Firefox 119 release

The Firefox 119 web browser was released and a long-term support branch update was created - 115.4.0. The Firefox 120 branch has been transferred to the beta testing stage, the release of which is scheduled for November 21.

Key innovations in Firefox 119:

• An updated interface for the Firefox View page has been introduced, making it easier to access previously viewed content. The Firefox View page brings together information about active tabs, recently viewed pages, closed tabs, and tabs from other devices in one place. The new version of Firefox View provides information about all tabs open in any window, and also adds the ability to view your browsing history sorted by date or site.
• The ability to import add-ons from Chrome and browsers based on the Chromium engine is enabled. In the dialog for importing data from other browsers (“Import Data” on the about:preferences#general page), an option has appeared for transferring add-ons. The transfer involves a list of 72 add-ons, which compares the identifiers of identical add-ons that exist for Chrome and Firefox. If add-ons from the list are present when importing data from Chrome, Firefox installs the native Firefox version instead of the Chrome version of the add-on.
• Support for the ECH (Encrypted Client Hello) mechanism is included, which continues the development of ESNI (Encrypted Server Name Indication) and is used to encrypt information about TLS session parameters, such as the requested domain name. The key difference between ECH and ESNI is that instead of encrypting at the level of individual fields, ECH encrypts the entire TLS ClientHello message, which allows you to block leaks through fields that ESNI does not cover, for example, the PSK (Pre-Shared Key) field.
• The built-in PDF viewer's document editing capabilities now include support for inserting images and text annotations, in addition to the previously available freehand line drawing and attaching text comments. The new PDF editing mode is activated only for some users; to force it on the about:config page, you must activate the “pdfjs.enableStampEditor” setting.
• Changed settings related to restoring an interrupted session after exiting the browser. Unlike previous releases, information about not only active tabs, but also recently closed tabs will now be saved between sessions, allowing you to restore accidentally closed tabs after a restart and view a list of them in Firefox View. By default, the last 25 tabs opened in the last 7 days will be saved. Data about tabs in closed windows will also be taken into account and the list of closed tabs will be processed in the context of all windows at once, and not just the current window.
• The capabilities of the Total Cookie Protection mode have been expanded, in which a separate isolated Cookie storage is used for each site, which does not allow the use of Cookies to track movement between sites (all Cookies set from third-party blocks loaded on the site (iframe, js, etc.) .p.), are linked to the site from which these blocks were downloaded). The new version implements isolation of the URI scheme “blob:...” (Blob URL), which could potentially be used to convey information suitable for user tracking.
• For users of the enhanced tracking protection mechanism (ETP, Enhanced Tracking Protection), additional protection is enabled against indirect identification of users through font analysis - fonts visible to sites are limited to system fonts and fonts from standard language sets.
• The Firefox snap package provides support for using the native Ubuntu file selection dialog when accessing data from other browsers, as well as support for determining available features based on the installed version of xdg-desktop-portal.
• Added support for selecting a monitor to place a browser window running in Internet kiosk mode. The monitor is selected using the command line option “-kiosk-monitor”. The browser switches to full-screen mode immediately after launching in kiosk mode.
• Stopped detecting media content in files processed with the "application/octet-stream" MIME type. For such files, the browser will now prompt you to download the file rather than start playing it.
• In preparation for Firefox's inclusion of third-party Cookie blocking, the implementation of the Storage Access API has been updated to prompt the user for permission to access Cookie storage from an iframe when third-party Cookies are blocked by default. The new implementation has enhanced protection and added changes to avoid problems with sites.
• For custom elements (Custom Element), which extend the functionality of existing HTML elements, support for ARIA (Accessible Rich Internet Applications) attributes is included, making these elements more accessible to people with disabilities. Added the ability to set and read ARIA attributes directly for DOM elements (for example, buttonElement.ariaPressed = "true") without calling the setAttribute and getAttribute methods.
• The Cross-Origin-Embedder-Policy HTTP header, which controls the Cross-Origin isolation mode and allows you to define secure usage rules on the privileged operations page, has added support for the “credentialless” parameter to disable the transmission of credential-related information such as Cookies and client certificates.
• The attr() CSS function now has the ability to specify a second argument, the value of which will be used in situations where the specified attribute is missing or has an invalid value. For example, attr(foobar, "Default value").
• Added Object.groupBy and Map.groupBy methods for grouping array elements using the string value returned by the callback function, which is called for each array element, as the grouping key.
• Added methods: String.prototype.isWellFormed() to check for the presence of correctly formed Unicode text in a string (only complete “surrogate pairs” of compound characters are checked) and String.prototype.toWellFormed() for cleaning and converting Unicode text into the correct form .
• The WebTransport.createBidirectionalStream() and WebTransport.createUnidirectionalStream() methods have added support for the “sendOrder” property to set the relative priority of sent streams.
• The AuthenticatorAttestationResponse API offers new methods getPublicKey(), getPublicKeyAlgorithm() and getAuthenticatorData().
• The Web Authentication API has added support for credProps properties, which allow you to determine the presence of credentials after creation or registration.
• Added parseCreationOptionsFromJSON(), parseRequestOptionsFromJSON() and toJSON() methods to the PublicKeyCredential API to convert objects into a JSON representation suitable for serialization/deserialization and transfer to the server.
• In the tools for web developers, the interface for interactive work with CSS (Inactive CSS styles) has been improved, which includes the ability to identify CSS properties that do not affect the element, and also added full support for pseudo-elements, such as “::first-letter”, "::cue" and "::placeholder".
• The built-in JSON data viewer automatically switches to viewing raw data if the JSON data being viewed is incorrect or damaged.
• On the Windows platform, added support for a system setting that hides the cursor while typing.
• In the version for the Android platform, a crash that occurs when viewing a video in full screen has been eliminated. Added support for prefers-contrast and prefers-reduced-transparency media queries in the Android 14 environment.

In addition to innovations and bug fixes, Firefox 119 has fixed 25 vulnerabilities. The 17 vulnerabilities (16 combined under CVE-2023-5730 and CVE-2023-5731) that are marked as dangerous are caused by memory problems, such as buffer overflows and access to already freed memory areas. Potentially, these problems can lead to the execution of an attacker's code when opening specially designed pages. Another dangerous vulnerability (CVE-2023-5721) allows clickjacking to confirm or cancel some browser dialogs or warnings.

Source: opennet.ru