diff --git a/SecureFox.js b/SecureFox.js
index 3cb6d3c..e843594 100644
--- a/SecureFox.js
+++ b/SecureFox.js
@@ -11,7 +11,7 @@
  * SecureFox                                                                *
  * "Natura non constristatur"                                               *     
  * priority: provide sensible security and privacy                          *  
- * version: September 2022                                                  *
+ * version: October 2022                                                    *
  * url: https://github.com/yokoffing/Better-Fox                             *                   
 ****************************************************************************/
 
@@ -36,15 +36,16 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true); // enabled
 user_pref("privacy.socialtracking.block_cookies.enabled", true); // enabled with "Strict"
    // user_pref("browser.contentblocking.customBlockList.preferences.ui.enabled", true);
 user_pref("privacy.partition.network_state.ocsp_cache", true); // enabled with "Strict"
-user_pref("privacy.query_stripping.enabled", true); // enabled with "Strict"
 user_pref("privacy.trackingprotection.emailtracking.enabled", true); // EXPERIMENTAL
 // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1773695
 
-// PREF: Lower the priority of network loads for resources on the tracking protection list.
-// [1] https://github.com/arkenfox/user.js/issues/102#issuecomment-298413904
-   // user_pref("privacy.trackingprotection.lower_network_priority", true);
+// PREF: query stripping
+// We set the same query stripping list that Brave uses:
+// https://github.com/brave/brave-core/blob/f337a47cf84211807035581a9f609853752a32fb/browser/net/brave_site_hacks_network_delegate_helper.cc
+user_pref("privacy.query_stripping.enabled", true); // enabled with "Strict"
+user_pref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oft_c oft_ck oft_d oft_id oft_ids oft_k oft_lk oft_sk oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");
 
-// PREF: allow embedded tweets and Reddit posts
+// PREF: allow embedded tweets, Instagram, and Reddit posts
 // [TEST - reddit embed] https://www.pcgamer.com/amazing-halo-infinite-bugs-are-already-rolling-in/
 // [TEST - instagram embed] https://www.ndtv.com/entertainment/bharti-singh-and-husband-haarsh-limbachiyaa-announce-pregnancy-see-trending-post-2646359
 // [TEST - tweet embed] https://www.newsweek.com/cryptic-tweet-britney-spears-shows-elton-john-collab-may-date-back-2015-1728036
@@ -53,6 +54,16 @@ user_pref("privacy.trackingprotection.emailtracking.enabled", true); // EXPERIME
 user_pref("urlclassifier.trackingSkipURLs", "*.reddit.com, *.twitter.com, *.twimg.com"); // MANUAL
 user_pref("urlclassifier.features.socialtracking.skipURLs", "*.instagram.com, *.twitter.com, *.twimg.com"); // MANUAL
 
+// PREF: lower the priority of network loads for resources on the tracking protection list
+// [NOTE] Applicable because we allow for some social embeds
+// [1] https://github.com/arkenfox/user.js/issues/102#issuecomment-298413904
+user_pref("privacy.trackingprotection.lower_network_priority", true);
+
+// PREF: disable allowance for embedded tweets, Instagram, and Reddit posts [OVERRIDE]
+user_pref("urlclassifier.trackingSkipURLs", "");
+user_pref("urlclassifier.features.socialtracking.skipURLs", "");
+user_pref("privacy.trackingprotection.lower_network_priority", false);
+
 // PREF: Site Isolation
 // Creates operating system process-level boundaries for all sites loaded in Firefox for Desktop. Isolating each site
 // into a separate operating system process makes it harder for malicious sites to read another site’s private data.
@@ -87,15 +98,16 @@ user_pref("browser.contentblocking.reject-and-isolate-cookies.preferences.ui.ena
 // [1] https://www.zdnet.com/article/firefox-to-ship-network-partitioning-as-a-new-anti-tracking-defense/
 // [2] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#network_partitioning
 // [3] https://blog.mozilla.org/security/2021/01/26/supercookie-protections/
-user_pref("privacy.partition.network_state", true); // default
+user_pref("privacy.partition.network_state", true); // DEFAULT
 user_pref("privacy.partition.network_state.ocsp_cache", true); // enabled with "Strict"
-user_pref("privacy.partition.serviceWorkers", true);
-user_pref("privacy.partition.bloburl_per_agent_cluster", true);
+user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+]
+      // user_pref("privacy.partition.bloburl_per_agent_cluster", true); [regressions]
 user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
 
 // PREF: Smartblock
 // [1] https://support.mozilla.org/en-US/kb/smartblock-enhanced-tracking-protection
 // [2] https://www.youtube.com/watch?v=VE8SrClOTgw
+// [3] https://searchfox.org/mozilla-central/source/browser/extensions/webcompat/data/shims.js
 user_pref("extensions.webcompat.enable_shims", true); // default
 
 // PREF: Redirect Tracking Prevention
@@ -145,44 +157,42 @@ user_pref("dom.storage.next_gen", true); // default
 /****************************************************************************
  * SECTION: OSCP & CERTS / HPKP (HTTP Public Key Pinning)                   *
 ****************************************************************************/
+
 // PREF: OCSP (Online Certificate Status Protocol)
+// OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host
+// OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder
+// OCSP adds latency
+// Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10)
+// Firefox falls back on plain OCSP when must-staple is not configured on the host certificate
 // [1] https://scotthelme.co.uk/revocation-is-broken/
 // [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
 
 // PREF: enforce OCSP fetching to confirm current validity of certificates
-// 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
 // OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
 // It's a trade-off between security (checking) and privacy (leaking info to the CA)
 // Unlike Chrome, Firefox’s default settings also query OCSP responders to confirm the validity
 // of SSL/TLS certificates. However, because OCSP query failures are so common, Firefox
-// (like other browsers) implements a “soft-fail” policy. 
+// (like other browsers) implements a “soft-fail” policy
 // [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
 // [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers...
 // [1] https://en.wikipedia.org/wiki/Ocsp
 // [2] https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/#ftoc-heading-3
+// 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
 user_pref("security.OCSP.enabled", 0); // [DEFAULT: 1]
 
-// PREF: Enterprise Root Certificates of the operating system is not automatically activated
-// user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
-
 // PREF: set OCSP fetch failures to hard-fail
 // When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
 // Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
 // It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
 // could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
-// [WARNING] Expect breakage
+// [WARNING] Expect breakage:
+// security.OCSP.require will make the connection fail when the OCSP responder is unavailable
+// security.OCSP.require is known to break browsing on some captive portals
 // [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
 // [2] https://www.imperialviolet.org/2014/04/19/revchecking.html
 // [3] https://www.ssl.com/blogs/how-do-browsers-handle-revoked-ssl-tls-certificates/#ftoc-heading-3
-// user_pref("security.OCSP.require", true);
-
-// PREF: enable strict pinning
-// PKP (Public Key Pinning) 0=disabled, 1=allow user MiTM (such as your antivirus), 2=strict
-// If you rely on an AV (antivirus) to protect your web browsing
-// by inspecting ALL your web traffic, then leave at current default=1
-// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206
-user_pref("security.cert_pinning.enforcement_level", 2);
-
+      // user_pref("security.OCSP.require", true);
+      
 // PREF: enable CRLite
 // In FF84+ it covers valid certs and in mode 2 doesn't fall back to OCSP
 // 0 = disabled
@@ -194,6 +204,17 @@ user_pref("security.cert_pinning.enforcement_level", 2);
 user_pref("security.remote_settings.crlite_filters.enabled", true);
 user_pref("security.pki.crlite_mode", 2);
 
+// PREF: enable strict pinning
+// PKP (Public Key Pinning) 0=disabled, 1=allow user MiTM (such as your antivirus), 2=strict
+// If you rely on an AV (antivirus) to protect your web browsing
+// by inspecting ALL your web traffic, then leave at current default=1
+// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206
+user_pref("security.cert_pinning.enforcement_level", 2);
+
+// PREF: disable Enterprise Root Certificates of the operating system
+user_pref("security.enterprise_roots.enabled", false); // DEFAULT
+      // user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
+
 /****************************************************************************
  * SECTION: SSL (Secure Sockets Layer) / TLS (Transport Layer Security)    *
 ****************************************************************************/
@@ -216,7 +237,7 @@ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 // [2] https://datatracker.ietf.org/doc/html/rfc5746
 // [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 // [4] https://www.ssllabs.com/ssl-pulse/
-// user_pref("security.ssl.require_safe_negotiation", true);
+      // user_pref("security.ssl.require_safe_negotiation", true);
 
 // PREF: display advanced information on Insecure Connection warning pages
 // only works when it's possible to add an exception
@@ -242,7 +263,8 @@ user_pref("security.tls.enable_0rtt_data", false);
 ****************************************************************************/
 
 // PREF: disable rendering of SVG OpenType fonts
-user_pref("gfx.font_rendering.opentype_svg.enabled", false);
+// [1] https://github.com/arkenfox/user.js/issues/1529
+      // user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 
 // PREF: limit font visibility (Windows, Mac, some Linux) [FF94+]
 // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
@@ -250,14 +272,21 @@ user_pref("gfx.font_rendering.opentype_svg.enabled", false);
 // In Private Browsing windows: uses the most restrictive between normal and private
 // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
 // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
-user_pref("layout.css.font-visibility.private", 1);
-user_pref("layout.css.font-visibility.standard", 1);
-user_pref("layout.css.font-visibility.trackingprotection", 1);
+      // user_pref("layout.css.font-visibility.standard", 1); // Normal Browsing windows with tracking protection disabled(?)
+user_pref("layout.css.font-visibility.trackingprotection", 1); // Normal Browsing windows with tracking protection enabled
+user_pref("layout.css.font-visibility.private", 1); // Private Browsing windows
+user_pref("layout.css.font-visibility.resistFingerprinting", 1); // DEFAULT
 
 /****************************************************************************
  * SECTION: RESIST FINGERPRINTING (RFP)                                     *
 ****************************************************************************/
 
+// PREF: enable advanced fingerprinting protection 
+// [WARNING] Leave disabled unless you're okay with all the drawbacks
+// [1] https://librewolf.net/docs/faq/#what-are-the-most-common-downsides-of-rfp-resist-fingerprinting
+// [2] https://old.reddit.com/r/firefox/comments/wuqpgi/comment/ile3whx/?context=3
+      // user_pref("privacy.resistFingerprinting", true);
+
 // PREF: set new window size rounding max values [FF55+]
 // [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
 // [1] https://bugzilla.mozilla.org/1330882
@@ -285,7 +314,7 @@ user_pref("widget.non-native-theme.enabled", true); // [DEFAULT: true]
 ****************************************************************************/
 
 // PREF: disable disk cache
-// [NOTE] If you think disk cache helps perf, then feel free to override this
+// [NOTE] If you think disk cache helps performance, then feel free to override this
 user_pref("browser.cache.disk.enable", false);
 
 // PREF: disable media cache from writing to disk in Private Browsing
@@ -298,8 +327,9 @@ user_pref("media.memory_cache_max_size", 65536); // 8x default size of 8192 [per
 // 0=everywhere, 1=unencrypted sites, 2=nowhere
 user_pref("browser.sessionstore.privacy_level", 2);
 
-// PREF: disable shortcut favicons from being stored in profile
-user_pref("browser.shell.shortcutFavicons", false);
+// PREF: disable shortcut favicons from being stored in profile [broken?]
+// Doesn't seem to work on any configurations
+      // user_pref("browser.shell.shortcutFavicons", false);
 
 // PREF: disable page thumbnails capturing
 user_pref("browser.pagethumbnails.capturing_disabled", true); // [depreciated?]
@@ -350,65 +380,57 @@ user_pref("privacy.sanitize.timeSpan", 0);
 /******************************************************************************
  * SECTION: SHUTDOWN & SANITIZING                           *
 ******************************************************************************/
-// PREF: enable Firefox to clear items on shutdown
-// This infographic is most helpful:
-// [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1765533#c1
+
+// PREF: clear browsing data on shutdown, while respecting site exceptions
+// Set cookies, site data, cache, etc. to clear on shutdown
+// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
+// [INFOGRAPHIC] https://bugzilla.mozilla.org/show_bug.cgi?id=1765533#c1
+// [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
+// [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication (1), not logins via cookies
+// [1] https://en.wikipedia.org/wiki/Basic_access_authentication
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
 
-// PREF: SANITIZE ON SHUTDOWN: RESPECTS SITE EXCEPTIONS FF102+
-// Set cookies, site data, and cache to clear on shutdown
+// Uncomment individual prefs to disable clearing on shutdown:
+// [NOTE] If "history" is true, downloads will also be cleared
+user_pref("privacy.clearOnShutdown.offlineApps", true);
+// user_pref("privacy.clearOnShutdown.history", false);
+      // user_pref("privacy.clearOnShutdown.downloads", false);
+// user_pref("privacy.clearOnShutdown.formdata", false);
+// user_pref("privacy.clearOnShutdown.sessions", false);
+user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
+
+// PREF: configure site exceptions
+// Currently, there is no way to add sites via about:config
+// [SETTING] to manage site exceptions: Options>Privacy & Security>Cookies & Site Data>Manage Exceptions
+// [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question)
 // For cross-domain logins, add exceptions for both sites:
 // e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on)
-// [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
 // [WARNING] Be selective with what cookies you keep, as they also disable partitioning (1)
-// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow (when on the website in question)
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings
 // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1767271
-user_pref("privacy.clearOnShutdown.offlineApps", true);
-user_pref("privacy.clearOnShutdown.cookies", true);
-user_pref("privacy.clearOnShutdown.cache", true);
-
-// PREF: SANITIZE ON SHUTDOWN: ALL OR NOTHING
-// Set/enforce what items to clear on shutdown
-// [NOTE] If "history" is true, downloads will also be cleared
-// [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
-// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
-// [1] https://en.wikipedia.org/wiki/Basic_access_authentication
-// user_pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown.history", false);   // [DEFAULT: true]
-   user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true]
-   // user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
 
 /******************************************************************************
  * SECTION: SPECULATIVE CONNECTIONS                           *
 ******************************************************************************/
 
-// [NOTE] Firefox 85+ partitions (isolates) pooled connections, prefetch connections, pre-connect connections,
-// speculative connections, TLS session identifiers, and other connections. We can take advantage of the speed of
-// pre-connections while preserving privacy. Users may harden these settings to their preference.
-// For more information, see "PREF: State Paritioning" and "PREF: Network Partitioning".
-
 // [NOTE] uBlock Origin overrides Firefox defaults and sets these settings to false. To enable:
 // [SETTINGS] uBlock Origin -> Extension options -> Settings -> Privacy -> uncheck "Disable pre-fetching"
 
-// PREF: Network Predictor
-// Keeps track of components that were loaded during page visits so that the browser knows next time
-// which resources to request from the server: It uses a local file to remember which resources were
-// needed when the user visits a webpage (such as image.jpg and script.js), so that the next time the
-// user mouseovers a link to that webpage, this history can be used to predict what resources will
-// be needed rather than wait for the document to link those resources.
-// Only performs pre-connect, not prefetch, by default. No data is actually sent to the site until a user actively clicks a link.
-// [NOTE] DNS pre-resolve and TCP preconnect (which includes SSL handshake). Honors settings in Private Browsing to erase data.
-// [1] https://wiki.mozilla.org/Privacy/Reviews/Necko
-// [2] https://www.ghacks.net/2014/05/11/seer-disable-firefox/
-// [3] https://github.com/dillbyrne/random-agent-spoofer/issues/238#issuecomment-110214518
-// [4] https://www.igvita.com/posa/high-performance-networking-in-google-chrome/#predictor
-user_pref("network.predictor.enabled", false);
-// Fetch critical resources on the page ahead of time as determined by the local file, to accelerate rendering of the page.
-// user_pref("network.predictor.enable-hover-on-ssl", false);
-user_pref("network.predictor.enable-prefetch", false);
+// PREF: New tab preload
+// [WARNING] Disabling this may cause a delay when opening a new tab in Firefox
+// [1] https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
+user_pref("browser.newtab.preload", false);
+
+// PREF: Speculative connections on New Tab page
+// Firefox will open predictive connections to sites when the user hovers their mouse over thumbnails
+// on the New Tab Page or the user starts to search in the Search Bar, or in the search field on the
+// New Tab Page. In case the user follows through with the action, the page can begin loading faster
+// since some of the work was already started in advance.
+// [NOTE] TCP and SSL handshakes are set up in advance but page contents are not downloaded until a click on the link is registered
+// [1] https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections?redirectslug=how-stop-firefox-automatically-making-connections&redirectlocale=en-US#:~:text=Speculative%20pre%2Dconnections
+// [2] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
+// [3] https://www.keycdn.com/blog/resource-hints#prefetch
+// [4] https://3perf.com/blog/link-rels/#prefetch
+user_pref("network.http.speculative-parallel-limit", 0);
 
 // PREF: DNS pre-resolve <link rel="dns-prefetch">
 // Resolve hostnames ahead of time, to avoid DNS latency.
@@ -421,46 +443,14 @@ user_pref("network.predictor.enable-prefetch", false);
 user_pref("network.dns.disablePrefetch", true);
 user_pref("network.dns.disablePrefetchFromHTTPS", true); // DEFAULT
 
-// PREF: Preconnect to the autocomplete URL in the address bar
-// Firefox preloads URLs that autocomplete when a user types into the address bar.
-// Connects to destination server ahead of time, to avoid TCP handshake latency.
-// [NOTE] Firefox will perform DNS lookup and TCP and TLS handshake, but will not start sending or receiving HTTP data.
-// [1] https://www.ghacks.net/2017/07/24/disable-preloading-firefox-autocomplete-urls/
-user_pref("browser.urlbar.speculativeConnect.enabled", false);
-
-// PREF: Link prefetching <link rel="prefetch">
-// Firefox will prefetch certain links if any of the websites you are viewing uses the special prefetch-link tag.
-// A directive that tells a browser to fetch a resource that will likely be needed for the next navigation.
-// The resource will be fetched with extremely low priority (since everything the browser knows
-// is needed in the current page is more important than a resource that we guess might be needed in the next one).
-// Prefetch’s main use case is speeding up the next navigation rather than the current one.
-// When the user clicks on a link, or initiates any kind of page load, link prefetching will stop and any prefetch hints will be discarded.
-// [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Privacy_implications
-// [2] http://www.mecs-press.org/ijieeb/ijieeb-v7-n5/IJIEEB-V7-N5-2.pdf
-// [3] https://timkadlec.com/remembers/2020-06-17-prefetching-at-this-age/
-// [4] https://3perf.com/blog/link-rels/#prefetch
-user_pref("network.prefetch-next", false);
-
-// PREF: Prefetch links upon hover
-// When you hover over links, connections are established to linked domains and servers automatically to speed up the loading
-// process should you click on the link. To improve the loading speed, Firefox will open predictive connections to sites when
-// the user hovers their mouse over. In case the user follows through with the action, the page can begin loading faster since
-// some of the work was already started in advance. Focuses on fetching a resource for the NEXT navigation.
-// [NOTE] TCP and SSL handshakes are set up in advance but page contents are not downloaded until a click on the link is registered.
-// [?] Only affects the new tab page? https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections?redirectslug=how-stop-firefox-automatically-making-connections&redirectlocale=en-US#:~:text=Speculative%20pre%2Dconnections
-// [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
-// [2] https://www.keycdn.com/blog/resource-hints#prefetch
-// [3] https://3perf.com/blog/link-rels/#prefetch
-user_pref("network.http.speculative-parallel-limit", 0);
-
 // PREF: Preload <link rel=preload>
+// This tells the browser that the resource should be loaded as part of the current navigation
+// and it should start fetching it ASAP. This attribute can be applied to CSS, fonts, images, JavaScript files and more.
 // This tells the browser to download and cache a resource (like a script or a stylesheet) as soon as possible.
 // The browser doesn’t do anything with the resource after downloading it. Scripts aren’t executed, stylesheets
 // aren’t applied. It’s just cached – so that when something else needs it, it’s available immediately.
 // Focuses on fetching a resource for the CURRENT navigation.
 // [NOTE] Unlike other pre-connection tags (except modulepreload), this tag is mandatory for the browser.
-// A browser is required to download the resource specified in <link rel="preload">. With other tags described here,
-// a browser is free to skip preloading the resource if it decides to (e.g. if the network is slow).
 // [1] https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types/preload
 // [2] https://w3c.github.io/preload/
 // [3] https://3perf.com/blog/link-rels/#preload
@@ -468,32 +458,86 @@ user_pref("network.http.speculative-parallel-limit", 0);
 // [5] https://www.smashingmagazine.com/2016/02/preload-what-is-it-good-for/#how-can-preload-do-better
 // [6] https://www.keycdn.com/blog/resource-hints#preload
 // [7] https://github.com/arkenfox/user.js/issues/1098#issue-791949341
-// user_pref("network.preload", false);
+// [8] https://yashints.dev/blog/2018/10/06/web-perf-2#preload
+// [9] https://web.dev/preload-critical-assets/
+user_pref("network.preload", true); // DEFAULT
 
-// PREF: New tab preload
-// [WARNING] Disabling this causes a delay when opening a new tab in Firefox.
-// [1] https://wiki.mozilla.org/Tiles/Technical_Documentation#Ping
-// [2] https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-source
-// [3] https://gecko.readthedocs.org/en/latest/browser/browser/DirectoryLinksProvider.html#browser-newtabpage-directory-ping
-user_pref("browser.newtab.preload", false);
+// PREF: Preconnect to the autocomplete URL in the address bar
+// Firefox preloads URLs that autocomplete when a user types into the address bar.
+// Connects to destination server ahead of time, to avoid TCP handshake latency.
+// [NOTE] Firefox will perform DNS lookup (if enabled) and TCP and TLS handshake,
+// but will not start sending or receiving HTTP data.
+// [1] https://www.ghacks.net/2017/07/24/disable-preloading-firefox-autocomplete-urls/
+user_pref("browser.urlbar.speculativeConnect.enabled", false);
 
 // PREF: disable mousedown speculative connections on bookmarks and history
 user_pref("browser.places.speculativeConnect.enabled", false);
 
+// PREF: Link prefetching <link rel="prefetch">
+// Firefox will prefetch certain links if any of the websites you are viewing uses the special prefetch-link tag.
+// A directive that tells a browser to fetch a resource that will likely be needed for the next navigation.
+// The resource will be fetched with extremely low priority (since everything the browser knows
+// is needed in the current page is more important than a resource that we guess might be needed in the next one).
+// Speeds up the NEXT navigation rather than the current one.
+// When the user clicks on a link, or initiates any kind of page load, link prefetching will stop and any prefetch hints will be discarded.
+// [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ#Privacy_implications
+// [2] http://www.mecs-press.org/ijieeb/ijieeb-v7-n5/IJIEEB-V7-N5-2.pdf
+// [3] https://timkadlec.com/remembers/2020-06-17-prefetching-at-this-age/
+// [4] https://3perf.com/blog/link-rels/#prefetch
+user_pref("network.prefetch-next", false);
+
+// PREF: Network Predictor (NP)
+// Keeps track of components that were loaded during page visits so that the browser knows next time
+// which resources to request from the server: It uses a local file to remember which resources were
+// needed when the user visits a webpage (such as image.jpg and script.js), so that the next time the
+// user prepares to go to that webpage (upon navigation? URL bar? mouseover?), this history can be used
+// to predict what resources will be needed rather than wait for the document to link those resources.
+/// NP only performs pre-connect, not prefetch, by default, including DNS pre-resolve and TCP preconnect
+// (which includes SSL handshake). No data is actually sent to the site until a user actively clicks
+// a link. However, NP is still opening TCP connections and doing SSL handshakes, so there is still
+// information leakage about your browsing patterns. This isn't desirable from a privacy perspective.
+// [NOTE] Disabling DNS prefetching disables the DNS prefetching behavior of NP
+// [1] https://wiki.mozilla.org/Privacy/Reviews/Necko
+// [2] https://www.ghacks.net/2014/05/11/seer-disable-firefox/
+// [3] https://github.com/dillbyrne/random-agent-spoofer/issues/238#issuecomment-110214518
+// [4] https://www.igvita.com/posa/high-performance-networking-in-google-chrome/#predictor
+user_pref("network.predictor.enabled", false);
+
+// PREF: NP fetches resources on the page ahead of time, to accelerate rendering of the page
+// Performs both pre-connect and prefetch
+user_pref("network.predictor.enable-prefetch", false);
+
+// PREF: NP activates upon hovered links:
+// The next time the user mouseovers a link to that webpage, history is used to predict what
+// resources will be needed rather than wait for the document to link those resources.
+// When you hover over links, connections are established to linked domains and servers
+// automatically to speed up the loading process should you click on the link. To improve the
+// loading speed, Firefox will open predictive connections to sites when the user hovers their
+// mouse over. In case the user follows through with the action, the page can begin loading
+// faster since some of the work was already started in advance. Focuses on fetching a resource
+// for the NEXT navigation.
+user_pref("network.predictor.enable-hover-on-ssl", false); // DEFAULT
+
 /******************************************************************************
  * SECTION: SEARCH / URL BAR                              *
 ******************************************************************************/
 
 // PREF: do not trim certain parts of the URL
 // [1] https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/browser.urlbar.trimURLs#values
-// user_pref("browser.urlbar.trimURLs", false);
+      // user_pref("browser.urlbar.trimURLs", false);
 
-// PREF: Enable a seperate search engine for Private Windows
-// Remember to go into Preferences -> Search and select another search provider (like DuckDuckGo)
+// PREF: enable a seperate search engine for Private Windows
+// [SETTINGS] Preferences -> Search and select another search provider (like DuckDuckGo)
 user_pref("browser.search.separatePrivateDefault", true);
 user_pref("browser.search.separatePrivateDefault.ui.enabled", true);
 
-// PREF: Disable live search engine suggestions (Google, Bing, etc.)
+// PREF: enable option to add custom search
+// [SETTINGS] Settings -> Search -> Search Shortcuts -> Add
+// [EXAMPLE] https://lite.duckduckgo.com/lite/?q=%s
+// [1] https://reddit.com/r/firefox/comments/xkzswb/adding_firefox_search_engine_manually/
+user_pref("browser.urlbar.update2.engineAliasRefresh", true); // HIDDEN
+
+// PREF: disable live search engine suggestions (Google, Bing, etc.)
 // [WARNING] Search engines keylog every character you type from the URL bar
 user_pref("browser.search.suggest.enabled", false);
 user_pref("browser.search.suggest.enabled.private", false); // default
@@ -504,9 +548,10 @@ user_pref("browser.search.suggest.enabled.private", false); // default
 // user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // default FF104+
 
 // PREF: disable Firefox Suggest
-user_pref("browser.urlbar.groupLabels.enabled", false);
+// [1] https://github.com/arkenfox/user.js/issues/1257
 user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
 user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
+      // user_pref("browser.urlbar.groupLabels.enabled", false);
 
 // PREF: URL bar domain guessing
 // Domain guessing intercepts DNS "hostname not found errors" and resends a
@@ -586,10 +631,10 @@ user_pref("dom.security.https_only_mode_error_page_user_suggestions", true);
 // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1642387,1660945
 // [2] https://blog.mozilla.org/attack-and-defense/2021/03/10/insights-into-https-only-mode/
 user_pref("dom.security.https_only_mode_send_http_background_request", true); // DEFAULT
-         // user_pref("dom.security.https_only_fire_http_request_background_timer_ms", 500); // default=3000
+         // user_pref("dom.security.https_only_fire_http_request_background_timer_ms", 1250); // default=3000
 
 // PREF: Enable HTTPS-Only mode for local resources
-// user_pref("dom.security.https_only_mode.upgrade_local", true);
+      // user_pref("dom.security.https_only_mode.upgrade_local", true);
 
 /******************************************************************************
  * SECTION: DNS-over-HTTPS                                                    *
@@ -601,8 +646,8 @@ user_pref("dom.security.https_only_mode_send_http_background_request", true); //
 // [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
 // [2] https://www.internetsociety.org/blog/2018/12/dns-privacy-support-in-mozilla-firefox/
 // 0=off, 2=TRR preferred, 3=TRR only, 5=TRR disabled
-   // user_pref("network.trr.mode", 2); // enable TRR (with System fallback)
-user_pref("network.trr.mode", 3); // enable TRR (without System fallback)
+      // user_pref("network.trr.mode", 2); // enable TRR (with System fallback)
+      // user_pref("network.trr.mode", 3); // enable TRR (without System fallback)
 
 // PREF: DoH resolver
 // You will type between the "" for both prefs.
@@ -613,15 +658,24 @@ user_pref("network.trr.uri", "https://xxxx/dns-query");
 user_pref("network.trr.custom_uri", "https://xxxx/dns-query");
 user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 
+// PREF: enable Oblivious DoH
+// [1] https://blog.cloudflare.com/oblivious-dns/
+// [2] https://www.reddit.com/r/firefox/comments/xc9y4g/how_to_enable_oblivious_doh_odoh_for_enhanced_dns/
+      // user_pref("network.trr.mode", 3);
+      // user_pref("network.trr.odoh.enabled", true);
+      // user_pref("network.trr.odoh.configs_uri", "https://odoh.cloudflare-dns.com/.well-known/odohconfigs");
+      // user_pref("network.trr.odoh.target_host", "https://odoh.cloudflare-dns.com/");
+      // user_pref("network.trr.odoh.target_path", "dns-query");
+      // user_pref("network.trr.odoh.proxy_uri", "https://odoh1.surfdomeinen.nl/proxy");
+
 // PREF: DoH resolver list
-/ "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" },{ \"name\": \"NextDNS\", \"url\": \"https://trr.dns.nextdns.io/\" }]"
-***/
-   // user_pref("network.trr.resolvers", "[{ \"name\": \"<NAME1>\", \"url\": \"https://<URL1>\" }, { \"name\": \"<NAME2>\", \"url\": \"https://<URL2>\" }]");
-   // user_pref("network.trr.resolvers", "[{ \"name\": \"<NextDNS Custom>\", \"url\": \"https://dns.nextdns.io/7ad2e5/FF_WINDOWS\" }]");
+// [EXAMPLE] "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" },{ \"name\": \"NextDNS\", \"url\": \"https://trr.dns.nextdns.io/\" }]"
+      // user_pref("network.trr.resolvers", "[{ \"name\": \"<NAME1>\", \"url\": \"https://<URL1>\" }, { \"name\": \"<NAME2>\", \"url\": \"https://<URL2>\" }]");
+      // user_pref("network.trr.resolvers", "[{ \"name\": \"<NextDNS Custom>\", \"url\": \"https://dns.nextdns.io/7ad2e5/FF_WINDOWS\" }]");
 
 // PREF: Temporary workaround for DNS leak with DOH active [NO LONGER NEEDED]
 // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1730418
-// user_pref("network.dns.upgrade_with_https_rr", false);
+      // user_pref("network.dns.upgrade_with_https_rr", false);
 
 /******************************************************************************
  * SECTION: ESNI / ECH                            *
@@ -630,73 +684,119 @@ user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 // PREF: enable Encrypted Client Hello (ECH)
 // [1] https://blog.cloudflare.com/encrypted-client-hello/
 // [2] https://www.youtube.com/watch?v=tfyrVYqXQRE
-// user_pref("network.dns.echconfig.enabled", true);
-// user_pref("network.dns.use_https_rr_as_altsvc", true); // default
+      // user_pref("network.dns.echconfig.enabled", true);
+      // user_pref("network.dns.use_https_rr_as_altsvc", true); // DEFAULT
 
 // PREF: disable HTTP Alternative Services [FF37+]
-// [WHY] Already isolated by network partitioning (FF85+) or FPI 
-// user_pref("network.http.altsvc.enabled", false);
-// user_pref("network.http.altsvc.oe", false);
+// [WHY] Already isolated by network partitioning (FF85+)
+      // user_pref("network.http.altsvc.enabled", false);
+      // user_pref("network.http.altsvc.oe", false);
+
+/******************************************************************************
+ * SECTION: PROXY / SOCKS / IPv6                           *
+******************************************************************************/
+
+// PREF: disable IPv6
+// IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming
+// your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4
+// [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6
+// [NOTE] This is an application level fallback. Disabling IPv6 is best done at an
+// OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
+// then this won't make much difference. If you are masking your IP, then it can only help.
+// [NOTE] However, many VPN options now provide IPv6 coverage.
+// [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
+// [TEST] https://ipleak.org/
+// [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6)
+      // user_pref("network.dns.disableIPv6", true);
+
+// PREF: set the proxy server to do any DNS lookups when using SOCKS
+// e.g. in Tor, this stops your local DNS server from knowing your Tor destination
+// as a remote Tor node will handle the DNS request
+// [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
+// [SETTING] Settings>Network Settings>Proxy DNS when using SOCKS v5
+user_pref("network.proxy.socks_remote_dns", true);
+
+// PREF: disable using UNC (Uniform Naming Convention) paths [FF61+]
+// [SETUP-CHROME] Can break extensions for profiles on network shares
+// [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424
+user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
+
+// PREF: disable GIO as a potential proxy bypass vector
+// Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
+// dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+)
+// [1] https://bugzilla.mozilla.org/1433507
+// [2] https://en.wikipedia.org/wiki/GVfs
+// [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
+user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
 
 /******************************************************************************
  * SECTION: PASSWORDS                             *
 ******************************************************************************/
 
-// PREF: Disable autofilling saved passwords on HTTP pages and show warning
-// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119
-user_pref("signon.autofillForms.http", false);
-user_pref("security.insecure_field_warning.contextual.enabled", true);
-
-// Disable capturing credentials in private browsing
-user_pref("signon.privateBrowsingCapture.enabled", false);
-
-// PREF: Disable Firefox Lockwise (about:logins)
-// [1] https://lockwise.firefox.com/
-// [2] https://support.mozilla.org/en-US/kb/firefox-lockwise-managing-account-data
-user_pref("signon.management.page.breach-alerts.enabled", false); 
-user_pref("signon.management.page.breachAlertUrl", "");
-user_pref("browser.contentblocking.report.lockwise.enabled", false);
-user_pref("browser.contentblocking.report.lockwise.how_it_works.url", "");
-
-// PREF: Disable Firefox built-in password generator
-// Create passwords with random characters and numbers.
-// [NOTE] Doesn't work with Lockwise disabled!
-// [1] https://wiki.mozilla.org/Toolkit:Password_Manager/Password_Generation
-user_pref("signon.generation.available", false);
-user_pref("signon.generation.enabled", false);
-
-// PREF: Disable password manager
-// NOTE” This does not clear any passwords already saved
-user_pref("signon.rememberSignons", false);
-user_pref("signon.rememberSignons.visibilityToggle", false);
-user_pref("signon.schemeUpgrades", false);
-user_pref("signon.showAutoCompleteFooter", false);
-user_pref("signon.autologin.proxy", false);
-user_pref("signon.debug", false);
-
-// PREF: Disable Firefox import password from signons.sqlite file
-// [1] https://support.mozilla.org/en-US/questions/1020818
-user_pref("signon.management.page.fileImport.enabled", false);
-user_pref("signon.importedFromSqlite", false);
-user_pref("signon.recipes.path", "");
-
-// PREF: Disable auto-filling username & password form fields
-// Can leak in cross-site forms and be spoofed
-// NOTE: Username and password is still available when you enter the field
-user_pref("signon.autofillForms", false);
-user_pref("signon.autofillForms.autocompleteOff", true);
-user_pref("signon.showAutoCompleteOrigins", false);
-
-// PREF: Disable websites autocomplete
-// Don't let sites dictate use of saved logins and passwords. 
-user_pref("signon.storeWhenAutocompleteOff", false);
-
-// PREF: Disable formless login capture
+// PREF: disable formless login capture
 // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1166947
 user_pref("signon.formlessCapture.enabled", false);
 
-// PREF: Disable Firefox Monitor
-user_pref("extensions.fxmonitor.enabled", false);
+// PREF: disable capturing credentials in private browsing
+user_pref("signon.privateBrowsingCapture.enabled", false);
+
+// PREF: disable auto-filling username & password form fields
+// Can leak in cross-site forms and be spoofed
+// NOTE: Username and password is still available when you enter the field
+user_pref("signon.autofillForms", false);
+      // user_pref("signon.autofillForms.autocompleteOff", true);
+      // user_pref("signon.showAutoCompleteOrigins", false);
+
+// PREF: disable autofilling saved passwords on HTTP pages and show warning
+// [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1217152,1319119
+      // user_pref("signon.autofillForms.http", false);
+      // user_pref("security.insecure_field_warning.contextual.enabled", true);
+
+// PREF: disable password manager
+// [NOTE] This does not clear any passwords already saved
+user_pref("signon.rememberSignons", false);
+      // user_pref("signon.rememberSignons.visibilityToggle", false);
+      // user_pref("signon.schemeUpgrades", false);
+      // user_pref("signon.showAutoCompleteFooter", false);
+      // user_pref("signon.autologin.proxy", false);
+         // user_pref("signon.debug", false);
+
+// PREF: disable Firefox built-in password generator
+// Create passwords with random characters and numbers.
+// [NOTE] Doesn't work with Lockwise disabled!
+// [1] https://wiki.mozilla.org/Toolkit:Password_Manager/Password_Generation
+      // user_pref("signon.generation.available", false);
+      // user_pref("signon.generation.enabled", false);
+
+// PREF: disable Firefox Lockwise (about:logins)
+// [NOTE] No usernames or passwords are sent to third-party sites
+// [1] https://lockwise.firefox.com/
+// [2] https://support.mozilla.org/en-US/kb/firefox-lockwise-managing-account-data
+      // user_pref("signon.management.page.breach-alerts.enabled", false); 
+         // user_pref("signon.management.page.breachAlertUrl", "");
+      // user_pref("browser.contentblocking.report.lockwise.enabled", false);
+         // user_pref("browser.contentblocking.report.lockwise.how_it_works.url", "");
+
+// PREF: disable Firefox import password from signons.sqlite file
+// [1] https://support.mozilla.org/en-US/questions/1020818
+      // user_pref("signon.management.page.fileImport.enabled", false);
+      // user_pref("signon.importedFromSqlite", false);
+         // user_pref("signon.recipes.path", "");
+
+// PREF: disable websites autocomplete
+// Don't let sites dictate use of saved logins and passwords. 
+      // user_pref("signon.storeWhenAutocompleteOff", false);
+
+// PREF: disable Firefox Monitor
+      // user_pref("extensions.fxmonitor.enabled", false);
+      
+// PREF: enable native password manager [OVERRIDE]
+user_pref("signon.rememberSignons", true);
+user_pref("signon.autofillForms", true);
+user_pref("browser.formfill.enable", true);
+// enable autofill on page load:
+      // user_pref("signon.autofillForms.autocompleteOff", false);
+      // user_pref("signon.showAutoCompleteOrigins", true);
 
 /****************************************************************************
  * SECTION: ADDRESS + CREDIT CARD MANAGER                                   *
@@ -707,8 +807,6 @@ user_pref("extensions.fxmonitor.enabled", false);
 // [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
 // [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome
 user_pref("extensions.formautofill.addresses.enabled", false);
-user_pref("extensions.formautofill.available", "off");
-user_pref("extensions.formautofill.creditCards.available", false);
 user_pref("extensions.formautofill.creditCards.enabled", false);
 user_pref("extensions.formautofill.heuristics.enabled", false);
 user_pref("browser.formfill.enable", false);
@@ -811,8 +909,12 @@ user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
  * SECTION: CONTAINERS                                                        *
 ******************************************************************************/
 // PREF: enable Container Tabs and its UI setting [FF50+]
+// [NOTE] No longer a privacy benefit due to Firefox upgrades (see State Partitioning and Network Partitioning)
+// Useful if you want to login to the same site under different accounts
+// You also may want to download Multi-Account Containers for extra options (2)
 // [SETTING] General>Tabs>Enable Container Tabs
 // [1] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
+// [2] https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/
 user_pref("privacy.userContext.enabled", true);
 user_pref("privacy.userContext.ui.enabled", true);
 
@@ -820,6 +922,8 @@ user_pref("privacy.userContext.ui.enabled", true);
 // [NOTE] The menu is always shown on long press and right click
 // [SETTING] General>Tabs>Enable Container Tabs>Settings>Select a container for each new tab ***/
    // user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true);
+   
+   https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search
 
 /******************************************************************************
  * SECTION: WEBRTC                                                            *
@@ -900,41 +1004,76 @@ user_pref("media.peerconnection.ice.default_address_only", true);
  * SECTION: GOOGLE SAFE BROWSING (GSB)                                        *
 ******************************************************************************/
 
-// PREF: GSB checks for downloads (remote)
+// PREF: disable GSB (master switch)
+// Increased privacy away from Google, but less protection against threats.
+// [WARNING] Be sure to have alternate security measures if you disable Safe Browsing.
+// [SETTING] Privacy & Security>Security>... Block dangerous and deceptive content
+// [1] https://www.wikiwand.com/en/Google_Safe_Browsing#/Privacy
+// [2] https://ashkansoltani.org/2012/02/25/cookies-from-nowhere
+// [3] https://blog.cryptographyengineering.com/2019/10/13/dear-apple-safe-browsing-might-not-be-that-safe/
+user_pref("browser.safebrowsing.malware.enabled", false);
+user_pref("browser.safebrowsing.phishing.enabled", false);
+      // user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
+      // user_pref("browser.safebrowsing.provider.google4.updateURL", "");
+      // user_pref("browser.safebrowsing.provider.google.gethashURL", "");
+      // user_pref("browser.safebrowsing.provider.google.updateURL", "");
+
+// PREF: disable GSB checking downloads (master switch)
+// This is the master switch for the safebrowsing.downloads prefs
+// [SETTING] Privacy & Security>Security>... "Block dangerous downloads"
+user_pref("browser.safebrowsing.downloads.enabled", false);
+      
+// PREF: disable GSB checks for downloads (remote)
 // To verify the safety of certain executable files, Firefox may submit some information about the
 // file, including the name, origin, size and a cryptographic hash of the contents, to the Google
 // Safe Browsing service which helps Firefox determine whether or not the file should be blocked.
-user_pref("browser.safebrowsing.downloads.remote.enabled", false); // default
-// user_pref("browser.safebrowsing.downloads.remote.url", "");
-
-// PREF: GSB, master switch
-// WARNING: Be sure to have alternate security measures if you disable Safe Browsing.
-// Increased privacy away from Google, but less protection against threats.
-// Privacy & Security>Security>... "Block dangerous and deceptive content"
-// [1] https://www.wikiwand.com/en/Google_Safe_Browsing#/Privacy
-// [2] https://ashkansoltani.org/2012/02/25/cookies-from-nowhere
-user_pref("browser.safebrowsing.malware.enabled", false);
-user_pref("browser.safebrowsing.phishing.enabled", false);
-
-// PREF: GSB checking downloads local + remote, master switch
-// Privacy & Security>Security>... "Block dangerous downloads"
-user_pref("browser.safebrowsing.downloads.enabled", false);
-
-// PREF: GSB checks for unwanted software
-// Privacy & Security>Security>... "Warn you about unwanted and uncommon software"
+user_pref("browser.safebrowsing.downloads.remote.enabled", false); // DEFAULT
+      // user_pref("browser.safebrowsing.downloads.remote.url", "");
+// [SETTING] Privacy & Security>Security>... "Warn you about unwanted and uncommon software"
 user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
 user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
 
-// PREF: 'ignore this warning' on Google Safe Browsing warnings
+// PREF: disable 'ignore this warning' on GSB warnings
 // If clicked, it bypasses the block for that session. This is a means for admins to enforce SB.
 // [1] https://bugzilla.mozilla.org/1226490
-// user_pref("browser.safebrowsing.allowOverride", false);
-// user_pref("browser.safebrowsing.blockedURIs.enabled", true);
+user_pref("browser.safebrowsing.blockedURIs.enabled", false);
+user_pref("browser.safebrowsing.allowOverride", true); // DEFAULT
+
+// PREF: enforce GSB (local checks only) [OVERRIDE]
+// [NOTE] All the checks made by GSB will be performed locally, 
+// as if you enabled Safe Browsing in about:preferences#privacy
+// If you want to re-enable GSB, insert the following prefs in your overrides:
+user_pref("browser.safebrowsing.malware.enabled", true);
+user_pref("browser.safebrowsing.phishing.enabled", true);
+user_pref("browser.safebrowsing.blockedURIs.enabled", true);
+user_pref("browser.safebrowsing.allowOverride", false);
+// If you also want Safe Browsing to locally check your downloads, add:
+      // user_pref("browser.safebrowsing.downloads.enabled", false);
 
 /******************************************************************************
  * SECTION: MOZILLA                                                   *
 ******************************************************************************/
 
+// PREF: disable Firefox accounts
+// [ALTERNATIVE] Use xBrowserSync
+// [1] https://addons.mozilla.org/en-US/firefox/addon/xbs
+user_pref("identity.fxaccounts.enabled", false);
+
+// PREF: disable Push API
+// Push is an API that allows websites to send you (subscribed) messages even when the site
+// isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server.
+// [1] https://support.mozilla.org/en-US/kb/push-notifications-firefox
+// [2] https://developer.mozilla.org/en-US/docs/Web/API/Push_API
+// [3] https://www.reddit.com/r/firefox/comments/fbyzd4/the_most_private_browser_isnot_firefox/
+user_pref("dom.push.enabled", false);
+      // user_pref("dom.push.userAgentID", "");
+
+// PREF: Set a default permission for Notifications
+// To add site exceptions: Page Info>Permissions>Receive Notifications.
+// To manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings.
+// 0=always ask (default), 1=allow, 2=block
+user_pref("permissions.default.desktop-notification", 2);
+
 // PREF: Disable annoying location requests from websites
 user_pref("permissions.default.geo", 2);
 // PREF: Use Mozilla geolocation service instead of Google when geolocation is enabled
@@ -953,12 +1092,6 @@ user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
 // user_pref("browser.region.network.url", "");
 user_pref("browser.region.update.enabled", false);
 
-// PREF: Set a default permission for Notifications
-// To add site exceptions: Page Info>Permissions>Receive Notifications.
-// To manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings.
-// 0=always ask (default), 1=allow, 2=block
-user_pref("permissions.default.desktop-notification", 2);
-
 // PREF: Enforce Firefox blocklist for extensions + No hiding tabs
 // This includes updates for "revoked certificates".
 // [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
@@ -980,9 +1113,9 @@ user_pref("extensions.blocklist.enabled", true); // default
 /******************************************************************************
  * SECTION: TELEMETRY                                                   *
 ******************************************************************************/
+// Disable all the various Mozilla telemetry, studies, reports, etc.
 
-// PREF: disable all the various Mozilla telemetry, studies, reports, etc.
-// Telemtry
+// PREF: Telemetry
 user_pref("toolkit.telemetry.unified", false);
 user_pref("toolkit.telemetry.enabled", false);
 user_pref("toolkit.telemetry.server", "data:,");
@@ -993,19 +1126,19 @@ user_pref("toolkit.telemetry.updatePing.enabled", false);
 user_pref("toolkit.telemetry.bhrPing.enabled", false);
 user_pref("toolkit.telemetry.firstShutdownPing.enabled", false);
 
-// Corroborator
-user_pref("corroborator.enabled", false);
+// PREF: Corroborator
+      // user_pref("corroborator.enabled", false);
 
-// Telemetry Coverage
+// PREF: Telemetry Coverage
 user_pref("toolkit.telemetry.coverage.opt-out", true);
 user_pref("toolkit.coverage.opt-out", true);
-// user_pref("toolkit.coverage.endpoint.base", "");
+      // user_pref("toolkit.coverage.endpoint.base", "");
 
-// Health Reports
+// PREF: Health Reports
 // [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send technical data.
 user_pref("datareporting.healthreport.uploadEnabled", false);
 
-// New data submission, master kill switch
+// PREF: new data submission, master kill switch
 // If disabled, no policy is shown or upload takes place, ever
 // [1] https://bugzilla.mozilla.org/1195552
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
@@ -1013,7 +1146,6 @@ user_pref("datareporting.policy.dataSubmissionEnabled", false);
 // PREF: Studies
 // [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies
 user_pref("app.shield.optoutstudies.enabled", false);
-// user_pref("messaging-system.rsexperimentloader.enabled", false); [???]
 
 // Personalized Extension Recommendations in about:addons and AMO
 // [NOTE] This pref has no effect when Health Reports are disabled.
@@ -1021,9 +1153,9 @@ user_pref("app.shield.optoutstudies.enabled", false);
 user_pref("browser.discovery.enabled", false);
 
 // PREF: disable crash reports
-// user_pref("breakpad.reportURL", "");
+      // user_pref("breakpad.reportURL", "");
 user_pref("browser.tabs.crashReporting.sendReport", false);
-user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // default
+      user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // DEFAULT
 // PREF: backlogged crash reports
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
 
@@ -1031,24 +1163,24 @@ user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
 // [WARNING] Do NOT use for mobile devices. May NOT be able to use Firefox on public wifi (hotels, coffee shops, etc).
 // [1] https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy
 // [2] https://wiki.mozilla.org/Necko/CaptivePortal
-// user_pref("captivedetect.canonicalURL", "");
-// user_pref("network.captive-portal-service.enabled", false);
+      // user_pref("captivedetect.canonicalURL", "");
+      // user_pref("network.captive-portal-service.enabled", false);
 
 // PREF: Network Connectivity checks
 // [WARNING] Do NOT use for mobile devices. May NOT be able to use Firefox on public wifi (hotels, coffee shops, etc).
 // [1] https://bugzilla.mozilla.org/1460537
-// user_pref("network.connectivity-service.enabled", false);
+      // user_pref("network.connectivity-service.enabled", false);
 
 // PREF: software that continually reports what default browser you are using
 user_pref("default-browser-agent.enabled", false);
 
 // PREF: "report extensions for abuse"
-user_pref("extensions.abuseReport.enabled", false);
+      // user_pref("extensions.abuseReport.enabled", false);
 
 // PREF: Normandy/Shield [extensions tracking]
 // Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
 user_pref("app.normandy.enabled", false);
-// user_pref("app.normandy.api_url", "");
+user_pref("app.normandy.api_url", "");
 
 // PREF: PingCentre telemetry (used in several System Add-ons)
 // Currently blocked by 'datareporting.healthreport.uploadEnabled'