Hooray! Firefox 59 just came out today and we just got it installed on our browser cloud so that you can test your webapps with it already.

Firefox 59

You can try it even from here:

What's new in Firefox 59?

  • Performance enhancements: Faster load times for content on the Firefox Home page, faster page load times by loading either from the networked cache or the cache on the user’s hard drive (Race Cache With Network), improved graphics rendering using Off-Main-Thread Painting (OMTP) for Mac users (OMTP for Windows was released in Firefox 58).
  • Drag-and-drop to rearrange Top Sites on the Firefox Home page, and customize new windows and tabs in other ways.
  • Added features for Firefox Screenshots: Basic annotation lets the user draw on and highlight saved screenshots, Recropping to change the viewable area of saved screenshots, Enhanced WebExtensions API including better support for decentralized protocols and the ability to dynamically register content scripts.
  • Improved Real-Time Communications (RTC) capabilities.
  • Implemented RTP Transceiver to give pages more fine grained control over calls.
  • Implemented features to support large scale conferences.
  • Added support for W3C specs for pointer events and improved platform integration with added device support for mouse, pen, and touch screen pointer input.
  • Added the Ecosia search engine as an option for German Firefox.
  • Added the Qwant search engine as an option for French Firefox.
  • Added settings in about:preferences to stop websites from asking to send notifications or access your device’s camera, microphone, and location, while still allowing trusted websites to use these features.
  • Firefox Private Browsing Mode will remove path information from referrers to prevent cross-site tracking.

Changes for web developers in Firefox 59

Developer tools

  • The Network Monitor Response tab now shows a preview of the rendered HTML — if the response is HTML.
  • Cookie information shown in the Storage Inspector now includes a sameSite column showing what the same-site status of each cookie is.
  • The Rulers tool now includes a readout showing the current dimensions of the viewport.
  • In Responsive Design Mode, you can now set the screen dimensions using the cursor keys.
  • The Raw headers display in the Network Monitor Headers tab now includes the response's status code.


  • The <textarea> element's autocomplete attribute has been implemented.
  • Removed the non-standard version parameter of the <script> element's type attribute.


  • The overscroll-behavior property and its associated longhand properties — overscroll-behavior-x and overscroll-behavior-y — have been implemented, and it has been enabled by default on all releases.
  • The behavior of "unusual elements" when given a display value of contents has been updated as per spec.
  • position sticky is now supported on appropriate HTML table parts.
  • calc() is now supported in <color> values — rgb(), rgba(), hsl(), and hsla().
  • calc() in media query values is now supported.
  • The @document at-rule has been limited to use only in user and UA sheets.
  • Implement the font-optical-sizing property.
  • Removed the proprietary mozmm <length> unit.
  • The proprietary -moz-border-top-colors,-moz-border-right-colors, -moz-border-bottom-colors, and -moz-border-left-colors properties have been limited to usage in chrome code only.


  • Non-standard conditional catch clauses have been remove.


  • PointerEvents have been enabled in Firefox Desktop.
  • The non-standard method Event.getPreventDefault() has been removed
  • The propretary Navigator.mozNotification property and DesktopNotification interface have been removed, in favor of the standard Notifications API.
  • The proprietary window.external.addSearchEngine() method has been removed.
  • The non-standard Firefox-only HTMLMediaElement property mozAutoplayEnabled has been removed.


  • The EventTarget() constructor has been implemented.
  • The Response() constructor can now accept a null value for its body parameter, as per spec.


  • Support for SMIL's accessKey feature has been removed.

DOM events

  • The Event.composedPath() method has been implemented.

Service workers

  • The service worker Clients API can now find and communicate with windows in a separate browser process.
  • Nested about:blank and about:srcdoc iframes will now inherit their parent's controlling service worker.
  • When a service worker provides a Response to FetchEvent.respondWith(), the Response.url value will not be propagated to the intercepted network request as the final resolved URL.
  • FetchEvent.respondWith() will now trigger a network error if the FetchEvent.request.mode is "same-origin" and the provided Response.type is "cors".

Media and WebRTC

  • The MediaStreamTrack property MediaStreamTrack.muted, along with the events mute and unmute and the corresponding event handlers, onmute and onunmute, have been implemented.
  • Firefox 59 on Android now supports Apple's HTTPS Live Streaming (HLS) protocol for both audio and video.
  • The RTCRtpReceiver methods getContributingSources() and getSynchronizationSources() have been implemented to provide information about the sources of each RTP stream.
  • The RTCRtpTransceiver interface has now been implemented, since the Firefox implementation of WebRTC now supports transceivers, with RTCPeerConnection and other interfaces updated to use them per the latest specification.
  • The RTCPeerConnection.addTransceiver() method has been added. In addition, the behavior of addTrack() has been updated to create a transceiver as required.
  • Support for WebVTT regions was implemented in Firefox 58 but disabled by default.
  • Firefox now supports WebVTT REGION definition blocks whose settings list has one setting per line instead of all of the settings being on the same line of the WebVTT file.


  • The CSSNamespaceRule interface and its namespaceURL and prefix properties have been implemented.


  • Top-level navigation to data: URIs has been blocked.
  • The SAMEORIGIN directive of the X-Frame-Options header has been changed so that it checks not only the top-level IFrame is in the same origin, but all its ancestors as well.
  • Image resources loaded from different origins to the current document are no longer able to trigger HTTP authentication dialogs.
  • HTTP authentication now uses utf-8 encoding for usernames and passwords for parity with other browsers, and to avoid potential problems.
  • Everyday the HSTS preload list is updated from Google. Normally this doesn't warrant a note, but in this release new TLDs were included, notably .app and .dev.

Other changes for web developers

  • Support for the non-standard pcast: and feed: protocols has been removed from Firefox.

Changes for add-on and Mozilla developers

Theme updates

  • New properties: colors.background_tab_text, colors.toolbar_field_border
  • All color properties now support both Chrome-style arrays and CSS color values.

New browser settings

  • Added contextMenuShowEvent, openBookmarksInNewTabs, openSearchResultsInNewTabs, and proxyConfig settings

New tabs APIs

  • Added tabs.captureTab(), tabs.hide(), and tabs.show() functions.
  • The contextMenus API now supports a "bookmark" context.
  • New contentScripts API enables runtime registration of content scripts.
  • New pageAction, browserAction, SidebarAction APIs:
  • browserAction/pageAction/sidebarAction.set* functions now accept null to undo changes.
  • browserAction.isEnabled(), pageAction.isShown(), sidebarAction.isOpen() functions.
  • New option in page_action to show page actions by default.
  • New values for protocol_handers: "ssb" for Secure Scuttlebutt communications, "dat" for DATproject and "ipfs", "ipns", "dweb" for IPFS
  • New privacy.websites setting "cookieConfig".
  • Support in cookies API for first-party isolation.
  • New option upgradeToSecure in webRequest.

Bug fixes in Firefox 59

  • CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList.
  • CVE-2018-5128: Use-after-free manipulating editor selection ranges.
  • CVE-2018-5129: Out-of-bounds write with malformed IPC messages.
  • CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption.
  • CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources.
  • CVE-2018-5132: WebExtension Find API can search privileged pages.
  • CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized.
  • CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions.
  • CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts.
  • CVE-2018-5136: Same-origin policy violation with data: URL shared workers.
  • CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources.
  • CVE-2018-5138: Android Custom Tab address spoofing through long domain names.
  • CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol.
  • CVE-2018-5141: DOS attack through notifications Push API.
  • CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs.
  • CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar.
  • CVE-2018-5126: Memory safety bugs fixed in Firefox 59.
  • CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7.


Unresolved issues in Firefox 59

  • Windows 7 users using accessibility services (like the Windows On-Screen Keyboard) may observe browser crashes after the update to Firefox 59. As a workaround, affected users can prevent external apps from triggering accessibility services in Firefox.
  • No sound in Firefox 58 and 59 on Linux in some configurations.

Have fun cross-browser testing your webapps in Firefox 59!