From 1556ef498de0a618bca761aa47eccd334d8b428b Mon Sep 17 00:00:00 2001
From: Narsil
Date: Thu, 19 Aug 2021 22:10:14 +0000
Subject: [PATCH] Update 'user.js'
---
 user.js | 91 ++++++++++++++++++++-------------------------------------
 1 file changed, 32 insertions(+), 59 deletions(-)
diff --git a/user.js b/user.js
index e6351a6..00e4081 100644
--- a/user.js
+++ b/user.js
@@ -86,20 +86,7 @@ user_pref("browser.newtabpage.activity-stream.default.sites", "");
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // GEOLOCATION
 // >>>>>>>>>>>>>>>>>>>>>
-// Disable Location-Aware Browsing
-// [WARNING] The API state is fingerprintable. Permission is already behind a prompt
-// https://www.mozilla.org/firefox/geolocation/
-user_pref("geo.enabled", false);
-user_pref("browser.search.geoip.url", ""); // [HIDDEN PREF]
-// -------------------------------------
-// Set a default permission for Location [FF58+]
-// 0=always ask (default), 1=allow, 2=block
-// [NOTE] Best left at default "always ask", fingerprintable via Permissions API
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings
-// user_pref("permissions.default.geo", 2);
-// -------------------------------------
-// Use Mozilla geolocation service instead of Google if geolocation is granted [FF74+]
+// Use Mozilla geolocation service instead of Google if permission is granted [FF74+]
 // Optionally enable logging to the console (defaults to false)
 user_pref("geo.provider.network.url", "");
 // user_pref("geo.provider.network.logging.enabled", true); // [HIDDEN PREF]
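Review bot: `user_pref("browser.search.geoip.url", "");` is removed in this hunk and, unlike `geo.enabled`, is not re-added in the relocated block that the last hunk appends near the end of the file. If that hidden pref is obsolete for the Firefox versions this file targets, a one-line comment or commit-message note saying so would make the drop auditable; otherwise it should move together with `geo.enabled`. The commit subject "Update 'user.js'" gives no rationale, so a later reader cannot tell a deliberate removal from an accidental one.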
@@ -117,10 +104,7 @@ user_pref("browser.region.update.enabled", false); // [[FF79+]
 // Set search region
 // May not be hidden if Firefox has changed your settings due to your region
 user_pref("browser.search.region", "en-US, en"); // [HIDDEN PREF]
-//
-// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-// LANGUAGE / LOCALE
-// >>>>>>>>>>>>>>>>>>>>>
+// -------------------------------------
 // Set preferred language for displaying web pages
 // https://addons.mozilla.org/about ***/
 user_pref("intl.accept_languages", "en-US");
@@ -858,7 +842,7 @@ user_pref("security.OCSP.require", false);
 // 3 = only allow locally-added roots (e.g. anti-virus) (default)
 // 4 = only allow locally-added roots or for certs in 2015 and earlier
 // [SETUP-CHROME] If you have problems, update your software: SHA-1 is obsolete
-// ttps://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
+// https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
 user_pref("security.pki.sha1_enforcement_level", 1);
 // -------------------------------------
 // Disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
@@ -1023,10 +1007,10 @@ user_pref("network.http.referer.XOriginPolicy", 2);
 // 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
 user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
 // -------------------------------------
-// Disable spoofing a referer
-// [WARNING] Do not set this to true, as spoofing effectively disables the anti-CSRF
-// (Cross-Site Request Forgery) protections that some sites may rely on
-// user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
+// Enforce no spoofing of referer
+// Spoofing effectively disables the anti-CSRF (Cross-Site Request Forgery)
+// protections that some sites may rely on
+user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
 // -------------------------------------
 // Set the default Referrer Policy [FF59+]
 // 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
@@ -1085,13 +1069,6 @@ user_pref("media.getusermedia.screensharing.enabled", false);
 user_pref("media.getusermedia.browser.enabled", false);
 user_pref("media.getusermedia.audiocapture.enabled", false);
 // -------------------------------------
-// Set a default permission for Camera/Microphone [FF58+]
-// 0=always ask (default), 1=allow, 2=block
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Use the Camera/Microphone
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings
-user_pref("permissions.default.camera", 2);
-user_pref("permissions.default.microphone", 2);
-// -------------------------------------
 // Disable GMP (Gecko Media Plugins)
 // https://wiki.mozilla.org/GeckoMediaPlugins
 // user_pref("media.gmp-provider.enabled", false);
@@ -1152,13 +1129,6 @@ user_pref("dom.push.enabled", false);
 user_pref("dom.push.connection.enabled", false);
 user_pref("dom.push.serverURL", "");
 user_pref("dom.push.userAgentID", "");
-// -------------------------------------
-// Set a default permission for Notifications [FF58+]
-// 0=always ask (default), 1=allow, 2=block
-// [NOTE] Best left at default "always ask", fingerprintable via Permissions API
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Receive Notifications
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Notifications>Settings
-// user_pref("permissions.default.desktop-notification", 2);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT
@@ -1250,17 +1220,6 @@ user_pref("dom.battery.enabled", false);
 // https://wicg.github.io/media-capabilities/#security-privacy-considerations
 // user_pref("media.media-capabilities.enabled", false);
 // -------------------------------------
-// Disable virtual reality devices
-// [WARNING] The API state is fingerprintable. Permission is already behind a prompt
-// https://developer.mozilla.org/docs/Web/API/WebVR_API
-user_pref("dom.vr.enabled", false);
-// -------------------------------------
-// Set a default permission for Virtual Reality [FF73+]
-// 0=always ask (default), 1=allow, 2=block
-// [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Virtual Reality Devices
-// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Virtual Reality>Settings
-// user_pref("permissions.default.xr", 2);
-// -------------------------------------
 // Disable WebGL (Web Graphics Library)
 // [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
 // especially with readPixels(). Some of the other entropy is lessened with RFP
@@ -1394,12 +1353,6 @@ user_pref("privacy.window.name.update.enabled", true);
 // Disable bypassing 3rd party extension install prompts [FF82+]
 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331
 user_pref("extensions.postDownloadThirdPartyPrompt", false);
-// -------------------------------------
-// Disable Fullscreen API (requires user interaction)
-// [NOTE] You can still toggle fullscreen with F11
-// [WARNING] This is fingerprintable and will break embedded video/game FS controls, e.g. youtube
-// [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
-// user_pref("full-screen-api.enabled", false);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DOWNLOADS
@@ -1484,11 +1437,6 @@ user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
 // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
 user_pref("network.cookie.lifetimePolicy", 2);
 // -------------------------------------
-// Disable offline cache (appCache)
-// [NOTE] In FF90+ the storage capability has been removed.
-// [WARNING] The API state is fingerprintable. Storage capability was removed in FF90+
-// user_pref("browser.cache.offline.enable", false);
-// -------------------------------------
 // Disable service worker cache and cache storage
 // [NOTE] We clear service worker cache on exit
 // https://w3c.github.io/ServiceWorker/#privacy
@@ -1708,6 +1656,31 @@ user_pref("network.manage-offline-status", false); // see bugzilla 620472
 user_pref("_config.applied", true);
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// DON'T BOTHER
+// >>>>>>>>>>>>>>>>>>>>>
+// Disable APIs
+// Location-Aware Browsing, Full Screen, offline cache (appCache), Virtual Reality
+// [WHY] The API state is easily fingerprintable. Geo and VR are behind prompts
+// appCache storage capability was removed in FF90. Full screen requires user interaction,
+user_pref("geo.enabled", false);
+// user_pref("full-screen-api.enabled", false);
+// user_pref("browser.cache.offline.enable", false);
+user_pref("dom.vr.enabled", false);
+// -------------------------------------
+// Set default permissions
+// Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+]
+// 0=always ask (default), 1=allow, 2=block
+// [WHY] These are fingerprintable via Permissions API, except VR. Just add site
+// exceptions as block for frequently visited annoying sites: i.e not global
+// [SETTING] to add site exceptions: Ctrl+I>Permissions>
+// [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings
+user_pref("permissions.default.geo", 2);
+user_pref("permissions.default.camera", 2);
+user_pref("permissions.default.microphone", 2);
+user_pref("permissions.default.desktop-notification", 2);
+user_pref("permissions.default.xr", 0); // Virtual Reality
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // DON'T BOTHER: NON-RFP
 // >>>>>>>>>>>>>>>>>>>>>
 // Spoof number of CPU cores [FF48+] ***/
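Review bot: The new DON'T BOTHER block leaves most of its prefs active, which contradicts both the heading and the [WHY] text recommending per-site exceptions rather than global values. `permissions.default.geo` and `permissions.default.desktop-notification` were commented out before this commit (see the removed lines in the geolocation and notifications hunks) and are now enforced at 2, so the state visible through the Permissions API changes for every profile that applies this file. If the section is meant to record settings not worth applying, comment them out, e.g. `// user_pref("permissions.default.geo", 2);`; if the global block is intended, the heading and [WHY] should say so. `permissions.default.xr` is set to 0, which the comment lists as the default, so that line can also be inactive. Separately, the second [WHY] line ends in a dangling comma and the two [SETTING] lines lost the per-permission menu names the removed comments carried.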