commit 0a67cdec8bac0d2172a2ffbf92af4e093c8e8275
parent b85668c2cd4a24caac21329033c3b6652fb17321
Author: Thorin-Oakenpants <Thorin-Oakenpants@users.noreply.github.com>
Date: Tue, 11 Dec 2018 07:18:26 +1300
#578 cleanups (#576)
- cleanup of tags placement, order consistency, and to use square brackets (allows usage elsewhere to not get tagged, eg 1402)
- other bits and bobs
Diffstat:
| M | user.js | | | 518 | ++++++++++++++++++++++++++++++++++++++++--------------------------------------- |
1 file changed, 262 insertions(+), 256 deletions(-)
diff --git a/user.js b/user.js
@@ -112,7 +112,7 @@ user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [SETTI
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false); // [SETTING]
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
-/* 0105d: disable AS recent Highlights in the Library (FF57+) ***/
+/* 0105d: disable AS recent Highlights in the Library [FF57+] ***/
// user_pref("browser.library.activity-stream.enabled", false);
/* 0110: start Firefox in PB (Private Browsing) mode
* [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed
@@ -131,20 +131,21 @@ user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely decease
/* 0201: disable Location-Aware Browsing
* [1] https://www.mozilla.org/firefox/geolocation/ ***/
// user_pref("geo.enabled", false);
-/* 0201b: set a default permission for Location (FF58+)
+/* 0201b: set a default permission for Location [FF58+]
+ * 0=always ask (default), 1=allow, 2=block
* [NOTE] best left at default "always ask", fingerprintable via Permissions API
* [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
- // user_pref("permissions.default.geo", 2); // 0=always ask (default), 1=allow, 2=block
+ // user_pref("permissions.default.geo", 2);
/* 0202: disable GeoIP-based search results
* [NOTE] May not be hidden if Firefox has changed your settings due to your locale
* [1] https://trac.torproject.org/projects/tor/ticket/16254
* [2] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_geolocation-for-default-search-engine ***/
-user_pref("browser.search.region", "US"); // (hidden pref)
+user_pref("browser.search.region", "US"); // [HIDDEN PREF]
user_pref("browser.search.geoip.url", "");
-/* 0205: set OS & APP locale (FF59+)
+/* 0205: set OS & APP locale [FF59+]
* If set to empty, the OS locales are used. If not set at all, default locale is used ***/
-user_pref("intl.locale.requested", "en-US"); // (hidden pref)
+user_pref("intl.locale.requested", "en-US"); // [HIDDEN PREF]
/* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
* i.e. ignore all of Mozilla's various search engines in multiple locales ***/
user_pref("browser.search.geoSpecificDefaults", false);
@@ -153,14 +154,14 @@ user_pref("browser.search.geoSpecificDefaults.url", "");
user_pref("intl.accept_languages", "en-US, en");
/* 0208: enforce US English locale regardless of the system locale
* [1] https://bugzilla.mozilla.org/867501 ***/
-user_pref("javascript.use_us_english_locale", true); // (hidden pref)
-/* 0209: use APP locale over OS locale in regional preferences (FF56+)
+user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
+/* 0209: use APP locale over OS locale in regional preferences [FF56+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1379420,1364789 ***/
user_pref("intl.regional_prefs.use_os_locales", false);
/* 0210: use Mozilla geolocation service instead of Google when geolocation is enabled
* Optionally enable logging to the console (defaults to false) ***/
user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
- // user_pref("geo.wifi.logging.enabled", true); // (hidden pref)
+ // user_pref("geo.wifi.logging.enabled", true); // [HIDDEN PREF]
/*** [SECTION 0300]: QUIET FOX
We choose to not disable auto-CHECKs (0301's) but to disable auto-INSTALLs (0302's).
@@ -198,7 +199,7 @@ user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
/* 0310: disable sending the URL of the website where a plugin crashed ***/
user_pref("dom.ipc.plugins.reportCrashURL", false);
/* 0320: disable about:addons' Get Add-ons panel (uses Google-Analytics) ***/
-user_pref("extensions.getAddons.showPane", false); // hidden pref
+user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
user_pref("extensions.webservice.discoverURL", "");
/* 0330: disable telemetry
* the pref (.unified) affects the behaviour of the pref (.enabled)
@@ -214,29 +215,29 @@ user_pref("toolkit.telemetry.enabled", false); // see [NOTE] above FF58+
user_pref("toolkit.telemetry.server", "data:,");
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("toolkit.telemetry.cachedClientID", "");
-user_pref("toolkit.telemetry.newProfilePing.enabled", false); // (FF55+)
-user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // (FF55+)
-user_pref("toolkit.telemetry.updatePing.enabled", false); // (FF56+)
-user_pref("toolkit.telemetry.bhrPing.enabled", false); // (FF57+) Background Hang Reporter
-user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // (FF57+)
-user_pref("toolkit.telemetry.hybridContent.enabled", false); // (FF59+)
+user_pref("toolkit.telemetry.newProfilePing.enabled", false); // [FF55+]
+user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // [FF55+]
+user_pref("toolkit.telemetry.updatePing.enabled", false); // [FF56+]
+user_pref("toolkit.telemetry.bhrPing.enabled", false); // [FF57+] Background Hang Reporter
+user_pref("toolkit.telemetry.firstShutdownPing.enabled", false); // [FF57+]
+user_pref("toolkit.telemetry.hybridContent.enabled", false); // [FF59+]
/* 0333: disable health report
* [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical... data ***/
user_pref("datareporting.healthreport.uploadEnabled", false);
-/* 0334: disable new data submission, master kill switch (FF41+)
+/* 0334: disable new data submission, master kill switch [FF41+]
* If disabled, no policy is shown or upload takes place, ever
* [1] https://bugzilla.mozilla.org/1195552 ***/
user_pref("datareporting.policy.dataSubmissionEnabled", false);
/* 0350: disable crash reports ***/
user_pref("breakpad.reportURL", "");
-/* 0351: disable sending of crash reports (FF44+) ***/
-user_pref("browser.tabs.crashReporting.sendReport", false);
-user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)
-user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // (FF58+)
+/* 0351: disable sending of crash reports ***/
+user_pref("browser.tabs.crashReporting.sendReport", false); // [FF44+]
+user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // [FF51+]
+user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [FF58+]
/* 0370: disable "Snippets" (Mozilla content shown on about:home screen)
* [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/
user_pref("browser.aboutHomeSnippets.updateUrl", "data:,");
-/* 0380: disable Browser Error Reporter (FF60+)
+/* 0380: disable Browser Error Reporter [FF60+]
* [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
* [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html ***/
user_pref("browser.chrome.errorReporter.enabled", false);
@@ -258,7 +259,7 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
* [NOTE] It includes updates for "revoked certificates"
* [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
* [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/
-user_pref("extensions.blocklist.enabled", true); // default: true
+user_pref("extensions.blocklist.enabled", true); // [DEFAULT: true]
user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
/* 0403: disable individual unwanted/unneeded parts of the Kinto blocklists
* What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
@@ -279,40 +280,43 @@ user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozi
SB v4 (FF57+) doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
#Required reading [#] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
[1] https://wiki.mozilla.org/Security/Safe_Browsing ***/
-/* 0410: disable "Block dangerous and deceptive content" (under Options>Privacy & Security)
- * This covers deceptive sites such as phishing and social engineering ***/
+/* 0410: disable "Block dangerous and deceptive content"
+ * This covers deceptive sites such as phishing and social engineering
+ * [SETTING] Privacy & Security>Security>Deceptive Content and Software Protection ***/
// user_pref("browser.safebrowsing.malware.enabled", false);
- // user_pref("browser.safebrowsing.phishing.enabled", false); // (FF50+)
-/* 0411: disable "Block dangerous downloads" (under Options>Privacy & Security)
- * This covers malware and PUPs (potentially unwanted programs) ***/
+ // user_pref("browser.safebrowsing.phishing.enabled", false); // [FF50+]
+/* 0411: disable "Block dangerous downloads"
+ * This covers malware and PUPs (potentially unwanted programs)
+ * [SETTING] Privacy & Security>Security>Deceptive Content and Software Protection ***/
// user_pref("browser.safebrowsing.downloads.enabled", false);
-/* 0412: disable "Warn me about unwanted and uncommon software" (under Options>Privacy & Security) (FF48+) ***/
- // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
- // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
- // user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false); // (FF49+)
- // user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); // (FF49+)
+/* 0412: disable "Warn me about unwanted and uncommon software"
+ * [SETTING] Privacy & Security>Security>Deceptive Content and Software Protection ***/
+ // user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false); // [FF48+]
+ // user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false); // [FF48+]
+ // user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false); // [FF49+]
+ // user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false); // [FF49+]
/* 0413: disable Google safebrowsing updates ***/
// user_pref("browser.safebrowsing.provider.google.updateURL", "");
// user_pref("browser.safebrowsing.provider.google.gethashURL", "");
- // user_pref("browser.safebrowsing.provider.google4.updateURL", ""); // (FF50+)
- // user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); // (FF50+)
+ // user_pref("browser.safebrowsing.provider.google4.updateURL", ""); // [FF50+]
+ // user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); // [FF50+]
/* 0414: disable binaries NOT in local lists being checked by Google (real-time checking) ***/
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
/* 0415: disable reporting URLs ***/
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
-user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // (FF50+)
-user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); // (FF54+)
-user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); // (FF54+)
-user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); // (FF54+)
-user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); // (FF54+)
-/* 0416: disable 'ignore this warning' on Safe Browsing warnings which when clicked
- * bypasses the block for that session. This is a means for admins to enforce SB
+user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // [FF50+]
+user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); // [FF54+]
+user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); // [FF54+]
+user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); // [FF54+]
+user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); // [FF54+]
+/* 0416: disable 'ignore this warning' on Safe Browsing warnings
+ * If clicked, it bypasses the block for that session. This is a means for admins to enforce SB
* [TEST] see github wiki APPENDIX A: Test Sites: Section 5
* [1] https://bugzilla.mozilla.org/1226490 ***/
// user_pref("browser.safebrowsing.allowOverride", false);
-/* 0417: disable data sharing (FF58+) ***/
+/* 0417: disable data sharing [FF58+] ***/
user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
@@ -323,28 +327,28 @@ user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
* [NOTE] TP sends DNT headers regardless of the DNT pref (see 1610)
* [1] https://wiki.mozilla.org/Security/Tracking_protection
* [2] https://support.mozilla.org/kb/tracking-protection-firefox ***/
- // user_pref("privacy.trackingprotection.pbmode.enabled", true); // default: true
+ // user_pref("privacy.trackingprotection.pbmode.enabled", true); // [DEFAULT: true]
// user_pref("privacy.trackingprotection.enabled", true);
/* 0422: set which Tracking Protection block list to use
* [WARNING] We don't recommend enforcing this from here, as available block lists can change
* [SETTING] Privacy & Security>Content Blocking>All Detected Trackers>Change block list ***/
// user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256"); // basic
-/* 0423: disable Mozilla's blocklist for known Flash tracking/fingerprinting (FF48+)
+/* 0423: disable Mozilla's blocklist for known Flash tracking/fingerprinting [FF48+]
* [1] https://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
* [2] https://bugzilla.mozilla.org/1237198 ***/
// user_pref("browser.safebrowsing.blockedURIs.enabled", false);
/* 0424: disable Mozilla's tracking protection and Flash blocklist updates ***/
// user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
// user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
-/* 0425: disable passive Tracking Protection (FF53+)
+/* 0425: disable passive Tracking Protection [FF53+]
* Passive TP annotates channels to lower the priority of network loads for resources on the tracking protection list
* [NOTE] It has no effect if TP is enabled, but keep in mind that by default TP is only enabled in Private Windows
* This is included for people who want to completely disable Tracking Protection.
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1170190,1141814 ***/
// user_pref("privacy.trackingprotection.annotate_channels", false);
// user_pref("privacy.trackingprotection.lower_network_priority", false);
-/* 0426: enforce Content Blocking (required to block cookies) (FF63+) ***/
-user_pref("browser.contentblocking.enabled", true); // default: true
+/* 0426: enforce Content Blocking (required to block cookies) [FF63+] ***/
+user_pref("browser.contentblocking.enabled", true); // [DEFAULT: true]
/*** [SECTION 0500]: SYSTEM ADD-ONS / EXPERIMENTS
System Add-ons are a method for shipping extensions, considered to be
@@ -365,7 +369,7 @@ user_pref("browser.contentblocking.enabled", true); // default: true
user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");
/* 0502: disable Mozilla permission to silently opt you into tests ***/
user_pref("network.allow-experiments", false);
-/* 0503: disable Normandy/Shield (FF60+)
+/* 0503: disable Normandy/Shield [FF60+]
* Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
* [1] https://wiki.mozilla.org/Firefox/Shield
* [2] https://github.com/mozilla/normandy ***/
@@ -374,23 +378,23 @@ user_pref("app.normandy.api_url", "");
user_pref("app.shield.optoutstudies.enabled", false);
/* 0505: disable System Add-on updates
* [NOTE] In FF61 and lower, you will not get any System Add-on updates except when you update Firefox ***/
- // user_pref("extensions.systemAddon.update.enabled", false); // (FF62+)
+ // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
// user_pref("extensions.systemAddon.update.url", "");
-/* 0506: disable PingCentre telemetry (used in several System Add-ons) (FF57+)
+/* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
* Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0333) ***/
user_pref("browser.ping-centre.telemetry", false);
-/* 0510: disable Pocket (FF39+)
+/* 0510: disable Pocket [FF46+]
* Pocket is a third party (now owned by Mozilla) "save for later" cloud service
* [1] https://en.wikipedia.org/wiki/Pocket_(application)
* [2] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/
user_pref("extensions.pocket.enabled", false);
-/* 0515: disable Screenshots (FF55+)
+/* 0515: disable Screenshots
* alternatively in FF60+, disable uploading to the Screenshots server
* [1] https://github.com/mozilla-services/screenshots
* [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/
- // user_pref("extensions.screenshots.disabled", true);
- // user_pref("extensions.screenshots.upload-disabled", true); // (FF60+)
-/* 0516: disable Onboarding (FF55+)
+ // user_pref("extensions.screenshots.disabled", true); // [FF55+]
+ // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+]
+/* 0516: disable Onboarding [FF55+]
* Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
* about:home or about:newtab is opened, the onboarding overlay is injected into that page
* [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
@@ -398,17 +402,17 @@ user_pref("extensions.pocket.enabled", false);
* [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
* [3] https://bugzilla.mozilla.org/863246#c154 ***/
user_pref("browser.onboarding.enabled", false);
-/* 0517: disable Form Autofill (FF55+)
+/* 0517: disable Form Autofill
* [NOTE] Stored data is NOT secure (uses a JSON file)
* [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
* [SETTING] Privacy & Security>Forms & Passwords>Autofill addresses
* [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
* [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/
-user_pref("extensions.formautofill.addresses.enabled", false);
-user_pref("extensions.formautofill.available", "off"); // (FF56+)
-user_pref("extensions.formautofill.creditCards.enabled", false); // (FF56+)
-user_pref("extensions.formautofill.heuristics.enabled", false);
-/* 0518: disable Web Compatibility Reporter (FF56+)
+user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
+user_pref("extensions.formautofill.available", "off"); // [FF56+]
+user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
+user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
+/* 0518: disable Web Compatibility Reporter [FF56+]
* Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
user_pref("extensions.webcompat-reporter.enabled", false);
@@ -421,7 +425,7 @@ user_pref("network.prefetch-next", false);
* [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
* [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
user_pref("network.dns.disablePrefetch", true);
-user_pref("network.dns.disablePrefetchFromHTTPS", true); // (hidden pref)
+user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF]
/* 0603a: disable Seer/Necko
* [1] https://developer.mozilla.org/docs/Mozilla/Projects/Necko ***/
user_pref("network.predictor.enabled", false);
@@ -430,7 +434,7 @@ user_pref("network.predictor.enabled", false);
* [2] https://wiki.mozilla.org/Necko/CaptivePortal
* [3] https://trac.torproject.org/projects/tor/ticket/21790 ***/
user_pref("captivedetect.canonicalURL", "");
-user_pref("network.captive-portal-service.enabled", false); // (FF52+)
+user_pref("network.captive-portal-service.enabled", false); // [FF52+]
/* 0605: disable link-mouseover opening connection to linked server
* [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
* [2] https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links/ ***/
@@ -443,7 +447,7 @@ user_pref("browser.send_pings.require_same_host", true);
/* 0607: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS]
* [1] https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/ ***/
user_pref("network.protocol-handler.external.ms-windows-store", false);
-/* 0608: disable predictor / prefetching (FF48+) ***/
+/* 0608: disable predictor / prefetching [FF48+] ***/
user_pref("network.predictor.enable-prefetch", false);
/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
@@ -467,7 +471,7 @@ user_pref("network.dns.disableIPv6", true);
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);
user_pref("network.http.spdy.enabled.http2", false);
-/* 0703: disable HTTP Alternative Services (FF37+)
+/* 0703: disable HTTP Alternative Services [FF37+]
* [1] https://tools.ietf.org/html/rfc7838#section-9
* [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
user_pref("network.http.altsvc.enabled", false);
@@ -478,11 +482,11 @@ user_pref("network.http.altsvc.oe", false);
* [1] http://kb.mozillazine.org/Network.proxy.socks_remote_dns
* [2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
user_pref("network.proxy.socks_remote_dns", true);
-/* 0706: remove paths when sending URLs to PAC scripts (FF51+)
+/* 0706: remove paths when sending URLs to PAC scripts [FF51+]
* CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
* [1] https://bugzilla.mozilla.org/1255474 ***/
-user_pref("network.proxy.autoconfig_url.include_path", false); // default: false
-/* 0707: disable (or setup) DNS-over-HTTPS (DoH) (FF60+)
+user_pref("network.proxy.autoconfig_url.include_path", false); // [DEFAULT: false]
+/* 0707: disable (or setup) DNS-over-HTTPS (DoH) [FF60+]
* TRR = Trusted Recursive Resolver
* .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats, but always use native result
* [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare)
@@ -491,12 +495,12 @@ user_pref("network.proxy.autoconfig_url.include_path", false); // default: false
// user_pref("network.trr.mode", 0);
// user_pref("network.trr.bootstrapAddress", "");
// user_pref("network.trr.uri", "");
-/* 0708: disable FTP (FF60+)
+/* 0708: disable FTP [FF60+]
* [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/
// user_pref("network.ftp.enabled", false);
-/* 0709: disable using UNC (Uniform Naming Convention) paths (FF61+)
+/* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
* [1] https://trac.torproject.org/projects/tor/ticket/26424 ***/
-user_pref("network.file.disable_unc_paths", true); // (hidden pref)
+user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
/* 0710: disable GIO as a potential proxy bypass vector
* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
* gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
@@ -504,7 +508,7 @@ user_pref("network.file.disable_unc_paths", true); // (hidden pref)
* [2] https://trac.torproject.org/23044
* [3] https://en.wikipedia.org/wiki/GVfs
* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
-user_pref("network.gio.supported-protocols", ""); // (hidden pref)
+user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [SETUP-CHROME]
If you are in a private environment (no unwanted eyeballs) and your device is private
@@ -515,10 +519,10 @@ user_pref("network.gio.supported-protocols", ""); // (hidden pref)
#Required reading [#] https://xkcd.com/538/
***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
-/* 0801: disable location bar using search - PRIVACY
+/* 0801: disable location bar using search
* don't leak typos to a search engine, give an error message instead ***/
user_pref("keyword.enabled", false);
-/* 0802: disable location bar domain guessing - PRIVACY/SECURITY
+/* 0802: disable location bar domain guessing
* domain guessing intercepts DNS "hostname not found errors" and resends a
* request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
* via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
@@ -526,14 +530,14 @@ user_pref("keyword.enabled", false);
* intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
* and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
user_pref("browser.fixup.alternate.enabled", false);
-/* 0803: display all parts of the url in the location bar - helps SECURITY ***/
+/* 0803: display all parts of the url in the location bar ***/
user_pref("browser.urlbar.trimURLs", false);
-/* 0804: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
+/* 0804: limit history leaks via enumeration (PER TAB: back/forward)
* This is a PER TAB session history. You still have a full history stored under all history
* default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
* use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical ***/
user_pref("browser.sessionhistory.max_entries", 10);
-/* 0805: disable CSS querying page history - CSS history leak - PRIVACY
+/* 0805: disable CSS querying page history - CSS history leak
* [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's
* only in 'certain circumstances', also see latest comments in [2]
* [TEST] http://lcamtuf.coredump.cx/yahh/ (see github wiki APPENDIX C on how to use)
@@ -541,20 +545,20 @@ user_pref("browser.sessionhistory.max_entries", 10);
* [2] https://bugzilla.mozilla.org/147777
* [3] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector ***/
user_pref("layout.css.visited_links_enabled", false);
-/* 0806: disable displaying javascript in history URLs - SECURITY ***/
+/* 0806: disable displaying javascript in history URLs ***/
user_pref("browser.urlbar.filter.javascript", true);
-/* 0807: disable search bar LIVE search suggestions - PRIVACY
+/* 0807: disable search bar LIVE search suggestions
* [SETTING] Search>Provide search suggestions ***/
user_pref("browser.search.suggest.enabled", false);
-/* 0808: disable location bar LIVE search suggestions (requires 0807 = true) - PRIVACY
+/* 0808: disable location bar LIVE search suggestions (requires 0807 = true)
* Also disable the location bar prompt to enable/disable or learn more about it.
* [SETTING] Search>Show search suggestions in address bar results ***/
user_pref("browser.urlbar.suggest.searches", false);
-user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true); // (FF41+)
-/* 0809: disable location bar suggesting "preloaded" top websites (FF54+)
+user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true); // [FF41+]
+/* 0809: disable location bar suggesting "preloaded" top websites [FF54+]
* [1] https://bugzilla.mozilla.org/1211726 ***/
user_pref("browser.urlbar.usepreloadedtopurls.enabled", false);
-/* 0810: disable location bar making speculative connections (FF56+)
+/* 0810: disable location bar making speculative connections [FF56+]
* [1] https://bugzilla.mozilla.org/1348275 ***/
user_pref("browser.urlbar.speculativeConnect.enabled", false);
/* 0850a: disable location bar autocomplete and suggestion types
@@ -578,12 +582,12 @@ user_pref("browser.urlbar.suggest.openpage", false);
/* 0850d: disable location bar autofill
* [1] http://kb.mozillazine.org/Inline_autocomplete ***/
user_pref("browser.urlbar.autoFill", false);
-/* 0850e: disable location bar one-off searches (FF51+)
+/* 0850e: disable location bar one-off searches [FF51+]
* [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
user_pref("browser.urlbar.oneOffSearches", false);
-/* 0850f: disable location bar suggesting local search history (FF57+)
+/* 0850f: disable location bar suggesting local search history [FF57+]
* [1] https://bugzilla.mozilla.org/1181644 ***/
-user_pref("browser.urlbar.maxHistoricalSearchSuggestions", 0); // max. number of search suggestions
+user_pref("browser.urlbar.maxHistoricalSearchSuggestions", 0);
/* 0860: disable search and form history
* [NOTE] You can clear formdata on exiting Firefox (see 2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history ***/
@@ -592,7 +596,7 @@ user_pref("browser.formfill.enable", false);
* [NOTE] You can clear history and downloads on exiting Firefox (see 2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
// user_pref("places.history.enabled", false);
-/* 0864: disable date/time picker (FF57+ default true)
+/* 0864: disable date/time picker
* This can leak your locale if not en-US
* [1] https://trac.torproject.org/projects/tor/ticket/21787 ***/
user_pref("dom.forms.datetime", false);
@@ -615,35 +619,35 @@ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
* [SETTING] Privacy & Security>Forms & Passwords>Use a master password
* [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/
/* 0903: set how often Firefox should ask for the master password
- * 0=the first time (default), 1=every time it's needed, 2=every n minutes (as per the next pref) ***/
+ * 0=the first time (default), 1=every time it's needed, 2=every n minutes (see 0904) ***/
user_pref("security.ask_for_password", 2);
-/* 0904: set how often in minutes Firefox should ask for the master password (see pref above)
+/* 0904: set how often in minutes Firefox should ask for the master password (see 0903)
* in minutes, default is 30 ***/
user_pref("security.password_lifetime", 5);
-/* 0905: disable auto-filling username & password form fields - SECURITY
+/* 0905: disable auto-filling username & password form fields
* can leak in cross-site forms AND be spoofed
* [NOTE] Password will still be auto-filled after a user name is manually entered
* [1] http://kb.mozillazine.org/Signon.autofillForms ***/
user_pref("signon.autofillForms", false);
-/* 0906: disable websites' autocomplete="off" (FF30+)
+/* 0906: disable websites' autocomplete="off" [FF30+]
* Don't let sites dictate use of saved logins and passwords. Increase security through
* stronger password use. The trade-off is the convenience. Some sites should never be
* saved (such as banking sites). Set at true, informed users can make their own choice. ***/
-user_pref("signon.storeWhenAutocompleteOff", true); // default: true
+user_pref("signon.storeWhenAutocompleteOff", true); // [DEFAULT: true]
/* 0907: display warnings for logins on non-secure (non HTTPS) pages
* [1] https://bugzilla.mozilla.org/1217156 ***/
user_pref("security.insecure_password.ui.enabled", true);
/* 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true)
* e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix) ***/
user_pref("browser.fixup.hide_user_pass", true);
-/* 0909: disable formless login capture for Password Manager (FF51+) ***/
+/* 0909: disable formless login capture for Password Manager [FF51+] ***/
user_pref("signon.formlessCapture.enabled", false);
-/* 0910: disable autofilling saved passwords on HTTP pages and show warning (FF52+)
+/* 0910: disable autofilling saved passwords on HTTP pages and show warning [FF52+]
* [1] https://www.fxsitecompat.com/en-CA/docs/2017/insecure-login-forms-now-disable-autofill-show-warning-beneath-input-control/
* [2] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119 ***/
user_pref("signon.autofillForms.http", false);
user_pref("security.insecure_field_warning.contextual.enabled", true);
-/* 0911: prevent cross-origin images from triggering an HTTP-Authentication prompt (FF55+)
+/* 0911: prevent cross-origin images from triggering an HTTP-Authentication prompt [FF55+]
* [1] https://bugzilla.mozilla.org/1357835 ***/
user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
@@ -672,7 +676,7 @@ user_pref("browser.cache.disk_cache_ssl", false);
/* 1003: disable memory cache
* [NOTE] Not recommended due to performance issues ***/
// user_pref("browser.cache.memory.enable", false);
- // user_pref("browser.cache.memory.capacity", 0); // (hidden pref)
+ // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF]
/* 1005: disable fastback cache
* To improve performance when pressing back/forward Firefox stores visited pages
* so they don't have to be re-parsed. This is not the same as memory cache.
@@ -683,7 +687,7 @@ user_pref("browser.cache.disk_cache_ssl", false);
/* 1006: disable permissions manager from writing to disk [RESTART]
* [NOTE] This means any permission changes are session only
* [1] https://bugzilla.mozilla.org/967812 ***/
- // user_pref("permissions.memory_only", true); // (hidden pref)
+ // user_pref("permissions.memory_only", true); // [HIDDEN PREF]
/* 1008: set DNS cache and expiration time (default 400 and 60, same as Tor Browser) ***/
// user_pref("network.dnsCacheEntries", 400);
// user_pref("network.dnsCacheExpiration", 60);
@@ -700,15 +704,15 @@ user_pref("browser.sessionstore.max_windows_undo", 0);
user_pref("browser.sessionstore.privacy_level", 2);
/* 1022: disable resuming session from crash [SETUP-CHROME] ***/
user_pref("browser.sessionstore.resume_from_crash", false);
-/* 1023: set the minimum interval between session save operations - increasing it
- * can help on older machines and some websites, as well as reducing writes, see [1]
+/* 1023: set the minimum interval between session save operations
+ * Increasing this can help on older machines and some websites, as well as reducing writes, see [1]
* Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc
* [SETUP-CHROME] This can also affect entries in the "Recently Closed Tabs" feature:
* i.e. the longer the interval the more chance a quick tab open/close won't be captured.
* This longer interval *may* affect history but we cannot replicate any history not recorded
* [1] https://bugzilla.mozilla.org/1304389 ***/
user_pref("browser.sessionstore.interval", 30000);
-/* 1024: disable automatic Firefox start and session restore after reboot [WINDOWS] (FF62+)
+/* 1024: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS]
* [1] https://bugzilla.mozilla.org/603903 ***/
user_pref("toolkit.winRegisterApplicationRestart", false);
/** FAVICONS ***/
@@ -721,7 +725,7 @@ user_pref("browser.shell.shortcutFavicons", false);
* bookmark favicons are stored as data blobs in favicons.sqlite ***/
// user_pref("browser.chrome.site_icons", false);
/* 1032: disable favicons in web notifications ***/
-user_pref("alerts.showFavicons", false); // default: false
+user_pref("alerts.showFavicons", false); // [DEFAULT: false]
/*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS)
Note that your cipher and other settings can be used server side as a fingerprint attack
@@ -744,29 +748,29 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
* [2] https://www.ssllabs.com/ssl-pulse/ ***/
user_pref("security.ssl.require_safe_negotiation", true);
/* 1202: control TLS versions with min and max
- * 1=min version of TLS 1.0, 2=min version of TLS 1.1, 3=min version of TLS 1.2 etc
+ * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3 etc
* [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1
* [1] http://kb.mozillazine.org/Security.tls.version.*
* [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
* [2] archived: https://archive.is/hY2Mm ***/
// user_pref("security.tls.version.min", 3);
-user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3
-/* 1203: disable SSL session tracking (FF36+)
+user_pref("security.tls.version.max", 4);
+/* 1203: disable SSL session tracking [FF36+]
* SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 24hrs.
* Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
* this disables sending SSL Session IDs and TLS Session Tickets to prevent session tracking
* [1] https://tools.ietf.org/html/rfc5077
* [2] https://bugzilla.mozilla.org/967977 ***/
-user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)
+user_pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
/* 1204: disable SSL Error Reporting
* [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html ***/
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("security.ssl.errorReporting.url", "");
-/* 1205: disable TLS1.3 0-RTT (round-trip time) (FF51+)
+/* 1205: disable TLS1.3 0-RTT (round-trip time) [FF51+]
* [1] https://github.com/tlswg/tls13-spec/issues/1001
* [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
-user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
+user_pref("security.tls.enable_0rtt_data", false);
/** OCSP (Online Certificate Status Protocol)
#Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/
@@ -790,7 +794,7 @@ user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", true);
/** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
-/* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)
+/* 1220: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
* 0=disable detecting Family Safety mode and importing the root
* 1=only attempt to detect Family Safety mode (don't import the root)
* 2=detect Family Safety mode and import the root
@@ -802,7 +806,7 @@ user_pref("security.family_safety.mode", 0);
* [TEST] https://fiprinca.0x90.eu/poc/
* [1] https://bugzilla.mozilla.org/1334485 - related bug
* [2] https://bugzilla.mozilla.org/1216882 - related bug (see comment 9) ***/
- // user_pref("security.nocertdb", true); // (hidden pref)
+ // user_pref("security.nocertdb", true); // [HIDDEN PREF]
/* 1222: enforce strict pinning
* PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
* [WARNING] If you rely on an AV (antivirus) to protect your web browsing
@@ -811,12 +815,12 @@ user_pref("security.family_safety.mode", 0);
user_pref("security.cert_pinning.enforcement_level", 2);
/** MIXED CONTENT ***/
-/* 1240: disable insecure active content on https pages - mixed content
+/* 1240: disable insecure active content on https pages
* [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
-user_pref("security.mixed_content.block_active_content", true); // default: true
-/* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/
+user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
+/* 1241: disable insecure passive content (such as images) on https pages ***/
user_pref("security.mixed_content.block_display_content", true);
-/* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks (FF59+)
+/* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+]
* [1] https://bugzilla.mozilla.org/1190623 ***/
user_pref("security.mixed_content.block_object_subrequest", true);
@@ -860,11 +864,11 @@ user_pref("browser.ssl_override_behavior", 1);
* i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
* [TEST] https://expired.badssl.com/ ***/
user_pref("browser.xul.error_pages.expert_bad_cert", true);
-/* 1273: display "insecure" icon (FF59+) and "Not Secure" text (FF60+) on HTTP sites ***/
-user_pref("security.insecure_connection_icon.enabled", true); // all windows
-user_pref("security.insecure_connection_text.enabled", true);
- // user_pref("security.insecure_connection_icon.pbmode.enabled", true); // private windows only
- // user_pref("security.insecure_connection_text.pbmode.enabled", true);
+/* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
+user_pref("security.insecure_connection_icon.enabled", true); // [FF59+]
+user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
+ // user_pref("security.insecure_connection_icon.pbmode.enabled", true); // [FF59+] private windows only
+ // user_pref("security.insecure_connection_text.pbmode.enabled", true); // [FF60+] private windows only
/*** [SECTION 1400]: FONTS ***/
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
@@ -883,15 +887,15 @@ user_pref("browser.display.use_document_fonts", 0);
// user_pref("font.name.sans-serif.x-western", "Arial"); // default: Arial
// user_pref("font.name.monospace.x-unicode", "Lucida Console");
// user_pref("font.name.monospace.x-western", "Lucida Console"); // default: Courier New
-/* 1403: disable icon fonts (glyphs) (FF41) and local fallback rendering
+/* 1403: disable icon fonts (glyphs) and local fallback rendering
* [1] https://bugzilla.mozilla.org/789788
* [2] https://trac.torproject.org/projects/tor/ticket/8455 ***/
- // user_pref("gfx.downloadable_fonts.enabled", false);
+ // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+]
// user_pref("gfx.downloadable_fonts.fallback_delay", -1);
/* 1404: disable rendering of SVG OpenType fonts
* [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
-/* 1405: disable WOFF2 (Web Open Font Format) (FF35+) ***/
+/* 1405: disable WOFF2 (Web Open Font Format) [FF35+] ***/
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
/* 1406: disable CSS Font Loading API
* [NOTE] Disabling fonts can uglify the web a fair bit. ***/
@@ -904,13 +908,13 @@ user_pref("font.blacklist.underline_offset", "");
* In the past it had security issues. Update: This continues to be the case, see [1]
* [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
user_pref("gfx.font_rendering.graphite.enabled", false);
-/* 1409: limit system font exposure to a whitelist (FF52+) [RESTART]
+/* 1409: limit system font exposure to a whitelist [FF52+] [RESTART]
* If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
* [WARNING] Creating your own probably highly-unique whitelist will raise your entropy. If
* you block sites choosing fonts in 1401, this preference is irrelevant. In future,
* privacy.resistFingerprinting (see 4500) will cover this (and 1401 can be relaxed)
* [1] https://bugzilla.mozilla.org/1121643 ***/
- // user_pref("font.system.whitelist", ""); // (hidden pref)
+ // user_pref("font.system.whitelist", ""); // [HIDDEN PREF]
/*** [SECTION 1600]: HEADERS / REFERERS
Only *cross domain* referers need controlling and XOriginPolicy (1603) is perfect for that. Thus we enforce
@@ -937,22 +941,22 @@ user_pref("network.http.referer.trimmingPolicy", 0);
/* 1603: CROSS ORIGIN: control when to send a referer [SETUP-WEB]
* 0=always (default), 1=only if base domains match, 2=only if hosts match ***/
user_pref("network.http.referer.XOriginPolicy", 1);
-/* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)
+/* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
user_pref("network.http.referer.XOriginTrimmingPolicy", 0);
/* 1605: ALL: disable spoofing a referer
* [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
* (Cross-Site Request Forgery) protections that some sites may rely on ***/
-user_pref("network.http.referer.spoofSource", false); // default: false
-/* 1606: ALL: set the default Referrer Policy
+user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
+/* 1606: ALL: set the default Referrer Policy [FF59+]
* 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
* [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
* [1] https://www.w3.org/TR/referrer-policy/
* [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
* [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/
-user_pref("network.http.referer.defaultPolicy", 3); // (FF59+) default: 3
-user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2
-/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain (FF54+)
+user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3]
+user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
+/* 1607: TOR: hide (not spoof) referrer when leaving a .onion domain [FF54+]
* [NOTE] Firefox cannot access .onion sites by default. We recommend you use
* the Tor Browser which is specifically designed for hidden services
* [1] https://bugzilla.mozilla.org/1305144 ***/
@@ -968,15 +972,15 @@ user_pref("privacy.donottrackheader.enabled", true);
[3] https://github.com/mozilla/testpilot-containers
***/
user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
-/* 1701: enable Container Tabs setting in preferences (see 1702) (FF50+)
+/* 1701: enable Container Tabs setting in preferences (see 1702) [FF50+]
* [1] https://bugzilla.mozilla.org/1279029 ***/
user_pref("privacy.userContext.ui.enabled", true);
-/* 1702: enable Container Tabs (FF50+)
+/* 1702: enable Container Tabs [FF50+]
* [SETTING] General>Tabs>Enable Container Tabs ***/
user_pref("privacy.userContext.enabled", true);
-/* 1703: enable a private container for thumbnail loads (FF51+) ***/
-user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // default: true in FF61+
-/* 1704: set long press behaviour on "+ Tab" button to display container menu (FF53+)
+/* 1703: enable a private container for thumbnail loads [FF51+] ***/
+user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true in FF61+]
+/* 1704: set long press behaviour on "+ Tab" button to display container menu [FF53+]
* 0=disables long press, 1=when clicked, the menu is shown
* 2=the menu is shown after X milliseconds
* [NOTE] The menu does not contain a non-container tab option
@@ -1008,8 +1012,8 @@ user_pref("plugin.scan.plid.all", false);
user_pref("media.gmp-provider.enabled", false);
user_pref("media.gmp.trial-create.enabled", false);
user_pref("media.gmp-manager.url", "data:text/plain,");
-user_pref("media.gmp-manager.url.override", "data:text/plain,"); // (hidden pref)
-user_pref("media.gmp-manager.updateEnabled", false); // disable local fallback (hidden pref)
+user_pref("media.gmp-manager.url.override", "data:text/plain,"); // [HIDDEN PREF]
+user_pref("media.gmp-manager.updateEnabled", false); // disable local fallback [HIDDEN PREF]
/* 1825: disable widevine CDM (Content Decryption Module) [SETUP-WEB] ***/
user_pref("media.gmp-widevinecdm.visible", false);
user_pref("media.gmp-widevinecdm.enabled", false);
@@ -1020,7 +1024,7 @@ user_pref("media.gmp-widevinecdm.autoupdate", false);
user_pref("media.eme.enabled", false);
/* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
* This is the bundled codec used for video chat in WebRTC [SETUP-WEB] ***/
-user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
+user_pref("media.gmp-gmpopenh264.enabled", false); // [HIDDEN PREF]
user_pref("media.gmp-gmpopenh264.autoupdate", false);
/*** [SECTION 2000]: MEDIA / CAMERA / MIC ***/
@@ -1038,8 +1042,8 @@ user_pref("media.navigator.video.enabled", false); // video capability for WebRT
/* 2002: limit WebRTC IP leaks if using WebRTC
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
* [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
-user_pref("media.peerconnection.ice.default_address_only", true); // (FF42-FF50)
-user_pref("media.peerconnection.ice.no_host", true); // (FF51+)
+user_pref("media.peerconnection.ice.default_address_only", true); // [FF42-FF50]
+user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
/* 2010: disable WebGL (Web Graphics Library), force bare minimum feature set if used & disable WebGL extensions
* [1] https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
* [2] https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern ***/
@@ -1048,33 +1052,33 @@ user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
-/* 2012: disable two more webgl preferences (FF51+) ***/
+/* 2012: disable two more webgl preferences [FF51+] ***/
user_pref("webgl.dxgl.enabled", false); // [WINDOWS]
user_pref("webgl.enable-webgl2", false);
/* 2022: disable screensharing ***/
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.browser.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);
-/* 2024: set a default permission for Camera/Microphone (FF58+)
+/* 2024: set a default permission for Camera/Microphone [FF58+]
* 0=always ask (default), 1=allow, 2=block
* [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
// user_pref("permissions.default.camera", 2);
// user_pref("permissions.default.microphone", 2);
-/* 2026: disable canvas capture stream (FF41+)
+/* 2026: disable canvas capture stream [FF41+]
* [1] https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream ***/
user_pref("canvas.capturestream.enabled", false);
-/* 2027: disable camera image capture (FF35+)
+/* 2027: disable camera image capture [FF35+]
* [1] https://trac.torproject.org/projects/tor/ticket/16339 ***/
-user_pref("dom.imagecapture.enabled", false); // default: false
-/* 2028: disable offscreen canvas (FF44+)
+user_pref("dom.imagecapture.enabled", false); // [DEFAULT: false]
+/* 2028: disable offscreen canvas [FF44+]
* [1] https://developer.mozilla.org/docs/Web/API/OffscreenCanvas ***/
-user_pref("gfx.offscreencanvas.enabled", false); // default: false
-/* 2030: disable auto-play of HTML5 media (FF63+)
+user_pref("gfx.offscreencanvas.enabled", false); // [DEFAULT: false]
+/* 2030: disable auto-play of HTML5 media [FF63+]
* 0=Allowed (default), 1=Blocked, 2=Prompt
* [SETUP-WEB] This may break video playback on various sites ***/
user_pref("media.autoplay.default", 1);
-/* 2031: disable audio auto-play in non-active tabs (FF51+)
+/* 2031: disable audio auto-play in non-active tabs [FF51+]
* [1] https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/ ***/
user_pref("media.block-autoplay-until-in-foreground", true);
@@ -1083,12 +1087,12 @@ user_pref("_user.js.parrot", "2200 syntax error: the parrot's 'istory!");
/* 2201: prevent websites from disabling new window features
* [1] http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features ***/
user_pref("dom.disable_window_open_feature.close", true);
-user_pref("dom.disable_window_open_feature.location", true); // default: true
+user_pref("dom.disable_window_open_feature.location", true); // [DEFAULT: true]
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar
-user_pref("dom.disable_window_open_feature.resizable", true); // default: true
-user_pref("dom.disable_window_open_feature.status", true); // status bar - default: true
+user_pref("dom.disable_window_open_feature.resizable", true); // [DEFAULT: true]
+user_pref("dom.disable_window_open_feature.status", true); // [DEFAULT: true]
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
/* 2202: prevent scripts moving and resizing open windows ***/
@@ -1142,14 +1146,15 @@ user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
user_pref("dom.serviceWorkers.enabled", false);
/* 2304: disable web notifications
* [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
-user_pref("dom.webnotifications.enabled", false); // (FF22+)
-user_pref("dom.webnotifications.serviceworker.enabled", false); // (FF44+)
-/* 2305: set a default permission for Notifications (see 2304) (FF58+)
+user_pref("dom.webnotifications.enabled", false); // [FF22+]
+user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
+/* 2305: set a default permission for Notifications (see 2304) [FF58+]
+ * 0=always ask (default), 1=allow, 2=block
* [NOTE] best left at default "always ask", fingerprintable via Permissions API
* [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings ***/
- // user_pref("permissions.default.desktop-notification", 2); // 0=always ask (default), 1=allow, 2=block
-/* 2306: disable push notifications (FF44+)
+ // user_pref("permissions.default.desktop-notification", 2);
+/* 2306: disable push notifications [FF44+]
* web apps can receive messages pushed to them from a server, whether or
* not the web app is in the foreground, or even currently loaded
* [1] https://developer.mozilla.org/docs/Web/API/Push_API ***/
@@ -1169,10 +1174,10 @@ user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!
* the website for it to look at the clipboard
* [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
user_pref("dom.event.clipboardevents.enabled", false);
-/* 2403: disable clipboard commands (cut/copy) from "non-privileged" content (FF41+)
+/* 2403: disable clipboard commands (cut/copy) from "non-privileged" content [FF41+]
* this disables document.execCommand("cut"/"copy") to protect your clipboard
* [1] https://bugzilla.mozilla.org/1170911 ***/
-user_pref("dom.allow_cut_copy", false); // (hidden pref)
+user_pref("dom.allow_cut_copy", false); // [HIDDEN PREF]
/* 2404: disable "Confirm you want to leave" dialog on page close
* Does not prevent JS leaks of the page close event.
* [1] https://developer.mozilla.org/docs/Web/Events/beforeunload
@@ -1180,7 +1185,7 @@ user_pref("dom.allow_cut_copy", false); // (hidden pref)
user_pref("dom.disable_beforeunload", true);
/* 2414: disable shaking the screen ***/
user_pref("dom.vibrator.enabled", false);
-/* 2420: disable asm.js (FF22+)
+/* 2420: disable asm.js [FF22+]
* [1] http://asmjs.org/
* [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
* [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
@@ -1193,10 +1198,10 @@ user_pref("javascript.options.asmjs", false);
* [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 ***/
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);
-/* 2422: disable WebAssembly for now (FF52+)
+/* 2422: disable WebAssembly [FF52+]
* [1] https://developer.mozilla.org/docs/WebAssembly ***/
user_pref("javascript.options.wasm", false);
-/* 2426: disable Intersection Observer API (FF53+)
+/* 2426: disable Intersection Observer API [FF53+]
* Almost a year to complete, three versions late to stable (as default false),
* number #1 cause of crashes in nightly numerous times, and is (primarily) an
* ad network API for "ad viewability checks" down to a pixel level
@@ -1210,7 +1215,7 @@ user_pref("dom.IntersectionObserver.enabled", false);
user_pref("javascript.options.shared_memory", false);
/* 2428: enforce DOMHighResTimeStamp API
* [WARNING] Required for normalization of timestamps and any timer resolution mitigations ***/
-user_pref("dom.event.highrestimestamp.enabled", true); // default: true
+user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
/*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/
user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
@@ -1225,7 +1230,7 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m
* Optional protection depending on your connected devices
* [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
// user_pref("dom.vr.enabled", false);
-/* 2505: disable media device enumeration (FF29+)
+/* 2505: disable media device enumeration [FF29+]
* [NOTE] media.peerconnection.enabled should also be set to false (see 2001)
* [1] https://wiki.mozilla.org/Media/getUserMedia
* [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices ***/
@@ -1237,13 +1242,13 @@ user_pref("media.navigator.enabled", false);
* [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
// user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
user_pref("layers.acceleration.disabled", true);
-/* 2510: disable Web Audio API (FF51+)
+/* 2510: disable Web Audio API [FF51+]
* [1] https://bugzilla.mozilla.org/1288359 ***/
user_pref("dom.webaudio.enabled", false);
/* 2516: disable PointerEvents
* [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent ***/
user_pref("dom.w3c_pointer_events.enabled", false);
-/* 2517: disable Media Capabilities API (FF63+)
+/* 2517: disable Media Capabilities API [FF63+]
* [SETUP-PERF] This *may* affect media performance if disabled, no one is sure
* [1] https://github.com/WICG/media-capabilities
* [2] https://wicg.github.io/media-capabilities/#security-privacy-considerations ***/
@@ -1263,8 +1268,8 @@ user_pref("beacon.enabled", false);
user_pref("browser.helperApps.deleteTempFileOnExit", true);
/* 2604: disable page thumbnail collection
* look in profile/thumbnails directory - you may want to clean that out ***/
-user_pref("browser.pagethumbnails.capturing_disabled", true); // (hidden pref)
-/* 2605: block web content in file processes (FF55+)
+user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
+/* 2605: block web content in file processes [FF55+]
* [SETUP-WEB] You may want to disable this for corporate or developer environments
* [1] https://bugzilla.mozilla.org/1343184 ***/
user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
@@ -1280,11 +1285,11 @@ user_pref("devtools.chrome.enabled", false);
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);
-/* 2609: disable MathML (Mathematical Markup Language) (FF51+)
+/* 2609: disable MathML (Mathematical Markup Language) [FF51+]
* [TEST] http://browserspy.dk/mathml.php
* [1] https://bugzilla.mozilla.org/1173199 ***/
user_pref("mathml.disabled", true);
-/* 2610: disable in-content SVG (Scalable Vector Graphics) (FF53+)
+/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
* [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
* [1] https://bugzilla.mozilla.org/1216893 ***/
// user_pref("svg.disabled", true);
@@ -1296,19 +1301,20 @@ user_pref("middlemouse.contentLoadURL", false);
* [NOTE] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
* To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
user_pref("network.http.redirection-limit", 10);
-/* 2615: disable websites overriding Firefox's keyboard shortcuts (FF58+)
+/* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
+ * 0= (default), 1=allow, 2=block
* [NOTE] At the time of writing, causes issues with delete and backspace keys
* [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts ***/
- // user_pref("permissions.default.shortcuts", 2); // 0 (default) or 1=allow, 2=block
-/* 2616: remove special permissions for certain mozilla domains (FF35+)
+ // user_pref("permissions.default.shortcuts", 2);
+/* 2616: remove special permissions for certain mozilla domains [FF35+]
* [1] resource://app/defaults/permissions ***/
user_pref("permissions.manager.defaultsUrl", "");
/* 2617: remove webchannel whitelist ***/
user_pref("webchannel.allowObject.urlWhitelist", "");
-/* 2618: disable exposure of system colors to CSS or canvas (FF44+)
+/* 2618: disable exposure of system colors to CSS or canvas [FF44+]
* [NOTE] see second listed bug: may cause black on black for elements with undefined colors
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876 ***/
-user_pref("ui.use_standins_for_native_colors", true); // (hidden pref)
+user_pref("ui.use_standins_for_native_colors", true); // [HIDDEN PREF]
/* 2619: enforce Punycode for Internationalized Domain Names to eliminate possible spoofing
* Firefox has *some* protections, but it is better to be safe than sorry. The downside: it will also
* display legitimate IDN's punycoded, which might be undesirable for users of non-latin alphabets
@@ -1341,7 +1347,7 @@ user_pref("browser.download.useDownloadDir", false);
user_pref("browser.download.manager.addToRecentDocs", false);
/* 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin ***/
user_pref("browser.download.hide_plugins_without_extensions", false);
-/* 2654: disable "open with" in download dialog (FF50+)
+/* 2654: disable "open with" in download dialog [FF50+]
* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
* in such a way that it is forbidden to run external applications.
* [SETUP-CHROME] This may interfere with some users' workflow or methods
@@ -1353,34 +1359,34 @@ user_pref("browser.download.forbid_open_with", true);
* [SETUP-CHROME] This will break extensions that do not use the default XPI directories
* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
* [1] archived: https://archive.is/DYjAM ***/
-user_pref("extensions.enabledScopes", 1); // (hidden pref)
+user_pref("extensions.enabledScopes", 1); // [HIDDEN PREF]
user_pref("extensions.autoDisableScopes", 15);
-/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) (FF60+)
+/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) [FF60+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
// user_pref("extensions.webextensions.restrictedDomains", "");
/* 2663: enable warning when websites try to install add-ons
* [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons ***/
-user_pref("xpinstall.whitelist.required", true); // default: true
+user_pref("xpinstall.whitelist.required", true); // [DEFAULT: true]
/** SECURITY ***/
/* 2680: enable CSP (Content Security Policy)
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
-user_pref("security.csp.enable", true); // default: true
-/* 2681: disable CSP violation events (FF59+)
+user_pref("security.csp.enable", true); // [DEFAULT: true]
+/* 2681: disable CSP violation events [FF59+]
* [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent ***/
user_pref("security.csp.enable_violation_events", false);
-/* 2682: enable CSP 1.1 experimental hash-source directive (FF29+)
+/* 2682: enable CSP 1.1 experimental hash-source directive [FF44+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975 ***/
user_pref("security.csp.experimentalEnabled", true);
-/* 2683: block top level window data: URIs (FF56+)
+/* 2683: block top level window data: URIs [FF56+]
* [1] https://bugzilla.mozilla.org/1331351
* [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
* [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
-user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // default: true in FF59+
+user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true]
/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
* [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
* [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
-user_pref("security.dialog_enable_delay", 700); // default: 1000 (milliseconds)
+user_pref("security.dialog_enable_delay", 700);
/*** [SECTION 2700]: PERSISTENT STORAGE
Data SET by websites including
@@ -1401,27 +1407,27 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
* [SETTING] Privacy & Security>Cookies and Site Data>Type blocked
* [1] https://www.fxsitecompat.com/en-CA/docs/2015/web-storage-indexeddb-cache-api-now-obey-third-party-cookies-preference/ ***/
user_pref("network.cookie.cookieBehavior", 1);
-/* 2702: set third-party cookies (i.e ALL) (if enabled, see above pref) to session-only
+/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only
and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
[NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
.nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
* [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
* [2] http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly ***/
user_pref("network.cookie.thirdparty.sessionOnly", true);
-user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // (FF58+)
+user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
/* 2703: set cookie lifetime policy
* 0=until they expire (default), 2=until you close Firefox
* [NOTE] 3=for n days : no longer supported in FF63+ (see 2704-deprecated)
* [SETTING] Privacy & Security>Cookies and Site Data>Keep until... ***/
// user_pref("network.cookie.lifetimePolicy", 0);
-/* 2705: disable HTTP sites setting cookies with the "secure" directive (FF52+)
+/* 2705: disable HTTP sites setting cookies with the "secure" directive [FF52+]
* [1] https://developer.mozilla.org/Firefox/Releases/52#HTTP ***/
-user_pref("network.cookie.leave-secure-alone", true); // default: true
-/* 2706: enable support for same-site cookies (FF60+)
+user_pref("network.cookie.leave-secure-alone", true); // [DEFAULT: true]
+/* 2706: enable support for same-site cookies [FF60+]
* [1] https://bugzilla.mozilla.org/795346
* [2] https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
* [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
- // user_pref("network.cookie.same-site.enabled", true); // default: true
+ // user_pref("network.cookie.same-site.enabled", true); // [DEFAULT: true]
/* 2710: disable DOM (Document Object Model) Storage
* [WARNING] This will break a LOT of sites' functionality AND extensions!
* You are better off using an extension for more granular control ***/
@@ -1433,12 +1439,12 @@ user_pref("network.cookie.leave-secure-alone", true); // default: true
* on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically
* via an extenion. Note that IDB currently cannot be sanitized by host.
* [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ ***/
-user_pref("dom.indexedDB.enabled", true); // default: true
+user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true]
/* 2730: disable offline cache ***/
user_pref("browser.cache.offline.enable", false);
-/* 2730b: disable offline cache on insecure sites (FF60+)
+/* 2730b: disable offline cache on insecure sites [FF60+]
* [1] https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ ***/
-user_pref("browser.cache.offline.insecure.enable", false); // default: false in FF62+
+user_pref("browser.cache.offline.insecure.enable", false); // [DEFAULT: false in FF62+]
/* 2731: enforce websites to ask to store data for offline use
* [1] https://support.mozilla.org/questions/1098540
* [2] https://bugzilla.mozilla.org/959985 ***/
@@ -1446,7 +1452,7 @@ user_pref("offline-apps.allow_by_default", false);
/* 2740: disable service workers cache and cache storage
* [1] https://w3c.github.io/ServiceWorker/#privacy ***/
user_pref("dom.caches.enabled", false);
-/* 2750: disable Storage API (FF51+)
+/* 2750: disable Storage API [FF51+]
* The API gives sites the ability to find out how much space they can use, how much
* they are already using, and even control whether or not they need to be alerted
* before the user agent disposes of site data in order to make room for other things.
@@ -1494,9 +1500,9 @@ user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
user_pref("privacy.cpd.passwords", false); // this is not listed
user_pref("privacy.cpd.sessions", true); // Active Logins
user_pref("privacy.cpd.siteSettings", false); // Site Preferences
-/* 2805: privacy.*.openWindows (clear session restore data) (FF34+)
+/* 2805: privacy.*.openWindows (clear session restore data) [FF34+]
* [NOTE] There is a years-old bug that these cause two windows when Firefox restarts.
- * You do not need these anyway if session restore is disabled (see 1020) ***/
+ * You do not need these anyway if session restore is cleared with history (see 2803) ***/
// user_pref("privacy.clearOnShutdown.openWindows", true);
// user_pref("privacy.cpd.openWindows", true);
/* 2806: reset default 'Time range to clear' for 'Clear Recent History' (see 2804)
@@ -1529,20 +1535,20 @@ user_pref("privacy.sanitize.timeSpan", 0);
** 1381197 - [fixed in FF59+] extensions cannot control cookies with FPI Origin Attributes
***/
user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
-/* 4001: enable First Party Isolation (FF51+)
+/* 4001: enable First Party Isolation [FF51+]
* [SETUP-WEB] May break cross-domain logins and site functionality until perfected
* [1] https://bugzilla.mozilla.org/1260931 ***/
user_pref("privacy.firstparty.isolate", true);
-/* 4002: enforce FPI restriction for window.opener (FF54+)
+/* 4002: enforce FPI restriction for window.opener [FF54+]
* [NOTE] Setting this to false may reduce the breakage in 4001
- * [FF65+] blocks postMessage with targetOrigin "*" if originAttributes don't match. But
+ * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
* to reduce breakage it ignores the 1st-party domain (FPD) originAttribute. (see [2],[3])
* The 2nd pref removes that limitation and will only allow communication if FPDs also match.
* [1] https://bugzilla.mozilla.org/1319773#c22
* [2] https://bugzilla.mozilla.org/1492607
* [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
-user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // default: true
- // user_pref("privacy.firstparty.isolate.block_post_message", true); // (hidden pref)
+user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
+ // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF]
/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
This master switch will be used for a wide range of items, many of which will
@@ -1596,28 +1602,28 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // default
Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
FF60: Fix keydown/keyup events (1438795)
** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
- ** 1459089 - disable OS locale in HTTP Accept-Language headers [ANDROID] (FF62+)
+ ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
** 1363508 - spoof/suppress Pointer Events (see 2516) (FF64+)
FF65: pointerEvent.pointerid (1492766)
***/
user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
-/* 4501: enable privacy.resistFingerprinting (FF41+)
+/* 4501: enable privacy.resistFingerprinting [FF41+]
* [SETUP-WEB] RFP is not ready for the masses, so expect some website breakage
* [1] https://bugzilla.mozilla.org/418986 ***/
-user_pref("privacy.resistFingerprinting", true); // (hidden pref) (not hidden FF55+)
-/* 4502: set new window sizes to round to hundreds (FF55+)
+user_pref("privacy.resistFingerprinting", true);
+/* 4502: set new window sizes to round to hundreds [FF55+]
* [SETUP-CHROME] Width will round down to multiples of 200s and height to 100s, to fit your screen.
* The override values are a starting point to round from if you want some control
* [1] https://bugzilla.mozilla.org/1330882
* [2] https://hardware.metrics.mozilla.com/ ***/
- // user_pref("privacy.window.maxInnerWidth", 1600); // (hidden pref)
- // user_pref("privacy.window.maxInnerHeight", 900); // (hidden pref)
-/* 4503: disable mozAddonManager Web API (FF57+)
+ // user_pref("privacy.window.maxInnerWidth", 1600); // [HIDDEN PREF]
+ // user_pref("privacy.window.maxInnerHeight", 900); // [HIDDEN PREF]
+/* 4503: disable mozAddonManager Web API [FF57+]
* [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need
* to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
-user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // (hidden pref)
-/* 4504: disable showing about:blank as soon as possible during startup (FF60+)
+user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
+/* 4504: disable showing about:blank as soon as possible during startup [FF60+]
* When default true (FF62+) this no longer masks the RFP resizing activity
* [1] https://bugzilla.mozilla.org/1448423 ***/
user_pref("browser.startup.blankWindow", false);
@@ -1631,7 +1637,7 @@ user_pref("browser.startup.blankWindow", false);
user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
/* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these
// FF55+
-// 4601: [2514] spoof (or limit?) number of CPU cores (FF48+)
+// 4601: [2514] spoof (or limit?) number of CPU cores [FF48+]
// [NOTE] *may* affect core chrome/Firefox performance, will affect content.
// [1] https://bugzilla.mozilla.org/1008453
// [2] https://trac.torproject.org/projects/tor/ticket/21675
@@ -1660,7 +1666,7 @@ user_pref("browser.zoom.siteSpecific", false);
// Optional protection depending on your connected devices
// [1] https://trac.torproject.org/projects/tor/ticket/13023
// user_pref("dom.gamepad.enabled", false);
-// 4607: [2503] disable giving away network info (FF31+)
+// 4607: [2503] disable giving away network info [FF31+]
// e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
// [1] https://developer.mozilla.org/docs/Web/API/Network_Information_API
// [2] https://wicg.github.io/netinfo/
@@ -1673,7 +1679,7 @@ user_pref("dom.netinfo.enabled", false);
user_pref("media.webspeech.synth.enabled", false);
// * * * /
// FF57+
-// 4610: [2506] disable video statistics - JS performance fingerprinting (FF25+)
+// 4610: [2506] disable video statistics - JS performance fingerprinting [FF25+]
// [1] https://trac.torproject.org/projects/tor/ticket/15757
// [2] https://bugzilla.mozilla.org/654550
user_pref("media.video_stats.enabled", false);
@@ -1686,7 +1692,7 @@ user_pref("media.video_stats.enabled", false);
// user_pref("dom.w3c_touch_events.enabled", 0);
// * * * /
// FF59+
-// 4612: [2511] disable MediaDevices change detection (FF51+)
+// 4612: [2511] disable MediaDevices change detection [FF51+]
// [1] https://developer.mozilla.org/docs/Web/Events/devicechange
// [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
user_pref("media.ondevicechange.enabled", false);
@@ -1711,20 +1717,20 @@ user_pref("webgl.enable-debug-renderer-info", false);
***/
user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
/* 4701: navigator.userAgent ***/
- // user_pref("general.useragent.override", ""); // (hidden pref)
+ // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
/* 4702: navigator.buildID
* Revealed build time down to the second. In FF64+ it now returns a fixed timestamp
* [1] https://bugzilla.mozilla.org/583181
* [2] https://www.fxsitecompat.com/en-CA/docs/2018/navigator-buildid-now-returns-a-fixed-timestamp/ ***/
- // user_pref("general.buildID.override", ""); // (hidden pref)
+ // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
/* 4703: navigator.appName ***/
- // user_pref("general.appname.override", ""); // (hidden pref)
+ // user_pref("general.appname.override", ""); // [HIDDEN PREF]
/* 4704: navigator.appVersion ***/
- // user_pref("general.appversion.override", ""); // (hidden pref)
+ // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
/* 4705: navigator.platform ***/
- // user_pref("general.platform.override", ""); // (hidden pref)
+ // user_pref("general.platform.override", ""); // [HIDDEN PREF]
/* 4706: navigator.oscpu ***/
- // user_pref("general.oscpu.override", ""); // (hidden pref)
+ // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
/*** [SECTION 5000]: PERSONAL
Non-project related but useful. If any of these interest you, add them to your overrides ***/
@@ -1742,8 +1748,8 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
// user_pref("full-screen-api.warning.timeout", 0);
// user_pref("general.warnOnAboutConfig", false);
/* APPEARANCE ***/
- // user_pref("browser.download.autohideButton", false); // (FF57+)
- // user_pref("toolkit.cosmeticAnimations.enabled", false); // (FF55+)
+ // user_pref("browser.download.autohideButton", false); // [FF57+]
+ // user_pref("toolkit.cosmeticAnimations.enabled", false); // [FF55+]
/* CONTENT BEHAVIOR ***/
// user_pref("accessibility.typeaheadfind", true); // enable "Find As You Type"
// user_pref("clipboard.autocopy", false); // disable autocopy default [LINUX]
@@ -1751,13 +1757,13 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
/* UX BEHAVIOR ***/
// user_pref("browser.backspace_action", 2); // 0=previous page, 1=scroll up, 2=do nothing
// user_pref("browser.tabs.closeWindowWithLastTab", false);
- // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab (FF57+)
- // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see Bugzilla 1320061 (FF53+)
+ // user_pref("browser.tabs.loadBookmarksInTabs", true); // open bookmarks in a new tab [FF57+]
+ // user_pref("browser.urlbar.decodeURLsOnCopy", true); // see Bugzilla 1320061 [FF53+]
// user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC]
// user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
/* OTHER ***/
// user_pref("browser.bookmarks.max_backups", 2);
- // user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync (FF60+) [RESTART]
+ // user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync [FF60+] [RESTART]
// user_pref("network.manage-offline-status", false); // see Bugzilla 620472
// user_pref("reader.parse-on-load.enabled", false); // "Reader View"
// user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
@@ -1781,7 +1787,7 @@ user_pref("dom.network.enabled", false);
// 2600's: (35+) disable WebSockets
// [-] https://bugzilla.mozilla.org/1091016
user_pref("network.websocket.enabled", false);
-// 1610: (36+) set DNT "value" to "not be tracked" (FF21+)
+// 1610: (36+) set DNT "value" to "not be tracked" [FF21+]
// [1] http://kb.mozillazine.org/Privacy.donottrackheader.value
// [-] https://bugzilla.mozilla.org/1042135#c101
// user_pref("privacy.donottrackheader.value", 1);
@@ -1830,7 +1836,7 @@ user_pref("pfs.datasource.url", "");
// user_pref("browser.search.showOneOffButtons", false);
// ***/
/* FF44
-// 0414: disable safebrowsing's real-time binary checking (google) (FF43+)
+// 0414: disable safebrowsing's real-time binary checking (google) [FF43+]
// [-] https://bugzilla.mozilla.org/1237103
user_pref("browser.safebrowsing.provider.google.appRepURL", ""); // browser.safebrowsing.appRepURL
// 1200's: block rc4 whitelist
@@ -1854,8 +1860,8 @@ user_pref("browser.sessionstore.privacy_level_deferred", 2);
/* FF46
// 0333: disable health report
// [-] https://bugzilla.mozilla.org/1234526
-user_pref("datareporting.healthreport.service.enabled", false); // (hidden pref)
-user_pref("datareporting.healthreport.documentServerURI", ""); // (hidden pref)
+user_pref("datareporting.healthreport.service.enabled", false); // [HIDDEN PREF]
+user_pref("datareporting.healthreport.documentServerURI", ""); // [HIDDEN PREF]
// 0334b: disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
// [-] https://bugzilla.mozilla.org/1234522
user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);
@@ -1865,7 +1871,7 @@ user_pref("browser.safebrowsing.appRepURL", ""); // Google application reputatio
// 0420: disable polaris (part of Tracking Protection, never used in stable)
// [-] https://bugzilla.mozilla.org/1235565
// user_pref("browser.polaris.enabled", false);
-// 0510: disable "Pocket" - replaced by extensions.pocket.*
+// 0510: disable "Pocket" [FF39+] - replaced by extensions.pocket.*
// [-] https://bugzilla.mozilla.org/1215694
user_pref("browser.pocket.enabled", false);
user_pref("browser.pocket.api", "");
@@ -1876,7 +1882,7 @@ user_pref("browser.pocket.oAuthConsumerKey", "");
// 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
// is enabled ONLY for people that opted into it, even if unified Telemetry is enabled
// [-] https://bugzilla.mozilla.org/1236580
-user_pref("toolkit.telemetry.unifiedIsOptIn", true); // (hidden pref)
+user_pref("toolkit.telemetry.unifiedIsOptIn", true); // [HIDDEN PREF]
// 0333b: disable about:healthreport page UNIFIED
// [-] https://bugzilla.mozilla.org/1236580
user_pref("datareporting.healthreport.about.reportUrlUnified", "data:text/plain,");
@@ -1994,14 +2000,14 @@ user_pref("media.eme.apiVisible", false);
user_pref("dom.archivereader.enabled", false);
// ***/
/* FF55
-// 0209: disable geolocation on non-secure origins (FF54+)
+// 0209: disable geolocation on non-secure origins [FF54+]
// [1] https://bugzilla.mozilla.org/1269531
// [-] https://bugzilla.mozilla.org/1072859
user_pref("geo.security.allowinsecure", false);
-// 0336: disable "Heartbeat" (Mozilla user rating telemetry) (FF37+)
+// 0336: disable "Heartbeat" (Mozilla user rating telemetry) [FF37+]
// [1] https://trac.torproject.org/projects/tor/ticket/18738
// [-] https://bugzilla.mozilla.org/1361578
-user_pref("browser.selfsupport.enabled", false); // (hidden pref)
+user_pref("browser.selfsupport.enabled", false); // [HIDDEN PREF]
user_pref("browser.selfsupport.url", "");
// 0360: disable new tab "pings"
// [-] https://bugzilla.mozilla.org/1241390
@@ -2009,14 +2015,14 @@ user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
// 0861: disable saving form history on secure websites
// [-] https://bugzilla.mozilla.org/1361220
user_pref("browser.formfill.saveHttpsForms", false);
-// 0863: disable Form Autofill (FF54+) - replaced by extensions.formautofill.*
+// 0863: disable Form Autofill [FF54+] - replaced by extensions.formautofill.*
// [-] https://bugzilla.mozilla.org/1364334
user_pref("browser.formautofill.enabled", false);
// 2410: disable User Timing API
// [1] https://trac.torproject.org/projects/tor/ticket/16336
// [-] https://bugzilla.mozilla.org/1344669
user_pref("dom.enable_user_timing", false);
-// 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
+// 2507: disable keyboard fingerprinting (physical keyboards) [FF38+]
// The Keyboard API allows tracking the "read parameter" of pressed keys in forms on
// web pages. These parameters vary between types of keyboard layouts such as QWERTY,
// AZERTY, Dvorak, and between various languages, e.g. German vs English.
@@ -2033,10 +2039,10 @@ user_pref("browser.tabs.animate", false);
user_pref("browser.fullscreen.animate", false);
// ***/
/* FF56
-// 0515: disable Screenshots (rollout pref only) (FF54+)
+// 0515: disable Screenshots (rollout pref only) [FF54+]
// [-] https://bugzilla.mozilla.org/1386333
// user_pref("extensions.screenshots.system-disabled", true);
-// 0517: disable Form Autofill (FF55+) - replaced by extensions.formautofill.available
+// 0517: disable Form Autofill [FF55+] - replaced by extensions.formautofill.available
// [-] https://bugzilla.mozilla.org/1385201
user_pref("extensions.formautofill.experimental", false);
// ***/
@@ -2050,10 +2056,10 @@ user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);
-user_pref("social.enabled", false); // (hidden pref)
-// 1830: disable DRM's EME WideVineAdapter
+user_pref("social.enabled", false); // [HIDDEN PREF]
+// 1830: disable DRM's EME WideVineAdapter [FF55+]
// [-] https://bugzilla.mozilla.org/1395468
-user_pref("media.eme.chromium-api.enabled", false); // (FF55+)
+user_pref("media.eme.chromium-api.enabled", false);
// 2608: disable WebIDE extension downloads (Valence)
// [1] https://trac.torproject.org/projects/tor/ticket/16222
// [-] https://bugzilla.mozilla.org/1393497
@@ -2062,14 +2068,14 @@ user_pref("devtools.webide.autoinstallFxdtAdapters", false);
// [1] https://trac.torproject.org/projects/tor/ticket/16222
// [-] https://bugzilla.mozilla.org/1393582
user_pref("browser.casting.enabled", false);
-// 5022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
+// 5022: hide recently bookmarked items (you still have the original bookmarks) [FF49+]
// [-] https://bugzilla.mozilla.org/1401238
user_pref("browser.bookmarks.showRecentlyBookmarked", false);
// ***/
/* FF58
-// 0351: disable sending of crash reports - replaced by *.autoSubmit2
+// 0351: disable sending of crash reports [FF51+] - replaced by *.autoSubmit2
// [-] https://bugzilla.mozilla.org/1424373
-user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51-57)
+user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false);
// ***/
/* FF59
// 0203: disable using OS locale, force APP locale - replaced by intl.locale.requested
@@ -2083,7 +2089,7 @@ user_pref("general.useragent.locale", "en-US");
// If you want to see what health data is present, then this must be set at default
// [-] https://bugzilla.mozilla.org/1352497
user_pref("datareporting.healthreport.about.reportUrl", "data:text/plain,");
-// 0511: disable FlyWeb (FF49+)
+// 0511: disable FlyWeb [FF49+]
// Flyweb is a set of APIs for advertising and discovering local-area web servers
// [1] https://flyweb.github.io/
// [2] https://wiki.mozilla.org/FlyWeb/Security_scenarios
@@ -2094,7 +2100,7 @@ user_pref("dom.flyweb.enabled", false);
// [1] https://trac.torproject.org/projects/tor/ticket/13575
// [-] https://bugzilla.mozilla.org/1430197
user_pref("browser.cache.frecency_experiment", -1);
-// 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests (FF51+)
+// 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests [FF51+]
// Allow resources from domains with an existing HSTS cache record or in the HSTS preload list
// to be upgraded to HTTPS internally but disable sending out HSTS Priming requests, because
// those may cause noticeable delays e.g. requests time out or are not handled well by servers
@@ -2103,9 +2109,9 @@ user_pref("browser.cache.frecency_experiment", -1);
// [-] https://bugzilla.mozilla.org/1424917
user_pref("security.mixed_content.use_hsts", true);
user_pref("security.mixed_content.send_hsts_priming", false);
-// 1606: set the default Referrer Policy - replaced by network.http.referer.defaultPolicy
+// 1606: set the default Referrer Policy [FF53+] - replaced by network.http.referer.defaultPolicy
// [-] https://bugzilla.mozilla.org/587523
-user_pref("network.http.referer.userControlPolicy", 3); // (FF53-FF58) default: 3
+user_pref("network.http.referer.userControlPolicy", 3);
// 1804: disable plugins using external/untrusted scripts with XPCOM or XPConnect
// [-] (part8) https://bugzilla.mozilla.org/1416703#c21
user_pref("security.xpconnect.plugin.unrestricted", false);
@@ -2128,14 +2134,14 @@ user_pref("dom.idle-observers-api.enabled", false);
user_pref("browser.newtabpage.directory.source", "data:text/plain,");
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);
-// 0512: disable Shield (FF53+) - replaced internally by Normandy (see 0503)
+// 0512: disable Shield - replaced internally by Normandy (see 0503) [FF53+]
// Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
// [1] https://wiki.mozilla.org/Firefox/Shield
// [2] https://github.com/mozilla/normandy
// [-] https://bugzilla.mozilla.org/1436113
user_pref("extensions.shield-recipe-client.enabled", false);
user_pref("extensions.shield-recipe-client.api_url", "");
-// 0514: disable Activity Stream (FF54+)
+// 0514: disable Activity Stream [FF54+]
// [-] https://bugzilla.mozilla.org/1433324
user_pref("browser.newtabpage.activity-stream.enabled", false);
// 2301: disable workers
@@ -2158,7 +2164,7 @@ user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);
-// 2612: disable remote JAR files being opened, regardless of content type (FF42+)
+// 2612: disable remote JAR files being opened, regardless of content type [FF42+]
// [1] https://bugzilla.mozilla.org/1173171
// [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/
// [-] https://bugzilla.mozilla.org/1427726
@@ -2176,18 +2182,18 @@ user_pref("plugin.state.java", 0);
// 0202: disable GeoIP-based search results
// [NOTE] May not be hidden if Firefox has changed your settings due to your locale
// [-] https://bugzilla.mozilla.org/1462015
-user_pref("browser.search.countryCode", "US"); // (hidden pref)
+user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF]
// 0301a: disable auto-update checks for Firefox
// [SETTING] General>Firefox Updates>Never check for updates
// [-] https://bugzilla.mozilla.org/1420514
// user_pref("app.update.enabled", false);
-// 0402: enable Kinto blocklist updates (FF50+)
+// 0402: enable Kinto blocklist updates [FF50+]
// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
// As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be
// revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes
// [-] https://bugzilla.mozilla.org/1458917
user_pref("services.blocklist.update_enabled", true);
-// 0503: disable "Savant" Shield study (FF61+)
+// 0503: disable "Savant" Shield study [FF61+]
// [-] https://bugzilla.mozilla.org/1457226
user_pref("shield.savant.enabled", false);
// 1031: disable favicons in tabs and new bookmarks - merged into browser.chrome.site_icons
@@ -2199,7 +2205,7 @@ user_pref("shield.savant.enabled", false);
user_pref("media.autoplay.enabled", false);
// 2704: set cookie lifetime in days (see 2703)
// [-] https://bugzilla.mozilla.org/1457170
- // user_pref("network.cookie.lifetime.days", 90); // default: 90
+ // user_pref("network.cookie.lifetime.days", 90); // [DEFAULT: 90]
// 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder
// [-] https://bugzilla.mozilla.org/1473595
// user_pref("browser.ctrlTab.previews", true);
