing extension and theme updates
+      // [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle)
+   // user_pref("extensions.getAddons.cache.enabled", false); // disable extension metadata (extension detail tab)
 /* APPEARANCE ***/
    // user_pref("browser.download.autohideButton", false); // [FF57+]
    // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
@@ -1380,7 +1273,7 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc
    // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see bugzilla 1320061 [FF53+]
    // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
    // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
-   // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
+   // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+]
 /* UX FEATURES ***/
 user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+]
    // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
@@ -1415,6 +1308,46 @@ user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is m
 // 0807: disable location bar contextual suggestions [FF92+] - replaced by new 0807
    // [-] https://bugzilla.mozilla.org/1735976
 user_pref("browser.urlbar.suggest.quicksuggest", false);
+// FF96
+// 0302: disable auto-INSTALLING Firefox updates via a background service + hide the setting [FF90+] [WINDOWS]
+   // [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
+   // [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows
+   // [-] https://bugzilla.mozilla.org/1738983
+user_pref("app.update.background.scheduling.enabled", false);
+// FF97
+// 7006: onions - replaced by new 7006 "allowlist"
+   // [-] https://bugzilla.mozilla.org/1744006
+   // user_pref("dom.securecontext.whitelist_onions", true); // 1382359
+// FF99
+// 6003: enforce CSP (Content Security Policy)
+   // [1] https://developer.mozilla.org/docs/Web/HTTP/CSP
+   // [-] https://bugzilla.mozilla.org/1754301
+user_pref("security.csp.enable", true); // [DEFAULT: true]
+// FF100
+// 7009: disable HTTP2 - replaced by network.http.http2* prefs
+   // [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1]
+   // [1] https://w3techs.com/technologies/details/ce-http2/all/all
+   // [-] https://bugzilla.mozilla.org/1752621
+   // user_pref("network.http.spdy.enabled", false);
+   // user_pref("network.http.spdy.enabled.deps", false);
+   // user_pref("network.http.spdy.enabled.http2", false);
+   // user_pref("network.http.spdy.websockets", false); // [FF65+]
+// FF102
+   // 0901: set when Firefox should prompt for the primary password
+   // 0=once per session (default), 1=every time it's needed, 2=after n minutes (0902)
+   // [-] https://bugzilla.mozilla.org/1767099
+user_pref("security.ask_for_password", 2);
+   // 0902: set how long in minutes Firefox should remember the primary password (0901)
+   // [-] https://bugzilla.mozilla.org/1767099
+user_pref("security.password_lifetime", 5); // [DEFAULT: 30]
+   // 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810)
+   // 0=keep until they expire (default), 2=keep until you close Firefox
+   // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
+   // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665
+user_pref("network.cookie.lifetimePolicy", 2);
+   // 6007: enforce Local Storage Next Generation (LSNG) [FF65+]
+   // [-] https://bugzilla.mozilla.org/1764696
+user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
 // ***/
 
 /* END: internal custom pref to test for syntax errors ***/