summaryrefslogtreecommitdiff
path: root/pcr/iceweasel-hardening
diff options
context:
space:
mode:
Diffstat (limited to 'pcr/iceweasel-hardening')
-rw-r--r--pcr/iceweasel-hardening/PKGBUILD213
-rw-r--r--pcr/iceweasel-hardening/drm-free.pngbin0 -> 3213 bytes
-rw-r--r--pcr/iceweasel-hardening/enable-object-directory-paths.patch13
-rw-r--r--pcr/iceweasel-hardening/gnu_headshadow.pngbin0 -> 6785 bytes
-rw-r--r--pcr/iceweasel-hardening/iceweasel-install-dir.patch13
-rw-r--r--pcr/iceweasel-hardening/iceweasel.desktop310
-rw-r--r--pcr/iceweasel-hardening/iceweasel.install31
-rw-r--r--pcr/iceweasel-hardening/libre.patch338
-rw-r--r--pcr/iceweasel-hardening/mozconfig46
-rw-r--r--pcr/iceweasel-hardening/mozilla-1253216.patch12
-rw-r--r--pcr/iceweasel-hardening/mozilla-build-arm.patch24
-rw-r--r--pcr/iceweasel-hardening/remove-default-and-shell-icons-in-packaging-manifest.patch34
-rw-r--r--pcr/iceweasel-hardening/vendor.js351
13 files changed, 1385 insertions, 0 deletions
diff --git a/pcr/iceweasel-hardening/PKGBUILD b/pcr/iceweasel-hardening/PKGBUILD
new file mode 100644
index 000000000..790b18177
--- /dev/null
+++ b/pcr/iceweasel-hardening/PKGBUILD
@@ -0,0 +1,213 @@
+# Maintainer: André Silva <emulatorman@parabola.nu>
+# Contributor: Márcio Silva <coadde@parabola.nu>
+# Contributor (ConnochaetOS): Henry Jensen <hjensen@connochaetos.org>
+# Contributor: Luke Shumaker <lukeshu@sbcglobal.net>
+# Contributor: fauno <fauno@kiwwwi.com.ar>
+# Contributor: vando <facundo@esdebian.org>
+# Contributor (Arch): Jakub Schmidtke <sjakub@gmail.com>
+# Contributor: Figue <ffigue at gmail>
+# Contributor: taro-k <taro-k@movasense_com>
+# Contributor: Michał Masłowski <mtjm@mtjm.eu>
+# Contributor: Luke R. <g4jc@openmailbox.org>
+# Contributor: Isaac David <isacdaavid@isacdaavid.info>
+# Thank you very much to the older contributors:
+# Contributor: evr <evanroman at gmail>
+# Contributor: Muhammad 'MJ' Jassim <UnbreakableMJ@gmail.com>
+
+_pgo=false
+
+# We're getting this from Debian Sid
+_debname=firefox
+_brandingver=49.0
+_brandingrel=1
+_debver=49.0
+_debrel=deb4
+_debrepo=http://ftp.debian.org/debian/pool/main/
+_parabolarepo=https://repo.parabola.nu/other/iceweasel
+debfile() { echo $@|sed -r 's@(.).*@\1/&/&@'; }
+
+_pkgname=firefox
+pkgname=iceweasel-hardening
+epoch=1
+pkgver=$_debver.$_debrel
+pkgrel=1
+pkgdesc="A libre version of Debian Iceweasel, the standalone web browser based on Mozilla Firefox, with several patches that were introduced to strengthen and protect the end user from security threats"
+arch=(i686 x86_64 armv7h)
+license=(MPL GPL LGPL)
+depends=(alsa-lib dbus-glib ffmpeg gtk2 gtk3 hunspell icu=57.1 libevent libvpx=1.6.0 libxt mime-types mozilla-common nss sqlite startup-notification ttf-font)
+makedepends=(autoconf2.13 diffutils gconf imagemagick imake inetutils libidl2 libpulse librsvg-stable libxslt mesa mozilla-searchplugins pkg-config python2 quilt unzip yasm zip)
+makedepends_i686=(rust)
+makedepends_x86_64=("${makedepends_i686[@]}")
+options=(!emptydirs !makeflags debug)
+if $_pgo; then
+ makedepends+=(xorg-server-xvfb)
+ options+=(!ccache)
+fi
+optdepends=('networkmanager: Location detection via available WiFi networks'
+ 'libnotify: Notification integration'
+ 'upower: Battery API')
+url="https://wiki.parabola.nu/${pkgname%-*}"
+replaces=("${pkgname%-*}-libre" "$_pkgname")
+conflicts=("${pkgname%-*}-libre" "${pkgname%-*}")
+provides=("${pkgname%-*}")
+install=${pkgname%-*}.install
+source=("$_debrepo/`debfile $_debname`_$_debver.orig.tar.xz"
+ "$_debrepo/`debfile $_debname`_$_debver-${_debrel#deb}.debian.tar.xz"
+ "$_parabolarepo/${pkgname}_$_brandingver-$_brandingrel.branding.tar.xz"
+ "$_parabolarepo/${pkgname}_$_brandingver-$_brandingrel.branding.tar.xz.sig"
+ mozconfig
+ libre.patch
+ remove-default-and-shell-icons-in-packaging-manifest.patch
+ gnu_headshadow.png
+ drm-free.png
+ ${pkgname%-*}.desktop
+ ${pkgname%-*}-install-dir.patch
+ vendor.js
+ enable-object-directory-paths.patch
+ mozilla-1253216.patch
+ mozilla-build-arm.patch)
+sha256sums=('2f463afd3c74eb9477f58525214f06498357ff90f01b45fb2675fc77c57bcffe'
+ '8e4051a587e380849226fa0de89a02468c45133a758665dc2a7064a248f138a8'
+ 'c0fd88e37187298a7658919cf2e4b6d024425b781d6aff5bdba49dc991f379d3'
+ 'SKIP'
+ '8212fd5e341a251c97871c0f114f6332c78326f707f9d20eddc8d644e0c5c988'
+ '013af398e97da9e855a143582816bf819e0d9d8d2b0e323d6b832f3df1157fdd'
+ '32f1fe3ad4f80d0ae419064db2abe49b97cd7cb18c35d68be1a2befb60172a2a'
+ '93e3001ce152e1d142619e215a9ef07dd429943b99d21726c25da9ceb31e31cd'
+ '56eba484179c7f498076f8dc603d8795e99dce8c6ea1da9736318c59d666bff6'
+ '87034dbb640f70454b27d1695a6f03b6fd1ab81c82eb4d8c771db925ae03d408'
+ '3aea6676f1e53a09673b6ae219d281fc28054beb6002b09973611c02f827651d'
+ 'aec1e2c3a1f5626c39d5d71000a45033de5b67b5fb9cb437a45f16ee5c5d2dc3'
+ 'e260e555b261aabab1e48786dd514eeea056e4402af7cfd4dfd1d32858441484'
+ 'fbb6011501a74a8ea6d01c041870fcefb7ef2859c134aedc676e5f6452833f65'
+ '56eecee8162c138c442773d66483886f1242c8dd2b16eed5711ae5e63d9b0e3a')
+validpgpkeys=(
+ 'C92BAA713B8D53D3CAE63FC9E6974752F9704456' # André Silva
+ '684D54A189305A9CC95446D36B888913DDB59515' # Márcio Silva
+)
+
+prepare() {
+ cd "$srcdir/$_pkgname-$_debver"
+ mv "$srcdir/debian" .
+ mv "$srcdir/${pkgname%-*}-$_brandingver/branding" debian
+ mv "$srcdir/${pkgname%-*}-$_brandingver/patches/iceweasel-branding" debian/patches
+ cat "$srcdir/${pkgname%-*}-$_brandingver/patches/series" >> debian/patches/series
+
+ export QUILT_PATCHES=debian/patches
+ export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
+ export QUILT_DIFF_ARGS='--no-timestamps'
+
+ quilt push -av
+
+ # Put gnu_headshadow.png and drm-free.png in the source code
+ install -m644 "$srcdir/"{gnu_headshadow,drm-free}.png \
+ browser/base/content/abouthome
+
+ # Useless since we are doing it ourselves
+ patch -Np1 -i "$srcdir/remove-default-and-shell-icons-in-packaging-manifest.patch"
+
+ # Enable object directory paths for Iceweasel rebranding
+ patch -Np1 -i "$srcdir/enable-object-directory-paths.patch"
+
+ # Install to /usr/lib/${pkgname%-*}
+ patch -Np1 -i "$srcdir/${pkgname%-*}-install-dir.patch"
+
+ # Patch and remove anything that's left
+ patch -Np1 -i "$srcdir/libre.patch"
+ sed -i 's|Adobe Flash|SWF Player|g;
+ ' browser/base/content/pageinfo/permissions.js \
+ browser/base/content/browser-plugins.js
+ sed -i '\|["]displayName["][:] ["]Flash["]| s|Flash|SWF Player|
+ \|["]displayName["][:] ["]Shockwave["]| s|Shockwave|DCR Player|
+ \|["]displayName["][:] ["]QuickTime["]| s|QuickTime|MOV Player|
+ \|installLinux| s|true|false|
+ ' browser/base/content/browser-plugins.js
+
+ # Load our build config, disable SafeSearch
+ cp "$srcdir/mozconfig" .mozconfig
+
+ mkdir "$srcdir/path"
+ ln -s /usr/bin/python2 "$srcdir/path/python"
+
+ # Load our searchplugins
+ rm -rv browser/locales/en-US/searchplugins
+ cp -av /usr/lib/mozilla/searchplugins browser/locales/en-US
+
+ # Disable various components at the source level
+ sed -i 's|[;]1|;0|' toolkit/components/telemetry/TelemetryStartup.manifest || die "failed break telemetry startup"
+ sed -i 's|[;]1|;0|' browser/experiments/Experiments.manifest || die "failed to break ExperimentsService"
+ sed -i '/pocket/d' browser/extensions/moz.build || die "failed to wipe pocket"
+
+ # ARM-specific changes:
+ if [[ "$CARCH" == arm* ]]; then
+ sed -i '/ac_add_options --enable-rust/d' .mozconfig
+ echo "ac_add_options --disable-ion" >> .mozconfig
+ echo "ac_add_options --disable-elf-hack" >> .mozconfig
+ echo "ac_add_options --disable-webrtc" >> .mozconfig
+
+ # Disable gold linker, reduce memory consumption at link time
+ sed -i '/ac_add_options --enable-gold/d' .mozconfig
+ LDFLAGS+=" -Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
+ echo "ac_add_options --disable-tests" >> .mozconfig
+ echo "ac_add_options --disable-debug" >> .mozconfig
+
+ patch -p1 -i ../mozilla-1253216.patch
+ patch -p1 -i ../mozilla-build-arm.patch
+ fi
+}
+
+build() {
+ cd "$srcdir/$_pkgname-$_debver"
+
+ # _FORTIFY_SOURCE causes configure failures
+ CPPFLAGS+=" -O2"
+
+ # Hardening
+ LDFLAGS+=" -Wl,-z,now"
+
+ # GCC 6
+ CXXFLAGS+=" -fno-delete-null-pointer-checks -fno-schedule-insns2"
+
+ export PATH="$srcdir/path:$PATH"
+
+ if $_pgo; then
+ # Do PGO
+ xvfb-run -a -s "-extension GLX -screen 0 1280x1024x24" \
+ make -f client.mk build MOZ_PGO=1
+ else
+ make -f client.mk build
+ fi
+}
+
+package() {
+ cd "$srcdir/$_pkgname-$_debver"
+ make -f client.mk DESTDIR="$pkgdir" INSTALL_SDK= install
+
+ install -Dm644 ../vendor.js "$pkgdir/usr/lib/${pkgname%-*}/browser/defaults/preferences/vendor.js"
+
+ _brandingdir=debian/branding
+ brandingdir=moz-objdir/$_brandingdir
+ icondir="$pkgdir/usr/share/icons/hicolor"
+ for i in 16 22 24 32 48 64 128 192 256 384; do
+ rsvg-convert -w $i -h $i "$_brandingdir/${pkgname}_icon.svg" \
+ -o "$brandingdir/default$i.png"
+ install -Dm644 "$brandingdir/default$i.png" \
+ "$icondir/${i}x${i}/apps/${pkgname%-*}.png"
+ done
+
+ install -Dm644 "$_brandingdir/${pkgname}_icon.svg" \
+ "$icondir/scalable/apps/${pkgname%-*}.svg"
+
+ install -d "$pkgdir/usr/share/applications"
+ install -m644 "$srcdir/${pkgname%-*}.desktop" \
+ "$pkgdir/usr/share/applications"
+
+ # Use system-provided dictionaries
+ rm -rf "$pkgdir/usr/lib/${pkgname%-*}/"{dictionaries,hyphenation}
+ ln -s /usr/share/hunspell "$pkgdir/usr/lib/${pkgname%-*}/dictionaries"
+ ln -s /usr/share/hyphen "$pkgdir/usr/lib/${pkgname%-*}/hyphenation"
+
+ # Replace duplicate binary with symlink
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=658850
+ ln -sf ${pkgname%-*} "$pkgdir/usr/lib/${pkgname%-*}/${pkgname%-*}-bin"
+}
diff --git a/pcr/iceweasel-hardening/drm-free.png b/pcr/iceweasel-hardening/drm-free.png
new file mode 100644
index 000000000..e30994e67
--- /dev/null
+++ b/pcr/iceweasel-hardening/drm-free.png
Binary files differ
diff --git a/pcr/iceweasel-hardening/enable-object-directory-paths.patch b/pcr/iceweasel-hardening/enable-object-directory-paths.patch
new file mode 100644
index 000000000..bc938c66e
--- /dev/null
+++ b/pcr/iceweasel-hardening/enable-object-directory-paths.patch
@@ -0,0 +1,13 @@
+diff --git a/python/mozbuild/mozbuild/frontend/context.py b/python/mozbuild/mozbuild/frontend/context.py
+index 41ae8ae..dcc3263 100644
+--- a/python/mozbuild/mozbuild/frontend/context.py
++++ b/python/mozbuild/mozbuild/frontend/context.py
+@@ -408,8 +408,6 @@ class Path(ContextDerivedValue, unicode):
+ class SourcePath(Path):
+ """Like Path, but limited to paths in the source directory."""
+ def __init__(self, context, value):
+- if value.startswith('!'):
+- raise ValueError('Object directory paths are not allowed')
+ if value.startswith('%'):
+ raise ValueError('Filesystem absolute paths are not allowed')
+ super(SourcePath, self).__init__(context, value)
diff --git a/pcr/iceweasel-hardening/gnu_headshadow.png b/pcr/iceweasel-hardening/gnu_headshadow.png
new file mode 100644
index 000000000..e0f73a3bf
--- /dev/null
+++ b/pcr/iceweasel-hardening/gnu_headshadow.png
Binary files differ
diff --git a/pcr/iceweasel-hardening/iceweasel-install-dir.patch b/pcr/iceweasel-hardening/iceweasel-install-dir.patch
new file mode 100644
index 000000000..af113fa85
--- /dev/null
+++ b/pcr/iceweasel-hardening/iceweasel-install-dir.patch
@@ -0,0 +1,13 @@
+diff --git a/config/baseconfig.mk b/config/baseconfig.mk
+index 7ca8e35..6e92846 100644
+--- a/config/baseconfig.mk
++++ b/config/baseconfig.mk
+@@ -5,7 +5,7 @@
+ MOZ_APP_BASE_VERSION = $(firstword $(subst ., ,$(MOZ_APP_VERSION))).$(word 2,$(subst ., ,$(MOZ_APP_VERSION)))
+ includedir := $(includedir)/$(MOZ_APP_NAME)-$(MOZ_APP_BASE_VERSION)
+ idldir = $(datadir)/idl/$(MOZ_APP_NAME)-$(MOZ_APP_BASE_VERSION)
+-installdir = $(libdir)/$(MOZ_APP_NAME)-$(MOZ_APP_BASE_VERSION)
++installdir = $(libdir)/$(MOZ_APP_NAME)
+ sdkdir = $(libdir)/$(MOZ_APP_NAME)-devel-$(MOZ_APP_BASE_VERSION)
+ ifndef TOP_DIST
+ TOP_DIST = dist
diff --git a/pcr/iceweasel-hardening/iceweasel.desktop b/pcr/iceweasel-hardening/iceweasel.desktop
new file mode 100644
index 000000000..028aeffde
--- /dev/null
+++ b/pcr/iceweasel-hardening/iceweasel.desktop
@@ -0,0 +1,310 @@
+[Desktop Entry]
+Version=1.0
+Name=Iceweasel
+GenericName=Web Browser
+GenericName[ar]=متصفح ويب
+GenericName[ast]=Restolador Web
+GenericName[bn]=ওয়েব ব্রাউজার
+GenericName[ca]=Navegador web
+GenericName[cs]=Webový prohlížeč
+GenericName[da]=Webbrowser
+GenericName[de]=Webbrowser
+GenericName[el]=Περιηγητής διαδικτύου
+GenericName[es]=Navegador web
+GenericName[et]=Veebibrauser
+GenericName[fa]=مرورگر اینترنتی
+GenericName[fi]=WWW-selain
+GenericName[fr]=Navigateur Web
+GenericName[gl]=Navegador Web
+GenericName[he]=דפדפן אינטרנט
+GenericName[hr]=Web preglednik
+GenericName[hu]=Webböngésző
+GenericName[it]=Browser Web
+GenericName[ja]=ウェブ・ブラウザ
+GenericName[ko]=웹 브라우저
+GenericName[ku]=Geroka torê
+GenericName[lt]=Interneto naršyklė
+GenericName[nb]=Nettleser
+GenericName[nl]=Webbrowser
+GenericName[nn]=Nettlesar
+GenericName[no]=Nettleser
+GenericName[pl]=Przeglądarka WWW
+GenericName[pt]=Navegador Web
+GenericName[pt_BR]=Navegador Web
+GenericName[ro]=Navigator Internet
+GenericName[ru]=Веб-браузер
+GenericName[sk]=Internetový prehliadač
+GenericName[sl]=Spletni brskalnik
+GenericName[sv]=Webbläsare
+GenericName[tr]=Web Tarayıcı
+GenericName[ug]=توركۆرگۈ
+GenericName[uk]=Веб-браузер
+GenericName[vi]=Trình duyệt Web
+GenericName[zh_CN]=网络浏览器
+GenericName[zh_TW]=網路瀏覽器
+Comment=Browse the Web
+Comment[ar]=تصفح الشبكة العنكبوتية العالمية
+Comment[ast]=Restola pela Rede
+Comment[bn]=ইন্টারনেট ব্রাউজ করুন
+Comment[ca]=Navegueu per el web
+Comment[cs]=Prohlížení stránek World Wide Webu
+Comment[da]=Surf på internettet
+Comment[de]=Im Internet surfen
+Comment[el]=Μπορείτε να περιηγηθείτε στο διαδίκτυο (Web)
+Comment[es]=Navegue por la web
+Comment[et]=Lehitse veebi
+Comment[fa]=صفحات شبکه جهانی اینترنت را مرور نمایید
+Comment[fi]=Selaa Internetin WWW-sivuja
+Comment[fr]=Naviguer sur le Web
+Comment[gl]=Navegar pola rede
+Comment[he]=גלישה ברחבי האינטרנט
+Comment[hr]=Pretražite web
+Comment[hu]=A világháló böngészése
+Comment[it]=Esplora il web
+Comment[ja]=ウェブを閲覧します
+Comment[ko]=웹을 돌아 다닙니다
+Comment[ku]=Li torê bigere
+Comment[lt]=Naršykite internete
+Comment[nb]=Surf på nettet
+Comment[nl]=Verken het internet
+Comment[nn]=Surf på nettet
+Comment[no]=Surf på nettet
+Comment[pl]=Przeglądanie stron WWW
+Comment[pt]=Navegue na Internet
+Comment[pt_BR]=Navegue na Internet
+Comment[ro]=Navigați pe Internet
+Comment[ru]=Доступ в Интернет
+Comment[sk]=Prehliadanie internetu
+Comment[sl]=Brskajte po spletu
+Comment[sv]=Surfa på webben
+Comment[tr]=İnternet'te Gezinin
+Comment[ug]=دۇنيادىكى توربەتلەرنى كۆرگىلى بولىدۇ
+Comment[uk]=Перегляд сторінок Інтернету
+Comment[vi]=Để duyệt các trang web
+Comment[zh_CN]=浏览互联网
+Comment[zh_TW]=瀏覽網際網路
+Exec=iceweasel %u
+Icon=iceweasel
+Terminal=false
+Type=Application
+MimeType=text/html;text/xml;application/xhtml+xml;application/vnd.mozilla.xul+xml;text/mml;x-scheme-handler/http;x-scheme-handler/https;
+StartupNotify=true
+Categories=Network;WebBrowser;
+Keywords=web;browser;internet;
+Actions=new-window;new-private-window;
+
+[Desktop Action new-window]
+Name=New Window
+Name[ach]=Dirica manyen
+Name[af]=Nuwe venster
+Name[an]=Nueva finestra
+Name[ar]=نافذة جديدة
+Name[as]=নতুন উইন্ডো
+Name[ast]=Ventana nueva
+Name[az]=Yeni Pəncərə
+Name[be]=Новае акно
+Name[bg]=Нов прозорец
+Name[bn_BD]=নতুন উইন্ডো (N)
+Name[bn_IN]=নতুন উইন্ডো
+Name[br]=Prenestr nevez
+Name[brx]=गोदान उइन्ड'(N)
+Name[bs]=Novi prozor
+Name[ca]=Finestra nova
+Name[cak]=K'ak'a' tzuwäch
+Name[cs]=Nové okno
+Name[cy]=Ffenestr Newydd
+Name[da]=Nyt vindue
+Name[de]=Neues Fenster
+Name[dsb]=Nowe wokno
+Name[el]=Νέο παράθυρο
+Name[en_GB]=New Window
+Name[en_US]=New Window
+Name[en_ZA]=New Window
+Name[eo]=Nova fenestro
+Name[es_AR]=Nueva ventana
+Name[es_CL]=Nueva ventana
+Name[es_ES]=Nueva ventana
+Name[es_MX]=Nueva ventana
+Name[et]=Uus aken
+Name[eu]=Leiho berria
+Name[fa]=پنجره جدید
+Name[ff]=Henorde Hesere
+Name[fi]=Uusi ikkuna
+Name[fr]=Nouvelle fenêtre
+Name[fy_NL]=Nij finster
+Name[ga_IE]=Fuinneog Nua
+Name[gd]=Uinneag ùr
+Name[gl]=Nova xanela
+Name[gn]=Ovetã pyahu
+Name[gu_IN]=નવી વિન્ડો
+Name[he]=חלון חדש
+Name[hi_IN]=नया विंडो
+Name[hr]=Novi prozor
+Name[hsb]=Nowe wokno
+Name[hu]=Új ablak
+Name[hy_AM]=Նոր Պատուհան
+Name[id]=Jendela Baru
+Name[is]=Nýr gluggi
+Name[it]=Nuova finestra
+Name[ja]=新しいウィンドウ
+Name[ja_JP-mac]=新規ウインドウ
+Name[ka]=ახალი ფანჯარა
+Name[kk]=Жаңа терезе
+Name[km]=បង្អួចថ្មី
+Name[kn]=ಹೊಸ ಕಿಟಕಿ
+Name[ko]=새 창
+Name[kok]=नवें जनेल
+Name[ks]=نئئ وِنڈو
+Name[lij]=Neuvo barcon
+Name[lo]=ຫນ້າຕ່າງໃຫມ່
+Name[lt]=Naujas langas
+Name[ltg]=Jauns lūgs
+Name[lv]=Jauns logs
+Name[mai]=नव विंडो
+Name[mk]=Нов прозорец
+Name[ml]=പുതിയ ജാലകം
+Name[mr]=नवीन पटल
+Name[ms]=Tetingkap Baru
+Name[my]=ဝင်းဒိုးအသစ်
+Name[nb_NO]=Nytt vindu
+Name[ne_NP]=नयाँ सञ्झ्याल
+Name[nl]=Nieuw venster
+Name[nn_NO]=Nytt vindauge
+Name[or]=ନୂତନ ୱିଣ୍ଡୋ
+Name[pa_IN]=ਨਵੀਂ ਵਿੰਡੋ
+Name[pl]=Nowe okno
+Name[pt_BR]=Nova janela
+Name[pt_PT]=Nova janela
+Name[rm]=Nova fanestra
+Name[ro]=Fereastră nouă
+Name[ru]=Новое окно
+Name[sat]=नावा विंडो (N)
+Name[si]=නව කවුළුවක්
+Name[sk]=Nové okno
+Name[sl]=Novo okno
+Name[son]=Zanfun taaga
+Name[sq]=Dritare e Re
+Name[sr]=Нови прозор
+Name[sv_SE]=Nytt fönster
+Name[ta]=புதிய சாளரம்
+Name[te]=కొత్త విండో
+Name[th]=หน้าต่างใหม่
+Name[tr]=Yeni pencere
+Name[tsz]=Eraatarakua jimpani
+Name[uk]=Нове вікно
+Name[ur]=نیا دریچہ
+Name[uz]=Yangi oyna
+Name[vi]=Cửa sổ mới
+Name[wo]=Palanteer bu bees
+Name[xh]=Ifestile entsha
+Name[zh_CN]=新建窗口
+Name[zh_TW]=開新視窗
+Exec=iceweasel --new-window %u
+
+[Desktop Action new-private-window]
+Name=New Private Window
+Name[ach]=Dirica manyen me mung
+Name[af]=Nuwe privaatvenster
+Name[an]=Nueva finestra privada
+Name[ar]=نافذة خاصة جديدة
+Name[as]=নতুন ব্যক্তিগত উইন্ডো
+Name[ast]=Ventana privada nueva
+Name[az]=Yeni Məxfi Pəncərə
+Name[be]=Новае акно адасаблення
+Name[bg]=Нов прозорец за поверително сърфиране
+Name[bn_BD]=নতুন ব্যক্তিগত উইন্ডো
+Name[bn_IN]=নতুন ব্যক্তিগত উইন্ডো
+Name[br]=Prenestr merdeiñ prevez nevez
+Name[brx]=गोदान प्राइभेट उइन्ड'
+Name[bs]=Novi privatni prozor
+Name[ca]=Finestra privada nova
+Name[cak]=K'ak'a' ichinan tzuwäch
+Name[cs]=Nové anonymní okno
+Name[cy]=Ffenestr Breifat Newydd
+Name[da]=Nyt privat vindue
+Name[de]=Neues privates Fenster
+Name[dsb]=Nowe priwatne wokno
+Name[el]=Νέο παράθυρο ιδιωτικής περιήγησης
+Name[en_GB]=New Private Window
+Name[en_US]=New Private Window
+Name[en_ZA]=New Private Window
+Name[eo]=Nova privata fenestro
+Name[es_AR]=Nueva ventana privada
+Name[es_CL]=Nueva ventana privada
+Name[es_ES]=Nueva ventana privada
+Name[es_MX]=Nueva ventana privada
+Name[et]=Uus privaatne aken
+Name[eu]=Leiho pribatu berria
+Name[fa]=پنجره ناشناس جدید
+Name[ff]=Henorde Suturo Hesere
+Name[fi]=Uusi yksityinen ikkuna
+Name[fr]=Nouvelle fenêtre de navigation privée
+Name[fy_NL]=Nij priveefinster
+Name[ga_IE]=Fuinneog Nua Phríobháideach
+Name[gd]=Uinneag phrìobhaideach ùr
+Name[gl]=Nova xanela privada
+Name[gn]=Ovetã ñemi pyahu
+Name[gu_IN]=નવી ખાનગી વિન્ડો
+Name[he]=חלון פרטי חדש
+Name[hi_IN]=नयी निजी विंडो
+Name[hr]=Novi privatni prozor
+Name[hsb]=Nowe priwatne wokno
+Name[hu]=Új privát ablak
+Name[hy_AM]=Սկսել Գաղտնի դիտարկում
+Name[id]=Jendela Mode Pribadi Baru
+Name[is]=Nýr huliðsgluggi
+Name[it]=Nuova finestra anonima
+Name[ja]=新しいプライベートウィンドウ
+Name[ja_JP-mac]=新規プライベートウインドウ
+Name[ka]=ახალი პირადი ფანჯარა
+Name[kk]=Жаңа жекелік терезе
+Name[km]=បង្អួចឯកជនថ្មី
+Name[kn]=ಹೊಸ ಖಾಸಗಿ ಕಿಟಕಿ
+Name[ko]=새 사생활 보호 모드
+Name[kok]=नवो खाजगी विंडो
+Name[ks]=نْو پرایوٹ وینڈو
+Name[lij]=Nêuvo barcón privòu
+Name[lo]=ເປີດຫນ້າຕ່າງສວນຕົວຂື້ນມາໃຫມ່
+Name[lt]=Naujas privataus naršymo langas
+Name[ltg]=Jauns privatais lūgs
+Name[lv]=Jauns privātais logs
+Name[mai]=नया निज विंडो (W)
+Name[mk]=Нов приватен прозорец
+Name[ml]=പുതിയ സ്വകാര്യ ജാലകം
+Name[mr]=नवीन वैयक्तिक पटल
+Name[ms]=Tetingkap Persendirian Baharu
+Name[my]=New Private Window
+Name[nb_NO]=Nytt privat vindu
+Name[ne_NP]=नयाँ निजी सञ्झ्याल
+Name[nl]=Nieuw privévenster
+Name[nn_NO]=Nytt privat vindauge
+Name[or]=ନୂତନ ବ୍ୟକ୍ତିଗତ ୱିଣ୍ଡୋ
+Name[pa_IN]=ਨਵੀਂ ਪ੍ਰਾਈਵੇਟ ਵਿੰਡੋ
+Name[pl]=Nowe okno prywatne
+Name[pt_BR]=Nova janela privativa
+Name[pt_PT]=Nova janela privada
+Name[rm]=Nova fanestra privata
+Name[ro]=Fereastră privată nouă
+Name[ru]=Новое приватное окно
+Name[sat]=नावा निजेराक् विंडो (W )
+Name[si]=නව පුද්ගලික කවුළුව (W)
+Name[sk]=Nové okno v režime Súkromné prehliadanie
+Name[sl]=Novo zasebno okno
+Name[son]=Sutura zanfun taaga
+Name[sq]=Dritare e Re Private
+Name[sr]=Нови приватан прозор
+Name[sv_SE]=Nytt privat fönster
+Name[ta]=புதிய தனிப்பட்ட சாளரம்
+Name[te]=కొత్త ఆంతరంగిక విండో
+Name[th]=หน้าต่างส่วนตัวใหม่
+Name[tr]=Yeni gizli pencere
+Name[tsz]=Juchiiti eraatarakua jimpani
+Name[uk]=Приватне вікно
+Name[ur]=نیا نجی دریچہ
+Name[uz]=Yangi maxfiy oyna
+Name[vi]=Cửa sổ riêng tư mới
+Name[wo]=Panlanteeru biir bu bees
+Name[xh]=Ifestile yangasese entsha
+Name[zh_CN]=新建隐私浏览窗口
+Name[zh_TW]=新增隱私視窗
+Exec=iceweasel --private-window %u
diff --git a/pcr/iceweasel-hardening/iceweasel.install b/pcr/iceweasel-hardening/iceweasel.install
new file mode 100644
index 000000000..574e0d3db
--- /dev/null
+++ b/pcr/iceweasel-hardening/iceweasel.install
@@ -0,0 +1,31 @@
+notice() {
+ cat <<EOM
+ == IMPORTANT NOTICE ==
+
+ This package contains several patches that were introduced
+ to strengthen and protect the end user from security threats.
+
+ For users who wish to opt-out of security, you may override options in
+ about:config using a user.js file in your ~/.mozilla's profile folder.
+
+ Some user.js examples:
+ user_pref("dom.storage.enabled", true); # Enables DOM tracking
+ user_pref("network.websocket.max-connections", "5"); # Enables WebSocket IP Leak
+
+ Further reading:
+ * https://lists.parabola.nu/pipermail/dev/2016-October/004522.html
+ * http://kb.mozillazine.org/About:config
+ * http://kb.mozillazine.org/User.js_file
+
+EOM
+}
+
+post_install() {
+ notice
+}
+
+post_upgrade() {
+ post_install
+}
+
+# vim:set ts=2 sw=2 et:
diff --git a/pcr/iceweasel-hardening/libre.patch b/pcr/iceweasel-hardening/libre.patch
new file mode 100644
index 000000000..a434fef2f
--- /dev/null
+++ b/pcr/iceweasel-hardening/libre.patch
@@ -0,0 +1,338 @@
+diff --git a/browser/base/content/abouthome/aboutHome.css b/browser/base/content/abouthome/aboutHome.css
+index c1ef3a4..48e1a16 100644
+--- a/browser/base/content/abouthome/aboutHome.css
++++ b/browser/base/content/abouthome/aboutHome.css
+@@ -343,26 +343,46 @@ body[narrow] #restorePreviousSession::before {
+ width: 32px;
+ }
+
+-#aboutMozilla {
++#aboutGNU {
+ display: block;
+- position: relative; /* pin wordmark to edge of document, not of viewport */
+ -moz-box-ordinal-group: 0;
+ opacity: .5;
+ transition: opacity 150ms;
+ }
+
+-#aboutMozilla:hover {
++#aboutGNU:hover {
+ opacity: 1;
+ }
+
+-#aboutMozilla::before {
+- content: url("chrome://browser/content/abouthome/mozilla.png");
++#aboutGNU::before {
++ content: url("chrome://browser/content/abouthome/gnu_headshadow.png");
+ display: block;
+ position: absolute;
+ top: 12px;
+ right: 12px;
+- width: 69px;
+- height: 19px;
++ width: 200px;
++ height: 110px;
++}
++
++#aboutDRMfree {
++ display: block;
++ -moz-box-ordinal-group: 0;
++ opacity: .5;
++ transition: opacity 150ms;
++}
++
++#aboutDRMfree:hover {
++ opacity: 1;
++}
++
++#aboutDRMfree::before {
++ content: url("chrome://browser/content/abouthome/drm-free.png");
++ display: block;
++ position: absolute;
++ top: 12px;
++ left: 12px;
++ width: 120px;
++ height: 120px;
+ }
+
+ /* [HiDPI]
+@@ -435,9 +455,5 @@ body[narrow] #restorePreviousSession::before {
+ transform: scale(-0.5, 0.5) translateX(24px);
+ transform-origin: top center;
+ }
+-
+- #aboutMozilla::before {
+- content: url("chrome://browser/content/abouthome/mozilla@2x.png");
+- }
+ }
+
+diff --git a/browser/base/content/abouthome/aboutHome.js b/browser/base/content/abouthome/aboutHome.js
+index 8943165..cd2efd8 100644
+--- a/browser/base/content/abouthome/aboutHome.js
++++ b/browser/base/content/abouthome/aboutHome.js
+@@ -9,17 +9,13 @@
+ // * add a <span/> for it in aboutHome.xhtml
+ // * add an entry here in the proper ordering (based on spans)
+ // The <a/> part of the snippet will be linked to the corresponding url.
+-const DEFAULT_SNIPPETS_URLS = [
+- "https://www.mozilla.org/firefox/features/?utm_source=snippet&utm_medium=snippet&utm_campaign=default+feature+snippet"
+-, "https://addons.mozilla.org/firefox/?utm_source=snippet&utm_medium=snippet&utm_campaign=addons"
+-];
++const DEFAULT_SNIPPETS_URLS = [ "" ];
+
+-const SNIPPETS_UPDATE_INTERVAL_MS = 14400000; // 4 hours.
++const SNIPPETS_UPDATE_INTERVAL_MS = 86400000; // 1 Day.
+
+ // IndexedDB storage constants.
+ const DATABASE_NAME = "abouthome";
+ const DATABASE_VERSION = 1;
+-const DATABASE_STORAGE = "persistent";
+ const SNIPPETS_OBJECTSTORE_NAME = "snippets";
+ var searchText;
+
+diff --git a/browser/base/content/abouthome/aboutHome.xhtml b/browser/base/content/abouthome/aboutHome.xhtml
+index 655f64b..6dd78e5 100644
+--- a/browser/base/content/abouthome/aboutHome.xhtml
++++ b/browser/base/content/abouthome/aboutHome.xhtml
+@@ -49,10 +49,6 @@
+ </div>
+
+ <div id="snippetContainer">
+- <div id="defaultSnippets" hidden="true">
+- <span id="defaultSnippet1">&abouthome.defaultSnippet1.v1;</span>
+- <span id="defaultSnippet2">&abouthome.defaultSnippet2.v1;</span>
+- </div>
+ <span id="rightsSnippet" hidden="true">&abouthome.rightsSnippet;</span>
+ <div id="snippets"/>
+ </div>
+@@ -74,7 +70,7 @@
+ <button class="launchButton" id="restorePreviousSession">&historyRestoreLastSession.label;</button>
+ </div>
+
+- <a id="aboutMozilla" href="https://www.mozilla.org/about/?utm_source=about-home&amp;utm_medium=Referral"
+- aria-label="&abouthome.aboutMozilla.label;"/>
++ <a id="aboutGNU" href="https://www.gnu.org"></a>
++ <a id="aboutDRMfree" href="https://www.defectivebydesign.org/drm-free"></a>
+ </body>
+ </html>
+diff --git a/browser/base/jar.mn b/browser/base/jar.mn
+index c9a70fc..ab0f1dd 100644
+--- a/browser/base/jar.mn
++++ b/browser/base/jar.mn
+@@ -32,7 +32,8 @@ browser.jar:
+ content/browser/abouthome/settings.png (content/abouthome/settings.png)
+ content/browser/abouthome/restore.png (content/abouthome/restore.png)
+ content/browser/abouthome/restore-large.png (content/abouthome/restore-large.png)
+- content/browser/abouthome/mozilla.png (content/abouthome/mozilla.png)
++ content/browser/abouthome/gnu_headshadow.png (content/abouthome/gnu_headshadow.png)
++ content/browser/abouthome/drm-free.png (content/abouthome/drm-free.png)
+ content/browser/abouthome/snippet1@2x.png (content/abouthome/snippet1@2x.png)
+ content/browser/abouthome/snippet2@2x.png (content/abouthome/snippet2@2x.png)
+ content/browser/abouthome/downloads@2x.png (content/abouthome/downloads@2x.png)
+@@ -43,7 +44,6 @@ browser.jar:
+ content/browser/abouthome/settings@2x.png (content/abouthome/settings@2x.png)
+ content/browser/abouthome/restore@2x.png (content/abouthome/restore@2x.png)
+ content/browser/abouthome/restore-large@2x.png (content/abouthome/restore-large@2x.png)
+- content/browser/abouthome/mozilla@2x.png (content/abouthome/mozilla@2x.png)
+
+ content/browser/aboutNetError.xhtml (content/aboutNetError.xhtml)
+
+diff --git a/browser/locales/en-US/chrome/browser/aboutHome.dtd b/browser/locales/en-US/chrome/browser/aboutHome.dtd
+index 7e3b57a..6edc89d 100644
+--- a/browser/locales/en-US/chrome/browser/aboutHome.dtd
++++ b/browser/locales/en-US/chrome/browser/aboutHome.dtd
+@@ -11,14 +11,6 @@
+
+ <!ENTITY abouthome.pageTitle "&brandFullName; Start Page">
+
+-<!-- LOCALIZATION NOTE (abouthome.defaultSnippet1.v1):
+- text in <a/> will be linked to the Firefox features page on mozilla.com
+--->
+-<!ENTITY abouthome.defaultSnippet1.v1 "Thanks for choosing Firefox! To get the most out of your browser, learn more about the <a>latest features</a>.">
+-<!-- LOCALIZATION NOTE (abouthome.defaultSnippet2.v1):
+- text in <a/> will be linked to the featured add-ons on addons.mozilla.org
+--->
+-<!ENTITY abouthome.defaultSnippet2.v1 "It’s easy to customize your Firefox exactly the way you want it. <a>Choose from thousands of add-ons</a>.">
+ <!-- LOCALIZATION NOTE (abouthome.rightsSnippet): text in <a/> will be linked to about:rights -->
+ <!ENTITY abouthome.rightsSnippet "&brandFullName; is free and open source software from the non-profit Mozilla Foundation. <a>Know your rights…</a>">
+
+diff --git a/browser/locales/en-US/chrome/browser-region/region.properties b/browser/locales/en-US/chrome/browser-region/region.properties
+index e078ed5..ce2c5ed 100644
+--- a/browser/locales/en-US/chrome/browser-region/region.properties
++++ b/browser/locales/en-US/chrome/browser-region/region.properties
+@@ -3,17 +3,12 @@
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ # Default search engine
+-browser.search.defaultenginename=Google
++browser.search.defaultenginename=searx
+
+ # Search engine order (order displayed in the search bar dropdown)s
+-browser.search.order.1=Google
+-browser.search.order.2=Yahoo
+-browser.search.order.3=Bing
+-
+-# This is the default set of web based feed handlers shown in the reader
+-# selection UI
+-browser.contentHandlers.types.0.title=My Yahoo!
+-browser.contentHandlers.types.0.uri=https://add.my.yahoo.com/rss?url=%s
++browser.search.order.1=searx
++browser.search.order.2=DuckDuckGo HTML
++browser.search.order.3=DuckDuckGo Lite
+
+ # increment this number when anything gets changed in the list below. This will
+ # cause Firefox to re-read these prefs and inject any new handlers into the
+@@ -22,20 +17,10 @@ browser.contentHandlers.types.0.uri=https://add.my.yahoo.com/rss?url=%s
+ # don't make any spelling errors here.
+ gecko.handlerService.defaultHandlersVersion=4
+
+-# The default set of protocol handlers for webcal:
+-gecko.handlerService.schemes.webcal.0.name=30 Boxes
+-gecko.handlerService.schemes.webcal.0.uriTemplate=https://30boxes.com/external/widget?refer=ff&url=%s
+-
+-# The default set of protocol handlers for mailto:
+-gecko.handlerService.schemes.mailto.0.name=Yahoo! Mail
+-gecko.handlerService.schemes.mailto.0.uriTemplate=https://compose.mail.yahoo.com/?To=%s
+-gecko.handlerService.schemes.mailto.1.name=Gmail
+-gecko.handlerService.schemes.mailto.1.uriTemplate=https://mail.google.com/mail/?extsrc=mailto&url=%s
+-
+ # The default set of protocol handlers for irc:
+-gecko.handlerService.schemes.irc.0.name=Mibbit
+-gecko.handlerService.schemes.irc.0.uriTemplate=https://www.mibbit.com/?url=%s
++gecko.handlerService.schemes.irc.0.name=Freenode Web IRC
++gecko.handlerService.schemes.irc.0.uriTemplate=https://webchat.freenode.net
+
+ # The default set of protocol handlers for ircs:
+-gecko.handlerService.schemes.ircs.0.name=Mibbit
+-gecko.handlerService.schemes.ircs.0.uriTemplate=https://www.mibbit.com/?url=%s
++gecko.handlerService.schemes.ircs.0.name=Freenode Web IRC
++gecko.handlerService.schemes.ircs.0.uriTemplate=https://webchat.freenode.net
+diff --git a/browser/locales/generic/profile/bookmarks.html.in b/browser/locales/generic/profile/bookmarks.html.in
+index cba600e..cd4e711 100644
+--- a/browser/locales/generic/profile/bookmarks.html.in
++++ b/browser/locales/generic/profile/bookmarks.html.in
+@@ -20,13 +20,20 @@
+ <DT><H3 PERSONAL_TOOLBAR_FOLDER="true" ID="rdf:#$FvPhC3">@bookmarks_toolbarfolder@</H3>
+ <DD>@bookmarks_toolbarfolder_description@
+ <DL><p>
+- <DT><A HREF="https://www.mozilla.org/@AB_CD@/firefox/central/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAz5JREFUeNpcU0toXFUY/s49596588ikySSmM8rk0UkJEirVTVEjYk1NUdRFFgouXZQI2k2hUCjdiYIuCi4Kuig0DbqQYgU3Yi0iFRuRCBMwaZvMZDTNY95z3/fM8b8jldpzOeeee/i/737n+/+f4ZExf730rkiaZ9NJMx/nmk5HypMqqLr+ZuD4F67N5ZYejmfRsnvhyKsLhSs3zP70SubgYKHSdFENu+gXAprQIGnvBi5ez0m1b6u7M399+PTx+UvtCKtFi2F6195qXK2byir88esy5ksfYND5DhuhRCtUKBNB0Q7w5Z8ee2GgWdjOn250fn5v5j8F5dOHlZD0kWRgAwp3hrKY0S9BJWKIcQ5PShhNG4+1bHx+IocT+RXcrRSDMfFNRvvt3Oyp/icIrRhUl9hoO4kt3F55Bxf3LkLV20jWOohbDjzXxyc/lMH0cRSyCd1xq+dFhu986t7T0CUwIzB8EkW3O5ibhj44ib7NJhiBKRoB/aS4ZWHjbxtjGQYP7nGRTjim1SaQqYiAVAREpHG8vzWJn+6PQ6CF0HPR7nQQczpYeEWHyWMUkwU8MSECGwgJxAWp9xWKNzkuH3oet+JDlIE9Momedh1G4CN0bfhVG9nsS0BQQthJx0V7j3elq7ihqV5ezQTwZmodP9ZGkU/bOPr4Nr53xtDYsaD7Dg4nNqFaH5OCYSSdGhf7daNmuv6wEKqXk/yExKGBHSznFsH6FFpKQ/JAA0ulUejWLt44lkHXsqDaX6C6Nl4Rnq8vK8s/KThDMlJhkI91YOO+iR3XwEelCdTCBLSgijNzd6DLNfhlHfZ6FtWiWBQpq/V2LdSrrNPljBQkoOjuCiPxAMutOIbkPqYSEqeequGZaTLzdhZhS0PlnlB9bvhtr5CuHj3y2Qj8hVQ/kEopxONEEsO/0yATDYXYAdWrE69JEElXq7Hyk0tro+xBU1yZmr4xrIcvptIRCZlJJAYBmRGRkD08aivA7VDvWPqt564Xn41w/AHB1/u7l1/uGxGU8mNcgodUNDIq0JDeLnpzc1uo1Qr76rWbqyf/142PjsXJqdkmN2YDnQ9oGkJNU+t57q7qUv4y9/t64+HYfwQYAN7OczrzUDvGAAAAAElFTkSuQmCC" ID="rdf:#$GvPhC3">@getting_started@</A>
++ <DT><A HREF="https://www.parabola.nu/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABL0lEQVQ4jWNgoCcoq16VU1GzygnEBtEVDWuV8GooKFuhWVG3uiM3d5UokG4qr1szAaa5vGbVt4ralacwNDU0rGIrr10VBVG0+lxhwyqVsqqVtRW1q6eD5IvL19oB2V+B+D9QzQu4xtDQVZylVavygRKHqurWOlbUrknKK12qWlCwWLK8elUFA8N/xvLy5VYVtas+gzWDDVi9E2QjT1XdcufymjWpQJt1cXmnvHwVP1DzR7hmIC6vW+kOtpnYQKysW30arrlm9RVi9cFBRfXKJTADympWJZNsQFnN6rUQA1adAQU2SZqBXmUGBtozUDiU1qxQJtl2oCY3kO2l1avCSdYMAsBAWwyM2plkaS4p6eYGOv1YQ0MDB1kGlFWuDChuWKZBlmYQqK5eJU22ZkIAAEIlnQZQkzITAAAAAElFTkSuQmCC">Parabola GNU/Linux-libre</A>
+ </DL><p>
+- <DT><H3 ID="rdf:#$ZvPhC3">@firefox_heading@</H3>
++ <DT><H3 ID="rdf:#$YvPhC3">Parabola GNU/Linux-libre</H3>
+ <DL><p>
+- <DT><A HREF="https://www.mozilla.org/@AB_CD@/firefox/help/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH3gwMDAsTBZbkNwAAAB1pVFh0Q29tbWVudAAAAAAAQ3JlYXRlZCB3aXRoIEdJTVBkLmUHAAABNElEQVQ4y8WSsU0DURBE3yyWIaAJaqAAN4DPSL6AlIACKIEOyJEgRsIgOOkiInJqgAKowNg7BHdn7MOksNl+zZ//dvbDf5cAiklp22BdVtXdeTEpDYDB9m1VzU6OJuVp2NdEQCaI96fH2YHG4+mDduKYNMYINTcjcGbXzQVDEAphG0k48zUsajIbnAiMIXThpW8EICE0RAK4dvoKg9NIcTiQ589otyHOZLnwqK5nLwBFUZ4igc3iM0d1ff8CMC6mZ6Ihiaqq3gi1aUAnArD00SW1fq5OLBg0ymYmSZsR2/t4e/rGyCLW0sbp3oq+yTYqVgytQWui2FS7XYF7GFprY921T4CNQt8zr47dNzCkIX7y/jBtH+v+RGMQrc828W8pApnZbmEVQp/Ae7BlOy2ttib81/UFc+WRWEbjckIAAAAASUVORK5CYII=" ID="rdf:#$22iCK1">@firefox_help@</A>
+- <DT><A HREF="https://www.mozilla.org/@AB_CD@/firefox/customize/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH3gwMDAsTBZbkNwAAAB1pVFh0Q29tbWVudAAAAAAAQ3JlYXRlZCB3aXRoIEdJTVBkLmUHAAABNElEQVQ4y8WSsU0DURBE3yyWIaAJaqAAN4DPSL6AlIACKIEOyJEgRsIgOOkiInJqgAKowNg7BHdn7MOksNl+zZ//dvbDf5cAiklp22BdVtXdeTEpDYDB9m1VzU6OJuVp2NdEQCaI96fH2YHG4+mDduKYNMYINTcjcGbXzQVDEAphG0k48zUsajIbnAiMIXThpW8EICE0RAK4dvoKg9NIcTiQ589otyHOZLnwqK5nLwBFUZ4igc3iM0d1ff8CMC6mZ6Ihiaqq3gi1aUAnArD00SW1fq5OLBg0ymYmSZsR2/t4e/rGyCLW0sbp3oq+yTYqVgytQWui2FS7XYF7GFprY921T4CNQt8zr47dNzCkIX7y/jBtH+v+RGMQrc828W8pApnZbmEVQp/Ae7BlOy2ttib81/UFc+WRWEbjckIAAAAASUVORK5CYII=" ID="rdf:#$32iCK1">@firefox_customize@</A>
+- <DT><A HREF="https://www.mozilla.org/@AB_CD@/contribute/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH3gwMDAsTBZbkNwAAAB1pVFh0Q29tbWVudAAAAAAAQ3JlYXRlZCB3aXRoIEdJTVBkLmUHAAABNElEQVQ4y8WSsU0DURBE3yyWIaAJaqAAN4DPSL6AlIACKIEOyJEgRsIgOOkiInJqgAKowNg7BHdn7MOksNl+zZ//dvbDf5cAiklp22BdVtXdeTEpDYDB9m1VzU6OJuVp2NdEQCaI96fH2YHG4+mDduKYNMYINTcjcGbXzQVDEAphG0k48zUsajIbnAiMIXThpW8EICE0RAK4dvoKg9NIcTiQ589otyHOZLnwqK5nLwBFUZ4igc3iM0d1ff8CMC6mZ6Ihiaqq3gi1aUAnArD00SW1fq5OLBg0ymYmSZsR2/t4e/rGyCLW0sbp3oq+yTYqVgytQWui2FS7XYF7GFprY921T4CNQt8zr47dNzCkIX7y/jBtH+v+RGMQrc828W8pApnZbmEVQp/Ae7BlOy2ttib81/UFc+WRWEbjckIAAAAASUVORK5CYII=" ID="rdf:#$42iCK1">@firefox_community@</A>
+- <DT><A HREF="https://www.mozilla.org/@AB_CD@/about/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH3gwMDAsTBZbkNwAAAB1pVFh0Q29tbWVudAAAAAAAQ3JlYXRlZCB3aXRoIEdJTVBkLmUHAAABNElEQVQ4y8WSsU0DURBE3yyWIaAJaqAAN4DPSL6AlIACKIEOyJEgRsIgOOkiInJqgAKowNg7BHdn7MOksNl+zZ//dvbDf5cAiklp22BdVtXdeTEpDYDB9m1VzU6OJuVp2NdEQCaI96fH2YHG4+mDduKYNMYINTcjcGbXzQVDEAphG0k48zUsajIbnAiMIXThpW8EICE0RAK4dvoKg9NIcTiQ589otyHOZLnwqK5nLwBFUZ4igc3iM0d1ff8CMC6mZ6Ihiaqq3gi1aUAnArD00SW1fq5OLBg0ymYmSZsR2/t4e/rGyCLW0sbp3oq+yTYqVgytQWui2FS7XYF7GFprY921T4CNQt8zr47dNzCkIX7y/jBtH+v+RGMQrc828W8pApnZbmEVQp/Ae7BlOy2ttib81/UFc+WRWEbjckIAAAAASUVORK5CYII=" ID="rdf:#$52iCK1">@firefox_about@</A>
++ <DT><A HREF="https://www.parabola.nu/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABL0lEQVQ4jWNgoCcoq16VU1GzygnEBtEVDWuV8GooKFuhWVG3uiM3d5UokG4qr1szAaa5vGbVt4ralacwNDU0rGIrr10VBVG0+lxhwyqVsqqVtRW1q6eD5IvL19oB2V+B+D9QzQu4xtDQVZylVavygRKHqurWOlbUrknKK12qWlCwWLK8elUFA8N/xvLy5VYVtas+gzWDDVi9E2QjT1XdcufymjWpQJt1cXmnvHwVP1DzR7hmIC6vW+kOtpnYQKysW30arrlm9RVi9cFBRfXKJTADympWJZNsQFnN6rUQA1adAQU2SZqBXmUGBtozUDiU1qxQJtl2oCY3kO2l1avCSdYMAsBAWwyM2plkaS4p6eYGOv1YQ0MDB1kGlFWuDChuWKZBlmYQqK5eJU22ZkIAAEIlnQZQkzITAAAAAElFTkSuQmCC">Parabola GNU/Linux-libre</A>
++ <DT><A HREF="https://www.parabola.nu/packages/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABL0lEQVQ4jWNgoCcoq16VU1GzygnEBtEVDWuV8GooKFuhWVG3uiM3d5UokG4qr1szAaa5vGbVt4ralacwNDU0rGIrr10VBVG0+lxhwyqVsqqVtRW1q6eD5IvL19oB2V+B+D9QzQu4xtDQVZylVavygRKHqurWOlbUrknKK12qWlCwWLK8elUFA8N/xvLy5VYVtas+gzWDDVi9E2QjT1XdcufymjWpQJt1cXmnvHwVP1DzR7hmIC6vW+kOtpnYQKysW30arrlm9RVi9cFBRfXKJTADympWJZNsQFnN6rUQA1adAQU2SZqBXmUGBtozUDiU1qxQJtl2oCY3kO2l1avCSdYMAsBAWwyM2plkaS4p6eYGOv1YQ0MDB1kGlFWuDChuWKZBlmYQqK5eJU22ZkIAAEIlnQZQkzITAAAAAElFTkSuQmCC">Parabola GNU/Linux-libre Packages</A>
++ <DT><A HREF="https://wiki.parabola.nu/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABL0lEQVQ4jWNgoCcoq16VU1GzygnEBtEVDWuV8GooKFuhWVG3uiM3d5UokG4qr1szAaa5vGbVt4ralacwNDU0rGIrr10VBVG0+lxhwyqVsqqVtRW1q6eD5IvL19oB2V+B+D9QzQu4xtDQVZylVavygRKHqurWOlbUrknKK12qWlCwWLK8elUFA8N/xvLy5VYVtas+gzWDDVi9E2QjT1XdcufymjWpQJt1cXmnvHwVP1DzR7hmIC6vW+kOtpnYQKysW30arrlm9RVi9cFBRfXKJTADympWJZNsQFnN6rUQA1adAQU2SZqBXmUGBtozUDiU1qxQJtl2oCY3kO2l1avCSdYMAsBAWwyM2plkaS4p6eYGOv1YQ0MDB1kGlFWuDChuWKZBlmYQqK5eJU22ZkIAAEIlnQZQkzITAAAAAElFTkSuQmCC">Parabola GNU/Linux-libre Wiki</A>
++ <DT><A HREF="https://labs.parabola.nu/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABL0lEQVQ4jWNgoCcoq16VU1GzygnEBtEVDWuV8GooKFuhWVG3uiM3d5UokG4qr1szAaa5vGbVt4ralacwNDU0rGIrr10VBVG0+lxhwyqVsqqVtRW1q6eD5IvL19oB2V+B+D9QzQu4xtDQVZylVavygRKHqurWOlbUrknKK12qWlCwWLK8elUFA8N/xvLy5VYVtas+gzWDDVi9E2QjT1XdcufymjWpQJt1cXmnvHwVP1DzR7hmIC6vW+kOtpnYQKysW30arrlm9RVi9cFBRfXKJTADympWJZNsQFnN6rUQA1adAQU2SZqBXmUGBtozUDiU1qxQJtl2oCY3kO2l1avCSdYMAsBAWwyM2plkaS4p6eYGOv1YQ0MDB1kGlFWuDChuWKZBlmYQqK5eJU22ZkIAAEIlnQZQkzITAAAAAElFTkSuQmCC">Parabola GNU/Linux-libre Labs</A>
++ </DL><p>
++ <DT><H3 ID="rdf:#$ZvPhC3">Free Software Foundation</H3>
++ <DL><p>
++ <DT><A HREF="https://www.fsf.org/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAIAAACQkWg2AAAACXBIWXMAAAsTAAALEwEAmpwYAAADG0lEQVQoFQEQA+/8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQECAAAAAAAAAAAAAAAAAAAA2qOp7tTXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAP///wAAAAAAAOCyt7pUXQcSEgcQDwAAAP///wAAAAAAAAD//x9NSDqNhQEBAQQAAAAAAAAAAAAAAAAQJiQGDQ0aPToZPjoAAQEAAAAAAAAAAAABAQEpZV4AAAAAAAAAAAAA////////////////pSIv05KZ////////////////////////////////AAAAAQAAAP///6krNwAAAAAAAPHc3ggSEQcSEQAAAAAAAAAAABY3NEGelQAAAAAAAAEBAQEAAAD///+YARAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGDg1g690CBgYAAAABAQEEAAAAAAAAS7etAAAAAAAAwGVtHklFIlJOAAAAAAAAAAAAAAAA+/X2BwYGAAAAAAAABAAAAAAAAB1IQwAAAAAAAAYNDBAmJB1IQwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAgL//v4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAQEB//7/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAECAv/+/gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD////////////////cqK3qzM////////////////////////////////8AAAABAAAA////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGuLjDf9F8oBAAAAAElFTkSuQmCC">Free Software Foundation</A>
++ <DT><A HREF="https://www.gnu.org/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgBAMAAACBVGfHAAAAGFBMVEVFRUV+fn6mpqa/v7/Ozs7Y2Njg4OD8/Pwuhn+TAAAAAWJLR0QAiAUdSAAAAAlwSFlzAAALEQAACxEBf2RfkQAAAAd0SU1FB9MBDhQ6Gd8s57cAAAEVSURBVBgZBcGxVtpgGADQL9gHSBzqSognzMixmcWWzB6pmRHhnyvku6/fewMAIPD3TwHmQxHs6vr+A16bphNum/vV0x429201hcPjAGBTDZGnR/Kw1U181+u4HXvOdSxjUcztz8jjg1xGVBG9XPYxt4PviKiaWLg168iXtbrq+mPT1utjNcR1U73deRnL43M2sRgj3+oYs8uL3rLphPd2QWmHbMu/VS/cnk6UdtSW657g9yBlcZ0UAkUWzPvyRaAYmfd+HT4IZtvC59ibEJxXiqJjQpBpNEufBYE0McoOAunGhRMEFIPc7h4goJigQEBxk8u7AgEpL3IEAUZfcgAByGFXQACm5+4MAuB19QMEgI8CAgDgP4rivVgoKP6ZAAAAAElFTkSuQmCC">The GNU Operating System and the Free Software Movement</A>
++ <DT><A HREF="https://libreplanet.org/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAACfElEQVQ4jZXTS0hUcRTH8f+9M3fGd0gRRq1a2bZdBAotWtS6TQtB6IHgKzRy0UKqjRaRCAq+R21MDMsUR83JR5fJxhmaK2lzsWAWw+ToEHJxgnFm7reFIgza66z/58P/dzhHcESZpsluIsFPwyCVSmGa5lHPEEIIkdGYTqPPvqUlP4fK8nJ2DINYNEq71YJ3fv4QlAGkUynaj+VRdfUK7580M52rEN/ZYWNjg2GrjEMSPFXsmOn0YcA0TZ4V5tNZUkJTTTWfJiZIJhJ8U1VczwcZs0o4JUHzufM0ZGcf/OQASCaTxGIxDMNA00P8iEbpuXyJ8Tw77+wWJhWZQYuVbiHoFIKwpmUC4XCYzc1NDMMgHo9z8+IFvl6/xsf7D9ArbjOpyAxLEt1C0CUErfvJDwBd14lEImxvb/N9fR1fgY3egmyWsq0sO/poUyw4pb3mLiFolyRM09wDEokEfr+fUChEJBJh4HgBS7kKn92zLIy9ZriqklFZwiEEHfsRRp1O0un0HpDa3cU9M8PKygp3Tp5AzbKgZlmYt1uYtkn02q0MyYKmnBxWNI27Nhtut5tkMrkHmKZJbWkpqqryQpFxKTJTisyEVeaVRWJIlqgpLuZRWRkejwe/34/P58ucwZvWVhYXF5l2uejIzeHGqbM4ZYmB/dy1hUV8mJpibm4On8/H1tbW4T1YXV3F6/WysLDA5Pg4nfsDe5yfz8OiIjweD5qmEQwGf7/KwWCQtbU1NE2jRZbpEoI2SWKqr49lVUXX9T/fAkAgEKC/e5SW6mo6hKD+zGn6e0bw+/x/PyaA9S/rvOwfobGukfpbddyraMDR7iCwHPg34H9KCCF+Abts3KCj/p6aAAAAAElFTkSuQmCC">LibrePlanet</A>
++ <DT><A HREF="https://www.h-node.org/" ICON="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAABgElEQVQ4jaXRz2uSARzHcb0vlRGEzTVWISU1BVkFYTIyjNK1pKcxHA+yhWMWIamHYikFgpoLIi9jwegi3QbL9SzdLmMbM9J+DkJBgm5RDvEPeHeQHOyQz0OH9+V7ePGBr0pqpPmfVPsP8a0AR4MnMEwf48x9K0s/E8oAY9iEMOvD+8yP2qVjrhhRBnSN61n5sIpULqC+pGHh8wNlgEY8jPQXcGh4VXukDND5evYAl46odIuXtYdKAANSudAChO52/XeMZMohecCbcoGdH99Y+7LO72adT9+/4nh8nYOjBl7/SsoB8gBkpHk8T0S2K++pN3fRin3cfnFDHvCuWkI9rEMvHGEo5gbAHnXhnLF1BpZLeRaLOVT2A8Q3A5wMngXgWtKLxX9KPqC+rCWQvYkpeK4NWKcGOgO50ts2MJJ0cPreeQDciTHMchZYIhcwh2wcuqjn+ccwGm9v6wsTxxn0dVgQXZ7Ek3Agpq6QrcaQGmmebtxFSDkRU1fJVmL/BpT2ByV/3eDMhinRAAAAAElFTkSuQmCC">h-node</A>
+ </DL><p>
+ </DL><p>
+diff --git a/devtools/client/locales/en-US/connection-screen.dtd b/devtools/client/locales/en-US/connection-screen.dtd
+index 674a408..d27e97f 100644
+--- a/devtools/client/locales/en-US/connection-screen.dtd
++++ b/devtools/client/locales/en-US/connection-screen.dtd
+@@ -24,7 +24,7 @@
+ <!-- LOCALIZATION NOTE (remoteHelp, remoteDocumentation, remoteHelpSuffix):
+ these strings will be concatenated in a single label, remoteDocumentation will
+ be used as text for a link to MDN. -->
+-<!ENTITY remoteHelp "Firefox Developer Tools can debug remote devices (Firefox for Android and Firefox OS, for example). Make sure that you have turned on the ‘Remote debugging’ option in the remote device. For more, see the ">
++<!ENTITY remoteHelp "Iceweasel Developer Tools can debug remote devices. Make sure that you have turned on the ‘Remote debugging’ option in the remote device. For more, see the ">
+ <!ENTITY remoteDocumentation "documentation">
+ <!ENTITY remoteHelpSuffix ".">
+
+diff --git a/devtools/client/locales/en-US/sourceeditor.properties b/devtools/client/locales/en-US/sourceeditor.properties
+index 01447e3..0bc043e 100644
+--- a/devtools/client/locales/en-US/sourceeditor.properties
++++ b/devtools/client/locales/en-US/sourceeditor.properties
+@@ -4,7 +4,7 @@
+
+ # LOCALIZATION NOTE These strings are used inside the Source Editor component.
+ # This component is used whenever source code is displayed for the purpose of
+-# being edited, inside the Firefox developer tools - current examples are the
++# being edited, inside the Iceweasel developer tools - current examples are the
+ # Scratchpad and the Style Editor tools.
+
+ # LOCALIZATION NOTE The correct localization of this file might be to keep it
+diff --git a/devtools/client/locales/en-US/toolbox.dtd b/devtools/client/locales/en-US/toolbox.dtd
+index 53385de..fb9a95a 100644
+--- a/devtools/client/locales/en-US/toolbox.dtd
++++ b/devtools/client/locales/en-US/toolbox.dtd
+@@ -117,7 +117,7 @@ values from browser.dtd. -->
+ - checkbox that toggles remote debugging, i.e. devtools.debugger.remote-enabled
+ - boolean preference in about:config, in the options panel. -->
+ <!ENTITY options.enableRemote.label3 "Enable remote debugging">
+-<!ENTITY options.enableRemote.tooltip "Turning this option on will allow the developer tools to debug remote Firefox instance like Firefox OS">
++<!ENTITY options.enableRemote.tooltip "Turning this option on will allow the developer tools to debug remote Iceweasel instance like Iceweasel OS">
+
+ <!-- LOCALIZATION NOTE (options.enableWorkers.label): This is the label for the
+ - checkbox that toggles worker debugging, i.e. devtools.debugger.workers
+@@ -146,7 +146,7 @@ values from browser.dtd. -->
+ <!-- LOCALIZATION NOTE (options.selectDefaultTools.label): This is the label for
+ - the heading of group of checkboxes corresponding to the default developer
+ - tools. -->
+-<!ENTITY options.selectDefaultTools.label "Default Firefox Developer Tools">
++<!ENTITY options.selectDefaultTools.label "Default Iceweasel Developer Tools">
+
+ <!-- LOCALIZATION NOTE (options.selectAdditionalTools.label): This is the label for
+ - the heading of group of checkboxes corresponding to the developer tools
+diff --git a/devtools/client/locales/en-US/webide.dtd b/devtools/client/locales/en-US/webide.dtd
+index 5e1a80c..8f375da 100644
+--- a/devtools/client/locales/en-US/webide.dtd
++++ b/devtools/client/locales/en-US/webide.dtd
+@@ -2,7 +2,7 @@
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
+
+-<!ENTITY windowTitle "Firefox WebIDE">
++<!ENTITY windowTitle "Iceweasel WebIDE">
+
+ <!ENTITY projectMenu_label "Project">
+ <!ENTITY projectMenu_accesskey "P">
+@@ -59,7 +59,7 @@
+ <!ENTITY projectButton_label "Open App">
+ <!ENTITY runtimeButton_label "Select Runtime">
+
+-<!-- We try to repicate Firefox' bindings: -->
++<!-- We try to repicate Iceweasel' bindings: -->
+ <!-- quit app -->
+ <!ENTITY key_quit "W">
+ <!-- open menu -->
+diff --git a/devtools/client/locales/en-US/webide.properties b/devtools/client/locales/en-US/webide.properties
+index 2368ad7..05e39c7 100644
+--- a/devtools/client/locales/en-US/webide.properties
++++ b/devtools/client/locales/en-US/webide.properties
+@@ -2,8 +2,8 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+-title_noApp=Firefox WebIDE
+-title_app=Firefox WebIDE: %S
++title_noApp=Iceweasel WebIDE
++title_app=Iceweasel WebIDE: %S
+
+ runtimeButton_label=Select Runtime
+ projectButton_label=Open App
+@@ -54,10 +54,10 @@ error_runtimeVersionTooRecent=The connected runtime has a more recent build date
+ addons_stable=stable
+ addons_unstable=unstable
+ # LOCALIZATION NOTE (addons_simulator_label): This label is shown as the name of
+-# a given simulator version in the "Manage Simulators" pane. %1$S: Firefox OS
++# a given simulator version in the "Manage Simulators" pane. %1$S: Iceweasel OS
+ # version in the simulator, ex. 1.3. %2$S: Simulator stability label, ex.
+ # "stable" or "unstable".
+-addons_simulator_label=Firefox OS %1$S Simulator (%2$S)
++addons_simulator_label=Iceweasel OS %1$S Simulator (%2$S)
+ addons_install_button=install
+ addons_uninstall_button=uninstall
+ addons_adb_label=ADB Helper Add-on
diff --git a/pcr/iceweasel-hardening/mozconfig b/pcr/iceweasel-hardening/mozconfig
new file mode 100644
index 000000000..7349e3ccd
--- /dev/null
+++ b/pcr/iceweasel-hardening/mozconfig
@@ -0,0 +1,46 @@
+ac_add_options --enable-application=browser
+
+ac_add_options --prefix=/usr
+ac_add_options --enable-release
+ac_add_options --enable-gold
+ac_add_options --enable-pie
+ac_add_options --enable-rust
+
+# Release Iceweasel branding
+ac_add_options --disable-official-branding
+ac_add_options --with-branding=debian/branding
+ac_add_options --enable-update-channel=release
+MOZ_ADDON_SIGNING=1
+MOZ_REQUIRE_SIGNING=1
+
+# System libraries
+ac_add_options --with-system-nspr
+ac_add_options --with-system-nss
+ac_add_options --with-system-icu
+ac_add_options --with-system-jpeg
+ac_add_options --with-system-zlib
+ac_add_options --with-system-bz2
+ac_add_options --with-system-libevent
+ac_add_options --with-system-libvpx
+ac_add_options --enable-system-hunspell
+ac_add_options --enable-system-sqlite
+ac_add_options --enable-system-ffi
+ac_add_options --enable-system-pixman
+
+# Features
+ac_add_options --enable-startup-notification
+ac_add_options --disable-updater
+ac_add_options --disable-crashreporter
+
+STRIP_FLAGS="--strip-debug"
+
+# Parabola features
+ac_add_options --disable-safe-browsing
+ac_add_options --disable-url-classifier
+ac_add_options --disable-eme
+ac_add_options --disable-gamepad
+
+# Other
+mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/moz-objdir
+
+# vim:set ft=sh:
diff --git a/pcr/iceweasel-hardening/mozilla-1253216.patch b/pcr/iceweasel-hardening/mozilla-1253216.patch
new file mode 100644
index 000000000..c9252da5f
--- /dev/null
+++ b/pcr/iceweasel-hardening/mozilla-1253216.patch
@@ -0,0 +1,12 @@
+diff -up firefox-48.0/js/src/jit/AtomicOperations.h.old firefox-48.0/js/src/jit/AtomicOperations.h
+--- firefox-48.0/js/src/jit/AtomicOperations.h.old 2016-07-27 09:42:43.148175449 +0200
++++ firefox-48.0/js/src/jit/AtomicOperations.h 2016-07-27 09:41:13.000000000 +0200
+@@ -340,7 +340,7 @@ AtomicOperations::isLockfree(int32_t siz
+ # elif defined(__aarch64__)
+ # include "jit/arm64/AtomicOperations-arm64.h"
+ # else
+-# include "jit/none/AtomicOperations-none.h" // These MOZ_CRASH() always
++# include "jit/none/AtomicOperations-ppc.h"
+ # endif
+ #elif defined(JS_CODEGEN_X86) || defined(JS_CODEGEN_X64)
+ # include "jit/x86-shared/AtomicOperations-x86-shared.h"
diff --git a/pcr/iceweasel-hardening/mozilla-build-arm.patch b/pcr/iceweasel-hardening/mozilla-build-arm.patch
new file mode 100644
index 000000000..774147bbb
--- /dev/null
+++ b/pcr/iceweasel-hardening/mozilla-build-arm.patch
@@ -0,0 +1,24 @@
+diff -up firefox-46.0/media/webrtc/trunk/webrtc/build/common.gypi.arm firefox-46.0/media/webrtc/trunk/webrtc/build/common.gypi
+--- firefox-46.0/media/webrtc/trunk/webrtc/build/common.gypi.arm 2016-04-25 12:03:12.486027089 +0200
++++ firefox-46.0/media/webrtc/trunk/webrtc/build/common.gypi 2016-04-25 12:05:55.714644873 +0200
+@@ -312,20 +312,6 @@
+ 'defines': [
+ 'WEBRTC_ARCH_ARM',
+ ],
+- 'conditions': [
+- ['arm_version>=7', {
+- 'defines': ['WEBRTC_ARCH_ARM_V7',
+- 'WEBRTC_BUILD_NEON_LIBS'],
+- 'conditions': [
+- ['arm_neon==1', {
+- 'defines': ['WEBRTC_ARCH_ARM_NEON',],
+- }],
+- ['arm_neon==0 and arm_neon_optional==1', {
+- 'defines': ['WEBRTC_DETECT_ARM_NEON',],
+- }],
+- ],
+- }],
+- ],
+ }],
+ ['os_bsd==1', {
+ 'defines': [
diff --git a/pcr/iceweasel-hardening/remove-default-and-shell-icons-in-packaging-manifest.patch b/pcr/iceweasel-hardening/remove-default-and-shell-icons-in-packaging-manifest.patch
new file mode 100644
index 000000000..6bc67b30a
--- /dev/null
+++ b/pcr/iceweasel-hardening/remove-default-and-shell-icons-in-packaging-manifest.patch
@@ -0,0 +1,34 @@
+diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in
+index cffcff1..85d28cc 100644
+--- a/browser/installer/package-manifest.in
++++ b/browser/installer/package-manifest.in
+@@ -653,11 +653,6 @@
+ @RESPATH@/chrome/toolkit.manifest
+ @RESPATH@/chrome/recording.manifest
+ @RESPATH@/chrome/recording/*
+-#ifdef MOZ_GTK
+-@RESPATH@/browser/chrome/icons/default/default16.png
+-@RESPATH@/browser/chrome/icons/default/default32.png
+-@RESPATH@/browser/chrome/icons/default/default48.png
+-#endif
+ @RESPATH@/browser/features/*
+
+ ; [Webide Files]
+@@ -670,17 +665,10 @@
+ @RESPATH@/browser/chrome/devtools.manifest
+ @RESPATH@/browser/@PREF_DIR@/devtools.js
+
+-; shell icons
+-#ifdef XP_UNIX
+-#ifndef XP_MACOSX
+-; shell icons
+-@RESPATH@/browser/icons/*.png
+ #ifdef MOZ_UPDATER
+ ; updater icon
+ @RESPATH@/icons/updater.png
+ #endif
+-#endif
+-#endif
+
+ ; [Default Preferences]
+ ; All the pref files must be part of base to prevent migration bugs
diff --git a/pcr/iceweasel-hardening/vendor.js b/pcr/iceweasel-hardening/vendor.js
new file mode 100644
index 000000000..84489482b
--- /dev/null
+++ b/pcr/iceweasel-hardening/vendor.js
@@ -0,0 +1,351 @@
+pref("extensions.getAddons.search.url", "https://directory.fsf.org/wiki/GNU_IceCat");
+pref("extensions.getAddons.link.url", "https://directory.fsf.org/wiki/GNU_IceCat");
+pref("extensions.getAddons.search.browseURL", "https://directory.fsf.org/wiki/GNU_IceCat");
+pref("accessibility.blockautorefresh", true);
+pref("browser.meta_refresh_when_inactive.disabled", true);
+pref("extensions.webservice.discoverURL", "https://directory.fsf.org/wiki/GNU_IceCat");
+pref("app.faqURL", "https://libreplanet.org/wiki/Group:IceCat/FAQ");
+pref("app.update.auto", false);
+pref("app.update.checkInstallTime", false);
+pref("app.update.enabled", false);
+pref("app.update.staging.enabled", false);
+pref("app.update.url", "about:blank");
+pref("beacon.enabled", false);
+pref("breakpad.reportURL", "about:blank");
+pref("browser.EULA.override", true);
+pref("browser.aboutHomeSnippets.updateUrl", "about:blank");
+pref("browser.apps.URL", "about:blank");
+pref("browser.cache.disk.enable", false);
+pref("browser.cache.offline.enable", false);
+pref("browser.casting.enabled", false);
+pref("browser.search.order.US.1", "");
+pref("browser.search.order.US.2", "");
+pref("browser.search.order.US.3", "");
+pref("gecko.handlerService.schemes.mailto.0.name", "");
+pref("browser.disableResetPrompt", true);
+pref("browser.display.max_font_attempts",10);
+pref("browser.display.max_font_count",10);
+pref("browser.display.use_document_fonts", 0); // Prevent font fingerprinting
+pref("browser.download.manager.addToRecentDocs", false);
+pref("browser.download.manager.retention", 1);
+pref("browser.download.manager.scanWhenDone", false); // prevents AV remote reporting of downloads
+pref("browser.download.useDownloadDir", false);
+pref("browser.eme.ui.enabled", false);
+pref("browser.fixup.alternate.enabled", false);
+pref("browser.formfill.enable", false);
+pref("browser.history.allowPopState", false); // HTML5 privacy https://bugzilla.mozilla.org/show_bug.cgi?id=500328
+pref("browser.history.allowPushState", false);
+pref("browser.history.allowReplaceState", false);
+pref("browser.link.open_newwindow.restriction", 0); // Bug 9881: Open popups in new tabs (to avoid fullscreen popups)
+pref("browser.newtab.preload", false);
+pref("browser.newtabpage.directory.ping", "about:blank");
+pref("browser.newtabpage.directory.source", "about:blank");
+pref("browser.newtabpage.enabled", false);
+pref("browser.newtabpage.enhanced", false);
+pref("browser.newtabpage.introShown", true);
+pref("browser.pocket.api", "about:blank");
+pref("browser.pocket.enabled", false);
+pref("browser.pocket.enabledLocales", "about:blank");
+pref("browser.pocket.oAuthConsumerKey", "about:blank");
+pref("browser.pocket.site", "about:blank");
+pref("browser.pocket.useLocaleList", false);
+pref("browser.preferences.inContent",false);
+//pref("browser.privatebrowsing.autostart", true);
+pref("browser.rights.3.shown", true);
+pref("browser.safebrowsing.appRepURL", "about:blank");
+pref("browser.safebrowsing.enabled", false);
+pref("browser.safebrowsing.malware.enabled", false);
+pref("browser.safebrowsing.provider.mozilla.gethashURL", "about:blank");
+pref("browser.safebrowsing.provider.mozilla.updateURL", "about:blank");
+pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
+pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
+pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
+pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
+pref("browser.safebrowsing.downloads.remote.enabled", false);
+pref("browser.safebrowsing.downloads.remote.url", "");
+pref("browser.safebrowsing.provider.google.gethashURL", "");
+pref("browser.safebrowsing.provider.google.updateURL", "");
+pref("browser.safebrowsing.provider.google.lists", "");
+pref("browser.search.geoSpecificDefaults.url", "about:blank");
+pref("browser.search.geoSpecificDefaults", false);
+pref("browser.search.geoip.url", "about:blank");
+pref("browser.search.suggest.enabled", false);
+pref("browser.search.update", false);
+pref("browser.selfsupport.url", "about:blank");
+pref("browser.send_pings", false);
+pref("browser.sessionstore.privacy_level", 2);
+pref("browser.shell.checkDefaultBrowser", false);
+pref("browser.slowStartup.maxSamples", 0);
+pref("browser.slowStartup.notificationDisabled", true);
+pref("browser.slowStartup.samples", 0);
+pref("browser.snippets.enabled", false);
+pref("browser.snippets.geoUrl", "about:blank");
+pref("browser.snippets.statsUrl", "about:blank");
+pref("browser.snippets.syncPromo.enabled", false);
+pref("browser.snippets.updateUrl", "about:blank");
+pref("browser.startup.homepage_override.buildID", "20100101");
+pref("browser.startup.homepage_override.mstone", "9001.0.0");
+pref("browser.syncPromoViewsLeftMap", "{\"addons\":0, \"passwords\":0, \"bookmarks\":0}"); // Don't promote sync
+pref("browser.newtabpage.remote", false);
+pref("browser.tabs.crashReporting.sendReport", false);
+pref("browser.tabs.remote.desktopbehavior", false);
+pref("browser.toolbarbuttons.introduced.pocket-button", true);
+pref("browser.uitour.enabled", false); // https://trac.torproject.org/projects/tor/ticket/19047
+pref("browser.urlbar.maxRichResults", 0);
+pref("browser.webapps.checkForUpdates", 0);
+pref("browser.webapps.updateCheckUrl", "about:blank");
+pref("browser.zoom.siteSpecific", false);
+pref("camera.control.autofocus_moving_callback.enabled", false);
+pref("camera.control.face_detection.enabled", false);
+pref("captivedetect.canonicalURL", "about:blank");
+pref("datareporting.healthreport.about.reportUrl", "about:blank");
+pref("datareporting.healthreport.documentServerURI", "about:blank");
+pref("datareporting.healthreport.service.enabled", false); // Yes, all three of these must be set
+pref("datareporting.healthreport.uploadEnabled", false);
+pref("datareporting.policy.dataSubmissionEnabled", false);
+pref("datareporting.policy.dataSubmissionPolicyVersion", 2);
+pref("datareporting.policy.firstRunTime", 0);
+pref("device.sensors.enabled", false);
+pref("devtools.debugger.remote-enabled", false); // https://developer.mozilla.org/docs/Tools/Remote_Debugging/Debugging_Firefox_Desktop#Enable_remote_debugging
+pref("devtools.devices.url", "about:blank");
+pref("devtools.gcli.imgurUploadURL", "about:blank");
+pref("devtools.gcli.jquerySrc", "about:blank");
+pref("devtools.gcli.lodashSrc", "about:blank");
+pref("devtools.gcli.underscoreSrc", "about:blank");
+pref("devtools.remote.wifi.scan", false); // http://forum.top-hat-sec.com/index.php?topic=4951.5;wap2
+pref("devtools.remote.wifi.visible", false);
+pref("devtools.webide.adaptersAddonURL", "about:blank");
+pref("devtools.webide.adbAddonURL", "about:blank");
+pref("devtools.webide.addonsURL", "about:blank");
+pref("devtools.webide.enabled", false); //https://trac.torproject.org/projects/tor/ticket/16222
+pref("devtools.webide.simulatorAddonsURL", "about:blank");
+pref("devtools.webide.templatesURL", "about:blank");
+pref("dom.battery.enabled", false); // fingerprinting due to differing OS implementations
+pref("dom.enable_performance", false);
+pref("dom.event.clipboardevents.enabled",false);
+pref("dom.gamepad.enabled", false); // bugs.torproject.org/13023
+pref("dom.indexedDB.enabled", false);
+pref("dom.enable_user_timing", false);
+pref("dom.event.highrestimestamp.enabled", false);
+pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
+pref("dom.mozApps.signed_apps_installable_from", "about:blank");
+pref("dom.netinfo.enabled", false); // Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
+pref("dom.network.enabled",false); // fingerprinting due to differing OS implementations
+pref("dom.push.enabled", false);
+pref("dom.push.serverURL", "");
+pref("dom.presentation.discovery.enabled", false);
+pref("dom.presentation.discoverable", false);
+pref("dom.storage.enabled", false);
+pref("dom.telephony.enabled", false); // https://wiki.mozilla.org/WebAPI/Security/WebTelephony
+pref("dom.vibrator.enabled", false);
+pref("dom.vr.enabled", false);
+pref("dom.vr.cardboard.enabled", false);
+pref("dom.vr.oculus.enabled", false);
+pref("dom.vr.oculus050.enabled", false);
+pref("dom.vr.poseprediction.enabled", false);
+pref("dom.vr.add-test-devices", 0);
+pref("dom.workers.sharedWorkers.enabled", false); // See https://bugs.torproject.org/15562
+pref("dom.idle-observers-api.enabled", false); // disable idle observation
+pref("experiments.enabled", false);
+pref("experiments.manifest.uri", "about:blank");
+pref("extensions.blocklist.detailsURL", "about:blank");
+pref("extensions.blocklist.enabled", false);
+pref("extensions.blocklist.itemURL", "about:blank");
+pref("extensions.blocklist.url", "about:blank");
+pref("extensions.bootstrappedAddons", "{}");
+pref("extensions.databaseSchema", 3);
+pref("extensions.enabledScopes", 1);
+// Don't disable our bundled extensions in the application directory
+pref("extensions.autoDisableScopes", 11);
+pref("extensions.shownSelectionUI", true);
+pref("extensions.getAddons.cache.enabled", false); // https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/
+pref("extensions.getAddons.get.url", "about:blank");
+pref("extensions.getAddons.getWithPerformance.url", "about:blank");
+pref("extensions.getAddons.recommended.url", "about:blank");
+pref("extensions.pendingOperations", false);
+pref("extensions.pocket.api", "about:blank");
+pref("extensions.pocket.enabled", false);
+pref("extensions.shownSelectionUI", true);
+pref("extensions.ui.lastCategory", "addons://list/extension");
+pref("extensions.update.autoUpdateDefault", false);
+pref("extensions.update.enabled", false); // Fingerprints all installed addons, best to let the user decide when to run updates manually.
+pref("extensions.update.background.url", ""); // User can still update manually, but we disable background updates.
+pref("extensions.systemAddon.update.url", ""); // The system add-ons infrastructure that's used to ship Hello and Pocket in Firefox
+pref("font.default.x-western", "sans-serif");
+pref("general.appname.override", "Netscape");
+pref("general.appversion.override", "5.0 (Windows)");
+pref("general.buildID.override", "20100101");
+pref("general.oscpu.override", "Windows NT 6.1");
+pref("general.platform.override", "Win32");
+pref("general.productSub.override", "20100101");
+pref("general.useragent.compatMode.firefox", true);
+pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0");
+pref("general.useragent.vendor", "");
+pref("general.useragent.vendorSub", "");
+pref("general.warnOnAboutConfig", false);
+pref("geo.enabled", false);
+pref("geo.wifi.uri", "about:blank");
+pref("gfx.direct2d.disabled", true);
+pref("gfx.downloadable_fonts.fallback_delay", -1);
+pref("gfx.font_rendering.opentype_svg.enabled", false); // https://wiki.mozilla.org/SVGOpenTypeFonts - iSEC Partners Report recommends to disable this
+pref("healthreport.uploadEnabled", false);
+pref("identity.fxaccounts.auth.uri", "about:blank");
+pref("intl.charset.default", "windows-1252");
+pref("intl.locale.matchOS", true);
+pref("javascript.options.asmjs", false); // Multiple security advisories, low level js
+pref("javascript.options.wasm", false); // https://hacks.mozilla.org/2016/03/a-webassembly-milestone/
+pref("javascript.use_us_english_locale", true);
+pref("javascript.options.typeinference", false);
+pref("javascript.options.baselinejit.content", false);
+pref("javascript.options.ion.content", false); // https://trac.torproject.org/projects/tor/ticket/9387#comment:43
+pref("keyword.enabled", false);
+pref("layers.acceleration.disabled", true);
+pref("layout.css.visited_links_enabled", false);
+pref("lightweightThemes.update.enabled", false); // We can update our themes manually, may fingerprint the user.
+pref("loop.copy.throttler", "about:blank");
+pref("loop.enabled",false); //Disable Firefox Hello
+pref("loop.facebook.appId", "about:blank");
+pref("loop.facebook.enabled", false);
+pref("loop.facebook.fallbackUrl", "about:blank");
+pref("loop.facebook.shareUrl", "about:blank");
+pref("loop.feedback.baseUrl", "about:blank");
+pref("loop.feedback.formURL", "about:blank");
+pref("loop.feedback.manualFormURL", "about:blank");
+pref("loop.gettingStarted.url", "about:blank");
+pref("loop.learnMoreUrl", "about:blank");
+pref("loop.legal.ToS_url", "about:blank");
+pref("loop.legal.privacy_url", "about:blank");
+pref("loop.linkClicker.url", "about:blank");
+pref("loop.oauth.google.redirect_uri", "about:blank");
+pref("loop.oauth.google.scope", "about:blank");
+pref("loop.remote.autostart", false);
+pref("loop.server", "about:blank");
+pref("loop.soft_start_hostname", "about:blank");
+pref("loop.support_url", "about:blank");
+pref("loop.throttled2",false);
+pref("mathml.disabled", true); // https://www.torproject.org/projects/torbrowser/design
+pref("media.audio_data.enabled", false);
+pref("media.autoplay.enabled", false);
+pref("media.cache_size", 0);
+pref("media.eme.apiVisible", false); // Disable Freedom Violating DRM Feature
+pref("media.eme.enabled", false);
+pref("media.getusermedia.screensharing.allowed_domains", ""); // We really don't want to be promoting Cisco and Cloudflare in a whitelist here.
+pref("media.getusermedia.screensharing.enabled", false);
+pref("media.gmp-eme-adobe.enabled", false);
+pref("media.gmp-gmpopenh264.enabled", false);
+pref("media.gmp-manager.url", "about:blank"); // Disable Gecko media plugins: https://wiki.mozilla.org/GeckoMediaPlugins
+pref("media.gmp-manager.url.override", "data:text/plain");
+pref("media.gmp-provider.enabled", false);
+pref("media.gmp.trial-create.enabled", false);
+pref("media.navigator.enabled", false);
+pref("media.peerconnection.enabled", false); // Disable WebRTC interfaces
+pref("media.peerconnection.ice.default_address_only", true);
+pref("media.video_stats.enabled", false);
+pref("media.webspeech.recognition.enable", false);
+pref("media.webspeech.synth.enabled", false);
+pref("network.allow-experiments", false);
+pref("network.http.altsvc.enabled", false);
+pref("network.http.altsvc.oe", false); // https://trac.torproject.org/projects/tor/ticket/16673
+pref("network.dns.disablePrefetch", true);
+pref("network.http.connection-retry-timeout", 0);
+pref("network.http.max-persistent-connections-per-proxy", 256);
+pref("network.http.pipelining", true);
+pref("network.http.pipelining.aggressive", true);
+pref("network.http.pipelining.max-optimistic-requests", 3);
+pref("network.http.pipelining.maxrequests", 10);
+pref("network.http.pipelining.maxrequests", 12);
+pref("network.http.pipelining.read-timeout", 60000);
+pref("network.http.pipelining.reschedule-timeout", 15000);
+pref("network.http.pipelining.ssl", true);
+pref("network.http.proxy.pipelining", true);
+pref("network.http.speculative-parallel-limit", 0);
+pref("network.jar.block-remote-files", true); // https://bugzilla.mozilla.org/show_bug.cgi?id=1173171
+pref("network.jar.open-unsafe-types", false);
+pref("network.manage-offline-status", false); // https://trac.torproject.org/projects/tor/ticket/18945
+pref("network.predictor.enabled", false); // https://trac.torproject.org/projects/tor/ticket/16625
+pref("network.prefetch-next", false);
+pref("network.protocol-handler.external-default", false);
+pref("network.protocol-handler.external.mailto", false);
+pref("network.protocol-handler.external.news", false);
+pref("network.protocol-handler.external.nntp", false);
+pref("network.protocol-handler.external.snews", false);
+pref("network.protocol-handler.warn-external.mailto", true);
+pref("network.protocol-handler.warn-external.news", true);
+pref("network.protocol-handler.warn-external.nntp", true);
+pref("network.protocol-handler.warn-external.snews", true);
+pref("network.proxy.no_proxies_on", ""); // For fingerprinting and local service vulns (#10419)
+pref("network.proxy.socks", "127.0.0.1");
+pref("network.proxy.socks_port", 9050);
+pref("network.proxy.socks_remote_dns", true);
+pref("network.proxy.type", 0); // Setup for TOR for default proxy, but do not enable by default.
+pref("network.security.ports.banned", "9050,9051,9150,9151");
+pref("network.websocket.max-connections", 0);
+//pref("nglayout.initialpaint.delay", 0); http://www.mozdev.org/pipermail/fasterfox/2006-January/000509.html
+pref("noscript.forbidMedia", true);
+pref("offline-apps.allow_by_default", false); // https://support.mozilla.org/en-US/questions/1014708
+pref("pdfjs.disabled", true); // https://www.exploit-db.com/exploits/37958/
+pref("permissions.memory_only", true);
+pref("pfs.datasource.url", "about:blank"); // Fingerprints the user, not HTTPS. Remove it.
+pref("pfs.filehint.url", "about:blank");
+pref("plugin.disable", true); // Disable to search plugins on first start
+pref("plugin.expose_full_path", false);
+pref("plugin.state.flash", 0);
+pref("plugin.state.libgnome-shell-browser-plugin", 0); // disable Gnome Shell Integration
+pref("plugins.click_to_play", true);
+pref("plugins.enumerable_names", "about:blank");
+pref("plugins.hideMissingPluginsNotification", true);
+pref("plugins.hide_infobar_for_missing_plugin", true);
+pref("plugins.hide_infobar_for_outdated_plugin", true);
+pref("plugins.notifyMissingFlash", false);
+pref("privacy.announcements.enabled", false);
+pref("privacy.donottrackheader.enabled", false); // http://www.howtogeek.com/126705/why-enabling-do-not-track-doesnt-stop-you-from-being-tracked/
+pref("privacy.donottrackheader.value", 1);
+pref("privacy.thirdparty.isolate", 2); // Always enforce third party isolation
+pref("privacy.trackingprotection.enabled", true);
+pref("privacy.trackingprotection.pbmode.enabled", true);
+pref("security.OCSP.enabled", 0); // https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol#Privacy_concerns
+pref("security.OCSP.require", false);
+pref("security.ask_for_password", 0);
+pref("security.cert_pinning.enforcement_level", 2); // https://trac.torproject.org/projects/tor/ticket/16206
+pref("security.enable_tls_session_tickets", false);
+pref("security.mixed_content.block_active_content", true); // Note: Can be disabled for user experience. https://bugzilla.mozilla.org/show_bug.cgi?id=878890
+pref("security.nocertdb", false);
+pref("security.ssl.errorReporting.url", "");
+pref("security.ssl.errorReporting.enabled", false);
+pref("security.ssl.disable_session_identifiers", true);
+pref("security.ssl.enable_false_start", true);
+pref("security.ssl.require_safe_negotiation", true);
+pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+pref("security.ssl3.rsa_seed_sha", true);
+pref("security.tls.insecure_fallback_hosts.use_static_list", false);
+pref("security.tls.unrestricted_rc4_fallback", false);
+pref("security.tls.version.max", 3);
+pref("security.tls.version.min", 1);
+pref("services.kinto.base", "");
+pref("services.sync.engine.addons", false);
+pref("services.sync.engine.prefs", false); // Never sync prefs, addons, or tabs with other browsers
+pref("services.sync.engine.tabs", false);
+pref("services.sync.prefs.sync.addons.ignoreUserEnabledChanges", false);
+pref("services.sync.prefs.sync.extensions.update.enabled", false);
+pref("services.sync.serverURL", "about:blank");
+pref("services.sync.jpake.serverURL", "about:blank");
+pref("signon.autofillForms", false); // disable cross-site form exposure from password manager - http://kb.mozillazine.org/Signon.autofillForms
+pref("signon.rememberSignons", false);
+pref("social.directories", "");
+pref("social.enabled", false);
+pref("social.remote-install.enabled", false);
+pref("social.shareDirectory", "");
+pref("social.toast-notifications.enabled", false);
+pref("social.whitelist", "");
+pref("startup.homepage_override_url", "");
+pref("startup.homepage_welcome_url", "");
+pref("svg.in-content.enabled", true);
+pref("toolkit.telemetry.enabled", false);
+pref("toolkit.telemetry.server", "about:blank");
+pref("toolkit.telemetry.archive.enabled", false);
+pref("ui.key.menuAccessKeyFocuses", false); // Disable "alt" as a shortcut key to open full menu bar. Conflicts with "alt" as a modifier
+pref("webgl.disable-extensions", true);
+pref("webgl.disabled", true);
+pref("webgl.min_capability_mode", true);
+pref("xpinstall.signatures.required", true); // Requires AMO signing key for addons
+pref("xpinstall.whitelist.add", "");