ToDo: diffs FF53-FF54

[earthlng]

v53.0 vs v54.0

119 diffs ( 54 new, 55 gone, 10 different )

new in v54.0:

• pref("browser.formautofill.enabled", false); ec03969
• pref("browser.newtabpage.activity-stream.enabled", false); 1621cd5
• pref("browser.urlbar.usepreloadedtopurls.enabled", false); 1a04c13
• MistakeURLs: d3e1fe3
  • https://hg.mozilla.org/mozilla-central/rev/077f42a9964c#l10.1
  • pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url=");
  • pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url=");
  • pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url=");
  • pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url=");
• pref("dom.ipc.processCount.extension", 1); dd01dd5
• pref("extensions.screenshots.system-disabled", true); - f61c951
• pref("geo.security.allowinsecure", true); f3a0e8d
• pref("network.http.referer.hideOnionSource", false); ffd8980
• pref("privacy.firstparty.isolate.restrict_opener_access", true); da73ca1
• pref("security.sandbox.logging.enabled", false); dd01dd5
• pref("security.data_uri.inherit_security_context", true);
  • added to "items to keep an eye on: issue 20

removed, renamed or hidden in v54.0:

Done - see 82432a3

• pref("browser.safebrowsing.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url="); https://hg.mozilla.org/mozilla-central/rev/077f42a9964c#l10.1
• pref("browser.safebrowsing.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url="); https://hg.mozilla.org/mozilla-central/rev/077f42a9964c#l10.1
• pref("dom.archivereader.enabled", false); 1342361
• pref("media.eme.apiVisible", true); 1242321

changed in v54.0:

• pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"); // prev: "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"
  => Migrate the blocklist preferences to new URI
• pref("media.peerconnection.ice.tcp", true); // prev: false - ab7dfb7

ignore

==NEW

pref("apz.allow_with_webrender", false);
pref("browser.formautofill.loglevel", "Warn"); // see master switch to disable
pref("browser.urlbar.usepreloadedtopurls.expire_days", 14); // see master switch to disable
pref("browser.storageManager.pressureNotification.minIntervalMS", 1200000);
pref("browser.storageManager.pressureNotification.usageThresholdGB", 5);
pref("devtools.gridinspector.showGridOutline", false);
pref("devtools.source-map.locations.enabled", false);
pref("dom.forms.select.customstyling", true); // https://bugzilla.mozilla.org/show_bug.cgi?id=1339966
pref("dom.ipc.plugins.forcedirect.enabled", true); // we do not support flash
pref("dom.moduleScripts.enabled", false); // ECMAScripts
pref("dom.timeout.max_consecutive_callbacks", 5);
pref("dom.vr.puppet.enabled", false);
pref("dom.vr.test.enabled", false);
pref("extensions.e10sMultiBlocksEnabling", true); // leave e10s experimental staging alone
pref("gfx.downloadable_fonts.keep_variation_tables", false);
pref("gfx.downloadable_fonts.otl_validation", false);
pref("gfx.webrender.enabled", true);
pref("image.mem.animated.discardable", false);
pref("image.mem.shared", false);
   // ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1331944
   // ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1339202
pref("intl.tsf.associate_imc_only_when_imm_ime_is_active", false);
pref("intl.tsf.hack.ms_japanese_ime.do_not_associate_imc_on_win10", true);
pref("intl.uidirection", -1);
pref("layers.advanced.border-layers", false);
pref("layers.advanced.caret-layers", false);
pref("layout.css.text-justify.enabled", false);
pref("layout.scrollbars.always-layerize-track", false);
/* https://developer.mozilla.org/en-US/docs/Mozilla/QA/Marionette ***/
pref("marionette.enabled", false);
pref("marionette.forcelocal", true);
pref("marionette.log.level", "info");
pref("marionette.port", 2828);
pref("marionette.prefs.recommended", true);
pref("media.eme.vp9-in-mp4.enabled", false);
pref("media.ffmpeg.low-latency.enabled", false);
pref("services.sync.engine.bookmarks.validation.interval", 86400);
pref("services.sync.engine.bookmarks.validation.maxRecords", 1000);
pref("services.sync.engine.bookmarks.validation.percentageChance", 10);
pref("signon.masterPasswordReprompt.timeout_ms", 900000);
pref("network.throttle.enable", true);
pref("network.throttle.resume-for", 2000);
pref("network.throttle.suspend-for", 2000);

==REMOVED or HIDDEN

pref("browser.newtabpage.remote", false);
pref("browser.newtabpage.remote.content-signing-test", false);
pref("browser.newtabpage.remote.keys", "");
pref("browser.newtabpage.remote.mode", "production");
pref("browser.newtabpage.remote.version", "1");
pref("devtools.sourcemap.locations.enabled", false);
pref("devtools.toolbox.toolbarSpec", '["splitconsole", "paintflashing toggle","scratchpad","resize toggle","screenshot --fullpage --file", "rulers", "measure"]');
pref("gfx.font_rendering.cleartype.always_use_for_content", false);
pref("gfx.font_rendering.cleartype.use_for_downloadable_fonts", true);
pref("intl.uidirection.ar", "rtl");
pref("intl.uidirection.fa", "rtl");
pref("intl.uidirection.he", "rtl");
pref("intl.uidirection.ug", "rtl");
pref("intl.uidirection.ur", "rtl");
// https://bugzilla.mozilla.org/show_bug.cgi?id=1343941
pref("layers.allow-d3d9-fallback", false);
pref("layers.prefer-d3d9", false);
pref("layout.css.object-fit-and-position.enabled", true);
pref("layout.css.unprefixing-service.enabled", true);
// remove HTTP1 Pipeline Support: https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
pref("network.http.pipelining", false);
pref("network.http.pipelining.abtest", false);
pref("network.http.pipelining.aggressive", false);
pref("network.http.pipelining.max-optimistic-requests", 4);
pref("network.http.pipelining.maxrequests", 32);
pref("network.http.pipelining.maxsize", 300000);
pref("network.http.pipelining.read-timeout", 30000);
pref("network.http.pipelining.reschedule-on-timeout", true);
pref("network.http.pipelining.reschedule-timeout", 1500);
pref("network.http.pipelining.ssl", false);
pref("network.http.proxy.pipelining", false);
pref("pointer-lock-api.prefixed.enabled", false);
pref("security.sandbox.windows.log", false);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1296767#c125
pref("services.sync.jpake.firstMsgMaxTries", 300);
pref("services.sync.jpake.lastMsgMaxTries", 300);
pref("services.sync.jpake.maxTries", 10);
pref("services.sync.jpake.pollInterval", 1000);
pref("services.sync.jpake.serverURL", "https://setup.services.mozilla.com/");
pref("services.sync.log.logger.service.jpakeclient", "Debug");
pref("services.sync.log.logger.userapi", "Debug");
pref("services.sync.miscURL", "misc/");
pref("services.sync.privacyURL", "https://services.mozilla.com/privacy-policy/");
pref("services.sync.scheduler.sync11.singleDeviceInterval", 86400);
pref("services.sync.serverURL", "https://auth.services.mozilla.com/");
pref("services.sync.statusURL", "https://services.mozilla.com/status/");
pref("services.sync.syncKeyHelpURL", "https://services.mozilla.com/help/synckey");
pref("services.sync.termsURL", "https://services.mozilla.com/tos/");
pref("services.sync.userURL", "user/");
// ---------------------------------------------------------------------------------------
// renamed to 'services.sync.engine.bookmarks.validation.*'
pref("services.sync.validation.interval", 86400);
pref("services.sync.validation.maxRecords", 100);
pref("services.sync.validation.percentageChance", 10);
// https://bugzilla.mozilla.org/show_bug.cgi?id=1313045
pref("toolkit.identity.debug", false);
pref("toolkit.identity.enabled", false);

==CHANGED

pref("browser.safebrowsing.provider.google4.lists", "goog-badbinurl-proto,goog-downloadwhite-proto,goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto"); // prev: "goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto"
pref("dom.event.highrestimestamp.enabled", true); // prev: false
pref("dom.ipc.plugins.asyncdrawing.enabled", true); // prev: false // we do not support flash
pref("extensions.blocklist.detailsURL", "https://blocked.cdn.mozilla.net/"); // prev: "https://www.mozilla.com/%LOCALE%/blocklist/"
pref("extensions.blocklist.itemURL", "https://blocked.cdn.mozilla.net/%blockID%.html"); // prev: "https://blocklist.addons.mozilla.org/%LOCALE%/%APP%/blocked/%blockID%"
pref("font.name-list.serif.x-math", "..."); // removed 'Symbol' from the list
pref("layout.css.clip-path-shapes.enabled", true); // prev: false
pref("security.mixed_content.hsts_priming_cache_timeout", 604800); // prev: 10080

[earthlng]

javascript.options.shared_memory - #47 (comment) + #47 (comment)

[crssi]

Nice work @earthlng.

Those looks promising for "lite" version for FF 54+:
browser.safebrowsing.provider.google.reportMalwareMistakeURL
browser.safebrowsing.provider.google.reportPhishMistakeURL
browser.safebrowsing.provider.google4.reportMalwareMistakeURL
browser.safebrowsing.provider.google4.reportPhishMistakeURL

Assuming that I need to trust some entity, switching those to mozilla servers instead of google is a good thing... at least I also have current (the google ones) to false now.

[earthlng]

Thanks @crssi

In a "lite" version we would probably enable safebrowsing and trackingprotection and therefore not change those 4 prefs, but since we don't have different versions at the moment and since we have the 2 "old" prefs already set to empty string (browser.safebrowsing.reportMalwareMistakeURL + browser.safebrowsing.reportPhishMistakeURL), we will most likely also set the 4 new prefs to empty string in the master user.js.

[earthlng]

extensions.blocklist.url

FF54:    https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
FF53:    https://blocklist.addons.mozilla.org/blocklist/3/               %APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
user.js: https://blocklist.addons.mozilla.org/blocklist/3/               %APP_ID%/%APP_VERSION%/

new sanitized pref for FF54 user.js:

user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");

[crssi]

I understand... we are on exactly "on the same page" here. :)
Enable for the lite version and "empty string"/disable on the current.

[earthlng]

probably only used in beta 54 and will be removed from stable?

yeah, maybe. let's ignore it for now and wait until stable is released and then we can see if the pref is still there

[Radagast]

If you don't mind my asking, what do you use for calculating the differences between releases. I use Linux and would like to keep a track of the pref changes on this platform.

Thanks

[earthlng]

what do you use for calculating the differences between releases

custom scripts
If there's a demand for it, I can create and upload the diffs for the linux versions as well

[Radagast]

If there's a demand for it, I can create and upload the diffs for the linux versions as well

Thanks for the information. I for one wold be very interested in seeing the Linux prefs added but I don't wish to present you with additional work if the demand is low.

[earthlng]

Also ESR (but just the final ones - stable-vs-stable)

they are all stable afaik, what do you mean? Tell me which versions you want compared and I can do it.
45.0 vs 52.0? That will be a massive list.

Actually, I think I should add your repo to the resources wiki - any objection?

IDK, its usefulness is pretty limited, and I already link to the files there in every ToDo: diffs issue, but feel free to add it if you want

I for one would be very interested in seeing the Linux prefs added

@Radagast, this will have to do for now, sorry. Apart from the few prefs listed there, the large majority of prefs is the same for Linux and Windows.

[earthlng]

Well, in ESR not too many things change between the minor versions (fe. 52.0 to 52.1.0)

/******************************************************************************************
 * diffs between FF prefs v52.0esr and v52.1.0esr
 ******************************************************************************************/
// changed in v52.1.0esr:
pref("network.predictor.enable-prefetch", false); // prev: true
pref("security.pki.certificate_transparency.mode", 0); // prev: 1

At some point there will be massive changes when all the old stuff gets removed and the new stuff added, but atm I'm not sure when exactly that is normally happening.

[publicarray]

Does anyone know what browser.migrate.automigrate.enabled does?

[publicarray]

Thanks for looking into it. I did not expect you take a deep dive. I only thought to ask because at some stage it was added to the user.js before the upload to github.

Look what I found relating to funnelcake: https://bugzilla.mozilla.org/show_bug.cgi?id=1322718#c1 (at the top is a link to a google doc)

PS Thanks for the invite. I can't promise much involvement though.

[publicarray]

Looks like yes. I looked at https://bugzilla.mozilla.org/show_bug.cgi?id=1289231 and It looks like browser.migrate.automigrate.enabled is about auto migrating browser settings from another browser e.g. from Internet Explorer to Firefox. Funnelcake is probably revisiting these prefs and "experiences".

EDIT: fixed link.

[earthlng]

If It's user initiated why is it called automigrate? It's in the Personal Settings section and I'd like to keep it there and not remove it. I'm assuming it's still possible to import settings etc from other browsers even with this set to false. And I doubt that someone who switches to FF will do so with this user.js right from the get-go. Once they find this they'll have their settings, bookmarks, etc already imported from their old browser.

[earthlng]

network.throttle.* - IMO we can ignore those. Throttling downloads when a page load happens seems nice. Also no privacy/security implications afaik. 1312754 changeset

[earthlng]

• browser.urlbar.usepreloadedtopurls.enabled - 1211726 = pre-seeding the awesome bar suggestions with a hardcoded list of URLs - I don't think we ever want this so lets add it to the user.js and set it to false. Nightly already sets it to true atm. IMO we can ignore the second pref
  browser.urlbar.usepreloadedtopurls.expire_days
• dom.vr.puppet.enabled + dom.vr.test.enabled - both default to false in FF54 and IMO we can ignore these for now
• security.sandbox.logging.enabled - would be nice to have in the PERSONAL section IMO, maybe commented out and titled as "enable sandbox logging"
• browser.storageManager.pressureNotification.* - we have browser.storageManager.enabled;false in 2706 so IMO we can ignore these 2 new prefs

[Atavic]

@earthlng A note here, as I modify any child entry even if the main ones has been modified, e.g. browser.urlbar.usepreloadedtopurls.expire_days and browser.urlbar.usepreloadedtopurls.enabled
This way, if the latter is modified in some unexpected way, I still have the former one with my settings (like 999 days).

[earthlng]

expire_days = 0 (?) or 1 is what you want in that case btw rather than 999 ;)

as I modify any child entry even if the main ones has been modified

yes, I saw that in your fork :) but we would end up with hundreds of additional prefs if we did that. We want to make this user.js easier to use and adding dozens or even hundreds of additional "unnecessary" prefs would be the opposite of that

[earthlng]

changes in beta11 since the beta1 diff in OP:

NEW

pref("extensions.screenshots.system-disabled", true); - f61c951 (note, thorin already added this one item to the first post)
pref("layout.css.appearance.enabled", true);
pref("layout.css.moz-appearance.enabled", true);
pref("signon.masterPasswordReprompt.timeout_ms", 900000);

CHANGED

pref("browser.crashReports.unsubmittedCheck.enabled", true); // prev: false
pref("browser.migrate.automigrate.enabled", true); // prev: false
pref("font.name-list.serif.x-math", "..."); // removed 'Symbol' from the font list in beta11
pref("javascript.options.shared_memory", true); // prev: false
pref("print.use_simplify_page", true); // prev: false
pref("security.mixed_content.hsts_priming_cache_timeout", 604800); // prev: 10080

[earthlng]

• ("image.mem.shared", false) - you added a link to 1331944 but the commit was done in 1339202

They had to "Revert back to using a pref for the moment" because the older patch (without a pref?) caused a crash and had to be backed out.
I'm really not qualified to comment on this and we can only hope that the devs identify and fix as many potential flaws as possible before they enable this pref.
The same goes for image.mem.animated.discardable @ https://bugzilla.mozilla.org/show_bug.cgi?id=1343341

• ("gfx.downloadable_fonts.otl_validation", false) - this is interesting. 1331737

Expose a pref to control the validation of OpenType Layout tables, so that Nightly/Aurora users can choose to bypass validation (like we do on Beta/Release) if they really want out-of-spec fonts to be loaded.

The default behavior will still be as now -- such fonts will load on Beta/Release, so we don't annoy too many users, but Nightly/DevEd will block them and issue console error messages to encourage people to report and fix out-of-spec fonts and font-deployment workflows.

I think the Nightly behavior is preferable because allowing "out-of-spec" data parsing is probably never a good thing other than not to "annoy too many users". They also mention that

there are moves afoot to perhaps modify the spec to allow it, but as of now it's an OpenType spec violation and causes OTS to complain

But they also say

on beta/release, we allow those tables to bypass OTS even if they have spec violations, as in general harfbuzz can still handle them safely.

"in general" - well okay - maybe worth considering adding this and set to to "true"

• ("gfx.downloadable_fonts.keep_variation_tables", false) - 1341085
  similar to the one above this one also allows to "weaken" the OTS sanitizer but it's only made available for testing purposes and I think we can ignore this because "false" is fine

• ("extensions.screenshots.system-disabled", true) - Firefox Screenshots integrated in Firefox Nightly
  some users will probably not want this so we should consider adding this, maybe in the Personal section idk

• security.mixed_content.hsts_priming_cache_timeout - we have HSTS Priming disabled so this is irrelevant

• signon.masterPasswordReprompt.timeout_ms - Bug 1348791 - Add a timeout to master password prompt when searching logins

The login manager searching logins for autofill may trap the user
in an infinite loop of master password prompts until the user enters
the correct master password. To prevent that, we're adding a timeout
to showing the master password prompt for autofill after it was last
cancelled.

IMO no need to add this to the user.js

[earthlng]

YAGNI

IMO every pref in the user.js with the same value as the default value in FF should be active.
Otherwise it's confusing because IMO commented prefs are optional hardening stuff that are only commented out because they break too much sites. Therefore for 1202 I would activate the 2nd + 3rd pref IF security.tls.version.max;4 lands in stable. If not then we can wait with the change until it does land.

[publicarray]

IMO every pref in the user.js with the same value as the default value in FF should be active.

@earthlng while I get your point I disagree. By not forcing every default pref we allow the user to change some settings via the FF GUI granted some could be set to less private/secure by the user. Also I'm lazy so if I don't like a pref I don't need to change as many 😛. For me I like that can look at the user.js and I know that all the used prefs that are in use differ from the FF default (i.e. I know what improvements are made through the user.js)

[earthlng]

security.data_uri.inherit_security_context - this is not ready to use just yet. ATM none of mozilla's testfiles can handle this and the code behind it is completely untested. The pref was also already renamed for FF55 btw. IMO we should add this pref to the "to keep an eye on" list, with a link to 1324406 which is the main ticket for the problem they're trying to fix with this pref. FYI 1324406 blocks the restricted 1296976 ("Access Denied")
The code most likely works but there are serious concerns that it could open more holes/problems than it tries to solve!
The 2nd link you added above for this pref is for a similar problem ie blocking top level window data: URIs, but is not directly related to this pref - one is about not inheriting security context and the other is for blocking top level data:URIs

• 1324406 - Treat 'data:' documents as unique, opaque origins (ASSIGNED)

  • Depends on: 1302399, 1337268, 1337269, 1337270, 1337271, 1337272, 1345593, 1365145, 1366973, ...
    • 1328860 => RESOLVED FIXED in Firefox 54 - Install pref to have data: URIs not inherit the security context
    • 1365166 => RESOLVED FIXED in Firefox 55 - rename security.data_uri.inherit_security_context to security.data_uri.unique_opaque_origin
  • Blocks: 1296976 - Access Denied - You are not authorized to access bug 1296976

• 1331351 - Consider blocking top level window data: URIs

  • Depends on: 1357386 => RESOLVED FIXED in Firefox 55 - Gather telemetry for toplevel data: URI loads
  • Duplicates: 1360485 => RESOLVED DUPLICATE of bug 1331351 - Firefox is vulnerable to phishing stored in data URI
    • lists a PoC testsite in OP (http://createcharts.esy.es/data-url.html)

[earthlng]

dom.event.highrestimestamp.enabled - yes we want true but true is the default value in FF54+ and is unlikely ever gonna change - do we really need to add this to the user.js? We're a bit late to the party with this one xD

[earthlng]

// Allow Flash async drawing mode in 64-bit release builds
pref("dom.ipc.plugins.asyncdrawing.enabled", true);
// Force the accelerated direct path for a subset of Flash wmode values
pref("dom.ipc.plugins.forcedirect.enabled", true);

Flash stuff - who gives a fuck?!? If people still use that piece of shit that's not my problem.

[earthlng]

dom.event.highrestimestamp.enabled
Edit: If anything we should enforce it as false, so, I assume, we fall back to epoch time, and the old dom.enable_user_timing is still applied (with epoch) at least in 54 until it is removed in 55

afaik setting it to false would make things worse. Look at the TBB ticket you linked again. This pref does something but it's not about precision or imprecision. Hopefully they'll bring back dom.enable_user_timing - IDK what the interaction is between these 2 prefs.

[earthlng]

browser.migrate.automigrate.enabled - the change probably won't land in the FF54 Release (see beta11 diff) and I will remove it from the list tomorrow if that's the case
gfx.downloadable_fonts.otl_validation - I already commented on that here
extensions.screenshots.system-disabled - do we want to wait till this gets set to false by default, or ignore it completely?

[earthlng]

changes in FF54 Release since the beta1 diff in OP (bold = changes since beta13):

NEW

pref("extensions.screenshots.system-disabled", true);
pref("intl.tsf.associate_imc_only_when_imm_ime_is_active", false);
pref("intl.tsf.hack.ms_japanese_ime.do_not_associate_imc_on_win10", true);
pref("layout.css.appearance.enabled", true);
pref("layout.css.moz-appearance.enabled", true);
pref("signon.masterPasswordReprompt.timeout_ms", 900000);

CHANGED

pref("browser.crashReports.unsubmittedCheck.enabled", true); // prev: false
pref("browser.migrate.automigrate.enabled", true); // prev: false
pref("devtools.devedition.promo.enabled", true); // prev: false // only 'true' in beta versions
pref("font.name-list.serif.x-math", "..."); // removed 'Symbol' from the font list
pref("javascript.options.shared_memory", true); // prev: false
pref("print.use_simplify_page", true); // prev: false
pref("security.mixed_content.hsts_priming_cache_timeout", 604800); // prev: 10080
pref("security.tls.version.max", 4); // prev: 3

[earthlng]

// This is referred only when both "intl.tsf.enable" and "intl.tsf.support_imm"
// are true.  When this is true, default IMC is associated with focused window
// only when active keyboard layout is a legacy IMM-IME.
pref("intl.tsf.associate_imc_only_when_imm_ime_is_active", false);
// Whether default IMC should be associated with focused window when MS-IME
// for Japanese on Win10 is active.  MS-IME for Japanese on Win10 has a crash
// bug.  While restoring default IMC when MS-IME for Japanese is active,
// it sometimes crashes after Creators Update.  This pref avoid the crash.
pref("intl.tsf.hack.ms_japanese_ime.do_not_associate_imc_on_win10", true);

If you agree that we can ignore these 2 then we can close this and you can release an alpha.

edit: I think this is the bugzilla for those 2 but it's Access Denied because of the crash I guess ...
Bug 1367692 - Make IMEHandler not restore default IMC unless legacy IMM-IME is active
edit2: or this one from the Security vulnerabilities fixed in Firefox 54
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7752
https://bugzilla.mozilla.org/show_bug.cgi?id=1359547