We have a global security level (see about:preferences#privacy) which is … wait for it … used to control some “security” items - i.e. we don’t use it to make fingerprinting/“privacy” harder or relax compat issues etc
We would prefer to find solutions that work across all levels and threat models
Don’t panic
location is gated behind a prompt, but TB also disables the API
camera/microphone are also gated behind permissions and require user actions, and are protected per tab/per session in other ways - gUM (get user media) has undergone some nice changes lately. But even then TB does not currently allow WebRTC, and enumeration of devices is protected with RFP (privacy.resistFingerprinting)
fonts
we already tightly control what local/system fonts are allowed - there is no need to block fonts
Soon
autoplay settings: we already have an open issue to enforce the same defaults for everyone:- see TZP
my TB: autoplaypolicy disallowed, allowed-muted | allowed-muted
not sure if you meant a typing fingerprint = hard to solve
if you meant sites can see what you type, then use safest security level, but even then I’m a little lost, because you clearly meant to type info on the site
if you meant security from 3rd parties over forms/passwords etc - that’s a little out of my expertise, but we do isolate/partition by first party (I think we do for form data), and sanitize form data on close
popups
back in the before times, popups were legion … these days they are not really an issue. Would have to check what we do in particular that is different from upstream