2025-04-22 16:39:30 -04:00
6 changed files with 215 additions and 299 deletions
--- a/prefsCleaner.bat
+++ b/prefsCleaner.bat
@ -3,7 +3,7 @@ TITLE prefs.js cleaner
 REM ### prefs.js cleaner for Windows
 REM ## author: @claustromaniac
-REM ## version: 2.8
+REM ## version: 2.7
 CD /D "%~dp0"
@ -15,7 +15,7 @@ ECHO:
 ECHO                 ########################################
 ECHO                 ####  prefs.js cleaner for Windows  ####
 ECHO                 ####        by claustromaniac       ####
-ECHO                 ####              v2.8              ####
+ECHO                 ####              v2.7              ####
 ECHO                 ########################################
 ECHO:
 CALL :message "This script should be run from your Firefox profile directory."
@ -37,7 +37,7 @@ CALL :strlenCheck
 CALL :FFcheck
 CALL :message "Backing up prefs.js..."
-FOR /F "delims=" %%# IN ('powershell -command get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
+FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
 COPY /B /V /Y prefs.js "prefs-backup-%ldt%.js"
 CALL :message "Cleaning prefs.js..."
--- a/prefsCleaner.sh
+++ b/prefsCleaner.sh
@ -2,7 +2,7 @@
 ## prefs.js cleaner for Linux/Mac
 ## author: @claustromaniac
-## version: 2.1
+## version: 2.0
 ## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh
@ -132,13 +132,13 @@ done
 ## change directory to the Firefox profile directory
 cd "$(dirname "${SCRIPT_FILE}")"
-# Check if running as root and if any files have the owner as root/wheel.
+# Check if running as root and if any files have the owner/group as root/wheel.
 if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then
 	fQuit 1 "You shouldn't run this with elevated privileges (such as with doas/sudo)."
-elif [ -n "$(find ./ -user 0)" ]; then
+elif [ -n "$(find ./ -user 0 -o -group 0)" ]; then
 	printf 'It looks like this script was previously run with elevated privileges,
 you will need to change ownership of the following files to your user:\n'
-	find . -user 0
+	find . -user 0 -o -group 0
 	fQuit 1
 fi
@ -148,7 +148,7 @@ echo -e "\n\n"
 echo "                   ╔══════════════════════════╗"
 echo "                   ║     prefs.js cleaner     ║"
 echo "                   ║    by claustromaniac     ║"
-echo "                   ║           v2.1           ║"
+echo "                   ║           v2.0           ║"
 echo "                   ╚══════════════════════════╝"
 echo -e "\nThis script should be run from your Firefox profile directory.\n"
 echo "It will remove any entries from prefs.js that also exist in user.js."
--- a/scratchpad-scripts/arkenfox-cleanup.js
+++ b/scratchpad-scripts/arkenfox-cleanup.js
@ -6,7 +6,7 @@
  There is an archived version at https://github.com/arkenfox/user.js/issues/123
  if you want the full list since jesus
-  Last updated: 21-April-2025
+  Last updated: 2-November-2023
  Instructions:
  - [optional] close Firefox and backup your profile
@ -35,13 +35,7 @@
  const aPREFS = [
    /* DEPRECATED */
    /* 129-140 */
    'media.ondevicechange.enabled', // 137
    'webchannel.allowObject.urlWhitelist', // 132
    /* 116-128 */
    'browser.contentanalysis.default_allow', // 127
    'browser.messaging-system.whatsNewPanel.enabled', // 126
    'browser.ping-centre.telemetry', // 123
    'dom.webnotifications.serviceworker.enabled', // 117
    'javascript.use_us_english_locale', // 119
    'layout.css.font-visibility.private', // 118
@ -51,7 +45,6 @@
    'network.dns.skipTRR-when-parental-control-enabled', // 119
    'permissions.delegation.enabled', // 118
    'security.family_safety.mode', // 117
    'widget.non-native-theme.enabled', // 127
    /* 103-115 */
    'browser.cache.offline.enable', // 115
    'extensions.formautofill.heuristics.enabled', // 114
@ -74,29 +67,10 @@
    'security.ssl3.rsa_des_ede3_sha', // 93
    /* REMOVED */
    /* 129-140 */
    'dom.securecontext.allowlist_onions',
    'network.http.referer.hideOnionSource',
    'privacy.clearOnShutdown.cache',
    'privacy.clearOnShutdown.cookies',
    'privacy.clearOnShutdown.downloads',
    'privacy.clearOnShutdown.formdata',
    'privacy.clearOnShutdown.history',
    'privacy.clearOnShutdown.offlineApps',
    'privacy.clearOnShutdown.sessions',
    'privacy.cpd.cache',
    'privacy.cpd.cookies',
    'privacy.cpd.formdata',
    'privacy.cpd.history',
    'privacy.cpd.offlineApps',
    'privacy.cpd.sessions',
    /* 116-128 */
    'browser.fixup.alternate.enabled',
    'browser.taskbar.previews.enable',
    'browser.urlbar.dnsResolveSingleWordsAfterSearch',
    'geo.provider.network.url',
    'geo.provider.network.logging.enabled',
    'geo.provider.use_gpsd',
    'media.gmp-widevinecdm.enabled',
    'network.protocol-handler.external.ms-windows-store',
    'privacy.partition.always_partition_third_party_non_cookie_storage',
--- a/updater.bat
+++ b/updater.bat
@ -3,7 +3,7 @@ TITLE arkenfox user.js updater
 REM ## arkenfox user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.20
+REM ## version: 4.19
 REM ## instructions: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-windows
 SET v=4.19
@ -177,7 +177,7 @@ IF EXIST user.js.new (
 		IF DEFINED _singlebackup (
 			MOVE /Y user.js user.js.bak >nul
 		) ELSE (
-			FOR /F "delims=" %%# IN ('powershell -command get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
+			FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
 			MOVE /Y user.js "user-backup-!ldt!.js" >nul
 		)
 		REN user.js.new user.js
--- a/updater.sh
+++ b/updater.sh
@ -2,7 +2,7 @@
 ## arkenfox user.js updater for macOS and Linux
-## version: 4.0
+## version: 3.9
 ## Author: Pat Johnson (@overdodactyl)
 ## Additional contributors: @earthlng, @ema-pe, @claustromaniac, @infinitewarp
@ -393,11 +393,11 @@ update_updater "$@"
 getProfilePath # updates PROFILE_PATH or exits on error
 cd "$PROFILE_PATH" || exit 1
-# Check if any files have the owner as root/wheel.
+# Check if any files have the owner/group as root/wheel.
-if [ -n "$(find ./ -user 0)" ]; then
+if [ -n "$(find ./ -user 0 -o -group 0)" ]; then
 	printf 'It looks like this script was previously run with elevated privileges,
 you will need to change ownership of the following files to your user:\n'
-	find . -user 0
+	find . -user 0 -o -group 0
 	cd "$CURRDIR"
 	exit 1
 fi
--- a/user.js
+++ b/user.js
@ -1,7 +1,7 @@
 /******
 *    name: arkenfox user.js
-*    date: 6 March 2025
+*    date: 20 November 2023
-* version: 135
+* version: 119
 *    urls: https://github.com/arkenfox/user.js [repo]
 *        : https://arkenfox.github.io/gui/ [interactive]
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
@ -35,7 +35,7 @@
    - It is recommended to not use the updater, or you will get a later version which may cause issues.
      So you should manually append your overrides (and keep a copy), and manually update when you
      change ESR releases (arkenfox is already past that release)
-    - If you decide to keep updating, then the onus is on you - also see section 9999
+    - If you decide to keep updating, then the onus is on - also see section 9999
 * INDEX:
@ -56,14 +56,12 @@
  2600: MISCELLANEOUS
  2700: ETP (ENHANCED TRACKING PROTECTION)
  2800: SHUTDOWN & SANITIZING
-  4000: FPP (fingerprintingProtection)
+  4500: RFP (resistFingerprinting)
  4500: OPTIONAL RFP (resistFingerprinting)
  5000: OPTIONAL OPSEC
  5500: OPTIONAL HARDENING
  6000: DON'T TOUCH
  7000: DON'T BOTHER
  8000: DON'T BOTHER: FINGERPRINTING
  8500: TELEMETRY
  9000: NON-PROJECT RELATED
  9999: DEPRECATED / RENAMED
@ -83,7 +81,7 @@ user_pref("browser.aboutConfig.showWarning", false);
 user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 /* 0102: set startup page [SETUP-CHROME]
 * 0=blank, 1=home, 2=last visited page, 3=resume previous session
- * [NOTE] Session Restore is cleared with history (2811+), and not used in Private Browsing mode
+ * [NOTE] Session Restore is cleared with history (2811), and not used in Private Browsing mode
 * [SETTING] General>Startup>Restore previous session ***/
 user_pref("browser.startup.page", 0);
 /* 0103: set HOME+NEWWINDOW page
@ -96,17 +94,22 @@ user_pref("browser.startup.homepage", "about:blank");
 user_pref("browser.newtabpage.enabled", false);
 /* 0105: disable sponsored content on Firefox Home (Activity Stream)
 * [SETTING] Home>Firefox Home Content ***/
-user_pref("browser.newtabpage.activity-stream.showSponsored", false); // [FF58+]
+user_pref("browser.newtabpage.activity-stream.showSponsored", false); // [FF58+] Pocket > Sponsored Stories
-user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] Shortcuts>Sponsored shortcuts
+user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+] Sponsored shortcuts
 /* 0106: clear default topsites
 * [NOTE] This does not block you from adding your own ***/
 user_pref("browser.newtabpage.activity-stream.default.sites", "");
 /*** [SECTION 0200]: GEOLOCATION ***/
 user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
 /* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+]
 * Optionally enable logging to the console (defaults to false) ***/
 user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
   // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF]
 /* 0202: disable using the OS's geolocation service ***/
 user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
 user_pref("geo.provider.use_corelocation", false); // [MAC]
 user_pref("geo.provider.use_gpsd", false); // [LINUX] [HIDDEN PREF]
 user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
 /*** [SECTION 0300]: QUIETER FOX ***/
@ -117,8 +120,8 @@ user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
 /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
 user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
 /* 0322: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
- * [NOTE] This pref has no effect when Health Reports (8501) are disabled
+ * [NOTE] This pref has no effect when Health Reports (0331) are disabled
- * [SETTING] Privacy & Security>Firefox Data Collection and Use>Allow personalized extension recommendations
+ * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations
 * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
 user_pref("browser.discovery.enabled", false);
 /* 0323: disable shopping experience [FF116+]
@ -126,13 +129,44 @@ user_pref("browser.discovery.enabled", false);
 user_pref("browser.shopping.experience2023.enabled", false); // [DEFAULT: false]
 /** TELEMETRY ***/
 /* 0330: disable new data submission [FF41+]
 * If disabled, no policy is shown or upload takes place, ever
 * [1] https://bugzilla.mozilla.org/1195552 ***/
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
 /* 0331: disable Health Reports
 * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/
 user_pref("datareporting.healthreport.uploadEnabled", false);
 /* 0332: disable telemetry
 * The "unified" pref affects the behavior of the "enabled" pref
 * - If "unified" is false then "enabled" controls the telemetry module
 * - If "unified" is true then "enabled" only controls whether to record extended data
 * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2]
 * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
 * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
 user_pref("toolkit.telemetry.unified", false);
 user_pref("toolkit.telemetry.enabled", false); // see [NOTE]
 user_pref("toolkit.telemetry.server", "data:,");
 user_pref("toolkit.telemetry.archive.enabled", false);
 user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
 user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
 user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
 user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
 user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
 /* 0333: disable Telemetry Coverage
 * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
 user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
 user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
 user_pref("toolkit.coverage.endpoint.base", "");
 /* 0334: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
 * Defense-in-depth: currently covered by 0331 ***/
 user_pref("browser.ping-centre.telemetry", false);
 /* 0335: disable Firefox Home (Activity Stream) telemetry ***/
 user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
 user_pref("browser.newtabpage.activity-stream.telemetry", false);
 /** STUDIES ***/
 /* 0340: disable Studies
- * [SETTING] Privacy & Security>Firefox Data Collection and Use>Install and run studies ***/
+ * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
 user_pref("app.shield.optoutstudies.enabled", false);
 /* 0341: disable Normandy/Shield [FF60+]
 * Shield is a telemetry system that can push and test "recipes"
@ -146,7 +180,7 @@ user_pref("breakpad.reportURL", "");
 user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
   // user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+] [DEFAULT: false]
 /* 0351: enforce no submission of backlogged Crash Reports [FF58+]
- * [SETTING] Privacy & Security>Firefox Data Collection and Use>Send backlogged crash reports  ***/
+ * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports  ***/
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT: false]
 /** OTHER ***/
@ -204,7 +238,7 @@ user_pref("network.prefetch-next", false);
 /* 0602: disable DNS prefetching
 * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
 user_pref("network.dns.disablePrefetch", true);
-user_pref("network.dns.disablePrefetchFromHTTPS", true);
+   // user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
 /* 0603: disable predictor / prefetching ***/
 user_pref("network.predictor.enabled", false);
 user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false]
@ -234,7 +268,7 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
 * [1] https://bugzilla.mozilla.org/1433507
 * [2] https://en.wikipedia.org/wiki/GVfs
 * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
-user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: ""]
+user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: "" FF118+]
 /* 0705: disable proxy direct failover for system requests [FF91+]
 * [WARNING] Default true is a security feature against malicious extensions [1]
 * [SETUP-CHROME] If you use a proxy and you trust your extensions
@ -252,7 +286,7 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: ""]
 * [SETTING] Privacy & Security>DNS over HTTPS
 * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
 * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
- * [3] https://support.mozilla.org/kb/firefox-dns-over-https
+ * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
 * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
   // user_pref("network.trr.mode", 3);
 /* 0712: set DoH provider
@ -268,16 +302,14 @@ user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
 * [1] https://bugzilla.mozilla.org/1348275 ***/
 user_pref("browser.urlbar.speculativeConnect.enabled", false);
 /* 0802: disable location bar contextual suggestions
- * [NOTE] The UI is controlled by the .enabled pref
+ * [SETTING] Privacy & Security>Address Bar>Suggestions from...
 * [SETTING] Search>Address Bar>Suggestions from...
 * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
 user_pref("browser.urlbar.quicksuggest.enabled", false); // [FF92+]
 user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
 user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+]
 /* 0803: disable live search suggestions
- * [NOTE] Both must be true for live search to work in the location bar
+ * [NOTE] Both must be true for the location bar to work
 * [SETUP-CHROME] Override these if you trust and use a privacy respecting search engine
- * [SETTING] Search>Show search suggestions | Show search suggestions in address bar results ***/
+ * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/
 user_pref("browser.search.suggest.enabled", false);
 user_pref("browser.urlbar.suggest.searches", false);
 /* 0805: disable urlbar trending search suggestions [FF118+]
@ -285,32 +317,26 @@ user_pref("browser.urlbar.suggest.searches", false);
 user_pref("browser.urlbar.trending.featureGate", false);
 /* 0806: disable urlbar suggestions ***/
 user_pref("browser.urlbar.addons.featureGate", false); // [FF115+]
 user_pref("browser.urlbar.fakespot.featureGate", false); // [FF130+] [DEFAULT: false]
 user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF]
 user_pref("browser.urlbar.pocket.featureGate", false); // [FF116+] [DEFAULT: false]
 user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false]
 user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+]
 /* 0807: disable urlbar clipboard suggestions [FF118+] ***/
-   // user_pref("browser.urlbar.clipboard.featureGate", false);
+   // user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: false]
 /* 0808: disable recent searches [FF120+]
 * [NOTE] Recent searches are cleared with history (2811+)
 * [1] https://support.mozilla.org/kb/search-suggestions-firefox ***/
   // user_pref("browser.urlbar.recentsearches.featureGate", false);
 /* 0810: disable search and form history
 * [NOTE] We also clear formdata on exit (2811+)
 * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
 * [NOTE] We also clear formdata on exit (2811)
 * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
 * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
 * [2] https://bugzilla.mozilla.org/381681 ***/
 user_pref("browser.formfill.enable", false);
 /* 0815: disable tab-to-search [FF85+]
 * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
- * [SETTING] Search>Address Bar>When using the address bar, suggest>Search engines ***/
+ * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
   // user_pref("browser.urlbar.suggest.engines", false);
 /* 0820: disable coloring of visited links
 * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
 * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
- * attacks. Don't forget clearing history on exit (2811+). However, social engineering [2#limits][4][5]
+ * attacks. Don't forget clearing history on exit (2811). However, social engineering [2#limits][4][5]
 * and advanced targeted timing attacks could still produce usable results
 * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector
 * [2] https://dbaron.org/mozilla/visited-privacy
@ -346,17 +372,14 @@ user_pref("network.auth.subresource-http-auth-allow", 1);
 * [SETTING] Privacy & Security>Logins and Passwords>Allow Windows single sign-on for...
 * [1] https://support.mozilla.org/kb/windows-sso ***/
   // user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false]
 /* 0907: enforce no automatic authentication on Microsoft sites [FF131+] [MAC]
 * On macOS, SSO only works on corporate devices ***/
   // user_pref("network.http.microsoft-entra-sso.enabled", false); // [DEFAULT: false]
 /*** [SECTION 1000]: DISK AVOIDANCE ***/
 user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
 /* 1001: disable disk cache
- * [NOTE] We also clear cache on exit (2811+)
+ * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this
- * [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this ***/
+ * [NOTE] We also clear cache on exit (2811) ***/
 user_pref("browser.cache.disk.enable", false);
-/* 1002: set media cache in Private Browsing to in-memory and increase its maximum size
+/* 1002: disable media cache from writing to disk in Private Browsing
 * [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB ***/
 user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+]
 user_pref("media.memory_cache_max_size", 65536);
@ -388,7 +411,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
 * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
 * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
- * [STATS] SSL Labs (May 2024) reports over 99.7% of top sites have secure renegotiation [4]
+ * [STATS] SSL Labs (Nov 2023) reports over 99.5% of top sites have secure renegotiation [4]
 * [1] https://wiki.mozilla.org/Security:Renegotiation
 * [2] https://datatracker.ietf.org/doc/html/rfc5746
 * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
@ -415,14 +438,13 @@ user_pref("security.tls.enable_0rtt_data", false);
 * [1] https://en.wikipedia.org/wiki/Ocsp ***/
 user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
 /* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
- * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR | SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
+ * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR
 * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
 * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
 * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
 * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
 * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
- * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html
+ * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
 * [3] https://letsencrypt.org/2024/12/05/ending-ocsp/ ***/
 user_pref("security.OCSP.require", true);
 /** CERTS / HPKP (HTTP Public Key Pinning) ***/
@ -437,7 +459,7 @@ user_pref("security.cert_pinning.enforcement_level", 2);
 * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default)
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
 * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
-user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+]
+user_pref("security.remote_settings.crlite_filters.enabled", true);
 user_pref("security.pki.crlite_mode", 2);
 /** MIXED CONTENT ***/
@ -494,12 +516,6 @@ user_pref("privacy.userContext.ui.enabled", true);
 * [NOTE] The menu is always shown on long press and right click
 * [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/
   // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true);
 /* 1703: set external links to open in site-specific containers [FF123+]
 * [SETUP-WEB] Depending on your container extension(s) and their settings
 * true=Firefox will not choose a container (so your extension can)
 * false=Firefox will choose the container/no-container (default)
 * [1] https://bugzilla.mozilla.org/1874599 ***/
   // user_pref("browser.link.force_default_user_context_id_for_external_opens", true);
 /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
 user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
@ -507,7 +523,7 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
 user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
 /* 2003: force a single network interface for ICE candidates generation [FF42+]
 * When using a system-wide proxy, it uses the proxy interface
- * [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate
+ * [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate
 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
 user_pref("media.peerconnection.ice.default_address_only", true);
 /* 2004: force exclusion of private IPs from ICE candidates [FF51+]
@ -542,6 +558,8 @@ user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
 /* 2616: remove special permissions for certain mozilla domains [FF35+]
 * [1] resource://app/defaults/permissions ***/
 user_pref("permissions.manager.defaultsUrl", "");
 /* 2617: remove webchannel whitelist ***/
 user_pref("webchannel.allowObject.urlWhitelist", "");
 /* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing
 * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
 * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
@ -564,13 +582,6 @@ user_pref("pdfjs.disabled", false); // [DEFAULT: false]
 user_pref("pdfjs.enableScripting", false); // [FF86+]
 /* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */
 user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX]
 /* 2630: disable content analysis by DLP (Data Loss Prevention) agents
 * DLP agents are background processes on managed computers that allow enterprises to monitor locally running
 * applications for data exfiltration events, which they can allow/block based on customer defined DLP policies.
 * 0=Block all requests, 1=Warn on all requests (which lets the user decide), 2=Allow all requests
 * [1] https://github.com/chromium/content_analysis_sdk */
 user_pref("browser.contentanalysis.enabled", false); // [FF121+] [DEFAULT: false]
 user_pref("browser.contentanalysis.default_result", 0); // [FF127+] [DEFAULT: 0]
 /** DOWNLOADS ***/
 /* 2651: enable user interaction for security by always asking where to download
@ -615,123 +626,81 @@ user_pref("browser.contentblocking.category", "strict"); // [HIDDEN PREF]
 * Opener and redirect heuristics are granted for 30 days, see [3]
 * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/
 * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
- * [3] https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
+ * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
   // user_pref("privacy.antitracking.enableWebcompat", false);
 /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
 user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
 /* 2810: enable Firefox to clear items on shutdown
 * [NOTE] In FF129+ clearing "siteSettings" on shutdown (2811+), or manually via site data (2820+) and
 * via history (2830), will no longer remove sanitize on shutdown "cookie and site data" site exceptions (2815)
 * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes | Settings ***/
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
 /** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/
-/* 2811: set/enforce clearOnShutdown items (if 2810 is true) [SETUP-CHROME] [FF128+] ***/
+/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
-user_pref("privacy.clearOnShutdown_v2.cache", true); // [DEFAULT: true]
+ * [NOTE] If "history" is true, downloads will also be cleared
-user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); // [DEFAULT: true]
+ * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
-   // user_pref("privacy.clearOnShutdown_v2.siteSettings", false); // [DEFAULT: false]
+ * [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
-/* 2812: set/enforce clearOnShutdown items [FF136+] ***/
+user_pref("privacy.clearOnShutdown.cache", true);     // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", true); // [DEFAULT: true]
+user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown_v2.downloads", true);
+user_pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown_v2.formdata", true);
+user_pref("privacy.clearOnShutdown.history", true);   // [DEFAULT: true]
-/* 2813: set Session Restore to clear on shutdown (if 2810 is true) [FF34+]
+user_pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true]
- * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811+)
+   // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
 /* 2812: set Session Restore to clear on shutdown (if 2810 is true) [FF34+]
 * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
 * [NOTE] If true, this prevents resuming from crashes (also see 5008) ***/
   // user_pref("privacy.clearOnShutdown.openWindows", true);
-/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS ***/
+/** SANITIZE ON SHUTDOWN: RESPECTS "ALLOW" SITE EXCEPTIONS FF103+ ***/
-/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME] [FF128+]
+/* 2815: set "Cookies" and "Site Data" to clear on shutdown (if 2810 is true) [SETUP-CHROME]
- * [NOTE] Exceptions: For cross-domain logins, add exceptions for both sites
+ * [NOTE] Exceptions: A "cookie" block permission also controls "offlineApps" (see note below).
- * e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
+ * serviceWorkers require an "Allow" permission. For cross-domain logins, add exceptions for
 * both sites e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
 * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
 * [WARNING] Be selective with what sites you "Allow", as they also disable partitioning (1767271)
 * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question)
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
-user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true);
+user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
 user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data
-/** SANITIZE SITE DATA: IGNORES "ALLOW" SITE EXCEPTIONS ***/
+/** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/
-/* 2820: set manual "Clear Data" items [SETUP-CHROME] [FF128+]
+/* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
 * This dialog can also be accessed from the menu History>Clear Recent History
 * Firefox remembers your last choices. This will reset them when you start Firefox
- * [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/
+ * [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
-user_pref("privacy.clearSiteData.cache", true);
+ * for "Clear Recent History" is opened, it is synced to the same as "history" ***/
-user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions
+user_pref("privacy.cpd.cache", true);    // [DEFAULT: true]
-user_pref("privacy.clearSiteData.historyFormDataAndDownloads", true);
+user_pref("privacy.cpd.formdata", true); // [DEFAULT: true]
-   // user_pref("privacy.clearSiteData.siteSettings", false);
+user_pref("privacy.cpd.history", true);  // [DEFAULT: true]
-/* 2821: set manual "Clear Data" items [FF136+] ***/
+user_pref("privacy.cpd.sessions", true); // [DEFAULT: true]
-user_pref("privacy.clearSiteData.browsingHistoryAndDownloads", true);
+user_pref("privacy.cpd.offlineApps", false); // [DEFAULT: false]
-user_pref("privacy.clearSiteData.formdata", true);
+user_pref("privacy.cpd.cookies", false);
-
+   // user_pref("privacy.cpd.downloads", true); // not used, see note above
-/** SANITIZE HISTORY: IGNORES "ALLOW" SITE EXCEPTIONS ***/
+   // user_pref("privacy.cpd.openWindows", false); // Session Restore
-/* 2830: set manual "Clear History" items, also via Ctrl-Shift-Del [SETUP-CHROME] [FF128+]
+   // user_pref("privacy.cpd.passwords", false);
- * Firefox remembers your last choices. This will reset them when you start Firefox
+   // user_pref("privacy.cpd.siteSettings", false);
- * [SETTING] Privacy & Security>History>Custom Settings>Clear History ***/
+/* 2822: reset default "Time range to clear" for "Clear Recent History" (2820)
 user_pref("privacy.clearHistory.cache", true); // [DEFAULT: true]
 user_pref("privacy.clearHistory.cookiesAndStorage", false);
 user_pref("privacy.clearHistory.historyFormDataAndDownloads", true); // [DEFAULT: true]
   // user_pref("privacy.clearHistory.siteSettings", false); // [DEFAULT: false]
 /* 2831: set manual "Clear History" items [FF136+] ***/
 user_pref("privacy.clearHistory.browsingHistoryAndDownloads", true); // [DEFAULT: true]
 user_pref("privacy.clearHistory.formdata", true);
 /** SANITIZE MANUAL: TIMERANGE ***/
 /* 2840: set "Time range to clear" for "Clear Data" (2820+) and "Clear History" (2830+)
 * Firefox remembers your last choice. This will reset the value when you start Firefox
 * 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
 * [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
 * which will display a blank value, and are not guaranteed to work ***/
 user_pref("privacy.sanitize.timeSpan", 0);
-/*** [SECTION 4000]: FPP (fingerprintingProtection)
+/*** [SECTION 4500]: RFP (resistFingerprinting)
-   RFP (4501) overrides FPP
+   RFP covers a wide range of ongoing fingerprinting solutions.
-
+   It is an all-or-nothing buy in: you cannot pick and choose what parts you want
-   In FF118+ FPP is on by default in private windows (4001) and in FF119+ is controlled
+   [TEST] https://arkenfox.github.io/TZP/tzp.html
   by ETP (2701). FPP will also use Remote Services in future to relax FPP protections
   on a per site basis for compatibility (4004).
   https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargetsDefault.inc
   [NOTE] RFPTargets + granular overrides are somewhat experimental and may produce unexpected results
   - e.g. FrameRate can only be controlled per process, not per origin
   1826408 - restrict fonts to system (kBaseFonts + kLangPackFonts) (Windows, Mac, some Linux)
      https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
   1858181 - subtly randomize canvas per eTLD+1, per session and per window-mode (FF120+)
 ***/
 user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!");
 /* 4001: enable FPP in PB mode [FF114+]
 * [NOTE] In FF119+, FPP for all modes (7016) is enabled with ETP Strict (2701) ***/
   // user_pref("privacy.fingerprintingProtection.pbmode", true); // [DEFAULT: true]
 /* 4002: set global FPP overrides [FF114+]
 * uses "RFPTargets" [1] which despite the name these are not used by RFP
 * e.g. "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC" = all targets but allow prefers-color-scheme and do not change timezone
 * e.g. "-AllTargets,+CanvasRandomization,+JSDateTimeUTC" = no targets but do use FPP canvas and change timezone
 * [NOTE] Not supported by arkenfox. Either use RFP or FPP at defaults
 * [1] https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc ***/
   // user_pref("privacy.fingerprintingProtection.overrides", "");
 /* 4003: set granular FPP overrides
 * JSON format: e.g."[{\"firstPartyDomain\": \"netflix.com\", \"overrides\": \"-CanvasRandomization,-FrameRate,\"}]"
 * [NOTE] Not supported by arkenfox. Either use RFP or FPP at defaults ***/
   // user_pref("privacy.fingerprintingProtection.granularOverrides", "");
 /* 4004: disable remote FPP overrides [FF127+] ***/
   // user_pref("privacy.fingerprintingProtection.remoteOverrides.enabled", false);
 /*** [SECTION 4500]: OPTIONAL RFP (resistFingerprinting)
   RFP overrides FPP (4000)
   FF128+ Arkenfox by default uses FPP (automatically enabled with ETP Strict). For most people
   this is all you need. To use RFP instead, add RFP (4501) to your overrides, and optionally
   add letterboxing (4504), spoof_english (4506), and webgl (4520).
   RFP is an all-or-nothing buy in: you cannot pick and choose what parts you want
   [WARNING] DO NOT USE extensions to alter RFP protected metrics
    418986 - limit window.screen & CSS media queries (FF41)
   1281949 - spoof screen orientation (FF50)
   1330890 - spoof timezone as UTC0 (FF55)
   1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
 FF56
   1333651 - spoof User Agent & Navigator API
-      JS: spoofed as Windows 10, OS 10.15, Android 10, or Linux
+      version: android version spoofed as ESR (FF119 or lower)
-      HTTP Header: spoofed as Windows 10 or Android 10.15 until FF136 then matches JS spoof
+      OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
   1369319 - disable device sensor API
   1369357 - disable site specific zoom
   1337161 - hide gamepads from content
@ -746,14 +715,14 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!");
   1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
      Spoof: enumerate devices as one "Internal Camera" and one "Internal Microphone"
      Block: suppresses the ondevicechange event
-   1039069 - warn when language prefs are not set to "en*" (FF59)
+   1039069 - warn when language prefs are not set to "en*" (also see 0210, 0211) (FF59)
   1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59)
      Spoofing mimics the content language of the document. Currently it only supports en-US.
      Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
   1337157 - disable WebGL debug renderer info (FF60)
   1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62)
   1479239 - return "no-preference" with prefers-reduced-motion (FF63)
-   1363508 & 1826051 - spoof/suppress Pointer Events (FF64, FF132)
+   1363508 - spoof/suppress Pointer Events (FF64)
   1492766 - spoof pointerEvent.pointerid (FF65)
   1485266 - disable exposure of system colors to CSS or canvas (FF67)
   1494034 - return "light" with prefers-color-scheme (FF67)
@ -769,24 +738,16 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!");
   1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102)
   1422237 - return "srgb" with color-gamut (FF110)
   1794628 - return "none" with inverted-colors (FF114)
   1787790 - normalize system fonts (FF128)
   1835987 - spoof timezone as Atlantic/Reykjavik (previously FF55+ was UTC) (FF128)
   1834307 - always use smooth scrolling (FF132)
   1918202 - spoof screen orientation based on spoofed screen size and platform (FF132)
      previously it always returned landscape-primary and an angle of 0 (FF50+)
   1390465 - load all subtitles in WebVTT (Video Text Tracks) (FF133)
   1873382 - make spoofed devicePixelRatio and CSS media queries match (FF133)
      previously FF41+ devicePixelRatio was hardcoded as 1 and FF127+ as 2
      previously FF41+ CSS media queries were spoofed as zoom level at a devicePixelRatio of 1
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable RFP
 * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a canvas site exception via the urlbar
 * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
 * [NOTE] pbmode applies if true and the original pref is false
- * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a canvas site exception via the urlbar.
+ * [1] https://bugzilla.mozilla.org/418986 ***/
- * RFP also has a few side effects: mainly that timezone is GMT, and websites will prefer light theme ***/
+user_pref("privacy.resistFingerprinting", true); // [FF41+]
   // user_pref("privacy.resistFingerprinting", true); // [FF41+]
   // user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
-/* 4502: set RFP new window size max rounded values [FF55+]
+/* 4502: set new window size rounding max values [FF55+]
 * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
 * [1] https://bugzilla.mozilla.org/1330882 ***/
 user_pref("privacy.window.maxInnerWidth", 1600);
@ -795,7 +756,7 @@ user_pref("privacy.window.maxInnerHeight", 900);
 * [NOTE] To allow extensions to work on AMO, you also need 2662
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
 user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
-/* 4504: enable letterboxing [FF67+]
+/* 4504: enable RFP letterboxing [FF67+]
 * Dynamically resizes the inner window by applying margins in stepped ranges [2]
 * If you use the dimension pref, then it will only apply those resolutions.
 * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000")
@ -803,36 +764,36 @@ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
 * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable
 * [WARNING] DO NOT USE: the dimension pref is only meant for testing
 * [1] https://bugzilla.mozilla.org/1407366
- * [2] https://hg.mozilla.org/mozilla-central/rev/7211cb4f58ff#l5.13 ***/
+ * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
-   // user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
+user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
   // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
-/* 4505: disable RFP by domain [FF91+]
+/* 4505: experimental RFP [FF91+]
- * [NOTE] Working examples: "arkenfox.github.io", "*github.io"
+ * [WARNING] DO NOT USE unless testing, see [1] comment 12
- * Non-working examples: "https://arkenfox.github.io", "github.io", "*arkenfox.github.io" ***/
+ * [1] https://bugzilla.mozilla.org/1635603 ***/
   // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");
 /* 4506: disable RFP spoof english prompt [FF59+]
 * 0=prompt, 1=disabled, 2=enabled
 * [NOTE] When changing from value 2, preferred languages ('intl.accept_languages') is not reset.
 * [SETUP-WEB] when enabled, sets 'en-US, en' for displaying pages and 'en-US' as locale.
 * [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... ***/
 user_pref("privacy.spoof_english", 1);
 /* 4510: disable using system colors
 * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
 user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS]
-/* 4511: disable using system accent colors ***/
+/* 4511: enforce non-native widget theme
-user_pref("widget.non-native-theme.use-theme-accent", false); // [DEFAULT: false WINDOWS]
+ * Security: removes/reduces system API calls, e.g. win32k API [1]
 * Fingerprinting: provides a uniform look and feel across platforms [2]
 * [1] https://bugzilla.mozilla.org/1381938
 * [2] https://bugzilla.mozilla.org/1411425 ***/
 user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
 /* 4512: enforce links targeting new windows to open in a new tab instead
 * 1=most recent window or tab, 2=new window, 3=new tab
 * Stops malicious window sizes and some screen resolution leaks.
 * You can still right-click a link and open in a new window
 * [SETTING] General>Tabs>Open links in tabs instead of new windows
 * [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/9881 ***/
 user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
 /* 4513: set all open window methods to abide by "browser.link.open_newwindow" (4512)
 * [1] https://searchfox.org/mozilla-central/source/dom/tests/browser/browser_test_new_window_from_content.js ***/
 user_pref("browser.link.open_newwindow.restriction", 0);
-/* 4520: disable WebGL (Web Graphics Library) ***/
+/* 4520: disable WebGL (Web Graphics Library)
-   // user_pref("webgl.disabled", true);
+ * [SETUP-WEB] If you need it then override it. RFP still randomizes canvas for naive scripts ***/
 user_pref("webgl.disabled", true);
 /*** [SECTION 5000]: OPTIONAL OPSEC
   Disk avoidance, application data isolation, eyeballs...
@ -881,7 +842,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
 * [1] https://bugzilla.mozilla.org/1281959 ***/
   // user_pref("browser.download.forbid_open_with", true);
 /* 5010: disable location bar suggestion types
- * [SETTING] Search>Address Bar>When using the address bar, suggest ***/
+ * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
   // user_pref("browser.urlbar.suggest.history", false);
   // user_pref("browser.urlbar.suggest.bookmark", false);
   // user_pref("browser.urlbar.suggest.openpage", false);
@ -893,7 +854,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
 * [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
   // user_pref("browser.urlbar.autoFill", false);
 /* 5013: disable browsing and download history
- * [NOTE] We also clear history and downloads on exit (2811+)
+ * [NOTE] We also clear history and downloads on exit (2811)
 * [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
   // user_pref("places.history.enabled", false);
 /* 5014: disable Windows jumplist [WINDOWS] ***/
@ -945,7 +906,7 @@ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
 * [2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
 * [3] https://rh0dev.github.io/blog/2017/the-return-of-the-jit/ ***/
   // user_pref("javascript.options.asmjs", false);
-/* 5505: disable Ion and baseline JIT to harden against JS exploits [RESTART]
+/* 5505: disable Ion and baseline JIT to harden against JS exploits
 * [NOTE] When both Ion and JIT are disabled, and trustedprincipals
 * is enabled, then Ion can still be used by extensions (1599226)
 * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
@ -974,8 +935,8 @@ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
 /* 5509: disable IPv6 if using a VPN
 * This is an application level fallback. Disabling IPv6 is best done at an OS/network
 * level, and/or configured properly in system wide VPN setups.
 * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
 * [SETUP-WEB] PR_CONNECT_RESET_ERROR
 * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
 * [TEST] https://ipleak.org/
 * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
   // user_pref("network.dns.disableIPv6", true);
@ -1018,20 +979,13 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
 /* 6012: enforce Quarantined Domains [FF115+]
 * [WHY] https://support.mozilla.org/kb/quarantined-domains */
 user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
-/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF128+ ***/
+/* 6050: prefsCleaner: previously active items removed from arkenfox 115-127 ***/
-   // user_pref("privacy.clearOnShutdown.cache", "");
+   // user_pref("accessibility.force_disabled", "");
-   // user_pref("privacy.clearOnShutdown.cookies", "");
+   // user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", "");
-   // user_pref("privacy.clearOnShutdown.downloads", "");
+   // user_pref("network.protocol-handler.external.ms-windows-store", "");
-   // user_pref("privacy.clearOnShutdown.formdata", "");
+   // user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", "");
-   // user_pref("privacy.clearOnShutdown.history", "");
+   // user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", "");
-   // user_pref("privacy.clearOnShutdown.offlineApps", "");
+   // user_pref("privacy.partition.serviceWorkers", "");
   // user_pref("privacy.clearOnShutdown.sessions", "");
   // user_pref("privacy.cpd.cache", "");
   // user_pref("privacy.cpd.cookies", "");
   // user_pref("privacy.cpd.formdata", "");
   // user_pref("privacy.cpd.history", "");
   // user_pref("privacy.cpd.offlineApps", "");
   // user_pref("privacy.cpd.sessions", "");
 /*** [SECTION 7000]: DON'T BOTHER ***/
 user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
@ -1072,6 +1026,10 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 * [WHY] Passive fingerprinting and perf costs. These are session-only
 * and isolated with network partitioning (FF85+) and/or containers ***/
   // user_pref("security.ssl.disable_session_identifiers", true);
 /* 7006: onions
 * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/
   // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006
   // user_pref("network.http.referer.hideOnionSource", true); // 1305144
 /* 7007: referers
 * [WHY] Only cross-origin referers (1602, 5510) matter ***/
   // user_pref("network.http.sendRefererHeader", 2);
@ -1108,12 +1066,10 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 * [NOTE] FPP (fingerprintingProtection) is ignored when RFP (4501) is enabled
 * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
   // user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5]
-   // user_pref("network.cookie.cookieBehavior.optInPartitioning", true); // [ETP FF132+]
+   // user_pref("privacy.fingerprintingProtection", true); // [FF114+] [ETP FF119+]
   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
-   // user_pref("privacy.bounceTrackingProtection.mode", 1); // [FF131+] [ETP FF133+]
+   // user_pref("privacy.partition.network_state.ocsp_cache", true);
   // user_pref("privacy.fingerprintingProtection", true); // [FF114+] [ETP FF119+]
   // user_pref("privacy.partition.network_state.ocsp_cache", true); // [DEFAULT: true]
   // user_pref("privacy.query_stripping.enabled", true); // [FF101+]
   // user_pref("privacy.trackingprotection.enabled", true);
   // user_pref("privacy.trackingprotection.socialtracking.enabled", true);
@ -1127,7 +1083,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
   // user_pref("dom.webnotifications.enabled", false);
 /* 7019: disable Push Notifications [FF44+]
- * [WHY] Website "push" requires subscription, and the API is required for CRLite (1224)
+ * [WHY] Push requires subscription
 * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
 * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
   // user_pref("dom.push.enabled", false);
@ -1138,10 +1094,6 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
 * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
   // user_pref("media.peerconnection.enabled", false);
 /* 7021: enable GPC (Global Privacy Control) in non-PB windows
 * [WHY] Passive and active fingerprinting. Mostly redundant with Tracking Protection
 * in ETP Strict (2701) and sanitizing on close (2800s) ***/
   // user_pref("privacy.globalprivacycontrol.enabled", true);
 /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
   [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
@ -1172,58 +1124,6 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan
   // user_pref("ui.use_standins_for_native_colors", "");
   // user_pref("webgl.enable-debug-renderer-info", "");
 /*** [SECTION 8500]: TELEMETRY
   Arkenfox does not consider Firefox telemetry to be a privacy or security concern - comments below.
   But since most arkenfox users prefer it disabled, we'll do that rather than cause overrides.
   Opt-out
   - Telemetry is essential: a browser engine is a _very_ large complex beast costing billions to maintain
   - Opt-in telemetry _does not_ work and results in data that is unrepresentative and may be misleading
   Choice
   - Every new profile on first use provides data collection/use policy and the abillty to opt-out
   - It can be disabled at any time (Settings>Privacy & Security>Data Collection and Use) 
   Data
   - no PII (Personally Identifiable Information)
   - can be viewed in about:telemetry
   - uses Prio [1][2][3], Glean [4], Oblivious HTTP [5][6]
   [1] https://crypto.stanford.edu/prio/
   [2] https://hacks.mozilla.org/2018/10/testing-privacy-preserving-telemetry-with-prio/
   [3] https://blog.mozilla.org/security/2019/06/06/next-steps-in-privacy-preserving-telemetry-with-prio/
   [4] https://firefox-source-docs.mozilla.org/toolkit/components/glean/index.html
   [5] https://firefox-source-docs.mozilla.org/toolkit/components/glean/user/ohttp.html
   [6] https://blog.mozilla.org/en/tag/oblivious-http/
 ***/
 user_pref("_user.js.parrot", "8500 syntax error: the parrot's off the twig!");
 /* 8500: disable new data submission [FF41+]
 * If disabled, no policy is shown or upload takes place, ever
 * [1] https://bugzilla.mozilla.org/1195552 ***/
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
 /* 8501: disable Health Reports
 * [SETTING] Privacy & Security>Firefox Data Collection and Use>Send technical... data ***/
 user_pref("datareporting.healthreport.uploadEnabled", false);
 /* 0802: disable telemetry
 * The "unified" pref affects the behavior of the "enabled" pref
 * - If "unified" is false then "enabled" controls the telemetry module
 * - If "unified" is true then "enabled" only controls whether to record extended data
 * [NOTE] "toolkit.telemetry.enabled" is now LOCKED to reflect prerelease (true) or release builds (false) [2]
 * [1] https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/telemetry/internals/preferences.html
 * [2] https://medium.com/georg-fritzsche/data-preference-changes-in-firefox-58-2d5df9c428b5 ***/
 user_pref("toolkit.telemetry.unified", false);
 user_pref("toolkit.telemetry.enabled", false); // see [NOTE]
 user_pref("toolkit.telemetry.server", "data:,");
 user_pref("toolkit.telemetry.archive.enabled", false);
 user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
 user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
 user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
 user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
 user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
 /* 8503: disable Telemetry Coverage
 * [1] https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/ ***/
 user_pref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN PREF]
 user_pref("toolkit.coverage.opt-out", true); // [FF64+] [HIDDEN PREF]
 user_pref("toolkit.coverage.endpoint.base", "");
 /*** [SECTION 9000]: NON-PROJECT RELATED ***/
 user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!");
 /* 9001: disable welcome notices ***/
@ -1231,18 +1131,60 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // [HIDDEN PREF
 /* 9002: disable General>Browsing>Recommend extensions/features as you browse [FF67+] ***/
 user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 /* 9003: disable What's New toolbar icon [FF69+] ***/
 user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
 /* 9004: disable search terms [FF110+]
 * [SETTING] Search>Search Bar>Use the address bar for search and navigation>Show search terms instead of URL... ***/
 user_pref("browser.urlbar.showSearchTerms.enabled", false);
 /*** [SECTION 9999]: DEPRECATED / RENAMED ***/
 user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
-/* ESR128.x still uses all the following prefs
+/* ESR115.x still uses all the following prefs
 // [NOTE] replace the * with a slash in the line above to re-enable active ones
-// FF132
+// FF116
-/* 2617: remove webchannel whitelist
+// 4506: set RFP's font visibility level (1402) [FF94+]
-   // [-] https://bugzilla.mozilla.org/1275612
+   // [-] https://bugzilla.mozilla.org/1838415
-   // user_pref("webchannel.allowObject.urlWhitelist", "");
+   // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
 // FF117
 // 1221: disable Windows Microsoft Family Safety cert [FF50+] [WINDOWS]
   // 0=disable detecting Family Safety mode and importing the root
   // 1=only attempt to detect Family Safety mode (don't import the root)
   // 2=detect Family Safety mode and import the root
   // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686
   // [-] https://bugzilla.mozilla.org/1844908
 user_pref("security.family_safety.mode", 0);
 // 7018: disable service worker Web Notifications [FF44+]
   // [WHY] Web Notifications are behind a prompt (7002)
   // [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/
   // [-] https://bugzilla.mozilla.org/1842457
   // user_pref("dom.webnotifications.serviceworker.enabled", false);
 // FF118
 // 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
   // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
   // In normal windows: uses the first applicable: RFP over TP over Standard
   // In Private Browsing windows: uses the most restrictive between normal and private
   // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
   // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
   // [-] https://bugzilla.mozilla.org/1847599
   // user_pref("layout.css.font-visibility.private", 1);
   // user_pref("layout.css.font-visibility.standard", 1);
   // user_pref("layout.css.font-visibility.trackingprotection", 1);
 // 2623: disable permissions delegation [FF73+]
   // Currently applies to cross-origin geolocation, camera, mic and screen-sharing
   // permissions, and fullscreen requests. Disabling delegation means any prompts
   // for these will show/use their correct 3rd party origin
   // [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
   // [-] https://bugzilla.mozilla.org/1697151
   // user_pref("permissions.delegation.enabled", false);
 // FF119
 // 0211: use en-US locale regardless of the system or region locale
   // [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
   // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630
   // [-] https://bugzilla.mozilla.org/1846224
   // user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
 // 0711: disable skipping DoH when parental controls are enabled [FF70+]
   // [-] https://bugzilla.mozilla.org/1586941
 user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 // ***/
 /* END: internal custom pref to test for syntax errors ***/