finalize 62

https://bugzilla.mozilla.org/show_bug.cgi?id=1363508

README.md

@@ -14,7 +14,7 @@ Literally thousands of sources, references and suggestions. That said...
 * Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
 * The ghacks community and commentators
 * [12bytes](http://12bytes.org/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
-   * The 12bytes article now uses this user.js and supplements it with an additonal JS hosted right [here](https://github.com/atomGit/Firefox-user.js) at github
+   * The 12bytes article now uses this user.js and supplements it with an additonal JS hosted at [GitLab](https://gitlab.com/labwrat/Firefox-user.js/tree/master)
 
 <sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.
 

scratchpad-scripts/ghacks-clear-[removed].js

@@ -1,7 +1,7 @@
 /***
  This will reset the preferences that have been removed completely from the ghacks user.js.
 
- Last updated: 08-Sept-2018
+ Last updated: 30-Sept-2018
 
  For instructions see:
  https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@@ -102,6 +102,10 @@
     /* 62-beta */
     'browser.urlbar.autoFill.typed',
     'security.tls.version.fallback-limit',
+    /* 63-beta */
+    'extensions.webextensions.keepStorageOnUninstall',
+    'extensions.webextensions.keepUuidOnUninstall',
+    'privacy.trackingprotection.ui.enabled',
     /* reset parrot: check your open about:config after running the script */
     '_user.js.parrot'
   ]

user.js

@@ -1,7 +1,7 @@
 /******
 * name: ghacks user.js
-* date: 08 September 2018
+* date: 10 October 2018
-* version 62-beta: Total Eclipse of the Pants
+* version 62: Total Eclipse of the Pants
 *   "Once upon a time there was light in my life, but now there's only pants in the dark"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
@@ -216,7 +216,7 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
  * [NOTE] It includes updates for "revoked certificates"
  * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
  * [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/
-user_pref("extensions.blocklist.enabled", true);
+user_pref("extensions.blocklist.enabled", true); // default: true
 user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
 /* 0402: enable Kinto blocklist updates (FF50+)
  * What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
@@ -285,9 +285,6 @@ user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
  * [2] https://support.mozilla.org/kb/tracking-protection-firefox ***/
    // user_pref("privacy.trackingprotection.pbmode.enabled", true); // default: true
    // user_pref("privacy.trackingprotection.enabled", true);
-/* 0421: enable more Tracking Protection choices under Options>Privacy & Security>Use Tracking Protection
- * Displays three choices: "Always", "Only in private windows", "Never" ***/
-user_pref("privacy.trackingprotection.ui.enabled", true);
 /* 0422: set which Tracking Protection block list to use
  * [WARNING] We don't recommend enforcing this from here, as available block lists can change
  * [SETTING] Privacy & Security>Tracking Protection>Change Block List ***/
@@ -424,7 +421,7 @@ user_pref("network.predictor.enable-prefetch", false);
 user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
 /* 0701: disable IPv6
  * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice
- * with VPNs. That's even assuming your ISP and/or router and/or website can hande it
+ * with VPNs. That's even assuming your ISP and/or router and/or website can handle it
  * [WARNING] This is just an application level fallback. Disabling IPv6 is best done
  * at an OS/network level, and/or configured properly in VPN setups
  * [TEST] http://ipv6leak.com/
@@ -558,6 +555,10 @@ user_pref("browser.formfill.enable", false);
  * [SETTING] Privacy & Security>History>Custom Settings>Remember my browsing and download history
  * [NOTE] You can clear history and downloads on exiting Firefox (see 2803) ***/
    // user_pref("places.history.enabled", false);
+/* 0864: disable date/time picker (FF57+ default true)
+ * This can leak your locale if not en-US
+ * [1] https://trac.torproject.org/projects/tor/ticket/21787 ***/
+user_pref("dom.forms.datetime", false);
 /* 0870: disable Windows jumplist [WINDOWS] ***/
 user_pref("browser.taskbar.lists.enabled", false);
 user_pref("browser.taskbar.lists.frequent.enabled", false);
@@ -610,15 +611,16 @@ user_pref("security.insecure_field_warning.contextual.enabled", true);
 user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
 
 /*** 1000: CACHE [SETUP]
-     ETAG [1] and other [2] cache tracking/fingerprinting techniques can be averted by
+     ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by
      disabling *BOTH* disk (1001) and memory (1003) cache. ETAGs can also be neutralized
-     by modifying response headers [3]. Another solution is to use a hardened configuration
+     by modifying response headers [4]. Another solution is to use a hardened configuration
-     with Temporary Containers [4]. Alternatively, you can *LIMIT* exposure by clearing
+     with Temporary Containers [5]. Alternatively, you can *LIMIT* exposure by clearing
      cache on close (2803). or on a regular basis manually or with an extension.
      [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
      [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
-     [3] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
+     [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
-     [4] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
+     [4] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
+     [5] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
 ***/
 user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
 /** CACHE ***/
@@ -679,7 +681,7 @@ user_pref("toolkit.winRegisterApplicationRestart", false);
  * If set to false then the shortcuts use a generic Firefox icon ***/
 user_pref("browser.shell.shortcutFavicons", false);
 /* 1031: disable favicons in tabs and new bookmarks
- * bookmark favicons are stored as data blobs in places.sqlite>moz_favicons ***/
+ * bookmark favicons are stored as data blobs in favicons.sqlite ***/
    // user_pref("browser.chrome.site_icons", false);
    // user_pref("browser.chrome.favicons", false);
 /* 1032: disable favicons in web notifications ***/
@@ -777,7 +779,7 @@ user_pref("security.cert_pinning.enforcement_level", 2);
 /** MIXED CONTENT ***/
 /* 1240: disable insecure active content on https pages - mixed content
  * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
-user_pref("security.mixed_content.block_active_content", true);
+user_pref("security.mixed_content.block_active_content", true); // default: true
 /* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/
 user_pref("security.mixed_content.block_display_content", true);
 
@@ -935,7 +937,7 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
  * [SETTING] Privacy & Security>Tabs>Enable Container Tabs ***/
    // user_pref("privacy.userContext.enabled", true);
 /* 1703: enable a private container for thumbnail loads (FF51+) ***/
-   // user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);
+   // user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // default: true in FF61+
 /* 1704: set long press behaviour on "+ Tab" button to display container menu (FF53+)
  * 0=disables long press, 1=when clicked, the menu is shown
  * 2=the menu is shown after X milliseconds
@@ -1305,12 +1307,6 @@ user_pref("browser.download.forbid_open_with", true);
  * [1] archived: https://archive.is/DYjAM ***/
 user_pref("extensions.enabledScopes", 1); // (hidden pref)
 user_pref("extensions.autoDisableScopes", 15);
-/* 2661: clear localStorage and UUID when an extension is uninstalled
- * [NOTE] Both preferences must be the same
- * [1] https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local
- * [2] https://bugzilla.mozilla.org/1213990 ***/
-user_pref("extensions.webextensions.keepStorageOnUninstall", false);
-user_pref("extensions.webextensions.keepUuidOnUninstall", false);
 /* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) (FF60+)
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
    // user_pref("extensions.webextensions.restrictedDomains", "");
@@ -1332,7 +1328,7 @@ user_pref("security.csp.experimentalEnabled", true);
  * [1] https://bugzilla.mozilla.org/1331351
  * [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
  * [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
-user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
+user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // default: true in FF59+
 /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
  * [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
  * [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
@@ -1378,7 +1374,7 @@ user_pref("network.cookie.leave-secure-alone", true); // default: true
  * [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
    // user_pref("network.cookie.same-site.enabled", true); // default: true
 /* 2710: disable DOM (Document Object Model) Storage
- * [WARNING] This will break a LOT of sites' functionality.
+ * [WARNING] This will break a LOT of sites' functionality AND extensions!
  * You are better off using an extension for more granular control ***/
    // user_pref("dom.storage.enabled", false);
 /* 2720: enforce IndexedDB (IDB) as enabled
@@ -1394,7 +1390,7 @@ user_pref("dom.indexedDB.enabled", true); // default: true
 user_pref("browser.cache.offline.enable", false);
 /* 2730b: disable offline cache on insecure sites (FF60+)
  * [1] https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ ***/
-user_pref("browser.cache.offline.insecure.enable", false);
+user_pref("browser.cache.offline.insecure.enable", false); // default: false in FF62+
 /* 2731: enforce websites to ask to store data for offline use
  * [1] https://support.mozilla.org/questions/1098540
  * [2] https://bugzilla.mozilla.org/959985 ***/
@@ -1547,6 +1543,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
       FF60: Fix keydown/keyup events (1438795)
  ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
  ** 1459089 - disable OS locale in HTTP Accept-Language headers [ANDROID] (FF62+)
+ ** 1363508 - spoof/suppress Pointer Events (FF64+)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting (FF41+)