revisit middle mouse click behavior

* deprecate middlemouse.contentLoadURL since its default
* add browser.tabs.searchclipboardfor.middleclick to prevent clipboard leaks to search engines by mistake

.gitlab-ci.yml

@@ -0,0 +1,6 @@
+stages:
+  - dummy
+dummy-job:
+  stage: dummy
+  script:
+    - echo "Hello, world!"

.gitlab/issue_templates/Default.md

@@ -19,7 +19,7 @@ https://librewolf.net/docs/faq/#i-have-a-problem-where-do-i-open-a-new-issue
 
 ### details
 - browser version & OS:
-- steps to reprouce:
+- steps to reproduce:
 - expected result:
 - actual result:
 - console errors and warnings:

docs/Changelog.md

@@ -1,9 +1,210 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.
 
+# 7.7
+
+**base librewolf version**: 115.x
+
+**References**:
+- https://gitlab.com/librewolf-community/settings/-/issues/262
+
+#### Added preferences
+
+```
+defaultPref("browser.urlbar.suggest.weather", false);
+defaultPref("extensions.quarantinedDomains.enabled", false);
+```
+
+# 7.6
+
+**base librewolf version**: 111.x - 114.x
+
+**References**:
+- the prefs added in the `LOGGING` section are off by default in the official Mozilla builds, so we are just acting like Firefox here;
+
+#### Removed preferences
+
+```
+defaultPref("browser.contentblocking.report.monitor.enabled", false); // default
+```
+
+#### Changed preferences
+
+```
+defaultPref("app.support.baseURL", "https://support.librewolf.net/");
+```
+
+#### Added preferences
+
+```
+pref("browser.dom.window.dump.enabled", false);
+pref("devtools.console.stdout.chrome", false);
+```
+
+# 7.5
+
+**target commit**: from 71a20c6fff90e7fbcb216f1d644ca1b40b32b8e2 to 6fe09c63cbfb83ebfb6a17f5e624248f2501b97e
+
+**base librewolf version**: 109.x and 110.x
+
+**References**:
+
+- thumbnails are only used in privileged code to populate New Tab Page and Ctrl+Tab previews.
+- the startup blank window doesn't break anything and the perceived performance boost is irrelevant on modern hardware.
+- reset popup events to default as it's mostly a non-issue.
+
+#### Removed preferences
+
+```
+defaultPref("browser.pagethumbnails.capturing_disabled", true);
+defaultPref("browser.startup.blankWindow", false);
+defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
+```
+
+# 7.4
+
+**target commit**: b0d277a77b36e3bcc5c0f7a1b0eca7a54a388d9d
+
+**base librewolf version**: 108.x
+
+**References**:
+
+- win7/8.x don't need this pref thanks to Firefox's own implementation of mDNS.
+
+#### Removed preferences
+
+```
+defaultPref("media.peerconnection.ice.no_host", true); // don't use any private IPs for ICE candidate
+```
+
+# 7.3
+
+**target commit**: from 9395f5c0e061250acbcbcb523d2270d57136d411 to 240e184b785e4e46c09ca6881111f7c2d4d31a3f
+
+**base librewolf version**: 107.x
+
+**References**:
+
+- mixed content is already covered by HTTPS-only-mode;
+- [dom.disable_beforeunload is no longer necessary](https://github.com/arkenfox/user.js/issues/1575);
+- [beacon API is fine](https://gitlab.com/librewolf-community/settings/-/issues/229);
+- [Firefox Vew pref was removed in previous commit](https://gitlab.com/librewolf-community/settings/-/commit/9395f5c0e061250acbcbcb523d2270d57136d411), adding reference to the changelog;
+
+#### Removed preferences
+
+```
+defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content
+defaultPref("dom.disable_beforeunload", true);
+defaultPref("dom.disable_open_during_load", true); // default
+defaultPref("browser.tabs.firefox-view", false);
+pref("beacon.enabled", false);
+```
+
+# 7.2
+
+**target commit**: from 7211e954b82da3cde5c5cf2d613fe1f84288e635 to eb51b4785e5b67fc388bcbd06a8324d5a54f5850
+
+**base librewolf version**: 106.x
+
+**References**:
+
+- hide Firefox View til reviewed, see https://gitlab.com/librewolf-community/browser/source/-/issues/78;
+- hotfix for syntax error;
+
+#### Removed preferences
+
+```
+defaultPref("browser.ssl_override_behavior", 1); // deprecated
+```
+
+#### Added preferences
+
+```
+defaultPref("browser.tabs.firefox-view", false);
+```
+
+# 7.1
+
+**target commit**: 33e1ec1cb97d1f16a696057fe9007ae8391def6b
+
+**base librewolf version**: 106.x
+
+**References**:
+
+- change most `lockPref()` to `pref()` or `defaultPref()`, see https://gitlab.com/librewolf-community/settings/-/issues/204;
+- offline autodetection is mature enough and it is used by some APIs;
+- if someone wants to get the mozilla extension for USB debugging, that's fine.
+
+#### Removed preferences
+```
+defaultPref("network.manage-offline-status", false);
+defaultPref("devtools.remote.adb.extensionURL", "");
+defaultPref("devtools.chrome.enabled", false); // default
+```
+
+# 7.0
+
+**target commit**: from ed9334d258d20830deafe1a02b87b0cea678236d to 1bdfd333e31c3d119c0bf5506a56b2026ead3583
+
+**base librewolf version**: 105.x
+
+**References**:
+
+- [enable APS](https://github.com/arkenfox/user.js/issues/1530#issuecomment-1242850653);
+- trim unnecessary or default NTP prefs, then tidy existing ones;
+- stick to default session restore interval for writes;
+- remove a bunch of default prefs that have been that way for the longest;
+- offer accessibility by default;
+- remove hardcore svg security pref since CVEs are very old and irrelevant, see [this discussion](https://github.com/arkenfox/user.js/issues/1529);
+- improve [autoplay behavior](https://gitlab.com/librewolf-community/settings/-/issues/213).
+
+#### Added preferences
+```
+defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
+defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
+```
+
+#### Removed preferences
+```
+defaultPref("browser.newtab.preload", false);
+lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
+lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
+lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default
+lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
+defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves
+defaultPref("network.http.windows-sso.enabled", false); // default
+defaultPref("privacy.partition.serviceWorkers", true); // default v105+
+defaultPref("accessibility.force_disabled", 1); // block accessibility services
+lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default
+lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default
+defaultPref("network.http.referer.XOriginPolicy", 0); // default
+lockPref("browser.safebrowsing.passwords.enabled", false); // default
+lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false); // default
+defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts
+defaultPref("media.autoplay.blocking_policy", 2);
+```
+
+# 6.9
+
+**target commit**: 49a705f835e1438372fbdf1a779fbc5846212a68
+
+**base librewolf version**: 104.x
+
+**References**:
+- autofill prefs have been replaced in a migration, we now only keep the bare minimum;
+
+#### Removed preferences
+```
+defaultPref("browser.fixup.alternate.enabled", false); // default v104+
+defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // default v104+
+defaultPref("extensions.formautofill.available", "off"); // deprecated
+defaultPref("extensions.formautofill.creditCards.available", false); // deprecated
+defaultPref("extensions.formautofill.heuristics.enabled", false);
+```
+
 # 6.8
 
-**target commit**:
+**target commit**: 381cbed42c98d2376faf7e4ec449623bb99b0be1
 
 **base librewolf version**: 103.x
 

librewolf.cfg

@@ -1,21 +1,21 @@
 
 /** LIBREWOLF SETTINGS
  * 
- * please take the time to read and understand, but also to customize the settings to find your own setup.
- * the answers to the most common questions are at this link https://librewolf.net/docs/faq/
+ * take the time to read and understand, but also to customize the settings to find your own setup.
+ * the answers to the most common questions can be found at https://librewolf.net/docs/faq/.
  * 
- * WARNING: please make sure the first line of this file is empty. this is a known bug.
+ * WARNING: make sure the first line of this file is empty. this is a known bug.
  */
-defaultPref("librewolf.cfg.version", "6.8");
+lockPref("librewolf.cfg.version", "7.7");
 
 
 /** INDEX
  * the file is organized in categories, and each one has a number of sections:
  * 
  * PRIVACY [ISOLATION, SANITIZING, CACHE AND STORAGE, HISTORY AND SESSION RESTORE, QUERY STRIPPING]
- * NETWORKING [HTTPS, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS, OFFLINE]
+ * NETWORKING [HTTPS, REFERERS, WEBRTC, PROXY, DNS, PREFETCHING AND SPECULATIVE CONNECTIONS]
  * FINGERPRINTING [RFP, WEBGL]
- * SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, FONTS, SAFE BROWSING, OTHERS]
+ * SECURITY [SITE ISOLATION, CERTIFICATES, TLS/SSL, PERMISSIONS, SAFE BROWSING, OTHERS]
  * REGION [LOCATION, LANGUAGE]
  * BEHAVIOR [DRM, SEARCH AND URLBAR, DOWNLOADS, AUTOPLAY, POP-UPS AND WINDOWS, MOUSE]
  * EXTENSIONS [USER INSTALLED, SYSTEM, EXTENSION FIREWALL]
@@ -42,7 +42,9 @@ defaultPref("librewolf.cfg.version", "6.8");
  * the UI that allows to change mode manually is hidden.
  */
 pref("browser.contentblocking.category", "strict");
-defaultPref("privacy.partition.serviceWorkers", true); // isolate service workers
+// enable APS
+defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
+defaultPref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);  
 
 /** [SECTION] SANITIZING 
  * all the cleaning prefs true by default except for siteSetting and offlineApps,
@@ -58,9 +60,7 @@ defaultPref("browser.cache.disk.enable", false); // disable disk cache
 /** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
 defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true);
 defaultPref("media.memory_cache_max_size", 65536);
-// disable favicons in profile folder and page thumbnail capturing
-defaultPref("browser.shell.shortcutFavicons", false);
-defaultPref("browser.pagethumbnails.capturing_disabled", true);
+defaultPref("browser.shell.shortcutFavicons", false); // disable favicons in profile folder
 defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
 
 /** [SECTION] HISTORY AND SESSION RESTORE
@@ -71,7 +71,6 @@ pref("privacy.history.custom", true);
 pref("browser.privatebrowsing.autostart", false);
 defaultPref("browser.formfill.enable", false); // disable form history
 defaultPref("browser.sessionstore.privacy_level", 2); // prevent websites from storing session data like cookies and forms
-defaultPref("browser.sessionstore.interval", 60000); // increase time between session saves
 
 /** [SECTION] QUERY STRIPPING
  * currently we set the same query stripping list that brave uses:
@@ -84,6 +83,14 @@ defaultPref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hse
  */
 defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://gitlab.com/librewolf-community/browser/source/-/raw/main/assets/uBOAssets.json");
 
+/** [SECTION] LOGGING
+ * these prefs are off by default in the official Mozilla builds,
+ * so it only makes sense that we also disable them.
+ * See https://gitlab.com/librewolf-community/settings/-/issues/240
+ */
+pref("browser.dom.window.dump.enabled", false);
+pref("devtools.console.stdout.chrome", false);
+
 
 
 /** [CATEGORY] NETWORKING */
@@ -91,23 +98,19 @@ defaultPref("librewolf.uBO.assetsBootstrapLocation", "https://gitlab.com/librewo
 /** [SECTION] HTTPS */
 defaultPref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing
 defaultPref("network.auth.subresource-http-auth-allow", 1); // block HTTP authentication credential dialogs
-defaultPref("security.mixed_content.block_display_content", true); // block insecure passive content
 
 /** [SECTION] REFERERS
  * to enhance privacy but keep a certain level of usability we trim cross-origin
- * referers, instead of completely avoid sending them.
+ * referers to only send scheme, host and port, instead of completely avoid sending them.
  * as a general rule, the behavior of referes which are not cross-origin should not
  * be changed.
  */
-defaultPref("network.http.referer.XOriginPolicy", 0); // default, might be worth changing to 2 to stop sending them completely
-defaultPref("network.http.referer.XOriginTrimmingPolicy", 2); // trim referer to only send scheme, host and port
+defaultPref("network.http.referer.XOriginTrimmingPolicy", 2);
 
 /** [SECTION] WEBRTC
- * there's no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
- * with the below preference we protect the value even in trusted environments and for win7/8 users,
- * although this will likely cause breakage.
+ * there is no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
+ * the private IP address is only used in trusted environments, eg. allowed camera and mic access.
  */
-defaultPref("media.peerconnection.ice.no_host", true); // don't use any private IPs for ICE candidate
 defaultPref("media.peerconnection.ice.default_address_only", true); // use a single interface for ICE candidates, the vpn one when a vpn is used
 
 /** [SECTION] PROXY */
@@ -120,7 +123,7 @@ defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // for
 defaultPref("network.trr.confirmationNS", "skip"); // skip undesired doh test connection
 defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
 /**
- * librewolf doesn't use DoH, but it can be enabled with the following prefs:
+ * librewolf does not use DoH, but it can be enabled with the following prefs:
  * pref("network.trr.mode", 2);
  * pref("network.trr.uri", "https://dns.quad9.net/dns-query");
  * 
@@ -133,21 +136,14 @@ defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
  */
 
 /** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
- * disable prefecthing for different things such as links, bookmarks and predictors.
+ * disable prefecthing for different things such as links, bookmarks and predictions.
  */
-lockPref("network.predictor.enabled", false);
-lockPref("network.prefetch-next", false);
-lockPref("network.http.speculative-parallel-limit", 0);
+pref("network.predictor.enabled", false);
+pref("network.prefetch-next", false);
+pref("network.http.speculative-parallel-limit", 0);
 defaultPref("browser.places.speculativeConnect.enabled", false);
 // disable speculative connections and domain guessing from the urlbar
-defaultPref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // default v104+
 defaultPref("browser.urlbar.speculativeConnect.enabled", false);
-defaultPref("browser.fixup.alternate.enabled", false); // default v104+
-
-/** [SECTION] OFFLINE
- * let users set the browser as offline, without the browser trying to guess.
- */
-defaultPref("network.manage-offline-status", false);
 
 
 
@@ -160,8 +156,7 @@ defaultPref("network.manage-offline-status", false);
 defaultPref("privacy.resistFingerprinting", true);
 // rfp related settings
 defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prevents rfp from breaking AMO
-defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
-defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP
+defaultPref("browser.display.use_system_colors", false); // default, except Win
 /**
  * increase the size of new RFP windows for better usability, while still using a rounded value.
  * if the screen resolution is lower it will stretch to the biggest possible rounded value.
@@ -181,7 +176,9 @@ defaultPref("webgl.disabled", true);
 /** [SECTION] CERTIFICATES */
 defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs
 /**
- * enable safe negotiation and show warning when it is not supported. might cause breakage.
+ * enable safe negotiation and show warning when it is not supported. might cause breakage
+ * if the the server does not support RFC 5746, in tha case SSL_ERROR_UNSAFE_NEGOTIATION
+ * will be shown.
  */
 defaultPref("security.ssl.require_safe_negotiation", true);
 defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
@@ -193,21 +190,16 @@ defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
  * in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check.
  */
 defaultPref("security.remote_settings.crlite_filters.enabled", true);
-defaultPref("security.OCSP.require", true); // set to hard-fail
+defaultPref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
 
 /** [SECTION] TLS/SSL */
-lockPref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
-pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref()
-// show relevant and advanced issues on warnings and error screens
-defaultPref("browser.ssl_override_behavior", 1);
-defaultPref("browser.xul.error_pages.expert_bad_cert", true);
+pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
+pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref(), default
+defaultPref("browser.xul.error_pages.expert_bad_cert", true); // show relevant and advanced issues on warnings and error screens
 
 /** [SECTION] PERMISSIONS */
-lockPref("permissions.delegation.enabled", false); // force permission request to show real origin
-lockPref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
-
-/** [SECTION] FONTS */
-defaultPref("gfx.font_rendering.opentype_svg.enabled", false); // disale svg opentype fonts
+pref("permissions.delegation.enabled", false); // force permission request to show real origin
+pref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
 
 /** [SECTION] SAFE BROWSING
  * disable safe browsing, including the fetch of updates. reverting the 7 prefs below
@@ -221,18 +213,16 @@ defaultPref("browser.safebrowsing.provider.google4.updateURL", "");
 defaultPref("browser.safebrowsing.provider.google.gethashURL", "");
 defaultPref("browser.safebrowsing.provider.google.updateURL", "");
 /**
- * disable safe browsing checks on downloads, both local and remote. the locked prefs
+ * disable safe browsing checks on downloads, both local and remote. the resetting prefs
  * control remote checks, while the first one is for local checks only.
  */
 defaultPref("browser.safebrowsing.downloads.enabled", false);
-lockPref("browser.safebrowsing.downloads.remote.enabled", false);
-lockPref("browser.safebrowsing.downloads.remote.url", "");
-lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
-lockPref("browser.safebrowsing.downloads.remote.block_uncommon", false);
-// other safe browsing options, all default but enforce
-lockPref("browser.safebrowsing.passwords.enabled", false);
-lockPref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
-lockPref("browser.safebrowsing.provider.google4.dataSharingURL", "");
+pref("browser.safebrowsing.downloads.remote.enabled", false);
+pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
+pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
+ // empty for defense in depth
+pref("browser.safebrowsing.downloads.remote.url", "");
+pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
 
 /** [SECTION] OTHERS */
 defaultPref("network.IDN_show_punycode", true); // use punycode in idn to prevent spoofing
@@ -246,9 +236,9 @@ defaultPref("pdfjs.enableScripting", false); // disable js scripting in the buil
  * replace google with mozilla as the default geolocation provide and prevent use of OS location services
  */
 defaultPref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
-lockPref("geo.provider.ms-windows-location", false); // [WINDOWS]
-lockPref("geo.provider.use_corelocation", false); // [MAC]
-lockPref("geo.provider.use_gpsd", false); // [LINUX]
+defaultPref("geo.provider.ms-windows-location", false); // [WINDOWS]
+defaultPref("geo.provider.use_corelocation", false); // [MAC]
+defaultPref("geo.provider.use_gpsd", false); // [LINUX]
 defaultPref("geo.provider.use_geoclue", false); // [LINUX]
 
 /** [SECTION] LANGUAGE
@@ -258,8 +248,8 @@ defaultPref("geo.provider.use_geoclue", false); // [LINUX]
 pref("javascript.use_us_english_locale", true);
 pref("intl.accept_languages", "en-US, en");
 // disable region specific updates from mozilla
-lockPref("browser.region.network.url", "");
-lockPref("browser.region.update.enabled", false);
+pref("browser.region.network.url", "");
+pref("browser.region.update.enabled", false);
 
 
 
@@ -284,6 +274,7 @@ defaultPref("browser.search.update", false);
  * this also includes the best match feature, as it is part of firefox suggest.
  */
 pref("browser.urlbar.quicksuggest.enabled", false);
+defaultPref("browser.urlbar.suggest.weather", false); // disable weather suggestions in urlbar once they are no longer behind feature gate
 
 /** [SECTION] DOWNLOADS
  * user interaction should always be required for downloads, as a way to enhance security by asking
@@ -295,19 +286,13 @@ defaultPref("browser.download.manager.addToRecentDocs", false); // do not add do
 defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction
 
 /** [SECTION] AUTOPLAY
- * block autoplay unless element is clicked, and apply the policy to all elements
- * including muted ones.
+ * block autoplay unless element is right-clicked. this means background videos, videos in a different tab,
+ * or media opened while other media is played will not start automatically.
+ * thumbnails will not autoplay unless hovered. exceptions can be set from the UI.
  */
-defaultPref("media.autoplay.blocking_policy", 2);
 defaultPref("media.autoplay.default", 5);
 
 /** [SECTION] POP-UPS AND WINDOWS
- * disable annoyin pop-ups and limit events that can trigger them.
- */
-defaultPref("dom.disable_beforeunload", true); // disable "confirm you want to leave" pop-ups
-defaultPref("dom.disable_open_during_load", true); // block pop-ups windows
-defaultPref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
-/**
  * prevent scripts from resizing existing windows and opening new ones, by forcing them into
  * new tabs that can't be resized as well.
  */
@@ -316,7 +301,7 @@ defaultPref("browser.link.open_newwindow", 3);
 defaultPref("browser.link.open_newwindow.restriction", 0);
 
 /** [SECTION] MOUSE */
-defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click from opening links
+defaultPref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
 
 
 
@@ -330,6 +315,13 @@ defaultPref("middlemouse.contentLoadURL", false); // prevent mouse middle click
 defaultPref("extensions.webextensions.restrictedDomains", "");
 defaultPref("extensions.enabledScopes", 5); // hidden
 defaultPref("extensions.postDownloadThirdPartyPrompt", false);
+/**
+ * the pref disables quarantined domains.
+ * this is a security feature, we should remove it with v116 as there will be a UI to control this per-extension.
+ * unless we patch remote settings we rely on static dumps. this means even if we did not flip this pref it would
+ * not make a difference at the moment.
+ */
+defaultPref("extensions.quarantinedDomains.enabled", false);
 
 /** [SECTION] SYSTEM
  * built-in extension are not allowed to auto-update. additionally the reporter extension
@@ -367,11 +359,8 @@ defaultPref("identity.fxaccounts.enabled", false);
  */
 defaultPref("signon.rememberSignons", false);
 defaultPref("signon.autofillForms", false);
-defaultPref("extensions.formautofill.available", "off");
 defaultPref("extensions.formautofill.addresses.enabled", false);
 defaultPref("extensions.formautofill.creditCards.enabled", false);
-defaultPref("extensions.formautofill.creditCards.available", false);
-defaultPref("extensions.formautofill.heuristics.enabled", false);
 defaultPref("signon.formlessCapture.enabled", false);
 
 /** [SECTION] CONTAINERS
@@ -381,17 +370,13 @@ defaultPref("privacy.userContext.enabled", true);
 defaultPref("privacy.userContext.ui.enabled", true);
 
 /** [SECTION] DEVTOOLS
- * disable chrome and remote debugging.
+ * disable remote debugging.
  */
-defaultPref("devtools.chrome.enabled", false);
-defaultPref("devtools.debugger.remote-enabled", false);
-defaultPref("devtools.remote.adb.extensionURL", "");
+pref("devtools.debugger.remote-enabled", false); // default, but subject to branding so keep it
 defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
 
 /** [SECTION] OTHERS */
-lockPref("browser.translation.engine", ""); // remove translation engine
-defaultPref("accessibility.force_disabled", 1); // block accessibility services
-defaultPref("webchannel.allowObject.urlWhitelist", ""); // do not receive objects through webchannels
+pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
 defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
 
 
@@ -401,7 +386,7 @@ defaultPref("services.settings.server", "https://%.invalid") // set the remote s
 /** [SECTION] BRANDING
  * set librewolf support and releases urls in the UI, so that users land in the proper places.
  */
-defaultPref("app.support.baseURL", "https://librewolf.net/docs/faq/#");
+defaultPref("app.support.baseURL", "https://support.librewolf.net/");
 defaultPref("browser.search.searchEnginesURL", "https://librewolf.net/docs/faq/#how-do-i-add-a-search-engine");
 defaultPref("browser.geolocation.warning.infoURL", "https://librewolf.net/docs/faq/#how-do-i-enable-location-aware-browsing");
 defaultPref("app.feedback.baseURL", "https://librewolf.net/#questions");
@@ -424,30 +409,27 @@ lockPref("browser.uitour.url", "");
 defaultPref("browser.shell.checkDefaultBrowser", false);
 
 /** [SECTION] NEW TAB PAGE
- * we want the new tab page to display nothing but the search bar without anything distracting.
+ * we want NTP to display nothing but the search bar without anything distracting.
+ * the three prefs below are just for minimalism and they should be easy to revert for users.
  */
-defaultPref("browser.newtab.preload", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
 defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
 defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
-// hide pocket and sponsored content, from new tab page and search bar
+// hide stories and sponsored content from Firefox Home
 lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
-lockPref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
-lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
-lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}"); // hide buggy pocket section from about:preferences#home
 lockPref("browser.newtabpage.activity-stream.showSponsored", false);
 lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
+// disable telemetry in Firefox Home
+lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
 lockPref("browser.newtabpage.activity-stream.telemetry", false);
+// hide stories UI in about:preferences#home, empty highlights list
+lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
 lockPref("browser.newtabpage.activity-stream.default.sites", "");
-lockPref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false);
-lockPref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
-lockPref("browser.newtabpage.activity-stream.feeds.snippets", false); // default
 
 /** [SECTION] ABOUT
  * remove annoying ui elements from the about pages, including about:protections
  */
 defaultPref("browser.contentblocking.report.lockwise.enabled", false);
-defaultPref("browser.contentblocking.report.monitor.enabled", false);
 lockPref("browser.contentblocking.report.hide_vpn_banner", true);
 lockPref("browser.contentblocking.report.vpn.enabled", false);
 lockPref("browser.contentblocking.report.show_mobile_app", false);
@@ -484,9 +466,7 @@ lockPref("toolkit.telemetry.newProfilePing.enabled", false);
 lockPref("toolkit.telemetry.updatePing.enabled", false);
 lockPref("toolkit.telemetry.firstShutdownPing.enabled", false);
 lockPref("toolkit.telemetry.shutdownPingSender.enabled", false);
-lockPref("toolkit.telemetry.shutdownPingSender.enabledFirstSession", false); // default
 lockPref("toolkit.telemetry.bhrPing.enabled", false);
-lockPref("toolkit.telemetry.reportingpolicy.firstRun", false); // default
 lockPref("toolkit.telemetry.cachedClientID", "");
 lockPref("toolkit.telemetry.previousBuildID", "");
 lockPref("toolkit.telemetry.server_owner", "");
@@ -511,12 +491,10 @@ lockPref("browser.discovery.sites", "");
 lockPref("browser.tabs.crashReporting.sendReport", false);
 lockPref("breakpad.reportURL", "");
 // disable connectivity checks
-lockPref("network.connectivity-service.enabled", false);
+pref("network.connectivity-service.enabled", false);
 // disable captive portal
-lockPref("network.captive-portal-service.enabled", false);
-lockPref("captivedetect.canonicalURL", "");
-// prevent sending server side analytics
-lockPref("beacon.enabled", false);
+pref("network.captive-portal-service.enabled", false);
+pref("captivedetect.canonicalURL", "");
 
 /** [CATEGORY] WINDOWS
  * the prefs in this section only apply to windows installations and they don't have any
@@ -532,9 +510,8 @@ defaultPref("app.update.background.scheduling.enabled", false);
 /** [SECTION] OTHERS */
 lockPref("default-browser-agent.enabled", false); // disable windows specific telemetry
 defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
-lockPref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
+pref("toolkit.winRegisterApplicationRestart", false); // disable automatic start and session restore after reboot
 lockPref("security.family_safety.mode", 0); // disable win8.1 family safety cert
-defaultPref("network.http.windows-sso.enabled", false); // disable MS auto authentication via sso