Bumps to v78-beta6

> Closes #13

.eslintrc.yml

@@ -0,0 +1,45 @@
+%YAML 1.2
+---
+
+root: true
+
+extends: 'eslint:recommended'
+
+globals:
+  # From <https://searchfox.org/mozilla-central/rev/c938c7416c633639a5c8ce4412be586eefb48005/modules/libpref/parser/src/lib.rs#296>
+  pref: true
+  user_pref: true
+  sticky: true
+  locked: true
+  sticky_pref: true
+
+rules:
+  # Expect a semicolon after each statement.
+  semi:
+    - "error"
+    - "always"
+    -
+      omitLastInOneLineBlock: false
+
+  # As internal code style, don't allow tabulation.
+  no-tabs: "error"
+  # ... nor trailing spaces !
+  no-trailing-spaces: "error"
+
+  # Expect only double-quoted strings.
+  quotes:
+    - "error"
+    - "double"
+
+  # Don't allow whitespace before semicolons.
+  semi-spacing:
+    - "error"
+    -
+      before: false
+
+  # Don't allow irregular whitespace characters in our sheet.
+  no-irregular-whitespace:
+    - "error"
+    -
+      skipStrings: false
+      skipComments: false

.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve Thunderbird User.JS
+title: "[BUG] "
+labels: 'bug'
+assignees: ''
+
+---
+
+**Describe the bug**
+<!-- A clear and concise description of what the bug is. -->
+
+
+**Expected behavior**
+<!-- A clear and concise description of what you expected to happen. -->
+
+
+**Screenshots**
+<!-- If applicable (i.e. graphical glitch), add screenshots to help explain your problem. -->
+
+
+**Environment**
+<!-- Please complete the following information: -->
+- Thunderbird version used (X.Y.Z) : 
+- `thunderbird user.js` template version used (X.Y or commit SHA) : 
+- Operating system and version : 
+- \[IF RELEVANT\] Graphical environment name and version : 
+
+
+**Additional context**
+<!-- If applicable, add any other context about the problem here. -->
+
+
+**Checklist**
+<!--- Put an `X` in all the boxes that apply : -->
+- [ ] I can confirm the bug is due to `thunderbird user.js` **template** and not an overridden preference nor an add-on ;
+- [ ] I have searched for `[SETUP-*]` tags and read them up ;
+- [ ] I have searched the GitHub project (issues and Wiki) for my issue.

.github/ISSUE_TEMPLATE/change_request.md

@@ -0,0 +1,30 @@
+---
+name: Change request
+about: Suggest a change for Thunderbird User.JS
+title: "[RFC] "
+labels: 'enhancement'
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+
+**List the concerned preferences**
+<!-- A clear and concise list of the preferences you want to add/remove/change. -->
+
+
+**Describe alternatives you've considered**
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+
+**Additional context**
+<!-- Add any other context (Thunderbird version, OS, etc.) or screenshots about the feature request here. -->
+
+
+**Checklist**
+<!--- Put an `X` in all the boxes that apply : -->
+- [ ] I know `thunderbird user.js` is a **template** and personal preferences should be stored elsewhere ;
+- [ ] The change I want to propose should globally improve the `usability / ( privacy + security + anti-fingerprinting )` ratio ;
+- [ ] I agree that subsequent modifications to my change scope may occur in the future.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,28 @@
+<!--- Provide a general summary of your changes in the title above -->
+
+
+## Description
+<!--- Describe your changes in detail -->
+
+
+## Reason and / or context
+<!--- Why is this change required ? What problem does it solve ? -->
+<!--- If it fixes an open issue, please link to the issue here -->
+
+
+## How has this been tested ?
+<!--- Include details of your testing environment here -->
+
+
+## Types of changes :
+<!--- What types of changes does your code introduce ? Put an `X` in all the boxes that apply : -->
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] Typo / style fix (non-breaking change which improves readability)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to change)
+
+## Checklist :
+<!--- Put an `X` in all the boxes that apply : -->
+- [ ] My changes looks good ;
+- [ ] I agree that my code may be modified in the future ;
+- [ ] My code follows the code style of this project (see `.eslintrc.yml`).

.github/workflows/linting.yml

@@ -0,0 +1,17 @@
+---
+name: Linting
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    name: Run ESLint on user.js
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-node@v1
+
+      - run: npm install -g eslint
+      - run: eslint user.js

.travis.yml

@@ -1,8 +0,0 @@
-language: node_js
-node_js:
-  - 'node'
-
-before_script:
-  - npm install -g acorn
-script:
-  - acorn --silent user.js

LICENSE

@@ -2,7 +2,7 @@ MIT License
 
 Copyright (c) 2019-2020 HorlogeSkynet
 Copyright (c) 2019      dngray
-Copyright (c) 2019      ghacksuserjs
+Copyright (c) 2019      arkenfox [prev. ghacksuserjs]
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -14,9 +14,10 @@ For a more technical breakdown and explanation, you can read more on the [overvi
 The `thunderbird user.js` is a **template** which aims to provide as much privacy and enhanced security as possible.  
 It differs from the `arkenfox user.js` in that the focus is to keep Thunderbird as an **email client** and disable as many web browsing features as possible. We believe web browsing should be done in a web browser, and not an email client.
 
-- If you're using Thunderbird with Tor we suggest that you install the [TorBirdy](https://addons.thunderbird.net/addon/torbirdy) add-on. If you are using Tor, you should also consider using [Tails](https://tails.boum.org/) or [Whonix](https://www.whonix.org/).
-- If you're a **Gmail** user see [this article about OAuth2](https://github.com/HorlogeSkynet/thunderbird-user.js/wiki/3.1-OAuth2-Users).
-- For information about [extensions](https://github.com/HorlogeSkynet/thunderbird-user.js/wiki/4.1-Extensions), see the Wiki. **Calendar** users should [see this page](https://github.com/HorlogeSkynet/thunderbird-user.js/wiki/4.1.1-Calendar).
+- If you're using Thunderbird (< 68) with Tor we suggest that you install the [TorBirdy](https://addons.thunderbird.net/addon/torbirdy) add-on. If you are using Tor, you should also consider using [Tails](https://tails.boum.org/) or [Whonix](https://www.whonix.org/).
+- If you're using **Gmail**, please check [this article about OAuth2](https://github.com/HorlogeSkynet/thunderbird-user.js/wiki/3.1-OAuth2-Users).
+- For information about [extensions](https://github.com/HorlogeSkynet/thunderbird-user.js/wiki/4.1-Extensions), see the Wiki.
+- **Calendar** users should [see this page](https://github.com/HorlogeSkynet/thunderbird-user.js/wiki/4.1.1-Calendar).
 
 Also be aware that this `user.js` is made specifically for Thunderbird and has only been tested in the latest stable release.
 
@@ -28,11 +29,13 @@ Also be aware that this `user.js` is made specifically for Thunderbird and has o
 
 ### :red_square: Acknowledgments
 
-* [tya99](https://github.com/tya99) most of the ground work and initial port from the Firefox version of [arkenfox user.js](https://github.com/arkenfox/user.js)
-* [dngray](https://github.com/dngray) continual maintenance and Wiki
-* [HorlogeSkynet](https://github.com/HorlogeSkynet) continual maintenance
+* @tya99 most of the ground work and initial port from the Firefox version of [arkenfox user.js](https://github.com/arkenfox/user.js)
+* [@dngray](https://github.com/dngray) continual maintenance and Wiki
+* [@HorlogeSkynet](https://github.com/HorlogeSkynet) continual maintenance
 
 ### :blue_square: Related Projects
 
-* [CHEF-KOCH/TBCK](https://github.com/CHEF-KOCH/TBCK)
 * [Privacy Handbuch](https://www.privacy-handbuch.de/handbuch_31p.htm)
+* [Privacy Haters](http://r-36.net/scm/privacy-haters/file/README.md.html)
+* [12bytes.org's user-overrides.js](https://codeberg.org/12bytes.org/thunderbird-user.js-supplement)
+* ~~CHEF-KOCH/TBCK~~

user.js

@@ -1,15 +1,13 @@
 /******
 * name: thunderbird user.js
-* date: 1 November 2020
-* version: v78-beta1
-* authors: v52+ github | v51- www.ghacks.net
+* date: 23 November 2020
+* version: v78-beta6
 * url: https://github.com/HorlogeSkynet/thunderbird-user.js
 * license: MIT (https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/LICENSE)
 * releases: https://github.com/HorlogeSkynet/thunderbird-user.js/releases
 
 * README:
-  0. Consider using Tor, use TorBirdy as well.
-    * https://addons.thunderbird.net/addon/torbirdy
+  0. Consider using Tor
   1. READ the full README
     * https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/README.md
   2. READ this
@@ -30,7 +28,7 @@
          [SETUP-HARDEN] maybe you should consider using the Tor Browser
     * [WARNING] tags are extra special and used sparingly, so heed them
   4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
-  5. KEEP UP TO DATE: https://github.com/HorlogeSkynet/thunderbird-user.js/wiki#small_orange_diamond-maintenance
+  5. KEEP UP TO DATE: https://github.com/arkenfox/user.js/wiki#small_orange_diamond-maintenance
 
 * INDEX:
   0100: STARTUP
@@ -83,7 +81,7 @@ user_pref("browser.aboutConfig.showWarning", false); // HTML version [FF71+]
 user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 /* 0101: disable default browser check
  * [SETTING] Edit>Preferences>Advanced>Always check to see if Thunderbird is the default mail client on startup ***/
-user_pref("mail.shell.checkDefaultMail", false);
+user_pref("mail.shell.checkDefaultClient", false);
 /* 0102: set START page
  * [SETTING] Edit>Preferences>General>Thunderbird Start Page ***/
 user_pref("mailnews.start_page.enabled", false);
@@ -188,27 +186,44 @@ user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
 user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
 user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
 /* 0340: disable Health Reports
- * [SETTING] Privacy & Security>Thunderbird Data Collection & Use>Allow Firefox to send technical... data ***/
+ * [SETTING] Privacy & Security>Thunderbird Data Collection & Use>Allow Thunderbird to send technical... data ***/
 user_pref("datareporting.healthreport.uploadEnabled", false);
 /* 0341: disable new data submission, master kill switch [FF41+]
  * If disabled, no policy is shown or upload takes place, ever
  * [1] https://bugzilla.mozilla.org/1195552 ***/
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
 /* 0342: disable Studies (see 0503)
- * [SETTING] Privacy & Security>Thunderbird Data Collection & Use>Allow Firefox to install and run studies ***/
+ * [NOTE] This option is missing from Thunderbird's preferences panel (hidden?) ***/
 user_pref("app.shield.optoutstudies.enabled", false);
 /* 0350: disable Crash Reports ***/
 user_pref("breakpad.reportURL", "");
 user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
 user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
 /* 0351: disable backlogged Crash Reports
- * [SETTING] Privacy & Security>Thunderbird Data Collection & Use>Allow Firefox to send backlogged crash reports  ***/
+ * [SETTING] Privacy & Security>Thunderbird Data Collection & Use>Allow Thunderbird to send backlogged crash reports  ***/
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
+/* 0370: disable UI instrumentation ***/
+user_pref("mail.instrumentation.postUrl", "");
+user_pref("mail.instrumentation.askUser", false);
+user_pref("mail.instrumentation.userOptedIn", false);
+/* 0371: disable about:rights notification on fresh profiles
+ * When a profile is loaded for the first time, a bottom notification appears with a button
+ * showing "Know your rights...". If clicked, the _special_ page about:rights appears.
+ * When `mail.rights.override` is unset (default), Thunderbird falls-back on `mail.rights.version`
+ * value. If it's unset (default too) or lower than the current version, notification is displayed.
+ * false=always show the notification
+ * true=never show the notification
+ * [1] https://searchfox.org/comm-esr78/rev/384830b0570096c48770398060f87fbe556f6f01/mail/base/content/specialTabs.js#1218 ***/
+user_pref("mail.rights.override", true);  // [DEFAULT: unset]
+   // user_pref("mail.rights.version", 1)  // [DEFAULT: unset]
 /* 0390: disable Captive Portal detection
  * [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
  * [2] https://wiki.mozilla.org/Necko/CaptivePortal ***/
 user_pref("captivedetect.canonicalURL", "");
 user_pref("network.captive-portal-service.enabled", false); // [FF52+]
+/* 0391: disable Network Connectivity checks [FF65+]
+ * [1] https://bugzilla.mozilla.org/1460537 ***/
+user_pref("network.connectivity-service.enabled", false);
 
 /*** [SECTION 0400]: BLOCKLISTS / SAFE BROWSING (SB) ***/
 user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
@@ -269,7 +284,7 @@ user_pref("browser.safebrowsing.downloads.remote.url", "");
      * Linux: "/usr/lib/firefox/browser/features" (or similar)
 
      [1] https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
-     [2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions
+     [2] https://searchfox.org/mozilla-central/source/browser/extensions
 ***/
 user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");
 /* 0503: disable Normandy/Shield [FF60+]
@@ -319,6 +334,9 @@ user_pref("network.http.speculative-parallel-limit", 0);
  * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
 user_pref("browser.send_pings", false); // [DEFAULT: false]
 user_pref("browser.send_pings.require_same_host", true);
+/* 0610: don't refresh nor reload pages when tab/window is not active or in idle state
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=518805 ***/
+user_pref("browser.meta_refresh_when_inactive.disabled", true);
 
 /*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
 user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
@@ -333,6 +351,7 @@ user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost
  * [1] https://github.com/arkenfox/user.js/issues/437#issuecomment-403740626
  * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
 user_pref("network.dns.disableIPv6", true);
+user_pref("network.notify.IPv6", false);
 /* 0702: disable HTTP2
  * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
  * enhance privacy, and opens up a number of server-side fingerprinting opportunities.
@@ -884,12 +903,12 @@ user_pref("javascript.options.baselinejit", false);
  * [NOTE] In FF71+ this no longer affects extensions (1576254)
  * [1] https://developer.mozilla.org/docs/WebAssembly ***/
 user_pref("javascript.options.wasm", false);
-/* 2426: disable Intersection Observer API [FF55+]
- * [NOTE] Unlike arkenfox/user.js, we explicitly disable it
+/* 2426: disable Intersection Observer API [FF55+] [RESTART]
+ * [NOTE] Disabling it may break the error console (CTRL+SHIFT+J)
  * [1] https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
  * [2] https://w3c.github.io/IntersectionObserver/
  * [3] https://bugzilla.mozilla.org/1243846 ***/
-user_pref("dom.IntersectionObserver.enabled", false);
+   // user_pref("dom.IntersectionObserver.enabled", false);
 /* 2429: enable (limited but sufficient) window.opener protection [FF65+]
  * Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
 user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF78+]
@@ -942,6 +961,10 @@ user_pref("permissions.default.xr", 2);
 
 /*** [SECTION 2600]: MISCELLANEOUS ***/
 user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
+/* 2601: prevent accessibility services from accessing your browser [RESTART] [SETUP-FEATURE]
+ * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
+ * [1] https://support.mozilla.org/kb/accessibility-services ***/
+user_pref("accessibility.force_disabled", 1);
 /* 2602: disable sending additional analytics to web servers
  * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
 user_pref("beacon.enabled", false);
@@ -953,9 +976,10 @@ user_pref("devtools.chrome.enabled", false);
  * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
 user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
 /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
+ * [NOTE] Unlike arkenfox/user.js, we explicitly disable it
  * [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
  * [1] https://bugzilla.mozilla.org/1173199 ***/
-   // user_pref("mathml.disabled", true);
+user_pref("mathml.disabled", true);
 /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
  * [NOTE] In FF70+ and ESR68.1.0+ this no longer affects extensions (1564208)
  * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
@@ -967,7 +991,7 @@ user_pref("middlemouse.contentLoadURL", false);
 /* 2614: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
  * [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
  * To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
-user_pref("network.http.redirection-limit", 10);
+user_pref("network.http.redirection-limit", 8);
 /* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
  * Firefox has *some* protections, but it is better to be safe than sorry
  * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
@@ -1007,7 +1031,7 @@ user_pref("browser.download.hide_plugins_without_extensions", false);
  * XPI files which are installed outside of profile and application directories
  * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
  * [1] archived: https://archive.is/DYjAM ***/
-user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
+user_pref("extensions.enabledScopes", 1); // [HIDDEN PREF]
 user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
 /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
@@ -1065,8 +1089,9 @@ user_pref("dom.storage.enabled", false);
 user_pref("browser.cache.offline.enable", false);
 /* 2740: disable service worker cache and cache storage
  * [NOTE] We clear service worker cache on exiting Firefox (see 2803)
+ * [NOTE] Unlike arkenfox/user.js, we explicitly disable it
  * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
-    // user_pref("dom.caches.enabled", false);
+user_pref("dom.caches.enabled", false);
 /* 2750: disable Storage API [FF51+]
  * The API gives sites the ability to find out how much space they can use, how much
  * they are already using, and even control whether or not they need to be alerted
@@ -1087,6 +1112,21 @@ user_pref("dom.storageManager.enabled", false);
        Firefox interface as "Browsing & Download History" and their values will be synced
 ***/
 user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
+/* 2802: enable Thunderbird to clear items on shutdown (see 2803)
+user_pref("privacy.sanitize.sanitizeOnShutdown", true);
+/* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME]
+ * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
+ * but if 'history' is false, downloads can still be cleared independently
+ * However, this may not always be the case. The interface combines and syncs these
+ * prefs when set from there, and the sanitize code may change at any time ***/
+user_pref("privacy.clearOnShutdown.cache", true);
+user_pref("privacy.clearOnShutdown.cookies", true);
+user_pref("privacy.clearOnShutdown.downloads", true); // see note above
+user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
+user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
+user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
+user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
+user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
 /* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME]
  * This dialog can also be accessed from the menu History>Clear Recent History
  * Firefox remembers your last choices. This will reset them when you start Firefox.
@@ -1130,14 +1170,15 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
 user_pref("privacy.firstparty.isolate", true);
 /* 4002: enforce FPI restriction for window.opener [FF54+]
  * [NOTE] Setting this to false may reduce the breakage in 4001
+ * [NOTE] Unlike arkenfox/user.js, we explicitly set them
  * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
  * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute. (see [2],[3])
  * The 2nd pref removes that limitation and will only allow communication if FPDs also match.
  * [1] https://bugzilla.mozilla.org/1319773#c22
  * [2] https://bugzilla.mozilla.org/1492607
  * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
-   // user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
-   // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR]
+user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
+user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR]
 
 /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
    This master switch will be used for a wide range of items, many of which will
@@ -1374,12 +1415,11 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
 /* CONTENT BEHAVIOR ***/
    // user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type"
    // user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
+/* RETURN RECEIPT BEHAVIOR ***/
+   // user_pref("mail.mdn.report.enabled", false); // disable return receipt sending unconditionally
 /* UX BEHAVIOR ***/
    // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [DEFAULT: false on Linux]
    // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
-/* UX FEATURES: disable and hide the icons and menus ***/
-   // user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
-   // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
 /* OTHER ***/
    // user_pref("network.manage-offline-status", false); // see bugzilla 620472
    // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
@@ -1394,7 +1434,7 @@ user_pref("mail.identity.id1.header.InReplyTo", "");
 /*** [SECTION 6000]: THUNDERBIRD (AUTO CONFIG / UI / HEADERS / ADDRESS BOOK)
    Options general to Thunderbird's mail configuration and user interface
 
-   [1] https://dxr.mozilla.org/comm-release/
+   [1] https://searchfox.org/comm-esr78/source/
    [2] http://kb.mozillazine.org/Mail_and_news_settings
 ***/
 user_pref("_user.js.parrot", "6000 syntax error: this parrot is blind!");
@@ -1411,45 +1451,53 @@ user_pref("mailnews.auto_config.fetchFromISP.sendEmailAddress", false);
 user_pref("mailnews.auto_config.fetchFromExchange.enabled", false);
 user_pref("mailnews.auto_config_url", "");
 user_pref("mailnews.auto_config.addons_url","");
-/* 6001: Disable account provisioning [SETUP-INSTALL]
+/* 6002: Disable account provisioning [SETUP-INSTALL]
  * This option allows users to create a new email account through partner providers.
  * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Account_Provisioner ***/
 user_pref("mail.provider.enabled", false);
 
 /** UI (User Interface) ***/
-/* 6003: Hide tab bar
+/* 6010: Hide tab bar
  * false=Hides the tab bar if there is only one tab. (default) ***/
 user_pref("mail.tabs.autoHide", true);
-/* 6004: Show full email instead of just name from address book
+/* 6011: Show full email instead of just name from address book
  * true=Show just the display name for people in the address book (default)
  * false=Show both the email address and display name. ***/
 user_pref("mail.showCondensedAddresses", false);
-/* 6010: Disable "Filelink for Large Attachments" feature
+/* 6012: Disable "Filelink for Large Attachments" feature
  * [1] https://support.thunderbird.net/kb/filelink-large-attachments ***/
 user_pref("mail.cloud_files.enabled", false);
 user_pref("mail.cloud_files.inserted_urls.footer.link", "");
-/* 6020: Don't hide cookies and passwords related (advanced?) buttons ***/
+/* 6013: Don't hide cookies and passwords related (advanced?) buttons ***/
 user_pref("pref.privacy.disable_button.view_cookies", false);
 user_pref("pref.privacy.disable_button.cookie_exceptions", false);
 user_pref("pref.privacy.disable_button.view_passwords", false);
+/* 6014: Prevent access to emails until the master password is entered
+ * If a master password has been set, Thunderbird will prevent access to locally available emails
+ * until the secret is provided.
+ * This preference MAY mitigate risk due to intimate relationship threat in some cases (see [2])...
+ * [WARNING] This DOES NOT encrypt locally cached emails anyhow (poor man's application security)
+ * [1] https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-master-password
+ * [2] https://www.schneier.com/wp-content/uploads/2020/06/Privacy_Threats_in_Intimate_Relationships-1.pdf ***/
+user_pref("mail.password_protect_local_cache", true);  // [HIDDEN PREF]
 
 /** HEADERS ***/
-/* 6004:
+/* 6020:
  * true=Show Sender header in message pane.
  * false=Does nothing. (default) ***/
 user_pref("mailnews.headers.showSender", true);
-/* 6005:
+/* 6021:
  * true=Show User Agent header in message pane
  * false=Does nothing. (default) ***/
 user_pref("mailnews.headers.showUserAgent", false);
-/* 6006: Hello argument
+/* 6022: Hello argument
  * Lets you replace your IP address with the specified string in Received: headers when your
  * IP address is not a "fully qualified domain name" (FQDN). Typically you only need to do this
  * when you have a NAT box to prevent it from using the NAT boxes IP address.
  * If you don't set it to something in your SMTP server's domain it may increase your spam
  * score. ***/
 user_pref("mail.smtpserver.default.hello_argument", "[127.0.0.1]");
-/* 6007: Displayed dates and times
+/* 6023: Displayed dates and times
  * [SETUP-INSTALL] When your e-mail program displays the e-mail's date and time, it normally
  * converts them to your time zone. If your computer's time zone settings are wrong, then you will
  * see the wrong time (and possibly the wrong date).
@@ -1460,9 +1508,9 @@ user_pref("mail.smtpserver.default.hello_argument", "[127.0.0.1]");
  * [2] http://wiki.cacert.org/ThunderBirdAdvancedConfig
  * ***/
 user_pref("mailnews.display.original_date", false);
-/* 6008: Display the sender's Timezone when set to true ***/
+/* 6024: Display the sender's Timezone when set to true ***/
 user_pref("mailnews.display.date_senders_timezone", false);
-/* 6009: Display Time Date based on Received Header
+/* 6025: Display Time Date based on Received Header
  * Thunderbird shows the time when the message was sent, according to the sender. It is possible
  * to make Thunderbird show the time when the message arrived on your mail server, based on the
  * "Received" header. Set the following preference. New messages will show the time the message
@@ -1470,11 +1518,18 @@ user_pref("mailnews.display.date_senders_timezone", false);
    // user_pref("mailnews.use_received_date", true);
 
 /** ADDRESS BOOK ***/
-/* 6007: Address book collection
- * [SETUP-FEATURE] Disable address book email collection
- * Consider using https://addons.thunderbird.net/addon/cardbook instead ***/
-user_pref("mail.collect_addressbook", false);
+/* 6030: Address book collection [SETUP-FEATURE]
+ * Disable Thunderbird internal address book email collection
+ * Consider using CardBook extension instead (https://addons.thunderbird.net/addon/cardbook/)
+ * [SETTING] Preferences>Composition>Addressing>Automatically add outgoing e-mail addresses...
+ * [SETTING][CARDBOOK] CardBook>Preferences>Email>Collect Outgoing Email ***/
+user_pref("mail.collect_addressbook", "");  // [DEFAULT: "jsaddrbook://history.sqlite"]
 user_pref("mail.collect_email_address_outgoing", false);
+/* 6031: Only use email addresses, without their Display Names [CARDBOOK] [SETUP-FEATURE]
+ * By default, CardBook extension incorporates contacts display names in addresses fields.
+ * This could leak sensitive information to all recipients.
+ * [SETTING][CARDBOOK] CardBook>Preferences>Email>Sending Emails>Only use email addresses... ***/
+user_pref("extensions.cardbook.useOnlyEmail", true);
 
 /*** [SECTION 6100]: EMAIL COMPOSITION (ENCODING / FORMAT / VIEW)
    Options that relate to composition, formatting and viewing email
@@ -1496,19 +1551,30 @@ user_pref("mailnews.send_default_charset", "UTF-8");
 /* 6104: Forces encoding in reply to be the default charset
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=234958#c2 ***/
 user_pref("mailnews.reply_in_default_charset", true);
+/* 6105: Avoid information leakage in reply header
+ * Reply header may contain sensitive information about system locale (date and/or language)
+ * 0=no header
+ * 1="<author> wrote:" (see `reply_header_authorwrotesingle` below)
+ * 2="On <date> <author> wrote:" (see `reply_header_ondateauthorwrote` below [DEFAULT])
+ * 3="<author> wrote On <date>:" (see `reply_header_authorwroteondate` below`)
+ * 4=user specified (you may use below tokens to forge your own format [DISCOURAGED]) ***/
+user_pref("mailnews.reply_header_type", 1);
+user_pref("mailnews.reply_header_authorwrotesingle", "#1 wrote:");
+   // user_pref("mailnews.reply_header_ondateauthorwrote", "On #2 #3, #1 wrote:");
+   // user_pref("mailnews.reply_header_authorwroteondate", "#1 wrote on #2 #3:");
 
 /** COMPOSITION ***/
-/* 6105: Check spelling before sending [SETUP-FEATURE]
+/* 6110: Check spelling before sending [SETUP-FEATURE]
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=667133 ***/
 user_pref("mail.SpellCheckBeforeSend", false);
-/* 6106: Behavior when sending HTML message [SETUP-FEATURE]
+/* 6111: Behavior when sending HTML message [SETUP-FEATURE]
  * (0=Ask, 1=Send as plain text, 2=Send as HTML anyway,
  * 3=Include both plain text and HTML message bodies in message)
  * Email that is HTML should also have plaintext multipart for plain text users.
  * [1] https://drewdevault.com/2016/04/11/Please-use-text-plain-for-emails.html
  * [SETTING] Edit > Preferences > Send Options > Send the message in both plain text and HTML ***/
 user_pref("mail.default_html_action", 1);
-/* 6107: Send email in plaintext unless expressly overridden.
+/* 6112: Send email in plaintext unless expressly overridden.
  * [SETUP-FEATURE] Sometimes HTML is useful especially when used with Markdown Here
  * [NOTE] Holding down shift when you click on "Write" will bypass
  * [1] http://kb.mozillazine.org/Plain_text_e-mail_%28Thunderbird%29
@@ -1516,18 +1582,18 @@ user_pref("mail.default_html_action", 1);
  * [3] https://markdown-here.com ***/
 user_pref("mail.html_compose", false);
 user_pref("mail.identity.default.compose_html", false);
-/* 6108: Downgrade email to plaintext by default
+/* 6113: Downgrade email to plaintext by default
  * [SETUP-FEATURE] Only use HTML email if you need it, see above
  * [SETTING] Edit > Preferences > Composition > Send Options > Send messages as plain-text if possible ***/
 user_pref("mailnews.sendformat.auto_downgrade", false);
-/* 6109: What classes can process incoming data.
+/* 6114: What classes can process incoming data.
  * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
  * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
  * In the past this has mitigated a vulnerability CVE-2008-0304 (rare)
  * [1] https://www.mozilla.org/en-US/security/advisories/mfsa2008-12/
  * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=677905 ***/
 user_pref("mailnews.display.disallow_mime_handlers", 3);
-/* 6110: How to display HTML parts of a message body
+/* 6115: How to display HTML parts of a message body
  * (0=Display the HTML normally (default), 1=Convert it to text and then back again
  * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
  * (in trunk builds later than 2011-07-23)
@@ -1535,36 +1601,36 @@ user_pref("mailnews.display.disallow_mime_handlers", 3);
  * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
  * [3] https://www.bucksch.org/1/projects/mozilla/108153/ ***/
 user_pref("mailnews.display.html_as", 3);
-/* 6111: Prefer to view as plaintext or html [SETUP-FEATURE]
+/* 6116: Prefer to view as plaintext or html [SETUP-FEATURE]
  * true=Display a message as plain text when there is both a HTML and a plain
  * text version of a message body
  * false=Display a message as HTML when there is both a HTML and a plain text
  * version of a message body. (default) ***/
 user_pref("mailnews.display.prefer_plaintext", false);
-/* 6112: Inline attachments [SETUP-FEATURE]
+/* 6117: Inline attachments [SETUP-FEATURE]
  * true=Show inlinable attachments (text, images, messages) after the message.
  * false=Do not display any attachments with the message ***/
 user_pref("mail.inline_attachments", false);
-/* 6113: Big attachment warning
+/* 6118: Big attachment warning
  * [1] https://support.mozilla.org/en-US/questions/1081046
  * [2] http://forums.mozillazine.org/viewtopic.php?f=39&t=2949521 */
 user_pref("mail.compose.big_attachments.notify", true); // [DEFAULT: true]
-/* 6114: Set big attachment size to warn at */
-   // user_pref("mailnews.message_warning_size", 20971520); // DEFAULT size
+/* 6119: Set big attachment size to warn at */
+   // user_pref("mailnews.message_warning_size", 20971520); // [DEFAULT: 20971520]
 
 /** VIEW ***/
-/* 6115: Disable JavaScript
+/* 6130: Disable JavaScript
  * [NOTE] JavaScript is already disabled in message content.
  * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Releases/3
  * [2] https://stackoverflow.com/questions/3054315/is-javascript-supported-in-an-email-message
  * ***/
 user_pref("javascript.enabled", false);
-/* 6116: Disable media source extensions
+/* 6131: Disable media source extensions
  * [1] https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox ***/
 user_pref("media.mediasource.enabled", false);
-/* 6117: Disable hardware decoding support ***/
+/* 6132: Disable hardware decoding support ***/
 user_pref("media.hardware-video-decoding.enabled", false);
-/* 6118: Default image permissions
+/* 6133: Default image permissions
  * 1=Allow all images to load, regardless of origin. (Default),
  * 2=Block all images from loading.
  * 3=Prevent third-party images from loading
@@ -1572,12 +1638,12 @@ user_pref("media.hardware-video-decoding.enabled", false);
 user_pref("permissions.default.image", 2);
 
 /*** [SECTION 6200]: OTHER THUNDERBIRD COMPONENTS (CHAT / CALENDAR / RSS)
-   Options that relate to other Thunderbird components such as the chat client, calendar and rss)
+   Options that relate to other Thunderbird components such as the chat client, calendar and RSS)
 ***/
 user_pref("_user.js.parrot", "6200 syntax error: this parrot is not tweeting!");
 
 /** CHAT ***/
-/* 6201: Disable chat functionality ***/
+/* 6201: Disable chat functionality [SETUP-FEATURE] ***/
 user_pref("mail.chat.enabled", false);
 /* 6202: Disable logging of group chats ***/
 user_pref("purple.logging.log_chats", false);
@@ -1587,33 +1653,41 @@ user_pref("purple.logging.log_ims", false);
 user_pref("purple.logging.log_system", false);
 /* 6205: Disable typing notifications ***/
 user_pref("purple.conversations.im.send_typing", false);
-/* 6210: When chat is enabled, do not connect to accounts automatically
+/* 6206: When chat is enabled, do not connect to accounts automatically
  * 0=Do not connect / show the account manager,
  * 1=Connect automatically. (Default) ***/
    // user_pref("messenger.startup.action", 0);
+/* 6207: When chat is enabled, do not report idle status ***/
+   // user_pref("messenger.status.reportIdle", false);
 
 /** CALENDAR ***/
-/* 6206: Disable calendar integration
-  * [SETUP-FEATURE] Lightning calendar add-on is integrated in Thunderbird 38 and later.
-  * Keeping this preference false allows us to properly show the opt-in/opt-out dialog
-  * on new profiles fresh start, see [3].
-  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=401779
-  * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1130854
-  * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1130852 ***/
+/* 6210: Disable calendar integration
+ * [SETUP-FEATURE] Lightning calendar add-on is integrated in Thunderbird 38 and later.
+ * Keeping this preference false allows us to properly show the opt-in/opt-out dialog
+ * on new profiles fresh start, see [3].
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=401779
+ * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1130854
+ * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1130852 ***/
 user_pref("mail.calendar-integration.opt-out", false);
-/* 6207: Set user agent for calendar ***/
+/* 6211: Set user agent for calendar ***/
 user_pref("calendar.useragent.extra", "");
+/* 6212: Set calendar timezone to avoid system detection [SETUP-INSTALL]
+ * By default, extensive system detection would be performed to find user's current timezone.
+ * Setting this preference to "UTC" should disable it.
+ * You may also directly set it to your timezone, i.e. "Pacific/Fakaofo"
+ * [SETTING] Edit>Preferences>Calendar>Calendar>Timezone ***/
+user_pref("calendar.timezone.local", "UTC");  // [DEFAULT: ""]
 
 /** RSS ***/
 /** These features don't actually do anything as they aren't implemented
- * [1] https://dxr.mozilla.org/comm-release/source/mail/base/content/mailWindowOverlay.js#649
+ * [1] https://searchfox.org/comm-esr78/rev/384830b0570096c48770398060f87fbe556f6f01/mail/base/content/mailWindowOverlay.js#925
  * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=458606#c9
-/* 6208: What classes can process incoming data.
+/* 6220: What classes can process incoming data.
  * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
  * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
  * [1] https://www.privacy-handbuch.de/handbuch_31j.htm
 user_pref("rss.display.disallow_mime_handlers", 3);
-/* 6209: How to display HTML parts of a message body
+/* 6221: How to display HTML parts of a message body
  * (0=Display the HTML normally (default), 1=Convert it to text and then back again
  * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
  * (in trunk builds later than 2011-07-23)
@@ -1621,25 +1695,25 @@ user_pref("rss.display.disallow_mime_handlers", 3);
  * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
  * [3] https://www.bucksch.org/1/projects/mozilla/108153/
 user_pref("rss.display.html_as", 1);
-/* 6210: Prefer to view as plaintext or html
+/* 6222: Prefer to view as plaintext or html
  * true=Display a message as plain text when there is both a HTML and a plain
  * text version of a message body
  * false=Display a message as HTML when there is both a HTML and a plain text
  * version of a message body. (default)
 user_pref("rss.display.prefer_plaintext", true);
 **/
-/* 6211: Feed message display (summary or web page), on open.
+/* 6223: Feed message display (summary or web page), on open.
  * Action on double click or enter in threadpane for a feed message.
  * 0=open content-base url in new window, 1=open summary in new window,
  * 2=toggle load summary and content-base url in message pane,
  * 3=load content-base url in browser
  * [1] http://forums.mozillazine.org/viewtopic.php?f=39&t=2502335 ***/
 user_pref("rss.show.content-base", 3);
-/* 6212: Feed message display (summary or web page), on select.
+/* 6224: Feed message display (summary or web page), on select.
  * 0=global override, load web page, 1=global override, load summary,
  * 2=use default feed folder setting from Subscribe dialog; if no setting default to 1 ***/
 user_pref("rss.show.summary", 1);
-/* 6213: Feed message additional web page display.
+/* 6225: Feed message additional web page display.
  * 0=no action, 1=load web page in default browser, on select ***/
 user_pref("rss.message.loadWebPageOnSelect", 0);
 
@@ -1656,9 +1730,9 @@ user_pref("_user.js.parrot", "6300 syntax error: this parrot is talking in codes
 /* These used to be inversed, however it seems upstream has changed this behavior
  * [1] https://www.privacy-handbuch.de/handbuch_31f.htm ***/
 /* 6301: Silence the Enigmail version header ***/
-user_pref("extensions.enigmail.addHeaders", false); // Default
+user_pref("extensions.enigmail.addHeaders", false); // [DEFAULT: false]
 /* 6302: Silence the Enigmail comment ***/
-user_pref("extensions.enigmail.useDefaultComment", true); // Default
+user_pref("extensions.enigmail.useDefaultComment", true); // [DEFAULT: true]
 /* 6303: Silence the version ***/
 user_pref("extensions.enigmail.agentAdditionalParam", "--no-emit-version --no-comments");
 /* 6304: Specifies the hash algorithm used by GnuPG for its cryptographic operations:
@@ -1678,7 +1752,7 @@ user_pref("extensions.enigmail.protectedHeaders", 2);
 /* 6306: Text to use as replacement for the subject, following the Memory Hole
  * standard. If nothing is defined, then "Encrypted Message" is used.
  ***/
-user_pref("extensions.enigmail.protectedSubjectText", "Encrypted Message"); // Default
+user_pref("extensions.enigmail.protectedSubjectText", "Encrypted Message"); // [DEFAULT: "Encrypted Message"]
 
 /** AUTOCRYPT ***/
 /* 6307: Choose whether to enable AutoCrypt