authorLibravatar sommerfeld <[email protected]>2026-04-17 10:54:18 +0100
committerLibravatar sommerfeld <[email protected]>2026-04-17 10:54:18 +0100
commit347c608787b1c13ab3556723667064a232f0ffff (patch)
treedffcfd87e5c1bfdef35e2fc4e780ae5e193c132e
parentec179ae8cb2909d0e2981ce5a7a6b5169ae04b43 (diff)
refactor: clean up firefox user-overrides.js
- Remove 4 dead commented-out prefs (privatebrowsing.autostart, sessionstore.privacy_level, media.eme.enabled, disableIPv6 duplicate) - Remove deprecated pdfjs.disabled (dropped from arkenfox, no longer honored) - Remove deprecated browser.fixup.domainsuffixwhitelist.i2p (FF120+) - Strip arkenfox wiki comment bloat: 97 → 22 lines - Organize remaining 15 active prefs by section
-rw-r--r--firefox/user-overrides.js106
1 files changed, 18 insertions, 88 deletions
diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js
index 5f57297..c6d3bc8 100644
--- a/firefox/user-overrides.js
+++ b/firefox/user-overrides.js
@@ -1,96 +1,26 @@
-/* override recipe: enable session restore ***/
-user_pref("browser.startup.page", 3); // 0102
- // user_pref("browser.privatebrowsing.autostart", false); // 0110 required if you had it set as true
- // user_pref("browser.sessionstore.privacy_level", 0); // 1003 optional to restore cookies/formdata
-user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", false); // [DEFAULT: true]
-user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); // 2811 FF128+
+/** Session restore **/
+user_pref("browser.startup.page", 3); // 0102: resume previous session
+user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", false);
+user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); // FF128+
-/* 1601: control when to send a cross-origin referer
- * 0=always (default), 1=only if base domains match, 2=only if hosts match
- * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram
- * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/
-user_pref("network.http.referer.XOriginPolicy", 0);
+/** Search & URL bar **/
+user_pref("keyword.enabled", true); // allow search from URL bar
+user_pref("network.http.referer.XOriginPolicy", 0); // always send cross-origin referer
-/* 0801: disable location bar using search
- * Don't leak URL typos to a search engine, give an error message instead
- * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
- * [NOTE] This does not affect explicit user action such as using search buttons in the
- * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo)
- * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
-user_pref("keyword.enabled", true);
-
-/* 2620: enforce PDFJS, disable PDFJS scripting
- * This setting controls if the option "Display in Firefox" is available in the setting below
- * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
- * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1]
- * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
- * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
- * [NOTE] JS can still force a pdf to open in-browser by bundling its own code
- * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons
- * [SETTING] General>Applications>Portable Document Format (PDF)
- * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
-user_pref("pdfjs.disabled", true); // [DEFAULT: false]
-
-/* 5003: disable saving passwords
- * [NOTE] This does not clear any passwords already saved
- * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/
+/** Passwords & autofill **/
user_pref("signon.rememberSignons", false);
+user_pref("extensions.formautofill.addresses.enabled", false);
+user_pref("extensions.formautofill.creditCards.enabled", false);
+user_pref("extensions.formautofill.heuristics.enabled", false);
-/* 5017: disable Form Autofill
- * If .supportedCountries includes your region (browser.search.region) and .supported
- * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON
- * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
- * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses
- * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/
-user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
-user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
-user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
-
-/* 2022: disable all DRM content (EME: Encryption Media Extension)
- * Optionally hide the setting which also disables the DRM prompt
- * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
- * [SETTING] General>DRM Content>Play DRM-controlled content
- * [TEST] https://bitmovin.com/demos/drm
- * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
-// user_pref("media.eme.enabled", false); // already disabled
-user_pref("browser.eme.ui.enabled", false);
+/** DRM **/
+user_pref("browser.eme.ui.enabled", false); // hide DRM UI toggle
-/* 0701: disable IPv6
- * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming
- * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4
- * [SETUP-WEB] PR_CONNECT_RESET_ERROR: this pref *might* be the cause
- * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6
- * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an
- * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
- * then this won't make much difference. If you are masking your IP, then it can only help.
- * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
- * [TEST] https://ipleak.org/
- * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
-// user_pref("network.dns.disableIPv6", true);
-user_pref("network.dns.disableIPv6", false);
+/** Network **/
+user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled
+/** Resist Fingerprinting **/
user_pref("privacy.resistFingerprinting.testGranularityMask", 4);
-/* 4505: experimental RFP [FF91+]
- * [WARNING] DO NOT USE unless testing, see [1] comment 12
- * [1] https://bugzilla.mozilla.org/1635603 ***/
user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com,teams.microsoft.com");
-
-user_pref("browser.fixup.domainsuffixwhitelist.i2p", true);
-
-/* 4504: enable letterboxing [FF67+]
- * Dynamically resizes the inner window by applying margins in stepped ranges [2]
- * If you use the dimension pref, then it will only apply those resolutions.
- * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000")
- * [SETUP-WEB] This is independent of RFP (4501). If you're not using RFP, or you are but
- * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable
- * [WARNING] DO NOT USE: the dimension pref is only meant for testing
- * [1] https://bugzilla.mozilla.org/1407366
- * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
-user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
-
-/* 4506: disable RFP spoof english prompt [FF59+]
- * 0=prompt, 1=disabled, 2=enabled
- * [NOTE] When changing from value 2, preferred languages ('intl.accept_languages') is not reset.
- * [SETUP-WEB] when enabled, sets 'en-US, en' for displaying pages and 'en-US' as locale.
- * [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... ***/
-user_pref("privacy.spoof_english", 2);
+user_pref("privacy.resistFingerprinting.letterboxing", true);
+user_pref("privacy.spoof_english", 2); // force English headers
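Review bot: The Resist Fingerprinting section at the end of the hunk keeps `privacy.resistFingerprinting.exemptedDomains` and `privacy.resistFingerprinting.testGranularityMask` active but drops the only comment that explained them, the 4505 block with its "[WARNING] DO NOT USE unless testing" and the bugzilla link. Several other retained prefs gained a short trailing comment, while these two, which carve meet.google.com and teams.microsoft.com out of RFP, now read like routine settings. I would keep a one-line rationale on the exemptedDomains line, e.g. `// 4505: experimental, upstream says testing only; these hosts are exempt from RFP`. The mask line should also say what the value 4 selects (presumably the per-domain exemption mode; worth confirming against the bug the old comment linked).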