Firefox 74 release

The Firefox 74 web browser has been released, along with the mobile version Firefox 68.6 for the Android platform. In addition, an update to the long-term support branch, 68.6.0, has been published. The Firefox 75 branch will soon move to the beta testing stage, with its release scheduled for April 7 (the project has moved to a 4-5 week development cycle). For the Firefox 75 beta branch, builds for Linux in Flatpak format have started to be produced.

All innovations:

  • Linux builds use the RLBox isolation mechanism, which is aimed at blocking the exploitation of vulnerabilities in third-party function libraries. At this stage, isolation is enabled only for the Graphite library, which is responsible for rendering fonts. RLBox compiles the C/C++ code of the isolated library into low-level WebAssembly intermediate code, which is then packaged as a WebAssembly module whose permissions are set in relation to this module only. The assembled module works in a separate memory area and does not have access to the rest of the address space. If a vulnerability in the library is exploited, the attacker is confined to the isolated environment and cannot access the memory areas of the main process or transfer control outside it.
  • DNS over HTTPS (DoH) mode is enabled by default for US users. The default DNS provider is CloudFlare (mozilla.cloudflare-dns.com is included in Roskomnadzor's block lists), and NextDNS is available as an option. You can change the provider, or enable DoH in countries other than the US, in the network connection settings. You can read more about DoH in Firefox in a separate announcement.


  • Support for the TLS 1.0 and TLS 1.1 protocols has been disabled. To access sites over a secure communication channel, the server must support at least TLS 1.2. According to Google, about 0.5% of web page loads are currently still carried out using outdated versions of TLS. The shutdown was made in accordance with the recommendations of the IETF (Internet Engineering Task Force). The reason for dropping TLS 1.0/1.1 is the lack of support for modern ciphers (for example, ECDHE and AEAD) and the requirement to support old ciphers whose reliability is questionable at the present stage of development of computer technology (for example, support for TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is required, and MD5 and SHA-1 are used for integrity checking and authentication). Starting with Firefox 74, an attempt to use TLS 1.0 or TLS 1.1 results in an error. The ability to work with obsolete versions of TLS can be restored through the setting security.tls.version.enable-deprecated = true or by using the button on the error page displayed when opening a site that uses the old protocol.

  • The release notes recommend the Facebook Container add-on, which automatically blocks third-party Facebook widgets used for authentication, comments, and likes. Facebook identity data is isolated in a separate container, making it difficult to link the user's identity with the sites they visit. The ability to work with the main Facebook site is preserved, but it is isolated from other sites.

    For more flexible isolation of arbitrary sites, the Multi Account Containers add-on is offered, which implements the concept of context containers. Containers provide the ability to isolate different types of content without creating separate profiles, which allows you to separate the information of individual groups of pages. For example, you can create separate areas, isolated from each other, for personal communication, work, shopping and banking, or arrange for the simultaneous use of different user accounts on the same site. Each container uses separate storage for Cookies, Local Storage API, indexedDB, cache, and OriginAttributes content.

  • The setting "browser.tabs.allowTabDetach" has been added to about:config to prevent tabs from being detached into new windows. Accidental tab detachment is one of the most annoying Firefox bugs, and a fix for it had been sought for 9 years. The browser allows you to drag a tab into a new window with the mouse, but under certain circumstances a tab is also detached into a separate window during normal work, through a careless mouse movement while clicking on the tab.
  • Support has been discontinued for add-ons that are installed in a roundabout way and are not tied to user profiles. The change only affects the installation of add-ons in shared directories (/usr/lib/mozilla/extensions/, /usr/share/mozilla/extensions/ or ~/.mozilla/extensions/) that are processed by all instances of Firefox on the system (without being tied to a user). This method is usually used to pre-install add-ons in distributions, for unsolicited injection by third-party applications, to integrate malicious add-ons, or to ship an add-on separately with its own installer. In Firefox 73, previously force-installed add-ons were automatically moved from the shared directory to individual user profiles and can now be removed through the regular add-ons manager.
  • The Lockwise browser add-on, which offers an "about:logins" interface for managing saved passwords, has added support for sorting in reverse order (from Z to A).
  • WebRTC has increased protection against leakage of information about the internal IP address during voice and video calls by using the "mDNS ICE" mechanism, which hides the local address behind a dynamically generated random identifier resolved through Multicast DNS.
  • The position of the picture-in-picture toggle has been changed, as it overlapped the next-image button in the Instagram batch photo upload interface.
  • The "?." operator has been added to JavaScript, designed for a one-time check of an entire chain of properties or calls. For example, by specifying "db?.user?.name?.length" it is now possible to refer to the value of "db.user.name.length" without preliminary checks. If any element evaluates to null or undefined, the result will be "undefined".
  • Support for the Object.toSource() method and the global uneval() function has been discontinued for sites and add-ons.
  • A new event, languagechange_event, and the associated property onlanguagechange have been added, which allow a handler to be called when the user changes the interface language.
  • Processing of the Cross-Origin-Resource-Policy (CORP) HTTP header has been enabled. The header allows sites to prevent their resources (such as images and scripts) from being embedded by pages loaded from other domains (cross-origin and cross-site). The header can take two values: "same-origin" (allows only requests for resources with the same scheme, hostname, and port number) and "same-site" (allows only requests from the same site).

    Cross-Origin-Resource-Policy: same-site

  • The Feature-Policy HTTP header is enabled by default. It allows you to control the behavior of APIs and enable certain features (for example, you can disable access to the Geolocation API, camera, microphone, full screen transition, autoplay, encrypted-media, animation, Payment API, XMLHttpRequest synchronous behavior, etc.). For iframe blocks, there is the "allow" attribute, which can be used in the page code to assign rights to certain iframe blocks.

    Feature-Policy: microphone 'none'; geolocation 'none'

    If the site allows a specific iframe to work with a resource through the "allow" attribute, and the iframe requests permission to work with this resource, the browser now displays the permissions dialog in the context of the main page and delegates the rights confirmed by the user to the iframe (instead of separate confirmations for the iframe and the main page). However, if the main page does not have permission for the resource requested via the allow attribute, the iframe's access to the resource is blocked immediately, without displaying a dialog to the user.

  • The CSS property 'text-underline-position' is enabled by default. It defines the position of the text underline (for example, when displaying text vertically, you can place the underline on the left or right, and when displaying horizontal text, not only below but also above). Additionally, the CSS properties that control the underline style, text-underline-offset and text-decoration-thickness, now support percentage values.
  • In the CSS property outline-style, which defines the style of the line around elements, the "auto" value is enabled by default (previously it was disabled due to problems in GNOME).
  • The JavaScript debugger has gained the ability to debug nested Web Workers, the execution of which can be suspended and debugged step by step using breakpoints.


  • The interface for inspecting web pages now provides warnings for CSS properties that depend on positioned elements: z-index, top, left, bottom and right.

  • For Windows and macOS, the ability to import profiles from the Microsoft Edge browser based on the Chromium engine has been implemented.
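
How the two Cross-Origin-Resource-Policy values described in the list above play out for an embedding page, as an added example that is not part of the original article or Mozilla's code. The names corpCheck, registrableDomain and PUBLIC_SUFFIXES, the host names, and the tiny suffix list are assumptions made for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (assumption): a real check
// needs the full list to work out each host's registrable domain ("site").
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in the list: no registrable domain known
}

function sameSite(a, b) {
  const site = registrableDomain(a.hostname);
  return site !== null && site === registrableDomain(b.hostname);
}

// Decide whether a page at embedderUrl may embed resourceUrl (image, script, ...)
// when the resource's response carries the given CORP header value.
function corpCheck(embedderUrl, resourceUrl, corpHeader) {
  const embedder = new URL(embedderUrl);
  const resource = new URL(resourceUrl);
  // Same scheme, host and port: always allowed, whatever the header says.
  if (embedder.origin === resource.origin) return "allowed";
  const policy = (corpHeader || "").trim();
  if (policy === "same-origin") return "blocked"; // origins already differ
  if (policy === "same-site") {
    // Fetch specification: an http page does not count as same-site
    // for a resource served over https.
    const schemeOk = embedder.protocol === "https:" || resource.protocol !== "https:";
    return sameSite(embedder, resource) && schemeOk ? "allowed" : "blocked";
  }
  return "allowed"; // header absent or value not recognised: no restriction
}
```

Note that hosts under a shared public suffix such as github.io are different sites, so "same-site" does not let one tenant embed another tenant's resources.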
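
A way to check whether the "mDNS ICE" protection mentioned in the WebRTC item above is in effect: the added example below (not from the original article or from Firefox) reads the ICE candidate lines of an SDP description and reports which ones still expose a local address. SAMPLE_SDP, auditCandidates, isPrivateAddress and all addresses in it are constructed for illustration.

```javascript
// Constructed SDP candidate lines, as they would appear in an offer or answer.
const SAMPLE_SDP = [
  "a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
  "a=candidate:2 1 udp 2122194687 3f1c9a52-7c1e-4b7e-9d55-0c2f6a8e4b11.local 51235 typ host",
  "a=candidate:3 1 udp 1686052607 203.0.113.7 51236 typ srflx raddr 0.0.0.0 rport 0",
  "a=candidate:4 1 udp 2122260223 fd12:3456:789a::5 51237 typ host",
].join("\r\n");

// True for RFC 1918 and link-local IPv4, and for IPv6 unique-local/link-local.
function isPrivateAddress(addr) {
  const m = addr.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (m) {
    const a = Number(m[1]);
    const b = Number(m[2]);
    return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  return /^f[cd][0-9a-f]{2}:/i.test(addr) || /^fe[89ab][0-9a-f]:/i.test(addr);
}

// Classify every candidate by what its connection address reveals.
function auditCandidates(sdp) {
  const findings = [];
  for (const line of sdp.split(/\r?\n/)) {
    // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
    const m = line.match(/^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/);
    if (!m) continue;
    const address = m[5];
    let status = "public";
    if (/\.local$/i.test(address)) status = "mdns-obscured"; // random name resolved via Multicast DNS
    else if (isPrivateAddress(address)) status = "local-ip-exposed";
    findings.push({ foundation: m[1], type: m[7], address, status });
  }
  return findings;
}
```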

In addition to innovations and bug fixes, Firefox 74 fixes 20 vulnerabilities, of which 10 (collected under CVE-2020-6814 and CVE-2020-6815) are flagged as potentially allowing malicious code to be executed when specially crafted pages are opened. Recall that memory problems, such as buffer overflows and access to already freed memory areas, have recently been marked as dangerous, but not critical.

Source: opennet.ru
