Firefox 127 out with DNS Prefetching, security updates, and more
Mozilla has released a new stable version of the organization's Firefox web browser. Firefox 127.0 introduces several new features and important security fixes. It may also break media playback on certain sites.
All Firefox editions are updated as well to the following versions:
- Firefox 127 for Android
- Firefox ESR 115.12
- Firefox 128 Beta
- Firefox 128 Dev
- Firefox 129 Nightly
Executive Summary
- Firefox 127 addresses several security issues in the browser.
- Firefox ESR 128 will be released on July 9, 2024.
- Option to add additional protections to the Firefox Password Manager on macOS and Windows devices.
- The browser supports a new DNS prefetching instruction now.
- Media elements on HTTPS websites that use HTTP will be upgraded. If that fails, they won't be loaded anymore.
Firefox 127.0 download and update
Firefox is updated automatically by default. Desktop users may check the installed version at any time by selecting Menu > Help > About Firefox. Doing so displays the current version and runs a check for updates. Any new version found is installed at this point.
Here are the official download locations:
- Firefox Stable download
- Firefox Beta download
- Nightly download
- Firefox ESR download
- Firefox for Android on Google Play
Firefox 127.0 changes
Security and privacy improvements
Firefox 127.0 ships with security and privacy improvements. Windows and macOS users may configure the browser to prompt for authentication when the built-in password manager is accessed.
The new option is called "Request device sign in to fill and manage passwords". It is located in the Preferences of the browser under Privacy. You can load about:preferences#privacy to jump there directly. Check the option, which is disabled by default, to add the protective feature.
The new release improves privacy on Linux by reducing fingerprinting information. Firefox will report 32-bit x86 Linux systems as x86_64 in Firefox's User-Agent string and a Web API.
HTTP Media upgrades on HTTPS pages
Firefox won't play HTTP media -- image, video, or audio files -- on HTTPS pages anymore, if it cannot upgrade the protocol to HTTPS. Files that cannot be upgraded will not be loaded by the browser anymore.
This can be undone by changing the following preferences:
- security.mixed_content.block_display_content to FALSE (this was already set to false on the test system)
- security.mixed_content.upgrade_display_content to FALSE
The console highlights whenever mixed-content has been upgraded. Firefox does not display an icon anymore to indicate mixed-content on a page.
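A site owner can find the references this change affects before visitors do. The scanner below is an added example, not code from the article or from Mozilla. It lists image, audio and video URLs that resolve to plain HTTP on an HTTPS page, together with the HTTPS URL the server has to answer. The function names, the treatment of `<source>` elements and the example.test hosts are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements that load the image, audio and video files the article mentions.
# Assumption: <source> children are treated like their parent media element.
MEDIA_TAGS = {"img", "audio", "video", "source"}


class MixedMediaScanner(HTMLParser):
    """Collects media URLs that resolve to plain HTTP on an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, HTTP URL, HTTPS URL the server must answer)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in MEDIA_TAGS or not src:
            return
        # Resolve relative and protocol-relative URLs against the page first.
        absolute = urljoin(self.page_url, src.strip())
        parts = urlsplit(absolute)
        if parts.scheme == "http":
            upgraded = parts._replace(scheme="https").geturl()
            self.findings.append((tag, absolute, upgraded))


def find_mixed_media(page_url, html):
    """Return media references that Firefox 127 has to upgrade or drop."""
    if urlsplit(page_url).scheme != "https":
        return []  # the change only applies to pages served over HTTPS
    scanner = MixedMediaScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the example.test hosts are placeholders.
SAMPLE_HTML = """
<img src="http://img.example.test/logo.png">
<img src="/local.png">
<img src="//cdn.example.test/banner.png">
<video src="http://media.example.test/clip.mp4"></video>
<audio><source src="https://media.example.test/ok.ogg"></audio>
"""

if __name__ == "__main__":
    for tag, url, https_url in find_mixed_media("https://www.example.test/", SAMPLE_HTML):
        print(f"<{tag}> {url} -> needs to be reachable at {https_url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two explicit http:// references are reported.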
Other changes and fixes
- New option to launch Firefox on Windows automatically when the operating system starts. The option is found in the Preferences under General. It is called Open Firefox automatically when your computer starts up.
- Support for rel="dns-prefetch" link hints. This allows developers to suggest domain names that should be looked up preemptively by the browser.
- The List all tabs widget has a new Close duplicate tabs action.
- On macOS, links and other focusable elements are now "tab-navigable". Users may restore the previous default in the settings.
- Firefox's built-in screenshot tool can now take screenshots of certain file types, including SVG and XML, as well as several internal about: pages. Performance was also improved.
Developer changes
- data: and javascript: URLs are now forbidden in the href attribute of the <base> element
- Using a <color-interpolation-method> is now supported in gradients created with certain methods.
- Firefox supports a number of new JavaScript "Set" methods.
- The lh and rlh line height units are supported in SVG.
- The asynchronous Clipboard API is supported fully.
- All HTML character references are now supported in Web Video Text Tracks Format (WebVTT).
Enterprise changes
- Added: DisableEncryptedClientHello to control Encrypted Client Hello.
- Added: PostQuantumKeyAgreementEnabled to control post-quantum key agreement for TLS.
- Added: HttpsOnlyMode to control HTTPS-Only Mode.
- Added: HttpAllowlist to add exceptions to HTTPS-Only Mode.
- Updated: Preferences policy to allow setting
  - security.mixed_content.block_display_content
  - security.mixed_content.upgrade_display_content
- Updated: UserMessaging policy no longer supports the WhatsNew option.
- Updated: ExtensionSettings policy was updated to add temporarily_allow_weak_signatures to allow installing extensions signed using deprecated signature algorithms.
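Several of these policies can switch off protections described above, so a deployed policies.json is worth checking. The audit below is an added example, not Mozilla's code. It flags the policy settings named in this article when they relax a protection. The function name, the sample file and the JSON layout of each policy are assumptions.

```python
import json

# Preferences named in this article; false turns the media upgrade off.
MIXED_CONTENT_PREFS = (
    "security.mixed_content.block_display_content",
    "security.mixed_content.upgrade_display_content",
)


def audit_policies(policies_json):
    """Return warnings for policy settings that relax the 127 protections."""
    policies = json.loads(policies_json).get("policies", {})
    warnings = []

    # Assumed layout: "Preferences": {"<name>": {"Value": ..., "Status": ...}}
    prefs = policies.get("Preferences", {})
    for name in MIXED_CONTENT_PREFS:
        entry = prefs.get(name)
        if isinstance(entry, dict) and entry.get("Value") is False:
            status = entry.get("Status", "unset")
            warnings.append(f"{name} set to false (Status: {status})")

    # Assumed layout: "HttpAllowlist" is a list of origins.
    for origin in policies.get("HttpAllowlist", []):
        warnings.append(f"HTTPS-Only Mode exception: {origin}")

    if policies.get("DisableEncryptedClientHello") is True:
        warnings.append("Encrypted Client Hello is disabled")
    if policies.get("PostQuantumKeyAgreementEnabled") is False:
        warnings.append("post-quantum key agreement for TLS is disabled")

    # Assumed layout: the flag sits inside an ExtensionSettings entry.
    for ext_id, cfg in policies.get("ExtensionSettings", {}).items():
        if isinstance(cfg, dict) and cfg.get("temporarily_allow_weak_signatures"):
            warnings.append(f"weak extension signatures allowed for {ext_id}")
    return warnings


# Constructed policies.json content for the demonstration.
SAMPLE_POLICIES = """
{"policies": {
  "HttpAllowlist": ["http://intranet.example.test"],
  "PostQuantumKeyAgreementEnabled": true,
  "Preferences": {
    "security.mixed_content.upgrade_display_content":
      {"Value": false, "Status": "locked"}
  }
}}
"""

if __name__ == "__main__":
    print("\n".join(audit_policies(SAMPLE_POLICIES)))
```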
Security updates / fixes
Mozilla fixed 15 unique security issues in Firefox 127. The aggregate severity rating is high and exploits in the wild are not mentioned.
Outlook
Firefox 128 will be released on June 9, 2024. It marks the beginning of a new ESR base, which will replace Firefox ESR 115.x eventually.
Recent Firefox news and tips
- Mozilla is investigating huge Telemetry performance issues in Firefox for Android
- Mozilla confirms it will add Tab Groups, Vertical Tabs, Profile Management to Firefox
Additional information / resources
- Firefox 127 release notes
- Firefox 127 for Developers
- Firefox 127 for Enterprise
- Firefox Security Advisories
- Firefox Release Schedule
Closing Words
Firefox 127 makes a few privacy and security changes. The option to protect saved passwords with the operating system's password or biometrics is a welcome option. The remaining changes are smaller. The next version will be a major release.
Have you tried Firefox recently? What is your take on the current state of the browser?
The new Firefox will not let you add like ad blockers or VPN to the new Firefox. It is a mess up again. They are doing what Microsoft is doing, messing up again. Don’t install the new Firefox.
In other news:
https://www.theregister.com/2024/06/14/mozilla_firefox_russia/
It’s funny to me people who complain about censorship also endorse Yandex.
I don’t like how the “new feature” about starting Firefox on boot is somehow linked with Studies:
https://support.mozilla.org/en-US/kb/open-firefox-automatically-when-you-start-computer
If I need to launch it automatically I’ll add it myself, thank you very much.
I don’t see that setting to Open FF automatically…etc., on startup. When doing a search for it in settings, the msg reads: “Sorry! There are no results in Settings for “Open Firefox automatically when your computer starts up”.
That’s possibly because I have several profiles and have configured FF to display the profile menu options when launching it via the tray icon. That also prevents FF from installing the latest version automatically. I wouldn’t want FF to launch automatically on startup anyway.
All other “Prefetch” options have been disabled already including the one Martin mentioned back in 2015: https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links/
Happy to see no AI bloatware as of now. For disabling DNS Prefetching in about config see: https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
Meanwhile, reading somewhere over the rainbow: “DNS prefetching was implemented in Firefox 3.5 to improve page load time. This feature allows Firefox to perform domain name resolution proactively and in parallel for hyperlinks, images, CSS, JavaScript, and other webpage content.”
[https://kb.mozillazine.org/Network.dns.disablePrefetch#]
Is there a way to stack private windows with normal windows? The about:config command allowing that has apparently been purged by Mozilla, so there’s no options for it anymore officially.
Same anon again. Apparently the about:config pref removal was intentional which means Mozilla is overriding Windows users’ setting that lets them stack open windows from a single app on the Windows taskbar. Microsoft may object to this finding and do something about it.
Looks like Mozilla will be reverting the private browser stacking changes it made.
Link: https://connect.mozilla.org/t5/ideas/bring-back-the-option-to-group-the-private-and-normal-firefox/idc-p/59579/highlight/true#M34679
Quite frightening Firefox is Chromium’s only true competition. Switched all my devices to Firefox in preparation of manifest v3. No Chromium browser will be useable after it goes live.
does Mozilla ever add anything that matters to Firefox? every update is so small, it should be like a 0.0.1 release, even other browsers are more weekly than Mozilla does in their ‘major’ releases.
The only update that is relevant is for the web devs, but then, it’s Mozilla’s job to keep the browser updated with standards and nonstandards to keep compatibility with websites, anything else just address nothing.
Especially the HTTPS only mode, it’s dumb, and disabling stuff through ‘about’ page instead of a toggle in settings it’s terrible practice.
“every update is so small, it should be like a 0.0.1 release, even other browsers are more weekly than Mozilla does in their ‘major’ releases.”
Just be happy they didn’t add any AI bloat yet like Brave, Opera and Edge.
So much seethe for madeup concerns.
Let’s not forget that updates include security patches.
@Tom Hawack
Tom, if you cared so much about security patches you wouldn’t use Windows 7 anymore.
@Iron Heart, how do you manage to translate a comment which reminds that updates include security patches to one which emphasizes the importance of security patches? Have I ever written that I cared for my very concern? A global comment is basically a FYI one.
This said, many of us have their own privacy/security/digital environment recipes and there may very well be no contradiction but rather fine tuning when it comes to choosing one policy for an OS and another for the browser, its called flexibility, nuances as opposed to a modern trend called radicalism. Life is not this or that but most often some of this and some of that. Recipes are always arguable, they are argued here and elsewhere, no one is master of a whatever Truth. Coherence is one thing, formal logic is another.
“You’ve said yesterday that the sky is blue and now you say it’s gray…” – “It’s raining today, sweetheart, that’s why”.
Ok, the ‘Sidebar Switch’ userChrome script no longer works. If I also use right click on the icon of the scripts ‘ExtensionOptionsMenu’ and ‘Tool Button’ nothing happens now.
And now the last tab cannot be closed. Good job, Firefox.
work on my machine. git gud.
Lots of websites use dns-prefetch hint to load tons of ads and analytics on users, even before any content is loaded. Nice improvement /s
UBO disables indeed by default pre-fetching, globally (dashboard/settings/privacy).
There are also Firefox’s built-in about-config prefs :
// disable prefetching
pref("network.dns.disablePrefetch", true);
pref("network.dns.disablePrefetchFromHTTPS", true);
pref("network.prefetch-next", false);
Pre-fetching or the art of exchanging privacy and good sense for the sake of a few milliseconds.
who browses the web, in 2024, with no ad blocker ???
madness
uBo disables that by default. You are using uBo, aren’t you? Aren’t you???
Why the war on http, I am planning on my personal website to be http because I want it to work on incredibly old systems (and I don’t care about traffic, mostly will be me viewing it).
As long as http elements on http pages continue loading, I guess…
Even if you’re creating a static personal website, and are not: collecting user input, running client-side scripts, cookies, offering downloads, etc. Your potential visitors could still benefit from you serving HTTPS.
If your browser is around twenty years old it won’t support the latest HTML Standard either. From about 20-years ago, you’re talking about obsolete relics like Firebird 0.5 and Internet Explorer 6.0. Windows XP supports MSIE 8.0 and Firefox 52, if you meant supporting an old OS. Every browser mentioned within this paragraph supports HTTPS.
Let’s Encrypt is not the correct type of encryption Certificate for ecommerce. The free ‘Let’s Encrypt’ certificate uses (X.509) a Domain Validation (DV) certificate. For validating the Domain that only ensures a secure connection to the website. You shouldn’t really use the Let’s Encrypt SSL for any commercial purposes.
The article seemed to be talking about “mixed content”, which refers to securely loaded web pages that use resources to be fetched via HTTP or another insecure protocol. For example, images on a HTTP [http://] only service being loaded within a HTTPS [https://] web page. Obviously (if loaded) that would result in making that HTTPS web page: insecure.
Hallowed be the memory of the Lost Souls.
Grand Prosecutor Jihana,
You almost get it – except: “If your browser is around twenty years old it won’t support the latest HTML Standard either” – the website is not using the latest html standard, turns out a static html stuff doesn’t need much “new” stuff.
“The article seemed to be talking about “mixed content””, I’m aware, I’m just noting that it’s not impossible for this to escalate in the future, as I am worried it might.
“Your potential visitors could still benefit from you serving HTTPS”, let me know how.
That’s a stupid question.
Also, I’ve nothing against incredibly old systems as they can be useful for many things but hooking them to the internet is also, stupid.
@Tachy,
This is not necessarily true, and reeks of “FUD” to me – as long as you are behind a firewall you can easily minimise risk. “Surfing the web” freely may be inadvisable but visiting some static old-school HTML websites which you’ve pre-approved, which don’t run javascript or adverts, on your home network – there is no risk here.
Besides, I am talking about things like the old Firefox fork for the Playstation 3 or the Opera browser for the Nintendo DS, and the built in browser on the Samsung S2 – none of which are particularly vulnerable.
That said I also believe that modern-day devices and browsers should just deal with loading the occasional http site without giving the end user a particularly hard time, as there are still plenty out there in the wild.
@bruh
Samsung S2! Phone launched somewhere around 2010 and you want Firefox to support it. Not sure if you can install any app on it given Android version requirement, nevermind Firefox latest version.
Thanks for the laugh though
@Yash, I didn’t say i wanted the latest version to support it, reading comprehension takes a hit today…
The user I replied to said: “connecting old systems to the internet is stupid”, I responded with some examples where there is no risk in doing so.
I then made a separate point about how I wish for modern browsers to behave, you must have read the comment in such a hurry that the sentences blurred together?
@bruh http is inherently more prone to vulnerabilities, it’s really not that hard to go https, just sign your own certificate or you know, keep using your ancient systems with ancient versions of browsers, I literally fail to see the issue? Not like the war on http will affect you since you will be using old versions
@Anonymous,
I don’t exclusively use old browsers, and I’d like my site to work on both old and new browsers – how is that hard to understand? So yes if modern browsers start getting really annoying about dealing with http, it will be a problem for me.
@bruh again I fail to see your issue, either use old versions of browsers to maintain your compatibility or suck it up and “upgrade”, even though https was created in 1994 and most browsers since 2018 have started dropping support.
@Anonymous,
It’s like talking to a brick wall… I’m making a site – a static html site that will not be manually maintained by me (I am writing a program to automate changes and updates).
I just want the site to work – using http for the sake of ancient browsers, but I also want that same website to be accessible on modern browsers, just in case that becomes necessary for some reason. At the present moment, it’s possible, and there are no issues, but I am worrying that in the future it might change, because you can see the attitude browser developers are taking towards http. That was the whole purpose of my first comment, to highlight a frustration that I can see coming down the line.
Not much of what you said even made sense, I think you don’t quite know what you’re on about. Also what have browsers been dropping support for since 2018?