Mozilla has released the so-anticipated version 60 of the popular cross-platform web browser Firefox. Our passionate developers at Browserling already installed it on our machines so that you don't have to wait for it to try it and test your web apps on it.
Screenshot not enough? Try it yourself here:
What's new in Firefox 60?
- Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file.
- Enhancements to New Tab / Firefox Home, in particular, responsive layout that shows more content for users with wide-screen displays, highlights section includes web sites saved to Pocket, more options to reorder sections and content on the page, pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content.
- Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies.
- Applied Quantum CSS to render browser UI.
- Added support for Web Authentication API, which allows USB tokens for website authentication.
- Enhanced camera privacy indicators.
- Added an option for Linux users to show or hide page titles in a bar at the top of the browser.
- Improved WebRTC audio performance and playback for Linux users.
- On-by-default support for draft-23 of the TLS 1.3 specification.
- Locale added: Occitan (oc).
- Changed the Windows shortcut for entering Reader View to F9, for better compatibility with keyboard layouts that use AltGr.
- Bookmarks no longer support multiple keywords for the same URL unless the request has different POST data.
- TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted by Firefox.
- Updated the Skia graphics library to milestone 66.
Changes for web developers in Firefox 60
- In the CSS Pane rules view, the keyboard shortcuts for precise value increments have changed from Alt + Up/Down to Ctrl + Up/Down on Linux and Windows, to avoid clashes with default OS-level shortcuts.
- Also in the CSS Pane rules view, CSS variable names will now auto-complete.
- In Responsive Design Mode, a Reload when... dropdown has been added to allow users to enable/disable automatic page reloads when touch simulation is toggled, or simulated user agent is changed.
- The view_source.tab preference has been removed so you can no longer toggle View Source mode between appearing in a new tab or new window. Page sources will always appear in new tabs from now on.
- Pressing the Enter key in designMode and contenteditable now inserts
<div>elements when the caret is in an inline element or text node which is a child of a block level editing host — instead of inserting
<br>elements like it used to.
place-contentproperty values have been updated as per the latest CSS Box Alignment Module Level 3.
paint-orderproperty has been implemented.
- ECMAScript 2015 modules have been enabled by default.
- The Array.prototype.values() method has been added again.
- The Web Authentication API has been enabled.
- In the Web Authentication API, the
MakePublicKeyCredentialOptionsdictionary object has been renamed
dom.workers.enabledpref has been removed, meaning workers can no longer be disabled.
bodyproperty is now implemented on the
Documentinterface, rather than the
PerformanceResourceTimingis now available in workers.
PerformanceObserver.takeRecords()method has been implemented.
KeyboardEvent.keyCodeattribute of punctuation key becomes non-zero even if the active keyboard layout doesn't produce ASCII characters.
Animation.updatePlaybackRate()method has been implemented.
- New rules have been included for determining keyCode values of punctuation keys.
- The Gecko-only options object
storageoption of the
IDBFactory.open()method has been deprecated.
- Promises can now be used within IndexedDB code.
Media and WebRTC
- When recording or sharing media obtained using
getUserMedia(), muting the camera by setting the corresponding track's
MediaStreamTrack.enabledproperty to false now turns off the camera's "in use" indicator light, to help the user more easily see that the camera is not in use.
- Removing a track from an
removeTrack()no longer removes the track's
RTCRtpSenderfrom the peer connection's list of senders as reported by
RTCRtpSynchronizationSourceobjects' timestamps were previously being reported based on values returned by
- As per spec, the
ConvolverNode()constructor now throws a
NotSupportedErrorif the referenced
AudioBufferdoes not have 1, 2, or 4 channels.
- The obsolete
RTCPeerConnection.onremovestreamhas been removed.
- The primary name for
RTCDataChannelis now in fact
RTCDataChannel, instead of being an alias for
Canvas and WebGL
- If the
privacy.resistFingerprintingpreference is set to true, the
WEBGL_debug_renderer_info WebGLextension will be disabled from now on.
X-Content-Type-Optionsheader, when set to
- Fetches that include credentials can now share connections with fetches that don't include credentials. For example, if the same origin requests some web fonts as well as some credentialed user data from the same CDN, both could share a connection, potentially leading to a quicker turnaround.
Removals from the web platformSection
- The proprietary
-moz-user-inputproperty's enabled and disabled values are no longer available.
- The proprietary
-moz-border-left-colorsproperties have been removed from the platform completely.
- The non-standard expression closure syntax has been removed.
Changes for add-on and Mozilla developers
- headerURL is now optional
- When creating a browser theme, any
text-shadowapplied to the header text is removed if no
- New properties are supported: tab_line, tab_selected, popup, popup_border, popup_text, tab_loading, icons, icons_attention, frame_inactive, button_background_active, button_background_hover.
Fixes in Firefox 60
- CVE-2018-5154: Use-after-free with SVG animations and clip paths.
- CVE-2018-5155: Use-after-free with SVG animations and text paths.
- CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files.
- CVE-2018-5159: Integer overflow and out-of-bounds write in Skia.
- CVE-2018-5160: Uninitialized memory use by WebRTC encoder.
- CVE-2018-5152: WebExtensions information leak through webRequest API.
- CVE-2018-5153: Out-of-bounds read in mixed content websocket messages.
- CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace.
- CVE-2018-5166: WebExtension host permission bypass through filterReponseData.
- CVE-2018-5168: Lightweight themes can be installed without user interaction.
- CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages.
- CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer.
- CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters.
- CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update.
- CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies.
- CVE-2018-5176: JSON Viewer script injection.
- CVE-2018-5177: Buffer overflow in XSLT during number formatting.
- CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox.
- CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced.
- CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink.
- CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar.
- CVE-2018-5151: Memory safety bugs fixed in Firefox 60.
- CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8.
Unresolved issues in Firefox 60
- After disabling Sponsored Stories from the New Tab page settings, the next opened tab may still show a sponsored tile.
- WebVR does not work on macOS with Vive headsets.
Have a great time cross-browser testing with Browserling!
Email this blog post to your friends or yourself!
Enter a URL to test, choose platform, browser and version, and you'll get a live interactive browser in 5 seconds!