Enable WebGL (as click-to-play only)
In #3323 (closed), we reviewed WebGL for API-based fingerprinting issues. The conclusion is that if we set webgl.min_capability_mode and webgl.disable-extensions, our primary API-level fingerprinting concerns are addressed.
Additionally, #6253 (closed) lists another related fingerprinting defense to rendering vectors (#6041 (closed)), but so long as WebGL remains click-to-play, I think #6253 (closed) is not a blocker to enabling WebGL in a click-to-play limited sense.
However, I am still terrified by the vulnerability surface represented by WebGL on the graphics driver end. Because much of that code lives in the kernel, or at least at UID 0 priv level, it will prove very difficult to actually properly sandbox. Worse, many drivers are very likely not network-hardened or designed to handle untrusted input. See also: http://www.contextis.com/resources/blog/webgl/
Hence, I think WebGL will probably have to remain a second-class click-to-play tech for the foreseeable future, even if "enabled".