Mozilla just released Firefox 88 and we rushed to install it on our virtual browser cloud. In this blog post, we'll summarize the new features and changes in this Firefox version so that you know what to expect when cross-browser testing your webapps in it.

Firefox 88 About Dialog

Try Browserling on Firefox 88 now!

New in Firefox 88

  • Enhanced privacy protection - To protect against cross-site privacy leaks, Firefox 88 now isolates window.name data to the website that created it.
  • JavaScript support in PDF forms - Firefox 88 now executes JavaScript in PDF forms that's used for input validation and other interactive features.
  • Smooth pinch-zooming in Linux - As Linux has evolved with new touchpad drivers, Firefox 88 now supports smooth pinch-zoom gesture on Linux.
  • Margin units in Print Dialog are now localized - Depending on your location, margin units are now automatically selected in centimeters or inches.

Changes in Firefox 88

  • Less nagging - Firefox 88 will not prompt for access to your microphone or camera if you've already granted access to the same device on the same site in the same tab within the past 50 seconds. This new grace period reduces the number of times you're prompted to grant device access.
  • Take a screenshot has been moved - The "Take a Screenshot" feature was removed from the Page Actions menu in the url bar. To take a screenshot, right-click to open the context menu. You can also add a screenshots shortcut directly to your toolbar via the Customize menu. Open the Firefox menu and select Customize.
  • FTP is gone - FTP support has been disabled, and its full removal is planned for an upcoming release. Addressing this security risk reduces the likelihood of an attack while also removing support for a non-encrypted protocol.

Developer's Corner

The following section summarizes changes that affect web developer's work.

Switch between raw/formatted JSON

There's now a "Raw" switch in the developer tools that lets you switch between a raw JSON response and formatted JSON response. It can be found in the request/response tab:

Switch between raw and formatted JSON

CSS Changes

  • The default monospace font for MacOS has been changed to Menlo.
  • The :user-valid and :user-invalid pseudo-classes have been implemented.

JavaScript Changes

  • Added support for RegExp match indices.

Network Changes

  • FTP has been disabled on all releases (preference network.ftp.enabled now defaults to false).

Security Changes

  • The localhost URLs will refer to the loopback ip address (127.0.0.1), increasing the overall security of the connection.

DOM API Changes

  • Code can now use the new static method AbortSignal.abort() to return an AbortSignal that is already set as aborted.

Media Changes

  • If the number of tracks being recorded changes, an InvalidModificationError is thrown from the MediaRecorder.start().

Changes for add-on developers

  • Url can now be used to limit the properties for which the tabs.onUpdated event is triggered.

Changes in Firefox 88 for Android

  • Search engine suggestion feature makes it easier to search the web.
  • Fixed an issue where video playing in fullscreen or picture-in-picture mode would not display correctly on sites using a desktop viewport.

Unresolved Issues in Firefox 88

  • Some purchased video content may not play correctly due to a recent Widevine plugin update (this will be addressed in an upcoming bug fix release).

Security Fixes in Firefox 88

  • CVE-2021-23994: Out of bound write due to lazy initialization.
  • CVE-2021-23995: Use-after-free in Responsive Design Mode.
  • CVE-2021-23996: Content rendered outside of webpage viewport.
  • CVE-2021-23997: Use-after-free when freeing fonts from cache.
  • CVE-2021-23998: Secure Lock icon could have been spoofed.
  • CVE-2021-23999: Blob URLs may have been granted additional privileges.
  • CVE-2021-24000: requestPointerLock() could be applied to a tab different from the visible tab.
  • CVE-2021-24001: Testing code could have enabled session history manipulations by a compromised content process.
  • CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an encoded URL.
  • CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to null-reads.
  • CVE-2021-29944: HTML injection vulnerability in Firefox for Android's Reader View.
  • CVE-2021-29946: Port blocking could be bypassed.
  • CVE-2021-29947: Memory safety bugs fixed in Firefox 88.

Have fun cross-browser testing in Firefox 88!