Firefox 68 release

Submitted by web browser release Firefox 68and mobile version Firefox 68 for the Android platform. The release is categorized as a long-term support (ESR) branch, with updates released throughout the year. In addition, an update of the previous branch long term support 60.8.0. Coming soon to the stage beta testing the Firefox 69 branch, which is scheduled for release on September 3rd, will be transferred.

All innovations:

• The new add-on manager (about:addons) is enabled by default, completely rewritten using HTML/JavaScript and standard web technologies as part of an initiative to rid the browser of XUL and XBL-based components. The new interface for each add-on in the form of tabs provides the ability to view the full description, change settings and manage access rights without leaving the main page with a list of add-ons.
  

  Instead of separate buttons for controlling the activation of add-ons, a context menu is proposed. Disabled add-ons are now clearly separated from active ones and listed in a separate section.

  

  A new section has been added with add-ons recommended for installation, the composition of which is selected depending on the installed add-ons, settings and statistics on the user's work. Add-ons are accepted into the list of contextual recommendations only if they meet Mozilla's requirements in the field of security, usefulness and usability, as well as efficiently and effectively solve actual problems that are of interest to a wide audience. Proposed additions undergo a full security review of each update;

  

• Added a button to report problems with add-ons and skins to Mozilla. For example, through the proposed form, you can warn developers when malicious activity is detected, problems with displaying sites due to an add-on, non-compliance with the declared functionality, the appearance of an add-on without user action, or problems with stability and performance.
  

• A new implementation of the Quantum Bar address bar is included, which is almost identical in appearance and capabilities to the old Awesome Bar address bar, but differs in a complete reworking of the internals and rewriting of the code with the replacement of XUL / XBL with a standard Web API. The new implementation greatly simplifies the process of extending functionality (supports the creation of add-ons in the WebExtensions format), removes hard bindings to browser subsystems, makes it easy to connect new data sources, has higher performance and responsiveness of the interface. Of the noticeable changes in behavior, only the need to use the Shift + Del or Shift + BackSpace combinations (it used to work without Shift) is noted to remove browsing history entries from the result of the prompt displayed at the start of typing;
• Implemented a full-fledged dark theme for the reader mode (reader view), when enabled, all elements of the window and panel design are also displayed in dark shades (previously switching between dark and light mode in the Reader View concerned only the area with text content);
  

• In strict blocking of unwanted content (strict), in addition to all known motion tracking systems and all third-party cookies, JavaScript inserts that mine cryptocurrencies or track users using hidden identification methods are now also blocked. Previously, lock data was enabled via explicit selection in custom lock mode. Blocking is carried out by additional categories (fingerprinting and cryptomining) in the Disconnect.me list;
  

• Continued gradual inclusion of the compositing system Servo WebRender, written in the Rust language and taking out page content rendering operations on the GPU side. Using WebRender instead of Gecko's built-in CPU-based compositing engine, GPU-based shaders are used to perform page element summary rendering operations, resulting in a significant increase in rendering speed and reducing CPU load.

  In addition to users with NVIDIA graphics cards since
  Firefox 68 support WebRender will be enabled for Windows 10 based systems with AMD graphics cards. You can check WebRender activation on the about:support page. To force it to be enabled in about:config, enable the "gfx.webrender.all" and "gfx.webrender.enabled" settings, or by running Firefox with the MOZ_WEBRENDER=1 environment variable set. On Linux, WebRender support is more or less stabilized for Intel graphics cards with Mesa 18.2+ drivers;

• Added a section to the hamburger menu on the right side of the address bar panel for quick access to account settings in Firefox Account;
• A new built-in "about:compat" page has been added that lists workarounds and patches for compatibility with certain sites that do not work correctly in Firefox. Changes made for compatibility in the simplest cases are limited to changing the “User Agent” identifier if the site is hard-wired to certain browsers. In more complex situations, JavaScript code is run in the context of the site to correct compatibility issues;
  

• Due to potential stability issues when switching the browser to a single-process mode of operation, in which the formation of the interface and processing of the contents of the tabs is done in the same process, from about:config removed "browser.tabs.remote.force-enable" and "browser.tabs.remote.force-disable" settings that could be used to disable multiprocessing (e10s). Also, setting the "browser.tabs.remote.autostart" option to "false" will no longer automatically disable multi-processing on desktop versions of Firefox, in official builds, and on startup without enabling automated test execution mode;
• Implemented the second phase of expanding the number of API calls that available only when the page is opened in a protected context (Secure Context), i.e. when opened over HTTPS, through localhost, or from a local file. Pages opened outside of a secure context will now block requests to call getUserMedia() to access media sources (eg camera and microphone);
• Provided automatic error handling when accessing via HTTPS, emerging due to the activity of anti-virus software. Problems appear when Avast, AVG, Kaspersky, ESET, and Bitdefender antiviruses include the Web protection module, which analyzes HTTPS traffic by substituting its certificate into the list of Windows root certificates and replacing the originally used site certificates with it. Firefox uses its own list of root certificates and ignores the system list of certificates, so it perceives such activity as a MITM attack.

  The problem was solved by automatically enabling the setting "security.enterprise_roots.enabled", which additionally imports certificates from the system storage. In the case of using a certificate from the system store, and not built into Firefox, a special indicator has been added to the menu called from the address bar with information about the site. The setting is automatically enabled when a MITM interception is detected, after which the browser tries to re-establish a connection, and if the problem has disappeared, the setting is saved. It is argued that such manipulation does not pose a threat, since if the system certificate store is compromised, the attacker can also compromise the Firefox certificate store (does not count possible substitution certificates equipment manufacturers who can apply to implement MITM, but are blocked when using the Firefox certificate store);

• Local files opened in the browser will no longer be able to access other files in the current directory (for example, when opening an html document sent by mail in Firefox on the Android platform, a JavaScript insert in this document could view the contents of a directory with other saved files);
• Changed method for synchronizing settings changed via the about:config interface. Now only the settings that are present in the white list, which is defined in the "services.sync.prefs.sync" section, are synchronized. For example, to synchronize the browser.some_preference parameter, you need to set the value "services.sync.prefs.sync.browser.some_preference" to true. To allow synchronization of all settings, the "services.sync.prefs.dangerously_allow_arbitrary" parameter is provided, which is disabled by default;
• Implemented a technique for dealing with annoying requests to grant the site additional permissions to send push notifications (access to the Notifications API). From now on, such requests will be silently blocked if there is no explicit user interaction with the page (mouse click or keystroke);
• In a business environment (Firefox for Enterprise) added support additional policies browser customization for employees. For example, an administrator can now add a section to the menu to contact the local helpdesk, add links to intranet resources on the page for opening a new tab, disable contextual search suggestions, add links to local files, configure file download behavior, define white and black lists of valid and invalid add-ons, activate certain settings;
• Resolved an issue that could cause settings to be lost (prefs.js file corrupted) if the process was terminated abnormally (for example, when the power was turned off without shutting down or when the browser crashed);
• Added support Scroll Snap, a set of scroll-snap-* CSS properties that allow you to control the slider's breakpoint when scrolling and the alignment of content that slides, as well as snap to elements during inertial scrolling. For example, you can set up scrolling with a shift along the borders of the image or with the centering of the image;
• JavaScript implements a new numeric type BigInt, which allows you to store integers of arbitrary size, for which the Numbers type is not enough (for example, identifiers and exact times had to be stored as strings in the past);
• Added the ability to pass the "noreferrer" option when calling window.open() to block leakage of information about the Referrer when opening a link in a new window;
• Added the ability to use the .decode() method with an HTMLImageElement to load and decode elements before adding them to the DOM. For example, this feature can be used to make it easier to instantly replace compact placeholder images with high-res options that are loaded later, as it lets you know when the browser is ready to display the new image in its entirety.
• The developer tools provide tools for auditing the contrast of text elements, which can be used to identify elements that are incorrectly perceived by people with visual impairments or impaired color perception;
  

• A button has been added to the inspection mode for emulating print output, which allows you to determine the elements that may be invisible when printed;
  

• The web console has expanded information that is displayed along with warnings about problems with CSS. Including added a link to the relevant nodes. The console also has the ability to filter output using regular expressions (for example, "/(foo|bar)/");
  

• Added the ability to adjust the spacing between letters in the font editor;
• In the storage inspection mode, added the ability to delete records from local and session storage by selecting the appropriate elements and pressing the Back Space key;
• Added the ability to block certain URLs, resend the request, and copy HTTP headers in JSON format to the clipboard in the network activity inspection panel. New features are available by selecting the appropriate options in context menu, displayed when right-clicking the mouse;
• The built-in debugger now has a search function in all files of the current project by pressing Shift + Ctrl + F;
• Changed setting to enable display of system addons: in about:debugging, instead of devtools.aboutdebugging.showSystemAddons, the parameter devtools.aboutdebugging.showHiddenAddons is now proposed;
• When installed in Windows 10, a shortcut is placed in the taskbar. Windows also adds the ability to use BITS (Background Intelligent Transfer Service) to continue downloading updates even if the browser has been closed;
• Improved rendering performance in the Android version. Added API WebAuthn (Web Authentication API) to connect to the site using a hardware token or fingerprint sensor. Added API visual viewport through which you can determine the actual visible area, taking into account the display of the on-screen keyboard or scaling. New installations no longer automatically load the Cisco OpenH264 Plugin for WebRTC.

In addition to innovations and bug fixes in Firefox 68, the a series of vulnerabilities, of which several are marked as critical, i.e. can lead to malicious code being executed when specially designed pages are opened. Details of the security issues that have been fixed are not available at this time, and a list of vulnerabilities is expected to be published within a few hours.

Firefox 68 was the last release to form an update to Firefox Classic for Android. Starting with Firefox 69 due September 3rd, new releases of Firefox for Android will not be released, and the fixes will be delivered in the form of updates to the Firefox 68 ESR branch. The classic Firefox for Android will be replaced by a new mobile browser developed by the Fenix ​​project and using the GeckoView engine and a set of libraries Mozilla Android Components. Currently under the name of Firefox Preview for testing already proposed first preview release of the new browser (today опубликовано corrective update 1.0.1 of this pre-release, but it has not yet been posted to Google Play).

Source: opennet.ru