readme: extension cookie exceptions

Only `geo.enabled` is covered by RFP, keep the other prefs under 0200 and do some cleanup

- 0202: the /en-US/ in link [2] is necessary for the anchor to work!
- `browser.search.geoip.timeout;1` is unnecessary when `browser.search.geoip.url` is empty string:
https://dxr.mozilla.org/mozilla-central/source/toolkit/components/search/nsSearchService.js#576

user.js

@@ -19,7 +19,9 @@
   3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
      * Auto-installing updates for Firefox and extensions are disabled (section 0302's)
      * Some user data is erased on close (section 2800), namely history (browsing, form, download)
-     * Cookies (and thus logins) are denied by default (2701). Use site exceptions or an extension
+     * Cookies are denied by default (2701), we use site exceptions. This breaks extensions
+       that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
+       [1] https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.7-Setting-Extension-Permission-Exceptions
      * EACH RELEASE check:
          - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
                   or enable them as an alternative to RFP or for ESR users
@@ -77,14 +79,13 @@ user_pref("browser.shell.checkDefaultBrowser", false);
 
 /*** 0200: GEOLOCATION ***/
 user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
-/* 0201: disable location-aware search ***/
-user_pref("browser.search.geoip.url", "");
-user_pref("browser.search.geoip.timeout", 1);
 /* 0202: disable GeoIP-based search results
  * [NOTE] May not be hidden if Firefox has changed your settings due to your locale
- * [1] https://trac.torproject.org/projects/tor/ticket/16254 ***/
+ * [1] https://trac.torproject.org/projects/tor/ticket/16254
+ * [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/
 user_pref("browser.search.countryCode", "US"); // (hidden pref)
 user_pref("browser.search.region", "US"); // (hidden pref)
+user_pref("browser.search.geoip.url", "");
 /* 0203: disable using OS locale, force APP locale ***/
 user_pref("intl.locale.matchOS", false);
 /* 0204: set APP locale ***/
@@ -101,6 +102,10 @@ user_pref("javascript.use_us_english_locale", true); // (hidden pref)
 /* 0209: use APP locale over OS locale in regional preferences (FF56+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1379420 [also 1364789] ***/
 user_pref("intl.regional_prefs.use_os_locales", false);
+/* 0210: use Mozilla geolocation service instead of Google when geolocation is enabled
+ * Optionally enable logging to the console (defaults to false) ***/
+user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
+   // user_pref("geo.wifi.logging.enabled", true); // (hidden pref)
 
 /*** 0300: QUIET FOX
      We choose to not disable auto-CHECKs (0301's) but to disable auto-INSTALLs (0302's).
@@ -1567,6 +1572,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
  ** 1354633 - limit MediaError.message to a whitelist (FF57+)
  ** 1382533 - enable fingerprinting resistance for Presentation API (see 2513) (FF57+)
       This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
+ **  967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting (FF41+)
@@ -1592,7 +1598,7 @@ user_pref("privacy.resistFingerprinting", true); // (hidden pref) (not hidden FF
 user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
 /* [NOTE] ESR52.x and non-RFP users replace the * with a slash on this line to enable these
 // FF55+
-// 4601: spoof (or limit?) number of CPU cores (FF48+)
+// 4601: [2514] spoof (or limit?) number of CPU cores (FF48+)
    // [WARNING] *may* affect core chrome/Firefox performance, will affect content.
    // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1008453
    // [2] https://trac.torproject.org/projects/tor/ticket/21675
@@ -1601,45 +1607,41 @@ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan
    // user_pref("dom.maxHardwareConcurrency", 2);
 // * * * /
 // FF56+
-// 4602: disable resource/navigation timing
+// 4602: [2411] disable resource/navigation timing
 user_pref("dom.enable_resource_timing", false);
-// 4603: disable timing attacks
+// 4603: [2412] disable timing attacks
    // [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
 user_pref("dom.enable_performance", false);
-// 4604: disable device sensor API
+// 4604: [2512] disable device sensor API
    // [WARNING] [SETUP] Optional protection depending on your device
    // [1] https://trac.torproject.org/projects/tor/ticket/15758
    // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
    // [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1357733
    // [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1292751
    // user_pref("device.sensors.enabled", false);
-// 4605: disable site specific zoom
+// 4605: [2515] disable site specific zoom
    // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
    // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
    // and new windows are reset to default and only the current tab retains the current zoom
 user_pref("browser.zoom.siteSpecific", false);
-// 4606: disable gamepad API - USB device ID enumeration
+// 4606: [2501] disable gamepad API - USB device ID enumeration
    // [WARNING] [SETUP] Optional protection depending on your connected devices
    // [1] https://trac.torproject.org/projects/tor/ticket/13023
    // user_pref("dom.gamepad.enabled", false);
-// 4607: disable giving away network info (FF31+)
+// 4607: [2503] disable giving away network info (FF31+)
    // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
    // [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API
    // [2] https://wicg.github.io/netinfo/
    // [3] https://bugzilla.mozilla.org/show_bug.cgi?id=960426
 user_pref("dom.netinfo.enabled", false);
-// 4608: disable speech recognition
-   // [1] https://developer.mozilla.org/docs/Web/API/SpeechRecognition
+// 4608: [2012] disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
+   // [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API
    // [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
    // [3] https://wiki.mozilla.org/HTML5_Speech_API
-user_pref("media.webspeech.recognition.enable", false);
 user_pref("media.webspeech.synth.enabled", false);
-// 4609: disable location-aware browsing
-   // [NOTE] Use Mozilla's API key if required
+// 4609: [0201] disable Location-Aware Browsing
+   // [1] https://www.mozilla.org/firefox/geolocation/
 user_pref("geo.enabled", false);
-user_pref("geo.wifi.uri", ""); // "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"
-user_pref("geo.wifi.xhr.timeout", 1); // reset this if you use geolocation
-user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
 // * * * /
 // ***/
 
@@ -1655,7 +1657,7 @@ user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
           by default. It works for TBB because for TBB, the spoofed values ARE their default.
      * We do not recommend UA spoofing yourself, leave it to privacy.resistFingerprinting (see 4500)
        which is already plugging leaks (see 2 above) the prefs below do not address
-     * Values below are for example only based on the current ESR/TBB at the time of writing
+     * Values below are for example only based on the current TBB at the time of writing
 ***/
 user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
 /* 4701: navigator.userAgent leaks in JS
@@ -1670,7 +1672,7 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow
 /* 4704: navigator.appVersion ***/
    // user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)
 /* 4705: navigator.platform leaks in JS ***/
-   // user_pref("general.platform.override", "Win64"); // (hidden pref)
+   // user_pref("general.platform.override", "Win32"); // (hidden pref)
 /* 4706: navigator.oscpu leaks in JS ***/
    // user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
 /* 4707: general.useragent.locale (related, see 0204) ***/
@@ -1692,7 +1694,7 @@ user_pref("browser.tabs.warnOnOpen", false);
 user_pref("browser.tabs.closeWindowWithLastTab", false);
 /* 5004: disable backspace (0=previous page, 1=scroll up, 2=do nothing) ***/
 user_pref("browser.backspace_action", 2);
-/* 5005: disable autocopy default (linux) ***/
+/* 5005: disable autocopy default [LINUX] ***/
    // user_pref("clipboard.autocopy", false);
 /* 5006: disable enforced extension signing (FF43+)
  * [NOTE] Only applicable to Nightly and ESR (FF48+)