Later today, Mozilla will release an update that will bring the stable channel of the Firefox browser to version 26.
As with all stable updates before, we have taken a very close look at what is new and changed in the update, so that you can prepare yourself for it.
Firefox's other release channels, that is Beta, Aurora and Nightly, will also be updated in the next days and moved up a version. This means that Beta will hit Firefox 27, Aurora Firefox 28 and Nightly Firefox 29.
Especially the Nightly update is of importance, as it is likely the version that the new Australis interface will be launched in all versions of the browser.
Firefox 26 is already available on Mozilla's ftp server, and while you can head over to it to download it right now, it is not something that Mozilla encourages because if too many users do it, it puts too much strain on the server.
Plus, last minute updates can still force the organization to replace the version that it intended to release with a new one.
The better way is to use the internal update check to find out if the new version has been released officially. To do so tap on the Alt-key on your keyboard, and select Help > About Firefox from the context menu.
Firefox 26 What’s New
Firefox 26 introduces several new features and changes to the Firefox web browser, of which some will affect a lot of users.
All plug-ins default to click-to-play except Flash
Update: Only Java defaults to click to play, all other plug-ins remain their status.
Mozilla announced back in September that it would default all plug-ins but the Adobe Flash plug-in to click-to-play in Firefox 26.
What this means is that plug-ins will not be loaded automatically when websites load, but only on user request. This improves the security of the connection significantly, as websites cannot exploit old plug-in code or vulnerabilities in the last version of a plug-in anymore.
It does mean however that users will face challenges when it comes to accessing legit sites that require plug-ins. Instead of being able to use them right away, they need to allow the sites to load plug-ins.
For visual elements such as videos, an activate box should appear on the location of the element on the page. Firefox indicates that a plug-in is required by displaying the activate link in the center of the element.
In addition to that, you also find the plug-in indicator at the top of the page near the address of the website.
Clicking on the activate link has the same effect as clicking in the icon in the browser's main toolbar. Here you can select to allow the execution right now, or allow it and remember it for future sessions.
If you select the second option, it means that plug-in contents will be loaded automatically on the website from that moment on, so that you are not bothered anymore by the feature.
Tip: While all plug-ins default to Ask to Activate in Firefox 26 with the exception of Flash, it is possible to change that state in the plug-in manager. Do the following to do so:
- Load about:addons in the browser's address bar.
- Locate the plug-in that you want to change the activation state for, it should either read "Ask to Activate" or "Never Activate"
- Click on the menu and change it to the desired activation status. If you want it to load at all times automatically, select "Always Activate".
Password manager now supports script-generated password fields
The default password manager in Firefox did not support script-generated password fields until now. Basically, what users did experience was that while passwords could be remembered by the password manager, auto-fill did not work out because of the dynamic nature of the login form.
This issue has now been resolved, and Firefox should not have any issues anymore saving and filling out passwords if script-generated are used.
Updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service)
The update fixes issues where Firefox was installed for limited user accounts on Windows. The main issue here was that Firefox could not be updated by the user of the account directly due to the limited rights of the account.
This meant that Firefox would not be updated until a system administrator would run the update, which in turn meant that the browser would be vulnerable to attacks targeting known vulnerabilities in the meantime.
The change allows updates to be performed if the Mozilla Maintenance Service is being used on the system.
Support for H.264 on Linux if the appropriate gstreamer plug-ins are installed
This improves HTML5 video compatibility on Linux, as H.264 contents can now be played using HTML5 Video provided that gstreamer plug-ins are installed.
Previously, support for this was added to several Windows operating systems as well.
Mozilla cannot distribute the necessary codecs with Firefox, but decided to use them if they are installed on the host system Firefox is running on.
Support for MP3 decoding on Windows XP, completing MP3 support across Windows OS versions
This is another one of those changes mentioned in the last paragraph. Native mp3 support has been added to Firefox running on Windows XP systems.
CSP implementation now supports multiple policies, including the case of both an enforced and Report-Only policy, per the spec
Mozilla implemented Content Security Policy (CSP) in Firefox 4. Back then, it was not based on W3C specification as there was none at the time.
Back in June 2013, CSP 1.0 was implemented in Firefox. The feature is used by webmasters to specify which domains are allowed to run scripts and styles on the web page a user is connecting to. It prevents cross-site scripting attacks among other things.
The update adds support for multiple policies to Firefox.
When a standalone JPEG image gets loaded in Firefox, the browser will now use EXIF orientation information to display its correct orientation.
The page loading times have been improved as Firefox is no longer decoding images that are not visible when they are downloaded. They are instead decoded when they become visible in the browser.
- Social API now supports Social Bookmarking for multiple providers through its SocialMarks functionality
- There is no longer a prompt when websites use appcache
- Support for the CSS image orientation property
- New App Manager allows you to deploy and debug HTML5 webapps on Firefox OS phones and the Firefox OS Simulator
- IndexedDB can now be used as a "optimistic" storage area so it doesn't require any prompts and data is stored in a pool with LRU eviction policy, in short temporary storage
Other development related changes are:
- Several changes to CSS properties, --moz-text-blink has been removed, support for the image-orientation property, or position: sticky among others.
- Several changes to HTML elements, like HTMLInputElement.width and HTMLInputElement.height returning 0 now if the type is not an image.
- New EcmaScript 6 features like support for Generators (yield).
- Lots of changes to interfaces, APIs and DOM
- The Inspector supports remote now.
Firefox 26 for Android
Firefox 26 for Android follows the same release schedule as the desktop version of Firefox.
- about:home interface updated with top sites thumbnails, and ability to pin browser tabs to the Firefox homepage.
- The built-in password manager supports script-generated password fields now.
- Performance has been improved on some NVIDIA devices.
- CSP now supports multiple policies.
Security updates / fixes
A total of 14 security related issues have been fixed in Firefox 26. Of those, five have received the highest rating critical, three the rating of high, three the rating of moderate, and the remaining three a rating of low.
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure though selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
Additional information / sources
- Add-on compatibility for Firefox 26
- Firefox 26 for developers
- Firefox 26 release notes
- Firefox 26 Android release notes
- Firefox Security Advisories
- Site compatibility for Firefox 26