consider blocking remote jar files at Low Security
Mozilla recently blocked remote jar files by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=1215235
Then they had to re-enable the remote jar files again in the release, because users of IBM iNotes (some sort of webmail thing) ran into an incompatibility.
https://bugzilla.mozilla.org/show_bug.cgi?id=1255139
In any case, Mozilla's intention is to block by default again in the future. So when that happens, if not sooner, we should ensure that our security slider is not re-enabling remote jar files at Low Security.