complete re-ordering and changelog

2022-02-07 02:15:37 +01:00 · 2022-02-07 02:15:37 +01:00 · 3ba007292f
commit 3ba007292f
parent 624708acdc
2 changed files with 289 additions and 205 deletions
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -3,6 +3,16 @@ Setting versions are documented using the pref `librewolf.cfg.version`, availabl
 # 5.5
 **target commit**:
 **base librewolf version**: 97.x
 **References**:
 - showing the insecure connection text is redundant as there's already the lock UI for http websites.
 - `browser.places.speculativeConnect.enabled` controls speculative connections for bookmarks and will be fully effective only once we hit v98.
 **Notes**: the settings have been re-organized and they should also be documented a bit better now.
 #### Removed preferences
 ```
 defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui
@ -15,7 +25,7 @@ defaultPref("browser.places.speculativeConnect.enabled", false);
 ### Changed preferences
 ```
-pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only
+pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
 ```
 ## 5.4
--- a/librewolf.cfg
+++ b/librewolf.cfg
@ -6,7 +6,7 @@
 defaultPref("librewolf.cfg.version", "5.5");
-/**
+/** INDEX
 * the file is organized in categories, and each one has a number of sections:
 * 
 * - PRIVACY
@ -23,7 +23,8 @@ defaultPref("librewolf.cfg.version", "5.5");
 *   - WEBRTC
 *   - PROXY
 *   - DNS
- *   - PREFETCHING
+ *   - PREFETCHING AND SPECULATIVE CONNECTIONS
 *   - OFFLINE
 * 
 * - FINGERPRINTING
 *   - RFP
@ -33,9 +34,54 @@ defaultPref("librewolf.cfg.version", "5.5");
 *   - SITE ISOLATION
 *   - CERTIFICATES
 *   - TLS/SSL
 *   - PERMISSIONS
 *   - FONTS
 *   - SAFE BROWSING
 *   - OTHERS
 * 
 * - REGION
 *   - LOCATION
 *   - LANGUAGE
 * 
 * - BEHAVIOR
 *   - DRM
 *   - SEARCH AND URLBAR
 *   - DOWNLOADS
 *   - AUTOPLAY
 *   - POP-UPS AND WINDOWS
 *   - MOUSE
 * 
 * - EXTENSIONS
 *   - USER INSTALLED
 *   - SYSTEM
 *   - EXTENSION FIREWALL
 * 
 * - BUILT-IN FEATURES
 *   - UPDATER
 *   - SYNC
 *   - LOCKWISE
 *   - CONTAINERS
 *   - DEVTOOLS
 *   - OTHERS
 * 
 * - UI
 *   - BRANDING
 *   - HANDLERS
 *   - FIRST LAUNCH
 *   - NEW TAB PAGE
 *   - ABOUT
 *   - RECOMMENDED
 * 
 * - TELEMETRY
 * 
 * - WINDOWS
 *   - UPDATES
 *   - OTHERS
 * 
 */
 /** [CATEGORY] PRIVACY */
 /** [SECTION] ISOLATION
@ -45,6 +91,8 @@ defaultPref("librewolf.cfg.version", "5.5");
 * 3. shims to avoid breakage caused by blocking lists
 * 4. stricter policies for xorigin referrers
 * 5. dFPI specific cookie cleaning mechanism
 * 
 * the desired category must be set with pref() otherwise it won't stick.
 */
 pref("browser.contentblocking.category", "strict");
 defaultPref("network.cookie.cookieBehavior", 5); // enforce dFPI
@ -93,6 +141,7 @@ defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hse
 defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://gitlab.com/librewolf-community/browser/source/-/raw/main/assets/uBOAssets.json");
 /** [CATEGORY] NETWORKING */
 /** [SECTION] HTTPS */
@ -144,16 +193,23 @@ defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
 * 5 = DoH is off, default currently
 */
-/** [SECTION] PREFETCHING
+/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
 * disable prefecthing for different things such as links, bookmarks and predictors.
 */
 lockPref("network.predictor.enabled", false);
 lockPref("network.prefetch-next", false);
 lockPref("network.http.speculative-parallel-limit", 0);
 defaultPref("browser.places.speculativeConnect.enabled", false);
 // disable speculative connections and domain guessing from the urlbar
 defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
 defaultPref("browser.urlbar.speculativeConnect.enabled", false);
 lockPref("browser.fixup.alternate.enabled", false);
 /** [SECTION] OFFLINE
 * let users set the browser as offline, without the browser trying to guess.
 */
 defaultPref("network.manage-offline-status", false);
 // TODO
 defaultPref("network.manage-offline-status", false); // let user control the offline behavior
 /** [CATEGORY] FINGERPRINTING */
@ -180,6 +236,7 @@ defaultPref("privacy.resistFingerprinting.letterboxing", false);
 defaultPref("webgl.disabled", true);
 /** [CATEGORY] SECURITY */
 /** [SECTION] SITE ISOLATION
@ -205,27 +262,22 @@ defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
 /** [SECTION] TLS/SSL */
 lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
-pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only
+pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
 // show relevant and advanced issues on warnings and error screens
 defaultPref("browser.ssl_override_behavior", 1);
 defaultPref("browser.xul.error_pages.expert_bad_cert", true);
-// permissions
+/** [SECTION] PERMISSIONS */
-lockPref("permissions.delegation.enabled", false); // force permission request to show the real origin
+lockPref("permissions.delegation.enabled", false); // force permission request to show real origin
-lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions from some mozilla domains
+lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
 /** [SECTION] FONTS */
 defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts
-defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location
+/** [SECTION] SAFE BROWSING
-
+ * disable safe browsing, including the fetch of updates. reverting the 7 prefs below
-lockPref("security.csp.enable", true); // default
+ * allows to perform local checks and to fetch updated lists from google.
-defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
+ */
 // ---------------------------------
 // # SAFE BROWSING
 // ---------------------------------
 // disable safe browsing, including the fetch of updates and all outgoing connections 
 defaultPref("browser.safebrowsing.malware.enabled", false);
 defaultPref("browser.safebrowsing.phishing.enabled", false);
 defaultPref("browser.safebrowsing.blockedURIs.enabled", false);
@ -233,178 +285,191 @@ defaultPref("browser.safebrowsing.provider.google4.gethashURL", "");
 defaultPref("browser.safebrowsing.provider.google4.updateURL", "");
 defaultPref("browser.safebrowsing.provider.google.gethashURL", "");
 defaultPref("browser.safebrowsing.provider.google.updateURL", "");
-
+/**
-// disable safe browsing checks on downloads, both local and remote
+ * disable safe browsing checks on downloads, both local and remote. the locked prefs
 * control remote checks, while the first one is for local checks only.
 */
 defaultPref("browser.safebrowsing.downloads.enabled", false);
 lockPref("browser.safebrowsing.downloads.remote.enabled", false);
 lockPref("browser.safebrowsing.downloads.remote.url", "");
 lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
 lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false);
 // other safe browsing options, all default but enforce
 lockPref("browser.safebrowsing.passwords.enabled", false);
 lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
 lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");
-// ------------
+/** [SECTION] OTHERS */
-// # DOM - TODO
+lockPref("security.csp.enable", true); // enforce csp, default
-// ------------
+defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
-
+defaultPref("pdfjs.enableScripting", false); // disable js scripting in the built-in pdf reader
 // pop-ups and window related preferences
 defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups on close
 defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
 defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); // limit events that cause pop-ups
 defaultPref("dom.disable_window_move_resize", true); // block scripts from resizing windows
 defaultPref("browser.link.open_newwindow", 3); // open 'new windows' targeted links in 'new tab'
 defaultPref("browser.link.open_newwindow.restriction", 0); // ignore the size when applying the above pref
 // ----------------------
 // # MEDIA - TODO
 // ----------------------
-// autoplay
+/** [CATEGORY] REGION */
 defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked
 defaultPref("media.autoplay.default", 5); // personal preference, currently apply blocking policy to all autplay including muted
-
+/** [SECTION] LOCATION
-// -----------------------
+ * replace google with mozilla as the default geolocation provide and prevent use of OS location services
-// # DRM
+ */
 // -----------------------
 defaultPref("media.eme.enabled", false); // disable drm content, master switch that also controls widevine plugin
 defaultPref("media.gmp-manager.url", "data:text/plain,"); // prevent outgoing connections when DRM is disabled
 // disable the openh264 plugin
 defaultPref("media.gmp-provider.enabled", false);
 defaultPref("media.gmp-gmpopenh264.enabled", false);
 // ---------------------------------------------
 // # LOCATION, LANGUAGE AND REGION
 // ---------------------------------------------
 // use mozilla geo service as deault
 defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
 // prevent use of OS location services
 lockPref("geo.provider.ms-windows-location", false); // [WINDOWS]
 lockPref("geo.provider.use_corelocation", false); // [MAC]
 lockPref("geo.provider.use_gpsd", false); // [LINUX]
-/**
+/** [SECTION] LANGUAGE
-show language as en-US for all users, regardless of their OS language and browser language.
+ * show language as en-US for all users, regardless of their OS language and browser language.
-must use pref and not defaultPref to work. spoof_english also sets the UI correctly.
+ * both prefs must use pref() and not defaultPref to work.
 */
 pref("javascript.use_us_english_locale", true);
 pref("intl.accept_languages", "en-US, en");
-
+// disable region specific updates from mozilla
 // disable region updates
 lockPref("browser.region.network.url", "");
 lockPref("browser.region.update.enabled", false);
 // --------------------------------
 // # SEARCH AND URLBAR
 // --------------------------------
-// disable search suggestions
+
 /** [CATEGORY] BEHAVIOR */
 /** [SECTION] DRM */
 defaultPref("media.eme.enabled", false); // master switch for drm content
 defaultPref("media.gmp-manager.url", "data:text/plain,"); // prevent checks for plugin updates when drm is disabled
 // disable the widevine and the openh264 plugins
 defaultPref("media.gmp-provider.enabled", false);
 defaultPref("media.gmp-gmpopenh264.enabled", false);
 /** [SECTION] SEARCH AND URLBAR
 * disable search suggestion by default and do not update opensearch engines. urls should also be
 * displayed in full instead of trimming them.
 */
 defaultPref("browser.urlbar.suggest.searches", false);
 defaultPref("browser.search.suggest.enabled", false);
-
+defaultPref("browser.search.update", false);
-// firefox suggest, review to trim
+defaultPref("browser.urlbar.trimURLs", false);
-lockPref("browser.urlbar.quicksuggest.scenario", "history"); // prevent opt-in, doesn't work alone
+/**
-lockPref("browser.urlbar.quicksuggest.enabled", false); // disable suggest and hide its ui
+ * quicksuggest is a feature of firefox that shows sponsored suggestions. we disable it in full
-lockPref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // disable suggestions from firefox
+ * but the list could and should be trimmed at some point. the scenario controls the opt-in, while
-lockPref("browser.urlbar.suggest.quicksuggest.sponsored", false); // disable sponsored suggestions
+ * the second pref disables the feature and hides it from the ui.
 */
 lockPref("browser.urlbar.quicksuggest.scenario", "history");
 lockPref("browser.urlbar.quicksuggest.enabled", false);
 lockPref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
 lockPref("browser.urlbar.suggest.quicksuggest.sponsored", false);
 lockPref("browser.urlbar.quicksuggest.dataCollection.enabled", false); // default
-defaultPref("browser.search.update", false); // do not update open search search engines
+/** [SECTION] DOWNLOADS
-defaultPref("browser.urlbar.trimURLs", false); // do not trim urls in the urlbar
+ * user interaction should always be required for downloads, as a way to enhance security by asking
 * the user to specific a certain save location. 
 */
 defaultPref("browser.download.useDownloadDir", false);
 defaultPref("browser.download.autohideButton", false); // do not hide download button automatically
 defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
-// urlbar-dns interactions, avoid unwanted and speculative connections
+/** [SECTION] AUTOPLAY
-defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
+ * block autoplay unless element is clicked, and apply the policy to all elements
-defaultPref("browser.urlbar.speculativeConnect.enabled", false);
+ * including muted ones.
-lockPref("browser.fixup.alternate.enabled", false);
+ */
 defaultPref("media.autoplay.blocking_policy", 2);
 defaultPref("media.autoplay.default", 5);
-// ----------------------------------
+/** [SECTION] POP-UPS AND WINDOWS
-// # BROWSER BEHAVIOR
+ * disable annoyin pop-ups and limit events that can trigger them.
-// ----------------------------------
+ */
 defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups
 defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
 defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
 /**
 * prevent scripts from resizing existing windows and opening new ones, by forcing them into
 * new tabs that can't be resized as well.
 */
 defaultPref("dom.disable_window_move_resize", true);
 defaultPref("browser.link.open_newwindow", 3);
 defaultPref("browser.link.open_newwindow.restriction", 0);
-lockPref("app.update.auto", false); // disable update auto installs
+/** [SECTION] MOUSE */
 defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links
 defaultPref("identity.fxaccounts.enabled", false); // sync and firefox account
 // password manager
 defaultPref("signon.rememberSignons", false); // disable saving passwords in the browser
 defaultPref("signon.autofillForms", false); // disable username and password autofills
 defaultPref("signon.formlessCapture.enabled", false); // disable formless login capture
-// autofill
+/** [CATEGORY] EXTENSIONS */
 /** [SECTION] USER INSTALLED
 * extensions are allowed to operate on restricted domains, while their scope
 * is set to profile+applications (https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/).
 * an installation prompt should always be displayed.
 */
 defaultPref("extensions.webextensions.restrictedDomains", "");
 defaultPref("extensions.enabledScopes", 5); // hidden
 defaultPref("extensions.postDownloadThirdPartyPrompt", false);
 /** [SECTION] SYSTEM
 * built-in extension are not allowed to auto-update. additionally the reporter extension
 * of webcompat is disabled. urls are stripped for defense in depth.
 */
 defaultPref("extensions.systemAddon.update.enabled", false);
 defaultPref("extensions.systemAddon.update.url", "");
 lockPref("extensions.webcompat-reporter.enabled", false);
 lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");
 /** [SECTION] EXTENSION FIREWALL
 * the firewall can be enabled with the below prefs, but it is not a sane default:
 * defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';");
 * defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';");
 */
 /** [CATEGORY] BUILT-IN FEATURES */
 /** [SECTION] UPDATER
 * since we do not bake auto-updates in the browser it doesn't make sense at the moment.
 */
 lockPref("app.update.auto", false);
 /** [SECTION] SYNC
 * this functionality is disabled by default but it can be activated in one click.
 * this pref fully controls the feature, including its ui.
 */
 defaultPref("identity.fxaccounts.enabled", false);
 /** [SECTION] LOCKWISE
 * disable the default password manager built into the browser, including its autofill
 * capabilities and formless login capture.
 */
 defaultPref("signon.rememberSignons", false);
 defaultPref("signon.autofillForms", false);
 defaultPref("extensions.formautofill.available", "off");
 defaultPref("extensions.formautofill.addresses.enabled", false);
 defaultPref("extensions.formautofill.creditCards.enabled", false);
 defaultPref("extensions.formautofill.creditCards.available", false);
 defaultPref("extensions.formautofill.heuristics.enabled", false);
 defaultPref("signon.formlessCapture.enabled", false);
-// containers
+/** [SECTION] CONTAINERS
-defaultPref("privacy.userContext.enabled", true); // enable containers
+ * enable containers and show the settings to control them in the stock ui
-defaultPref("privacy.userContext.ui.enabled", true);  // enable containers ui
+ */
 defaultPref("privacy.userContext.enabled", true);
 defaultPref("privacy.userContext.ui.enabled", true);
-defaultPref("pdfjs.enableScripting", false); // block pdf js scripting
+/** [SECTION] DEVTOOLS
-
+ * disable chrome and remote debugging.
-defaultPref("accessibility.force_disabled", 1); // block accessibility services
+ */
-
+defaultPref("devtools.chrome.enabled", false);
-// devtools
+defaultPref("devtools.debugger.remote-enabled", false);
-defaultPref("devtools.chrome.enabled", false); // disable chrome debugging tools
+defaultPref("devtools.remote.adb.extensionURL", "");
 defaultPref("devtools.debugger.remote-enabled", false); // default, disable remote debugging
 defaultPref("devtools.remote.adb.extensionURL", ""); // url to download ad extension
 defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
-// misc
+/** [SECTION] OTHERS */
-defaultPref("browser.shell.checkDefaultBrowser", false); // do not check if default browser
+lockPref("browser.translation.engine", ""); // remove translation engine
-defaultPref("browser.aboutConfig.showWarning", false); // disable about:config warning
+defaultPref("accessibility.force_disabled", 1); // block accessibility services
-defaultPref("browser.download.autohideButton", false); // hide download button automatically
+defaultPref("webchannel.allowObject.urlWhitelist", ""); // do not receive objects through webchannels
 defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
 defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links
 defaultPref("webchannel.allowObject.urlWhitelist", ""); // remove webchannel whitelist
 // --------------------------------------
 // # EXTENSIONS
 // --------------------------------------
-/**
+
- allow extensions to work on all domains.
+/** [CATEGORY] UI */
- default is "debug-notes.log"
+
 /** [SECTION] BRANDING
 * set librewolf support and releases urls in the UI, so that users land in the proper places.
 */
 defaultPref("extensions.webextensions.restrictedDomains", "");
 // set extensions scopes
 defaultPref("extensions.enabledScopes", 5); // hidden
 defaultPref("extensions.postDownloadThirdPartyPrompt", false); // force install prompt for thrid party extensions 
 // about:addons ui
 defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false); // disable recommendations from addons list
 defaultPref("extensions.getAddons.showPane", false); // disable recommendations section
 defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata
 defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
 // extension firewall, disabled by default
 // defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';");
 // defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';");
 // report site issue, disable button and url for in depth defense
 lockPref("extensions.webcompat-reporter.enabled", false);
 lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");
 // system addons, prevent updates and strip url for in depth defense
 defaultPref("extensions.systemAddon.update.enabled", false);
 defaultPref("extensions.systemAddon.update.url", "");
 // --------------------------------
 // # URLS AND ANNOYANCES
 // --------------------------------
 // set librewolf support and releases urls
 defaultPref("app.support.baseURL", "https://librewolf.net/docs/faq/#");
 defaultPref("browser.search.searchEnginesURL", "https://librewolf.net/docs/faq/#how-do-i-add-a-search-engine");
 defaultPref("browser.geolocation.warning.infoURL", "https://librewolf.net/docs/faq/#how-do-i-enable-location-aware-browsing");
@ -414,7 +479,9 @@ defaultPref("app.releaseNotesURL.aboutDialog", "https://gitlab.com/librewolf-com
 defaultPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser");
 defaultPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser");
-// remove default handlers and translation engine
+/** [SECTION] HANDLERS
 * remove the default handlers for several tipe of files and services.
 */
 lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.mailto.0.name", "");
 lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", "");
@ -423,9 +490,11 @@ lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.irc.0.name", "");
 lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 lockPref("browser.translation.engine", "");
-// disable welcome, what is new pages and ui tour
+/** [SECTION] FIRST LAUNCH
 * disable what's new and ui tour on first start and updates. the browser
 * should also not stress user about being the default one.
 */
 defaultPref("browser.startup.homepage_override.mstone", "ignore");
 defaultPref("startup.homepage_override_url", "about:blank");
 defaultPref("startup.homepage_welcome_url", "about:blank");
@ -433,25 +502,15 @@ defaultPref("startup.homepage_welcome_url.additional", "");
 lockPref("browser.messaging-system.whatsNewPanel.enabled", false);
 lockPref("browser.uitour.enabled", false);
 lockPref("browser.uitour.url", "");
 defaultPref("browser.shell.checkDefaultBrowser", false);
-// hide annoying ui elements from about:protections
+/** [SECTION] NEW TAB PAGE
-defaultPref("browser.contentblocking.report.lockwise.enabled", false);
+ * we want the new tab page to display nothing but the search bar without anything distracting.
-defaultPref("browser.contentblocking.report.monitor.enabled", false);
+ */
 lockPref("browser.contentblocking.report.hide_vpn_banner", true);
 lockPref("browser.contentblocking.report.vpn.enabled", false);
 lockPref("browser.contentblocking.report.show_mobile_app", false);
 defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button from about:preferences#home
 // ------------------------------------
 // # NEW TAB PAGE
 // ------------------------------------
 defaultPref("browser.newtab.preload", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
 defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
 // hide pocket and sponsored content, from new tab page and search bar
 lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
 lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
@ -465,14 +524,35 @@ lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
 lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
 lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default
-// disable recommend as you browse
+/** [SECTION] ABOUT
 * remove annoying ui elements from the about pages, including about:protections
 */
 defaultPref("browser.contentblocking.report.lockwise.enabled", false);
 defaultPref("browser.contentblocking.report.monitor.enabled", false);
 lockPref("browser.contentblocking.report.hide_vpn_banner", true);
 lockPref("browser.contentblocking.report.vpn.enabled", false);
 lockPref("browser.contentblocking.report.show_mobile_app", false);
 // ...about:addons recommendations sections and more
 defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false);
 defaultPref("extensions.getAddons.showPane", false);
 defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata
 defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
 // ...about:preferences#home
 defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button
 // ...and about:config
 defaultPref("browser.aboutConfig.showWarning", false);
 /** [SECTION] RECOMMENDED
 * disable all "recommend as you browse" activity.
 */
 lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 // --------------------------------
 // # TELEMETRY
 // --------------------------------
 /** [CATEGORY] TELEMETRY
 * telemetry is already disabled elsewhere and most of the stuff in here is just for redundancy.
 */
 lockPref("toolkit.telemetry.unified", false); // master switch
 lockPref("toolkit.telemetry.enabled", false);  // master switch
 lockPref("toolkit.telemetry.server", "data:,");
@ -496,55 +576,49 @@ lockPref("datareporting.healthreport.uploadEnabled", false);
 lockPref("datareporting.policy.dataSubmissionEnabled", false);
 lockPref("security.protectionspopup.recordEventTelemetry", false);
 lockPref("browser.ping-centre.telemetry", false);
-
+// opt-out of normandy and studies
 // crash report
 lockPref("breakpad.reportURL", "");
 lockPref("browser.tabs.crashReporting.sendReport", false);
 // normandy and studies
 lockPref("app.normandy.enabled", false);
 lockPref("app.normandy.api_url", "");
 lockPref("app.shield.optoutstudies.enabled", false);
-
+// disable personalized extension recommendations
 // personalized extension recommendations
 lockPref("browser.discovery.enabled", false);
 lockPref("browser.discovery.containers.enabled", false);
 lockPref("browser.discovery.sites", "");
-
+// disable crash report
-// connectivity checks
+lockPref("browser.tabs.crashReporting.sendReport", false);
 lockPref("breakpad.reportURL", "");
 // disable connectivity checks
 lockPref("network.connectivity-service.enabled", false);
-
+// disable captive portal
 // captive portal
 lockPref("network.captive-portal-service.enabled", false);
 lockPref("captivedetect.canonicalURL", "");
 // prevent sending server side analytics
 lockPref("beacon.enabled", false);
-// --------------------------------
+/** [CATEGORY] WINDOWS
-// # WINDOWS
+ * the prefs in this section only apply to windows installations and they don't have any
-// --------------------------------
+ * effect on linux, macos and bsd users.
 */
-// disable windows specific background update service
+/** [SECTION] UPDATES
 * disable windows specific update services.
 */
 lockPref("app.update.service.enabled", false);
 defaultPref("app.update.background.scheduling.enabled", false);
-defaultPref("network.protocol-handler.external.ms-windows-store", false); // disable links launching windows store
+/** [SECTION] OTHERS */
 lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic Firefox start and session restore after reboot
 lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert
 lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry
-
+defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
 lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
 lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert
 defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso
 // -----------------------------------
 // # OVERRIDES
 // -----------------------------------
-// allow settings to be overriden with a file at `~/.librewolf/librewolf.overrides.cfg`
+
-// or `~/.var/app/io.gitlab.librewolf-community/.librewolf/librewolf.overrides.cfg` (Flatpak).
+/** [CATEGORY] OVERRIDES
 * allow settings to be overriden with a file placed in the right location
 * https://librewolf.net/docs/settings/#where-do-i-find-my-librewolfoverridescfg
 */
 let profile_directory;
 if (profile_directory = getenv('USERPROFILE') || getenv('HOME')) {
  pref('autoadmin.global_config_url', `file://${profile_directory}/.librewolf/librewolf.overrides.cfg`);