Firefox browser – Devstyler.io https://devstyler.io News for developers from tech to lifestyle Wed, 14 Jul 2021 07:14:29 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.5 What’s in the latest Firefox update? 90 unblocks Facebook sign-ins, updates in background https://devstyler.io/blog/2021/07/14/what-s-in-the-latest-firefox-update-90-unblocks-facebook-sign-ins-updates-in-background/ Wed, 14 Jul 2021 07:14:29 +0000 https://devstyler.io/?p=59181 ...]]> Mozilla bumped Firefox to version 90, launching an enhanced version of its anti-tracking technology that allows exceptions for logging in to sites with the user’s Facebook credentials.

The outfit’s engineers also patched nine vulnerabilities, five tagged as “High,” Firefox’s second-most-serious label. Two of the nine were found only in the Android edition of the browser, but none were marked “Critical,” the direst flaw category.

Firefox 90 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon. The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

Unblocks Facebook log-ins

For June’s jump to version 89, Mozilla delivered an extensively tweaked user interface (UI) previously known by the code name “Proton.” Mozilla touted the changes as a significant look and feel overhaul, and said it was “designed to win you back” to the open-source browser, which has continued to slump in popularity. After a major effort upgrade, the follow-up, Firefox 90, was relatively sparse on new and shiny features meant to tempt users to abandon rivals.

In Firefox 90, anti-tracking “reacts by quickly unblocking the Facebook login script just in time for the sign-in to proceed smoothly,” according to Thomas Wisniewski and Arthur Edelstein, web compatibility engineer and senior product manager for privacy and security, respectively. In other words, the usual block is temporarily lifted long enough for authentication, at which point the block resumes so that a user is protected while navigating to other websites.

It seems odd that Mozilla, which prides itself on its privacy stance, and more specifically, with blocking trackers, has decided to initiate the feature with Facebook, whose privacy and tracking reputations are, to put it kindly, lamentable.

Background updates, but only for Windows

Background updates, which Mozilla broached in April, finally arrived in Firefox 90 for Windows users.

Prior to version 90, Firefox updated itself only when the browser was running. Much like rivals, including Chrome and Edge, Firefox looked for pending updates and upgrades when it was launched, then downloaded them in the background. The update or upgrade was not actually installed until the browser was restarted. Thus, users who left Firefox open indefinitely or spent weeks between system reboots might well be running an insecure version, even though a patched edition was available and already on their machine.

As of Firefox 90 on Windows, the browser will check for updates every seven hours when it’s not in use. Mozilla will, as it typically does, roll out this feature in stages, so not everyone will notice it immediately. Users can, however, enable the feature through the about config pane. Instructions for doing so can be found here.

Not our fault!

Elsewhere in Firefox 90, Mozilla added a diagnostic tool to the Windows version that users can reach by typing about third-party in the address bar and pressing Enter or Return. Some software, Mozilla said, loads code into browsers, Firefox included. “Sometimes, these applications load harmful modules that cause Firefox crashes, reduced performance, or compatibility issues,” Mozilla contended.

Mozilla seemed most interested in users not blaming Firefox for problems actually caused by these freeloading modules. “You may not notice that a malicious or unexpected module has been loaded and it may cause problems that appear to be Firefox issues,” Mozilla added.

]]>
Firefox Is Testing New Site Isolation Feature https://devstyler.io/blog/2021/05/20/firefox-is-testing-new-site-isolation-feature/ Thu, 20 May 2021 11:22:00 +0000 https://devstyler.io/?p=51689 ...]]> Mozilla is currently testing a new security architecture for its Firefox browser in nightly and beta channels that sees each site be put into its own operating system process.

As it currently stands, when Firefox launches, it starts a privileged parent process, eight processes for web content, up to two additional semi-privileged web content processes, and four utility processes for web extensions, GPU operations, networking, and media decoding.

With the set number of processes, the potential exists for a malicious site to be placed into a process already in use by another site and giving it access to shared process memory. Using a Spectre-like attack, the malicious site could access data from other sites in the same process.

The current situation means any ads, or embedded pages and subframes, are placed into the same process as the parent page regardless of whether they are the same site or not. With Site Isolation, each of the embedded elements that are not part of the same site will have their own process, with the client operating system to provide memory protections and security guarantees. Mozilla senior platform engineer Anny Gakhokidze commented:

“In a more dangerous scenario, a malicious site could embed a legitimate site within a subframe and try to trick you into entering sensitive information. In the case of a successful Spectre-like attack, a top-level site might access sensitive information it should not have access to from a subframe it embeds (and vice-versa) — the new Site Isolation security architecture within Firefox will effectively make it even harder for malicious sites to execute such attacks.”

Additionally, Firefox will treat http and https versions of a site as different sites, meaning they get put in separate processes. The feature will make use of a community-maintained list of domains that function as effective top-level domains and need to have each subdomain treated as a separate site.

Gakhokidze added the new architecture will improve Firefox in other ways, such as one site chewing up compute resources or having its garbage collected should not “degrade the responsiveness” of other pages, nor should a page crashing impact pages in other processes.

Site Isolation was first unveiled by Firefox at the start of 2019 when it was dubbed Project Fission. Chrome has had its own version of isolation for some time. Users running Firefox Nightly that want to enable Site Isolation can head to about: preferences#experimental, toggle the Fission checkbox and restart. Those running beta or release channel need to head to about: config, set fission. autostart to true, and restart.

A number of known issues on the Project Fission page state there is excessive memory usage and problems with X11 connector exhaustion to content.

]]>