Merge branch 'v5.5' into 'master'

Draft: v5.5 See merge request librewolf-community/settings!29
2022-02-07 23:46:01 +00:00 · 2022-02-07 23:46:01 +00:00 · a28dddb15a
commit a28dddb15a
parent 3a37e084e9 79f5ec4b40
3 changed files with 389 additions and 309 deletions
--- a/distribution/policies.json
+++ b/distribution/policies.json
@ -29,7 +29,7 @@
        },
        "Extensions": {
            "Install": [
-                "https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.40.2-an+fx.xpi"
+                "https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.40.8-an+fx.xpi"
            ],
            "Uninstall": [
                "google@search.mozilla.org",
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -1,6 +1,37 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
 # 5.5
 **target commit**:
 **base librewolf version**: 97.x
 **References**:
 - showing the insecure connection text is redundant as there's already the lock UI for http websites.
 - `browser.places.speculativeConnect.enabled` controls speculative connections for bookmarks and will be fully effective only once we hit v98.
 - we will no longer disable history but we'll clear it on close. [reasoning](https://gitlab.com/librewolf-community/settings/-/issues/135).
 - [download annoyances](https://gitlab.com/librewolf-community/settings/-/issues/144).
 **Notes**: the settings have been re-organized and they should also be documented a bit better now.
 #### Removed preferences
 ```
 defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui
 defaultPref("places.history.enabled", true);
 ```
 #### Added preferences
 ```
 defaultPref("browser.places.speculativeConnect.enabled", false);
 defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction
 ```
 #### Changed preferences
 ```
 pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
 ```
 ## 5.4
 **target commit**:
--- a/librewolf.cfg
+++ b/librewolf.cfg
@ -1,221 +1,225 @@
-//----------------------|
+/** LIBREWOLF SETTINGS
-//  LibreWolf settings  |
+ * 
-//----------------------|
+ * please take the time to read and understand, but also to customize the settings to find your own setup.
 * the answers to the most common questions are at this link https://librewolf.net/docs/faq/
 */
 defaultPref("librewolf.cfg.version", "5.5");
 /**
 NOTE: please take the time to read and understand, but also to customize the settings to find your own setup.
 the answers to the most common questions are at this link https://librewolf.net/docs/faq/
 /** INDEX
 * the file is organized in categories, and each one has a number of sections:
 * 
 * PRIVACY [ISOLATION, SANITIZING, CACHE AND STORAGE, HISTORY AND SESSION RESTORE, QUERY STRIPPING]
 * NETWORKING [HTTPS, IPv6, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS, OFFLINE]
 * FINGERPRINTING [RFP, WEBGL]
 * SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, FONTS, SAFE BROWSING, OTHERS]
 * REGION [LOCATION, LANGUAGE]
 * BEHAVIOR [DRM, SEARCH AND URLBAR, DOWNLOADS, AUTOPLAY, POP-UPS AND WINDOWS, MOUSE]
 * EXTENSIONS [USER INSTALLED, SYSTEM, EXTENSION FIREWALL]
 * BUILT-IN FEATURES [UPDATER, SYNC, LOCKWISE, CONTAINERS, DEVTOOLS, OTHERS]
 * UI [BRANDING, HANDLERS, FIRST LAUNCH, NEW TAB PAGE, ABOUT, RECOMMENDED]
 * TELEMETRY
 * WINDOWS [UPDATES, OTHERS]
 */
 defaultPref("librewolf.cfg.version", "5.4");
 // -------------------------------
 // # SANITIZING, TP, SESSIONS
 // -------------------------------
-/**
+/** [CATEGORY] PRIVACY */
- strict mode includes:
+
- - dFPI for both normal and private browsing
+/** [SECTION] ISOLATION
- - strict blocking lists for trackers, including crypto, fping and socialtracking
+ * default to strict mode, which includes:
- - shims to avoid breakage caused by blocking lists
+ * 1. dFPI for both normal and private windows
- - stricter policies for xorigin referrers
+ * 2. strict blocking lists for trackers
- - cookie cleaning mechanism specific to dFPI
+ * 3. shims to avoid breakage caused by blocking lists
-*/
+ * 4. stricter policies for xorigin referrers
 * 5. dFPI specific cookie cleaning mechanism
 * 
 * the desired category must be set with pref() otherwise it won't stick.
 */
 pref("browser.contentblocking.category", "strict");
-
+defaultPref("network.cookie.cookieBehavior", 5); // enforce dFPI
 defaultPref("network.cookie.cookieBehavior", 5); // dFPI is default for strict mode, but enforce
 defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until end of the session, then clear
 defaultPref("privacy.partition.serviceWorkers", true); // isolate service workers
 /** [SECTION] SANITIZING */
 defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until end of the session, then clear
 // make third party and http cookies session-only
 defaultPref("network.cookie.thirdparty.sessionOnly", true);
 defaultPref("network.cookie.thirdparty.nonsecureSessionOnly", true);
 /**
- this way of sanitizing cookies would override the exceptions set by the users and just delete everything,
+ * this way of sanitizing cookies would override the exceptions set by the users and just delete everything,
- we disable it but cookies and site data are still cleared per session unless exceptions are set.
+ * we disable it but cookies and site data are still cleared per session unless exceptions are set.
- all the cleaning prefs true by default except for siteSetting and offlineApps, which is what we want.
+ * all the cleaning prefs true by default except for siteSetting and offlineApps, which is what we want.
-*/
+ */
 defaultPref("privacy.clearOnShutdown.cookies", false);
 defaultPref("privacy.sanitize.sanitizeOnShutdown", true);
 defaultPref("privacy.sanitize.timeSpan", 0);
-// disable browsing, search and form history
+/** [SECTION] CACHE AND STORAGE */
-defaultPref("places.history.enabled", false);
+defaultPref("browser.cache.disk.enable", false); // disable disk cache
-defaultPref("browser.formfill.enable", false);
+/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
 defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true);
 defaultPref("media.memory_cache_max_size", 65536);
 // disable favicons in profile folder and page thumbnail capturing
 defaultPref("browser.shell.shortcutFavicons", false);
 defaultPref("browser.pagethumbnails.capturing_disabled", true);
 defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
-// prevent websites from storing session data like cookies and forms, increase time between session saves
+/** [SECTION] HISTORY AND SESSION RESTORE */
-defaultPref("browser.sessionstore.privacy_level", 2);
+defaultPref("browser.formfill.enable", false); // disable form history
-defaultPref("browser.sessionstore.interval", 60000);
+defaultPref("browser.sessionstore.privacy_level", 2); // prevent websites from storing session data like cookies and forms
 defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves
-// -----------------
+/** [SECTION] QUERY STRIPPING
 // QUERY STRIPPING
 // -----------------
 /**
 * enable query stripping and set the strip list.
 * currently we use the same one that brave uses:
 * https://github.com/brave/brave-core/blob/f337a47cf84211807035581a9f609853752a32fb/browser/net/brave_site_hacks_network_delegate_helper.cc#L29
 */
 defaultPref("privacy.query_stripping.enabled", true);
 defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");
 /**
 * librewolf specific pref that allows to include the query stripping lists in uBO by default.
 * the asset file is fetched every 7 days.
 */
 defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://gitlab.com/librewolf-community/browser/source/-/raw/main/assets/uBOAssets.json");
 // ----------------------
 // # NETWORKING
 // ----------------------
-// https and mixed content
+
 /** [CATEGORY] NETWORKING */
 /** [SECTION] HTTPS */
 defaultPref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing
-defaultPref("network.auth.subresource-http-auth-allow", 1); // stop cross-origin resources from using HTTP authentication
+defaultPref("network.auth.subresource-http-auth-allow", 1); // block HTTP authentication credential dialogs
 defaultPref("security.insecure_connection_text.enabled", true); // display http websites as insecure in the ui
 defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content
-defaultPref("network.dns.disableIPv6", true); // disable ipv6
+/** [SECTION] IPv6
 * privacy extension isn't the default for all linux distros, so we disable ipv6.
 */
 defaultPref("network.dns.disableIPv6", true);
-// always send xorigin referer but trim them
+/** [SECTION] REFERERS
-defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2
+ * to enhance privacy but keep a certain level of usability we trim cross-origin
 * referers, instead of completely avoid sending them.
 * as a general rule, the behavior of referes which are not cross-origin should not
 * be changed.
 */
 defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2 to stop sending them completely
 defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port
-defaultPref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention
+/** [SECTION] WEBRTC
-defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
+ * there's no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
-
+ * with the below preference we protect the value even in trusted environments and for win7/8 users,
-// proxy
+ * although this will likely cause breakage.
-defaultPref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one
+ */
 defaultPref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy
 // doh
 defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
 /**
 0 = default
 1 = browser picks faster
 2 = DoH with system dns fallback
 3 = DoH without fallback
 5 = DoH is off, default currently
 below prefs must be applied with pref in order to work
 */
 // pref("network.trr.mode", 2);
 // pref("network.trr.uri", "https://dns.quad9.net/dns-query");
 // prefetching
 defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
 lockPref("network.predictor.enabled", false); // disable predictor
 lockPref("network.prefetch-next", false); // disable link prefetching
 lockPref("network.http.speculative-parallel-limit", 0); // disable prefetching on mouse over
 defaultPref("network.manage-offline-status", false); // let user control the offline behavior
 // ------------
 // # DOM
 // ------------
 // pop-ups and window related preferences
 defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups on close
 defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
 defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown"); // limit events that cause pop-ups
 defaultPref("dom.disable_window_move_resize", true); // block scripts from resizing windows
 defaultPref("browser.link.open_newwindow", 3); // open 'new windows' targeted links in 'new tab'
 defaultPref("browser.link.open_newwindow.restriction", 0); // ignore the size when applying the above pref
 // --------------------------------
 // # CACHE AND TEMPORARY FILES
 // --------------------------------
 defaultPref("browser.cache.disk.enable", false); // disable disk cache
 defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true); // block media cache from writing to disk in pb mode
 defaultPref("media.memory_cache_max_size", 65536); // increase max cache size to avoid playback issues caused by above setting
 defaultPref("browser.shell.shortcutFavicons", false); // disable shortcut favicons from being stored in profile
 defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
 defaultPref("browser.pagethumbnails.capturing_disabled", true); // disable page thumbnails capturing
 // ----------------------
 // # MEDIA
 // ----------------------
 /**
 * limit potential private IP leaks for webrtc users.
 * mDNS protects the value on linux, osx and win10+.
 * these prefs protect the value when allowing mic and camera access, and for win7/8.x.
 * */
 defaultPref("media.peerconnection.ice.no_host", true); // don't use any private IPs for ICE candidate
 defaultPref("media.peerconnection.ice.default_address_only", true); // use a single interface for ICE candidates, the vpn one when a vpn is used
 defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy, when one is used
-// autoplay
+/** [SECTION] PROXY */
-defaultPref("media.autoplay.blocking_policy", 2); // only allow to play when a certain element is clicked
+defaultPref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy
-defaultPref("media.autoplay.default", 5); // personal preference, currently apply blocking policy to all autplay including muted
+defaultPref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention to prevent proxy bypass
 defaultPref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one
 defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy when one is used
-// --------------------------------------
+/** [SECTION] DNS */
-// # FINGERPRINTING
+defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
-// --------------------------------------
+defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
 /**
 * librewolf doesn't use DoH, but it can be enabled with the following prefs:
 * pref("network.trr.mode", 2);
 * pref("network.trr.uri", "https://dns.quad9.net/dns-query");
 * 
 * the possible modes are:
 * 0 = default
 * 1 = browser picks faster
 * 2 = DoH with system dns fallback
 * 3 = DoH without fallback
 * 5 = DoH is off, default currently
 */
-defaultPref("privacy.resistFingerprinting", true); // master switch
+/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
 * disable prefecthing for different things such as links, bookmarks and predictors.
 */
 lockPref("network.predictor.enabled", false);
 lockPref("network.prefetch-next", false);
 lockPref("network.http.speculative-parallel-limit", 0);
 defaultPref("browser.places.speculativeConnect.enabled", false);
 // disable speculative connections and domain guessing from the urlbar
 defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
 defaultPref("browser.urlbar.speculativeConnect.enabled", false);
 lockPref("browser.fixup.alternate.enabled", false);
-// rfp compatibility settings
+/** [SECTION] OFFLINE
 * let users set the browser as offline, without the browser trying to guess.
 */
 defaultPref("network.manage-offline-status", false);
 /** [CATEGORY] FINGERPRINTING */
 /** [SECTION] RFP
 * librewolf should stick to RFP for fingerprinting. we should not set prefs that interfere with it
 * and disabling API for no good reason will be counter productive, so it should also be avoided.  
 */
 defaultPref("privacy.resistFingerprinting", true);
 // rfp related settings
 defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO
 defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
 defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP
 defaultPref("privacy.resistFingerprinting.letterboxing", false); // expose hidden letterboxing pref, but do not enable by default
 /**
 * increase the size of new RFP windows for better usability, while still using a rounded value.
 * if the screen resolution is lower it will stretch to the biggest possible rounded value.
- * */
+ * also, expose hidden letterboxing pref but do not enable it for now.
 */
 defaultPref("privacy.window.maxInnerWidth", 1600);
 defaultPref("privacy.window.maxInnerHeight", 900);
 defaultPref("privacy.resistFingerprinting.letterboxing", false);
-defaultPref("webgl.disabled", true); // master switch, disable webgl
+/** [SECTION] WEBGL */
 defaultPref("webgl.disabled", true);
 // --------------------------------
 // # SECURITY
 // --------------------------------
 defaultPref("fission.autostart", true); // enable fission by default
-// certificates
+/** [CATEGORY] SECURITY */
-defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning
+
 /** [SECTION] SITE ISOLATION
 * https://wiki.mozilla.org/Project_Fission
 */
 defaultPref("fission.autostart", true);
 /** [SECTION] CERTIFICATES */
 defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs
 defaultPref("security.pki.sha1_enforcement_level", 1); // disable sha-1 certificates
 /**
 * enable safe negotiation and show warning when it is not supported. might cause breakage.
 */
 defaultPref("security.ssl.require_safe_negotiation", true);
 defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
 * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
 * CRL instead, particularly the CRLite solution with no OCSP fallback.
 */
 defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 // crl with no ocsp fallback
 defaultPref("security.remote_settings.crlite_filters.enabled", true);
-defaultPref("security.pki.crlite_mode", 2);
+defaultPref("security.pki.crlite_mode", 2); // mode 2 means no fallback
-// safe negotiation
+/** [SECTION] TLS/SSL */
-defaultPref("security.ssl.require_safe_negotiation", true); // block websites that do not support safe negotiation, occasional breakage
+lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
-defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true); // show warning when safe negotiation is not enable and website is accessed
+pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
 // show relevant and advanced issues on warnings and error screens
 defaultPref("browser.ssl_override_behavior", 1);
 defaultPref("browser.xul.error_pages.expert_bad_cert", true);
-// tls behavior
+/** [SECTION] PERMISSIONS */
-lockPref("security.tls.enable_0rtt_data", false); // disable 0 round trip time to improve tls 1.3 security
+lockPref("permissions.delegation.enabled", false); // force permission request to show real origin
-defaultPref("security.tls.version.enable-deprecated", false); // default but helps resetting the preference
+lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
 defaultPref("browser.ssl_override_behavior", 1); // prepopulate url on ssl warning screens
 defaultPref("browser.xul.error_pages.expert_bad_cert", true); // advanced ui infos for broken connections
 // permissions
 lockPref("permissions.delegation.enabled", false); // force permission request to show the real origin
 lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions from some mozilla domains
 /** [SECTION] FONTS */
 defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts
-defaultPref("browser.download.useDownloadDir", false); // force user interaction on downloads, by always asking location
+/** [SECTION] SAFE BROWSING
-
+ * disable safe browsing, including the fetch of updates. reverting the 7 prefs below
-lockPref("security.csp.enable", true); // default
+ * allows to perform local checks and to fetch updated lists from google.
-
+ */
 // ---------------------------------
 // # SAFE BROWSING
 // ---------------------------------
 // disable safe browsing, including the fetch of updates and all outgoing connections 
 defaultPref("browser.safebrowsing.malware.enabled", false);
 defaultPref("browser.safebrowsing.phishing.enabled", false);
 defaultPref("browser.safebrowsing.blockedURIs.enabled", false);
@ -223,156 +227,192 @@ defaultPref("browser.safebrowsing.provider.google4.gethashURL", "");
 defaultPref("browser.safebrowsing.provider.google4.updateURL", "");
 defaultPref("browser.safebrowsing.provider.google.gethashURL", "");
 defaultPref("browser.safebrowsing.provider.google.updateURL", "");
-
+/**
-// disable safe browsing checks on downloads, both local and remote
+ * disable safe browsing checks on downloads, both local and remote. the locked prefs
 * control remote checks, while the first one is for local checks only.
 */
 defaultPref("browser.safebrowsing.downloads.enabled", false);
 lockPref("browser.safebrowsing.downloads.remote.enabled", false);
 lockPref("browser.safebrowsing.downloads.remote.url", "");
 lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
 lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false);
 // other safe browsing options, all default but enforce
 lockPref("browser.safebrowsing.passwords.enabled", false);
 lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
 lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");
-// -----------------------
+/** [SECTION] OTHERS */
-// # DRM
+lockPref("security.csp.enable", true); // enforce csp, default
-// -----------------------
+defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
 defaultPref("pdfjs.enableScripting", false); // disable js scripting in the built-in pdf reader
 defaultPref("media.eme.enabled", false); // disable drm content, master switch that also controls widevine plugin
 defaultPref("media.gmp-manager.url", "data:text/plain,"); // prevent outgoing connections when DRM is disabled
 // disable the openh264 plugin
 defaultPref("media.gmp-provider.enabled", false);
 defaultPref("media.gmp-gmpopenh264.enabled", false);
-// ---------------------------------------------
+/** [CATEGORY] REGION */
 // # LOCATION, LANGUAGE AND REGION
 // ---------------------------------------------
-// use mozilla geo service as deault
+/** [SECTION] LOCATION
 * replace google with mozilla as the default geolocation provide and prevent use of OS location services
 */
 defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
 // prevent use of OS location services
 lockPref("geo.provider.ms-windows-location", false); // [WINDOWS]
 lockPref("geo.provider.use_corelocation", false); // [MAC]
 lockPref("geo.provider.use_gpsd", false); // [LINUX]
-/**
+/** [SECTION] LANGUAGE
-show language as en-US for all users, regardless of their OS language and browser language.
+ * show language as en-US for all users, regardless of their OS language and browser language.
-must use pref and not defaultPref to work. spoof_english also sets the UI correctly.
+ * both prefs must use pref() and not defaultPref to work.
 */
 pref("javascript.use_us_english_locale", true);
 pref("intl.accept_languages", "en-US, en");
-
+// disable region specific updates from mozilla
 // disable region updates
 lockPref("browser.region.network.url", "");
 lockPref("browser.region.update.enabled", false);
 // --------------------------------
 // # SEARCH AND URLBAR
 // --------------------------------
-// disable search suggestions
+
 /** [CATEGORY] BEHAVIOR */
 /** [SECTION] DRM */
 defaultPref("media.eme.enabled", false); // master switch for drm content
 defaultPref("media.gmp-manager.url", "data:text/plain,"); // prevent checks for plugin updates when drm is disabled
 // disable the widevine and the openh264 plugins
 defaultPref("media.gmp-provider.enabled", false);
 defaultPref("media.gmp-gmpopenh264.enabled", false);
 /** [SECTION] SEARCH AND URLBAR
 * disable search suggestion by default and do not update opensearch engines. urls should also be
 * displayed in full instead of trimming them.
 */
 defaultPref("browser.urlbar.suggest.searches", false);
 defaultPref("browser.search.suggest.enabled", false);
-
+defaultPref("browser.search.update", false);
-// firefox suggest, review to trim
+defaultPref("browser.urlbar.trimURLs", false);
-lockPref("browser.urlbar.quicksuggest.scenario", "history"); // prevent opt-in, doesn't work alone
+/**
-lockPref("browser.urlbar.quicksuggest.enabled", false); // disable suggest and hide its ui
+ * quicksuggest is a feature of firefox that shows sponsored suggestions. we disable it in full
-lockPref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // disable suggestions from firefox
+ * but the list could and should be trimmed at some point. the scenario controls the opt-in, while
-lockPref("browser.urlbar.suggest.quicksuggest.sponsored", false); // disable sponsored suggestions
+ * the second pref disables the feature and hides it from the ui.
 */
 lockPref("browser.urlbar.quicksuggest.scenario", "history");
 lockPref("browser.urlbar.quicksuggest.enabled", false);
 lockPref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
 lockPref("browser.urlbar.suggest.quicksuggest.sponsored", false);
 lockPref("browser.urlbar.quicksuggest.dataCollection.enabled", false); // default
-defaultPref("browser.search.update", false); // do not update open search search engines
+/** [SECTION] DOWNLOADS
-defaultPref("browser.urlbar.trimURLs", false); // do not trim urls in the urlbar
+ * user interaction should always be required for downloads, as a way to enhance security by asking
 * the user to specific a certain save location. 
 */
 defaultPref("browser.download.useDownloadDir", false);
 defaultPref("browser.download.autohideButton", false); // do not hide download button automatically
 defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
 defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction
-// urlbar-dns interactions, avoid unwanted and speculative connections
+/** [SECTION] AUTOPLAY
-defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
+ * block autoplay unless element is clicked, and apply the policy to all elements
-defaultPref("browser.urlbar.speculativeConnect.enabled", false);
+ * including muted ones.
-lockPref("browser.fixup.alternate.enabled", false);
+ */
 defaultPref("media.autoplay.blocking_policy", 2);
 defaultPref("media.autoplay.default", 5);
-// ----------------------------------
+/** [SECTION] POP-UPS AND WINDOWS
-// # BROWSER BEHAVIOR
+ * disable annoyin pop-ups and limit events that can trigger them.
-// ----------------------------------
+ */
 defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups
 defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
 defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
 /**
 * prevent scripts from resizing existing windows and opening new ones, by forcing them into
 * new tabs that can't be resized as well.
 */
 defaultPref("dom.disable_window_move_resize", true);
 defaultPref("browser.link.open_newwindow", 3);
 defaultPref("browser.link.open_newwindow.restriction", 0);
-lockPref("app.update.auto", false); // disable update auto installs
+/** [SECTION] MOUSE */
 defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links
 defaultPref("identity.fxaccounts.enabled", false); // sync and firefox account
 // password manager
 defaultPref("signon.rememberSignons", false); // disable saving passwords in the browser
 defaultPref("signon.autofillForms", false); // disable username and password autofills
 defaultPref("signon.formlessCapture.enabled", false); // disable formless login capture
-// autofill
+/** [CATEGORY] EXTENSIONS */
 /** [SECTION] USER INSTALLED
 * extensions are allowed to operate on restricted domains, while their scope
 * is set to profile+applications (https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/).
 * an installation prompt should always be displayed.
 */
 defaultPref("extensions.webextensions.restrictedDomains", "");
 defaultPref("extensions.enabledScopes", 5); // hidden
 defaultPref("extensions.postDownloadThirdPartyPrompt", false);
 /** [SECTION] SYSTEM
 * built-in extension are not allowed to auto-update. additionally the reporter extension
 * of webcompat is disabled. urls are stripped for defense in depth.
 */
 defaultPref("extensions.systemAddon.update.enabled", false);
 defaultPref("extensions.systemAddon.update.url", "");
 lockPref("extensions.webcompat-reporter.enabled", false);
 lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");
 /** [SECTION] EXTENSION FIREWALL
 * the firewall can be enabled with the below prefs, but it is not a sane default:
 * defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';");
 * defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';");
 */
 /** [CATEGORY] BUILT-IN FEATURES */
 /** [SECTION] UPDATER
 * since we do not bake auto-updates in the browser it doesn't make sense at the moment.
 */
 lockPref("app.update.auto", false);
 /** [SECTION] SYNC
 * this functionality is disabled by default but it can be activated in one click.
 * this pref fully controls the feature, including its ui.
 */
 defaultPref("identity.fxaccounts.enabled", false);
 /** [SECTION] LOCKWISE
 * disable the default password manager built into the browser, including its autofill
 * capabilities and formless login capture.
 */
 defaultPref("signon.rememberSignons", false);
 defaultPref("signon.autofillForms", false);
 defaultPref("extensions.formautofill.available", "off");
 defaultPref("extensions.formautofill.addresses.enabled", false);
 defaultPref("extensions.formautofill.creditCards.enabled", false);
 defaultPref("extensions.formautofill.creditCards.available", false);
 defaultPref("extensions.formautofill.heuristics.enabled", false);
 defaultPref("signon.formlessCapture.enabled", false);
-// containers
+/** [SECTION] CONTAINERS
-defaultPref("privacy.userContext.enabled", true); // enable containers
+ * enable containers and show the settings to control them in the stock ui
-defaultPref("privacy.userContext.ui.enabled", true);  // enable containers ui
+ */
 defaultPref("privacy.userContext.enabled", true);
 defaultPref("privacy.userContext.ui.enabled", true);
-defaultPref("pdfjs.enableScripting", false); // block pdf js scripting
+/** [SECTION] DEVTOOLS
-
+ * disable chrome and remote debugging.
-defaultPref("accessibility.force_disabled", 1); // block accessibility services
+ */
-
+defaultPref("devtools.chrome.enabled", false);
-// devtools
+defaultPref("devtools.debugger.remote-enabled", false);
-defaultPref("devtools.chrome.enabled", false); // disable chrome debugging tools
+defaultPref("devtools.remote.adb.extensionURL", "");
 defaultPref("devtools.debugger.remote-enabled", false); // default, disable remote debugging
 defaultPref("devtools.remote.adb.extensionURL", ""); // url to download ad extension
 defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
-// misc
+/** [SECTION] OTHERS */
-defaultPref("browser.shell.checkDefaultBrowser", false); // do not check if default browser
+lockPref("browser.translation.engine", ""); // remove translation engine
-defaultPref("browser.aboutConfig.showWarning", false); // disable about:config warning
+defaultPref("accessibility.force_disabled", 1); // block accessibility services
-defaultPref("browser.download.autohideButton", false); // hide download button automatically
+defaultPref("webchannel.allowObject.urlWhitelist", ""); // do not receive objects through webchannels
 defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
 defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links
 defaultPref("webchannel.allowObject.urlWhitelist", ""); // remove webchannel whitelist
 // --------------------------------------
 // # EXTENSIONS
 // --------------------------------------
-/**
+
- allow extensions to work on all domains.
+/** [CATEGORY] UI */
- default is "debug-notes.log"
+
 /** [SECTION] BRANDING
 * set librewolf support and releases urls in the UI, so that users land in the proper places.
 */
 defaultPref("extensions.webextensions.restrictedDomains", "");
 // set extensions scopes
 defaultPref("extensions.enabledScopes", 5); // hidden
 defaultPref("extensions.postDownloadThirdPartyPrompt", false); // force install prompt for thrid party extensions 
 // about:addons ui
 defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false); // disable recommendations from addons list
 defaultPref("extensions.getAddons.showPane", false); // disable recommendations section
 defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata
 defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
 // extension firewall, disabled by default
 // defaultPref("extensions.webextensions.base-content-security-policy", "default-src 'none'; script-src 'none'; object-src 'none';");
 // defaultPref("extensions.webextensions.base-content-security-policy.v3", "default-src 'none'; script-src 'none'; object-src 'none';");
 // report site issue, disable button and url for in depth defense
 lockPref("extensions.webcompat-reporter.enabled", false);
 lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");
 // system addons, prevent updates and strip url for in depth defense
 defaultPref("extensions.systemAddon.update.enabled", false);
 defaultPref("extensions.systemAddon.update.url", "");
 // --------------------------------
 // # URLS AND ANNOYANCES
 // --------------------------------
 // set librewolf support and releases urls
 defaultPref("app.support.baseURL", "https://librewolf.net/docs/faq/#");
 defaultPref("browser.search.searchEnginesURL", "https://librewolf.net/docs/faq/#how-do-i-add-a-search-engine");
 defaultPref("browser.geolocation.warning.infoURL", "https://librewolf.net/docs/faq/#how-do-i-enable-location-aware-browsing");
@ -382,7 +422,9 @@ defaultPref("app.releaseNotesURL.aboutDialog", "https://gitlab.com/librewolf-com
 defaultPref("app.update.url.details", "https://gitlab.com/librewolf-community/browser");
 defaultPref("app.update.url.manual", "https://gitlab.com/librewolf-community/browser");
-// remove default handlers and translation engine
+/** [SECTION] HANDLERS
 * remove the default handlers for several tipe of files and services.
 */
 lockPref("gecko.handlerService.schemes.mailto.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.mailto.0.name", "");
 lockPref("gecko.handlerService.schemes.mailto.1.uriTemplate", "");
@ -391,9 +433,11 @@ lockPref("gecko.handlerService.schemes.irc.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.irc.0.name", "");
 lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 lockPref("browser.translation.engine", "");
-// disable welcome, what is new pages and ui tour
+/** [SECTION] FIRST LAUNCH
 * disable what's new and ui tour on first start and updates. the browser
 * should also not stress user about being the default one.
 */
 defaultPref("browser.startup.homepage_override.mstone", "ignore");
 defaultPref("startup.homepage_override_url", "about:blank");
 defaultPref("startup.homepage_welcome_url", "about:blank");
@ -401,25 +445,15 @@ defaultPref("startup.homepage_welcome_url.additional", "");
 lockPref("browser.messaging-system.whatsNewPanel.enabled", false);
 lockPref("browser.uitour.enabled", false);
 lockPref("browser.uitour.url", "");
 defaultPref("browser.shell.checkDefaultBrowser", false);
-// hide annoying ui elements from about:protections
+/** [SECTION] NEW TAB PAGE
-defaultPref("browser.contentblocking.report.lockwise.enabled", false);
+ * we want the new tab page to display nothing but the search bar without anything distracting.
-defaultPref("browser.contentblocking.report.monitor.enabled", false);
+ */
 lockPref("browser.contentblocking.report.hide_vpn_banner", true);
 lockPref("browser.contentblocking.report.vpn.enabled", false);
 lockPref("browser.contentblocking.report.show_mobile_app", false);
 defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button from about:preferences#home
 // ------------------------------------
 // # NEW TAB PAGE
 // ------------------------------------
 defaultPref("browser.newtab.preload", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
 defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
 // hide pocket and sponsored content, from new tab page and search bar
 lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
 lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
@ -433,14 +467,35 @@ lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
 lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
 lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default
-// disable recommend as you browse
+/** [SECTION] ABOUT
 * remove annoying ui elements from the about pages, including about:protections
 */
 defaultPref("browser.contentblocking.report.lockwise.enabled", false);
 defaultPref("browser.contentblocking.report.monitor.enabled", false);
 lockPref("browser.contentblocking.report.hide_vpn_banner", true);
 lockPref("browser.contentblocking.report.vpn.enabled", false);
 lockPref("browser.contentblocking.report.show_mobile_app", false);
 // ...about:addons recommendations sections and more
 defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false);
 defaultPref("extensions.getAddons.showPane", false);
 defaultPref("extensions.getAddons.cache.enabled", false); // disable fetching of extension metadata
 defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
 // ...about:preferences#home
 defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button
 // ...and about:config
 defaultPref("browser.aboutConfig.showWarning", false);
 /** [SECTION] RECOMMENDED
 * disable all "recommend as you browse" activity.
 */
 lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 // --------------------------------
 // # TELEMETRY
 // --------------------------------
 /** [CATEGORY] TELEMETRY
 * telemetry is already disabled elsewhere and most of the stuff in here is just for redundancy.
 */
 lockPref("toolkit.telemetry.unified", false); // master switch
 lockPref("toolkit.telemetry.enabled", false);  // master switch
 lockPref("toolkit.telemetry.server", "data:,");
@ -464,55 +519,49 @@ lockPref("datareporting.healthreport.uploadEnabled", false);
 lockPref("datareporting.policy.dataSubmissionEnabled", false);
 lockPref("security.protectionspopup.recordEventTelemetry", false);
 lockPref("browser.ping-centre.telemetry", false);
-
+// opt-out of normandy and studies
 // crash report
 lockPref("breakpad.reportURL", "");
 lockPref("browser.tabs.crashReporting.sendReport", false);
 // normandy and studies
 lockPref("app.normandy.enabled", false);
 lockPref("app.normandy.api_url", "");
 lockPref("app.shield.optoutstudies.enabled", false);
-
+// disable personalized extension recommendations
 // personalized extension recommendations
 lockPref("browser.discovery.enabled", false);
 lockPref("browser.discovery.containers.enabled", false);
 lockPref("browser.discovery.sites", "");
-
+// disable crash report
-// connectivity checks
+lockPref("browser.tabs.crashReporting.sendReport", false);
 lockPref("breakpad.reportURL", "");
 // disable connectivity checks
 lockPref("network.connectivity-service.enabled", false);
-
+// disable captive portal
 // captive portal
 lockPref("network.captive-portal-service.enabled", false);
 lockPref("captivedetect.canonicalURL", "");
 // prevent sending server side analytics
 lockPref("beacon.enabled", false);
-// --------------------------------
+/** [CATEGORY] WINDOWS
-// # WINDOWS
+ * the prefs in this section only apply to windows installations and they don't have any
-// --------------------------------
+ * effect on linux, macos and bsd users.
 */
-// disable windows specific background update service
+/** [SECTION] UPDATES
 * disable windows specific update services.
 */
 lockPref("app.update.service.enabled", false);
 defaultPref("app.update.background.scheduling.enabled", false);
-defaultPref("network.protocol-handler.external.ms-windows-store", false); // disable links launching windows store
+/** [SECTION] OTHERS */
 lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic Firefox start and session restore after reboot
 lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert
 lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry
-
+defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
 lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
 lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert
 defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso
 // -----------------------------------
 // # OVERRIDES
 // -----------------------------------
-// allow settings to be overriden with a file at `~/.librewolf/librewolf.overrides.cfg`
+
-// or `~/.var/app/io.gitlab.librewolf-community/.librewolf/librewolf.overrides.cfg` (Flatpak).
+/** [CATEGORY] OVERRIDES
 * allow settings to be overriden with a file placed in the right location
 * https://librewolf.net/docs/settings/#where-do-i-find-my-librewolfoverridescfg
 */
 let profile_directory;
 if (profile_directory = getenv('USERPROFILE') || getenv('HOME')) {
  pref('autoadmin.global_config_url', `file://${profile_directory}/.librewolf/librewolf.overrides.cfg`);