CCleaner Community Forums
nodles

The Firefox/Mozilla Thread


https://blog.nightly.mozilla.org/2019/05/22/these-weeks-in-firefox-issue-59/

 These Weeks in Firefox: Issue 59
lina May 22, 2019

Highlights

    Wow, what a weekend! Hopefully your add-ons are all working now.
        A small set of users are still reporting add-on outages. We suspect that the Master Password and Anti-virus software are interfering with the original fix for those users. We’ve released 66.0.5 to try to handle those cases.
    Outreachy interns for this summer have been announced
        Mozilla is mentoring 8 students in this round. Thank you to all the mentors and all the applicants!
    The Google Summer of Code students and projects have been publicly announced! Check out what folks will be working on this summer!
    MattN wrote a blog post summarizing the Password Manager Improvements in Firefox 67

Friends of the Firefox team

Here’s a list of all resolved bugs.
Fixed more than one bug

    Chris Frey [:nautilus]
    Florens Verschelde :fvsch
    Kestrel
    lloan:[lloanalas]
    Mohd Umar Alam [:umaralam48]
    Neha
    Tim Nguyen :ntim

New contributors (🌟 = first patch)

    Chujun Lu fixed a bug where pressing the Enter key when putting a conditional breakpoint into the Debugger would incorrectly cause a linebreak
    🌟 DILIP fixed a spelling mistake in one of our console warning messages
    Chris Frey [:nautilus] converted the toolbar context menu strings to Fluent, and also fixed two other Fluent-related bugs
    jaril fixed a glitch where sometimes the Debugger would break on an exception unexpectedly
    Mariana Meireles got rid of some dead code in AboutRedirector
    🌟 Ananth fixed up a styling glitch in the Web Console for console.assert strings
    🌟 Myeongjun Go made it so that a better error message is emitted when WebExtensions attempt to insert a bookmark folder into the root folder
    🌟 Thomas made it so that we truncate very long strings in the DevTools Inspector info bar rather than let them overflow past the end of the screen
    🌟 Mohd Umar Alam [:umaralam48] made it so that the Synced Tabs toggle shows an option to “Hide” in the Synced Tabs list when the sidebar is open, and fixed a glitch where the History Sidebar toggle label was missing

Project Updates
Activity Stream

    A new Contextual Feature Recommendation for Sync is coming to the bookmark Star UI

"Sync your bookmarks everywhere" recommendation in the star UI

    A lot of improvements and fixes to the new Pocket New Tab, specifically around network failure states.

Add-ons / Web Extensions

    Rob Wu added browser console warnings in 68 for proxy APIs that will be deprecated in 71.
    Mark Striemer has finished nearly everything remaining for HTML about:addons MVP for 68.
    Shane Caraveo added cookieStoreId to webRequest APIs and exposed the private browsing flag in proxy/webRequest details.
    Luca Greco added the ability to submit an abuse report on an installed extension from about:addons.
    Kris Maglione fixed the theme header background image caching issue for converted LWTs (since they’re all static themes now).
    …and everyone is reviewing like crazy to get things in 68 as planned because this weekend was “relaxing downtime” before soft code freeze.

Applications
Lockwise

    Rebranding going on this week.
    The team is working on polishing the extension for an initial release, and then integrating the extension into desktop Firefox.

Firefox Accounts

    Ed and Vlad are finalizing the sign-in UX for Fenix, our next-generation Android browser 🚦
    Ed landed Rust APIs for FxA device registration and New Send Tab. Grisha is working on integrating this into Android Components so that Fenix can use it 📑

Sync and Storage

    Mark has an RFC for a sync manager in Rust, to orchestrate syncing of multiple data types 🔄
    Thom landed code to import Firefox for iOS bookmarks into the Rust bookmarks component. The next iOS release will use the bookmarks component, and offer bookmark editing! 🔖
    Ed is continuing to migrate our crypto backend to NSS 🔒
    Lina has been working on adding telemetry for Android and iOS 🔍, and enabled the new bookmark sync by default in Nightly and Beta 📚

Push

    Jonathan and JR are bringing Push for internal Mozilla consumers (New Send Tab, FxA verification) to Fenix! 📣

Browser Architecture

    RKV conversions have been rolled back for now while we investigate issues migrating from 32-bit to 64-bit builds.
    browser.html conversion ready to go, but waiting until the next cycle.
    Fluent cache for chrome documents ready to land. This will fix corner cases where DOM mutations might not trigger Fluent updates.

Developer Tools
Console

    Jefry Lagrange added a way to export console output to a file in bug 1517728.
    “Copy as Fetch” and “Use in console” have been added to the network monitor context menu in bug 1540054.
    When CSS warnings are displayed in the console, you can now expand them (like a console group) to reveal all the DOM nodes that this warning applies to. So it allows you to jump from a CSS warning in the console directly to the inspector.

Screenshot of expanded CSS warning showing affected elements
Debugger

    Work on DOM & Event breakpoints started
    Progress with captured stacks for various errors appearing in the Console panel (for web developers) or Browser Console window (for browser + addon developers).

Network

    Local HTTP requests are marked as secure now (bug).

Screenshot of `localhost` with green lock icon in Network monitor
Remote Debugging

    DevTools shortcuts now supported in about:devtools-toolbox (bug)
    Favicons and user friendly titles for about:debugging and about:devtools-toolbox (bug)

Screenshot of wrench and window favicons for debugging and toolbox

    Closable error messages (and UI cleanup) (bug)

Screenshot of "connection failed" error and "connection still pending" warning with close buttons
Documentation

    New MDN page for Logpoints
    Set a breakpoint page updated to show column breakpoints

Fission

    Subframe crashing UI landed
    Here’s a video demonstration
    Enn is working on getting BrowserTabChild ported to Fission
    mconley is going to work on getting PermitUnload working properly with out-of-process iframes

Lint

    l1nt, which checks for common mistakes in en-US files, and warns on ID conflicts between central/beta/release, is now enabled.
        Example on phabricator: https://phabricator.services.mozilla.com/D29001
        autoland: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&group_state=expanded&revision=2f1af0a1f129d6af5073c1b53fd15bc5bacb50b0&selectedJob=245063123

Mobile
Android Components

    Support for built-in WebExtensions has been added! The new Reader View feature component (in Fenix and Reference Browser) is built on top of this.

Password Manager

    Work continues on the breakdown of integrating the new management UI, a base patch for the desktop implementation is ready to land.
    Minimal scope for password generation via autocomplete was defined and most bugs have been filed.
    Data on adoption of autocomplete=“new-password” was gathered as part of the password generation investigation.

Performance

    New startup main-thread IO test will be enabled on non-debug Desktop builds soon!
    Patch to not load userContent.css in the parent process landed and bounced. After some discussion, we’ve decided to put loading userChrome.css and userContent.css behind a default-off pref
        This should allow us to avoid searching the disk for those files on start-up for users that don’t have those customizations, which will improve start-up performance.
        aswan did some detective work and found some nice places where we can improve start-up time in the AddonManager for brand new profiles
    dthayer is investigating compressing various things with lz4 rather than deflate
    Gijs has a patch underway to avoid reading chrome.manifest files when not necessary
    Gijs made file renaming / moving cheaper on Windows in the common case

Performance tools

    Welcoming Raj Meghpara, our new GSoC student! He’s going to work on Instruments import support for Firefox Profiler.
    Network tooltips are now displayed as soon as the line is hovered.
    The publishing flow has been streamlined (ux issue)

New look of publish panel in Firefox Profiler with inverted checkboxes

    More tools in the web console:

List of available profiler information in the console

    MOZ_PROFILER_HELP env variable gives help to profile Firefox startup.

Picture-in-Picture

    Holding to Nightly while we iterate.
    Please keep filing bugs against this meta bug if you notice anything strange. Thanks!
    Fixed
        Clicking on the Picture-in-Picture toggle no longer sends mouse events to content
        The toggle no longer appears when in fullscreen
        The controls (mostly) disappear after 3 seconds on the player window when not hovering
        Fixed strange borders showing up when switching focus between the player window and other windows
        Made the player window easier to resize
    Soon to be fixed
        Player buttons look strange on “tall” videos
        RTL support
        Keyboard accessibility
        And loads of polish!

Privacy/Security

    To combat malicious malware sites, Paul made us disallow add-on installation prompts in full-screen.
    Because it went so well, we are going to extend our experiment for requiring user interaction for Notification permission prompts to Beta.
        Another blog post coming soon
        We also landed the telemetry pieces to do the announced release measurements on permission prompt usage in 67 release. This will hopefully allow us to narrow down on a set of good heuristics for automatically blocking.
    Prathiksha landed the first piece of her internship project to simplify and robust-ify the way about:certerror communicates with the parent process.
    Jonas continues to remove all the eval() usage in our chrome-privileged code.
    Small improvements to DNS over HTTPS UI in settings/preferences let you pick from resolvers

Search and Navigation
Search

    Looking into consequences and prevention after the add-ons certificate problem: Search Service initialization should be more robust
    New Baidu search code deployed as system add-on

Quantum Bar

    Fixed 19 Bugs in the last 2 weeks
    Quantum Bar is enabled by default in Firefox 68 🎉🎉🎉
    Still working on a few remaining bugs
    Designing and discussing WebExtension APIs for the first experiment

Quote

 

Google views ad blocking as a business risk and restricts ad blocking in Chrome

but with Mozilla's Firefox browser, uBlock Origin, uMatrix and Privacy Badger will continue to work. :-)

 

 


So essentially then this version of SRWare Iron I'm using is the last version then if the dev doesn't modify/undo what Google is doing.


The new firefox branding seems to be launching


 

 


belated ff 67.0.2 ...

 

11. june 2019

 

Fixed

  • Fix JavaScript error ("TypeError: data is null in PrivacyFilter.jsm") in console which may significantly degrade sessionstore reliability and performance (bug 1553413)

  • Proxy authentication dialog box repeatedly pops up asking to authenticate after upgrading to Firefox 67 (bug 1548804)

  • Pearson MyCloud breaks if FIDO U2F is not Chrome's implementation (bug 1551282)

  • Starting in safe mode on Linux or macOS causes Firefox to think on the subsequent launch that the profile is too recent to be used with this version of Firefox (bug 1556612)

  • Linux distribution users can't easily install/use additional/different languages using the built-in preferences UI (bug 1554744)

  • Developer tools users can't copy the href/src content from various HTML tags via the context menu in the Inspector markup view (bug 1552275)

  • Custom home page is broken with clearing data on shutdown settings applied (bug 1554167)

  • Performance-regression for eclipse RAP based applications (bug 1555962)

  • macOS 10.15 crash fix (bug 1556076)

  • Can't start two downloads in parallel via <a download> anymore (bug 1542912)


ff v60.7.1 esr

 

18. june 2019

 

Fixed

Quote

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.

Developer


ff.v68.0 esr is near :-) perhaps 9. july 2019


ff v60.7.2 esr

 

20. june 2019

 

Fixed

 

Quote

CVE-2019-11708: sandbox escape using Prompt:Open

Reporter
Coinbase Security
Impact
high
Description

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer.

 

Quote

Windows Background Intelligent Transfer Service (BITS) responsible for downloading Windows Updates is going to download Firefox updates in the background even when the browser is not running or closed in upcoming Firefox release. Mozilla to use BITS for Firefox 68 to update browser whereas from version 70 onwards they are going to use BITS via a dedicated “Background Update agent” to install Firefox updates.

 

https://techdows.com/2019/06/mozilla-to-use-bits-and-a-background-update-agent-to-update-firefox-on-windows.html

6 hours ago, hazelnut said:

"the agent is aimed at users on slow connections"

I'm not buying that. That's an almost non-existent issue in this day and age. My cynical side thinks this will be for more than one way traffic <_<

6 minutes ago, JDPower said:

"the agent is aimed at users on slow connections"

I'm not buying that. That's an almost non-existent issue in this day and age. My cynical side thinks this will be for more than one way traffic <_<

Obviously you've never been in rural america where even broadband speeds are as slow as a 1990s' modem

17 minutes ago, Nergal said:

Obviously you've never been in rural america where even broadband speeds are as slow as a 1990s' modem

It's not exactly a rising issue that needs addressing. It's a bit like making the entire planet take vitamin C tablets cos there are still some people that get scurvy.

And those people in rural America have presumably coped perfectly well updating their browser for the last 20 years. Just doesn't add up to cynical old me ^_^


Enabling BITS on nightly for me results in the update downloading only after pages have loaded


ff v68.0

 

09. july 2019

 

New

  • Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars.

  • Improved extension security and discovery:

    • New reporting feature in about:addons allows you to report security and performance issues with extensions and themes.
    • Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension.
    • Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. "Recommended” badges for these extensions also appear on AMO. More extensions will be added over time.
  • Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences.

  • WebRender will roll out to Windows 10 users with AMD graphics cards.

  • Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed.

Fixed

  • Various security fixes

  • Local files can no longer access other files in the same directory.

Changed

  • Unified existing locales (bn-BD, bn-IN) under a single Bengali (bn) localization.

  • The following unmaintained translations have been removed: Assamese (as), English - South Africa (en-ZA), Maithili (mai), Malayalam (ml), Odia (or). Existing users will be migrated to the British English (en-GB) version.

  • When an HTTPS error caused by antivirus software is detected, Firefox will attempt to automatically fix it

  • Camera and microphone access now require an HTTPS connection.

  • The way non-default preferences are synced has changed. Please see this support article for more details

Enterprise

  • For all operating systems, we have a number of additional policies including:

    • New tab page configuration and disabling
    • Local file links
    • Download behavior
    • Search suggestions
    • Managed storage for using policies in Webextensions
    • Extension whitelisting and blacklisting by ID and website
    • A subset of commonly used Firefox preferences

    You can see a full list of policies here.

Developer

  • Firefox Developer Tools now offers a full page color contrast audit that identifies all elements on a page that fail color contrast checks.

  • Added about:compat, where website-specific workarounds are listed and may be toggled. These workarounds are meant as temporary fixes for various forms of website breakage for Firefox, while the website fixes them in due time. With about:compat, it is now easy to see all of the workarounds that are active in Firefox, and easy for website developers to disable a given workaround for testing purposes.

  • Introduces CSS Scroll Snap module that enforces scroll snap positions.

unresolved

  • The new URL bar implementation does not handle javascript: bookmarklets triggered via bookmark keywords correctly yet (bug 1552141)


ff v60.8.0 esr

 

09. july 2019

 

Fixed

 

Security vulnerabilities fixed in Firefox ESR 60.8

Announced
July 9, 2019
Impact
critical
Products
Firefox ESR
Fixed in
  • Firefox ESR 60.8

CVE-2019-9811: Sandbox escape via installation of malicious language pack

Reporter
Niklas Baumstark
Impact
high
Description

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.

References

CVE-2019-11711: Script injection within domain through inner window reuse

Reporter
Boris Zbarsky
Impact
high
Description

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.

References

CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

Reporter
Gregory Smiley of Security Compass
Impact
high
Description

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

References

CVE-2019-11713: Use-after-free with HTTP/2 cached stream

Reporter
Hanno Böck
Impact
high
Description

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.

References

CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

Reporter
Jonas Allmann
Impact
moderate
Description

Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used.

References

CVE-2019-11715: HTML parsing error can contribute to content XSS

Reporter
Linus Särud
Impact
moderate
Description

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.

References

CVE-2019-11717: Caret character improperly escaped in origins

Reporter
Tyson Smith
Impact
moderate
Description

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes.

References

CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

Reporter
Henry Corrigan-Gibbs
Impact
moderate
Description

When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.

References

CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

Reporter
Luigi Gubello
Impact
moderate
Description

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.

References

CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

Reporter
Mozilla developers and community
Impact
critical
Description

Mozilla developers and community members Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

References


ff v68.0 esr

 

09. july 2019

 

New

  • A number of features improve the browser experience in enterprise settings.

    • MSI installer file type is included in this release, helping make deployments in the Windows environment easier and more flexible.
    • Configuration profiles in macOS
    • The ability to read added certificates roots from the macOS Keychain

    • For all operating systems, we have a number of additional policies including:

    • New tab page configuration and disabling
    • Local file links
    • Download behavior
    • Search suggestions
    • Managed storage for using policies in Webextensions
    • Extension configuration (allow/deny) by ID and website
    • A subset of commonly used Firefox preferences

    You can see a full list of policies here.

  • User and enterprise added certificates are read from the operating system by default.

Fixed

  • Local files can no longer access other files in the same directory.

Changed

unresolved

  • Windows Background Intelligent Transfer Service (BITS) update download for proxy users with authentication will fall back to legacy update system on Windows (bug 1561200)

  • Service workers and push notifications remain disabled in Firefox ESR


I updated to 68.0.1 and the contrast changed; all the screen colours in the Firefox browser now look 'washed out'.

Has anybody else been affected in this way?

EDIT.
Looks as if it may not have been FFx that caused this.
I had installed some CAD software yesterday, reverting back to the restore point from that installation seems to have cleared the issue.


ff v68.0.1

 

18. july 2019

 

New

  • macOS releases are now signed by the Apple notary service, allowing Firefox to properly run on macOS 10.15 Beta releases

Fixed

  • Fixed missing Full Screen button when watching videos in full screen mode on HBO GO (bug 1562837)

  • Fixed a bug causing incorrect messages to appear for some locales when sites try to request the use of the Storage Access API (bug 1558503)

  • Users in Russian regions may have their default search engine changed (bug 1565315)

  • Built-in search engines in some locales do not function correctly (bug 1565779)


ff v68.0.1 esr

 

18. july 2019

 

the same as ff v68.0.1

and

Enterprise

  • Enterprise Policy improvements:

    • SupportMenu policy doesn't always work (bug 1553290)
    • Allow the new ExtensionSettings policy to work with GPO on Windows (bug 1553586)
    • Allow the privacy.file_unique_origin pref to be controlled by policy (bug 1563759)
