diff --git a/.gitignore b/.gitignore
index 025d4db..056acc3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@
 /mozconfig
 /tmp.nsi
 /tmp-permissive.nsi
+/tmp-strict.nsi
diff --git a/artifacts_all.sh b/artifacts_all.sh
index bd9a84a..e630e33 100644
--- a/artifacts_all.sh
+++ b/artifacts_all.sh
@@ -40,10 +40,9 @@ if [ $? -ne 0 ]; then exit 1; fi
 if [ ! -z $permissive ]; then
     pushd librewolf
     echo "Applying permissive patches..."
+    cp -v ../settings/librewolf.cfg . && cp -v ../settings/distribution/policies.json distribution
     patch -p1 -i ../patches/permissive/librewolf-config.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     patch -p1 -i ../patches/permissive/librewolf-policies.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     popd
 
     # create the final zip artifact
@@ -58,6 +57,27 @@ if [ ! -z $permissive ]; then
     if [ $? -ne 0 ]; then exit 1; fi
 fi
 
+# patch to strict config
+if [ ! -z $strict ]; then
+    pushd librewolf
+    echo "Applying strict config..."
+    cp -v ../settings/librewolf.cfg . && cp -v ../settings/distribution/policies.json distribution
+    patch -p1 -i ../patches/strict/librewolf-config.patch
+    patch -p1 -i ../patches/strict/librewolf-policies.patch
+    popd
+
+    # create the final zip artifact
+    rm -f librewolf-$pkgver.en-US.$ospkg-strict.zip
+    zip -qr9 librewolf-$pkgver.en-US.$ospkg-strict.zip librewolf
+    if [ $? -ne 0 ]; then exit 1; fi
+
+    # now to try to make the installer
+    rm -f librewolf-$pkgver.en-US.win64-strict-setup.exe tmp-strict.nsi
+    sed "s/win64-setup/win64-strict-setup/g" < tmp.nsi > tmp-strict.nsi
+    makensis-3.01.exe -V1 tmp-strict.nsi
+    if [ $? -ne 0 ]; then exit 1; fi
+fi
+
 popd
 }
 
@@ -108,10 +128,9 @@ if [ $? -ne 0 ]; then exit 1; fi
 if [ ! -z $permissive ]; then
     pushd librewolf
     echo "Applying permissive patches..."
+    cp -v ../settings/librewolf.cfg . && cp -v ../settings/distribution/policies.json distribution
     patch -p1 -i ../patches/permissive/librewolf-config.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     patch -p1 -i ../patches/permissive/librewolf-policies.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     popd
 
     # create the final zip artifact
@@ -176,10 +195,9 @@ if [ $? -ne 0 ]; then exit 1; fi
 if [ ! -z $permissive ]; then
     pushd librewolf
     echo "Applying permissive patches..."
+    cp -v ../settings/librewolf.cfg . && cp -v ../settings/distribution/policies.json distribution
     patch -p1 -i ../patches/permissive/librewolf-config.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     patch -p1 -i ../patches/permissive/librewolf-policies.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     popd
 
     # create the final zip artifact
diff --git a/build.sh b/build.sh
index 9b79131..0c7d86a 100755
--- a/build.sh
+++ b/build.sh
@@ -45,104 +45,68 @@ extract() {
     echo "extract: done."
 }
 
-
-# LibreWolf specific mozconfig and patches
-create_mozconfig() {
-    cat >../mozconfig <<END
-ac_add_options --enable-application=browser
-
-# This supposedly speeds up compilation (We test through dogfooding anyway)
-ac_add_options --disable-tests
-ac_add_options --disable-debug
-
-ac_add_options --enable-release
-ac_add_options --enable-hardening
-ac_add_options --enable-rust-simd
-ac_add_options --enable-optimize
-
-
-# Branding
-ac_add_options --enable-update-channel=release
-# theming bugs: ac_add_options --with-app-name=librewolf
-# theming bugs: ac_add_options --with-app-basename=LibreWolf
-ac_add_options --with-branding=browser/branding/librewolf
-ac_add_options --with-distribution-id=io.gitlab.librewolf-community
-ac_add_options --with-unsigned-addon-scopes=app,system
-ac_add_options --allow-addon-sideload
-export MOZ_REQUIRE_SIGNING=0
-
-# Features
-ac_add_options --disable-crashreporter
-ac_add_options --disable-updater
-
-# Disables crash reporting, telemetry and other data gathering tools
-mk_add_options MOZ_CRASHREPORTER=0
-mk_add_options MOZ_DATA_REPORTING=0
-mk_add_options MOZ_SERVICES_HEALTHREPORT=0
-mk_add_options MOZ_TELEMETRY_REPORTING=0
-
-# first attempt to fix the win32 vcredist issue results in build errors..
-#WIN32_REDIST_DIR=$VCINSTALLDIR\redist\x86\Microsoft.VC141.CRT
-END
-}
-
+. ./mozconfigs.sh
 
 do_patches() {
     echo "do_patches: begin. (srcdir=$srcdir)"
 
+    if [ "$srcdir" == "tor-browser" ]; then
+	echo "do_patches: warning: not running do_patches on tor-browser. done."
+	return
+    fi
+
     if [ ! -d $srcdir ]; then exit 1; fi
     cd $srcdir
 
     echo 'Creating mozconfig...'
+
+    if [ "$mozconfig_mode" == "xcompile" ]; then
+	create_mozconfig_xcompile
+	cp -v ../mozconfig .
+    elif [ "$strict" == "strict" ]; then
+	create_mozconfig_strict
+	cp -v ../mozconfig .
+    else
+	create_mozconfig_default
+	cp -v ../mozconfig .
+    fi
     
-    create_mozconfig
-    # just a straight copy for now..
-    cp -v ../mozconfig .
+
+    echo 'Copy librewolf branding files...'
+    
+    cp -vr ../common/source_files/* ./
+    # new branding stuff
+    cp -v ../files/configure.sh browser/branding/librewolf
 
     echo 'Applying patches...'
     
     patch -p1 -i ../linux/mozilla-vpn-ad.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-
+    
     if [ "$srcdir" == "mozilla-unified" ]; then
 	patch -p1 -i ../patches/nightly/context-menu2.patch
-	if [ $? -ne 0 ]; then exit 1; fi
 	patch -p1 -i ../patches/nightly/report-site-issue.patch
-	if [ $? -ne 0 ]; then exit 1; fi
-#!	patch -p1 -i ../patches/nightly/megabar2.patch
-#!	if [ $? -ne 0 ]; then exit 1; fi
+	patch -p1 -i ../patches/nightly/megabar2.patch
     else
 	patch -p1 -i ../linux/context-menu.patch
-	if [ $? -ne 0 ]; then exit 1; fi
 	patch -p1 -i ../linux/remove_addons.patch
-	if [ $? -ne 0 ]; then exit 1; fi
 	patch -p1 -i ../linux/megabar.patch
-	if [ $? -ne 0 ]; then exit 1; fi
     fi
 
     echo 'GNU sed patches...'
     
     patch -p1 -i ../patches/sed-patches/allow-searchengines-non-esr.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     patch -p1 -i ../patches/sed-patches/disable-pocket.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     patch -p1 -i ../patches/sed-patches/remove-internal-plugin-certs.patch
-    if [ $? -ne 0 ]; then exit 1; fi
     patch -p1 -i ../patches/sed-patches/stop-undesired-requests.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-
-    echo 'Copy librewolf branding files...'
     
-    # copy branding resources
-    cp -vr ../common/source_files/* ./
-    # new branding stuff
-    cp -v ../files/configure.sh browser/branding/librewolf
-
     echo 'Local patches...'
     
     # local win10 patches
     patch -p1 -i ../patches/browser-confvars.patch # not sure about this one yet!
-    if [ $? -ne 0 ]; then exit 1; fi
+    
+    if [ "$strict" == "strict" ]; then
+	echo 'strict patches...'
+    fi
     
     cd ..
     echo "do_patches: done."
@@ -335,7 +299,7 @@ git_init() {
 
 # Permissive configuration options (win10 only at the moment)
 
-config_diff() {
+perm_config_diff() {
     pushd settings > /dev/null
       cp "/c/Program Files/LibreWolf/librewolf.cfg" librewolf.cfg
       if [ $? -ne 0 ]; then exit 1; fi
@@ -345,7 +309,7 @@ config_diff() {
     popd > /dev/null
 }
 
-policies_diff() {
+perm_policies_diff() {
     pushd settings/distribution > /dev/null
       cp "/c/Program Files/LibreWolf/distribution/policies.json" policies.json
       if [ $? -ne 0 ]; then exit 1; fi
@@ -355,6 +319,26 @@ policies_diff() {
     popd > /dev/null
 }
 
+strict_config_diff() {
+    pushd settings > /dev/null
+      cp "/c/Program Files/LibreWolf/librewolf.cfg" librewolf.cfg
+      if [ $? -ne 0 ]; then exit 1; fi
+      git diff librewolf.cfg > ../patches/strict/librewolf-config.patch
+      git diff librewolf.cfg
+      git checkout librewolf.cfg > /dev/null 2>&1
+    popd > /dev/null
+}
+
+strict_policies_diff() {
+    pushd settings/distribution > /dev/null
+      cp "/c/Program Files/LibreWolf/distribution/policies.json" policies.json
+      if [ $? -ne 0 ]; then exit 1; fi
+      git diff policies.json > ../../patches/strict/librewolf-policies.patch
+      git diff policies.json
+      git checkout policies.json > /dev/null 2>&1 
+    popd > /dev/null
+}
+
 #
 # Nightly builds
 #
@@ -384,7 +368,13 @@ reset_mozilla_unified() {
     cd ..
     echo "reset_mozilla_unified: done."
 }
-# tor.. experimental
+
+# strict
+set_strict() {
+    strict=strict
+}
+
+# tor-browser.. (experimental)
 init_tor_browser() {
     git clone --no-checkout https://git.torproject.org/tor-browser.git
     
@@ -494,6 +484,10 @@ if [[ "$*" == *reset_tor_browser* ]]; then
     reset_tor_browser
     done_something=1
 fi
+if [[ "$*" == *set_strict* ]]; then
+    set_strict
+    done_something=1
+fi
 
 
 
@@ -607,12 +601,20 @@ fi
 
 # librewolf.cfg and policies.json differences
 
-if [[ "$*" == *config_diff* ]]; then
-    config_diff
+if [[ "$*" == *perm_config_diff* ]]; then
+    perm_config_diff
+    done_something=1
+fi
+if [[ "$*" == *perm_policies_diff* ]]; then
+    perm_policies_diff
+    done_something=1
+fi
+if [[ "$*" == *strict_config_diff* ]]; then
+    strict_config_diff
     done_something=1
 fi
 if [[ "$*" == *policies_diff* ]]; then
-    policies_diff
+    strict_policies_diff
     done_something=1
 fi
 if [[ "$*" == *mach_run_config* ]]; then
@@ -634,13 +636,14 @@ Use: ./build.sh clean | all | [other stuff...]
 
     artifacts_win    - apply .cfg, build the zip file and NSIS setup.exe installer.
     artifacts_perm   - package as above, but use the permissive config/policies.
+    artifacts_strict - package as above, but use the strict config/policies.
 
 # Linux related functions:
 
     deps_deb            - install dependencies with apt.
     deps_rpm            - install dependencies with dnf.
-    deps_pkg            - install dependencies with pkg. (freebsd)
-    deps_mac            - install dependencies with brew. (macOS)
+    deps_pkg            - install dependencies with pkg.  (experimental)
+    deps_mac            - install dependencies with brew. (experimental)
 
     artifacts_deb       - apply .cfg, create a dist zip file (for debian10).
     artifacts_deb_perm  - include permissive build.
@@ -649,16 +652,18 @@ Use: ./build.sh clean | all | [other stuff...]
 
 # Generic utility functionality:
 
-    all             - build all, produce all artifacts including -permissive.
-    clean           - remove generated cruft.
+    all                - build all, produce all artifacts including -permissive.
+    clean              - remove generated cruft.
 
-    mach_env        - create mach build environment.
-    rustup          - perform a rustup for this user.
-    git_subs        - update git submodules.
-    config_diff     - diff between my .cfg and dist .cfg file. (win10)
-    policies_diff   - diff between my policies and the dist policies. (win10)
-    git_init        - create .git folder in firefox-87.0 for creating patches.
-    mach_run_config - copy librewolf config/policies to enable 'mach run'.
+    mach_env           - create mach build environment.
+    rustup             - perform a rustup for this user.
+    git_subs           - update git submodules.
+    perm_config_diff   - diff between my .cfg and dist .cfg file. (win10)
+    perm_policies_diff - diff between my policies and the dist policies. (win10)
+    git_init           - create .git folder in firefox-87.0 for creating patches.
+    mach_run_config    - copy librewolf config/policies to enable 'mach run'.
+
+There is also a strict_config_diff and strict_policies_diff for the strict version.
 
 # Cross-compile from linux: (experimental)
 
@@ -669,14 +674,15 @@ Use: ./build.sh clean | all | [other stuff...]
     setup_rpm_root   - setup compile environment (root stuff)
     setup_rpm_user   - setup compile environmnet (build user)
 
-# Nightly:
+# Nightly etc.:
 
     init_mozilla_unified   - use bootstrap.py to grab the latest mozilla-unified.
     set_mozilla_unified    - use mozilla-unified instead of firefox-87.0 source.
     reset_mozilla_unified  - clean mozilla-unified and pull latest git changes.
 
 You can use init_tor_browser, set_tor_browser as above, but it attempts a Tor
-Browser build instead (esr releases). (experimental)
+Browser build instead (esr releases). (experimental) or use set_strict to get
+a more restricted version (experimental).
 
 # Installation from linux zip file:
 
diff --git a/linux_xcompile.sh b/linux_xcompile.sh
index b77b14c..60d7650 100644
--- a/linux_xcompile.sh
+++ b/linux_xcompile.sh
@@ -52,94 +52,9 @@ setup_rpm_user() {
 
 
 
-
-
 linux_patches() {
-    echo "linux_patches: begin."
-
-
-    if [ ! -d firefox-$pkgver ]; then exit 1; fi
-    cd firefox-$pkgver
-
-    echo 'Applying patches...'
-    
-    patch -p1 -i ../linux/context-menu.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-    patch -p1 -i ../linux/megabar.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-    patch -p1 -i ../linux/mozilla-vpn-ad.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-    patch -p1 -i ../linux/remove_addons.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-
-    
-    echo 'Creating mozconfig...'
-    cat >../mozconfig <<END
-ac_add_options --enable-application=browser
-
-# This supposedly speeds up compilation (We test through dogfooding anyway)
-ac_add_options --disable-tests
-ac_add_options --disable-debug
-
-ac_add_options --enable-release
-ac_add_options --enable-hardening
-ac_add_options --enable-rust-simd
-ac_add_options --enable-optimize
-
-
-# Branding
-ac_add_options --enable-update-channel=release
-# theming bugs: ac_add_options --with-app-name=librewolf
-# theming bugs: ac_add_options --with-app-basename=LibreWolf
-ac_add_options --with-branding=browser/branding/librewolf
-ac_add_options --with-distribution-id=io.gitlab.librewolf-community
-ac_add_options --with-unsigned-addon-scopes=app,system
-ac_add_options --allow-addon-sideload
-export MOZ_REQUIRE_SIGNING=0
-
-# Features
-ac_add_options --disable-crashreporter
-ac_add_options --disable-updater
-
-# Disables crash reporting, telemetry and other data gathering tools
-mk_add_options MOZ_CRASHREPORTER=0
-mk_add_options MOZ_DATA_REPORTING=0
-mk_add_options MOZ_SERVICES_HEALTHREPORT=0
-mk_add_options MOZ_TELEMETRY_REPORTING=0
-
-# first attempt to fix the win32 vcredist issue results in build errors..
-#WIN32_REDIST_DIR=$VCINSTALLDIR\redist\x86\Microsoft.VC141.CRT
-END
-    # just a straight copy for now..
-    cp -v ../mozconfig .
-
-    echo 'GNU sed patches...'
-    
-    patch -p1 -i ../patches/sed-patches/allow-searchengines-non-esr.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-    patch -p1 -i ../patches/sed-patches/disable-pocket.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-    patch -p1 -i ../patches/sed-patches/remove-internal-plugin-certs.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-    patch -p1 -i ../patches/sed-patches/stop-undesired-requests.patch
-    if [ $? -ne 0 ]; then exit 1; fi
-
-    echo 'Copy librewolf branding files...'
-    
-    # copy branding resources
-    cp -vr ../common/source_files/* ./
-    # new branding stuff
-    cp -v ../files/configure.sh browser/branding/librewolf
-
-    echo 'Local patches...'
-    
-    # local win10 patches
-    patch -p1 -i ../patches/browser-confvars.patch # not sure about this one yet!
-    if [ $? -ne 0 ]; then exit 1; fi
-    
-    cd ..
-    
-    echo "linux_patches: done."
+    mozconfig_mode=xcompile
+    do_patches
 }
 
 
diff --git a/mozconfigs.sh b/mozconfigs.sh
new file mode 100644
index 0000000..4ea8d8f
--- /dev/null
+++ b/mozconfigs.sh
@@ -0,0 +1,122 @@
+create_mozconfig_default() {
+    cat >../mozconfig <<END
+ac_add_options --enable-application=browser
+
+# This supposedly speeds up compilation (We test through dogfooding anyway)
+ac_add_options --disable-tests
+ac_add_options --disable-debug
+
+ac_add_options --enable-release
+ac_add_options --enable-hardening
+ac_add_options --enable-rust-simd
+ac_add_options --enable-optimize
+
+
+# Branding
+ac_add_options --enable-update-channel=release
+# theming bugs: ac_add_options --with-app-name=librewolf
+# theming bugs: ac_add_options --with-app-basename=LibreWolf
+ac_add_options --with-branding=browser/branding/librewolf
+ac_add_options --with-distribution-id=io.gitlab.librewolf-community
+ac_add_options --with-unsigned-addon-scopes=app,system
+ac_add_options --allow-addon-sideload
+export MOZ_REQUIRE_SIGNING=0
+
+# Features
+ac_add_options --disable-crashreporter
+ac_add_options --disable-updater
+
+# Disables crash reporting, telemetry and other data gathering tools
+mk_add_options MOZ_CRASHREPORTER=0
+mk_add_options MOZ_DATA_REPORTING=0
+mk_add_options MOZ_SERVICES_HEALTHREPORT=0
+mk_add_options MOZ_TELEMETRY_REPORTING=0
+
+# first attempt to fix the win32 vcredist issue results in build errors..
+#WIN32_REDIST_DIR=$VCINSTALLDIR\redist\x86\Microsoft.VC141.CRT
+END
+}
+
+create_mozconfig_xcompile() {
+    cat >../mozconfig <<END
+# Crosscompile to windows..
+
+ac_add_options --enable-application=browser
+
+# This supposedly speeds up compilation (We test through dogfooding anyway)
+ac_add_options --disable-tests
+ac_add_options --disable-debug
+
+ac_add_options --enable-release
+ac_add_options --enable-hardening
+ac_add_options --enable-rust-simd
+ac_add_options --enable-optimize
+
+
+# Branding
+ac_add_options --enable-update-channel=release
+# theming bugs: ac_add_options --with-app-name=librewolf
+# theming bugs: ac_add_options --with-app-basename=LibreWolf
+ac_add_options --with-branding=browser/branding/librewolf
+ac_add_options --with-distribution-id=io.gitlab.librewolf-community
+ac_add_options --with-unsigned-addon-scopes=app,system
+ac_add_options --allow-addon-sideload
+export MOZ_REQUIRE_SIGNING=0
+
+# Features
+ac_add_options --disable-crashreporter
+ac_add_options --disable-updater
+
+# Disables crash reporting, telemetry and other data gathering tools
+mk_add_options MOZ_CRASHREPORTER=0
+mk_add_options MOZ_DATA_REPORTING=0
+mk_add_options MOZ_SERVICES_HEALTHREPORT=0
+mk_add_options MOZ_TELEMETRY_REPORTING=0
+
+# first attempt to fix the win32 vcredist issue results in build errors..
+#WIN32_REDIST_DIR=$VCINSTALLDIR\redist\x86\Microsoft.VC141.CRT
+END
+}
+
+create_mozconfig_strict() {
+    cat >../mozconfig <<END
+# Balls to the wall edition..
+ac_add_options --disable-webrtc
+
+
+ac_add_options --enable-application=browser
+
+# This supposedly speeds up compilation (We test through dogfooding anyway)
+ac_add_options --disable-tests
+ac_add_options --disable-debug
+
+ac_add_options --enable-release
+ac_add_options --enable-hardening
+ac_add_options --enable-rust-simd
+ac_add_options --enable-optimize
+
+# Branding
+ac_add_options --enable-update-channel=release
+# theming bugs: ac_add_options --with-app-name=librewolf
+# theming bugs: ac_add_options --with-app-basename=LibreWolf
+ac_add_options --with-branding=browser/branding/librewolf
+ac_add_options --with-distribution-id=io.gitlab.librewolf-community
+ac_add_options --with-unsigned-addon-scopes=app,system
+ac_add_options --allow-addon-sideload
+export MOZ_REQUIRE_SIGNING=0
+
+# Features
+ac_add_options --disable-crashreporter
+ac_add_options --disable-updater
+
+# Disables crash reporting, telemetry and other data gathering tools
+mk_add_options MOZ_CRASHREPORTER=0
+mk_add_options MOZ_DATA_REPORTING=0
+mk_add_options MOZ_SERVICES_HEALTHREPORT=0
+mk_add_options MOZ_TELEMETRY_REPORTING=0
+
+# first attempt to fix the win32 vcredist issue results in build errors..
+#WIN32_REDIST_DIR=$VCINSTALLDIR\redist\x86\Microsoft.VC141.CRT
+END
+}
+
diff --git a/patches/strict/README.md b/patches/strict/README.md
new file mode 100644
index 0000000..a11389b
--- /dev/null
+++ b/patches/strict/README.md
@@ -0,0 +1,9 @@
+# current differences between -release and -strict
+
+## librewolf.cfg:
+
+* todo
+
+## policies.json
+
+* todo: add noscript
diff --git a/patches/strict/librewolf-config.patch b/patches/strict/librewolf-config.patch
new file mode 100644
index 0000000..e69de29
diff --git a/patches/strict/librewolf-policies.patch b/patches/strict/librewolf-policies.patch
new file mode 100644
index 0000000..e69de29