Later today, Mozilla will release an update that will bring the stable channel of the Firefox browser to version 26.
As with all stable updates before, we have taken a very close look at what is new and changed in the update, so that you can prepare yourself for it.
Firefox's other release channels, that is Beta, Aurora and Nightly, will also be updated in the coming days and moved up a version. This means that Beta will hit Firefox 27, Aurora Firefox 28 and Nightly Firefox 29.
The Nightly update is especially important, as it is likely the version in which the new Australis interface will be launched in all versions of the browser.
Firefox 26 is already available on Mozilla's FTP server. While you can head over to it and download it right now, Mozilla does not encourage this, because too many users doing so puts too much strain on the server.
Plus, last minute updates can still force the organization to replace the version that it intended to release with a new one.
The better way is to use the internal update check to find out if the new version has been released officially. To do so, tap the Alt key on your keyboard and select Help > About Firefox from the menu.
Firefox 26 introduces several new features and changes to the Firefox web browser, of which some will affect a lot of users.
All plug-ins default to click-to-play except Flash
Update: Only Java defaults to click-to-play; all other plug-ins retain their status.
Mozilla announced back in September that it would default all plug-ins but the Adobe Flash plug-in to click-to-play in Firefox 26.
What this means is that plug-ins will not be loaded automatically when websites load, but only on user request. This improves security significantly, as websites can no longer automatically exploit old plug-in code or vulnerabilities in the latest version of a plug-in.
It does mean however that users will face challenges when it comes to accessing legit sites that require plug-ins. Instead of being able to use them right away, they need to allow the sites to load plug-ins.
For visual elements such as videos, an activate box should appear on the location of the element on the page. Firefox indicates that a plug-in is required by displaying the activate link in the center of the element.
In addition to that, you also find the plug-in indicator at the top of the page near the address of the website.
Clicking on the activate link has the same effect as clicking on the icon in the browser's main toolbar. Here you can choose to allow the execution right now, or to allow it and remember the choice for future sessions.
If you select the second option, it means that plug-in contents will be loaded automatically on the website from that moment on, so that you are not bothered anymore by the feature.
Tip: While all plug-ins default to Ask to Activate in Firefox 26 with the exception of Flash, it is possible to change that state in the plug-in manager. Do the following to do so:
Password manager now supports script-generated password fields
The default password manager in Firefox did not support script-generated password fields until now. What users experienced was that, while passwords could be remembered by the password manager, auto-fill did not work because of the dynamic nature of the login form.
This issue has now been resolved, and Firefox should no longer have any issues saving and filling out passwords when script-generated password fields are used.
Updates can now be performed by Windows users without write permissions to Firefox install directory (requires Mozilla Maintenance Service)
The update fixes issues where Firefox was installed for limited user accounts on Windows. The main issue here was that Firefox could not be updated by the user of the account directly due to the limited rights of the account.
This meant that Firefox would not be updated until a system administrator ran the update, which in turn meant that the browser would be vulnerable to attacks targeting known vulnerabilities in the meantime.
The change allows updates to be performed if the Mozilla Maintenance Service is being used on the system.
Support for H.264 on Linux if the appropriate gstreamer plug-ins are installed
This improves HTML5 video compatibility on Linux, as H.264 content can now be played using HTML5 video provided that the gstreamer plug-ins are installed.
Previously, support for this was added to several Windows operating systems as well.
Mozilla cannot distribute the necessary codecs with Firefox, but decided to use them if they are installed on the host system Firefox is running on.
Support for MP3 decoding on Windows XP, completing MP3 support across Windows OS versions
This is another one of those changes mentioned in the last paragraph. Native mp3 support has been added to Firefox running on Windows XP systems.
CSP implementation now supports multiple policies, including the case of both an enforced and Report-Only policy, per the spec
Mozilla implemented Content Security Policy (CSP) in Firefox 4. Back then, it was not based on a W3C specification as there was none at the time.
Back in June 2013, CSP 1.0 was implemented in Firefox. The feature is used by webmasters to specify which domains are allowed to run scripts and styles on the web page a user is connecting to. It prevents cross-site scripting attacks among other things.
The update adds support for multiple policies to Firefox.
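As an added illustration (not Mozilla's code and not part of the original article), the following simplified model shows what multiple policies mean for a script load: every enforced policy must allow the script, while a Report-Only policy only records a violation. The origins, the sample header values and the function names are constructed for this example; the policies correspond to the Content-Security-Policy and Content-Security-Policy-Report-Only response headers.

```javascript
// Simplified model of how a browser combines several CSP policies (added example).
// Source matching is reduced to '*', 'self' and exact origins; 'none' matches nothing.
function parsePolicy(headerValue, reportOnly) {
  const directives = Object.create(null);
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // The first occurrence of a directive wins; empty parts are skipped.
    if (key && !(key in directives)) directives[key] = sources;
  }
  return { directives, reportOnly };
}

function policyAllowsScript(policy, scriptOrigin, pageOrigin) {
  // script-src falls back to default-src; neither present means no restriction.
  const sources = policy.directives['script-src'] || policy.directives['default-src'];
  if (sources === undefined) return true;
  return sources.some((src) =>
    src === '*' ||
    (src === "'self'" && scriptOrigin === pageOrigin) ||
    src === scriptOrigin);
}

function checkScriptLoad(policies, scriptOrigin, pageOrigin) {
  const result = { blocked: false, reports: [] };
  for (const policy of policies) {
    if (policyAllowsScript(policy, scriptOrigin, pageOrigin)) continue;
    // Every violated policy reports; only enforced ones block the load.
    result.reports.push(policy.reportOnly ? 'report-only' : 'enforced');
    if (!policy.reportOnly) result.blocked = true;
  }
  return result;
}

// Constructed sample: two enforced headers plus one Report-Only header
// for a hypothetical page at https://shop.example.
const PAGE = 'https://shop.example';
const POLICIES = [
  parsePolicy("default-src 'self'; script-src 'self' https://cdn.example", false),
  parsePolicy("script-src 'self' https://cdn.example https://stats.example", false),
  parsePolicy("script-src 'self'", true), // stricter policy being trialled
];

console.log(checkScriptLoad(POLICIES, 'https://cdn.example', PAGE));
console.log(checkScriptLoad(POLICIES, 'https://stats.example', PAGE));
```

The first call loads the script but records a report-only violation, which is how a webmaster can trial a stricter policy next to the enforced one; the second is blocked because one of the two enforced policies does not list the origin.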
When a standalone JPEG image gets loaded in Firefox, the browser will now use EXIF orientation information to display it in its correct orientation.
The page loading times have been improved as Firefox is no longer decoding images that are not visible when they are downloaded. They are instead decoded when they become visible in the browser.
Other development related changes are:
Firefox 26 for Android follows the same release schedule as the desktop version of Firefox.
Security updates / fixes
A total of 14 security related issues have been fixed in Firefox 26. Of those, five have received the highest rating critical, three the rating of high, three the rating of moderate, and the remaining three a rating of low.
MFSA 2013-117 Mis-issued ANSSI/DCSSI certificate
MFSA 2013-116 JPEG information leak
MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
MFSA 2013-114 Use-after-free in synthetic mouse movement
MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
MFSA 2013-112 Linux clipboard information disclosure though selection paste
MFSA 2013-111 Segmentation violation when replacing ordered list elements
MFSA 2013-109 Use-after-free during Table Editing
MFSA 2013-108 Use-after-free in event listeners
MFSA 2013-107 Sandbox restrictions not applied to nested object elements
MFSA 2013-106 Character encoding cross-origin XSS attack
MFSA 2013-105 Application Installation doorhanger persists on navigation
MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)