Update user.js

✅ Sorted a lot of rules and fixed some parameters
✅ Enabled window.opener protection
⛔️ Disabled Service Workers
⛔️ Disabled Web Notifications
⛔️ Disabled Push Notifications
⛔️ Disabled "Confirm you want to leave" dialog on page close
⛔️ Disabled asm.js
⛔️ Disabled Intersection Observer API

user.js

@@ -52,7 +52,7 @@ user_pref("datareporting.policy.firstRunURL", "");
 user_pref("datareporting.policy.minimumPolicyVersion", 0);
 user_pref("datareporting.policy.minimumPolicyVersion.channel-beta", 0);
 // Pref : Disable personalized Extension Recommendations in about:addons and AMO
-//[NOTE] This pref has no effect when Health Reports are disabled
+// [NOTE] This pref has no effect when Health Reports are disabled
 // https://support.mozilla.org/kb/personalized-extension-recommendations
 user_pref("browser.discovery.enabled", false); // [DEFAULT: false]
 // Pref : Disable Crash Reports
@@ -180,13 +180,6 @@ user_pref("browser.snippets.statsUrl", "");
 user_pref("browser.snippets.updateInterval", -1);
 user_pref("browser.snippets.updateUrl", "");
 user_pref("browser.snippets.syncPromo.enabled", false);
-// Pref : Disable right-click menu manipulation via JavaScript (disabled)
-user_pref("dom.event.contextmenu.enabled", false);
-// Pref : Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
-// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in 
-// JS-based web applications (Google Docs...)
-// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
-user_pref("dom.event.clipboardevents.enabled", false);
 // Pref : Force Punycode for Internationalized Domain Names
 // http://kb.mozillazine.org/Network.IDN_show_punycode
 // https://www.xudongz.com/blog/2017/idn-phishing/
@@ -219,8 +212,6 @@ user_pref("beacon.enabled", false);
 // https://developer.mozilla.org/en-US/docs/Web/API/SpeechRecognition
 // https://wiki.mozilla.org/HTML5_Speech_API
 user_pref("media.webspeech.recognition.enable", false);
-// Pref : Disable vibrator API
-user_pref("dom.vibrator.enabled", false);
 // Pref : Don't use Mozilla-provided location-specific search engines
 user_pref("browser.search.geoSpecificDefaults", false);
 // Pref : Don't monitor OS online/offline connection state
@@ -325,10 +316,83 @@ user_pref("security.csp.enable", true); // [DEFAULT: true]
 user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true]
 //
 // >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// Section : Web Workers
+// >>>>>>>>>>>>>>>>>>>>>>
+// Pref : Disable service workers
+// Service workers essentially act as proxy servers that sit between web apps, and the browser and network, are event driven, and can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources.
+// [NOTE] Service worker APIs are hidden (in Firefox) and cannot be used when in PB mode.
+// [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access.
+user_pref("dom.serviceWorkers.enabled", false);
+// Pref : Disable web notifications
+// https://developer.mozilla.org/docs/Web/API/Notifications_API
+user_pref("dom.webnotifications.enabled", false);
+user_pref("dom.webnotifications.serviceworker.enabled", false);
+// Pref : Disable push notifications
+// Web apps can receive messages pushed to them from a server, whether or not the web app is in the foreground, or even currently loaded
+// https://developer.mozilla.org/docs/Web/API/Push_API
+user_pref("dom.push.alwaysConnect", false);
+user_pref("dom.push.enabled", false);
+user_pref("dom.push.debug", false);
+user_pref("dom.push.connection.enabled", false);
+user_pref("dom.push.serverURL", "");
+user_pref("dom.push.userAgentID", "");
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+// Section : DOM (Document Object Model) & Javascript
+// >>>>>>>>>>>>>>>>>>>>>>
+// Pref : Disable right-click menu manipulation via JavaScript
+user_pref("dom.event.contextmenu.enabled", false);
+// Pref : Disable website access to clipboard events/content
+// Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
+// https://developer.mozilla.org/en-US/docs/Mozilla/Preferences/Preference_reference/dom.event.clipboardevents.enabled
+user_pref("dom.event.clipboardevents.enabled", false);
+// Pref : Disable "Confirm you want to leave" dialog on page close
+// Does not prevent JS leaks of the page close event.
+// https://developer.mozilla.org/docs/Web/Events/beforeunload
+// https://support.mozilla.org/questions/1043508
+user_pref("dom.disable_beforeunload", true);
+// Pref : Disable shaking the screen (Vibrator API)
+user_pref("dom.vibrator.enabled", false);
+// Pref : Disable asm.js
+// http://asmjs.org/
+// https://www.mozilla.org/security/advisories/mfsa2015-29/
+// https://www.mozilla.org/security/advisories/mfsa2015-50/
+// https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
+// https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
+// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/
+user_pref("javascript.options.asmjs", false);
+// Pref : Disable Ion and baseline JIT to help harden JS against exploits
+// If false, causes the odd site issue and there is also a performance loss
+// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
+// user_pref("javascript.options.ion", false);
+// user_pref("javascript.options.baselinejit", false);
+// Pref : Disable WebAssembly
+// https://webassembly.org/
+// https://developer.mozilla.org/docs/WebAssembly
+// https://en.wikipedia.org/wiki/WebAssembly
+// https://trac.torproject.org/projects/tor/ticket/21549
+// user_pref("javascript.options.wasm", false);
+// Pref : Disable Intersection Observer API
+// Almost a year to complete, three versions late to stable (as default false), number #1 cause of crashes in nightly numerous times, and is (primarily) an ad network API for "ad viewability checks" down to a pixel level
+// https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
+// https://w3c.github.io/IntersectionObserver/
+// https://bugzilla.mozilla.org/1243846
+user_pref("dom.IntersectionObserver.enabled", false);
+// Pref : Disable Shared Memory (Spectre mitigation)
+// https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md
+// https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
+user_pref("javascript.options.shared_memory", false); // [DEFAULT: false]
+// Pref : Enforce DOMHighResTimeStamp API
+// [WARNING] Required for normalization of timestamps and any timer resolution mitigations
+user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
+// Pref : Enable (limited but sufficient) window.opener protection
+// Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set
+user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: false]
+//
+// >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 // Section : Media / Camera / Mic
 // >>>>>>>>>>>>>>>>>>>>>>
-// Pref : WebSockets is a technology that makes it possible to open an interactive communication 
-// session between the user's browser and a server. (May leak IP when using proxy/VPN)
+// Pref : WebSockets is a technology that makes it possible to open an interactive communication session between the user's browser and a server. (May leak IP when using proxy/VPN)
 user_pref("media.peerconnection.enabled", false);
 // Pref : Limit WebRTC IP leaks if using WebRTC
 // https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
@@ -633,7 +697,7 @@ user_pref("dom.disable_window_move_resize", true); // [DEFAULT: true]
 // You can still right-click a link and open in a new window.
 // [TEST] https://people.torproject.org/~gk/misc/entire_desktop.html
 // https://trac.torproject.org/projects/tor/ticket/9881
-user_pref("browser.link.open_newwindow", 2); // [DEFAULT: 3]
+user_pref("browser.link.open_newwindow", 3); // [DEFAULT: 3]
 user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
 // Pref : Disable Fullscreen API (requires user interaction) to prevent screen-resolution leaks
 // [NOTE] You can still manually toggle the browser's fullscreen state, but this pref will disable embedded video fullscreen controls, e.g. youtube
@@ -642,7 +706,7 @@ user_pref("browser.link.open_newwindow.restriction", 0); // [DEFAULT: 0]
 // Pref : Block popup windows
 user_pref("dom.disable_open_during_load", true); // [DEFAULT: true]
 // Pref : Set max popups from a single non-click event
-user_pref("dom.popup_maximum", 3); // [DEFAULT: 4]
+user_pref("dom.popup_maximum", 2); // [DEFAULT: 20]
 // Pref : Limit events that can cause a popup
 // http://kb.mozillazine.org/Dom.popup_allowed_events
 user_pref("dom.popup_allowed_events", "click dblclick"); // [DEFAULT: "change click dblclick mouseup pointerup notificationclick reset submit touchend"]