update to current

README.md

@@ -20,7 +20,8 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef
  - [wiki](https://github.com/arkenfox/user.js/wiki)
  - [stickies](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22)
  - [diffs](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Adiffs)
- - [common questions and answers](https://github.com/arkenfox/user.js/issues?q=is%3Aissue+label%3Aanswered)
 
 ### 🟥  acknowledgments
 Literally thousands of sources, references and suggestions. Many thanks, and much appreciated.
+
+

scratchpad-scripts/arkenfox-clear-RFP-alternatives.js

@@ -0,0 +1,72 @@
+/***
+  This will reset the preferences that are under sections 4600 & 4700 in the
+  arkenfox user.js. These are the prefs that are no longer necessary, or they
+  conflict with, privacy.resistFingerprinting if you have that enabled.
+
+  Final update: 10-August-2021
+
+  As of v91, section 4600 is no longer recommended, and is all inactive. This
+  now includes the old 4700 section. You can reset them using prefsCleaner.
+  
+  For instructions see:
+  https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
+***/
+
+(() => {
+
+  if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!');
+
+  const aPREFS = [
+    /* section 4600 */
+    'dom.maxHardwareConcurrency',
+    'dom.enable_resource_timing',
+    'dom.enable_performance',
+    'device.sensors.enabled',
+    'browser.zoom.siteSpecific',
+    'dom.gamepad.enabled',
+    'dom.netinfo.enabled',
+    'media.webspeech.synth.enabled',
+    'media.video_stats.enabled',
+    'dom.w3c_touch_events.enabled',
+    'media.navigator.enabled',
+    'media.ondevicechange.enabled',
+    'webgl.enable-debug-renderer-info',
+    'ui.prefersReducedMotion',
+    'dom.w3c_pointer_events.enabled', // deprecated FF87
+    'ui.use_standins_for_native_colors',
+    'ui.systemUsesDarkTheme',
+    'dom.webaudio.enabled',
+    'layout.css.font-visibility.level',
+    /* section 4700 */
+    'general.appname.override',
+    'general.appversion.override',
+    'general.buildID.override',
+    'general.oscpu.override',
+    'general.platform.override',
+    'general.useragent.override',
+    /* reset parrot: check your open about:config after running the script */
+    '_user.js.parrot'
+  ];
+
+  console.clear();
+
+  let c = 0;
+  for (const sPname of aPREFS) {
+    if (Services.prefs.prefHasUserValue(sPname)) {
+      Services.prefs.clearUserPref(sPname);
+      if (!Services.prefs.prefHasUserValue(sPname)) {
+        console.info('reset', sPname);
+        c++;
+      } else console.warn('failed to reset', sPname);
+    }
+  }
+
+  focus();
+
+  const d = (c==1) ? ' pref' : ' prefs';
+  alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset');
+
+  return 'all done';
+
+})();
+

scratchpad-scripts/arkenfox-clear-deprecated.js

@@ -0,0 +1,232 @@
+/***
+  Version: up to and including FF/ESR91
+
+  This will reset the preferences that have been deprecated by Mozilla
+  and used in the arkenfox user.js
+
+  It is in reverse order, so feel free to remove sections that do not apply
+
+  For instructions see:
+  https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
+***/
+
+(() => {
+
+  if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!');
+
+  const aPREFS = [
+    /* deprecated */
+    /* FF79-91 */
+    'browser.cache.offline.storage.enable',
+    'browser.download.hide_plugins_without_extensions',
+    'browser.library.activity-stream.enabled',
+    'browser.search.geoSpecificDefaults',
+    'browser.search.geoSpecificDefaults.url',
+    'dom.ipc.plugins.flash.subprocess.crashreporter.enabled',
+    'dom.ipc.plugins.reportCrashURL',
+    'dom.w3c_pointer_events.enabled',
+    'intl.charset.fallback.override',
+    'network.ftp.enabled',
+    'plugin.state.flash',
+    'security.mixed_content.block_object_subrequest',
+    'security.ssl.errorReporting.automatic',
+    'security.ssl.errorReporting.enabled',
+    'security.ssl.errorReporting.url',
+    /* 69-78 */
+    'browser.newtabpage.activity-stream.telemetry.ping.endpoint',
+    'browser.tabs.remote.allowLinkedWebInFileUriProcess',
+    'browser.urlbar.oneOffSearches',
+    'devtools.webide.autoinstallADBExtension',
+    'devtools.webide.enabled',
+    'dom.indexedDB.enabled',
+    'extensions.blocklist.url',
+    'geo.wifi.logging.enabled',
+    'geo.wifi.uri',
+    'gfx.downloadable_fonts.woff2.enabled',
+    'media.autoplay.allow-muted',
+    'media.autoplay.enabled.user-gestures-needed',
+    'offline-apps.allow_by_default',
+    'plugins.click_to_play',
+    'privacy.userContext.longPressBehavior',
+    'toolkit.cosmeticAnimations.enabled',
+    'toolkit.telemetry.hybridContent.enabled',
+    'webgl.disable-extensions',
+    /* 61-68 */
+    'app.update.enabled',
+    'browser.aboutHomeSnippets.updateUrl',
+    'browser.chrome.errorReporter.enabled',
+    'browser.chrome.errorReporter.submitUrl',
+    'browser.chrome.favicons',
+    'browser.ctrlTab.previews',
+    'browser.fixup.hide_user_pass',
+    'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
+    'browser.newtabpage.activity-stream.disableSnippets',
+    'browser.onboarding.enabled',
+    'browser.search.countryCode',
+    'browser.urlbar.autocomplete.enabled',
+    'devtools.webide.adbAddonURL',
+    'devtools.webide.autoinstallADBHelper',
+    'dom.event.highrestimestamp.enabled',
+    'experiments.activeExperiment',
+    'experiments.enabled',
+    'experiments.manifest.uri',
+    'experiments.supported',
+    'lightweightThemes.update.enabled',
+    'media.autoplay.enabled',
+    'network.allow-experiments',
+    'network.cookie.lifetime.days',
+    'network.jar.block-remote-files',
+    'network.jar.open-unsafe-types',
+    'plugin.state.java',
+    'security.csp.enable_violation_events',
+    'security.csp.experimentalEnabled',
+    'shield.savant.enabled',
+    /* 60 or earlier */
+    'browser.bookmarks.showRecentlyBookmarked',
+    'browser.casting.enabled',
+    'browser.crashReports.unsubmittedCheck.autoSubmit',
+    'browser.formautofill.enabled',
+    'browser.formfill.saveHttpsForms',
+    'browser.fullscreen.animate',
+    'browser.history.allowPopState',
+    'browser.history.allowPushState',
+    'browser.history.allowReplaceState',
+    'browser.newtabpage.activity-stream.enabled',
+    'browser.newtabpage.directory.ping',
+    'browser.newtabpage.directory.source',
+    'browser.newtabpage.enhanced',
+    'browser.newtabpage.introShown',
+    'browser.pocket.api',
+    'browser.pocket.enabled',
+    'browser.pocket.oAuthConsumerKey',
+    'browser.pocket.site',
+    'browser.polaris.enabled',
+    'browser.safebrowsing.appRepURL',
+    'browser.safebrowsing.enabled',
+    'browser.safebrowsing.gethashURL',
+    'browser.safebrowsing.malware.reportURL',
+    'browser.safebrowsing.provider.google.appRepURL',
+    'browser.safebrowsing.reportErrorURL',
+    'browser.safebrowsing.reportGenericURL',
+    'browser.safebrowsing.reportMalwareErrorURL',
+    'browser.safebrowsing.reportMalwareMistakeURL',
+    'browser.safebrowsing.reportMalwareURL',
+    'browser.safebrowsing.reportPhishMistakeURL',
+    'browser.safebrowsing.reportURL',
+    'browser.safebrowsing.updateURL',
+    'browser.search.showOneOffButtons',
+    'browser.selfsupport.enabled',
+    'browser.selfsupport.url',
+    'browser.sessionstore.privacy_level_deferred',
+    'browser.tabs.animate',
+    'browser.trackingprotection.gethashURL',
+    'browser.trackingprotection.updateURL',
+    'browser.urlbar.unifiedcomplete',
+    'browser.usedOnWindows10.introURL',
+    'camera.control.autofocus_moving_callback.enabled',
+    'camera.control.face_detection.enabled',
+    'datareporting.healthreport.about.reportUrl',
+    'datareporting.healthreport.about.reportUrlUnified',
+    'datareporting.healthreport.documentServerURI',
+    'datareporting.healthreport.service.enabled',
+    'datareporting.policy.dataSubmissionEnabled.v2',
+    'devtools.webide.autoinstallFxdtAdapters',
+    'dom.archivereader.enabled',
+    'dom.battery.enabled',
+    'dom.beforeAfterKeyboardEvent.enabled',
+    'dom.disable_image_src_set',
+    'dom.disable_window_open_feature.scrollbars',
+    'dom.disable_window_status_change',
+    'dom.enable_user_timing',
+    'dom.flyweb.enabled',
+    'dom.idle-observers-api.enabled',
+    'dom.keyboardevent.code.enabled',
+    'dom.network.enabled',
+    'dom.push.udp.wakeupEnabled',
+    'dom.telephony.enabled',
+    'dom.vr.oculus050.enabled',
+    'dom.workers.enabled',
+    'dom.workers.sharedWorkers.enabled',
+    'extensions.formautofill.experimental',
+    'extensions.screenshots.system-disabled',
+    'extensions.shield-recipe-client.api_url',
+    'extensions.shield-recipe-client.enabled',
+    'full-screen-api.approval-required',
+    'general.useragent.locale',
+    'geo.security.allowinsecure',
+    'intl.locale.matchOS',
+    'loop.enabled',
+    'loop.facebook.appId',
+    'loop.facebook.enabled',
+    'loop.facebook.fallbackUrl',
+    'loop.facebook.shareUrl',
+    'loop.feedback.formURL',
+    'loop.feedback.manualFormURL',
+    'loop.logDomains',
+    'loop.server',
+    'media.block-play-until-visible',
+    'media.eme.apiVisible',
+    'media.eme.chromium-api.enabled',
+    'media.getusermedia.screensharing.allow_on_old_platforms',
+    'media.getusermedia.screensharing.allowed_domains',
+    'media.gmp-eme-adobe.autoupdate',
+    'media.gmp-eme-adobe.enabled',
+    'media.gmp-eme-adobe.visible',
+    'network.http.referer.userControlPolicy',
+    'network.http.sendSecureXSiteReferrer',
+    'network.http.spdy.enabled.http2draft',
+    'network.http.spdy.enabled.v3-1',
+    'network.websocket.enabled',
+    'pageThumbs.enabled',
+    'pfs.datasource.url',
+    'plugin.scan.Acrobat',
+    'plugin.scan.Quicktime',
+    'plugin.scan.WindowsMediaPlayer',
+    'plugins.enumerable_names',
+    'plugins.update.notifyUser',
+    'plugins.update.url',
+    'privacy.clearOnShutdown.passwords',
+    'privacy.donottrackheader.value',
+    'security.mixed_content.send_hsts_priming',
+    'security.mixed_content.use_hsts',
+    'security.ssl3.ecdhe_ecdsa_rc4_128_sha',
+    'security.ssl3.ecdhe_rsa_rc4_128_sha',
+    'security.ssl3.rsa_rc4_128_md5',
+    'security.ssl3.rsa_rc4_128_sha',
+    'security.tls.insecure_fallback_hosts.use_static_list',
+    'security.tls.unrestricted_rc4_fallback',
+    'security.xpconnect.plugin.unrestricted',
+    'social.directories',
+    'social.enabled',
+    'social.remote-install.enabled',
+    'social.share.activationPanelEnabled',
+    'social.shareDirectory',
+    'social.toast-notifications.enabled',
+    'social.whitelist',
+    'toolkit.telemetry.unifiedIsOptIn',
+
+    /* reset parrot: check your open about:config after running the script */
+    '_user.js.parrot'
+  ];
+
+  console.clear();
+
+  let c = 0;
+  for (const sPname of aPREFS) {
+    if (Services.prefs.prefHasUserValue(sPname)) {
+      Services.prefs.clearUserPref(sPname);
+      if (!Services.prefs.prefHasUserValue(sPname)) {
+        console.info('reset', sPname);
+        c++;
+      } else console.warn('failed to reset', sPname);
+    }
+  }
+
+  focus();
+
+  const d = (c==1) ? ' pref' : ' prefs';
+  alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset');
+
+  return 'all done';
+
+})();

scratchpad-scripts/arkenfox-clear-removed.js

@@ -1,29 +1,10 @@
 /***
-  This will reset the preferences that have been
+  This will reset the preferences that have been removed completely from the arkenfox user.js.
-  - removed from the arkenfox user.js
-  - deprecated by Mozilla but listed in the arkenfox user.js in the past
 
-  Last updated: 16-January-2022
+  Last updated: 29-August-2021
-
-  Instructions:
-  - [optional] close Firefox and backup your profile
-  - [optional] disable your network connection [1]
-  - start Firefox
-  - load about:config and press Ctrl+Shift+K to open the Web Console for about:config
-    - using about:config is important, so the script has the right permissions
-  - paste this script
-  - if you edited the list of prefs in the script, make sure the last pref does not have a trailing comma
-  - hit enter
-  - check the Info output to see which prefs were reset
-  - restart
-     - some prefs require a restart
-     - a restart will reapply your user.js
-  - [optional] re-enable your network connection
- 
-  [1] Blocking Firefox from the internet ensures it cannot act on your reset preferences in the
-  period before you restart it, such as app and extension auto-updating, or downloading unwanted
-  components (GMP etc). It depends on what you're resetting and how long before you restart.
 
+  For instructions see:
+  https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
 ***/
 
 (() => {
@@ -31,231 +12,31 @@
   if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!');
 
   const aPREFS = [
-    /* DEPRECATED */
+    /* removed in arkenfox user.js */
-    /* FF92+ */
+    /* 91 */
-    'browser.urlbar.suggest.quicksuggest', // 95
-    'layout.css.font-visibility.level', // 94
-    'security.ssl3.rsa_des_ede3_sha', // 93
-    /* FF79-91 */
-    'browser.cache.offline.storage.enable',
-    'browser.download.hide_plugins_without_extensions',
-    'browser.library.activity-stream.enabled',
-    'browser.search.geoSpecificDefaults',
-    'browser.search.geoSpecificDefaults.url',
-    'dom.ipc.plugins.flash.subprocess.crashreporter.enabled',
-    'dom.ipc.plugins.reportCrashURL',
-    'dom.w3c_pointer_events.enabled',
-    'intl.charset.fallback.override',
-    'network.ftp.enabled',
-    'plugin.state.flash',
-    'security.mixed_content.block_object_subrequest',
-    'security.ssl.errorReporting.automatic',
-    'security.ssl.errorReporting.enabled',
-    'security.ssl.errorReporting.url',
-    /* 69-78 */
-    'browser.newtabpage.activity-stream.telemetry.ping.endpoint',
-    'browser.tabs.remote.allowLinkedWebInFileUriProcess',
-    'browser.urlbar.oneOffSearches',
-    'devtools.webide.autoinstallADBExtension',
-    'devtools.webide.enabled',
-    'dom.indexedDB.enabled',
-    'extensions.blocklist.url',
-    'geo.wifi.logging.enabled',
-    'geo.wifi.uri',
-    'gfx.downloadable_fonts.woff2.enabled',
-    'media.autoplay.allow-muted',
-    'media.autoplay.enabled.user-gestures-needed',
-    'offline-apps.allow_by_default',
-    'plugins.click_to_play',
-    'privacy.userContext.longPressBehavior',
-    'toolkit.cosmeticAnimations.enabled',
-    'toolkit.telemetry.hybridContent.enabled',
-    'webgl.disable-extensions',
-    /* 61-68 */
-    'app.update.enabled',
-    'browser.aboutHomeSnippets.updateUrl',
-    'browser.chrome.errorReporter.enabled',
-    'browser.chrome.errorReporter.submitUrl',
-    'browser.chrome.favicons',
-    'browser.ctrlTab.previews',
-    'browser.fixup.hide_user_pass',
-    'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
-    'browser.newtabpage.activity-stream.disableSnippets',
-    'browser.onboarding.enabled',
-    'browser.search.countryCode',
-    'browser.urlbar.autocomplete.enabled',
-    'devtools.webide.adbAddonURL',
-    'devtools.webide.autoinstallADBHelper',
-    'dom.event.highrestimestamp.enabled',
-    'experiments.activeExperiment',
-    'experiments.enabled',
-    'experiments.manifest.uri',
-    'experiments.supported',
-    'lightweightThemes.update.enabled',
-    'media.autoplay.enabled',
-    'network.allow-experiments',
-    'network.cookie.lifetime.days',
-    'network.jar.block-remote-files',
-    'network.jar.open-unsafe-types',
-    'plugin.state.java',
-    'security.csp.enable_violation_events',
-    'security.csp.experimentalEnabled',
-    'shield.savant.enabled',
-    /* 60 or earlier */
-    'browser.bookmarks.showRecentlyBookmarked',
-    'browser.casting.enabled',
-    'browser.crashReports.unsubmittedCheck.autoSubmit',
-    'browser.formautofill.enabled',
-    'browser.formfill.saveHttpsForms',
-    'browser.fullscreen.animate',
-    'browser.history.allowPopState',
-    'browser.history.allowPushState',
-    'browser.history.allowReplaceState',
-    'browser.newtabpage.activity-stream.enabled',
-    'browser.newtabpage.directory.ping',
-    'browser.newtabpage.directory.source',
-    'browser.newtabpage.enhanced',
-    'browser.newtabpage.introShown',
-    'browser.pocket.api',
-    'browser.pocket.enabled',
-    'browser.pocket.oAuthConsumerKey',
-    'browser.pocket.site',
-    'browser.polaris.enabled',
-    'browser.safebrowsing.appRepURL',
-    'browser.safebrowsing.enabled',
-    'browser.safebrowsing.gethashURL',
-    'browser.safebrowsing.malware.reportURL',
-    'browser.safebrowsing.provider.google.appRepURL',
-    'browser.safebrowsing.reportErrorURL',
-    'browser.safebrowsing.reportGenericURL',
-    'browser.safebrowsing.reportMalwareErrorURL',
-    'browser.safebrowsing.reportMalwareMistakeURL',
-    'browser.safebrowsing.reportMalwareURL',
-    'browser.safebrowsing.reportPhishMistakeURL',
-    'browser.safebrowsing.reportURL',
-    'browser.safebrowsing.updateURL',
-    'browser.search.showOneOffButtons',
-    'browser.selfsupport.enabled',
-    'browser.selfsupport.url',
-    'browser.sessionstore.privacy_level_deferred',
-    'browser.tabs.animate',
-    'browser.trackingprotection.gethashURL',
-    'browser.trackingprotection.updateURL',
-    'browser.urlbar.unifiedcomplete',
-    'browser.usedOnWindows10.introURL',
-    'camera.control.autofocus_moving_callback.enabled',
-    'camera.control.face_detection.enabled',
-    'datareporting.healthreport.about.reportUrl',
-    'datareporting.healthreport.about.reportUrlUnified',
-    'datareporting.healthreport.documentServerURI',
-    'datareporting.healthreport.service.enabled',
-    'datareporting.policy.dataSubmissionEnabled.v2',
-    'devtools.webide.autoinstallFxdtAdapters',
-    'dom.archivereader.enabled',
-    'dom.beforeAfterKeyboardEvent.enabled',
-    'dom.disable_image_src_set',
-    'dom.disable_window_open_feature.scrollbars',
-    'dom.disable_window_status_change',
-    'dom.enable_user_timing',
-    'dom.flyweb.enabled',
-    'dom.idle-observers-api.enabled',
-    'dom.keyboardevent.code.enabled',
-    'dom.network.enabled',
-    'dom.push.udp.wakeupEnabled',
-    'dom.telephony.enabled',
-    'dom.vr.oculus050.enabled',
-    'dom.workers.enabled',
-    'dom.workers.sharedWorkers.enabled',
-    'extensions.formautofill.experimental',
-    'extensions.screenshots.system-disabled',
-    'extensions.shield-recipe-client.api_url',
-    'extensions.shield-recipe-client.enabled',
-    'full-screen-api.approval-required',
-    'general.useragent.locale',
-    'geo.security.allowinsecure',
-    'intl.locale.matchOS',
-    'loop.enabled',
-    'loop.facebook.appId',
-    'loop.facebook.enabled',
-    'loop.facebook.fallbackUrl',
-    'loop.facebook.shareUrl',
-    'loop.feedback.formURL',
-    'loop.feedback.manualFormURL',
-    'loop.logDomains',
-    'loop.server',
-    'media.block-play-until-visible',
-    'media.eme.apiVisible',
-    'media.eme.chromium-api.enabled',
-    'media.getusermedia.screensharing.allow_on_old_platforms',
-    'media.getusermedia.screensharing.allowed_domains',
-    'media.gmp-eme-adobe.autoupdate',
-    'media.gmp-eme-adobe.enabled',
-    'media.gmp-eme-adobe.visible',
-    'network.http.referer.userControlPolicy',
-    'network.http.sendSecureXSiteReferrer',
-    'network.http.spdy.enabled.http2draft',
-    'network.http.spdy.enabled.v3-1',
-    'network.websocket.enabled',
-    'pageThumbs.enabled',
-    'pfs.datasource.url',
-    'plugin.scan.Acrobat',
-    'plugin.scan.Quicktime',
-    'plugin.scan.WindowsMediaPlayer',
-    'plugins.enumerable_names',
-    'plugins.update.notifyUser',
-    'plugins.update.url',
-    'privacy.clearOnShutdown.passwords',
-    'privacy.donottrackheader.value',
-    'security.mixed_content.send_hsts_priming',
-    'security.mixed_content.use_hsts',
-    'security.ssl3.ecdhe_ecdsa_rc4_128_sha',
-    'security.ssl3.ecdhe_rsa_rc4_128_sha',
-    'security.ssl3.rsa_rc4_128_md5',
-    'security.ssl3.rsa_rc4_128_sha',
-    'security.tls.insecure_fallback_hosts.use_static_list',
-    'security.tls.unrestricted_rc4_fallback',
-    'security.xpconnect.plugin.unrestricted',
-    'social.directories',
-    'social.enabled',
-    'social.remote-install.enabled',
-    'social.share.activationPanelEnabled',
-    'social.shareDirectory',
-    'social.toast-notifications.enabled',
-    'social.whitelist',
-    'toolkit.telemetry.unifiedIsOptIn',
-
-    /* REMOVED */
-    /* 92+ */
-    'dom.caches.enabled',
-    'dom.storageManager.enabled',
-    'dom.storage_access.enabled',
-    'privacy.firstparty.isolate.block_post_message',
-    'privacy.firstparty.isolate.restrict_opener_access',
-    'privacy.firstparty.isolate.use_site',
-    'security.insecure_connection_text.enabled',
-    /* 79-91 */
     'alerts.showFavicons',
-    'browser.newtabpage.activity-stream.asrouter.providers.snippets',
-    'browser.send_pings.require_same_host',
-    'browser.urlbar.usepreloadedtopurls.enabled',
     'dom.allow_cut_copy',
     'dom.battery.enabled',
-    'dom.IntersectionObserver.enabled',
     'dom.storage.enabled',
     'dom.vibrator.enabled',
-    'extensions.screenshots.upload-disabled',
     'general.warnOnAboutConfig',
     'gfx.direct2d.disabled',
     'layers.acceleration.disabled',
     'media.getusermedia.audiocapture.enabled',
     'media.getusermedia.browser.enabled',
     'media.getusermedia.screensharing.enabled',
-    'media.gmp-widevinecdm.visible',
     'media.media-capabilities.enabled',
-    'network.http.redirection-limit',
-    'privacy.partition.network_state',
     'security.insecure_connection_icon.enabled',
     'security.mixed_content.block_active_content',
+    /* 79-90 */
+    'browser.newtabpage.activity-stream.asrouter.providers.snippets',
+    'browser.send_pings.require_same_host',
+    'browser.urlbar.usepreloadedtopurls.enabled',
+    'dom.IntersectionObserver.enabled',
+    'extensions.screenshots.upload-disabled',
+    'media.gmp-widevinecdm.visible',
+    'network.http.redirection-limit',
+    'privacy.partition.network_state',
     'security.ssl.enable_ocsp_stapling',
     'security.ssl3.dhe_rsa_aes_128_sha',
     'security.ssl3.dhe_rsa_aes_256_sha',
@@ -288,6 +69,7 @@
     'browser.cache.disk.smart_size.first_run',
     'browser.cache.offline.insecure.enable',
     'browser.contentblocking.enabled',
+    'browser.eme.ui.enabled',
     'browser.laterrun.enabled',
     'browser.offline-apps.notify',
     'browser.rights.3.shown',
@@ -451,8 +233,6 @@
        // 'dom.ipc.plugins.sandbox-level.default',
        // 'dom.ipc.plugins.sandbox-level.flash',
        // 'security.sandbox.logging.enabled',
-
-    /* IMPORTANT: last active pref must not have a trailing comma */ 
     /* reset parrot: check your open about:config after running the script */
     '_user.js.parrot'
   ];

scratchpad-scripts/troubleshooter.js

@@ -1,3 +1,4 @@
+
 /*** arkenfox user.js troubleshooter.js v1.6.3 ***/
 
 (function() {

updater.bat

@@ -3,10 +3,10 @@ TITLE arkenfox user.js updater
 
 REM ## arkenfox user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.15
+REM ## version: 4.14
 REM ## instructions: https://github.com/arkenfox/user.js/wiki/3.3-Updater-Scripts
 
-SET v=4.15
+SET v=4.14
 
 VERIFY ON
 CD /D "%~dp0"
@@ -23,6 +23,7 @@ IF /I "%~1"=="-merge" (SET _merge=1)
 IF /I "%~1"=="-updatebatch" (SET _updateb=1)
 IF /I "%~1"=="-singlebackup" (SET _singlebackup=1)
 IF /I "%~1"=="-esr" (SET _esr=1)
+IF /I "%~1"=="-rfpalts" (SET _rfpalts=1)
 SHIFT
 GOTO parse
 :endparse
@@ -140,6 +141,10 @@ IF EXIST user.js.new (DEL /F "user.js.new")
 CALL :message "Retrieving latest user.js file from github repository..."
 CALL :psdownload https://raw.githubusercontent.com/arkenfox/user.js/master/user.js "user.js.new"
 IF EXIST user.js.new (
+	IF DEFINED _rfpalts (
+		CALL :message "Activating RFP Alternatives section..."
+		CALL :activate user.js.new "[SETUP-non-RFP]"
+	)
 	IF DEFINED _esr (
 		CALL :message "Activating ESR section..."
 		CALL :activate user.js.new ".x still uses all the following prefs"
@@ -315,6 +320,8 @@ ECHO:     Run without user input.
 CALL :message "  -singleBackup"
 ECHO:     Use a single backup file and overwrite it on new updates, instead of
 ECHO:     cumulative backups. This was the default behaviour before v4.3.
+CALL :message "  -rfpAlts"
+ECHO:     Activate RFP Alternatives section
 CALL :message "  -updateBatch"
 ECHO:     Update the script itself on execution, before the normal routine.
 CALL :message ""

updater.sh

@@ -41,9 +41,9 @@ ESR=false
 
 # Download method priority: curl -> wget
 DOWNLOAD_METHOD=''
-if command -v curl >/dev/null; then
+if [[ $(command -v 'curl') ]]; then
   DOWNLOAD_METHOD='curl --max-redirs 3 -so'
-elif command -v wget >/dev/null; then
+elif [[ $(command -v 'wget') ]]; then
   DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O'
 else
   echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}"
@@ -51,7 +51,7 @@ else
 fi
 
 
-show_banner() {
+show_banner () {
   echo -e "${BBLUE}
                 ############################################################################
                 ####                                                                    ####
@@ -103,13 +103,13 @@ Optional Arguments:
 #     File Handling     #
 #########################
 
-download_file() { # expects URL as argument ($1)
+download_file () { # expects URL as argument ($1)
   declare -r tf=$(mktemp)
 
   $DOWNLOAD_METHOD "${tf}" "$1" && echo "$tf" || echo '' # return the temp-filename or empty string on error
 }
 
-open_file() { # expects one argument: file_path
+open_file () { # expects one argument: file_path
   if [ "$(uname)" == 'Darwin' ]; then
     open "$1"
   elif [ "$(uname -s | cut -c -5)" == "Linux" ]; then
@@ -119,11 +119,11 @@ open_file() { # expects one argument: file_path
   fi
 }
 
-readIniFile() { # expects one argument: absolute path of profiles.ini
+readIniFile () { # expects one argument: absolute path of profiles.ini
   declare -r inifile="$1"
 
   # tempIni will contain: [ProfileX], Name=, IsRelative= and Path= (and Default= if present) of the only (if) or the selected (else) profile
-  if [ "$(grep -c '^\[Profile' "${inifile}")" -eq "1" ]; then ### only 1 profile found
+  if [ $(grep -c '^\[Profile' "${inifile}") -eq "1" ]; then ### only 1 profile found
     tempIni="$(grep '^\[Profile' -A 4 "${inifile}")"
   else
     echo -e "Profiles found:\n––––––––––––––––––––––––––––––"
@@ -150,7 +150,7 @@ readIniFile() { # expects one argument: absolute path of profiles.ini
   [[ ${pathisrel} == "1" ]] && PROFILE_PATH="$(dirname "${inifile}")/${PROFILE_PATH}"
 }
 
-getProfilePath() {
+getProfilePath () {
   declare -r f1=~/Library/Application\ Support/Firefox/profiles.ini
   declare -r f2=~/.mozilla/firefox/profiles.ini
 
@@ -175,8 +175,8 @@ getProfilePath() {
 #########################
 
 # Returns the version number of a updater.sh file
-get_updater_version() {
+get_updater_version () {
-  echo "$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")"
+  echo $(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")
 }
 
 # Update updater.sh
@@ -184,14 +184,14 @@ get_updater_version() {
 # Args:
 #   -d: New version will not be looked for and update will not occur
 #   -u: Check for update, if available, execute without asking
-update_updater() {
+update_updater () {
-  [ "$UPDATE" = 'no' ] && return 0 # User signified not to check for updates
+  [ $UPDATE = 'no' ] && return 0 # User signified not to check for updates
 
   declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')"
   [ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed
 
   if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]; then
-    if [ "$UPDATE" = 'check' ]; then
+    if [ $UPDATE = 'check' ]; then
       echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}"
       read -p "" -n 1 -r
       echo -e "\n\n"
@@ -211,11 +211,11 @@ update_updater() {
 #########################
 
 # Returns version number of a user.js file
-get_userjs_version() {
+get_userjs_version () {
-  [ -e "$1" ] && echo "$(sed -n '4p' "$1")" || echo "Not detected."
+  [ -e $1 ] && echo "$(sed -n '4p' "$1")" || echo "Not detected."
 }
 
-add_override() {
+add_override () {
   input=$1
   if [ -f "$input" ]; then
     echo "" >> user.js
@@ -235,27 +235,27 @@ add_override() {
   fi
 }
 
-remove_comments() { # expects 2 arguments: from-file and to-file
+remove_comments () { # expects 2 arguments: from-file and to-file
   sed -e '/^\/\*.*\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e 's|^[[:space:]]*//.*$||' -e '/^[[:space:]]*$/d' -e 's|);[[:space:]]*//.*|);|' "$1" > "$2"
 }
 
 # Applies latest version of user.js and any custom overrides
-update_userjs() {
+update_userjs () {
   declare -r newfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')"
   [ -z "${newfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && return 1 # check if download failed
 
   echo -e "Please observe the following information:
     Firefox profile:  ${ORANGE}$(pwd)${NC}
-    Available online: ${ORANGE}$(get_userjs_version "$newfile")${NC}
+    Available online: ${ORANGE}$(get_userjs_version $newfile)${NC}
     Currently using:  ${ORANGE}$(get_userjs_version user.js)${NC}\n\n"
 
-  if [ "$CONFIRM" = 'yes' ]; then
+  if [ $CONFIRM = 'yes' ]; then
     echo -e "This script will update to the latest user.js file and append any custom configurations from user-overrides.js. ${RED}Continue Y/N? ${NC}"
     read -p "" -n 1 -r
     echo -e "\n"
     if [[ $REPLY =~ ^[Nn]$ ]]; then
       echo -e "${RED}Process aborted${NC}"
-      rm "$newfile"
+      rm $newfile
       return 1
     fi
   fi
@@ -269,7 +269,7 @@ update_userjs() {
   # backup user.js
   mkdir -p userjs_backups
   local bakname="userjs_backups/user.js.backup.$(date +"%Y-%m-%d_%H%M")"
-  [ "$BACKUP" = 'single' ] && bakname='userjs_backups/user.js.backup'
+  [ $BACKUP = 'single' ] && bakname='userjs_backups/user.js.backup'
   cp user.js "$bakname" &>/dev/null
 
   mv "${newfile}" user.js
@@ -295,19 +295,19 @@ update_userjs() {
     past_nocomments='userjs_diffs/past_userjs.txt'
     current_nocomments='userjs_diffs/current_userjs.txt'
 
-    remove_comments "$pastuserjs" "$past_nocomments"
+    remove_comments $pastuserjs $past_nocomments
-    remove_comments user.js "$current_nocomments"
+    remove_comments user.js $current_nocomments
 
     diffname="userjs_diffs/diff_$(date +"%Y-%m-%d_%H%M").txt"
-    diff=$(diff -w -B -U 0 "$past_nocomments" "$current_nocomments")
+    diff=$(diff -w -B -U 0 $past_nocomments $current_nocomments)
-    if [ -n "$diff" ]; then
+    if [ ! -z "$diff" ]; then
       echo "$diff" > "$diffname"
       echo -e "Status: ${GREEN}A diff file was created:${NC} ${PWD}/${diffname}"
     else
       echo -e "Warning: ${ORANGE}Your new user.js file appears to be identical.  No diff file was created.${NC}"
-      [ "$BACKUP" = 'multiple' ] && rm "$bakname" &>/dev/null
+      [ $BACKUP = 'multiple' ] && rm $bakname &>/dev/null
     fi
-    rm "$past_nocomments" "$current_nocomments" "$pastuserjs" &>/dev/null
+    rm $past_nocomments $current_nocomments $pastuserjs &>/dev/null
   fi
 
   [ "$VIEW" = true ] && open_file "${PWD}/user.js"
@@ -319,7 +319,7 @@ update_userjs() {
 
 if [ $# != 0 ]; then
   # Display usage if first argument is -help or --help
-  if [ "$1" = '--help' ] || [ "$1" = '-help' ]; then
+  if [ $1 = '--help' ] || [ $1 = '-help' ]; then
     usage
   else
     while getopts ":hp:ludsno:bcvre" opt; do
@@ -363,7 +363,7 @@ if [ $# != 0 ]; then
         r)
           tfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')"
           [ -z "${tfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && exit 1 # check if download failed
-          mv "$tfile" "${tfile}.js"
+          mv $tfile "${tfile}.js"
           echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}"
           open_file "${tfile}.js"
           exit 0
@@ -382,7 +382,7 @@ if [ $# != 0 ]; then
 fi
 
 show_banner
-update_updater "$@"
+update_updater $@
 
 getProfilePath # updates PROFILE_PATH or exits on error
 cd "$PROFILE_PATH" && update_userjs

user.js

@@ -1,22 +1,22 @@
 /******
 * name: arkenfox user.js
-* date: 21 January 2021
+* date: 27 October 2021
-* version 96
+* version 91.1
 * url: https://github.com/arkenfox/user.js
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
 
 * README:
 
   1. Consider using Tor Browser if it meets your needs or fits your threat model
-       * https://2019.www.torproject.org/about/torusers.html
+       * https://www.torproject.org/about/torusers.html.en
   2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries
        * https://github.com/arkenfox/user.js/wiki
   3. If you skipped step 2, return to step 2
   4. Make changes
-       * There are often trade-offs and conflicts between security vs privacy vs anti-tracking
+       * There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting
          and these need to be balanced against functionality & convenience & breakage
        * Some site breakage and unintended consequences will happen. Everyone's experience will differ
-         e.g. some user data is erased on exit (section 2800), change this to suit your needs
+         e.g. some user data is erased on close (section 2800), change this to suit your needs
        * While not 100% definitive, search for "[SETUP" tags
          e.g. third party images/videos not loading on some sites? check 1601
        * Take the wiki link in step 2 and read the Troubleshooting entry
@@ -31,8 +31,10 @@
   * It is best to use the arkenfox release that is optimized for and matches your Firefox version
   * EVERYONE: each release
     - run prefsCleaner to reset prefs made inactive, including deprecated (9999s)
-    ESR91
+    ESR78
-    - If you are not using arkenfox v91... (not a definitive list)
+    - If you are not using arkenfox v78... (not a definitive list)
+      - 1244: HTTPS-Only mode is enabled
+      - 4511: non-native widget theme is enforced
       - 9999: switch the appropriate deprecated section(s) back on
 
 * INDEX:
@@ -51,16 +53,18 @@
   1600: HEADERS / REFERERS
   1700: CONTAINERS
   2000: PLUGINS / MEDIA / WEBRTC
+  2300: WEB WORKERS
   2400: DOM (DOCUMENT OBJECT MODEL)
   2600: MISCELLANEOUS
-  2700: ETP (ENHANCED TRACKING PROTECTION)
+  2700: PERSISTENT STORAGE
-  2800: SHUTDOWN & SANITIZING
+  2800: SHUTDOWN
+  4000: FPI (FIRST PARTY ISOLATION)
   4500: RFP (RESIST FINGERPRINTING)
   5000: OPTIONAL OPSEC
   5500: OPTIONAL HARDENING
   6000: DON'T TOUCH
   7000: DON'T BOTHER
-  8000: DON'T BOTHER: FINGERPRINTING
+  8000: DON'T BOTHER: NON-RFP
   9000: PERSONAL
   9999: DEPRECATED / REMOVED / LEGACY / RENAMED
 
@@ -83,7 +87,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 user_pref("browser.shell.checkDefaultBrowser", false);
 /* 0102: set startup page [SETUP-CHROME]
  * 0=blank, 1=home, 2=last visited page, 3=resume previous session
- * [NOTE] Session Restore is cleared with history (2811, 2812), and not used in Private Browsing mode
+ * [NOTE] Session Restore is cleared with history (2803, 2804), and not used in Private Browsing mode
  * [SETTING] General>Startup>Restore previous session ***/
 user_pref("browser.startup.page", 0);
 /* 0103: set HOME+NEWWINDOW page
@@ -100,7 +104,7 @@ user_pref("browser.newtab.preload", false);
  * [SETTING] Home>Firefox Home Content>...  to show/hide what you want ***/
 user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
 user_pref("browser.newtabpage.activity-stream.telemetry", false);
-user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false]
+user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false FF89+]
 user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
 user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
 user_pref("browser.newtabpage.activity-stream.showSponsored", false);
@@ -131,14 +135,35 @@ user_pref("browser.region.update.enabled", false); // [FF79+]
  * [SETTING] General>Language and Appearance>Language>Choose your preferred language...
  * [TEST] https://addons.mozilla.org/about ***/
 user_pref("intl.accept_languages", "en-US, en");
-/* 0211: use en-US locale regardless of the system or region locale
+/* 0211: use US English locale regardless of the system locale
  * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
- * [TEST] https://arkenfox.github.io/TZP/tests/formatting.html
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
 user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
 
 /*** [SECTION 0300]: QUIETER FOX ***/
 user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
+/** UPDATES ***/
+/* 0301: disable auto-INSTALLING Firefox updates [NON-WINDOWS]
+ * [NOTE] You will still get prompts to update, and should do so in a timely manner
+ * [SETTING] General>Firefox Updates>Check for updates but let you choose to install them ***/
+user_pref("app.update.auto", false);
+/* 0302: disable auto-INSTALLING Firefox updates via a background service [FF90+] [WINDOWS]
+ * [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
+ * [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows ***/
+user_pref("app.update.background.scheduling.enabled", false);
+/* 0303: disable auto-CHECKING for extension and theme updates ***/
+   // user_pref("extensions.update.enabled", false);
+/* 0304: disable auto-INSTALLING extension and theme updates (after the check in 0303)
+ * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
+   // user_pref("extensions.update.autoUpdateDefault", false);
+/* 0305: disable extension metadata
+ * used when installing/updating an extension, and in daily background update checks:
+ * when false, extension detail tabs will have no description ***/
+   // user_pref("extensions.getAddons.cache.enabled", false);
+/* 0306: disable search engine updates (e.g. OpenSearch)
+ * [NOTE] This does not affect Mozilla's built-in or Web Extension search engines ***/
+user_pref("browser.search.update", false);
+
 /** RECOMMENDATIONS ***/
 /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/
 user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
@@ -210,12 +235,16 @@ user_pref("network.captive-portal-service.enabled", false); // [FF52+]
 /* 0361: disable Network Connectivity checks [FF65+]
  * [1] https://bugzilla.mozilla.org/1460537 ***/
 user_pref("network.connectivity-service.enabled", false);
+/* 0362: enforce disabling of Web Compatibility Reporter [FF56+]
+ * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
+user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
 
 /*** [SECTION 0400]: SAFE BROWSING (SB)
    SB has taken many steps to preserve privacy. If required, a full url is never sent
    to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes.
    Firefox takes measures such as stripping out identifying parameters and since SBv4 (FF57+)
    doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
+   FWIW, Google also swear it is anonymized and only used to flag malicious sites.
 
    [1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
    [2] https://wiki.mozilla.org/Security/Safe_Browsing
@@ -259,7 +288,7 @@ user_pref("network.dns.disablePrefetch", true);
    // user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
 /* 0603: disable predictor / prefetching ***/
 user_pref("network.predictor.enabled", false);
-user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
+   // user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
 /* 0604: disable link-mouseover opening connection to linked server
  * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/
 user_pref("network.http.speculative-parallel-limit", 0);
@@ -289,25 +318,14 @@ user_pref("network.proxy.socks_remote_dns", true);
  * [SETUP-CHROME] Can break extensions for profiles on network shares
  * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
 user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
-/* 0704: disable GIO as a potential proxy bypass vector
+/* 0704: disable GIO as a potential proxy bypass vector [FF60+]
- * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
+ * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
- * dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+)
+ * gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
  * [1] https://bugzilla.mozilla.org/1433507
  * [2] https://en.wikipedia.org/wiki/GVfs
  * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
 user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
-/* 0705: disable proxy direct failover for system requests [FF91+]
+/* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+]
- * [WARNING] Default true is a security feature against malicious extensions [1]
- * [SETUP-CHROME] If you use a proxy and you trust your extensions
- * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
-   // user_pref("network.proxy.failover_direct", false);
-/* 0706: disable proxy bypass for system request failures [FF95+]
- * RemoteSettings, UpdateService, Telemetry [1]
- * [WARNING] If false, this will break the fallback for some security features
- * [SETUP-CHROME] If you use a proxy and you understand the security impact
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
-   // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF]
-/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
  * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
  * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3]
  * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
@@ -315,6 +333,11 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
  * [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/
  * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
    // user_pref("network.trr.mode", 5);
+/* 0706: disable proxy direct failover for system requests [FF91+]
+ * [WARNING] Default true is a security feature against malicious extensions [1]
+ * [SETUP-CHROME] If you use a proxy and you trust your extensions
+ * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
+   // user_pref("network.proxy.failover_direct", false);
 
 /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
 user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
@@ -349,18 +372,13 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
  * 0=never resolve single words, 1=heuristic (default), 2=always resolve
  * [1] https://bugzilla.mozilla.org/1642623 ***/
 user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
-/* 0807: disable location bar contextual suggestions [FF92+]
- * [SETTING] Privacy & Security>Address Bar>Suggestions from...
- * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
-user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
-user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
 /* 0808: disable tab-to-search [FF85+]
  * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
  * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
    // user_pref("browser.urlbar.suggest.engines", false);
 /* 0810: disable search and form history
  * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
- * [NOTE] We also clear formdata on exit (2811)
+ * [NOTE] We also clear formdata on exit (2803)
  * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
  * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
  * [2] https://bugzilla.mozilla.org/381681 ***/
@@ -378,7 +396,7 @@ user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
 /* 0820: disable coloring of visited links
  * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
  * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
- * attacks. Don't forget clearing history on exit (2811). However, social engineering [2#limits][4][5]
+ * attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5]
  * and advanced targeted timing attacks could still produce usable results
  * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector
  * [2] https://dbaron.org/mozilla/visited-privacy
@@ -419,10 +437,11 @@ user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false]
 user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
 /* 1001: disable disk cache
  * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this
- * [NOTE] We also clear cache on exit (2811) ***/
+ * [NOTE] We also clear cache on exit (2803) ***/
 user_pref("browser.cache.disk.enable", false);
 /* 1002: disable media cache from writing to disk in Private Browsing
- * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/
+ * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB
+ * [SETUP-WEB] ESR78: playback might break on subsequent loading (1650281) ***/
 user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+]
 user_pref("media.memory_cache_max_size", 65536);
 /* 1003: disable storing extra session data [SETUP-CHROME]
@@ -457,18 +476,17 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
  * safe from the attack if it disables renegotiations but the problem is that the browser can't
  * know that. Setting this pref to true is the only way for the browser to ensure there will be
  * no unsafe renegotiations on the channel between the browser and the server.
- * [STATS] SSL Labs (July 2021) reports over 99% of top sites have secure renegotiation [4]
+ * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4]
  * [1] https://wiki.mozilla.org/Security:Renegotiation
- * [2] https://datatracker.ietf.org/doc/html/rfc5746
+ * [2] https://tools.ietf.org/html/rfc5746
  * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
  * [4] https://www.ssllabs.com/ssl-pulse/ ***/
 user_pref("security.ssl.require_safe_negotiation", true);
+/* 1203: reset TLS 1.0 and 1.1 downgrades i.e. session only ***/
+user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
 /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
- * This data is not forward secret, as it is encrypted solely under keys derived using
- * the offered PSK. There are no guarantees of non-replay between connections
  * [1] https://github.com/tlswg/tls13-spec/issues/1001
- * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt
+ * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
- * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
 user_pref("security.tls.enable_0rtt_data", false);
 
 /** OCSP (Online Certificate Status Protocol)
@@ -534,8 +552,8 @@ user_pref("dom.security.https_only_mode", true); // [FF76+]
 /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
    // user_pref("dom.security.https_only_mode.upgrade_local", true);
 /* 1246: disable HTTP background requests [FF82+]
- * When attempting to upgrade, if the server doesn't respond within 3 seconds, Firefox sends
+ * When attempting to upgrade, if the server doesn't respond within 3 seconds,
- * a top-level HTTP request without path in order to check if the server supports HTTPS or not
+ * Firefox sends HTTP requests in order to check if the server supports HTTPS or not
  * This is done to avoid waiting for a timeout which takes 90 seconds
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945 ***/
 user_pref("dom.security.https_only_mode_send_http_background_request", false);
@@ -555,22 +573,22 @@ user_pref("browser.ssl_override_behavior", 1);
  * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
  * [TEST] https://expired.badssl.com/ ***/
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
+/* 1273: display "Not Secure" text on HTTP sites ***/
+user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
 
 /*** [SECTION 1400]: FONTS ***/
 user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
 /* 1401: disable rendering of SVG OpenType fonts ***/
 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
-/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
+/* 1402: limit font visibility (Windows, Mac, some Linux) [FF79+]
+ * [NOTE] In FF80+ RFP ignores the pref and uses value 1
  * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
- * In normal windows: uses the first applicable: RFP (4506) over TP over Standard
- * In Private Browsing windows: uses the most restrictive between normal and private
  * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
  * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
-   // user_pref("layout.css.font-visibility.private", 1);
+   // user_pref("layout.css.font-visibility.level", 1);
-   // user_pref("layout.css.font-visibility.standard", 1);
-   // user_pref("layout.css.font-visibility.trackingprotection", 1);
 
 /*** [SECTION 1600]: HEADERS / REFERERS
+   Expect some breakage e.g. banks: use an extension if you need precise control
                   full URI: https://example.com:8888/foo/bar.html?id=1234
      scheme+host+port+path: https://example.com:8888/foo/bar.html
           scheme+host+port: https://example.com:8888
@@ -579,12 +597,15 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
 /* 1601: control when to send a cross-origin referer
  * 0=always (default), 1=only if base domains match, 2=only if hosts match
- * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram
+ * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/
- * If "2" is too strict, then override to "0" and use Smart Referer (Strict mode + add exceptions) ***/
 user_pref("network.http.referer.XOriginPolicy", 2);
 /* 1602: control the amount of cross-origin information to send [FF52+]
  * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
 user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
+/* 1603: enable the DNT (Do Not Track) HTTP header
+ * [NOTE] DNT is enforced with Enhanced Tracking Protection (2710)
+ * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/
+   // user_pref("privacy.donottrackheader.enabled", true);
 
 /*** [SECTION 1700]: CONTAINERS
    Check out Temporary Containers [2], read the article [3], and visit the wiki/repo [4]
@@ -606,25 +627,19 @@ user_pref("privacy.userContext.ui.enabled", true);
 /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
 user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
 /* 2001: disable WebRTC (Web Real-Time Communication)
- * Firefox uses mDNS hostname obfuscation on desktop (except Windows7/8) and the
+ * [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not
- * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after
+ * in your threat model, and you want Real-Time Communication, this is the pref for you
- * you grant device (microphone or camera) access
+ * [1] https://www.privacytools.io/#webrtc ***/
- * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC
+user_pref("media.peerconnection.enabled", false);
+/* 2002: limit WebRTC IP leaks if using WebRTC
+ * In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3]
  * [TEST] https://browserleaks.com/webrtc
- * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
- * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
+ * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy
-   // user_pref("media.peerconnection.enabled", false);
+ * [3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
-/* 2002: force WebRTC inside the proxy [FF70+] ***/
-user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
-/* 2003: force a single network interface for ICE candidates generation [FF42+]
- * When using a system-wide proxy, it uses the proxy interface
- * [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate
- * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
 user_pref("media.peerconnection.ice.default_address_only", true);
-/* 2004: force exclusion of private IPs from ICE candidates [FF51+]
+user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
- * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios after you
+user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
- * grant device access, but often results in breakage on video-conferencing platforms ***/
-   // user_pref("media.peerconnection.ice.no_host", true);
 /* 2020: disable GMP (Gecko Media Plugins)
  * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
    // user_pref("media.gmp-provider.enabled", false);
@@ -632,13 +647,11 @@ user_pref("media.peerconnection.ice.default_address_only", true);
  * [NOTE] This is covered by the EME master switch (2022) ***/
    // user_pref("media.gmp-widevinecdm.enabled", false);
 /* 2022: disable all DRM content (EME: Encryption Media Extension)
- * Optionally hide the setting which also disables the DRM prompt
  * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
  * [SETTING] General>DRM Content>Play DRM-controlled content
  * [TEST] https://bitmovin.com/demos/drm
  * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
 user_pref("media.eme.enabled", false);
-   // user_pref("browser.eme.ui.enabled", false);
 /* 2030: disable autoplay of HTML5 media [FF63+]
  * 0=Allow all, 1=Block non-muted media (default), 5=Block all
  * [NOTE] You can set exceptions under site permissions
@@ -651,6 +664,46 @@ user_pref("media.eme.enabled", false);
  * [1] https://support.mozilla.org/questions/1293231 ***/
 user_pref("media.autoplay.blocking_policy", 2);
 
+/*** [SECTION 2300]: WEB WORKERS
+   A worker is a JS "background task" running in a global context, i.e. it is different from
+   the current window. Workers can spawn new workers (must be the same origin & scheme),
+   including service and shared workers. Shared workers can be utilized by multiple scripts and
+   communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
+
+   [1]    Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
+   [2]         Worker: https://developer.mozilla.org/docs/Web/API/Worker
+   [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API
+   [4]   SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker
+   [5]   ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker
+   [6]  Notifications: https://support.mozilla.org/questions/1165867#answer-981820
+***/
+user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
+/* 2302: disable service workers [FF32, FF44-compat]
+ * Service workers essentially act as proxy servers that sit between web apps, and the
+ * browser and network, are event driven, and can control the web page/site they are associated
+ * with, intercepting and modifying navigation and resource requests, and caching resources.
+ * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1]
+ * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for
+ * service worker notifications (2304), push notifications (disabled, 2305) and service worker
+ * cache (2740). If you enable this pref, then check those settings as well
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/
+user_pref("dom.serviceWorkers.enabled", false);
+/* 2304: disable Web Notifications
+ * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (7002)
+ * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
+   // user_pref("dom.webnotifications.enabled", false); // [FF22+]
+   // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
+/* 2305: disable Push Notifications [FF44+]
+ * Push is an API that allows websites to send you (subscribed) messages even when the site
+ * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server
+ * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind
+ * a prompt (7002). Disabling service workers alone doesn't stop Firefox polling the
+ * Mozilla Push Server. To remove all subscriptions, reset your userAgentID.
+ * [1] https://support.mozilla.org/kb/push-notifications-firefox
+ * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/
+user_pref("dom.push.enabled", false);
+   // user_pref("dom.push.userAgentID", "");
+
 /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/
 user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
 /* 2401: disable "Confirm you want to leave" dialog on page close
@@ -668,6 +721,7 @@ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
 /*** [SECTION 2600]: MISCELLANEOUS ***/
 user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
 /* 2601: prevent accessibility services from accessing your browser [RESTART]
+ * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
  * [1] https://support.mozilla.org/kb/accessibility-services ***/
 user_pref("accessibility.force_disabled", 1);
 /* 2602: disable sending additional analytics to web servers
@@ -734,9 +788,7 @@ user_pref("permissions.delegation.enabled", false);
  * [SETUP-CHROME] On Android this blocks longtapping and saving images
  * [SETTING] General>Downloads>Always ask you where to save files ***/
 user_pref("browser.download.useDownloadDir", false);
-/* 2652: disable downloads panel opening on every download [FF96+] ***/
+/* 2652: disable adding downloads to the system's "recent documents" list ***/
-user_pref("browser.download.alwaysOpenPanel", false);
-/* 2653: disable adding downloads to the system's "recent documents" list ***/
 user_pref("browser.download.manager.addToRecentDocs", false);
 
 /** EXTENSIONS ***/
@@ -754,93 +806,164 @@ user_pref("extensions.postDownloadThirdPartyPrompt", false);
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
    // user_pref("extensions.webextensions.restrictedDomains", "");
 
-/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/
+/*** [SECTION 2700]: PERSISTENT STORAGE
-user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
+   Data SET by websites including
-/* 2701: enable ETP Strict Mode [FF86+]
+          cookies : profile\cookies.sqlite
- * ETP Strict Mode enables Total Cookie Protection (TCP)
+     localStorage : profile\webappsstore.sqlite
- * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of
+        indexedDB : profile\storage\default
- * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared
+   serviceWorkers :
- * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
- * [SETTING] to add site exceptions: Urlbar>ETP Shield
- * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
-user_pref("browser.contentblocking.category", "strict");
-/* 2702: disable ETP web compat features [FF93+]
- * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants
- * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
- * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 ***/
-   // user_pref("privacy.antitracking.enableWebcompat", false);
-/* 2710: enable state partitioning of service workers [FF96+] ***/
-user_pref("privacy.partition.serviceWorkers", true);
 
-/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
+   [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode
-user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
+   [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage),
-/** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/
+   indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications)
-/* 2801: delete cookies and site data on exit
+   If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become
- * 0=keep until they expire (default), 2=keep until you close Firefox
+   accessible to websites except shared/service workers where the cookie setting must be "Allow"
- * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, indexedDB,
+***/
- * sharedWorkers and serviceWorkers. serviceWorkers require an "Allow" permission
+user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
- * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
+/* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB]
- * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow
+ * 0 = Accept cookies and site data
- *   If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com
+ * 1 = (Block) All third-party cookies
- * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
+ * 2 = (Block) All cookies
-user_pref("network.cookie.lifetimePolicy", 2);
+ * 3 = (Block) Cookies from unvisited websites
-/* 2802: delete cache on exit [FF96+]
+ * 4 = (Block) Cross-site tracking cookies (default)
- * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
+ * 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+)
- * [1] https://bugzilla.mozilla.org/1671182 ***/
+ * Option 5 with FPI enabled (4001) is ignored and not shown, and option 4 used instead
-   // user_pref("privacy.clearsitedata.cache.enabled", true);
+ * [NOTE] You can set cookie exceptions under site permissions or use an extension
-/* 2803: set third-party cookies to session-only
+ * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
+ * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies
+ * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/
+user_pref("network.cookie.cookieBehavior", 1);
+user_pref("browser.contentblocking.category", "custom");
+/* 2702: set third-party cookies (if enabled, see 2701) to session-only
  * [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
  * .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
  * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
 user_pref("network.cookie.thirdparty.sessionOnly", true);
 user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
+/* 2703: delete cookies and site data on close
+ * 0=keep until they expire (default), 2=keep until you close Firefox
+ * [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2)
+ * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
+   // user_pref("network.cookie.lifetimePolicy", 2);
+/* 2710: enable Enhanced Tracking Protection (ETP) in all windows
+ * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content
+ * [SETTING] to add site exceptions: Urlbar>ETP Shield
+ * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
+user_pref("privacy.trackingprotection.enabled", true);
+/* 2711: enable various ETP lists ***/
+user_pref("privacy.trackingprotection.socialtracking.enabled", true);
+   // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
+   // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
+/* 2740: disable service worker cache and cache storage
+ * [NOTE] We clear service worker cache on exit (2803)
+ * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
+   // user_pref("dom.caches.enabled", false);
+/* 2750: disable Storage API [FF51+]
+ * The API gives sites the ability to find out how much space they can use, how much
+ * they are already using, and even control whether or not they need to be alerted
+ * before the user agent disposes of site data in order to make room for other things.
+ * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
+ * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
+ * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
+   // user_pref("dom.storageManager.enabled", false);
+/* 2755: disable Storage Access API [FF65+]
+ * [1] https://developer.mozilla.org/docs/Web/API/Storage_Access_API ***/
+   // user_pref("dom.storage_access.enabled", false);
+/* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/
+user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
 
-/** SANITIZE ON SHUTDOWN : ALL OR NOTHING ***/
+/*** [SECTION 2800]: SHUTDOWN
-/* 2810: enable Firefox to clear items on shutdown (2811)
+   * Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under
+     Privacy & Security>Delete cookies and site data when Firefox is closed (1681701)
+   * If you want to keep some sites' cookies (exception as "Allow") and optionally other site
+     data but clear all the rest on close, then you need to set the "cookie" and optionally the
+     "offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703)
+***/
+user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
+/* 2802: enable Firefox to clear items on shutdown (2803)
  * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
-/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
+/* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME]
- * These items do not use exceptions, it is all or nothing (1681701)
  * [NOTE] If "history" is true, downloads will also be cleared
- * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
+ * [NOTE] Active Logins: does not refer to logins via cookies, but rather HTTP Basic Authentication [1]
- * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
+ * [NOTE] Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
  * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
  * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
-user_pref("privacy.clearOnShutdown.cache", true);     // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.cache", true);
-user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.cookies", true);
-user_pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.downloads", true); // see note above
-user_pref("privacy.clearOnShutdown.history", true);   // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
-user_pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
-user_pref("privacy.clearOnShutdown.offlineApps", false); // [DEFAULT: false]
+user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
-user_pref("privacy.clearOnShutdown.cookies", false);
+user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
-   // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
+user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
-/* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME]
+/* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME]
  * This dialog can also be accessed from the menu History>Clear Recent History
  * Firefox remembers your last choices. This will reset them when you start Firefox
  * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
  * for "Clear Recent History" is opened, it is synced to the same as "history" ***/
-user_pref("privacy.cpd.cache", true);    // [DEFAULT: true]
+user_pref("privacy.cpd.cache", true);
-user_pref("privacy.cpd.formdata", true); // [DEFAULT: true]
+user_pref("privacy.cpd.cookies", true);
-user_pref("privacy.cpd.history", true);  // [DEFAULT: true]
-user_pref("privacy.cpd.sessions", true); // [DEFAULT: true]
-user_pref("privacy.cpd.offlineApps", false); // [DEFAULT: false]
-user_pref("privacy.cpd.cookies", false);
    // user_pref("privacy.cpd.downloads", true); // not used, see note above
-   // user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] not listed
+user_pref("privacy.cpd.formdata", true); // Form & Search History
-   // user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false]
+user_pref("privacy.cpd.history", true); // Browsing & Download History
-/* 2813: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
+user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
- * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
+user_pref("privacy.cpd.passwords", false); // this is not listed
+user_pref("privacy.cpd.sessions", true); // Active Logins
+user_pref("privacy.cpd.siteSettings", false); // Site Preferences
+/* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
+ * [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803)
  * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008)
  * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
    // user_pref("privacy.clearOnShutdown.openWindows", true);
    // user_pref("privacy.cpd.openWindows", true);
-/* 2814: reset default "Time range to clear" for "Clear Recent History" (2812)
+/* 2806: reset default "Time range to clear" for "Clear Recent History" (2804)
  * Firefox remembers your last choice. This will reset the value when you start Firefox
  * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
  * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
  * which will display a blank value, and are not guaranteed to work ***/
 user_pref("privacy.sanitize.timeSpan", 0);
 
+/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION)
+   1278037 - indexedDB (FF51+)
+   1277803 - favicons (FF52+)
+   1264562 - OCSP cache (FF52+)
+   1268726 - Shared Workers (FF52+)
+   1316283 - SSL session cache (FF52+)
+   1317927 - media cache (FF53+)
+   1323644 - HSTS and HPKP (FF54+)
+   1334690 - HTTP Alternative Services (FF54+)
+   1334693 - SPDY/HTTP2 (FF55+)
+   1337893 - DNS cache (FF55+)
+   1344170 - blob: URI (FF55+)
+   1300671 - data:, about: URLs (FF55+)
+   1473247 - IP addresses (FF63+)
+   1542309 - top-level domain URLs when host is in the public suffix list (FF68+)
+   1506693 - pdfjs range-based requests (FF68+)
+   1330467 - site permissions (FF69+)
+   1534339 - IPv6 (FF73+)
+   1721858 - WebSocket (FF92+)
+***/
+user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
+/* 4001: enable First Party Isolation [FF51+]
+ * [SETUP-WEB] Breaks some cross-origin logins
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
+user_pref("privacy.firstparty.isolate", true);
+/* 4002: enforce FPI restriction for window.opener [FF54+]
+ * [NOTE] Setting this to false may reduce the breakage in 4001
+ * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
+ * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3]
+ * The 2nd pref removes that limitation and will only allow communication if FPDs also match
+ * [1] https://bugzilla.mozilla.org/1319773#c22
+ * [2] https://bugzilla.mozilla.org/1492607
+ * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/
+   // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
+   // user_pref("privacy.firstparty.isolate.block_post_message", true);
+/* 4003: enable scheme with FPI [FF78+]
+ * [NOTE] Experimental: existing data and site permissions are incompatible
+ * and some site exceptions may not work e.g. HTTPS-only mode (1244) ***/
+   // user_pref("privacy.firstparty.isolate.use_site", true);
+
 /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
    RFP covers a wide range of ongoing fingerprinting solutions.
    It is an all-or-nothing buy in: you cannot pick and choose what parts you want
@@ -850,13 +973,14 @@ user_pref("privacy.sanitize.timeSpan", 0);
     418986 - limit window.screen & CSS media queries (FF41)
       [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
    1281949 - spoof screen orientation (FF50)
+   1281963 - hide contents of navigator.plugins and navigator.mimeTypes (FF50-88)
    1330890 - spoof timezone as UTC0 (FF55)
    1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
    1217238 - reduce precision of time exposed by javascript (FF55)
  FF56
    1369303 - spoof/disable performance API
    1333651 - spoof User Agent & Navigator API
-      JS: the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux
+      JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux
       HTTP Headers: spoofed as Windows or Android
    1369319 - disable device sensor API
    1369357 - disable site specific zoom
@@ -869,6 +993,8 @@ user_pref("privacy.sanitize.timeSpan", 0);
    1217290 & 1409677 - enable some fingerprinting resistance for WebGL
    1382545 - reduce fingerprinting in Animation API
    1354633 - limit MediaError.message to a whitelist
+   1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87)
+      Blocks exposure of local IP Addresses via mDNS (Multicast DNS)
  FF58-90
     967895 - spoof canvas and enable site permission prompt (FF58)
    1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
@@ -900,11 +1026,12 @@ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs")
  * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
  * [1] https://bugzilla.mozilla.org/418986 ***/
 user_pref("privacy.resistFingerprinting", true);
-/* 4502: set new window size rounding max values [FF55+]
+/* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
- * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
+ * Width will round down to multiples of 200s and height to 100s, to fit your screen.
+ * The max values are a starting point to round from if you want some control
  * [1] https://bugzilla.mozilla.org/1330882 ***/
-user_pref("privacy.window.maxInnerWidth", 1600);
+   // user_pref("privacy.window.maxInnerWidth", 1000);
-user_pref("privacy.window.maxInnerHeight", 900);
+   // user_pref("privacy.window.maxInnerHeight", 1000);
 /* 4503: disable mozAddonManager Web API [FF57+]
  * [NOTE] To allow extensions to work on AMO, you also need 2662
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
@@ -925,15 +1052,13 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
  * [1] https://bugzilla.mozilla.org/1635603 ***/
    // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");
    // user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
-/* 4506: set RFP's font visibility level (1402) [FF94+] ***/
+/* 4506: disable showing about:blank as soon as possible during startup [FF60+]
-   // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
-/* 4507: disable showing about:blank as soon as possible during startup [FF60+]
  * When default true this no longer masks the RFP chrome resizing activity
  * [1] https://bugzilla.mozilla.org/1448423 ***/
 user_pref("browser.startup.blankWindow", false);
-/* 4510: disable using system colors
+/* 4510: enforce no system colors
  * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
-user_pref("browser.display.use_system_colors", false); // [DEFAULT false NON-WINDOWS]
+user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
 /* 4511: enforce non-native widget theme
  * Security: removes/reduces system API calls, e.g. win32k API [1]
  * Fingerprinting: provides a uniform look and feel across platforms [2]
@@ -989,7 +1114,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
 /* 5006: disable favicons in history and bookmarks
  * [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your
  * actual history (and bookmarks) already do. Your history is more detailed, so
- * control that instead; e.g. disable history, clear history on exit, use PB mode
+ * control that instead; e.g. disable history, clear history on close, use PB mode
  * [NOTE] favicons.sqlite is sanitized on Firefox close ***/
    // user_pref("browser.chrome.site_icons", false);
 /* 5007: exclude "Undo Closed Tabs" in Session Restore ***/
@@ -1013,7 +1138,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
  * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
    // user_pref("browser.urlbar.autoFill", false);
 /* 5013: disable browsing and download history
- * [NOTE] We also clear history and downloads on exit (2811)
+ * [NOTE] We also clear history and downloads on exit (2803)
  * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
    // user_pref("places.history.enabled", false);
 /* 5014: disable Windows jumplist [WINDOWS] ***/
@@ -1049,10 +1174,9 @@ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
  * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
    // user_pref("javascript.options.asmjs", false);
 /* 5505: disable Ion and baseline JIT to harden against JS exploits
- * [NOTE] When both Ion and JIT are disabled, and trustedprincipals
+ * [NOTE] In FF75+, when **both** Ion and JIT are disabled, **and** the new
- * is enabled, then Ion can still be used by extensions (1599226)
+ * hidden pref is enabled, then Ion can still be used by extensions (1599226)
- * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
+ * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit ***/
- * [2] https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ ***/
    // user_pref("javascript.options.ion", false);
    // user_pref("javascript.options.baselinejit", false);
    // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
@@ -1083,38 +1207,29 @@ user_pref("security.csp.enable", true); // [DEFAULT: true]
 user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
 /* 6005: enforce window.opener protection [FF65+]
  * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
-user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true]
+user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+]
 /* 6006: enforce "window.name" protection [FF82+]
  * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
  * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
  * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
-user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true]
+user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+]
-/* 0607: enforce Local Storage Next Generation (LSNG) [FF65+] ***/
+/* 6050: prefsCleaner: reset previously active items removed from arkenfox in 79-91 ***/
-user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
+   // user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "");
-/* 6008: enforce no First Party Isolation [FF51+]
+   // user_pref("browser.send_pings.require_same_host", "");
- * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701),
+   // user_pref("dom.allow_cut_copy", "");
- * and enabling FPI disables those. FPI is no longer maintained ***/
+   // user_pref("dom.vibrator.enabled", "");
-user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
+   // user_pref("media.getusermedia.audiocapture.enabled", "");
-/* 6009: enforce SmartBlock shims [FF81+]
+   // user_pref("media.getusermedia.browser.enabled", "");
- * In FF96+ these are listed in about:compat
+   // user_pref("media.getusermedia.screensharing.enabled", "");
- * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
+   // user_pref("media.gmp-widevinecdm.visible", "");
-user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]
+   // user_pref("network.http.redirection-limit", "");
-/* 6010: enforce/reset TLS 1.0/1.1 downgrades to session only
+   // user_pref("privacy.partition.network_state", "");
- * [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed
+   // user_pref("security.insecure_connection_icon.enabled", ""); // [DEFAULT: true FF70+]
- * [TEST] https://tls-v1-1.badssl.com:1010/ ***/
+   // user_pref("security.mixed_content.block_active_content", ""); // [DEFAULT: true since at least FF60]
-user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
+   // user_pref("security.ssl.enable_ocsp_stapling", ""); // [DEFAULT: true FF26+]
-/* 6011: enforce disabling of Web Compatibility Reporter [FF56+]
+   // user_pref("webgl.disable-fail-if-major-performance-caveat", ""); // [DEFAULT: true FF86+]
- * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla
+   // user_pref("webgl.enable-webgl2", "");
- * [WHY] To prevent wasting Mozilla's time with a custom setup ***/
+   // user_pref("webgl.min_capability_mode", "");
-user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
-/* 6050: prefsCleaner: reset items removed from arkenfox FF92+ ***/
-   // user_pref("dom.caches.enabled", "");
-   // user_pref("dom.storageManager.enabled", "");
-   // user_pref("dom.storage_access.enabled", "");
-   // user_pref("privacy.firstparty.isolate.block_post_message", "");
-   // user_pref("privacy.firstparty.isolate.restrict_opener_access", "");
-   // user_pref("privacy.firstparty.isolate.use_site", "");
-   // user_pref("security.insecure_connection_text.enabled", "");
 
 /*** [SECTION 7000]: DON'T BOTHER ***/
 user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
@@ -1149,18 +1264,18 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
    // user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
    // user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
    // user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
+   // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
 /* 7004: control TLS versions
- * [WHY] Passive fingerprinting and security ***/
+ * [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/
    // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
    // user_pref("security.tls.version.max", 4);
 /* 7005: disable SSL session IDs [FF36+]
- * [WHY] Passive fingerprinting and perf costs. These are session-only
+ * [WHY] Passive fingerprinting and perf costs. These are session-only and isolated
- * and isolated with network partitioning (FF85+) and/or containers ***/
+ * with network partitioning (FF85+) or when using FPI and/or containers ***/
    // user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
 /* 7006: onions
  * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/
    // user_pref("dom.securecontext.whitelist_onions", true); // 1382359
-   // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006
    // user_pref("network.http.referer.hideOnionSource", true); // 1305144
 /* 7007: referers
  * [WHY] Only cross-origin referers (1600s) need control ***/
@@ -1169,7 +1284,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 /* 7008: set the default Referrer Policy [FF59+]
  * 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
  * [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/
-   // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2]
+   // user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
    // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
 /* 7009: disable HTTP2
  * [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1]
@@ -1179,9 +1294,9 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
    // user_pref("network.http.spdy.enabled.http2", false);
    // user_pref("network.http.spdy.websockets", false); // [FF65+]
 /* 7010: disable HTTP Alternative Services [FF37+]
- * [WHY] Already isolated with network partitioning (FF85+) ***/
+ * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/
    // user_pref("network.http.altsvc.enabled", false);
-   // user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+]
+   // user_pref("network.http.altsvc.oe", false);
 /* 7011: disable website control over browser right-click context menu
  * [WHY] Just use Shift-Right-Click ***/
    // user_pref("dom.event.contextmenu.enabled", false);
@@ -1199,34 +1314,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
  * [WHY] It can compromise security. System addons ship with prefs, use those ***/
    // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
    // user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
-/* 7015: enable the DNT (Do Not Track) HTTP header
- * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
-   // user_pref("privacy.donottrackheader.enabled", true);
-/* 7016: customize ETP settings
- * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
-   // user_pref("network.cookie.cookieBehavior", 5);
-   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
-   // user_pref("privacy.partition.network_state.ocsp_cache", true);
-   // user_pref("privacy.trackingprotection.enabled", true);
-   // user_pref("privacy.trackingprotection.socialtracking.enabled", true);
-   // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
-   // user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
-/* 7017: disable service workers [FF32, FF44-compat]
- * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2710)
- * or blocked with TCP in 3rd parties (FF95 or lower) ***/
-   // user_pref("dom.serviceWorkers.enabled", false);
-/* 7018: disable Web Notifications
- * [WHY] Web Notifications are behind a prompt (7002)
- * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
-   // user_pref("dom.webnotifications.enabled", false); // [FF22+]
-   // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
-/* 7019: disable Push Notifications [FF44+]
- * [WHY] Push requires subscription
- * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
- * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
-   // user_pref("dom.push.enabled", false);
 
-/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
+/*** [SECTION 8000]: DON'T BOTHER: NON-RFP
    [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
    [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere
 ***/
@@ -1268,29 +1357,18 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc
    // user_pref("startup.homepage_welcome_url.additional", "");
    // user_pref("startup.homepage_override_url", ""); // What's New page after updates
 /* WARNINGS ***/
-   // user_pref("browser.tabs.warnOnClose", false); // [DEFAULT false FF94+]
+   // user_pref("browser.tabs.warnOnClose", false);
    // user_pref("browser.tabs.warnOnCloseOtherTabs", false);
    // user_pref("browser.tabs.warnOnOpen", false);
-   // user_pref("browser.warnOnQuitShortcut", false); // [FF94+]
    // user_pref("full-screen-api.warning.delay", 0);
    // user_pref("full-screen-api.warning.timeout", 0);
-/* UPDATES ***/
-   // user_pref("app.update.auto", false); // [NON-WINDOWS] disable auto app updates
-      // [NOTE] You will still get prompts to update, and should do so in a timely manner
-      // [SETTING] General>Firefox Updates>Check for updates but let you choose to install them
-   // user_pref("browser.search.update", false); // disable search engine updates (e.g. OpenSearch)
-      // [NOTE] This does not affect Mozilla's built-in or Web Extension search engines
-   // user_pref("extensions.update.enabled", false); // disable extension and theme update checks
-   // user_pref("extensions.update.autoUpdateDefault", false); // disable installing extension and theme updates
-      // [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle)
-   // user_pref("extensions.getAddons.cache.enabled", false); // disable extension metadata (extension detail tab)
 /* APPEARANCE ***/
    // user_pref("browser.download.autohideButton", false); // [FF57+]
+   // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
+      // 0=light, 1=dark: with RFP this only affects chrome
    // user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
    // user_pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF]
       // 0=no-preference, 1=reduce: with RFP this only affects chrome
-   // user_pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
-      // 0=light, 1=dark: with RFP this only affects chrome
 /* CONTENT BEHAVIOR ***/
    // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type"
    // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
@@ -1320,30 +1398,68 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features",
    // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
 
 /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
-   Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1]
+   Documentation denoted as [-]. Items deprecated in FF78 or earlier have been archived at [1]
    [1] https://github.com/arkenfox/user.js/issues/123
 ***/
 user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
-/* ESR91.x still uses all the following prefs
+/* ESR78.x still uses all the following prefs
 // [NOTE] replace the * with a slash in the line above to re-enable them
-// FF93
+// FF79
-// 7003: disable non-modern cipher suites
+// 0212: enforce fallback text encoding to match en-US
-   // [-] https://bugzilla.mozilla.org/1724072
+   // When the content or server doesn't declare a charset the browser will
-   // user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
+   // fallback to the "Current locale" based on your application language
-// FF94
+   // [TEST] https://hsivonen.com/test/moz/check-charset.htm
-// 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - replaced by new 1402
+   // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025
-   // [-] https://bugzilla.mozilla.org/1715507
+   // [-] https://bugzilla.mozilla.org/1603712
-   // user_pref("layout.css.font-visibility.level", 1);
+user_pref("intl.charset.fallback.override", "windows-1252");
-// FF95
+// FF82
-// 0807: disable location bar contextual suggestions [FF92+] - replaced by new 0807
+// 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
-   // [-] https://bugzilla.mozilla.org/1735976
+   // i.e. ignore all of Mozilla's various search engines in multiple locales
-user_pref("browser.urlbar.suggest.quicksuggest", false);
+   // [-] https://bugzilla.mozilla.org/1619926
-// FF96
+user_pref("browser.search.geoSpecificDefaults", false);
-// 0302: disable auto-INSTALLING Firefox updates via a background service + hide the setting [FF90+] [WINDOWS]
+user_pref("browser.search.geoSpecificDefaults.url", "");
-   // [SETTING] General>Firefox Updates>Automatically install updates>When Firefox is not running
+// FF86
-   // [1] https://support.mozilla.org/kb/enable-background-updates-firefox-windows
+// 1205: disable SSL Error Reporting
-   // [-] https://bugzilla.mozilla.org/1738983
+   // [1] https://firefox-source-docs.mozilla.org/main/65.0/browser/base/sslerrorreport/preferences.html
-user_pref("app.update.background.scheduling.enabled", false);
+   // [-] https://bugzilla.mozilla.org/1681839
+user_pref("security.ssl.errorReporting.automatic", false);
+user_pref("security.ssl.errorReporting.enabled", false);
+user_pref("security.ssl.errorReporting.url", "");
+// 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin
+   // [-] https://bugzilla.mozilla.org/1581678
+user_pref("browser.download.hide_plugins_without_extensions", false);
+// FF87
+// 0105d: disable Activity Stream recent Highlights in the Library [FF57+]
+   // [-] https://bugzilla.mozilla.org/1689405
+   // user_pref("browser.library.activity-stream.enabled", false);
+// 8002: disable PointerEvents
+   // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent
+   // [-] https://bugzilla.mozilla.org/1688105
+   // user_pref("dom.w3c_pointer_events.enabled", false);
+// FF89
+// 0309: disable sending Flash crash reports
+   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
+user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
+// 0310: disable sending the URL of the website where a plugin crashed
+   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
+user_pref("dom.ipc.plugins.reportCrashURL", false);
+// 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+]
+   // [1] https://bugzilla.mozilla.org/1190623
+   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
+user_pref("security.mixed_content.block_object_subrequest", true);
+// 1803: disable Flash plugin
+   // 0=deactivated, 1=ask, 2=enabled
+   // ESR52.x is the last branch to fully support NPAPI, FF52+ stable only supports Flash
+   // [NOTE] You can still override individual sites via site permissions
+   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
+user_pref("plugin.state.flash", 0); // [DEFAULT: 1]
+// FF90
+// 0708: disable FTP [FF60+]
+   // [-] https://bugzilla.mozilla.org/1574475
+   // user_pref("network.ftp.enabled", false); // [DEFAULT: false FF88+]
+// 7001: enforce no offline cache storage (appCache) [FF71+]
+   // [-] https://bugzilla.mozilla.org/1694662
+user_pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+]
 // ***/
 
 /* END: internal custom pref to test for syntax errors ***/