Policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`.
+Unfortunately, JSON files do not support comments, but you can add extra entries to the JSON to use as comments. You will see an error in about:policies, but the policies will still work properly. For example:
+
+```
+{
+ "policies": {
+ "Authentication": {
+ "SPNEGO": ["mydomain.com", "https://myotherdomain.com"]
+ }
+ "Authentication_Comment": "These domains are required for us"
+ }
+}
+```
+
| Policy Name | Description
| --- | --- |
| **[`3rdparty`](#3rdparty)** | Set policies that WebExtensions can access via chrome.storage.managed.
If `Fingerprinting` is set to true, fingerprinting scripts on websites are blocked.
+If `EmailTracking` is set to true, hidden email tracking pixels and scripts on websites are blocked. (Firefox 112)
+
`Exceptions` are origins for which tracking protection is not enabled.
**Compatibility:** Firefox 60, Firefox ESR 60 (Cryptomining and Fingerprinting added in 70/68.2, Exceptions added in 73/68.5)\
toolkit.legacyUserProfileCustomizations.stylesheets (Firefox 95, Firefox ESR 91.4)
ui.
widget.
+xpinstall.signatures.required (Firefox ESR 102.10, Firefox ESR only)
```
as well as the following security preferences:
| Preference | Type | Default
| If set to true, adds the words "Not Secure" for insecure sites.
| security.insecure_connection_text.pbmode.enabled | bool | false
| If set to true, adds the words "Not Secure" for insecure sites in private browsing.
-| security.insecure_field_warning.contextual.enabled | bool | true
-| If set to false, remove the warning for inscure login fields.
| security.mixed_content.block_active_content | boolean | true
| If false, mixed active content (HTTP and HTTPS) is not blocked.
| security.osclientcerts.autoload | boolean | false
| If true, client certificates are loaded from the operating system certificate store.
+| security.OCSP.enabled | integer | 1
+| If 0, do not fetch OCSP. If 1, fetch OCSP for DV and EV certificates. If 2, fetch OCSP only for EV certificates
+| security.OCSP.require | boolean | false
+| If true, if an OCSP request times out, the connection fails.
+| security.ssl.enable_ocsp_stapling | boolean | true
+| If false, OCSP stapling is not enabled.
| security.ssl.errorReporting.enabled | boolean | true
| If false, SSL errors cannot be sent to Mozilla.
| security.tls.enable_0rtt_data | boolean | true