Updated Optional Hardening (markdown)

Optional-Hardening.md

@@ -1,24 +1,14 @@
-## Manual options
-
-### Change your **default search engine**.
-   * Alternatively, [select](https://support.mozilla.org/en-US/kb/change-your-default-search-settings-firefox#w_default-search-engine) a different search engine just for [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) windows.
-      1) Go to `☰` *→ Settings → Search → Default Search Engine*
-      2) Change your default search engine to DuckDuckGo, or [add](https://github.com/yokoffing/Betterfox/blob/04c3184359c83d7b58411c3b68f40f3e9d95c373/Securefox.js#L600-L604) a premium search engine like [Kagi](https://kagi.com/).
-
-### **Clear browsing data** on shutdown ([sanitize on close](https://github.com/yokoffing/Betterfox/blob/99f2e860633f307781ddb73d792358ad1bec6af5/Securefox.js#L409-L434)).
-
-* You can **allow exceptions** if you want to stay logged in to some sites:
-    1) Go to `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions*
-    2) Check *Delete cookies and site data when Firefox is closed*.
-* For cross-domain logins, add exceptions for both sites
-    * e.g. `https://www.youtube.com` (site) + `https://accounts.google.com` (single sign on)
-
-Also consider changing [`browser.sessionstore.privacy_level`](https://github.com/yokoffing/Betterfox/blob/ac69c81e8a61a46df579e9be6cb1cc3dcbac4c0b/Securefox.js#L377-L381) to `2`.
-***
-
 ## Overrides
 See [Common Overrides](https://github.com/yokoffing/Betterfox/wiki/Overrides) for instructions.
 
+### Default search engine
+Change your **default search engine**:
+* Alternatively, [select](https://support.mozilla.org/en-US/kb/change-your-default-search-settings-firefox#w_default-search-engine) a different search engine just for [Private Browsing](https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history) windows. (This is an option after you apply the `user.js`.)
+    1) Go to `☰` *→ Settings → Search → Default Search Engine*
+    2) Change your default search engine to DuckDuckGo, or [add](https://github.com/yokoffing/Betterfox/blob/04c3184359c83d7b58411c3b68f40f3e9d95c373/Securefox.js#L600-L604) a premium search engine like [Kagi](https://kagi.com/).
+
+***
+
 ### HTTPS-Only Mode
 We already [block](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L810-L827) HTTP subresources from loading on HTTPS pages and [attempt](https://github.com/yokoffing/Betterfox/blob/df5fc26a1bdccd30e01f3c1dfe69a09a2c050410/Securefox.js#L545-L550) to upgrade HTTP site navigation to HTTPS.
 ```
@@ -39,17 +29,6 @@ user_pref("urlclassifier.features.socialtracking.skipURLs", "");
 
 ***
 
-### Hide cross-site referrer
-:warning: This will break Instagram embeds, Bing login, `MangaPill.com`, and some images/video.
-```
-// PREF: do not to send a referrer when navigating to a different site
-// For subresources, the referrer is only sent to subdomains:
-// e.g., from a.example.com to b.example.com.
-user_pref("network.http.referer.XOriginPolicy", 1);
-```
-
-***
-
 ### Disable `default-browser-agent` (Windows only)
 On Windows, Mozilla [collects information](https://techdows.com/2020/04/what-is-firefox-default-browser-agent-and-how-to-disable-it.html) on what you've set as your default browser. However, disabling `default-browser-agent.enabled` also breaks the `Make Default...` button to set Firefox as the default browser.
 
@@ -63,15 +42,50 @@ user_pref("default-browser-agent.enabled", false);
 
 ***
 
-### DNS-over-HTTPS (DoH) 
-Setup your DoH settings. See [here](https://github.com/yokoffing/Betterfox/blob/dbaff70e63c74a856c30efbdbace5c63cf655888/Securefox.js#L612-L621)
+### Sanitize on close
+**Clear browsing data** on shutdown:
+* Go to `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Delete cookies and site data when Firefox is closed*
+
+You can **allow exceptions** if you want to stay logged in to some sites:
+* Go to `☰` *→ Settings → Privacy & Security → Cookies and Site Data → Manage Exceptions*
+* For cross-domain logins, add exceptions for both sites
+    * e.g. `https://www.youtube.com` (site) + `https://accounts.google.com` (single sign on)
 ```
-user_pref("network.trr.uri", "YOUR_DOH_HERE");
+// PREF: clear browsing data on shutdown, while respecting site exceptions
+user_pref("privacy.sanitize.sanitizeOnShutdown", true);
+user_pref("privacy.clearOnShutdown.history", true);
+user_pref("privacy.clearOnShutdown.downloads", true);
+user_pref("privacy.clearOnShutdown.formdata", true);
+user_pref("privacy.clearOnShutdown.sessions", true);
+user_pref("privacy.clearOnShutdown.offlineApps", true);
+user_pref("privacy.clearOnShutdown.siteSettings", false);
+user_pref("browser.sessionstore.privacy_level", 2);
+```
+
+***
+
+### DNS-over-HTTPS (DoH) 
+Enforce your DoH settings. See [here](https://github.com/yokoffing/Betterfox/blob/dbaff70e63c74a856c30efbdbace5c63cf655888/Securefox.js#L612-L621).
+```
+user_pref("network.trr.uri", "PASTE_YOUR_DOH_ADDRESS_HERE");
 user_pref("network.trr.mode", 3); // enforce TRR (without System fallback)
 ```
 
 ***
 
+### Hide cross-site referrer
+Do not send a [referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) when navigating to a different site (e.g., `google.com` → `facebook.com`).
+
+For subresources, the referrer will only be sent to subdomains (e.g., `a.example.com` → `b.example.com`).
+
+:warning: This will break Instagram embeds, Bing login, `MangaPill.com`, and some images/videos. :warning:
+```
+// PREF: do not to send a referrer when navigating to a different site
+user_pref("network.http.referer.XOriginPolicy", 1);
+```
+
+***
+
 ## Fingerprinting
 Fingerprinting is a high [threat model](https://thenewoil.org/en/guides/prologue/threatmodel/) issue that is only [addressed](https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo-RFP-or-Not%5D#-fingerprinting) reasonably by Tor.<sup>[1](https://youtu.be/5NrbdO4yWek?t=4334)</sup>