dove.cfg

// Welcome to the next generation of Phoenix.

lockPref("browser.phoenix.cfg.initialized", true);
lockPref("general.config.filename", "phoenix.cfg");
lockPref("general.config.vendor", "phoenix");

// The Phoenix shall rise from the ashes of what fell before it.

defaultPref("browser.aboutConfig.showWarning", false);
defaultPref("general.warnOnAboutConfig", false);

// 001 DATA COLLECTION

// A lot of defense in depth...

/// Shield Studies/Normandy/Nimbus
// We also set "DisableFirefoxStudies" in policies 
// https://mozilla.github.io/policy-templates/#disablefirefoxstudies
// https://mozilla.github.io/normandy/
// https://wiki.mozilla.org/Firefox/Shield/Shield_Studies
// https://support.mozilla.org/kb/shield
// https://support.mozilla.org/kb/how-stop-firefox-making-automatic-connections#w_experiments-or-studies
// https://wiki.mozilla.org/Advocacy/heartbeat
// https://experimenter.info/
// resource://nimbus/ExperimentAPI.sys.mjs

lockPref("app.normandy.api_url", "");
lockPref("app.normandy.enabled", false);
lockPref("app.normandy.first_run", false);
lockPref("app.normandy.last_seen_buildid", "");
lockPref("app.normandy.logging.level", 70); // Limits logging to fatal only
lockPref("app.normandy.user_id", "");
lockPref("app.shield.optoutstudies.enabled", false);
lockPref("messaging-system.log", "off"); // Disables logging
lockPref("messaging-system.rsexperimentloader.enabled", false);
lockPref("messaging-system.rsexperimentloader.collection_id", "");
lockPref("nimbus.appId", ""); // https://searchfox.org/mozilla-central/source/toolkit/components/backgroundtasks/defaults/backgroundtasks_browser.js
lockPref("toolkit.telemetry.pioneer-new-studies-available", false);

/// WebVTT Testing Events
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml

lockPref("media.webvtt.testing.events", false);

/// Origin Trials
// https://wiki.mozilla.org/Origin_Trials

lockPref("dom.origin-trials.enabled", false);

/// Crash Reporting
// https://github.com/mozilla-services/socorro
// https://wiki.mozilla.org/Socorro
// https://firefox-source-docs.mozilla.org/tools/sanitizer/asan_nightly.html

lockPref("asanreporter.apiurl", "");
lockPref("asanreporter.clientid", "");
lockPref("breakpad.reportURL", "");
lockPref("browser.crashReports.chancesUntilSuppress", 0);
lockPref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // [DEFAULT]
lockPref("browser.crashReports.unsubmittedCheck.enabled", false); // [DEFAULT on Stable - but set to true on Nightly :/]
lockPref("browser.tabs.crashReporting.includeURL", false); // [DEFAULT} - Defense in depth
lockPref("browser.tabs.crashReporting.sendReport", false);
lockPref("toolkit.crashreporter.include_context_heap", false); // Defense in depth

/// X-Frame Options Error Reporting
// https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/data/xfocsp-error-report-ping.html

lockPref("security.xfocsp.errorReporting.automatic", false); // [DEFAULT]
lockPref("security.xfocsp.errorReporting.enabled", false);

/// Coverage
// https://blog.mozilla.org/data/2018/08/20/effectively-measuring-search-in-firefox/

lockPref("toolkit.coverage.enabled", false); // [DEFAULT]
lockPref("toolkit.coverage.endpoint.base", "");
lockPref("toolkit.coverage.opt-out", true); // [HIDDEN]
lockPref("toolkit.telemetry.coverage.opt-out", true); // [HIDDEN]

/// Default Browser Agent
/// We also configure "DisableDefaultBrowserAgent" in policies
// https://mozilla.github.io/policy-templates/#disabledefaultbrowseragent
// https://firefox-source-docs.mozilla.org/toolkit/mozapps/defaultagent/default-browser-agent/index.html

lockPref("default-browser-agent.enabled", false);

/// Misc. Telemetry
/// We also configure "DisableTelemetry" & "ImproveSuggest" in policies 
// https://mozilla.github.io/policy-templates/#disabletelemetry 
// https://mozilla.github.io/policy-templates/#firefoxsuggest
// https://searchfox.org/mozilla-central/source/testing/geckodriver/src/prefs.rs
// https://wiki.mozilla.org/QA/Telemetry
// https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/internals/preferences.html 
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml
// https://searchfox.org/mozilla-central/source/remote/shared/RecommendedPreferences.sys.mjs
// https://searchfox.org/mozilla-central/source/testing/profiles/perf/user.js

lockPref("browser.aboutwelcome.log", "off"); // Disable logging
lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
lockPref("browser.newtabpage.activity-stream.impressionId", "");
lockPref("browser.newtabpage.activity-stream.telemetry", false);
lockPref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", "");
lockPref("browser.newtabpage.activity-stream.telemetry.ut.events", false);
lockPref("browser.places.interactions.enabled", false); // https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js
lockPref("browser.privacySegmentation.preferences.show", false); // [DEFAULT, at least on Nightly]
lockPref("browser.rights.3.shown", true);
lockPref("browser.search.serpEventTelemetryCategorization.enabled", false);
lockPref("browser.search.serpEventTelemetryCategorization.regionEnabled", false); // [DEFAULT, at least on Nightly]
lockPref("browser.search.serpMetricsRecordedCounter", 0); // [DEFAULT]
lockPref("browser.urlbar.quicksuggest.dataCollection.enabled", false); // [DEFAULT]
lockPref("browser.urlbar.quicksuggest.onboardingDialogChoice", "reject_2"); // [HIDDEN] https://searchfox.org/mozilla-central/source/browser/components/urlbar/docs/firefox-suggest-telemetry.rst https://searchfox.org/mozilla-central/source/toolkit/components/telemetry/docs/data/environment.rst https://searchfox.org/mozilla-central/source/browser/components/urlbar/tests/quicksuggest/browser/browser_quicksuggest_onboardingDialog.js
lockPref("datareporting.dau.cachedUsageProfileID", "beefbeef-beef-beef-beef-beeefbeefbee"); // [HIDDEN] https://searchfox.org/mozilla-central/source/toolkit/components/telemetry/app/ClientID.sys.mjs#44
lockPref("datareporting.healthreport.documentServerURI", ""); // [HIDDEN]
lockPref("datareporting.healthreport.logging.consoleEnabled", false); // [HIDDEN]
lockPref("datareporting.healthreport.service.enabled", false); // [HIDDEN]
lockPref("datareporting.healthreport.service.firstRun", false); // [HIDDEN]
lockPref("datareporting.healthreport.uploadEnabled", false);
lockPref("datareporting.policy.dataSubmissionEnabled", false);
lockPref("datareporting.policy.dataSubmissionPolicyAccepted", false);
lockPref("datareporting.policy.dataSubmissionPolicyBypassNotification", true);
lockPref("datareporting.policy.firstRunURL", "");
lockPref("dom.security.unexpected_system_load_telemetry_enabled", false);
lockPref("identity.fxaccounts.telemetry.clientAssociationPing.enabled", false);
lockPref("identity.fxaccounts.account.telemetry.sanitized_uid", "");
lockPref("network.jar.record_failure_reason", false); // https://searchfox.org/mozilla-release/source/modules/libpref/init/StaticPrefList.yaml#14271
lockPref("network.traffic_analyzer.enabled", false); // https://searchfox.org/mozilla-release/source/modules/libpref/init/StaticPrefList.yaml#13191
lockPref("network.trr.confirmation_telemetry_enabled", false);
lockPref("nimbus.telemetry.targetingContextEnabled", false); // https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js#2001
lockPref("privacy.trackingprotection.emailtracking.data_collection.enabled", false);
lockPref("toolkit.content-background-hang-monitor.disabled", true);
lockPref("toolkit.telemetry.archive.enabled", false);
lockPref("toolkit.telemetry.bhrPing.enabled", false);
lockPref("toolkit.telemetry.cachedClientID", "c0ffeec0-ffee-c0ff-eec0-ffeec0ffeec0");
lockPref("toolkit.telemetry.cachedProfileGroupID", "decafdec-afde-cafd-ecaf-decafdecafde");
lockPref("toolkit.telemetry.dap.helper.hpke", "");
lockPref("toolkit.telemetry.dap.helper.url", "");
lockPref("toolkit.telemetry.dap.leader.hpke", "");
lockPref("toolkit.telemetry.dap.leader.url", "");
lockPref("toolkit.telemetry.dap_enabled", false); // [DEFAULT]
lockPref("toolkit.telemetry.dap_helper", "");
lockPref("toolkit.telemetry.dap_helper_owner", "");
lockPref("toolkit.telemetry.dap_leader", "");
lockPref("toolkit.telemetry.dap_leader_owner", "");
lockPref("toolkit.telemetry.dap.logLevel", "Off");
lockPref("toolkit.telemetry.dap_task1_enabled", false); // [DEFAULT]
lockPref("toolkit.telemetry.dap_task1_taskid", ""); // [DEFAULT]
lockPref("toolkit.telemetry.dap_visit_counting_enabled", false); // [DEFAULT]
lockPref("toolkit.telemetry.dap_visit_counting_experiment_list", "[]"); // [DEFAULT]
lockPref("toolkit.telemetry.debugSlowSql", false);
lockPref("toolkit.telemetry.enabled", false);  // [DEFAULT on Stable Desktop, not on Nightly & elsewhere...]
lockPref("toolkit.telemetry.firstShutdownPing.enabled", false);
lockPref("toolkit.telemetry.geckoview.streaming", false); // [Android specific?]
lockPref("toolkit.telemetry.healthping.enabled", false); // [HIDDEN]
lockPref("toolkit.telemetry.newProfilePing.enabled", false);
lockPref("toolkit.telemetry.pioneerId", ""); // [HIDDEN]
lockPref("toolkit.telemetry.previousBuildID", "");
lockPref("toolkit.telemetry.reportingpolicy.firstRun", false);
lockPref("toolkit.telemetry.server", "data;");
lockPref("toolkit.telemetry.server_owner", "");
lockPref("toolkit.telemetry.shutdownPingSender.backgroundtask.enabled", false); // [DEFAULT]
lockPref("toolkit.telemetry.shutdownPingSender.enabled", false);
lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // [DEFAULT]
lockPref("toolkit.telemetry.testing.suppressPingsender", true); // [HIDDEN]
lockPref("toolkit.telemetry.translations.logLevel", "Off");
lockPref("toolkit.telemetry.unified", false);
lockPref("toolkit.telemetry.updatePing.enabled", false);
lockPref("toolkit.telemetry.user_characteristics_ping.current_version", 0); // [DEFAULT]
lockPref("toolkit.telemetry.user_characteristics_ping.last_version_sent", 0); // [DEFAULT]
lockPref("toolkit.telemetry.user_characteristics_ping.logLevel", "Off");
lockPref("toolkit.telemetry.user_characteristics_ping.opt-out", true);
lockPref("toolkit.telemetry.user_characteristics_ping.send-once", false); // [DEFAULT]
lockPref("toolkit.telemetry.user_characteristics_ping.uuid", ""); // [DEFAULT]

/// Misc. UX - Harmless but does not apply to us

lockPref("app.normandy.shieldLearnMoreUrl", "");
lockPref("datareporting.healthreport.infoURL", "");
lockPref("extensions.recommendations.privacyPolicyUrl", "");
lockPref("toolkit.crashreporter.infoURL", "");
lockPref("toolkit.datacollection.infoURL", "");

// 002 MOZILLA CRAP™

/// Firefox Recommendations & "Discovery"
// We also set "ExtensionRecommendations" & "FeatureRecommendations" in policies
// https://mozilla.github.io/policy-templates/#usermessaging
// https://support.mozilla.org/kb/recommendations-firefox
// https://support.mozilla.org/kb/personalized-extension-recommendations

lockPref("browser.dataFeatureRecommendations.enabled", false); // [DEFAULT]
lockPref("browser.discovery.enabled", false);
lockPref("browser.discovery.sites", "");
lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
lockPref("extensions.getAddons.browseAddons", ""); // Android
lockPref("extensions.getAddons.discovery.api_url", "data:;"); // https://searchfox.org/mozilla-central/source/testing/profiles/common/user.js
lockPref("extensions.getAddons.showPane", false);
lockPref("extensions.htmlaboutaddons.recommendations.enabled", false);
lockPref("extensions.recommendations.themeRecommendationUrl", "");
lockPref("extensions.webservice.discoverURL", "");

/// Fakespot

lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.ctaCopy", ""); // [DEFAULT]
lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.ctaUrl", ""); // [DEFAULT]
lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.defaultCategoryTitle", ""); // [DEFAULT]
lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.enabled", false);
lockPref("browser.newtabpage.activity-stream.contextualContent.fakespot.footerCopy", ""); // [DEFAULT]
lockPref("browser.shopping.experience2023.active", false);
lockPref("browser.shopping.experience2023.ads.enabled", false); // [DEFAULT]
lockPref("browser.shopping.experience2023.ads.exposure", false); // [HIDDEN]
lockPref("browser.shopping.experience2023.ads.userEnabled", false);
lockPref("browser.shopping.experience2023.autoOpen.enabled", false); // [DEFAULT]
lockPref("browser.shopping.experience2023.autoOpen.userEnabled", false);
lockPref("browser.shopping.experience2023.enabled", false); // [DEFAULT]
lockPref("browser.shopping.experience2023.integratedSidebar", false); // [DEFAULT]
lockPref("browser.shopping.experience2023.optedIn", 2);
lockPref("browser.shopping.experience2023.survey.enabled", false);
lockPref("browser.shopping.experience2023.survey.hasSeen", true);
lockPref("browser.urlbar.fakespot.featureGate", false); // [DEFAULT]
lockPref("browser.urlbar.fakespot.suggestedIndex", 0); // [HIDDEN]
lockPref("browser.urlbar.suggest.fakespot", false);
lockPref("toolkit.shopping.ohttpConfigURL", "");
lockPref("toolkit.shopping.ohttpRelayURL", "");

/// Pocket
// We also set "DisablePocket", "Pocket", & "SponsoredPocket" in policies 
// https://mozilla.github.io/policy-templates/#disablepocket
// https://mozilla.github.io/policy-templates/#firefoxhome
// https://searchfox.org/mozilla-central/source/toolkit/components/nimbus/FeatureManifest.yaml

lockPref("browser.newtabpage.activity-stream.discoverystream.fourCardLayout.enabled", false); // [DEFAULT]
lockPref("browser.newtabpage.activity-stream.discoverystream.hideCardBackground.enabled", true);
lockPref("browser.newtabpage.activity-stream.discoverystream.hideDescriptions.enabled", true);
lockPref("browser.newtabpage.activity-stream.discoverystream.newFooterSection.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.pocket-feed-parameters", "");
defaultPref("browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.region-stories-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.saveToPocketCardRegions", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled", false);
lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
lockPref("browser.newtabpage.activity-stream.pocketCta", "");
lockPref("browser.urlbar.pocket.featureGate", false);
lockPref("browser.urlbar.suggest.pocket", false);
lockPref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
lockPref("extensions.pocket.api", "");
lockPref("extensions.pocket.bffApi", "");
lockPref("extensions.pocket.bffRecentSaves", false);
lockPref("extensions.pocket.enabled", false);
lockPref("extensions.pocket.oAuthConsumerKey", "");
lockPref("extensions.pocket.oAuthConsumerKeyBff", "");
lockPref("extensions.pocket.refresh.emailButton.enabled", false);
lockPref("extensions.pocket.refresh.hideRecentSaves.enabled", true);
lockPref("extensions.pocket.showHome", false);
lockPref("extensions.pocket.site", "");

/// Firefox Relay

lockPref("signon.firefoxRelay.base_url", "");
lockPref("signon.firefoxRelay.feature", "disabled");
lockPref("signon.firefoxRelay.learn_more_url", "");
lockPref("signon.firefoxRelay.manage_url", "");
lockPref("signon.firefoxRelay.privacy_policy_url", "");
lockPref("signon.firefoxRelay.terms_of_service_url", "");

/// "Interest-based Content Relevance Ranking"
// https://bugzilla.mozilla.org/show_bug.cgi?id=1886207

lockPref("toolkit.contentRelevancy.enabled", false);
lockPref("toolkit.contentRelevancy.ingestEnabled", false);
lockPref("toolkit.contentRelevancy.log", false);

/// "Top Sites"
// We also set "SponsoredTopSites" in policies 
// https://mozilla.github.io/policy-templates/#firefoxhome
// https://searchfox.org/mozilla-central/source/toolkit/components/nimbus/FeatureManifest.yaml

defaultPref("browser.newtabpage.activity-stream.default.sites", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.contile-topsites-positions", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spoc-topsites-positions", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocTopsitesAdTypes", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocTopsitesZoneIds", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocTopsitesPlacement.enabled", false);
lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
lockPref("browser.newtabpage.activity-stream.improvesearch.noDefaultSearchTile", true); // [DEFAULT]
lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts", false);
lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned", "");
lockPref("browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines", "");
defaultPref("browser.newtabpage.pinned", "");
lockPref("browser.partnerlink.attributionURL", "");
lockPref("browser.partnerlink.campaign.topsites", "");
lockPref("browser.topsites.component.enabled", false);
lockPref("browser.topsites.contile.cachedTiles", "");
lockPref("browser.topsites.contile.enabled", false); // Make sure still active
lockPref("browser.topsites.contile.endpoint", "");
lockPref("browser.topsites.useRemoteSetting", false);
lockPref("browser.urlbar.sponsoredTopSites", false);

/// Misc. Activity Stream (about:home)
// We also configure "FirefoxHome" in policies
// https://mozilla.github.io/policy-templates/#firefoxhome
// https://searchfox.org/mozilla-central/source/testing/geckodriver/src/prefs.rs
// https://searchfox.org/mozilla-central/source/toolkit/components/nimbus/FeatureManifest.yaml

lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr", "null");
lockPref("browser.newtabpage.activity-stream.asrouter.providers.cfr-fxa", "null");
lockPref("browser.newtabpage.activity-stream.asrouter.providers.message-groups", "null");
lockPref("browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments", "null");
lockPref("browser.newtabpage.activity-stream.asrouter.providers.onboarding", "null");
lockPref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "null");
lockPref("browser.newtabpage.activity-stream.asrouter.useRemoteL10n", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.ctaButtonSponsors", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.config", "[]");
lockPref("browser.newtabpage.activity-stream.discoverystream.contextualContent.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.contextualContent.feeds", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.contextualContent.listFeedTitle", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.contextualContent.locale-content-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.contextualContent.region-content-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.contextualContent.selectedFeed", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.editorsPicksHeader.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.endpoints", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.endpointSpocsClear", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.essentialReadsHeader.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.isCollectionDismissible", true);
lockPref("browser.newtabpage.activity-stream.discoverystream.locale-list-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.newSponsoredLabel.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.onboardingExperience.dismissed", true);
lockPref("browser.newtabpage.activity-stream.discoverystream.onboardingExperience.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.personalization.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.personalization.modelKeys", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.placements.spocs", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.placements.spocs.counts", "0");
lockPref("browser.newtabpage.activity-stream.discoverystream.recs.personalized", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.region-bff-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.region-spocs-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocs.personalized", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.spocs.startupCache.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.spocs-endpoint", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocs-endpoint-query", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocAdTypes", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocSiteId", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.spocZoneIds", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.sponsored-collections.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.topicLabels.locale-topic-label-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.topicLabels.region-topic-label-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.topicSelection.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.topicSelection.locale-topics-config", "");
lockPref("browser.newtabpage.activity-stream.discoverystream.topicSelection.onboarding.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.topicSelection.region-topics-config", "");
lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
lockPref("browser.newtabpage.activity-stream.feeds.recommendationprovider", false);
lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
lockPref("browser.newtabpage.activity-stream.feeds.snippets", false);
lockPref("browser.newtabpage.activity-stream.showSponsored", false);
lockPref("browser.newtabpage.activity-stream.system.showSponsored", false);
lockPref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "");
lockPref("browser.newtabpage.activity-stream.unifiedAds.enabled", false);
lockPref("browser.newtabpage.activity-stream.unifiedAds.endpoint", "");
lockPref("browser.newtabpage.activity-stream.unifiedAds.spocs.enabled", false);
lockPref("browser.newtabpage.activity-stream.unifiedAds.tiles.enabled", false);
lockPref("messaging-system.askForFeedback", false);

/// Firefox Suggest
// We also configure "FirefoxSuggest" & "UrlbarInterventions" in policies
// https://mozilla.github.io/policy-templates/#firefoxsuggest
// https://mozilla.github.io/policy-templates/#usermessaging
// https://mozilla-services.github.io/merino/firefox.html
// https://github.com/mozilla-services/merino-py

lockPref("browser.newtabpage.activity-stream.discoverystream.merino-feed-experiment", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.merino-provider.enabled", false);
lockPref("browser.newtabpage.activity-stream.discoverystream.merino-provider.endpoint", "");
lockPref("browser.urlbar.addons.featureGate", false);
lockPref("browser.urlbar.groupLabels.enabled", false);
lockPref("browser.urlbar.mdn.featureGate", false);
lockPref("browser.urlbar.merino.endpointURL", "");
lockPref("browser.urlbar.merino.providers", "");
lockPref("browser.urlbar.quicksuggest.contextualOptIn", false);
lockPref("browser.urlbar.quicksuggest.enabled", false);
lockPref("browser.urlbar.quicksuggest.hideSettingsUI", true);
lockPref("browser.urlbar.quicksuggest.nonSponsoredIndex", 0);
lockPref("browser.urlbar.quicksuggest.scenario", "offline");
lockPref("browser.urlbar.quicksuggest.shouldShowOnboardingDialog", false);
lockPref("browser.urlbar.quicksuggest.showedOnboardingDialog", true);
lockPref("browser.urlbar.quicksuggest.sponsoredIndex", 0);
lockPref("browser.urlbar.quicksuggest.sponsoredPriority", false);
lockPref("browser.urlbar.suggest.addons", false);
lockPref("browser.urlbar.suggest.mdn", false);
lockPref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
lockPref("browser.urlbar.suggest.quicksuggest.sponsored", false);
lockPref("browser.urlbar.suggest.trending", false);
lockPref("browser.urlbar.suggest.weather", false);
lockPref("browser.urlbar.suggest.yelp", false);
lockPref("browser.urlbar.trending.featureGate", false);
lockPref("browser.urlbar.weather.featureGate", false);
lockPref("browser.urlbar.yelp.featureGate", false);

/// Web Notifications
/// I have yet to see a legitimate use-case for websites using push notifications... but I have very commonly seen it abused for malicious purposes & spam
/// We also set "Notifications" in policies
// https://mozilla.github.io/policy-templates/#permissions
// https://mozilla-push-service.readthedocs.io/en/latest/
// https://mozilla-services.github.io/autopush-rs/

lockPref("dom.push.enabled", true); // [DEFAULT] - Fingerprintable & unnecessary with other prefs
defaultPref("permissions.default.desktop-notification", 2);

/// Misc. Promotions
// We also set "MoreFromMozilla" in policies
// https://mozilla.github.io/policy-templates/#usermessaging

lockPref("browser.contentblocking.report.hide_vpn_banner", true);
lockPref("browser.contentblocking.report.proxy.enabled", false);
lockPref("browser.contentblocking.report.proxy_extension.url", "");
lockPref("browser.contentblocking.report.show_mobile_app", false);
lockPref("browser.contentblocking.report.vpn_sub_id", "");
lockPref("browser.contentblocking.report.vpn.url", "");
lockPref("browser.contentblocking.report.vpn-android.url", "");
lockPref("browser.contentblocking.report.vpn-ios.url", "");
lockPref("browser.contentblocking.report.vpn-promo.url", "");
lockPref("browser.newtabpage.activity-stream.newtabWallpapers.highlightDismissed", true);
lockPref("browser.newtabpage.activity-stream.newtabWallpapers.highlightEnabled", false);
lockPref("browser.preferences.moreFromMozilla", false);
lockPref("browser.preferences.moreFromMozilla.template", "simple");
lockPref("browser.privatebrowsing.vpnpromourl", "");
lockPref("browser.promo.cookiebanners.enabled", false);
lockPref("browser.promo.focus.enabled", false);
lockPref("browser.promo.pin.enabled", false);
lockPref("browser.protections_panel.infoMessage.seen", true); // Disables ETP Banner
lockPref("browser.vpn_promo.enabled", false);
lockPref("cookiebanners.ui.desktop.showCallout", false);
lockPref("identity.fxaccounts.toolbar.pxiToolbarEnabled", false);
lockPref("identity.fxaccounts.toolbar.pxiToolbarEnabled.monitorEnabled", false);
lockPref("identity.fxaccounts.toolbar.pxiToolbarEnabled.relayEnabled", false);
lockPref("identity.fxaccounts.toolbar.pxiToolbarEnabled.vpnEnabled", false);
lockPref("identity.mobilepromo.android", "");
lockPref("identity.mobilepromo.ios", "");
lockPref("identity.sendtabpromo.url", "");

/// Kill about:welcome & Onboarding
/// We also set "OverrideFirstRunPage", "OverridePostUpdatePage", & "SkipOnboarding" in policies
// https://mozilla.github.io/policy-templates/#overridefirstrunpage
// https://mozilla.github.io/policy-templates/#overridepostupdatepage
// https://mozilla.github.io/policy-templates/#usermessaging

lockPref("browser.aboutwelcome.enabled", false);
lockPref("browser.aboutwelcome.screens", "");
lockPref("browser.aboutwelcome.showModal", false);
lockPref("browser.aboutwelcome.toolbarButtonEnabled", false);
lockPref("browser.EULA.override", true); // https://searchfox.org/mozilla-central/source/testing/profiles/perf/user.js
lockPref("browser.migrate.content-modal.about-welcome-behavior", "autoclose");
lockPref("browser.startup.homepage_override.mstone", "ignore");
lockPref("browser.suppress_first_window_animation", true);
lockPref("browser.usedOnWindows10.introURL", ""); // https://searchfox.org/mozilla-central/source/remote/shared/RecommendedPreferences.sys.mjs
lockPref("startup.homepage_override_url", "");
lockPref("startup.homepage_override_url_nimbus", "");
lockPref("startup.homepage_welcome_url", "");
lockPref("startup.homepage_welcome_url.additional", "");

/// Kill UI Tour & Misc. "Feature Tours"

lockPref("browser.firefox-view.feature-tour", "{\"screen\":\"\",\"complete\":true}");
lockPref("browser.firefox-view.view-count", 0); // Prevent logging # of times you use View
lockPref("browser.pdfjs.feature-tour", "{\"screen\":\"\",\"complete\":true}");
lockPref("browser.uitour.enabled", false);
lockPref("browser.uitour.loglevel", "Off");
lockPref("browser.uitour.requireSecure", true); // [DEFAULT]
lockPref("browser.uitour.surveyDuration", 0);
lockPref("browser.uitour.url", "");

/// Prevent Mozilla domains from having special privileges
// https://firefox-source-docs.mozilla.org/dom/ipc/process_model.html#privileged-mozilla-content

lockPref("browser.tabs.remote.separatePrivilegedMozillaWebContentProcess", false);
lockPref("browser.tabs.remote.separatedMozillaDomains", "");
lockPref("dom.ipc.processCount.privilegedmozilla", 0);
defaultPref("extensions.webextensions.restrictedDomains", "");
lockPref("permissions.manager.defaultsUrl", "");
lockPref("privacy.resistFingerprinting.block_mozAddonManager", true);
lockPref("services.sync.addons.trustedSourceHostnames", "");
lockPref("svg.context-properties.content.allowed-domains", "");
lockPref("webchannel.allowObject.urlWhitelist", "");

/// Remove Mozilla URL tracking params

defaultPref("app.releaseNotesURL", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes");
defaultPref("app.releaseNotesURL.aboutDialog", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes");
defaultPref("app.releaseNotesURL.prompt", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes");
defaultPref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%");

/// Disable Mozilla Web Compatibility Reporter
// Harmless from a privacy perspective - We just don't want to waste Mozilla's time due to our custom set-up...
// Also acts as attack surface reduction & a potential performance improvement

lockPref("extensions.webcompat-reporter.enabled", false); // [DEFAULT]
lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");
lockPref("ui.new-webcompat-reporter.enabled", false); // https://searchfox.org/mozilla-central/source/toolkit/components/nimbus/FeatureManifest.yaml#3604
lockPref("ui.new-webcompat-reporter.send-more-info-link", false); // [DEFAULT]

/// Set homepage to about:home, this is typically default, but overriden by some distro-packaged versions of Firefox like Fedora

defaultPref("browser.startup.homepage", "about:home"); // [DEFAULT]

// 003 Search & URL Bar

/// Allow adding custom search engines in about:preferences#search

defaultPref("browser.urlbar.update2.engineAliasRefresh", true);

/// Never trim URLs

lockPref("browser.urlbar.trimHttps", false);
lockPref("browser.urlbar.trimURLs", false);

/// Allow using a different search engine in Private Windows vs. Normal Windows

defaultPref("browser.search.separatePrivateDefault.ui.enabled", true);

// Ensure by default we use same search engine in both Private & Normal Windows
// Otherwise, Firefox's private search appears to default to Google... :/

defaultPref("browser.search.separatePrivateDefault", false);

// Prompt to use Private Browsing

defaultPref("browser.search.separatePrivateDefault.urlbarResult.enabled", true);

// Remove Search Engine Placeholders

lockPref("browser.urlbar.placeholderName", "");
lockPref("browser.urlbar.placeholderName.private", "");

/// Always show Punycode - Helps prevent phishing & IDN Homograph Attacks
// https://wikipedia.org/wiki/IDN_homograph_attack

defaultPref("network.IDN_show_punycode", true);

/// Do not autofill/autocomplete URLs by default

defaultPref("browser.urlbar.autoFill", false);

// Always show URL instead of search terms

lockPref("browser.urlbar.showSearchTerms.enabled", false);
lockPref("browser.urlbar.showSearchTerms.featureGate", false);

/// Enforce that JavaScript URLS are excluded from results

lockPref("browser.urlbar.filter.javascript", true); // [DEFAULT]

/// Disable "Recent Searches" being suggested since we disable Search & Form History anyways

lockPref("browser.urlbar.recentsearches.featureGate", false);
lockPref("browser.urlbar.suggest.recentsearches", false);

// Nice to have

defaultPref("browser.urlbar.clipboard.featureGate", false);
defaultPref("browser.urlbar.suggest.bookmark", true);
defaultPref("browser.urlbar.suggest.calculator", true);
defaultPref("browser.urlbar.suggest.clipboard", false);
defaultPref("browser.urlbar.suggest.engines", false);
defaultPref("browser.urlbar.suggest.history", false);
defaultPref("browser.urlbar.suggest.openpage", true);
defaultPref("browser.urlbar.unitConversion.enabled", true);

// 004 Implicit Connections

/// Disable Network Prefetching
// We also set "NetworkPrediction" in policies
// https://mozilla.github.io/policy-templates/#networkprediction
// https://developer.mozilla.org/docs/Glossary/Prefetch

lockPref("browser.places.speculativeConnect.enabled", false);
lockPref("browser.urlbar.speculativeConnect.enabled", false);
lockPref("network.dns.disablePrefetch", true);
lockPref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT]
lockPref("network.http.speculative-parallel-limit", 0);
lockPref("network.predictor.enable-hover-on-ssl", false); // [DEFAULT]
lockPref("network.predictor.enable-prefetch", false); // [DEFAULT]
lockPref("network.predictor.enabled", false);
lockPref("network.prefetch-next", false);

/// Disable Search Suggestions
/// We also set "SearchSuggestEnabled" in policies
// https://mozilla.github.io/policy-templates/#searchsuggestenabled

lockPref("browser.search.suggest.enabled", false);
lockPref("browser.search.suggest.enabled.private", false);
lockPref("browser.urlbar.showSearchSuggestionsFirst", false);
lockPref("browser.urlbar.suggest.searches", false);

/// Prevent leaking single word searches to DNS provider
/// We also set "GoToIntranetSiteForSingleWordEntryInAddressBar" in policies
// https://mozilla.github.io/policy-templates/#gotointranetsiteforsinglewordentryinaddressbar

lockPref("browser.fixup.dns_first_for_single_words", false); // [DEFAULT]
lockPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);

/// Prevent middle click on new tab button opening URLs or searches from clipboard

lockPref("browser.tabs.searchclipboardfor.middleclick", false);

// 005 HTTP(S) - Mixed Content & General Network Hardening

/// Enforce using HTTPS as much as possible

lockPref("dom.security.https_first", true);
lockPref("dom.security.https_first_for_custom_ports", true); // [DEFAULT, DEFENSE IN DEPTH]
lockPref("dom.security.https_first_pbm", true); // [DEFAULT]
lockPref("dom.security.https_first_schemeless", true);
lockPref("dom.security.https_only_mode", true);
lockPref("dom.security.https_only_mode.upgrade_local", true);
lockPref("dom.security.https_only_mode_pbm", true);
lockPref("security.mixed_content.block_active_content", true);
lockPref("security.mixed_content.block_display_content", true);
lockPref("security.mixed_content.upgrade_display_content", true);
lockPref("security.mixed_content.upgrade_display_content.audio", true); // [DEFAULT]
lockPref("security.mixed_content.upgrade_display_content.image", true); // [DEFAULT]
lockPref("security.mixed_content.upgrade_display_content.video", true); // [DEFAULT]

/// Prevent sending HTTP requests to websites that do not respond quickly to check if they support HTTPS

defaultPref("dom.security.https_only_mode_send_http_background_request", false);

/// Show suggestions when an HTTPS page can not be found 

defaultPref("dom.security.https_only_mode_error_page_user_suggestions", true);

/// Always warn on insecure webpages

lockPref("security.insecure_connection_text.enabled", true);
lockPref("security.insecure_connection_text.pbmode.enabled", true);
lockPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
lockPref("security.warn_submit_secure_to_insecure", true); // Warn when submitting a form from HTTP to HTTPS

/// Show detailed information on insecure warning pages

defaultPref("browser.xul.error_pages.expert_bad_cert", true);

/// Disable TLS1.3 0-RTT (Not forward secret)
// https://github.com/tlswg/tls13-spec/issues/1001

lockPref("security.tls.enable_0rtt_data", false);

/// Enforce preloading intermediates
// https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading

lockPref("security.remote_settings.intermediates.enabled", true); // [DEFAULT]

/// Never downgrade to insecure TLS 1.0/1.1

lockPref("security.tls.insecure_fallback_hosts", ""); // [DEFAULT]
lockPref("security.tls.version.enable-deprecated", false); // [DEFAULT]

/// Enforce TLS 1.3 downgrade protection
// https://bugzilla.mozilla.org/show_bug.cgi?id=1576790

lockPref("security.tls.hello_downgrade_check", true); // [DEFAULT]

/// Only load secure websockets from HTTPS pages

lockPref("network.websocket.allowInsecureFromHTTPS", false); // [DEFAULT]

/// Enforce blocking additional ports

lockPref("network.security.ports.banned.override", ""); // [DEFAULT]

/// Enable Post Quantum Key Agreement (Kyber)
/// We also set "PostQuantumKeyAgreementEnabled" in policies
// https://mozilla.github.io/policy-templates/#postquantumkeyagreementenabled

lockPref("media.webrtc.enable_pq_dtls", true);
lockPref("network.http.http3.enable_kyber", true);
lockPref("security.tls.enable_kyber", true);

/// Enforce MITM Detection
// https://bugzilla.mozilla.org/show_bug.cgi?id=1529643

lockPref("security.certerrors.mitm.priming.enabled", true); // [DEFAULT]

/// Disable Captive Portal & Connectivity Checks
// We also set "CaptivePortal" in policies
// https://support.mozilla.org/kb/how-stop-firefox-making-automatic-connections#w_network-detection
// https://www.eff.org/deeplinks/2017/08/how-captive-portals-interfere-wireless-security-and-privacy

lockPref("captivedetect.canonicalContent", "");
lockPref("captivedetect.canonicalURL", "");
lockPref("network.captive-portal-service.enabled", false);
lockPref("network.connectivity-service.DNSv4.domain", "");
lockPref("network.connectivity-service.DNSv6.domain", "");
lockPref("network.connectivity-service.enabled", false);
lockPref("network.connectivity-service.IPv4.url", "");
lockPref("network.connectivity-service.IPv6.url", "");

/// Proxy
// We also set "UseProxyForDNS" in policies
// https://mozilla.github.io/policy-templates/#proxy

defaultPref("network.file.disable_unc_paths", true);
defaultPref("network.gio.supported-protocols", "");
defaultPref("network.proxy.allow_bypass", false);
defaultPref("network.proxy.failover_direct", false);
defaultPref("network.proxy.socks_remote_dns", true);
defaultPref("network.proxy.socks5_remote_dns", true);

// 006 DNS

/// We also set "DNSOverHTTPS" in policies
// https://mozilla.github.io/policy-templates/#dnsoverhttps

/// Disable Mozilla DoH Rollout

lockPref("doh-rollout.disable-heuristics", true);
lockPref("doh-rollout.enabled", false);
lockPref("doh-rollout.skipHeuristicsCheck", true);
lockPref("doh-rollout.uri", "");
lockPref("network.trr.default_provider_uri", "");

/// Enable DoH & Set to Quad9 by default
/// We also set "DNSOverHTTPS" in policies
// https://mozilla.github.io/policy-templates/#dnsoverhttps

defaultPref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
defaultPref("network.trr.mode", 3);
defaultPref("network.trr.uri", "https://dns.quad9.net/dns-query");

/// Improve list of built-in DoH Providers

defaultPref("doh-rollout.provider-list", '[{"UIName":"Quad9 - Real-time Malware Protection","uri":"https://dns.quad9.net/dns-query"}, {"UIName":"DNS0 (ZERO) - Hardened Real-time Malware Protection","uri":"https://zero.dns0.eu"}, {"UIName":"DNS0 - Real-time Malware Protection","uri":"https://dns0.eu"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware Protection","uri":"https://base.dns.mullvad.net/dns-query"}, {"UIName":"AdGuard (Public) - Ad/Tracking Protection","uri":"https://dns.adguard-dns.com/dns-query"}, {"UIName":"Mullvad - No Filtering","uri":"https://dns.mullvad.net/dns-query"}, {"UIName":"Wikimedia - No Filtering","uri":"https://wikimedia-dns.org/dns-query"}, {"UIName":"AdGuard (Public) - No Filtering","uri":"https://unfiltered.adguard-dns.com/dns-query"}, {"UIName":"DNS0 - Kids","uri":"https://kids.dns0.eu"}, {"UIName":"Mullvad - Family","uri":"https://family.dns.mullvad.net/dns-query"}, {"UIName":"AdGuard (Public) - Family Protection","uri":"https://family.adguard-dns.com/dns-query"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware/Social Media Protection","uri":"https://extended.dns.mullvad.net/dns-query"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware/Social Media/Adult/Gambling Protection","uri":"https://all.dns.mullvad.net/dns-query"}]');

/// Skip DoH Connectivity Checks

lockPref("network.connectivity-service.DNS_HTTPS.domain", "");
lockPref("network.trr.confirmationNS", "skip");

/// Never disable DoH from registry checks
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml

lockPref("network.notify.checkForNRPT", false);
lockPref("network.notify.checkForProxies", false);

/// Enforce EncryptedClientHello
// We also set "DisableEncryptedClientHello" in policies
// https://mozilla.github.io/policy-templates/#disableencryptedclienthello
// https://blog.cloudflare.com/announcing-encrypted-client-hello

lockPref("network.dns.echconfig.enabled", true); // [DEFAULT]
lockPref("network.dns.http3_echconfig.enabled", true); // [DEFAULT]

/// Enable Native DNS HTTPS Lookups

defaultPref("network.dns.native_https_query", true);

// 007 CERTIFICATES

/// Enforce OCSP & Stapling

lockPref("security.OCSP.enabled", 1); // [DEFAULT]
lockPref("security.ssl.enable_ocsp_must_staple", true); // [DEFAULT]
lockPref("security.ssl.enable_ocsp_stapling", true); // [DEFAULT]

/// Hard-fail OCSP by default
// Personally have not ran into any issues from this in YEARS... & it provides a fairly significant security improvement
// Can reconsider if people start having issues

defaultPref("security.OCSP.require", true);

/// Enable CRLite & use where possible

lockPref("security.pki.crlite_mode", 2);
lockPref("security.remote_settings.crlite_filters.enabled", true);

/// Make exceptions for certificate errors session only

lockPref("security.certerrors.permanentOverride", false);

/// Enforce Strict Certificate Pinning

lockPref("security.cert_pinning.enforcement_level", 2);

/// Enable & Enforce Certificate Transparency
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15868

lockPref("security.pki.certificate_transparency.mode", 2); // [DEFAULT: 0]
lockPref("security.pki.certificate_transparency.disable_for_hosts", ""); // [DEFAULT]
lockPref("security.pki.certificate_transparency.disable_for_spki_hashes", ""); // [DEFAULT]

// 008 DOWNLOADS

/// Always prompt before downloading files
/// We also set "PromptForDownloadLocation" in policies
// https://mozilla.github.io/policy-templates/#promptfordownloadlocation

lockPref("browser.download.always_ask_before_handling_new_types", true);
lockPref("browser.download.useDownloadDir", false);

// Always notify when downloading files

lockPref("browser.download.alwaysOpenPanel", true); // [DEFAULT]

// Enforce blocking insecure downloads

lockPref("dom.block_download_insecure", true); // [DEFAULT]

// 009 SAFE BROWSING

/// Enable Safe Browsing by default
// Harmless from a privacy perspective due to the below changes, also effective at preventing real-time malicious domains and downloads.
// We will of course **ALWAYS** give users the ability to disable.

defaultPref("browser.safebrowsing.blockedURIs.enabled", true); // [DEFAULT]
defaultPref("browser.safebrowsing.downloads.enabled", true); // [DEFAULT]
defaultPref("browser.safebrowsing.malware.enabled", true); // [DEFAULT]
defaultPref("browser.safebrowsing.phishing.enabled", true); // [DEFAULT]

// I would rather not touch the below prefs, but they are important for ex. LibreWolf...

defaultPref("browser.safebrowsing.provider.google.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2"); // [DEFAULT]
defaultPref("browser.safebrowsing.provider.google.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2&key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
defaultPref("browser.safebrowsing.provider.google4.gethashURL", "https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSING_API_KEY%&$httpMethod=POST"); // [DEFAULT]
defaultPref("browser.safebrowsing.provider.google4.updateURL", "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSING_API_KEY%&$httpMethod=POST"); // [DEFAULT]

/// Prevent sending metadata of downloaded files to Google
// https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work#w_how-does-phishing-and-malware-protection-work-in-firefox
// https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

lockPref("browser.safebrowsing.downloads.remote.enabled", false);
lockPref("browser.safebrowsing.downloads.remote.url", "");

/// Enforce that no data is shared with Google
// https://bugzilla.mozilla.org/show_bug.cgi?id=1351147

lockPref("browser.safebrowsing.provider.google.dataSharing.enabled", false); // [DEFAULT] Android
lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); // [DEFAULT]
lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");

/// Show advanced details on pages blocked by Safe Browsing by default

defaultPref("browser.xul.error_pages.show_safe_browsing_details_on_load", true);

/// By default, when you report a Safe Browsing false positive, it sends the URL to both Mozilla & Google (NOT PROXIED), as well as your locale to Mozilla
// Ex. https://en-us.phish-error.mozilla.com/?url=example.org - Which redirects you directly to https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=example.org 
// We can improve privacy & speed by sending the domain *only* to Google & without sending your locale to anyone
// We could also potentially strip tpl=mozilla which tells Google the request is from Firefox - though it looks like there is a different page for Firefox users with a better privacy policy, so we will leave it for now
// Unclear whether 'MalwareMistake' is used, but we can set it anyways

defaultPref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=");
defaultPref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=");
defaultPref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=");
defaultPref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "https://safebrowsing.google.com/safebrowsing/report_error/?tpl=mozilla&url=");

/// Similar behavior also appears to happen when you report a URL to Safe Browsing

defaultPref("browser.safebrowsing.reportPhishURL", "https://safebrowsing.google.com/safebrowsing/report_phish/?tpl=mozilla&url=");

/// Unclear whether these are actually used or not, but looks like Firefox has some kind of functionality to view a "report" from Safe Browsing about the safety, history, & general status of a site
// By default, it unnecessarily redirects from ex. https://safebrowsing.google.com/safebrowsing/diagnostic?site=example.org to https://transparencyreport.google.com/safe-browsing/search?url=example.org
// We can skip the redirect to improve speed

defaultPref("browser.safebrowsing.provider.google.reportURL", "https://transparencyreport.google.com/safe-browsing/search?url=");
defaultPref("browser.safebrowsing.provider.google4.reportURL", "https://transparencyreport.google.com/safe-browsing/search?url=");

// 010 GEOLOCATION

/// Prevent Wi-Fi Scanning

lockPref("browser.region.network.scan", false); // [DEFAULT]
lockPref("geo.wifi.scan", false);

/// Disable "Region Updates"
// https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html

lockPref("browser.region.network.url", "");
lockPref("browser.region.update.enabled", false);

/// Deny websites geo permission by default
/// We also set "Location" in policies
// https://mozilla.github.io/policy-templates/#permissions

defaultPref("permissions.default.geo", 2);

/// Geo Provider

defaultPref("geo.provider.network.url", "https://beacondb.net/v1/geolocate"); // Enable experimental geolocation support for BeaconDB, better than nothing for Windows/Linux users
defaultPref("geo.provider.use_corelocation", true); // Enable Apple Location Services for macOS
defaultPref("geo.provider.use_geoclue", false); // Disable Geoclue for Linux distros (at least for now)
defaultPref("geo.provider.ms-windows-location", false); // Disable Microsoft Location Services for Windows users

/// Update info URL to ours so that users receive accurate information

defaultPref("browser.geolocation.warning.infoURL", "https://phoenix.celenity.dev/geo");

// 011 AI
// https://support.mozilla.org/kb/ai-chatbot

/// Ensure that AI functionality is disabled by default

defaultPref("browser.ml.chat.enabled", false); // [DEFAULT] - AI Chatbot
defaultPref("browser.ml.chat.shortcuts", false); // Pop-up when highlighting text
defaultPref("browser.ml.enable", false); // [DEFAULT] - "Experimental Machine Learning Inference Engine"

/// If AI Chatbot is enabled, set it to DuckDuckGo AI Chat by default
/// Unfortunately this is not compatible with the pop-up when selecting text. There is also not a way at the moment to add it as a persistent option.

defaultPref("browser.ml.chat.provider", "https://duckduckgo.com/?q=DuckDuckGo+AI+Chat&ia=chat");

/// If AI Chatbot is enabled, remove built-in Anthropic Claude, ChatGPT, Google Gemini, & Le Chat Mistral options due to the terrible privacy policies...
/// HuggingChat is generally solid, though it does leave room for some questions, best option out of the built-in

defaultPref("browser.ml.chat.providers", "huggingchat");

/// Allow toggling AI via about:preferences#experimental by default

defaultPref("browser.ml.chat.hideFromLabs", false);

/// If pop-up when highlighting text is enabled, allow typing a custom prompt based on your selection

defaultPref("browser.ml.chat.shortcuts.custom", true); // [DEFAULT]

// 012 WEBRTC

defaultPref("media.peerconnection.ice.obfuscate_host_addresses", true);
defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
lockPref("privacy.webrtc.allowSilencingNotifications", true);
defaultPref("privacy.webrtc.globalMuteToggles", true);
lockPref("privacy.webrtc.hideGlobalIndicator", false);
lockPref("privacy.webrtc.sharedTabWarning", true);

/// Always sandbox Media Transport
// https://searchfox.org/mozilla-central/source/security/sandbox/common/SandboxSettings.cpp

lockPref("media.peerconnection.mtransport_process", true); // [DEFAULT]

// 013 DISK AVOIDANCE

/// Disable Search & Form History - Can be leaked to sites
// We also set "DisableFormHistory" in policies
// https://mozilla.github.io/policy-templates/#disableformhistory
// https://blog.mindedsecurity.com/2011/10/autocompleteagain.html

lockPref("browser.formfill.enable", false);

/// Disable caching, might reconsider since we clear cache on exit anyways

defaultPref("browser.cache.disk.enable", false);
defaultPref("browser.cache.disk_cache_ssl", false);
defaultPref("browser.cache.memory.enable", false);
defaultPref("browser.cache.memory.capacity", 0);
defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true);

/// Prevent storing unnecessary extra session data

defaultPref("browser.sessionstore.privacy_level", 2);

/// Sanitize on exit
// We also configure "SanitizeOnShutdown" in policies
// https://mozilla.github.io/policy-templates/#sanitizeonshutdown-selective

defaultPref("privacy.clearHistory.cache", true);
defaultPref("privacy.clearHistory.historyFormDataAndDownloads", true);
defaultPref("privacy.clearSiteData.cache", true);
defaultPref("privacy.clearSiteData.historyFormDataAndDownloads", true);
defaultPref("privacy.clearOnShutdown.cache", true);
defaultPref("privacy.clearOnShutdown.cookies", true);
defaultPref("privacy.clearOnShutdown.downloads", true);
defaultPref("privacy.clearOnShutdown.formdata", true);
defaultPref("privacy.clearOnShutdown.history", true);
defaultPref("privacy.clearOnShutdown.offlineApps", true);
defaultPref("privacy.clearOnShutdown.sessions", true);
defaultPref("privacy.clearOnShutdown_v2.cache", true);
defaultPref("privacy.clearOnShutdown_v2.cookiesAndStorage", true);
defaultPref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true);
defaultPref("privacy.cpd.cache", true);
defaultPref("privacy.cpd.formdata", true);
defaultPref("privacy.sanitize.sanitizeOnShutdown", true); // Allows selectively clearing data on shutdown

/// Set time range when manually clearing data to "everything" by default

defaultPref("privacy.sanitize.timeSpan", 0);

// Prevent automatically sharing Firefox Sync accounts...

lockPref("identity.fxaccounts.migrateToDevEdition", false);

/// Prevent logging blocked domains in about:protections

defaultPref("browser.contentblocking.cfr-milestone.enabled", false);
defaultPref("browser.contentblocking.database.enabled", false);

/// Disable favicons in shortcuts, prevents .ico files from persisting even after deletion

defaultPref("browser.shell.shortcutFavicons", false);

/// Delete cached files from windows opened with external applications
/// We also set "StartDownloadsInTempDirectory" in policies
// https://mozilla.github.io/policy-templates/#startdownloadsintempdirectory

defaultPref("browser.download.start_downloads_in_tmp_dir", true);
defaultPref("browser.helperApps.deleteTempFileOnExit", true);

// Prevent exposing content in the window title for Private Browsing windows
// https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js

defaultPref("privacy.exposeContentTitleInWindow.pbm", false);

/// When a file is deleted in Firefox, also remove from session list & history 
// https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js

defaultPref("browser.download.clearHistoryOnDelete", 2);

/// Adds a fire button in Private Browsing Windows to reset session

defaultPref("browser.privatebrowsing.resetPBM.enabled", true);

/// Prevent automatically starting Firefox & restoring session after reboot on Windows

defaultPref("toolkit.winRegisterApplicationRestart", false);

/// Disable LaterRun - Tracks profile creation time & number of browser uses
// https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41568
// https://bugzilla.mozilla.org/show_bug.cgi?id=1200639

lockPref("browser.laterrun.bookkeeping.profileCreationTime", 0);
lockPref("browser.laterrun.bookkeeping.sessionCount", 0);
lockPref("browser.laterrun.enabled", false);

/// Prevent coloring visited links

defaultPref("layout.css.visited_links_enabled", false);

/// Disable collecting & generating background thumbnails

defaultPref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN]

// 014 EXTENSIONS

// Only allow installing extensions from profile & application directories (Prevents extensions being installed from the system/via other programs)
/// https://archive.is/DYjAM
/// https://github.com/arkenfox/user.js/blob/master/user.js#L612

defaultPref("extensions.enabledScopes", 5);
lockPref("extensions.autoDisableScopes", 15); // [DEFAULT] Defense in depth, ensures extensions installed via directories are disabled by default...

// Only allow signed extensions

lockPref("extensions.langpacks.signatures.required", true);
lockPref("xpinstall.signatures.required", true); // {DEFAULT}
lockPref("xpinstall.whitelist.required", true); // {DEFAULT}

// Block extensions signed with weak signature algorithms

lockPref("xpinstall.signatures.weakSignaturesTemporarilyAllowed", false);

// Enforce Extension Blocklist

lockPref("extensions.blocklist.enabled", true); // [DEFAULT]

// Never bypass 3rd party extension install prompts

lockPref("extensions.postDownloadThirdPartyPrompt", false);

// Allow LocalCDN to work on quarantined domains

defaultPref("extensions.quarantineIgnoredByUser.{b86e4813-687a-43e6-ab65-0bde4ab75758}", true);

// Allow Mullvads extension to work on quarantined domains

defaultPref("extensions.quarantineIgnoredByUser.{d19a89b9-76c1-4a61-bcd4-49e8de916403}", true);

// 015 PDF.js

/// Disable JavaScript

lockPref("pdfjs.enableScripting", false);

/// Disable XFA
// https://insert-script.blogspot.com/2019/01/adobe-reader-pdf-callback-via-xslt.html
// https://www.sentinelone.com/blog/malicious-pdfs-revealing-techniques-behind-attacks/
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xfa
// https://wikipedia.org/wiki/XFA
// Not even a standard...

defaultPref("pdfjs.enableXfa", false);

/// Never allow documents to prevent copying text
/// We also set `EnablePermissions` in policies
// https://mozilla.github.io/policy-templates/#pdfjs

lockPref("pdfjs.enablePermissions", false); // [DEFAULT]

/// Prevent checking if default PDF viewer
// https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js

lockPref("browser.shell.checkDefaultPDF", false);
lockPref("browser.shell.checkDefaultPDF.silencedByUser", true);

/// Never open Microsoft Edge for PDFs
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml

lockPref("browser.pdf.launchDefaultEdgeAsApp", false);

/// Open PDFs in browser where possible

defaultPref("browser.download.open_pdf_attachments_inline", true);

/// Show sidebar by default when viewing PDFs

defaultPref("pdfjs.sidebarViewOnLoad", 2);

// 016 FINGERPRINTING PROTECTION

/// Set RFP to spoof the English locale by default

defaultPref("privacy.spoof_english", 2);

/// Round window sizes

defaultPref("privacy.window.maxInnerHeight", 900);
defaultPref("privacy.window.maxInnerWidth", 1600);

/// Expose RFP letterboxing to users, but do not enable by default

defaultPref("privacy.resistFingerprinting.letterboxing", false); // [DEFAULT, HIDDEN]

/// If RFP is enabled, always randomize canvas

lockPref("privacy.resistFingerprinting.randomDataOnCanvasExtract", true); // [DEFAULT]

/// If RFP is enabled, unbreak Apple Maps by default

defaultPref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid,beta.maps.apple.com");

/// Disable WebGPU
// https://browserleaks.com/webgpu

lockPref("dom.webgpu.enabled", false); // [DEFAULT]

/// Enforce that WebGL stays disabled if it is disabled

lockPref("webgl.disable-fail-if-major-performance-caveat", false);

/// Prevent using system colors

lockPref("browser.display.use_system_colors", false);

// 017 MISC. PRIVACY

/// Enable ETP Strict

lockPref("browser.contentblocking.category", "strict");

/// Set LibreWolf/forks to use our custom enhanced uBlock Origin config by default
// We do not support LibreWolf at the moment, but this will be beneficial if that ever changes in the future.

defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://phoenix.celenity.dev/uBlock/assets.json");

/// Enforce container isolation of about:home content

lockPref("browser.discovery.containers.enabled", true); // [DEFAULT]

/// Enforce Do Not Track & Global Privacy Control

lockPref("privacy.donottrackheader.enabled", true);
lockPref("privacy.globalprivacycontrol.enabled", true);
lockPref("privacy.globalprivacycontrol.functionality.enabled", true);
lockPref("privacy.globalprivacycontrol.pbmode.enabled", true); // [DEFAULT]

/// Disable "Privacy-Preserving Attribution"
// https://support.mozilla.org/kb/privacy-preserving-attribution

lockPref("dom.origin-trials.private-attribution.state", 0);
lockPref("dom.private-attribution.submission.enabled", false);

/// Disable Reporting API
// https://w3c.github.io/reporting/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1492036

lockPref("dom.reporting.enabled", false); // [DEFAULT]
lockPref("dom.reporting.crash.enabled", false);
lockPref("dom.reporting.featurePolicy.enabled", false);
lockPref("dom.reporting.header.enabled", false);

/// Trim cross-origin referers (Like Safari)

lockPref("network.http.referer.XOriginTrimmingPolicy", 2);

/// Restrict referers for trackers

lockPref("network.http.referer.defaultPolicy.trackers", 1);
lockPref("network.http.referer.defaultPolicy.trackers.pbmode", 1);

/// Disable Hyperlink Auditing (Click Tracking)
// https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/

lockPref("browser.send_pings", false); // [DEFAULT]
lockPref("browser.send_pings.max_per_link", 0); // [DEFENSE IN DEPTH]
lockPref("browser.send_pings.require_same_host", true); // [DEFENSE IN DEPTH]

/// Improve built-in query stripping to be on par with LibreWolf & Brave
// https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg#L77

defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oft_c oft_ck oft_d oft_id oft_ids oft_k oft_lk oft_sk oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");

/// Strip tracking parameters from URLs when shared by default

defaultPref("privacy.query_stripping.strip_on_share.enabled", true); // [DEFAULT]

// 018 PASSWORDS & AUTHENTICATION

/// Never Autofill

lockPref("signon.autofillForms", false);
lockPref("signon.autofillForms.http", false); // [DEFAULT]
lockPref("signon.formlessCapture.enabled", false);
lockPref("signon.privateBrowsingCapture.enabled", false);

/// Always allow showing password when hidden

defaultPref("layout.forms.reveal-password-button.enabled", true);
defaultPref("layout.forms.reveal-password-context-menu.enabled", true); // [DEFAULT]

/// Prevent websites from dictating whether to allow filling passwords
// https://blog.0xbadc0de.be/archives/124

defaultPref("signon.storeWhenAutocompleteOff", false);

/// Never truncate passwords
// https://www.ghacks.net/2020/05/18/firefox-77-wont-truncate-text-exceeding-max-length-to-address-password-pasting-issues/

defaultPref("editor.truncate_user_pastes", false);

/// Disable Password Manager by default - Insecure & unencrypted
/// You should instead use something like Bitwarden or Proton Pass

defaultPref("extensions.formautofill.addresses.enabled", false);
defaultPref("extensions.formautofill.creditCards.enabled", false);
defaultPref("services.sync.engine.passwords", false);
defaultPref("signon.rememberSignons", false);

/// If password manager is enabled, enable alerts for breached & vulnerable passwords by default, harmless and never sends passwords or sensitive data to Mozilla
// https://support.mozilla.org/kb/mozilla-monitor-faq#w_does-mozilla-monitor-know-my-passwords
// https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/
// https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js

defaultPref("signon.management.page.breach-alerts.enabled", true); // [DEFAULT]
defaultPref("signon.management.page.vulnerable-passwords.enabled", true); // [DEFAULT]

/// If password manager is enabled, enable strong password generation by default

defaultPref("signon.generation.enabled", true); // [DEFAULT]

/// Prevent cross-origin sub-resources from opening HTTP authentication dialogs

lockPref("network.auth.subresource-http-auth-allow", 1);

/// Disable Windows SSO
/// We also configure "WindowsSSO" in policies
// https://mozilla.github.io/policy-templates/#windowssso

lockPref("network.http.windows-sso.enabled", false); // [DEFAULT]
lockPref("network.http.windows-sso.container-enabled.0", false);

/// Disable Microsoft Entra
/// We also configure "MicrosoftEntraSSO" in policies
// https://mozilla.github.io/policy-templates/#microsoftentrasso

lockPref("network.http.microsoft-entra-sso.enabled", false); // [DEFAULT]
lockPref("network.http.microsoft-entra-sso.container-enabled.0", false);
lockPref("network.microsoft-sso-authority-list", ""); // DEFENSE IN DEPTH

/// Prevent using Negotiate authentication by default 
// https://people.redhat.com/mikeb/negotiate/

defaultPref("network.negotiate-auth.trusted-uris", ""); // [DEFAULT]

/// Enforce crashing on insecure password input

lockPref("intl.allow-insecure-text-input", false); // [DEFAULT]

/// Protect against password spoofing for cross-domain auth requests
// https://bugzilla.mozilla.org/show_bug.cgi?id=791594
// https://searchfox.org/mozilla-central/source/browser/app/profile/firefox.js

lockPref("privacy.authPromptSpoofingProtection", true); // [DEFAULT]

// 019 ATTACK SURFACE REDUCTION

/// Disable JavaScript Just-in-time Compilation (JIT)
// https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/

defaultPref("javascript.options.baselinejit", false);
defaultPref("javascript.options.ion", false);
defaultPref("javascript.options.native_regexp", false); //  https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21865 https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml
defaultPref("javascript.options.wasm_baselinejit", false);

/// Disable ASM.JS (More JIT)
// https://rh0dev.github.io/blog/2017/the-return-of-the-jit/

defaultPref("javascript.options.asmjs", false);

/// Disable MathML
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml 

defaultPref("mathml.disabled", true);

/// Disable Graphite & SVG OpenType fonts
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg

defaultPref("gfx.font_rendering.graphite.enabled", false);
defaultPref("gfx.font_rendering.opentype_svg.enabled", false);

/// Disable WebXR
// https://developer.mozilla.org/docs/Web/API/WebXR_Device_API

defaultPref("permissions.default.xr", 2);

// 022 MISC. SECURITY

// If a website asks for a certificate, always prompt the user
// Never automatically select one...
// https://www.stigviewer.com/stig/mozilla_firefox/2023-06-05/finding/V-251547

lockPref("security.default_personal_cert", "Ask Every Time"); // [DEFAULT]

/// Disable Accessibility Services
// https://support.mozilla.org/kb/accessibility-services#w_malware-and-adware

lockPref("accessibility.force_disabled", 1);
lockPref("devtools.accessibility.enabled", false);

/// Enforce that Content Analysis is disabled
/// We also set "ContentAnalysis" in policies
// https://mozilla.github.io/policy-templates/#contentanalysis
// https://github.com/chromium/content_analysis_sdk

lockPref("browser.contentanalysis.default_result", 0); // [DEFAULT]
lockPref("browser.contentanalysis.enabled", false); // [DEFAULT]
lockPref("browser.contentanalysis.interception_point.clipboard.enabled", false);
lockPref("browser.contentanalysis.interception_point.drag_and_drop.enabled", false);
lockPref("browser.contentanalysis.interception_point.file_upload.enabled", false);
lockPref("browser.contentanalysis.interception_point.print.enabled", false);

/// Enforce Site Isolation & Isolate all websites

lockPref("dom.ipc.processCount.webIsolated", 1);
lockPref("fission.autostart", true); // [DEFAULT]

/// Yes, this is a real pref... 
// https://searchfox.org/mozilla-central/source/testing/profiles/common/user.js

lockPref("security.turn_off_all_security_so_that_viruses_can_take_over_this_computer", false); // [DEFAULT]

/// Enable GPU Sandboxing
// https://www.ghacks.net/2023/01/17/firefox-110-will-launch-with-gpu-sandboxing-on-windows/

lockPref("security.sandbox.gpu.level", 1);

/// Disable GNOME Integration
// https://searchfox.org/mozilla-central/source/browser/components/shell/nsGNOMEShellService.cpp

lockPref("browser.gnome-search-provider.enabled", false);

/// Protect against CSRF Attacks (Like Chromium)
// https://groups.google.com/a/mozilla.org/g/dev-platform/c/6PZtLH7c6JQ
// https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/
// https://web.dev/articles/samesite-cookies-explained
// https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions

defaultPref("network.cookie.sameSite.laxByDefault", true);
defaultPref("network.cookie.sameSite.noneRequiresSecure", true);
defaultPref("network.cookie.sameSite.schemeful", true);

/// Enforce Strict file:// Origin Policy
// https://stuffandnonsense.co.uk/blog/firefoxs_file_uri_origin_policy_and_web_fonts
// https://stackoverflow.com/questions/2856502/css-font-face-not-working-with-firefox-but-working-with-chrome-and-ie

lockPref("security.fileuri.strict_origin_policy", true); // [DEFAULT]

/// Always protect against MIME Exploits
// https://www.pcmag.com/encyclopedia/term/mime-exploit

lockPref("security.block_fileuri_script_with_wrong_mime", true);
lockPref("security.block_Worker_with_wrong_mime", true); // [DEFAULT]

/// Never load Navigator Media Objects & getUserMedia Support in insecure contexts
// https://developer.mozilla.org/docs/Web/API/Navigator/mediaDevices
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml

lockPref("media.devices.insecure.enabled", false); // [DEFAULT]
lockPref("media.getusermedia.insecure.enabled", false); // [DEFAULT]

/// Disable Win32k System Calls
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15638
// https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
// https://docs.google.com/document/d/1gJDlk-9xkh6_8M_awrczWCaUuyr0Zd2TKjNBCiPO_G4/edit

lockPref("security.sandbox.content.win32k-disable", true); // [DEFAULT]
lockPref("security.sandbox.gmp.win32k-disable", true);
lockPref("security.sandbox.socket.win32k-disable", true); // [DEFAULT]

// Ensure that Firefox can't access the Windows Shell...
// https://www.stigviewer.com/stig/mozilla_firefox/2019-12-12/finding/V-15771

lockPref("network.protocol-handler.external.shell", false); // [DEFAULT]

// Always warn users before launching other apps...

lockPref("network.protocol-handler.warn-external-default", true); // [DEFAULT]
lockPref("network.protocol-handler.warn-external.mailto", true);
lockPref("security.external_protocol_requires_permission", true); // [DEFAULT]

/// Enforce various other important security-related prefs
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15473

lockPref("security.all_resource_uri_content_accessible", false); // [DEFAULT]
lockPref("security.allow_eval_in_parent_process", false); //[DEFAULT on standard Firefox releases only, not on ex. Thunderbird & other builds]
lockPref("security.allow_eval_with_system_principal", false); // [DEFAULT on standard Firefox releases only, not on ex. Thunderbird & other builds]
lockPref("security.allow_parent_unrestricted_js_loads", false); // [DEFAULT on standard Firefox releases only, not on ex. Thunderbird & other builds]
lockPref("security.allow_unsafe_parent_loads", false); // [DEFAULT]
lockPref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT]

// 023 BLOCK COOKIE BANNERS

defaultPref("cookiebanners.service.mode", 1);
defaultPref("cookiebanners.service.mode.privateBrowsing", 1);
defaultPref("cookiebanners.service.enableGlobalRules", true);
defaultPref("cookiebanners.ui.desktop.enabled", true);

// 024 MEDIA

/// Always sandbox GMP
// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml

lockPref("media.gmp.insecure.allow", false); // [DEFAULT]

/// Enforce validating signature for GMP when updating
// https://searchfox.org/mozilla-central/source/modules/libpref/init/all.js

lockPref("media.gmp-manager.cert.checkAttributes", true); // [DEFAULT]
lockPref("media.gmp-manager.cert.requireBuiltIn", true); // [DEFAULT]
lockPref("media.gmp-manager.checkContentSignature", true); // [DEFAULT]

/// Disable Autoplay by default

defaultPref("media.autoplay.default", 5);
defaultPref("userContent.player.click_to_play", true); // https://github.com/black7375/Firefox-UI-Fix/wiki/Options#defaults-6

/// DRM
// Garbage technology with freedom, privacy, & security concerns
// We also set "EncryptedMediaExtensions" in policies
// https://mozilla.github.io/policy-templates/#encryptedmediaextensions
// https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next

lockPref("browser.eme.ui.enabled", false);
lockPref("media.clearkey.persistent-license.enabled", false); // [DEFAULT]
lockPref("media.clearkey.test-key-systems.enabled", false); // [DEFAULT]
lockPref("media.eme.enabled", false);
lockPref("media.eme.encrypted-media-encryption-scheme.enabled", false);
lockPref("media.eme.hdcp-policy-check.enabled", false);
lockPref("media.eme.playready.enabled", false);
lockPref("media.eme.require-app-approval", true); // [DEFENSE IN DEPTH]: Enforce locking DRM behind permission https://searchfox.org/mozilla-central/source/mobile/android/app/geckoview-prefs.js#304
lockPref("media.eme.wmf.clearkey.enabled", false); // [DEFAULT]
lockPref("media.gmp-widevinecdm.enabled", false);
lockPref("media.gmp-widevinecdm.visible", false);
lockPref("media.gmp-widevinecdm-l1.enabled", false);
lockPref("media.gmp-widevinecdm-l1.visible", false);
lockPref("media.mediadrm-widevinecdm.visible", false); // [ANDROID]: https://searchfox.org/mozilla-central/source/mobile/android/app/geckoview-prefs.js#320

// 025 UPDATES

/// Browser Updates

defaultPref("app.update.badgeWaitTime", 0); // Immediately show badge on hamburger menu when update is available
defaultPref("app.update.notifyDuringDownload", true); // Ensure that users are notified when an update is downloaded
defaultPref("app.update.promptWaitTime", 3600); // Decrease time between update prompts, default is very generous...
defaultPref("browser.startup.upgradeDialog.enabled", true); // Enables showing a dialog/pop-up on major upgrades

/// Ensure we're always updating extensions by default
/// We also set "ExtensionUpdate" in policies
// https://mozilla.github.io/policy-templates/#extensionupdate

defaultPref("extensions.systemAddon.update.enabled", true); // [DEFAULT]
defaultPref("extensions.update.autoUpdateDefault", true); // [DEFAULT]
defaultPref("extensions.update.enabled", true); // [DEFAULT]
defaultPref("media.gmp-manager.updateEnabled", true);

// 026 DEBUGGING

/// Enforce local debugging only

lockPref("devtools.debugger.force-local", true);
lockPref("devtools.debugger.prompt-connection", true);
lockPref("devtools.debugger.remote-enabled", false);
lockPref("devtools.inspector.remote", false);

/// Ensure that URLs are not being logged in Reader errors

lockPref("reader.errors.includeURLs", false);

/// 027 MISC.

/// Enable Containers & isolate permissions per container

defaultPref("permissions.isolateBy.userContext", true);
defaultPref("privacy.userContext.enabled", true);
defaultPref("privacy.userContext.ui.enabled", true);

/// Never hide any extensions in about:debugging

lockPref("devtools.aboutdebugging.showHiddenAddons", true);

/// Enable Profiles UI
// Only works on Nightly?

defaultPref("browser.profiles.enabled", true);

/// Force pop-up windows to open in new tabs instead

lockPref("browser.link.open_newwindow", 3); // [DEFAULT]
lockPref("browser.link.open_newwindow.disabled_in_fullscreen", true);
lockPref("browser.link.open_newwindow.restriction", 0);

/// Always block pop-ups by default
/// We also configure "PopupBlocking" in policies
// https://mozilla.github.io/policy-templates/#popupblocking

defaultPref("dom.disable_open_during_load", true); // [DEFAULT]

/// Limit what events can cause pop-ups

defaultPref("dom.popup_allowed_events", "click dblclick");

/// Notify on Pop-up blocking by default

defaultPref("privacy.popups.showBrowserMessage", true);

/// Prevent scripts from moving, resizing, and messing with windows

lockPref("dom.disable_window_flip", true); // {DEFAULT}
lockPref("dom.disable_window_move_resize", true);

/// Never check default browser
/// We also set "DontCheckDefaultBrowser" in policies
// https://mozilla.github.io/policy-templates/#dontcheckdefaultbrowser

lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.shell.skipDefaultBrowserCheckOnFirstRun", true);

/// Disable annoying Web Speech API errors

lockPref("media.webspeech.synth.dont_notify_on_error", true);

/// Disable weather on Home by default

defaultPref("browser.newtabpage.activity-stream.showWeather", false);

/// Prevent websites from hijacking keyboard shortcuts by default
/// Can be overriden per site as needed

defaultPref("permissions.default.shortcuts", 2);

/// Disable Firefox "Reset/Refresh Profile" prompt
/// This could cause Phoenix users serious issues, especially those using user.js files
/// We also configure "DisableProfileRefresh" in policies
// https://mozilla.github.io/policy-templates/#disableprofilerefresh

lockPref("browser.disableResetPrompt", true);

// 028 PERFORMANCE
// A lot of these taken from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js

defaultPref("browser.cache.disk.metadata_memory_limit", 500);
defaultPref("browser.cache.jsbc_compression_level", 3);
defaultPref("browser.sessionstore.interval", 60000);
defaultPref("browser.sessionstore.max_tabs_undo", 7);
defaultPref("browser.sessionhistory.max_total_viewers", 7);
defaultPref("browser.tabs.min_inactive_duration_before_unload", 300000);
defaultPref("browser.toolbars.bookmarks.visibility", "always");
defaultPref("content.notify.interval", 100000); // https://searchfox.org/mozilla-central/rev/c1180ea13e73eb985a49b15c0d90e977a1aa919c/modules/libpref/init/StaticPrefList.yaml#1824-1834
defaultPref("extensions.logging.enabled", false); // [DEFAULT] https://searchfox.org/mozilla-central/source/mobile/android/app/geckoview-prefs.js#232
defaultPref("gfx.canvas.accelerated.cache-items", 4096);
defaultPref("gfx.canvas.accelerated.cache-size", 512);
defaultPref("gfx.content.skia-font-cache-size", 20);
defaultPref("gfx.webrender.all", true);
defaultPref("gfx.webrender.compositor", true);
defaultPref("image.mem.decode_bytes_at_a_time", 32768);
defaultPref("image.mem.shared.unmap.min_expiration_ms", 120000);
defaultPref("layout.css.grid-template-masonry-value.enabled", true); // https://developer.mozilla.org/docs/Web/CSS/CSS_Grid_Layout/Masonry_Layout
defaultPref("layout.css.report_errors", false); // https://searchfox.org/mozilla-central/source/mobile/android/app/geckoview-prefs.js#299
defaultPref("media.cache_readahead_limit", 7200);
defaultPref("media.cache_resume_threshold", 3600);
defaultPref("media.ffmpeg.vaapi.enabled", true); // Enable VA-API by default
defaultPref("network.buffer.cache.count", 128);
defaultPref("network.buffer.cache.size", 262144);
defaultPref("network.dnsCacheEntries", 1000);
defaultPref("network.dnsCacheExpiration", 3600);
defaultPref("network.dnsCacheExpirationGracePeriod", 240);
defaultPref("network.http.max-connections", 1800);
defaultPref("network.http.max-persistent-connections-per-proxy", 48);
defaultPref("network.http.max-persistent-connections-per-server", 10);
defaultPref("network.http.max-urgent-start-excessive-connections-per-host", 5);
defaultPref("media.memory_cache_max_size", 65536);

// 029 SMOOTH SCROLLING

defaultPref("general.smoothScroll", true);
defaultPref("general.smoothScroll.currentVelocityWeighting", "1");
defaultPref("general.smoothScroll.msdPhysics.continuousMotionMaxDeltaMS", 12);
defaultPref("general.smoothScroll.msdPhysics.enabled", true);
defaultPref("general.smoothScroll.msdPhysics.motionBeginSpringConstant", 600);
defaultPref("general.smoothScroll.msdPhysics.regularSpringConstant", 650);
defaultPref("general.smoothScroll.msdPhysics.slowdownMinDeltaMS", 25);
defaultPref("general.smoothScroll.msdPhysics.slowdownMinDeltaRatio", "2");
defaultPref("general.smoothScroll.msdPhysics.slowdownSpringConstant", 250);
defaultPref("general.smoothScroll.stopDecelerationWeighting", "1");
defaultPref("mousewheel.default.delta_multiplier_y", 300);

// Personal Touch 💜

/// Things that are  nice to have™
// Not directly privacy & security related

defaultPref("browser.uiCustomization.state", "{\"placements\":{\"widget-overflow-fixed-list\":[],\"unified-extensions-area\":[],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"urlbar-container\",\"_testpilot-containers-browser-action\",\"fxa-toolbar-menu-button\",\"reset-pbm-toolbar-button\",\"developer-button\",\"ublock0_raymondhill_net-browser-action\",\"downloads-button\",\"unified-extensions-button\"],\"TabsToolbar\":[\"tabbrowser-tabs\",\"new-tab-button\"],\"vertical-tabs\":[],\"PersonalToolbar\":[\"personal-bookmarks\"]},\"seen\":[\"reset-pbm-toolbar-button\",\"developer-button\",\"_testpilot-containers-browser-action\",\"ublock0_raymondhill_net-browser-action\"],\"dirtyAreaCache\":[\"nav-bar\",\"vertical-tabs\",\"PersonalToolbar\",\"unified-extensions-area\",\"TabsToolbar\"],\"currentVersion\":20,\"newElementCount\":4}"); // Clean-up default UI
defaultPref("browser.bookmarks.autoExportHTML", true);
defaultPref("browser.bookmarks.openInTabClosesMenu", false);
defaultPref("browser.compactmode.show", true);
defaultPref("browser.mailto.dualPrompt", false); // Prevent prompting to use as mailto handler
defaultPref("browser.mailto.prompt.os", false); // Prevent prompting to use as mailto handlerreduced
defaultPref("browser.menu.showViewImageInfo", true);
defaultPref("browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", false);
defaultPref("browser.newtabpage.activity-stream.newtabWallpapers.enabled", true);
defaultPref("browser.newtabpage.activity-stream.newtabWallpapers.v2.enabled", true);
defaultPref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
defaultPref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false);
defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
defaultPref("browser.newtabpage.activity-stream.section.highlights.rows", 0);
defaultPref("browser.newtabpage.activity-stream.showRecentSaves", false);
defaultPref("browser.preferences.experimental", true);
defaultPref("browser.privateWindowSeparation.enabled", false);
defaultPref("browser.search.openintab", true);
defaultPref("browser.search.widget.inNavBar", true);
defaultPref("browser.spin_cursor_while_busy", true);
defaultPref("browser.tabs.loadBookmarksInTabs", true);
defaultPref("browser.translations.alwaysTranslateLanguages", "bg,ca,cs,da,de,el,en,es,et,fi,fr,hr,hu,id,it,lv,lt,nl,pl,pt,ro,ru,sk,sl,sr,sv,tr,uk,vi");
defaultPref("browser.translations.automaticallyPopup", true); // [DEFAULT]
defaultPref("browser.translations.enable", true); // [DEFAULT]
defaultPref("browser.translations.newSettingsUI.enable", true);
defaultPref("browser.translations.select.enable", true); // [DEFAULT]
defaultPref("browser.urlbar.openintab", true);
defaultPref("devtools.chrome.enabled", true);
defaultPref("devtools.command-button-measure.enabled", true);
defaultPref("devtools.command-button-rulers.enabled", true);
defaultPref("devtools.command-button-screenshot.enabled", true);
defaultPref("devtools.dom.enabled", true);
defaultPref("devtools.debugger.ui.editor-wrapping", true);
defaultPref("findbar.highlightAll", true);
defaultPref("full-screen-api.transition-duration.enter", "0 0");
defaultPref("full-screen-api.transition-duration.leave", "0 0");
defaultPref("full-screen-api.warning.delay", -1);
defaultPref("full-screen-api.warning.timeout", 0);
defaultPref("security.xfocsp.hideOpenInNewWindow", false);
defaultPref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
defaultPref("view_source.wrap_long_lines", true);

// DO NOT TOUCH

// These are prefs that do more harm than good and should not be touched by users
// Locking them so users are not misled into thinking they improve privacy/security
// If any of these have legitimate use cases, please let me know! Freedom is important to this project.

lockPref("beacon.enabled", true); // [DEFAULT] - Useless & fingerprintable, the websites can get the data from this API anyways...
lockPref("device.sensors.enabled", true); //  [DEFAULT] - Useless & fingerprintable, covered by RFP/FPP
lockPref("dom.enable_performance", true); //  [DEFAULT] - Useless & fingerprintable, covered by RFP/FPP
lockPref("dom.enable_resource_timing", true); //  [DEFAULT] - Useless & fingerprintable, covered by RFP/FPP
lockPref("dom.gamepad.enabled", true); // [DEFAULT] - Useless & fingerprintable, covered by RFP/FPP
lockPref("dom.serviceWorkers.enabled", true); // [DEFAULT] - Useless, isolated, fingerprintable, does more harm than good
lockPref("dom.webaudio.enabled", true); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP
lockPref("dom.webnotifications.enabled", true); // [DEFAULT] - Notifications are locked behind a permission prompt (Which we block anyways), unnecessary & fingerprintable
lockPref("geo.enabled", true); // [DEFAULT] - Geolocation is locked behind a permission prompt (Which we block anyways), unnecessary & fingerprintable
lockPref("media.navigator.enabled", true); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP
lockPref("media.ondevicechange.enabled", true); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP
lockPref("media.peerconnection.enabled", true); // [DEFAULT] - Only necessary to disable on Android, uses mDNS Host Obfuscation on desktop & Private IP is only exposed in trusted scenarios
lockPref("media.video_stats.enabled", true); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP
lockPref("media.webspeech.synth.enabled", true); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP
lockPref("network.http.altsvc.enabled", true); // [DEFAULT] - Isolated with network partitioning, no point, more harm than good
lockPref("privacy.firstparty.isolate", false); // [DEFAULT] - Deprecated, covered by TCP/ETP
lockPref("security.ssl.disable_session_identifiers", false); // [DEFAULT] - These are session only, disabling is fingerprintable, useless, & even hurts performance
lockPref("ui.use_standins_for_native_colors", false); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP
lockPref("webgl.enable-debug-renderer-info", true); // [DEFAULT] - Useless & does more harm than good, covered by FPP/RFP

// Sync more prefs
// Note that for this to work, the below prefs must be set on BOTH the device you are syncing from & to...
// Useful especially if you override our defaults

defaultPref("services.sync.prefs.sync.browser.aboutConfig.showWarning", true);
defaultPref("services.sync.prefs.sync.browser.bookmarks.autoExportHTML", true);
defaultPref("services.sync.prefs.sync.browser.bookmarks.openInTabClosesMenu", true);
defaultPref("services.sync.prefs.sync.browser.compactmode.show", true);
defaultPref("services.sync.prefs.sync.browser.mailto.dualPrompt", true);
defaultPref("services.sync.prefs.sync.browser.mailto.prompt.os", true);
defaultPref("services.sync.prefs.sync.browser.meta_refresh_when_inactive.disabled", true);
defaultPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled", true);
defaultPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.feeds.places", true);
defaultPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.improvesearch.handoffToAwesomebar", true);
defaultPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.newtabWallpapers.enabled", true);
defaultPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.newtabWallpapers.v2.enabled", true);
defaultPref("services.sync.prefs.sync.browser.newtabpage.activity-stream.showRecentSaves", true);
defaultPref("services.sync.prefs.sync.browser.preferences.experimental", true);
defaultPref("services.sync.prefs.sync.browser.privateWindowSeparation.enabled", true);
defaultPref("services.sync.prefs.sync.browser.search.openintab", true);
defaultPref("services.sync.prefs.sync.browser.spin_cursor_while_busy", true);
defaultPref("services.sync.prefs.sync.browser.tabs.loadBookmarksInTabs", true);
defaultPref("services.sync.prefs.sync.browser.translations.alwaysTranslateLanguages", true);
defaultPref("services.sync.prefs.sync.browser.translations.automaticallyPopup", true);
defaultPref("services.sync.prefs.sync.browser.translations.enable", true);
defaultPref("services.sync.prefs.sync.browser.translations.newSettingsUI.enable", true);
defaultPref("services.sync.prefs.sync.browser.translations.select.enable", true);
defaultPref("services.sync.prefs.sync.browser.urlbar.openintab", true);
defaultPref("services.sync.prefs.sync.devtools.chrome.enabled", true);
defaultPref("services.sync.prefs.sync.devtools.command-button-measure.enabled", true);
defaultPref("services.sync.prefs.sync.devtools.command-button-rulers.enabled", true);
defaultPref("services.sync.prefs.sync.devtools.command-button-screenshot.enabled", true);
defaultPref("services.sync.prefs.sync.devtools.debugger.ui.editor-wrapping", true);
defaultPref("services.sync.prefs.sync.devtools.dom.enabled", true);
defaultPref("services.sync.prefs.sync.findbar.highlightAll", true);
defaultPref("services.sync.prefs.sync.full-screen-api.transition-duration.enter", true);
defaultPref("services.sync.prefs.sync.full-screen-api.transition-duration.leave", true);
defaultPref("services.sync.prefs.sync.full-screen-api.warning.delay", true);
defaultPref("services.sync.prefs.sync.full-screen-api.warning.timeout", true);
defaultPref("services.sync.prefs.sync.security.xfocsp.hideOpenInNewWindow", true);
defaultPref("services.sync.prefs.sync.toolkit.legacyUserProfileCustomizations.stylesheets", true);
defaultPref("services.sync.prefs.sync.view_source.wrap_long_lines", true);
defaultPref("services.sync.prefs.sync.media.autoplay.blocking_policy", true);
defaultPref("services.sync.prefs.sync.media.gmp-gmpopenh264.enabled", true);
defaultPref("services.sync.prefs.sync.media.gmp-gmpopenh264.provider.enabled", true);
defaultPref("services.sync.prefs.sync.media.gmp-gmpopenh264.visible", true);
defaultPref("services.sync.prefs.sync.media.gmp-gmpopenh264.provider.enabled", true);
defaultPref("services.sync.prefs.sync.media.gmp-provider.enabled", true);
defaultPref("services.sync.prefs.sync.general.warnOnAboutConfig", true);
defaultPref("services.sync.prefs.sync.extensions.webextensions.restrictedDomains", true);
defaultPref("services.sync.prefs.sync.app.releaseNotesURL", true);
defaultPref("services.sync.prefs.sync.app.releaseNotesURL.aboutDialog", true);
defaultPref("services.sync.prefs.sync.app.releaseNotesURL.prompt", true);
defaultPref("services.sync.prefs.sync.extensions.getAddons.search.browseURL", true);
defaultPref("services.sync.prefs.sync.browser.firefox-view.search.enabled", true);
defaultPref("services.sync.prefs.sync.browser.firefox-view.virtual-list.enabled", true);
defaultPref("services.sync.prefs.sync.browser.tabs.firefox-view-newIcon", true);
defaultPref("services.sync.prefs.sync.browser.tabs.firefox-view-next", true);
defaultPref("services.sync.prefs.sync.browser.urlbar.update2.engineAliasRefresh", true);
defaultPref("services.sync.prefs.sync.browser.search.separatePrivateDefault.ui.enabled", true);
defaultPref("services.sync.prefs.sync.browser.search.separatePrivateDefault.urlbarResult.enabled", true);
defaultPref("services.sync.prefs.sync.network.IDN_show_punycode", true);
defaultPref("services.sync.prefs.sync.browser.urlbar.clipboard.featureGate", true);
defaultPref("services.sync.prefs.sync.browser.urlbar.suggest.calculator", true);
defaultPref("services.sync.prefs.sync.browser.urlbar.suggest.clipboard", true);
defaultPref("services.sync.prefs.sync.browser.urlbar.unitConversion.enabled", true);
defaultPref("services.sync.prefs.sync.dom.security.https_only_mode_error_page_user_suggestions", true);
defaultPref("services.sync.prefs.sync.browser.xul.error_pages.expert_bad_cert", true);
defaultPref("services.sync.prefs.sync.network.trr.custom_uri", true);
defaultPref("services.sync.prefs.sync.network.trr.mode", true);
defaultPref("services.sync.prefs.sync.network.trr.uri", true);
defaultPref("services.sync.prefs.sync.doh-rollout.provider-list", true);
defaultPref("services.sync.prefs.sync.network.dns.native_https_query", true);
defaultPref("services.sync.prefs.sync.security.OCSP.require", true);
defaultPref("services.sync.prefs.sync.security.ssl.require_safe_negotiation", true);
defaultPref("services.sync.prefs.sync.browser.xul.error_pages.show_safe_browsing_details_on_load", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.provider.google.reportMalwareMistakeURL", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.provider.google.reportPhishMistakeURL", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.provider.google4.reportMalwareMistakeURL", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.provider.google4.reportPhishMistakeURL", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.reportPhishURL", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.provider.google.reportURL", true);
defaultPref("services.sync.prefs.sync.browser.safebrowsing.provider.google4.reportURL", true);
defaultPref("services.sync.prefs.sync.permissions.default.camera", true);
defaultPref("services.sync.prefs.sync.permissions.default.geo", true);
defaultPref("services.sync.prefs.sync.permissions.default.microphone", true);
defaultPref("services.sync.prefs.sync.geo.provider.network.url", true);
defaultPref("services.sync.prefs.sync.geo.provider.use_corelocation", true);
defaultPref("services.sync.prefs.sync.geo.provider.use_geoclue", true);
defaultPref("services.sync.prefs.sync.geo.provider.ms-windows-location", true);
defaultPref("services.sync.prefs.sync.browser.geolocation.warning.infoURL", true);
defaultPref("services.sync.prefs.sync.privacy.webrtc.globalMuteToggles", true);
defaultPref("services.sync.prefs.sync.browser.cache.disk.enable", true);
defaultPref("services.sync.prefs.sync.browser.cache.disk_cache_ssl", true);
defaultPref("services.sync.prefs.sync.browser.cache.memory.enable", true);
defaultPref("services.sync.prefs.sync.browser.cache.memory.capacity", true);
defaultPref("services.sync.prefs.sync.privacy.clearHistory.historyFormDataAndDownloads", true);
defaultPref("services.sync.prefs.sync.privacy.clearSiteData.historyFormDataAndDownloads", true);
defaultPref("services.sync.prefs.sync.privacy.sanitize.timeSpan", true);
defaultPref("services.sync.prefs.sync.browser.privatebrowsing.resetPBM.enabled", true);
defaultPref("services.sync.prefs.sync.extensions.quarantineIgnoredByUser.{b86e4813-687a-43e6-ab65-0bde4ab75758}", true);
defaultPref("services.sync.prefs.sync.extensions.quarantineIgnoredByUser.{d19a89b9-76c1-4a61-bcd4-49e8de916403}", true);
defaultPref("services.sync.prefs.sync.browser.download.open_pdf_attachments_inline", true);
defaultPref("services.sync.prefs.sync.pdfjs.sidebarViewOnLoad", true);
defaultPref("services.sync.prefs.sync.intl.accept_languages", true);
defaultPref("services.sync.prefs.sync.intl.locale.requested", true);
defaultPref("services.sync.prefs.sync.privacy.antitracking.enableWebcompat", true);
defaultPref("services.sync.prefs.sync.privacy.fingerprintingProtection.remoteOverrides.enabled", true);
defaultPref("services.sync.prefs.sync.privacy.spoof_english", true);
defaultPref("services.sync.prefs.sync.privacy.resistFingerprinting", true);
defaultPref("services.sync.prefs.sync.privacy.resistFingerprinting.letterboxing", true);
defaultPref("services.sync.prefs.sync.privacy.restrict3rdpartystorage.heuristic.opened_window_after_interaction", true);
defaultPref("services.sync.prefs.sync.privacy.restrict3rdpartystorage.heuristic.recently_visited", true);
defaultPref("services.sync.prefs.sync.privacy.restrict3rdpartystorage.heuristic.redirect", true);
defaultPref("services.sync.prefs.sync.privacy.restrict3rdpartystorage.heuristic.window_open", true);
defaultPref("services.sync.prefs.sync.privacy.query_stripping.strip_list", true);
defaultPref("services.sync.prefs.sync.layout.forms.reveal-password-button.enabled", true);
defaultPref("services.sync.prefs.sync.layout.forms.reveal-password-context-menu.enabled", true);
defaultPref("services.sync.prefs.sync.signon.management.page.vulnerable-passwords.enabled", true);
defaultPref("services.sync.prefs.sync.network.negotiate-auth.trusted-uris", true);
defaultPref("services.sync.prefs.sync.cookiebanners.service.mode", true);
defaultPref("services.sync.prefs.sync.cookiebanners.service.mode.privateBrowsing", true);
defaultPref("services.sync.prefs.sync.cookiebanners.service.enableGlobalRules", true);
defaultPref("services.sync.prefs.sync.cookiebanners.ui.desktop.enabled", true);
defaultPref("services.sync.prefs.sync.userContent.player.click_to_play", true);
defaultPref("services.sync.prefs.sync.app.update.badgeWaitTime", true);
defaultPref("services.sync.prefs.sync.app.update.notifyDuringDownload", true);
defaultPref("services.sync.prefs.sync.app.update.promptWaitTime", 3600);
defaultPref("services.sync.prefs.sync.privacy.userContext.ui.enabled", true);
defaultPref("services.sync.prefs.sync.browser.profiles.enabled", true);
defaultPref("services.sync.prefs.sync.privacy.popups.showBrowserMessage", true);
defaultPref("services.sync.prefs.sync.browser.cache.disk.metadata_memory_limit", true);
defaultPref("services.sync.prefs.sync.browser.cache.jsbc_compression_level", true);
defaultPref("services.sync.prefs.sync.browser.sessionstore.interval", true);
defaultPref("services.sync.prefs.sync.browser.sessionstore.max_tabs_undo", true);
defaultPref("services.sync.prefs.sync.browser.sessionhistory.max_total_viewers", true);
defaultPref("services.sync.prefs.sync.browser.tabs.min_inactive_duration_before_unload", true);
defaultPref("services.sync.prefs.sync.browser.toolbars.bookmarks.visibility", true);
defaultPref("services.sync.prefs.sync.content.notify.interval", true);
defaultPref("services.sync.prefs.sync.dom.security.https_only_mode_send_http_background_request", true);
defaultPref("services.sync.prefs.sync.extensions.logging.enabled", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.currentVelocityWeighting", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.continuousMotionMaxDeltaMS", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.enabled", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.motionBeginSpringConstant", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.regularSpringConstant", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.slowdownMinDeltaMS", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.slowdownMinDeltaRatio", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.msdPhysics.slowdownSpringConstant", true);
defaultPref("services.sync.prefs.sync.general.smoothScroll.stopDecelerationWeighting", true);
defaultPref("services.sync.prefs.sync.gfx.canvas.accelerated.cache-items", true);
defaultPref("services.sync.prefs.sync.gfx.canvas.accelerated.cache-size", true);
defaultPref("services.sync.prefs.sync.gfx.content.skia-font-cache-size", true);
defaultPref("services.sync.prefs.sync.gfx.webrender.all", true);
defaultPref("services.sync.prefs.sync.gfx.webrender.compositor", true);
defaultPref("services.sync.prefs.sync.image.mem.decode_bytes_at_a_time", true);
defaultPref("services.sync.prefs.sync.image.mem.shared.unmap.min_expiration_ms", true);
defaultPref("services.sync.prefs.sync.javascript.options.wasm", true);
defaultPref("services.sync.prefs.sync.layout.css.grid-template-masonry-value.enabled", true);
defaultPref("services.sync.prefs.sync.layout.css.report_errors", true);
defaultPref("services.sync.prefs.sync.media.cache_readahead_limit", true);
defaultPref("services.sync.prefs.sync.media.cache_resume_threshold", true);
defaultPref("services.sync.prefs.sync.media.ffmpeg.vaapi.enabled", true);
defaultPref("services.sync.prefs.sync.media.memory_cache_max_size", true);
defaultPref("services.sync.prefs.sync.media.peerconnection.ice.default_address_only", true);
defaultPref("services.sync.prefs.sync.media.peerconnection.ice.no_host", true);
defaultPref("services.sync.prefs.sync.mousewheel.default.delta_multiplier_y", true);
defaultPref("services.sync.prefs.sync.network.buffer.cache.count", true);
defaultPref("services.sync.prefs.sync.network.buffer.cache.size", true);
defaultPref("services.sync.prefs.sync.network.dnsCacheEntries", true);
defaultPref("services.sync.prefs.sync.network.dnsCacheExpiration", true);
defaultPref("services.sync.prefs.sync.network.dnsCacheExpirationGracePeriod", true);
defaultPref("services.sync.prefs.sync.network.http.max-connections", true);
defaultPref("services.sync.prefs.sync.network.http.max-connections", true);
defaultPref("services.sync.prefs.sync.network.http.max-persistent-connections-per-proxy", true);
defaultPref("services.sync.prefs.sync.network.http.max-persistent-connections-per-server", true);
defaultPref("services.sync.prefs.sync.network.http.max-urgent-start-excessive-connections-per-host", true);
defaultPref("services.sync.prefs.sync.network.http.referer.XOriginPolicy", true);
defaultPref("services.sync.prefs.sync.webgl.disabled", true);

// Defense in depth to prevent identifying info from being sent to remote AutoConfig locations if configured...
lockPref("mail.identity.useremail", "");
lockPref("autoadmin.append_emailaddr", false);

// Configure autoconfig files if used by the user
defaultPref("autoadmin.failover_to_cached", true);
defaultPref("autoadmin.offline_failover", true);
defaultPref("autoadmin.refresh_interval", 60);

/// Ensure that configs doesn't gain privileged browser access...
// https://www.mozilla.org/firefox/62.0/releasenotes/
lockPref("general.config.sandbox_enabled", true);

lockPref("browser.phoenix.cfg.applied", true);


// Advanced hardening.

// We can do better.

// This is what I generally use for my primary profile & browsing needs. 

// Some of these will be configured as "pref", which allows overriding if needed, but resets on next launch.

// 001 NETWORKING

// Require safe renegotiations - Disables RFC 5746 (Per session)

pref("security.ssl.require_safe_negotiation", true);

// Hard-fail OCSP per session

defaultPref("security.OCSP.require", false); // [DEFAULT]
pref("security.OCSP.require", true);

// 002 FINGERPRINTING PROTECTION

/// Enable RFP (resistFingerprinting)
// https://github.com/arkenfox/user.js/blob/master/user.js#L745
// NOTE: You can add site exceptions to `privacy.resistFingerprinting.exemptedDomains` in your about:config

defaultPref("privacy.resistFingerprinting", true);
defaultPref("privacy.resistFingerprinting.letterboxing", true);

/// Disable FPP Overrides/WebCompat

defaultPref("privacy.fingerprintingProtection.remoteOverrides.enabled", false);

/// Disable WebGL
// https://blog.browserscan.net/docs/webgl-fingerprinting
// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern

defaultPref("webgl.disabled", true);

/// 003 WEBRTC

// Never leak IP address - This *will* break WebRTC

lockPref("media.peerconnection.ice.default_address_only", true);
lockPref("media.peerconnection.ice.no_host", true);
lockPref("media.peerconnection.ice.obfuscate_host_addresses", true);
lockPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);

// 004 MISC. PRIVACY

/// Block Camera & Microphone permission by default

defaultPref("permissions.default.camera", 2);
defaultPref("permissions.default.microphone", 2);

/// Disable ETP WebCompat & Heuristics

defaultPref("privacy.antitracking.enableWebcompat", false);
defaultPref("privacy.restrict3rdpartystorage.heuristic.opened_window_after_interaction", false);
defaultPref("privacy.restrict3rdpartystorage.heuristic.recently_visited", false);
defaultPref("privacy.restrict3rdpartystorage.heuristic.redirect", false);
defaultPref("privacy.restrict3rdpartystorage.heuristic.window_open", false);

/// Only send cross-origin referers if hosts match

defaultPref("network.http.referer.XOriginPolicy", 2);

// 005 ATTACK SURFACE REDUCTION

/// Disable WebAssembly
// https://spectrum.ieee.org/more-worries-over-the-security-of-web-assembly

defaultPref("javascript.options.wasm", false);

// 006 MISC.

/// Prevent sites from automatically refreshing

defaultPref("accessibility.blockautorefresh", true);
defaultPref("browser.meta_refresh_when_inactive.disabled", true);

/// Stricter Autoplay Blocking

defaultPref("media.autoplay.blocking_policy", 2);

// Dove Thunderbird Mozilla.cfg

// Built from Phoenix (Hardened)

lockPref("browser.dove.cfg.initialized", true);
lockPref("general.config.filename", "dove.cfg");
lockPref("general.config.vendor", "dove");

// 000 RESET UNDESIRED PREFS FROM PHOENIX

defaultPref("app.releaseNotesURL", "https://live.thunderbird.net/%APP%/releasenotes?locale=%LOCALE%&version=%VERSION%&channel=%CHANNEL%&os=%OS%&buildid=%APPBUILDID%");
defaultPref("app.releaseNotesURL.aboutDialog", "https://live.thunderbird.net/%APP%/releasenotes?locale=%LOCALE%&version=%VERSION%&channel=%CHANNEL%&os=%OS%&buildid=%APPBUILDID%");
defaultPref("app.releaseNotesURL.prompt", "https://live.thunderbird.net/%APP%/releasenotes?locale=%LOCALE%&version=%VERSION%&channel=%CHANNEL%&os=%OS%&buildid=%APPBUILDID%");

/// Required for extensions from the ATO

unlockPref("privacy.resistFingerprinting.block_mozAddonManager");
clearPref("privacy.resistFingerprinting.block_mozAddonManager");
defaultPref("privacy.resistFingerprinting.block_mozAddonManager", false);
unlockPref("xpinstall.signatures.required");
clearPref("xpinstall.signatures.required");
defaultPref("xpinstall.signatures.required", false);
defaultPref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid,addons.thunderbird.net");

// 001 TELEMETRY

lockPref("toolkit.telemetry.ecosystemtelemetry.enabled", false); // [DEFAULT]

/// Crash Reporting

lockPref("dom.ipc.plugins.reportCrashURL", false);

// 002 MOZILLA CRAP

/// Disable Mozilla Email Provisioner/Creating new email addresses with their "partners"

lockPref("mail.provider.enabled", false);

/// Never check default mail client

lockPref("mail.shell.checkDefaultClient", false);

/// Skip Onboarding

lockPref("mail.rights.override", true);
lockPref("mailnews.start_page_override.mstone", "ignore");

/// Disable Start Page by default & clear default URL

defaultPref("mailnews.start_page.enabled", false);
defaultPref("mailnews.start_page.override_url", "");
defaultPref("mailnews.start_page.url", "");

/// Disable Donate Page

lockPref("app.donation.eoy.url", "");
lockPref("app.donation.eoy.version.viewed", 999);

/// Disable Filelink
// https://support.mozilla.org/kb/filelink-large-attachments

lockPref("mail.cloud_files.enabled", false);

/// Disable "Chat" functionality

lockPref("mail.chat.enabled", false);

/// Kill Add-on "Discovery" Recommendations

lockPref("extensions.getAddons.recommended.url", "");

/// Remove unnecessary URL params

defaultPref("extensions.getAddons.search.browseURL", "https://addons.thunderbird.net/%LOCALE%/%APP%/search/?q=%TERMS%");

// 003 DISK AVOIDANCE

/// Disable caching, might reconsider since we clear cache on exit anyways

lockPref("mail.imap.use_disk_cache2", false);

/// Set website permissions to be session only [INVESTIGATE]

defaultPref("permissions.memory_only", true);

/// Fully disable browsing history [INVESTIGATE]

lockPref("places.history.enabled", false);

/// Sanitize cookies on exit

lockPref("network.cookie.noPersistentStorage", true);

/// Prevent logging chat history
// https://stackoverflow.com/questions/32155137/how-to-disable-chat-history-in-mozilla-thunderbird

lockPref("purple.logging.log_chats", false);
lockPref("purple.logging.log_ims", false);

/// Do not leak info in chat notifications by default

defaultPref("mail.chat.notification_info", 2);

// 004 GENERAL NETWORK HARDENING

/// Enforce using secure connections for Auto config

lockPref("mailnews.auto_config.fetchFromISP.sslOnly", true);
lockPref("mailnews.auto_config.guess.requireGoodCert", true); // [DEFAULT]
lockPref("mailnews.auto_config.guess.sslOnly", true);

/// Disable link previews

lockPref("mail.compose.add_link_preview", false);

/// Always warn when making insecure connections
// Unclear whether actually used anywhere

lockPref("security.warn_entering_weak", true);
lockPref("security.warn_leaving_secure", true);
lockPref("security.warn_viewing_mixed", true);

// 005 UI

/// Always show full email addresses

lockPref("mail.showCondensedAddresses", false);

/// Always show email information & headers

lockPref("mail.show_headers", 2);
lockPref("mailnews.headers.showMessageId", true);
lockPref("mailnews.headers.showOrganization", true);
lockPref("mailnews.headers.showReferences", true);
lockPref("mailnews.headers.showSender", true);
lockPref("mailnews.headers.showUserAgent", true);

// 006 INFORMATION LEAKAGE

/// Never send read receipts

lockPref("mail.mdn.report.enabled", false);
lockPref("purple.conversations.im.send_read", false); // [CHAT]

/// Never send chat typing notifications

lockPref("purple.conversations.im.send_typing", false);

/// Never report chat idle status

lockPref("messenger.status.reportIdle", false);

/// Prevent sending user agent with emails, as it is unnecessary, not even defined in spec, & leaks information
// https://bugzilla.mozilla.org/show_bug.cgi?id=1114475

lockPref("mailnews.headers.sendUserAgent", false);
lockPref("mailnews.headers.useMinimalUserAgent", true); // [DEFAULT, DEFENSE IN DEPTH]

/// Prevent leaking system locale & date/time in replies

defaultPref("mailnews.reply_header_authorwroteondate", "#1 wrote on #2 #3:");
defaultPref("mailnews.reply_header_authorwrotesingle", "#1 wrote:");
defaultPref("mailnews.reply_header_ondateauthorwrote", "On #2 #3, #1 wrote:");
defaultPref("mailnews.reply_header_type", 1);

/// Prevent leaking spellcheck dictionary info
// https://bugzilla.mozilla.org/show_bug.cgi?id=1370217

lockPref("mail.suppress_content_language", true);

/// Prevent leaking locale & specific time through date header
// https://bugzilla.mozilla.org/show_bug.cgi?id=1603359

lockPref("mail.sanitize_date_header", true);

// 007 MISC. PRIVACY

/// Never load remote content in emails

lockPref("mailnews.message_display.disable_remote_image", true); // [DEFAULT]

/// Disable Geolocation

lockPref("browser.geolocation.warning.infoURL", "");
lockPref("geo.enabled", false);
lockPref("geo.provider.network.url", "");
lockPref("geo.provider.use_corelocation", false);
lockPref("geo.provider.use_geoclue", false);
lockPref("geo.provider.ms-windows-location", false);

/// Enable & Enforce ETP Strict Features (ETP Strict is not available on Thunderbird)

lockPref("network.cookie.cookieBehavior", 5);
lockPref("network.cookie.cookieBehavior.pbmode", 5);
lockPref("network.http.referer.disallowCrossSiteRelaxingDefault", true); // [DEFAULT]
lockPref("network.http.referer.disallowCrossSiteRelaxingDefault.pbmode", true); // [DEFAULT]
lockPref("network.http.referer.disallowCrossSiteRelaxingDefault.pbmode.top_navigation", true); // [DEFAULT]
lockPref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true);
lockPref("privacy.bounceTrackingProtection.enabled", true); // [DEFAULT
lockPref("privacy.fingerprintingProtection", true);
lockPref("privacy.fingerprintingProtection.pbmode", true);
lockPref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [DEFAULT]
lockPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [DEFAULT]
lockPref("privacy.partition.bloburl_per_partition_key", true); // [DEFAULT]
lockPref("privacy.partition.network_state.ocsp_cache", true); // [DEFAULT]
lockPref("privacy.partition.network_state.ocsp_cache.pbmode", true); // [DEFAULT]
lockPref("privacy.query_stripping.enabled", true);
lockPref("privacy.query_stripping.enabled.pbmode", true);
lockPref("privacy.trackingprotection.cryptomining.enabled", true);
lockPref("privacy.trackingprotection.emailtracking.enabled", true);
lockPref("privacy.trackingprotection.emailtracking.pbmode.enabled", true); // [DEFAULT]
lockPref("privacy.trackingprotection.enabled", true);
lockPref("privacy.trackingprotection.fingerprinting.enabled", true);
lockPref("privacy.trackingprotection.pbmode.enabled", true); // [DEFAULT]
lockPref("privacy.trackingprotection.socialtracking.enabled", true);

/// Allow toggling per session

defaultPref("network.http.referer.XOriginPolicy", 0);
pref("network.http.referer.XOriginPolicy", 2);

/// Prevent leaking sensitive information from the Cardbook extension
// https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/user.js#L1231

lockPref("extensions.cardbook.useOnlyEmail", true);

/// Always notify when encryption is possible

lockPref("mail.openpgp.remind_encryption_possible", true); // [DEFAULT]
lockPref("mail.smime.remind_encryption_possible", true); // [DEFAULT]

/// Always automatically encrypt when possible

lockPref("mail.e2ee.auto_enable", true);

/// Always notify when E2EE is disabled

lockPref("mail.e2ee.notify_on_auto_disable", true); // [DEFAULT]

/// Use GnuPG if built-in RNP fails
// https://wiki.mozilla.org/Thunderbird:OpenPGP:Smartcards#Allow_the_use_of_external_GnuP

defaultPref("mail.openpgp.allow_external_gnupg", true);

// 008 MISC. SECURITY

/// Sanitize HTML content
// https://www.bucksch.org/1/projects/mozilla/108153/

lockPref("mail.html_sanitize.drop_conditional_css", true); // [DEFAULT]
lockPref("mailnews.display.html_as", 3);
lockPref("rss.display.html_as", 3);

/// Enforce built-in phishing protection
// https://support.mozilla.org/kb/thunderbirds-scam-detection

lockPref("mail.phishing.detection.disallow_form_actions", true); // [DEFAULT]
lockPref("mail.phishing.detection.enabled", true); // [DEFAULT]
lockPref("mail.phishing.detection.ipaddresses", true); // [DEFAULT]
lockPref("mail.phishing.detection.mismatched_hosts", true); // [DEFAULT]

// 009 MISC.

/// Send emails in plaintext by default
// https://drewdevault.com/2016/04/11/Please-use-text-plain-for-emails.html

defaultPref("mail.html_compose", false);
defaultPref("mail.default_send_format", 1);
defaultPref("mail.identity.default.compose_html", false);

/// By default, load summary of RSS feeds instead of the full webpage & prevent loading additional webpage content

defaultPref("rss.message.loadWebPageOnSelect", 0);
defaultPref("rss.show.summary", 1);

/// Do not allow calendar to extract data from emails by default

defaultPref("calendar.extract.service.enabled", false); // [DEFAULT]

/// Disable Web Notifications

lockPref("dom.webnotifications.enabled", false);

/// Kill Gecko Media Plugins

lockPref("media.gmp-gmpopenh264.enabled", false);
lockPref("media.gmp-gmpopenh264.provider.enabled", false);
lockPref("media.gmp-gmpopenh264.visible", false);
unlockPref("media.gmp-manager.updateEnabled");
clearPref("media.gmp-manager.updateEnabled");
lockPref("media.gmp-manager.url", "");
lockPref("media.gmp-manager.url.override", "");
lockPref("media.gmp-provider.enabled", false);

/// Enforce allow installing "incompatible" add-ons - REQUIRED FOR UBLOCK ORIGIN

lockPref("extensions.strictCompatibility", false);

/// Disable SVG
// https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg

defaultPref("svg.disabled", true);

// DO NOT TOUCH

lockPref("browser.privatebrowsing.autostart", false); // Breaks uBlock Origin & all other extensions... also unnecessary since we always sanitize data anyways
lockPref("mailnews.oauth.usePrivateBrowser", false); // Breaks uBlock Origin & all other extensions... also unnecessary since we always sanitize data anyways

lockPref("browser.dove.cfg.applied", true);