Posted on May 5, 2018
Mozilla has released the much-anticipated version 60 of the popular cross-platform web browser Firefox. Our passionate developers at Browserling have already installed it on our machines, so you don't have to wait to try it and test your web apps in it.
What's new in Firefox 60?
- Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file.
- Enhancements to New Tab / Firefox Home: a responsive layout that shows more content for users with wide-screen displays, a Highlights section that includes web sites saved to Pocket, and more options to reorder sections and content on the page. Pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content.
- Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies.
- Applied Quantum CSS to render browser UI.
- Added support for Web Authentication API, which allows USB tokens for website authentication.
- Enhanced camera privacy indicators.
- Added an option for Linux users to show or hide page titles in a bar at the top of the browser.
- Improved WebRTC audio performance and playback for Linux users.
- On-by-default support for draft-23 of the TLS 1.3 specification.
- Locale added: Occitan (oc).
- Changed the Windows shortcut for entering Reader View to F9, for better compatibility with keyboard layouts that use AltGr.
- Bookmarks no longer support multiple keywords for the same URL unless the request has different POST data.
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted by Firefox.
- Updated the Skia graphics library to milestone 66.
Changes for web developers in Firefox 60
Developer tools
- In the CSS Pane rules view, the keyboard shortcuts for precise value increments have changed from Alt + Up/Down to Ctrl + Up/Down on Linux and Windows, to avoid clashes with default OS-level shortcuts.
- Also in the CSS Pane rules view, CSS variable names will now auto-complete.
- In Responsive Design Mode, a Reload when... dropdown has been added to allow users to enable/disable automatic page reloads when touch simulation is toggled, or simulated user agent is changed.
- The view_source.tab preference has been removed so you can no longer toggle View Source mode between appearing in a new tab or new window. Page sources will always appear in new tabs from now on.
HTML
- Pressing the Enter key in designMode and contenteditable now inserts <div> elements when the caret is in an inline element or text node which is a child of a block level editing host, instead of inserting <br> elements like it used to.
CSS
- The align-content, align-items, align-self, justify-content, and place-content property values have been updated as per the latest CSS Box Alignment Module Level 3.
- The paint-order property has been implemented.
JavaScript
- ECMAScript 2015 modules have been enabled by default.
- The Array.prototype.values() method has been added again.
New APIs
- The Web Authentication API has been enabled.
DOM
- In the Web Authentication API, the MakePublicKeyCredentialOptions dictionary object has been renamed PublicKeyCredentialCreationOptions.
- The dom.workers.enabled pref has been removed, meaning workers can no longer be disabled.
- The body property is now implemented on the Document interface, rather than the HTMLDocument interface.
- PerformanceResourceTiming is now available in workers.
- The PerformanceObserver.takeRecords() method has been implemented.
- The KeyboardEvent.keyCode attribute of punctuation key becomes non-zero even if the active keyboard layout doesn't produce ASCII characters.
- The Animation.updatePlaybackRate() method has been implemented.
- New rules have been included for determining keyCode values of punctuation keys.
- The Gecko-only options object storage option of the IDBFactory.open() method has been deprecated.
- Promises can now be used within IndexedDB code.
Media and WebRTC
- When recording or sharing media obtained using getUserMedia(), muting the camera by setting the corresponding track's MediaStreamTrack.enabled property to false now turns off the camera's "in use" indicator light, to help the user more easily see that the camera is not in use.
- Removing a track from an RTCPeerConnection using removeTrack() no longer removes the track's RTCRtpSender from the peer connection's list of senders as reported by getSenders().
- The RTCRtpContributingSource and RTCRtpSynchronizationSource objects' timestamps were previously being reported based on values returned by Date.getTime().
- As per spec, the ConvolverNode() constructor now throws a NotSupportedError if the referenced AudioBuffer does not have 1, 2, or 4 channels.
- The obsolete RTCPeerConnection event handler RTCPeerConnection.onremovestream has been removed.
- The primary name for RTCDataChannel is now in fact RTCDataChannel, instead of being an alias for DataChannel.
Canvas and WebGL
- If the privacy.resistFingerprinting preference is set to true, the WEBGL_debug_renderer_info WebGL extension will be disabled from now on.
Security
- The X-Content-Type-Options header, when set to nosniff, now follows the specification for JavaScript MIME types.
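The nosniff rule from the Security note above, modelled as an added example (not code from the original post or from Firefox): it applies the Fetch Standard's check with the JavaScript MIME type list from the WHATWG MIME Sniffing Standard to constructed responses with hypothetical URLs. A site owner can run the same logic over their own responses to find scripts or stylesheets that a nosniff-enforcing browser would refuse.

```javascript
// JavaScript MIME type essences from the WHATWG MIME Sniffing Standard.
const JAVASCRIPT_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);
// Request destinations the Fetch Standard treats as script-like.
const SCRIPT_LIKE = new Set(["audioworklet", "paintworklet", "script",
  "serviceworker", "sharedworker", "worker"]);
// Reduce a Content-Type value to its lower-cased "type/subtype" essence.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// nosniff is in effect when the header's first comma-separated value matches it, ignoring case.
function hasNosniff(value) {
  return String(value ?? "").split(",")[0].trim().toLowerCase() === "nosniff";
}

// True when a response would be refused for this request destination.
function blockedByNosniff(destination, headers) {
  if (!hasNosniff(headers["x-content-type-options"])) return false;
  const essence = mimeEssence(headers["content-type"]);
  if (SCRIPT_LIKE.has(destination)) return !JAVASCRIPT_MIME_ESSENCES.has(essence);
  if (destination === "style") return essence !== "text/css";
  return false;
}

// Constructed sample responses (hypothetical URLs), header names lower-cased.
const resp = (url, destination, type, xcto) =>
  ({ url, destination, headers: { "content-type": type, "x-content-type-options": xcto } });
const SAMPLE_RESPONSES = [
  resp("/app.js", "script", "text/javascript; charset=utf-8", "nosniff"),
  resp("/legacy.js", "script", "text/plain", "nosniff"),
  resp("/data.json", "script", "application/json", "nosniff"),
  resp("/worker.js", "worker", "application/octet-stream", "NoSniff, other"),
  resp("/old.js", "script", "text/plain", undefined),
  resp("/theme.css", "style", "text/html", "nosniff"),
];

// URLs in a response set that a nosniff-enforcing browser would refuse.
const auditResponses = (rs) =>
  rs.filter(r => blockedByNosniff(r.destination, r.headers)).map(r => r.url);
console.log(auditResponses(SAMPLE_RESPONSES));
```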
Other
- Fetches that include credentials can now share connections with fetches that don't include credentials. For example, if the same origin requests some web fonts as well as some credentialed user data from the same CDN, both could share a connection, potentially leading to a quicker turnaround.
Removals from the web platform
CSS
- The proprietary -moz-user-input property's enabled and disabled values are no longer available.
- The proprietary -moz-border-top-colors, -moz-border-right-colors, -moz-border-bottom-colors, and -moz-border-left-colors properties have been removed from the platform completely.
JavaScript
- The non-standard expression closure syntax has been removed.
Changes for add-on and Mozilla developers
Theme API
- headerURL is now optional
- When creating a browser theme, any text-shadow applied to the header text is removed if no headerURL is specified.
- New properties are supported: tab_line, tab_selected, popup, popup_border, popup_text, tab_loading, icons, icons_attention, frame_inactive, button_background_active, button_background_hover.
Fixes in Firefox 60
- CVE-2018-5154: Use-after-free with SVG animations and clip paths.
- CVE-2018-5155: Use-after-free with SVG animations and text paths.
- CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files.
- CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer.
- CVE-2018-5159: Integer overflow and out-of-bounds write in Skia.
- CVE-2018-5160: Uninitialized memory use by WebRTC encoder.
- CVE-2018-5152: WebExtensions information leak through webRequest API.
- CVE-2018-5153: Out-of-bounds read in mixed content websocket messages.
- CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache.
- CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace.
- CVE-2018-5166: WebExtension host permission bypass through filterResponseData.
- CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger.
- CVE-2018-5168: Lightweight themes can be installed without user interaction.
- CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages.
- CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer.
- CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters.
- CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update.
- CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies.
- CVE-2018-5176: JSON Viewer script injection.
- CVE-2018-5177: Buffer overflow in XSLT during number formatting.
- CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox.
- CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced.
- CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink.
- CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar.
- CVE-2018-5151: Memory safety bugs fixed in Firefox 60.
- CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8.
Unresolved issues in Firefox 60
- After disabling Sponsored Stories from the New Tab page settings, the next opened tab may still show a sponsored tile.
- WebVR does not work on macOS with Vive headsets.
Have a great time cross-browser testing in Firefox 60 and Browserling!