Firefox 37: find out what is new
Mozilla will release new versions of the Firefox web browser for all supported channels later today.
This brings the stable version of the browser to version 37 while Beta, Aurora and Nightly versions are upgraded to 38, 39 and 40 respectively.
Firefox's Extended Support Release will be upgraded as well to version 31.6.
To find out which channel you are using type about:support in the web browser's address bar and check the version under application basics near the top of the page that opens up.
The guide below provides you with information about changes that went into Firefox 37.
Firefox 37 download and update
Firefox 37 is already available on Mozilla's public FTP server. It is usually not a good idea to download it from there directly as last minute changes may make a different build the release build.
While this does not happen often, it did happen in the past.
Probably the best way to upgrade is to run a manual update check in the browser. You do that by tapping on the Alt-key on your keyboard and selecting Help > About Firefox from the menu bar at the top that is displayed when you do that.
Mozilla hosts all downloads and you can download them from the site as well to upgrade or install anew. Use the following links to do so (note: the recent updates may not be available yet).
Firefox 37 Changes
Firefox 37 does not introduce many new features in the browser that are visible to users.
Media Source Extensions (MSE) on YouTube
When you visit YouTube's HTML5 video player page you will notice that Firefox 37 supports Media Source Extension now on the site.
While you could force support previously by changing browser preferences on the about:config page of the browser, that is no longer necessary at least not for Media Source Extensions and MSE & H.264 which are both enabled by default now on the site.
Tip: To enable MSE & WebM VP9 which is shown as not supported right now do the following:
- Load about:config in the browser's address bar.
- Confirm you will be careful if the warning appears.
- Search for media.mediasource.webm.enabled
- Double-click on it to toggle its value (to true).
Reload YouTube's HMTL5 check page and you should see that the last option is supported as well now on the site.
This feature is limited to YouTube by default. To change that modify the preference media.mediasource.youtubeonly and set its value to false using the method listed above.
You may run into issues on some sites if you enable that feature globally though. If you do, repeat the process to disable it again.
Heartbeat user rating system
Heartbeat adds a User Voice like system to Firefox allowing Mozilla to get user feedback directly from users of the browser.
I covered Heartbeat when it first appeared back in February and suggest you read the article that I wrote back then for additional information about it.
If you don't want to participate in Heartbeat at all, do the following to disable the feature in the browser:
- Open the about:config page again as outlined above.
- Search for browser.selfsupport.url.
- Double-click the parameter and set its value to blank.
To undo the change, right-click on the preference and select reset from the context menu.
Bunch of security improvements
Security improvements are usually not something that are visible to users. The following paragraph lists the improvements that went into Firefox 37.
- Bing Search uses HTTPS by default now.
- Disabled insecure TLS fallback.
- TLS False Start optimization requires a cipher suite using AEAD construction.
- Extended SSL error reporting to report non-certificate errors.
- Improved protection against site impersonation
- Support for local revoked intermediary certificates blocklist
- Added support for e-mail name constraints in certificates.
- Improved certificate and TLS communication security by removing support for DSA
- Opportunistically encrypt HTTP traffic if the server supports it.
Developer Changes
New Security panel in Network Monitor
The security panel lists security-related information about the selected entry in the network panel. This includes connection details such as the protocol version and cipher suite used but also certificate information and security features used by the connection.
New Animations panel in Page Inspector
If the selected element on a page is animated, Firefox displays the Animations panel which displays information about it and provides you with play and pause buttons to control it.
Other developer changes
- Debugger panel supports about:// and chrome:// URIs.
- Logging of weak ciphers in web console.
- WebSocket now available in Web Workers.
- IndexedDB now accessible from worker threads.
Firefox for Android
The majority of changes of the desktop version of Firefox were also implemented in the Android version. I suggest you check out the changelog if you are interested in those. Below is a selection of features unique to Firefox for Android.
Tablet interface updates
Tablet interface updates launched in Firefox 37 for Android. You will probably notice right away that tabs are on top now in the new interface.
Other changes include a redesigned tabs tray displaying all open tabs in the browser. You find additional information about the new interface on Medium.
Minor changes
- Support for sending videos to Matchstick devices.
- URL bar displays the url instead of the page title by default now.
Security updates / fixes
Security updates are released a short while after the Firefox 37 release. I'll add those once they become available publicly.
- MFSA 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
- MFSA 2015-41 PRNG weakness allows for DNS poisoning on Android
- MFSA 2015-40 Same-origin bypass through anchor navigation
- MFSA 2015-39 Use-after-free due to type confusion flaws
- MFSA 2015-38 Memory corruption crashes in Off Main Thread Compositing
- MFSA 2015-37 CORS requests should not follow 30x redirections after preflight
- MFSA 2015-36 Incorrect memory management for simple-type arrays in WebRTC
- MFSA 2015-35 Cursor clickjacking with flash and images
- MFSA 2015-34 Out of bounds read in QCMS library
- MFSA 2015-33 resource:// documents can load privileged pages
- MFSA 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
- MFSA 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
- MFSA 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
Additional information / sources
- Firefox 37 release notes
- Firefox 37 Android release notes
- Add-on compatibility for Firefox 37
- Firefox 37 for developers
- Site compatibility for Firefox 37
- Firefox Security Advisories
Now Read: Firefox Release Schedule
A better way to disable this new piece of bells and whistles is to create “browser.selfsupport.enabled” and set it to FALSE.
Also, it is disabled if one of the following so-called features is disabled:
* Firefox Health Report (FHR) (“datareporting.healthreport.service.enabled” FALSE) [1]
* Tour presenting the horrible Australis UI (“browser.uitour.enabled” guess what FALSE)
source:
http://lxr.mozilla.org/mozilla-central/source/browser/modules/SelfSupportBackend.jsm
[1] “Firefox Health Report” checkbox in “Options > Advanced” does not control “datareporting.healthreport.service.enabled”, but “datareporting.healthreport.uploadEnabled”. You can obliterate that one too.
Can’t patch this: Mozilla pulls encryption feature after just a WEEK: http://www.theregister.co.uk/2015/04/07/mozilla_crypto_encryption_snafu_pull/
Ever since I updated my browser to version 37.0.1 from 36.0.4, I have been encountering a painting bug when switching tabs. After checking a bit and finding the proper bug report in their Bugzilla tracker (see https://bugzilla.mozilla.org/show_bug.cgi?id=1067470 for that), it seems like the problem has been getting worse ever since it was first reported in November of 2014 if the number of duplicates are anything to go by.
It is such a pity that other browsers aren’t ready yet (or will probably never reach that point), because it looks like I’m going to have to live with this bug for months and that would usually be motivation enough to go out there and look for something better. Well, until a proper alternative to Opera 12 (mostly rebuilt in Firefox) exists, I’m stuck with this.
Hi Martin,
Since updating to Fx 37.01 I have a problem with the size of videos not displaying the correct size: they are either too small or too big.
Some examples:
http://prntscr.com/6q3dhm
http://prntscr.com/6qatpa
http://prntscr.com/6pkah0
I disabled Silverlight and Flash player plugins but videos still play on RAI site (the one I used for the screens) but it got sorted on Youtube so don’t know what to try next.
Few days ago I also switched to an HD monitor but considering all those videos play fine on Chrome the problem must be on Firefox.
Any suggestion please?
Thank you.
Have you tried Firefox Safe Mode? Hold down Shift before you start the browser.
Hi Martin, thanks for the suggestion.
I actually tried with a brand new profile and the problem is not present so, I suppose, it must be some addon.
If I find out the culprit I will post back to let others know.
Cheers.
So apparently FF37 was released a few days ago but when I check for updates 36..0.4 is the latets, what gives?
Also disabling DSA whilst I agree is good for security I think they need to add a way to overide it given 1000s of sites still have DSA as their only method of access.
Mozilla pulled Fx37 because of a bug.
Even though Chrome is my default browser, I like to keep Fx current as well. Going to Help-About only would update me from 36.0.3 to 36.0.4 until tonight, when 37.0.1 was offered and successfully installed. I guess the moral is “Patience is a virtue.” :-)
@Martin – Did I just miss it or did you not include the new “Opportunistic Encryption” feature of version 37 in the article? Just wondering.
http://www.tomshardware.com/news/firefox-37-opportunistic-encryption-security,28857.html
Kirk thanks, yep I missed that.
Heh, you’re welcome. It’s nice to know (in my old…er age) that I can still notice something that’s not there to be noticed…or something like that.
…yea, maybe it’s time to re-evaluate these FF settings I have used (for speed and security), and updated, for years. Are they all still valid? Have I missed any?
breakpad.reportURL=remove | browser.bookmarks.max_backups=2 | browser.chrome.site_icons=f | browser.chrome.favicon=f | browser.newtabpage.enabled = f | browser.newtab.url-change about:newtab to about:blank | browser.sessionhistory.max_entries=5 | browser.sessionstore.max_tabs_undo=3 | browser.sessionstore.max_windows_undo=1 | browser.tabs.animate =f | browser.urlbar.autofill = f* | dom.popup_maximum=5 | dom.storage.enabled = f | geo.enabled=f | layout.spellcheckDefault=2 | media.peerconnection.enabled=f (WebRTC) | network.http.max-persistent-connections-per-server=12 | network-prefetch-next=f | services.sync=set most boolean to false | network.seer* = f | network.websocket* = f |
Also set *telemetry*, chat, online*, crash, google, safebrowsing, health, xtb* = f | browser.urlbar.maxRichResults=0 |
…and now “heartbeat…” (NOTE: “*”=multiple related entries to confirm).
Also, THANK YOU for your years of valid and useful data!
MRK
Those look decent as far as I know. I would add beacon.enabled = f, network.dns.disablePrefetch = true and browser.pagethumbnails.capturing_disabled = true. browser.history.allowPopState, browser.history.allowPushState, and browser.history.allowReplaceState could be set to false, too.
Thanks – missed “datareporting”, and also “browser.pagethumbnails.capturing_disabled = true” is not found.
Do you know of any other FF sites for Linux that harden it and make it secure (as is possible)?
” Martin Brinkmann March 31, 2015 at 11:40 pm #
Check this out, it explains how you can remove the plugin (and a new one): https://www.ghacks.net/2015/03/31/primetime-content-decryption-module-by-adobe-what-is-it/”
THANK YOU Martin! With your help, I have removed this plugin.
Thank you for the Download link. Better than a 3rd party download!
Martin, in previous versions, you told us how to remove from the pluggins “OpenH264 Video Codes….
With this 37.0 version, I again have this plugin. You reference no longer works for me. Could you show us how to remove this plugin? I have it set to Never Activate, but would to remove it.
They’ve fixed the download link. Now you can just click on the link next to preferred language and download from “all” page.
Check this out, it explains how you can remove the plugin (and a new one): https://www.ghacks.net/2015/03/31/primetime-content-decryption-module-by-adobe-what-is-it/
” Niks March 31, 2015 at 1:19 pm #
They removed full installer file links. On this page https://www.mozilla.org/en-US/firefox/all/ all links are to stub installers.”
You can still get the full download at other sites, Major Geeks for one.
I too think that Mozilla is trying everyone’s patience.
I think this change is mainly bcoz they might release x64 versions and the stub can install the s/w according to the system architecture.
I’d suggest them to split the links in “all” page similar to linux downloads.
Don’t need to d/w from 3rd party sites. There is an easier method for direct download.
Just copy the url, for example “en-US” link:
https://download.mozilla.org/?product=firefox-stub&os=win&lang=en-US
Now, edit the link as:
https://download.mozilla.org/?product=firefox-37.0-SSL&os=win&lang=en-US
What I did is just removed “-stub” from the link and typed the “version number” with “-SSL” and then press “Enter”.
@Martin:
Clarification on download of Firefox for Android Apk from ftp servers:
Since the beta version of Firefox for Android v37, the ftp downloads of android-arm is split into two: api-9 and api-11.
Source: https://ftp.mozilla.org/pub/mozilla.org/mobile/releases/37.0/
How to know which one is suitable for which android versions/handsets?
I suppose Mozilla is referring to the minimum Android SDK. Api 9 would require a device running Android 2.3 or newer while Api 11 Android 3.0 or newer. This is just my guess though but it would make sense.
My friend tried the api-11 apk with android 4.0.x since Android v4.0.3-v4.0.4 is API 15. It was successful.
For more info on the API version for the android versions, you can visit:
https://en.wikipedia.org/wiki/Android_version_history
For android v2.3.7 and “below” can install Firefox api-9 apk
For android v3.0 and “above” can install Firefox api-11 apk.
So, are u referring to api-11?
You mean if I recommend it? Since I have not tried either, I cannot do that. I would try Api 11 though.
So, according to your guess, which api is best-suited for devices running android v4.0.x, 4.x.x, 5.x?
I’m asking this mainly bcoz, if both api supports the above android versions, then it’ll lead to more confusion among downloaders from ftp servers or third-party sites. Also, it may lead to many fake apk spreading with malware.
Is there any documentation regarding the api differentiation in mozilla / wiki support pages/sites?
I’d pick the newer which is the better choice most of the time.
You can also set https rules in the NoScript extension, under “Advanced -> Https”
Example rules you can use:
*bing.com*
*.deviantart.com*
*.deviantart.net*
Very good for stupid sites that keep reverting to non-secure content, allows you to force them to always use the secure version.
Or use https everywhere add-on.
I had loop.enabled set to false in about:config and Firefox 37 changed it back to true. I do not want or need this feature and do not appreciate Mozilla changing my settings without notice.
I don’t remember when I have changed it to false but I updated today and it is still set to false.
Perhaps it had something to do with Classic Theme Restorer then. Who knows. On the positive side YouTube is working much better with 37.
They have removed they way to disable social api too. What do they have to gain by adding bloat?
Since Google’s search deal ended, Firefox’s top priority seems to be more endorsement/ad revenue…
And their newest bloat: Heartbeat! WTF is wrong with you Mozilla…
“Bing Search uses HTTPS by default now.”
Not in my case. I test searched from Searchbox and it is not HTTPS.
That’s strange, it is listed as a feature and working when I try it in the recent version. Did you add Bing Search manually by chance?
Could be. But when I go to Bing directly and try to search, there is no HTTPS either. Google and Yahoo are HTTPS.
The biggest ‘change’ or ‘feature’ is how hard Mozilla is now pushing to try and get users install Firefox on Android. Soon as you restart the upgraded 37 version, you get smacked with this:
https://www.mozilla.org/en-GB/firefox/37.0/whatsnew/
When the “whatsnew” page is nothing more than “For flip sake, we’ve got zero market share on Android, would you PLEASE install Firefox on your phone!!!?” we’re in trouble. You’ve done very well Martin to find anything to report about in terms of changes, let alone new ‘features’!
They removed full installer file links. On this page https://www.mozilla.org/en-US/firefox/all/ all links are to stub installers.
I downloaded a 39.3MB setup-file (danish Firefox) from that page
They have changed it since the time we commented on that.
Came here to comment on that. What a silly move. It’s as if they were trying to upset people on purpose. If someone more than 2 computers and a network storage this only serves to annoy such user.
what about 64-bit version, any news, cause it’s in beta?
x64 is available as nightly and works fine for months now.
Download here:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/
If you want it in another language, you need a language pack:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central-l10n/win32/xpi/
You might want to disable Electrolysis in the options, because some addons might not work with it.
Everything else (addons/plugins(flash)) work just fine.
My only beef with Nightly is sometimes it can’t update (stuck in a loop forever repeating – restart now to update), or other times there are multiple updates in a single day/hour. But other than that, all my add-ons seem to work fine. The bonus over the 32b version. It loads A LOT faster now!
@ bobeslaw
it was just in ftp. and there was not in http website of firefox:
https://www.mozilla.org/en-US/firefox/beta/all/
v37 Final has not x64 and even its beta x64 was not official. 38 Final will release it.
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/38.0b1/win64/en-US/
really not official beta? then how come it’s was in Mozilla’s ftp from 37 beta 2?
Does not seem to be available as a stable version yet.
“It is usually not a good idea to download it from there directly as last minute changes may make a different build the release build.”
You have probably no clue Martin how some technews sites are/were trying to outrun their competitors in some sick races every time when new Firefox build was posted on Mozilla servers; it’s like these installers were secretly hidden from the whole world and editors risk their lifes in order to deliver readers piece of software. They didn’t even care that build may be as you mentioned changed in last minutes – “screw this, we’re the first!”
And as for telemetry, they should ALWAYS ask users.