57 release

Controls the visibility of the "Options>Privacy & Security>Site Data" section.
I'd prefer to remove this completely because it only adds to the confusion about all the different storage types.
This is just an extension for localStorage (2705) with 3 methods: estimate(), persist() and persisted(). A site can ask for permission (?) to persist data which when granted basically just means that "Storage will not be cleared except by explicit user action" whereas otherwise when not persisted "Storage may be cleared by the UA under storage pressure." - I don't see a problem with that.
We'll keep 2706 inactive for now but might remove it in a future commit.

scratchpad-scripts/test.js

@@ -0,0 +1 @@
+// boo!

updater.bat

@@ -0,0 +1,107 @@
+@ECHO OFF
+TITLE ghacks user.js updater
+
+REM ### ghacks-user.js updater for Windows
+REM ## author: @claustromaniac
+REM ## version: 2.1
+
+SETLOCAL EnableDelayedExpansion
+SET "_ua="
+SET "_log="
+:parse
+IF "%~1"=="" GOTO endparse
+IF "%~1"=="-unattended" SET "_ua=true"
+IF "%~1"=="-log" SET "_log=true"
+SHIFT
+GOTO parse
+:endparse
+SET "_name="
+SET "_date="
+SET "_version="
+SET /A "_line=0"
+ECHO.
+IF EXIST user.js (
+	FOR /F "delims=" %%i IN (user.js) DO (
+		IF !_line! EQU 1 SET "_name=%%i"
+		IF !_line! EQU 2 SET "_date=%%i"
+		IF !_line! EQU 3 SET "_version=%%i"
+		SET /A "_line+=1"
+		IF !_line! GEQ 4 GOTO break
+	)
+	:break
+	IF !_line! GEQ 4 (
+		IF "ghacks"=="!_name:~8,6!" (
+			FOR /F "delims=:" %%G IN ("!_version!") DO SET "_version=%%G"
+			SET "_version=!_version:~2!"
+			SET "_date=!_date:~8!"
+			ECHO ghacks user.js !_version!, !_date!
+		) ELSE ( ECHO Current user.js version not recognised. )
+	) ELSE ( ECHO Current user.js version not recognised. )
+) ELSE ( ECHO user.js not detected in the current directory. )
+ECHO.
+IF NOT "%_ua%"=="true" (
+	ECHO This batch should be run from your Firefox profile directory. It will download the latest version of ghacks user.js from github and then append any of your own changes from user-overrides.js to it.
+	ECHO.
+	REM ECHO Visit the wiki for more detailed information.
+	REM ECHO.
+	CHOICE /M "Continue"
+	IF ERRORLEVEL 2 GOTO end
+)
+CLS
+ECHO.
+IF "%_log%"=="true" (
+	CALL :log >>user.js-update-log.txt 2>&1 
+	EXIT /B
+	:log
+	ECHO ##################################################################
+	ECHO.
+	ECHO %date%, %time%
+	ECHO.
+)
+IF EXIST user.js (
+	IF EXIST user.js.bak REN user.js.bak user.js.old.bak
+	REN user.js user.js.bak
+	ECHO Current user.js file backed up.
+	ECHO.
+)
+ECHO Retrieving latest user.js file from ghacks github repository...
+powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/user.js', 'user.js')" >nul
+ECHO.
+IF EXIST user.js (
+	IF EXIST "user-overrides.js" (
+		ECHO Appending user-overrides.js...
+		ECHO.
+		COPY /B /V /Y user.js+"user-overrides.js" "tempuserjs"
+		DEL /F user.js
+		REN tempuserjs user.js
+		ECHO.
+	)
+	ECHO Handling backups...
+	SET "changed="
+	IF EXIST user.js.bak ( FC user.js.bak user.js >nul && SET "changed=false" || SET "changed=true" )
+	ECHO.
+	ECHO.
+	IF "!changed!"=="true" (
+		IF EXIST user.js.old.bak DEL /F user.js.old.bak
+		ECHO Update complete.
+	) ELSE (
+		IF "!changed!"=="false" (
+			DEL /F user.js.bak
+			IF EXIST user.js.old.bak REN user.js.old.bak user.js.bak
+			ECHO Update completed without changes.
+		) ELSE ECHO Update complete.
+	)
+	ECHO.
+) ELSE (
+	IF EXIST user.js.bak REN user.js.bak user.js
+	IF EXIST user.js.old.bak REN user.js.old.bak user.js.bak
+	ECHO.
+	ECHO Update failed. Make sure PowerShell is allowed internet access.
+	ECHO.
+	ECHO No changes were made.
+	ECHO.
+)
+IF NOT "%_log%"=="true" (
+        IF NOT "%_ua%"=="true" PAUSE
+)
+:end

updater.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+### ghacks-user.js updater for Mac/Linux
+## author: @overdodactyl
+## version: 1.1
+
+ghacksjs="https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js"
+
+echo -e "\nThis script should be run from your Firefox profile directory.\n"
+
+currdir=$(pwd)
+
+## get the full path of this script (greadlink for Mac, readlink for Linux)
+scriptfullpath=$(greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null || readlink -f "${BASH_SOURCE[0]}")
+
+## change directory to the Firefox profile directory
+cd "$(dirname "${scriptfullpath}")"
+
+echo -e "Updating the user.js for Firefox profile:\n$(pwd)\n"
+
+if [ -e user.js ]; then
+  echo "Your current user.js file for this profile will be backed up and the latest ghacks version from github will take its place."
+  echo -e "\nIf currently using the ghacks user.js, please compare versions:"
+  echo "  Available online: $(curl -s ${ghacksjs} | sed -n '4p')"
+  echo "  Currently using:  $(sed -n '4p' user.js)"
+else
+  echo "A user.js file does not exist in this profile. If you continue, the latest ghacks version from github will be downloaded."
+fi
+
+echo -e "\nIf a user-overrides.js file exists in this profile, it will be appended to the user.js.\n"
+
+read -p "Continue Y/N? " -n 1 -r
+echo -e "\n\n"
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+  if [ -e user.js ]; then
+    # backup current user.js
+    bakfile="user.js.backup.$(date +"%Y-%m-%d_%H%M")"
+    mv user.js "${bakfile}" && echo "Your previous user.js file was backed up: ${bakfile}"
+  fi
+
+  # download latest ghacks user.js
+  echo "downloading latest ghacks user.js file"
+  curl -O ${ghacksjs} && echo "ghacks user.js has been downloaded"
+
+  if [ -e user-overrides.js ]; then
+    echo "user-overrides.js file found"
+    cat user-overrides.js >> user.js && echo "user-overrides.js has been appended to user.js"
+  fi
+else
+  echo "Process aborted"
+fi
+
+## change directory back to the original working directory
+cd "${currdir}"

user.js

@@ -1,8 +1,8 @@
 /******
 * name: ghacks user.js
-* date: 2 October 2017
-* version 56: You're So Pants
-*   "You're so pants, you probably think this song is about you. Don't you? Don't You?"
+* date: 20 November 2017
+* version 57: I Love Rock 'n' Pants
+*   "Singing, I love rock and pants. So put another dime in the jukebox, baby"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
 
@@ -19,7 +19,9 @@
   3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
      * Auto-installing updates for Firefox and extensions are disabled (section 0302's)
      * Some user data is erased on close (section 2800), namely history (browsing, form, download)
-     * Cookies (and thus logins) are denied by default (2701). Use site exceptions or an extension
+     * Cookies are denied by default (2701), we use site exceptions. This breaks extensions
+       that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
+       [1] https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.7-Setting-Extension-Permission-Exceptions
      * EACH RELEASE check:
          - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
                   or enable them as an alternative to RFP or for ESR users
@@ -77,14 +79,13 @@ user_pref("browser.shell.checkDefaultBrowser", false);
 
 /*** 0200: GEOLOCATION ***/
 user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
-/* 0201: disable location-aware search ***/
-user_pref("browser.search.geoip.url", "");
-user_pref("browser.search.geoip.timeout", 1);
 /* 0202: disable GeoIP-based search results
  * [NOTE] May not be hidden if Firefox has changed your settings due to your locale
- * [1] https://trac.torproject.org/projects/tor/ticket/16254 ***/
+ * [1] https://trac.torproject.org/projects/tor/ticket/16254
+ * [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/
 user_pref("browser.search.countryCode", "US"); // (hidden pref)
 user_pref("browser.search.region", "US"); // (hidden pref)
+user_pref("browser.search.geoip.url", "");
 /* 0203: disable using OS locale, force APP locale ***/
 user_pref("intl.locale.matchOS", false);
 /* 0204: set APP locale ***/
@@ -101,6 +102,10 @@ user_pref("javascript.use_us_english_locale", true); // (hidden pref)
 /* 0209: use APP locale over OS locale in regional preferences (FF56+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1379420 [also 1364789] ***/
 user_pref("intl.regional_prefs.use_os_locales", false);
+/* 0210: use Mozilla geolocation service instead of Google when geolocation is enabled
+ * Optionally enable logging to the console (defaults to false) ***/
+user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
+   // user_pref("geo.wifi.logging.enabled", true); // (hidden pref)
 
 /*** 0300: QUIET FOX
      We choose to not disable auto-CHECKs (0301's) but to disable auto-INSTALLs (0302's).
@@ -154,15 +159,20 @@ user_pref("extensions.webservice.discoverURL", "");
  * IF unified=false then .enabled controls the telemetry module
  * IF unified=true then .enabled ONLY controls whether to record extended data
  * so make sure to have both set as false
- * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html ***/
+ * [NOTE] FF58+ `toolkit.telemetry.enabled` is now LOCKED to reflect prerelease
+ * or release builds (true and false respectively), see [2]
+ * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
+ * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
 user_pref("toolkit.telemetry.unified", false);
-user_pref("toolkit.telemetry.enabled", false);
+user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
 user_pref("toolkit.telemetry.server", "");
 user_pref("toolkit.telemetry.archive.enabled", false);
 user_pref("toolkit.telemetry.cachedClientID", "");
 user_pref("toolkit.telemetry.newProfilePing.enabled", false); // (FF55+)
 user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // (FF55+)
 user_pref("toolkit.telemetry.updatePing.enabled", false); // (FF56+)
+user_pref("toolkit.telemetry.bhrPing.enabled", false); // (FF57+) Background Hang Reporter
+user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // (FF57+)
 /* 0333a: disable health report ***/
 user_pref("datareporting.healthreport.uploadEnabled", false);
 /* 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
@@ -189,15 +199,6 @@ user_pref("browser.newtabpage.introShown", true);
  * MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
  * [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/
 user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
-/* 0374: disable "social" integration
- * [1] https://developer.mozilla.org/docs/Mozilla/Projects/Social_API ***/
-user_pref("social.whitelist", "");
-user_pref("social.toast-notifications.enabled", false);
-user_pref("social.shareDirectory", "");
-user_pref("social.remote-install.enabled", false);
-user_pref("social.directories", "");
-user_pref("social.share.activationPanelEnabled", false);
-user_pref("social.enabled", false); // (hidden pref)
 
 /*** 0400: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION
      This section has security & tracking protection implications vs privacy concerns vs effectiveness
@@ -332,6 +333,9 @@ user_pref("network.allow-experiments", false);
 /* 0505: block URL used for system extension updates (FF44+)
  * [NOTE] You will not get any system extension updates except when you update Firefox ***/
    // user_pref("extensions.systemAddon.update.url", "");
+/* 0506: disable PingCentre telemetry (used in several system extensions) (FF57+)
+ * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0333) ***/
+user_pref("browser.ping-centre.telemetry", false);
 /* 0510: disable Pocket (FF39+)
  * Pocket is a third party (now owned by Mozilla) "save for later" cloud service
  * [1] https://en.wikipedia.org/wiki/Pocket_(application)
@@ -358,6 +362,7 @@ user_pref("extensions.shield-recipe-client.api_url", "");
  * [1] https://wiki.mozilla.org/Firefox/Activity_Stream
  * [2] https://www.ghacks.net/2016/02/15/firefox-mockups-show-activity-stream-new-tab-page-and-share-updates/ ***/
 user_pref("browser.newtabpage.activity-stream.enabled", false);
+user_pref("browser.library.activity-stream.enabled", false); // (FF57+)
 /* 0515: disable Screenshots (FF55+)
  * [1] https://github.com/mozilla-services/screenshots
  * [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/
@@ -496,6 +501,9 @@ user_pref("browser.urlbar.autoFill.typed", false);
 /* 0850e: disable location bar one-off searches (FF51+)
  * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
 user_pref("browser.urlbar.oneOffSearches", false);
+/* 0850f: disable location bar suggesting local search history (FF57+)
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1181644 ***/
+user_pref("browser.urlbar.maxHistoricalSearchSuggestions", 0); // max. number of search suggestions
 /* 0860: disable search and form history
  * [SETTING-56+] Options>Privacy & Security>History>Custom Settings>Remember search and form history
  * [SETTING-ESR] Options>Privacy>History>Custom Settings>Remember search and form history
@@ -982,7 +990,6 @@ user_pref("media.gmp-widevinecdm.autoupdate", false);
 /* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP] ***/
 user_pref("media.eme.enabled", false); // Options>Content>Play DRM Content
 user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox, restart required
-user_pref("media.eme.chromium-api.enabled", false); // (FF55+)
 /* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
  * This is the bundled codec used for video chat in WebRTC ***/
 user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
@@ -1081,9 +1088,8 @@ user_pref("dom.disable_beforeunload", true);
 /*** 2300: WEB WORKERS [SETUP]
      A worker is a JS "background task" running in a global context, i.e. it is different from
      the current window. Workers can spawn new workers (must be the same origin & scheme),
-     including service and shared workers. Shared workers can be utilized by multiple scripts
-     and communicate between browsing contexts (windows/tabs/iframes) and can even control your
-     cache. Push and web notifications require service workers, which in turn require workers.
+     including service and shared workers. Shared workers can be utilized by multiple scripts and
+     communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
 
      [WARNING] Disabling workers *will* break sites (e.g. Google Street View, Twitter).
      It is recommended that you use a separate profile for these sorts of sites.
@@ -1197,23 +1203,12 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m
  * [1] https://wiki.mozilla.org/Media/getUserMedia
  * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
 user_pref("media.navigator.enabled", false);
-/* 2506: disable video statistics - JS performance fingerprinting (FF25+)
- * [1] https://trac.torproject.org/projects/tor/ticket/15757
- * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=654550 ***/
-user_pref("media.video_stats.enabled", false);
 /* 2508: disable hardware acceleration to reduce graphics fingerprinting
  * [SETTING] Options>General>Performance>Custom>Use hardware acceleration when available
  * [WARNING] [SETUP] Affects text rendering (fonts will look different) and impacts video performance
  * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
    // user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
 user_pref("layers.acceleration.disabled", true);
-/* 2509: disable touch events
- * fingerprinting attack vector - leaks screen res & actual screen coordinates
- * 0=disabled, 1=enabled, 2=autodetect
- * [WARNING] [SETUP] Optional protection depending on your device
- * [1] https://developer.mozilla.org/docs/Web/API/Touch_events
- * [2] https://trac.torproject.org/projects/tor/ticket/10286 ***/
-   // user_pref("dom.w3c_touch_events.enabled", 0);
 /* 2510: disable Web Audio API (FF51+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 ***/
 user_pref("dom.webaudio.enabled", false);
@@ -1259,16 +1254,14 @@ user_pref("network.jar.open-unsafe-types", false);
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=232227
  * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1330876 ***/
 user_pref("ui.use_standins_for_native_colors", true); // (hidden pref)
+/* 2610: remove special permissions for certain mozilla domains (FF35+)
+ * [1] resource://app/defaults/permissions ***/
+user_pref("permissions.manager.defaultsUrl", "");
 /* 2611: disable WebIDE to prevent remote debugging and extension downloads
  * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
 user_pref("devtools.webide.autoinstallADBHelper", false);
-user_pref("devtools.webide.autoinstallFxdtAdapters", false);
 user_pref("devtools.debugger.remote-enabled", false);
 user_pref("devtools.webide.enabled", false);
-/* 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - e.g. Roku
- * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
-user_pref("browser.casting.enabled", false);
-user_pref("gfx.layerscope.enabled", false);
 /* 2614: disable HTTP2 (which was based on SPDY which is now deprecated)
  * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance
  * privacy, and in fact opens up a number of server-side fingerprinting opportunities
@@ -1343,6 +1336,10 @@ user_pref("browser.uitour.url", "");
 /* 2629: disable remote JAR files being opened, regardless of content type (FF42+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1173171 ***/
 user_pref("network.jar.block-remote-files", true);
+/* 2630: prevent accessibility services from accessing your browser
+ * [SETTING] Options>Privacy & Security>Permissions>Prevent accessibility services from accessing your browser
+ * [1] https://support.mozilla.org/kb/accessibility-services ***/
+user_pref("accessibility.force_disabled", 1);
 /* 2662: disable "open with" in download dialog (FF50+)
  * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
  * in such a way that it is forbidden to run external applications.
@@ -1437,11 +1434,12 @@ user_pref("network.cookie.thirdparty.sessionOnly", true);
  * The API gives sites the ability to find out how much space they can use, how much
  * they are already using, and even control whether or not they need to be alerted
  * before the user agent disposes of site data in order to make room for other things.
+ * [NOTE] This also controls the visibility of the "Options>Privacy & Security>Site Data" section
  * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
  * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
  * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
-user_pref("dom.storageManager.enabled", false); // (FF51+)
-user_pref("browser.storageManager.enabled", false); // (FF53+)
+   // user_pref("dom.storageManager.enabled", false); // (FF51+)
+   // user_pref("browser.storageManager.enabled", false); // (FF53+)
 /* 2707: clear localStorage and UUID when an extension is uninstalled
  * [NOTE] Both preferences must be the same
  * [1] https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local
@@ -1560,13 +1558,15 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
  ** 1372072 - spoof network information API as "unknown" (see 4607) (FF56+)
  ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
  ** 1372069 & 1403813 - block geolocation requests (same as if you deny a site permission) (see 4609) (FF56+)
- ** 1369309 - spoof media statistics (see 2506) (FF57+)
- ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 2509) (FF57+)
+ ** 1369309 - spoof media statistics (see 4610) (FF57+)
+ ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
  ** 1217290 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
  ** 1382545 - reduce fingerprinting in Animation API (FF57+)
  ** 1354633 - limit MediaError.message to a whitelist (FF57+)
  ** 1382533 - enable fingerprinting resistance for Presentation API (see 2513) (FF57+)
       This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
+ **  967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
+ ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting (FF41+)
@@ -1592,7 +1592,7 @@ user_pref("privacy.resistFingerprinting", true); // (hidden pref) (not hidden FF
 user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
 /* [NOTE] ESR52.x and non-RFP users replace the * with a slash on this line to enable these
 // FF55+
-// 4601: spoof (or limit?) number of CPU cores (FF48+)
+// 4601: [2514] spoof (or limit?) number of CPU cores (FF48+)
    // [WARNING] *may* affect core chrome/Firefox performance, will affect content.
    // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1008453
    // [2] https://trac.torproject.org/projects/tor/ticket/21675
@@ -1601,45 +1601,54 @@ user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan
    // user_pref("dom.maxHardwareConcurrency", 2);
 // * * * /
 // FF56+
-// 4602: disable resource/navigation timing
+// 4602: [2411] disable resource/navigation timing
 user_pref("dom.enable_resource_timing", false);
-// 4603: disable timing attacks
+// 4603: [2412] disable timing attacks
    // [1] https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
 user_pref("dom.enable_performance", false);
-// 4604: disable device sensor API
+// 4604: [2512] disable device sensor API
    // [WARNING] [SETUP] Optional protection depending on your device
    // [1] https://trac.torproject.org/projects/tor/ticket/15758
    // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
    // [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1357733
    // [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1292751
    // user_pref("device.sensors.enabled", false);
-// 4605: disable site specific zoom
+// 4605: [2515] disable site specific zoom
    // Zoom levels affect screen res and are highly fingerprintable. This does not stop you using
    // zoom, it will just not use/remember any site specific settings. Zoom levels on new tabs
    // and new windows are reset to default and only the current tab retains the current zoom
 user_pref("browser.zoom.siteSpecific", false);
-// 4606: disable gamepad API - USB device ID enumeration
+// 4606: [2501] disable gamepad API - USB device ID enumeration
    // [WARNING] [SETUP] Optional protection depending on your connected devices
    // [1] https://trac.torproject.org/projects/tor/ticket/13023
    // user_pref("dom.gamepad.enabled", false);
-// 4607: disable giving away network info (FF31+)
+// 4607: [2503] disable giving away network info (FF31+)
    // e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
    // [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API
    // [2] https://wicg.github.io/netinfo/
    // [3] https://bugzilla.mozilla.org/show_bug.cgi?id=960426
 user_pref("dom.netinfo.enabled", false);
-// 4608: disable speech recognition
-   // [1] https://developer.mozilla.org/docs/Web/API/SpeechRecognition
+// 4608: [2021] disable the SpeechSynthesis (Text-to-Speech) part of the Web Speech API
+   // [1] https://developer.mozilla.org/docs/Web/API/Web_Speech_API
    // [2] https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
    // [3] https://wiki.mozilla.org/HTML5_Speech_API
-user_pref("media.webspeech.recognition.enable", false);
 user_pref("media.webspeech.synth.enabled", false);
-// 4609: disable location-aware browsing
-   // [NOTE] Use Mozilla's API key if required
+// 4609: [0201] disable Location-Aware Browsing
+   // [1] https://www.mozilla.org/firefox/geolocation/
 user_pref("geo.enabled", false);
-user_pref("geo.wifi.uri", ""); // "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"
-user_pref("geo.wifi.xhr.timeout", 1); // reset this if you use geolocation
-user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
+// * * * /
+// FF57+
+// 4610: [2506] disable video statistics - JS performance fingerprinting (FF25+)
+   // [1] https://trac.torproject.org/projects/tor/ticket/15757
+   // [2] https://bugzilla.mozilla.org/show_bug.cgi?id=654550
+user_pref("media.video_stats.enabled", false);
+// 4611: [2509] disable touch events
+   // fingerprinting attack vector - leaks screen res & actual screen coordinates
+   // 0=disabled, 1=enabled, 2=autodetect
+   // [WARNING] [SETUP] Optional protection depending on your device
+   // [1] https://developer.mozilla.org/docs/Web/API/Touch_events
+   // [2] https://trac.torproject.org/projects/tor/ticket/10286
+   // user_pref("dom.w3c_touch_events.enabled", 0);
 // * * * /
 // ***/
 
@@ -1655,7 +1664,7 @@ user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
           by default. It works for TBB because for TBB, the spoofed values ARE their default.
      * We do not recommend UA spoofing yourself, leave it to privacy.resistFingerprinting (see 4500)
        which is already plugging leaks (see 2 above) the prefs below do not address
-     * Values below are for example only based on the current ESR/TBB at the time of writing
+     * Values below are for example only based on the current TBB at the time of writing
 ***/
 user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
 /* 4701: navigator.userAgent leaks in JS
@@ -1670,7 +1679,7 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow
 /* 4704: navigator.appVersion ***/
    // user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)
 /* 4705: navigator.platform leaks in JS ***/
-   // user_pref("general.platform.override", "Win64"); // (hidden pref)
+   // user_pref("general.platform.override", "Win32"); // (hidden pref)
 /* 4706: navigator.oscpu leaks in JS ***/
    // user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
 /* 4707: general.useragent.locale (related, see 0204) ***/
@@ -1692,7 +1701,7 @@ user_pref("browser.tabs.warnOnOpen", false);
 user_pref("browser.tabs.closeWindowWithLastTab", false);
 /* 5004: disable backspace (0=previous page, 1=scroll up, 2=do nothing) ***/
 user_pref("browser.backspace_action", 2);
-/* 5005: disable autocopy default (linux) ***/
+/* 5005: disable autocopy default [LINUX] ***/
    // user_pref("clipboard.autocopy", false);
 /* 5006: disable enforced extension signing (FF43+)
  * [NOTE] Only applicable to Nightly and ESR (FF48+)
@@ -1702,6 +1711,9 @@ user_pref("browser.backspace_action", 2);
  * 1=current window, 2=new window, 3=most recent window
  * [SETTING] Options>General>Tabs>Open new windows in a new tab instead ***/
 user_pref("browser.link.open_newwindow", 3);
+/* 5008: open bookmarks in a new tab (FF57+)
+ * [NOTE] You can also use middle-click, cmd/ctl-click, and use the context menu ***/
+   // user_pref("browser.tabs.loadBookmarksInTabs", true);
 /* 5010: enable ctrl-tab previews ***/
 user_pref("browser.ctrlTab.previews", true);
 /* 5011: don't open "page/selection source" in a tab. The window used instead is cleaner
@@ -1713,6 +1725,10 @@ user_pref("layout.spellcheckDefault", 1);
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=620472
  * [2] https://developer.mozilla.org/docs/Online_and_offline_events ***/
 user_pref("network.manage-offline-status", false);
+/* 5014: control download button visibility (FF57+)
+ * true = the button is automatically shown/hidden based on whether the session has downloads or not
+ * false = the button is always visible ***/
+   // user_pref("browser.download.autohideButton", false);
 /* 5015: disable animations (FF55+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1352069 ***/
    // user_pref("toolkit.cosmeticAnimations.enabled", false);
@@ -1741,8 +1757,6 @@ user_pref("browser.tabs.loadInBackground", true);
  * true: load the new tab in the background, leaving focus on the current tab
  * false: load the new tab in the foreground, taking the focus from the current tab. ***/
 user_pref("browser.tabs.loadDivertedInBackground", false);
-/* 5022: hide recently bookmarked items (you still have the original bookmarks) (FF49+) ***/
-user_pref("browser.bookmarks.showRecentlyBookmarked", false);
 /* 5023: enable "Find As You Type"
  * [1] http://kb.mozillazine.org/Accessibility.typeaheadfind ***/
    // user_pref("accessibility.typeaheadfind", true);
@@ -1762,6 +1776,7 @@ user_pref("browser.bookmarks.showRecentlyBookmarked", false);
    // user_pref("media.wave.enabled", false);
    // user_pref("media.webm.enabled", false);
    // user_pref("media.wmf.enabled", false); // https://www.youtube.com/html5 - for the two H.264 entries
+   // user_pref("media.wmf.amd.vp9.enabled", true); // (FF57+)
    // user_pref("media.wmf.vp9.enabled", false);
 /* 5026: disable "Reader View" ***/
    // user_pref("reader.parse-on-load.enabled", false);
@@ -2067,6 +2082,33 @@ user_pref("browser.fullscreen.animate", false);
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1385201
 user_pref("extensions.formautofill.experimental", false);
 // * * * /
+// FF57
+// 0374: disable "social" integration
+   // [1] https://developer.mozilla.org/docs/Mozilla/Projects/Social_API
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1388902
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1406193 (leftover prefs removed in FF58)
+user_pref("social.whitelist", "");
+user_pref("social.toast-notifications.enabled", false);
+user_pref("social.shareDirectory", "");
+user_pref("social.remote-install.enabled", false);
+user_pref("social.directories", "");
+user_pref("social.share.activationPanelEnabled", false);
+user_pref("social.enabled", false); // (hidden pref)
+// 1830: disable DRM's EME WideVineAdapter
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1395468
+user_pref("media.eme.chromium-api.enabled", false); // (FF55+)
+// 2611: disable WebIDE extension downloads (Valence)
+   // [1] https://trac.torproject.org/projects/tor/ticket/16222
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1393497
+user_pref("devtools.webide.autoinstallFxdtAdapters", false);
+// 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - e.g. Roku
+   // [1] https://trac.torproject.org/projects/tor/ticket/16222
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1393582
+user_pref("browser.casting.enabled", false);
+// 5022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1401238
+user_pref("browser.bookmarks.showRecentlyBookmarked", false);
+// * * * /
 // ***/
 
 /* END: internal custom pref to test for syntax errors ***/