diff --git a/PKGBUILD b/PKGBUILD
index c5d6272..3c6d710 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Tad <tad@spotco.us>
 pkgname=brace
-pkgver=20211201
+pkgver=20211211
 pkgrel=1
 pkgdesc="Increases privacy/security through various configs."
 arch=('any')
diff --git a/brace.spec b/brace.spec
index fc275a5..8297bec 100644
--- a/brace.spec
+++ b/brace.spec
@@ -1,5 +1,5 @@
 Name: brace
-Version: 20211201
+Version: 20211211
 Release: 1
 Summary: Increases privacy/security through various configs.
 License: GPLv3+
diff --git a/brace/DEBIAN/control b/brace/DEBIAN/control
index 724a500..ff07ec2 100644
--- a/brace/DEBIAN/control
+++ b/brace/DEBIAN/control
@@ -1,5 +1,5 @@
 Package: brace
-Version: 20211201-1
+Version: 20211211-1
 Section: custom
 Priority: optional
 Architecture: all
diff --git a/brace/usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js b/brace/usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js
index b919cee..6bb0153 100644
--- a/brace/usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js
+++ b/brace/usr/lib/firefox/browser/defaults/preferences/userjs-arkenfox.js
@@ -1,14 +1,14 @@
 /******
 * name: arkenfox user.js
-* date: 24 November 2021
-* version 95-alpha
+* date: 9 December 2021
+* version 96-alpha
 * url: https://github.com/arkenfox/user.js
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
 
 * README:
 
   1. Consider using Tor Browser if it meets your needs or fits your threat model
-       * https://www.torproject.org/about/torusers.html.en
+       * https://2019.www.torproject.org/about/torusers.html
   2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries
        * https://github.com/arkenfox/user.js/wiki
   3. If you skipped step 2, return to step 2
@@ -51,18 +51,16 @@
   1600: HEADERS / REFERERS
   1700: CONTAINERS
   2000: PLUGINS / MEDIA / WEBRTC
-  2300: WEB WORKERS
   2400: DOM (DOCUMENT OBJECT MODEL)
   2600: MISCELLANEOUS
-  2700: PERSISTENT STORAGE
+  2700: ETP (ENHANCED TRACKING PROTECTION)
   2800: SHUTDOWN & SANITIZING
-  4000: FPI (FIRST PARTY ISOLATION)
   4500: RFP (RESIST FINGERPRINTING)
   5000: OPTIONAL OPSEC
   5500: OPTIONAL HARDENING
   6000: DON'T TOUCH
   7000: DON'T BOTHER
-  8000: DON'T BOTHER: NON-RFP
+  8000: DON'T BOTHER: FINGERPRINTING
   9000: PERSONAL
   9999: DEPRECATED / REMOVED / LEGACY / RENAMED
 
@@ -108,7 +106,6 @@ pref("browser.newtabpage.activity-stream.section.highlights.includePocket", fals
 pref("browser.newtabpage.activity-stream.showSponsored", false);
 pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", false); // [FF66+]
 pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); // [FF83+]
-pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW: to support old versions
 /* 0106: clear default topsites
  * [NOTE] This does not block you from adding your own ***/
 pref("browser.newtabpage.activity-stream.default.sites", "");
@@ -328,6 +325,12 @@ pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
  * [SETUP-CHROME] If you use a proxy and you trust your extensions
  * [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
    // pref("network.proxy.failover_direct", false);
+/* 0706: disable proxy bypass for system request failures [FF95+]
+ * RemoteSettings, UpdateService, Telemetry [1]
+ * [WARNING] If false, this will break the fallback for some security features
+ * [SETUP-CHROME] If you use a proxy and you understand the security impact
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
+   // pref("network.proxy.allow_bypass", false); // [HIDDEN PREF]
 /* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
  * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
  * see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3]
@@ -371,9 +374,9 @@ pref("browser.urlbar.speculativeConnect.enabled", false);
  * [1] https://bugzilla.mozilla.org/1642623 ***/
 pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
 /* 0807: disable location bar contextual suggestions [FF92+]
- * [SETTING] Privacy & Security>Address Bar>Contextual Suggestions
+ * [SETTING] Privacy & Security>Address Bar>Suggestions from...
  * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
-pref("browser.urlbar.suggest.quicksuggest", false);
+pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
 pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
 /* 0808: disable tab-to-search [FF85+]
  * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
@@ -480,7 +483,7 @@ pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
  * no unsafe renegotiations on the channel between the browser and the server.
  * [STATS] SSL Labs (July 2021) reports over 99% of sites have secure renegotiation [4]
  * [1] https://wiki.mozilla.org/Security:Renegotiation
- * [2] https://tools.ietf.org/html/rfc5746
+ * [2] https://datatracker.ietf.org/doc/html/rfc5746
  * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
  * [4] https://www.ssllabs.com/ssl-pulse/ ***/
 pref("security.ssl.require_safe_negotiation", true);
@@ -607,10 +610,6 @@ pref("network.http.referer.XOriginPolicy", 2);
 /* 1602: control the amount of cross-origin information to send [FF52+]
  * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
 pref("network.http.referer.XOriginTrimmingPolicy", 2);
-/* 1603: enable the DNT (Do Not Track) HTTP header
- * [NOTE] DNT is enforced with Enhanced Tracking Protection (2710)
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Send websites a "Do Not Track" signal... ***/
-   // pref("privacy.donottrackheader.enabled", true);
 
 /*** [SECTION 1700]: CONTAINERS
    Check out Temporary Containers [2], read the article [3], and visit the wiki/repo [4]
@@ -632,25 +631,31 @@ pref("privacy.userContext.ui.enabled", true);
 /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
 pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
 /* 2001: disable WebRTC (Web Real-Time Communication)
- * [SETUP-WEB] WebRTC can leak your private network address from behind your VPN, but if this
- * is not your threat model, and you want Real-Time Communication, this is the pref for you ***/
-pref("media.peerconnection.enabled", false);
-/* 2002: limit WebRTC private network address leaks
- * In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3]
+ * Firefox uses mDNS hostname obfuscation on desktop (except Windows7/8) and the
+ * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after
+ * you grant device (microphone or camera) access
+ * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC
  * [TEST] https://browserleaks.com/webrtc
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
- * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy
- * [3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
+ * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
+ * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
+   // pref("media.peerconnection.enabled", false);
+/* 2002: force WebRTC inside the proxy [FF70+] ***/
+pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
+/* 2003: force a single network interface for ICE candidates generation [FF42+]
+ * When using a system-wide proxy, it uses the proxy interface
+ * [1] https://developer.mozilla.org/en-US/docs/Web/API/RTCIceCandidate
+ * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
 pref("media.peerconnection.ice.default_address_only", true);
-pref("media.peerconnection.ice.no_host", true); // [FF51+]
-pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
+/* 2004: force exclusion of private IPs from ICE candidates [FF51+]
+ * [SETUP-HARDEN] This will protect your private IP even in TRUSTED scenarios after you
+ * grant device access, but often results in breakage on video-conferencing platforms ***/
+   // pref("media.peerconnection.ice.no_host", true);
 /* 2020: disable GMP (Gecko Media Plugins)
  * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
    // pref("media.gmp-provider.enabled", false);
 /* 2021: disable widevine CDM (Content Decryption Module)
  * [NOTE] This is covered by the EME master switch (2022) ***/
 pref("media.gmp-widevinecdm.enabled", false); //BRACE-UNCOMMENTED: proprietary
-pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
 /* 2022: disable all DRM content (EME: Encryption Media Extension)
  * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
  * [SETTING] General>DRM Content>Play DRM-controlled content
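Review bot: The private network address is no longer kept out of ICE candidates by default, because `media.peerconnection.enabled` (2001) and `media.peerconnection.ice.no_host` (2004) both go from active to commented out. The package now relies on Firefox's mDNS hostname obfuscation, and the new 2001/2004 comments themselves say the private IP is exposed once microphone or camera access is granted. For a package whose description is about increasing privacy/security, that relaxation should be stated in the commit message. Alternatively keep 2004 active with the file's local-override tag, e.g. `pref("media.peerconnection.ice.no_host", true); //BRACE-UNCOMMENTED: <reason>`.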
@@ -669,46 +674,6 @@ pref("media.eme.enabled", false);
  * [1] https://support.mozilla.org/questions/1293231 ***/
 pref("media.autoplay.blocking_policy", 2);
 
-/*** [SECTION 2300]: WEB WORKERS
-   A worker is a JS "background task" running in a global context, i.e. it is different from
-   the current window. Workers can spawn new workers (must be the same origin & scheme),
-   including service and shared workers. Shared workers can be utilized by multiple scripts and
-   communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
-
-   [1]    Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
-   [2]         Worker: https://developer.mozilla.org/docs/Web/API/Worker
-   [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API
-   [4]   SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker
-   [5]   ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker
-   [6]  Notifications: https://support.mozilla.org/questions/1165867#answer-981820
-***/
-pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
-/* 2302: disable service workers [FF32, FF44-compat]
- * Service workers essentially act as proxy servers that sit between web apps, and the
- * browser and network, are event driven, and can control the web page/site they are associated
- * with, intercepting and modifying navigation and resource requests, and caching resources.
- * [NOTE] Service workers require HTTPS, have no DOM access, and are not supported in PB mode [1]
- * [SETUP-WEB] Disabling service workers will break some sites. This pref is required true for
- * service worker notifications (2304), push notifications (disabled, 2305) and service worker
- * cache (2740). If you enable this pref, then check those settings as well
- * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7 ***/
-pref("dom.serviceWorkers.enabled", false);
-/* 2304: disable Web Notifications
- * [NOTE] Web Notifications can also use service workers (2302) and are behind a prompt (7002)
- * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
-   // pref("dom.webnotifications.enabled", false); // [FF22+]
-   // pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
-/* 2305: disable Push Notifications [FF44+]
- * Push is an API that allows websites to send you (subscribed) messages even when the site
- * isn't loaded, by pushing messages to your userAgentID through Mozilla's Push Server
- * [NOTE] Push requires service workers (2302) to subscribe to and display, and is behind
- * a prompt (7002). Disabling service workers alone doesn't stop Firefox polling the
- * Mozilla Push Server. To remove all subscriptions, reset your userAgentID.
- * [1] https://support.mozilla.org/kb/push-notifications-firefox
- * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/
-pref("dom.push.enabled", false);
-   // pref("dom.push.userAgentID", "");
-
 /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/
 pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
 /* 2401: disable "Confirm you want to leave" dialog on page close
@@ -722,6 +687,19 @@ pref("dom.disable_window_move_resize", true);
 pref("dom.disable_open_during_load", true);
 /* 2404: limit events that can cause a popup [SETUP-WEB] ***/
 pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
+/* 2410: disable Web Notifications
+ * [NOTE] Web Notifications are behind a prompt (7002) ***/
+   // pref("dom.webnotifications.enabled", false); // [FF22+]
+   // pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
+/* 2411: disable Push Notifications [FF44+]
+ * Push allows websites to send you subscribed messages through Mozilla's Push Server,
+ * and requires service workers to subscribe to and display, and is behind a prompt (7002)
+ * [NOTE] Disabling service workers alone doesn't stop Firefox polling the Mozilla Push Server
+ * [NOTE] To remove all subscriptions, reset your userAgentID
+ * [1] https://support.mozilla.org/kb/push-notifications-firefox
+ * [2] https://developer.mozilla.org/docs/Web/API/Push_API ***/
+pref("dom.push.enabled", false);
+   // pref("dom.push.userAgentID", "");
 
 /*** [SECTION 2600]: MISCELLANEOUS ***/
 pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
@@ -812,66 +790,24 @@ pref("extensions.postDownloadThirdPartyPrompt", false);
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
    // pref("extensions.webextensions.restrictedDomains", "");
 
-/*** [SECTION 2700]: PERSISTENT STORAGE
-   Data SET by websites including
-          cookies : profile\cookies.sqlite
-     localStorage : profile\webappsstore.sqlite
-        indexedDB : profile\storage\default
-   serviceWorkers :
-
-   [NOTE] indexedDB and serviceWorkers are not available in Private Browsing Mode
-   [NOTE] Blocking cookies also blocks websites access to: localStorage (incl. sessionStorage),
-   indexedDB, sharedWorker, and serviceWorker (and therefore service worker cache and notifications)
-   If you set a site exception for cookies (either "Allow" or "Allow for Session") then they become
-   accessible to websites except shared/service workers where the cookie setting must be "Allow"
-***/
+/*** [SECTION 2700]: ETP (ENHANCED TRACKING PROTECTION) ***/
 pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
-/* 2701: disable or isolate 3rd-party cookies and site-data [SETUP-WEB]
- * 0 = Accept cookies and site data
- * 1 = (Block) All third-party cookies
- * 2 = (Block) All cookies
- * 3 = (Block) Cookies from unvisited websites
- * 4 = (Block) Cross-site tracking cookies (default)
- * 5 = (Isolate All) Cross-site cookies (TCP: Total Cookie Protection / dFPI: dynamic FPI) [1] (FF86+)
- * Option 5 with FPI enabled (4001) is ignored and not shown, and option 4 used instead
- * [NOTE] You can set cookie exceptions under site permissions or use an extension
- * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies
- * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/
-pref("network.cookie.cookieBehavior", 1);
-pref("browser.contentblocking.category", "custom");
-/* 2710: enable Enhanced Tracking Protection (ETP) in all windows
- * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content
+/* 2701: enable Enhanced Tracking Protection's (ETP) Strict Mode [FF86+]
+ * [NOTE] ETP Strict Mode enables Total Cookie Protection (TCP)
+ * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
  * [SETTING] to add site exceptions: Urlbar>ETP Shield
  * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
-pref("privacy.trackingprotection.enabled", true);
-/* 2711: enable various ETP lists ***/
-pref("privacy.trackingprotection.socialtracking.enabled", true);
-pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true] //BRACE-UNCOMMENTED: extra sure for transitioning
-pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true] //BRACE-UNCOMMENTED
-/* 2740: disable service worker cache and cache storage
- * [NOTE] We clear service worker cache on exit (2811)
- * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
-   // pref("dom.caches.enabled", false);
-/* 2750: disable Storage API [FF51+]
- * The API gives sites the ability to find out how much space they can use, how much
- * they are already using, and even control whether or not they need to be alerted
- * before the user agent disposes of site data in order to make room for other things.
- * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
- * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
- * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
-   // pref("dom.storageManager.enabled", false);
-/* 2755: disable Storage Access API [FF65+]
- * [1] https://developer.mozilla.org/docs/Web/API/Storage_Access_API ***/
-   // pref("dom.storage_access.enabled", false);
-/* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/
-pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+] //MULL-COMMENT_ME: untested in Fenix
+pref("browser.contentblocking.category", "strict");
+/* 2702: enable state partitioning of service workers [FF96+] ***/
+pref("privacy.partition.serviceWorkers", true);
 
 /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
 pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
 /** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/
 /* 2801: delete cookies and site data on exit
  * 0=keep until they expire (default), 2=keep until you close Firefox
+ * [NOTE] A "cookie" block permission also controls localStorage/sessionStorage, indexedDB,
+ * sharedWorkers and serviceWorkers. serviceWorkers require an `Allow` permission
  * [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
  * [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow
  *   If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com
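Review bot: Nothing in this hunk guarantees that the Strict settings are actually applied, because `browser.contentblocking.category` = "strict" is now the only active ETP pref. The explicit `network.cookie.cookieBehavior` and `privacy.trackingprotection.*` lines are removed on the strength of 7016's statement that Firefox sets them at runtime. This file ships under `defaults/preferences` and uses `pref()`, so confirm on a fresh and an upgraded profile that Privacy & Security shows Strict and `network.cookie.cookieBehavior` reads 5; if the category is not applied, cookies presumably fall back to stock behaviour rather than the previous value 1. `privacy.partition.serviceWorkers` is marked [FF96+] while the commit also stops disabling service workers (old 2302), so the minimum Firefox version the package targets should be stated. The context line `If using FPI the syntax must be ...` under 2801 is stale now that 6008 enforces FPI off.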
@@ -893,7 +829,7 @@ pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
  * [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
 pref("privacy.sanitize.sanitizeOnShutdown", false); //BRACE-DISABLED: usability, this ain't Tor Browser
 /* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
- * sanitizingOnShutdown is all or nothing, it does not allow exceptions (1681701)
+ * These items do not use exceptions, it is all or nothing (1681701)
  * [NOTE] If "history" is true, downloads will also be cleared
  * [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
  * [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
@@ -904,9 +840,9 @@ pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
 pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
 pref("privacy.clearOnShutdown.history", true);   // [DEFAULT: true]
 pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true]
+pref("privacy.clearOnShutdown.offlineApps", false); // [DEFAULT: false]
 pref("privacy.clearOnShutdown.cookies", false);
-pref("privacy.clearOnShutdown.offlineApps", true);
-   // pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences
+   // pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false]
 /* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME]
  * This dialog can also be accessed from the menu History>Clear Recent History
  * Firefox remembers your last choices. This will reset them when you start Firefox
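Review bot: The flip of `privacy.clearOnShutdown.offlineApps` from true to false has no stated rationale beyond `[DEFAULT: false]`, and `privacy.cpd.offlineApps` gets the same change in the next hunk. With `privacy.sanitize.sanitizeOnShutdown` already false and service workers no longer disabled by this commit, offline website data is no longer preselected for clearing at shutdown or in the Clear Recent History dialog. The 2811 note lists that data as localStorage, service worker cache and IndexedDB. If this is a deliberate local choice, tag it like the other overrides, e.g. `// [DEFAULT: false] //BRACE-DISABLED: <reason>`, on both lines.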
@@ -916,11 +852,11 @@ pref("privacy.cpd.cache", true);    // [DEFAULT: true]
 pref("privacy.cpd.formdata", true); // [DEFAULT: true]
 pref("privacy.cpd.history", true);  // [DEFAULT: true]
 pref("privacy.cpd.sessions", true); // [DEFAULT: true]
+pref("privacy.cpd.offlineApps", false); // [DEFAULT: false]
 pref("privacy.cpd.cookies", false);
-pref("privacy.cpd.offlineApps", true);
    // pref("privacy.cpd.downloads", true); // not used, see note above
-   // pref("privacy.cpd.passwords", false); // [DEFAULT: false] this is not listed
-   // pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] Site Preferences
+   // pref("privacy.cpd.passwords", false); // [DEFAULT: false] not listed
+   // pref("privacy.cpd.siteSettings", false); // [DEFAULT: false]
 /* 2813: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
  * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
  * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008)
@@ -934,46 +870,6 @@ pref("privacy.cpd.offlineApps", true);
  * which will display a blank value, and are not guaranteed to work ***/
 pref("privacy.sanitize.timeSpan", 0);
 
-/*** [SECTION 4000]: FPI (FIRST PARTY ISOLATION)
-   1278037 - indexedDB (FF51+)
-   1277803 - favicons (FF52+)
-   1264562 - OCSP cache (FF52+)
-   1268726 - Shared Workers (FF52+)
-   1316283 - SSL session cache (FF52+)
-   1317927 - media cache (FF53+)
-   1323644 - HSTS and HPKP (FF54+)
-   1334690 - HTTP Alternative Services (FF54+)
-   1334693 - SPDY/HTTP2 (FF55+)
-   1337893 - DNS cache (FF55+)
-   1344170 - blob: URI (FF55+)
-   1300671 - data:, about: URLs (FF55+)
-   1473247 - IP addresses (FF63+)
-   1542309 - top-level domain URLs when host is in the public suffix list (FF68+)
-   1506693 - pdfjs range-based requests (FF68+)
-   1330467 - site permissions (FF69+)
-   1534339 - IPv6 (FF73+)
-   1721858 - WebSocket (FF92+)
-***/
-pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
-/* 4001: enable First Party Isolation [FF51+]
- * [SETUP-WEB] Breaks some cross-origin logins
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1260931,1299996 ***/
-pref("privacy.firstparty.isolate", true);
-/* 4002: enforce FPI restriction for window.opener [FF54+]
- * [NOTE] Setting this to false may reduce the breakage in 4001
- * FF65+ blocks postMessage with targetOrigin "*" if originAttributes don't match. But
- * to reduce breakage it ignores the 1st-party domain (FPD) originAttribute [2][3]
- * The 2nd pref removes that limitation and will only allow communication if FPDs also match
- * [1] https://bugzilla.mozilla.org/1319773#c22
- * [2] https://bugzilla.mozilla.org/1492607
- * [3] https://developer.mozilla.org/docs/Web/API/Window/postMessage ***/
-   // pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
-   // pref("privacy.firstparty.isolate.block_post_message", true);
-/* 4003: enable scheme with FPI [FF78+]
- * [NOTE] Experimental: existing data and site permissions are incompatible
- * and some site exceptions may not work e.g. HTTPS-only mode (1244) ***/
-   // pref("privacy.firstparty.isolate.use_site", true);
-
 /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
    RFP covers a wide range of ongoing fingerprinting solutions.
    It is an all-or-nothing buy in: you cannot pick and choose what parts you want
@@ -1033,12 +929,11 @@ pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
  * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
  * [1] https://bugzilla.mozilla.org/418986 ***/
 pref("privacy.resistFingerprinting", true);
-/* 4502: set new window sizes to round to hundreds [FF55+] [SETUP-CHROME]
- * Width will round down to multiples of 200s and height to 100s, to fit your screen.
- * The max values are a starting point to round from if you want some control
+/* 4502: set new window size rounding max values [FF55+]
+ * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
  * [1] https://bugzilla.mozilla.org/1330882 ***/
-   // pref("privacy.window.maxInnerWidth", 1000);
-   // pref("privacy.window.maxInnerHeight", 1000);
+pref("privacy.window.maxInnerWidth", 1600);
+pref("privacy.window.maxInnerHeight", 900);
 /* 4503: disable mozAddonManager Web API [FF57+]
  * [NOTE] To allow extensions to work on AMO, you also need 2662
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
@@ -1223,7 +1118,13 @@ pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true]
  * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
  * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
 pref("privacy.window.name.update.enabled", true); // [DEFAULT: true]
-/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF91+ ***/
+/* 0607: enforce Local Storage Next Generation (LSNG) [FF65+] ***/
+pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
+/* 6008: enforce no First Party Isolation [FF51+]
+ * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701),
+ * and enabling FPI disables those. FPI is no longer maintained ***/
+pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
+/* 6050: prefsCleaner: reset previously active items removed from arkenfox FF92+ ***/
    // placeholder
 
 /*** [SECTION 7000]: DON'T BOTHER ***/
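Review bot: The new LSNG entry is numbered `0607` although it sits in section 6000 directly before 6008; it should read `/* 6007: enforce Local Storage Next Generation (LSNG) [FF65+] ***/` so that lookups by item number land in the right section. The relocated `dom.storage.next_gen` line also drops the `//MULL-COMMENT_ME: untested in Fenix` tag it carried under the old 2760 entry; keep the tag if anything downstream still keys on it. `privacy.firstparty.isolate` goes from true to an enforced false in this commit, so isolation now depends entirely on ETP Strict (2701) taking effect.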
@@ -1264,8 +1165,8 @@ pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
    // pref("security.tls.version.min", 3); // [DEFAULT: 3]
    // pref("security.tls.version.max", 4);
 /* 7005: disable SSL session IDs [FF36+]
- * [WHY] Passive fingerprinting and perf costs. These are session-only and isolated
- * with network partitioning (FF85+) or when using FPI and/or containers ***/
+ * [WHY] Passive fingerprinting and perf costs. These are session-only
+ * and isolated with network partitioning (FF85+) and/or containers ***/
    // pref("security.ssl.disable_session_identifiers", true); // [HIDDEN PREF]
 /* 7006: onions
  * [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/
@@ -1288,7 +1189,7 @@ pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
    // pref("network.http.spdy.enabled.http2", false);
    // pref("network.http.spdy.websockets", false); // [FF65+]
 /* 7010: disable HTTP Alternative Services [FF37+]
- * [WHY] Already isolated by network partitioning (FF85+) or FPI ***/
+ * [WHY] Already isolated with network partitioning (FF85+) ***/
    // pref("network.http.altsvc.enabled", false);
    // pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+]
 /* 7011: disable website control over browser right-click context menu
@@ -1309,8 +1210,23 @@ pref("dom.allow_cut_copy", false); //BRACE-KEEP_FOR_NOW
  * [WHY] It can compromise security. System addons ship with prefs, use those ***/
    // pref("extensions.systemAddon.update.enabled", false); // [FF62+]
    // pref("extensions.systemAddon.update.url", ""); // [FF44+]
+/* 7015: enable the DNT (Do Not Track) HTTP header
+ * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
+   // pref("privacy.donottrackheader.enabled", true);
+/* 7016: customize ETP settings
+ * [WHY] Arkenfox only supports strict which sets these at runtime (2701) ***/
+   // pref("network.cookie.cookieBehavior", 5);
+   // pref("privacy.partition.network_state.ocsp_cache", true);
+   // pref("privacy.trackingprotection.enabled", true);
+   // pref("privacy.trackingprotection.socialtracking.enabled", true);
+   // pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
+   // pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
+/* 7017: disable service workers [FF32, FF44-compat]
+ * [WHY] Already isolated (FF96+) with TCP (2701) behind a pref (2702)
+ * or blocked with TCP in 3rd parties (FF95 or lower) ***/
+   // pref("dom.serviceWorkers.enabled", false);
 
-/*** [SECTION 8000]: DON'T BOTHER: NON-RFP
+/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
    [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
    [WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere
 ***/
@@ -1360,11 +1276,11 @@ pref("browser.startup.homepage_override.mstone", "ignore"); // master switch
    // pref("full-screen-api.warning.timeout", 0);
 /* APPEARANCE ***/
    // pref("browser.download.autohideButton", false); // [FF57+]
-   // pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
-      // 0=light, 1=dark: with RFP this only affects chrome
    // pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // [FF68+] allow userChrome/userContent
    // pref("ui.prefersReducedMotion", 1); // disable chrome animations [FF77+] [RESTART] [HIDDEN PREF]
       // 0=no-preference, 1=reduce: with RFP this only affects chrome
+   // pref("ui.systemUsesDarkTheme", 1); // [FF67+] [HIDDEN PREF]
+      // 0=light, 1=dark: with RFP this only affects chrome
 /* CONTENT BEHAVIOR ***/
    // pref("accessibility.typeaheadfind", true); // enable "Find As You Type"
 pref("clipboard.autocopy", false); // disable autocopy default [LINUX] //BRACE-UNCOMMENTED: unwanted
@@ -1381,7 +1297,7 @@ pref("clipboard.autocopy", false); // disable autocopy default [LINUX] //BRACE-U
 /* UX FEATURES ***/
 pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New toolbar icon [FF69+]
 pref("extensions.pocket.enabled", false); // Pocket Account [FF46+] //BRACE-UNCOMMENTED: unwanted
-pref("extensions.screenshots.disabled", true); // [FF55+] //BRACE-UNCOMMENTED: unwanted
+   // pref("extensions.screenshots.disabled", true); // [FF55+]
 pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART] //BRACE-UNCOMMENTED: unwanted
    // pref("reader.parse-on-load.enabled", false); // Reader View
 /* OTHER ***/
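Review bot: `extensions.screenshots.disabled` loses both its active state and its `//BRACE-UNCOMMENTED: unwanted` tag, while the neighbouring Pocket and Firefox Accounts overrides keep theirs. This looks like a local override lost while syncing the upstream file rather than a deliberate change, and the commit does not say which. If it is intended, mention it in the commit message; otherwise restore `pref("extensions.screenshots.disabled", true); // [FF55+] //BRACE-UNCOMMENTED: unwanted`.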
@@ -1408,66 +1324,10 @@ pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal
 // 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - replaced by new 1402
    // [-] https://bugzilla.mozilla.org/1715507
    // pref("layout.css.font-visibility.level", 1);
-// ***/
-
-// ESR78.x still uses all the following prefs
-// [NOTE] replace the * with a slash in the line above to re-enable them
-// FF79
-// 0212: enforce fallback text encoding to match en-US
-   // When the content or server doesn't declare a charset the browser will
-   // fallback to the "Current locale" based on your application language
-   // [TEST] https://hsivonen.com/test/moz/check-charset.htm
-   // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20025
-   // [-] https://bugzilla.mozilla.org/1603712
-pref("intl.charset.fallback.override", "windows-1252");
-// FF82
-// 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
-   // i.e. ignore all of Mozilla's various search engines in multiple locales
-   // [-] https://bugzilla.mozilla.org/1619926
-pref("browser.search.geoSpecificDefaults", false);
-pref("browser.search.geoSpecificDefaults.url", "");
-// FF86
-// 1205: disable SSL Error Reporting
-   // [1] https://firefox-source-docs.mozilla.org/main/65.0/browser/base/sslerrorreport/preferences.html
-   // [-] https://bugzilla.mozilla.org/1681839
-pref("security.ssl.errorReporting.automatic", false);
-pref("security.ssl.errorReporting.enabled", false);
-pref("security.ssl.errorReporting.url", "");
-// 2653: disable hiding mime types (Options>General>Applications) not associated with a plugin
-   // [-] https://bugzilla.mozilla.org/1581678
-pref("browser.download.hide_plugins_without_extensions", false);
-// FF87
-// 0105d: disable Activity Stream recent Highlights in the Library [FF57+]
-   // [-] https://bugzilla.mozilla.org/1689405
-pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED: unwanted
-// 8002: disable PointerEvents
-   // [1] https://developer.mozilla.org/docs/Web/API/PointerEvent
-   // [-] https://bugzilla.mozilla.org/1688105
-   // pref("dom.w3c_pointer_events.enabled", false);
-// FF89
-// 0309: disable sending Flash crash reports
-   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
-pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
-// 0310: disable sending the URL of the website where a plugin crashed
-   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
-pref("dom.ipc.plugins.reportCrashURL", false);
-// 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+]
-   // [1] https://bugzilla.mozilla.org/1190623
-   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
-pref("security.mixed_content.block_object_subrequest", true);
-// 1803: disable Flash plugin
-   // 0=deactivated, 1=ask, 2=enabled
-   // ESR52.x is the last branch to fully support NPAPI, FF52+ stable only supports Flash
-   // [NOTE] You can still override individual sites via site permissions
-   // [-] https://bugzilla.mozilla.org/1682030 [underlying NPAPI code removed]
-pref("plugin.state.flash", 0); // [DEFAULT: 1]
-// FF90
-// 0708: disable FTP [FF60+]
-   // [-] https://bugzilla.mozilla.org/1574475
-   // pref("network.ftp.enabled", false); // [DEFAULT: false FF88+]
-// 7001: enforce no offline cache storage (appCache) [FF71+]
-   // [-] https://bugzilla.mozilla.org/1694662
-pref("browser.cache.offline.storage.enable", false); // [DEFAULT: false FF84+]
+// FF95
+// 0807: disable location bar contextual suggestions [FF92+] - replaced by new 0807
+   // [-] https://bugzilla.mozilla.org/1735976
+pref("browser.urlbar.suggest.quicksuggest", false);
 // ***/
 
 /* END: internal custom pref to test for syntax errors ***/
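Review bot: The re-added `pref("browser.urlbar.suggest.quicksuggest", false);` under `// FF95` may be dead, because the `// ***/` that used to close the preceding block is removed and the pref now sits before the only remaining closer. The opener of that block is above the hunk; if it is still `/*`, this line is inside a block comment. 0807 now sets only the [FF95+] `quicksuggest.nonsponsored` name, so Firefox 92–94 would then get no setting for non-sponsored suggestions. Either keep a `// ***/` line ahead of `// FF95` or move the pref outside the commented block with a local tag. The same hunk removes the previously active ESR78-era prefs, so the minimum supported Firefox version should be stated.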
diff --git a/brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace.js b/brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace.js
index 13829c5..26d1fd9 100644
--- a/brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace.js
+++ b/brace/usr/lib/firefox/browser/defaults/preferences/userjs-brace.js
@@ -8,9 +8,10 @@ pref("dom.vibrator.enabled", false);
 pref("general.smoothScroll", false);
 pref("widget.allow-client-side-decoration", true);
 pref("mailnews.start_page.enabled", false);
+pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "{}"); //BRACE-KEEP_FOR_NOW
+pref("browser.library.activity-stream.enabled", false); //BRACE-UNCOMMENTED
 
 //Privacy
-pref("browser.contentblocking.ui.enabled", true);
 pref("browser.link.open_newwindow_restriction", true);
 pref("browser.snippets.enabled", false);
 pref("browser.snippets.firstrunHomepage.enabled", false);
@@ -23,11 +24,10 @@ pref("network.trr.custom_uri", "https://dns.quad9.net/dns-query");
 pref("plugin.expose_full_path", false);
 pref("extensions.enigmail.autoWkdLookup", 0);
 pref("messenger.status.reportIdle", false);
+pref("media.gmp-widevinecdm.visible", false); //BRACE-KEEP_FOR_NOW: proprietary
 
 //Security
 pref("browser.gnome-search-provider.enabled", false);
-pref("browser.preferences.exposeHTTPSOnly", true);
-pref("dom.security.https_only_mode", true); //MULL-COMMENT_ME
 pref("fission.autostart", true); //MULL-COMMENT_ME
 pref("security.webauth.u2f", true);
 pref("mail.phishing.detection.enabled", true);
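Review bot: HTTPS-Only Mode may end up unset, since `dom.security.https_only_mode` and `browser.preferences.exposeHTTPSOnly` are removed here and no other hunk in this diff sets them. A removed comment in the arkenfox file refers to "HTTPS-only mode (1244)", so the arkenfox file probably covers it, but that line is not shown. Confirm it is an active `pref(...)` and not a commented one before relying on it. The removed line also carried `//MULL-COMMENT_ME`; if downstream builds key on that tag, check that the remaining setting is handled the same way.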