Firefox 51: Find out what is new
Mozilla Firefox 51.0 Stable was released on January 24, 2017 to the public by Mozilla via automatic updates and on Mozilla's website.
Note: If you are reading this article on January 24, 2017, you may not be able to upgrade Firefox to version 51 yet as Mozilla may not have enabled the new version through automatic updates. Releases are always available on Mozilla's FTP before they are made available via Firefox's built-in update mechanism.
Mozilla Firefox 51 is the latest stable version of the browser. The new version replaces previous stable versions, including Firefox 50.1, the last version Mozilla released prior to the Firefox 51 release.
All Firefox channels follow the same release schedule, which means that Firefox Beta, Aurora, Nightly and Firefox ESR are updated as well. Mozilla released Firefox Beta 52, Firefox Aurora 53, Firefox Nightly 54, and Firefox ESR 45.7 today.
- Firefox 51 is the new stable version of Firefox.
- Firefox 52 Beta, 53 Aurora, 54 Nightly, and ESR 45.7 are also available.
- The new Firefox version adds native support for FLAC audio and WebGL2, and displays a warning when login pages don't use a secure connection.
- It also includes other new features, among them new privacy and security options.
Firefox 51 download and update
You may download the latest version of Firefox directly from the Mozilla website, or use the browser's automatic update capabilities to upgrade to the latest version.
To check for updates in Firefox, do the following:
- Tap on the Alt-key while the Firefox window is active.
- Select Help > About Firefox from the menu bar that is displayed.
Firefox will display the current version, and run a check for updates. Depending on how Firefox is configured, any updates found may be downloaded and installed automatically, or on user command.
You may download all editions of Firefox using the links below instead.
- Firefox Stable download
- Firefox Beta download
- Firefox Developer download
- Nightly download
- Firefox ESR download
- Firefox unbranded builds information
Firefox 51 Changes
FLAC (Free Lossless Audio Codec) support
Mozilla Firefox 51 supports FLAC audio playback natively (in both FLAC and OGG containers). FLAC is also supported in MP4 with and without Media Source Extensions.
This means among other things that you can play any FLAC file directly in Firefox without issues, and that streaming services may stream FLAC audio streams to Firefox.
See bug 1195723 FLAC support / Create FLAC MediaDataDemuxer for additional information.
Google added FLAC support in Chrome 56 as well.
Firefox 51 highlights insecure login pages
Mozilla Firefox 51 displays a notification in the browser's address bar when you visit a login page that is not using https.
The notification shows the red "connection is not secure" strike-through icon when that happens. Previously, Firefox did not display any notification when sites used http for login pages.
Google Chrome will do the same starting with Chrome 56.
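Site operators can check ahead of time which of their pages will trigger this indicator. The following JavaScript (Node.js) is an added example, not code from this article or from Mozilla: it flags pages that contain a password field and are not loaded over https, which is the condition described above, and goes one step further by also listing password forms that submit to an http URL. The regex-based tag scanning, the function names and the example.test pages are assumptions made for this illustration.

```javascript
// Added example, not from the article or Mozilla. All URLs and HTML are constructed.

// Parse the attribute text of one start tag into an object with lowercase keys.
function parseAttributes(source) {
  const attrs = {};
  const pattern = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of source.matchAll(pattern)) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Resolve a form's action against the page URL; a missing or empty action
// submits to the page itself.
function resolveAction(action, page) {
  try {
    return new URL(action ? action : page.href, page.href);
  } catch {
    return page; // unparsable action: treat it as the page URL
  }
}

// Audit one page. Assumption: "insecure" means the scheme is not https.
function auditLoginPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const result = {
    url: page.href,
    passwordFields: 0,
    insecurePage: page.protocol !== 'https:',
    insecureFormActions: [],
    firefoxWarns: false,
  };
  // Ignore markup inside HTML comments so disabled fields are not counted.
  const visibleHtml = html.replace(/<!--[\s\S]*?-->/g, '');
  let formAction = null; // null while outside any <form>
  for (const m of visibleHtml.matchAll(/<(\/?)(form|input)\b([^>]*)>/gi)) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (tag === 'form') {
      formAction = closing ? null : resolveAction(parseAttributes(m[3]).action, page);
    } else if (!closing && (parseAttributes(m[3]).type || '').toLowerCase() === 'password') {
      result.passwordFields += 1;
      if (formAction && formAction.protocol === 'http:' &&
          !result.insecureFormActions.includes(formAction.href)) {
        result.insecureFormActions.push(formAction.href);
      }
    }
  }
  // Condition described in the article: password field on a non-https page.
  result.firefoxWarns = result.insecurePage && result.passwordFields > 0;
  return result;
}

// Return only the pages that need fixing.
function auditSite(pages) {
  return pages
    .map((p) => auditLoginPage(p.url, p.html))
    .filter((r) => r.firefoxWarns || r.insecureFormActions.length > 0);
}

// Constructed sample pages (hypothetical site).
const SAMPLE_PAGES = [
  { url: 'http://shop.example.test/login',
    html: '<form action="/session" method="post"><input type="text" name="user">' +
          '<input type="PASSWORD" name="pw"></form>' },
  { url: 'https://shop.example.test/account/login',
    html: "<form action='http://shop.example.test/session'><input type=password name=pw></form>" },
  { url: 'http://shop.example.test/news',
    html: '<form action="/search"><input type="text" name="q"></form>' +
          '<!-- <input type="password" name="old"> -->' },
  { url: 'https://shop.example.test/reset',
    html: '<form method=post><input type=password name=new></form>' },
];

console.log(JSON.stringify(auditSite(SAMPLE_PAGES), null, 2));
```

The second sample page is loaded over https and would not show the indicator, but its form still sends the password over http, which is why the audit lists it.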
Battery Time precision limited for privacy
Privacy improvement: BatteryManager.chargingTime and BatteryManager.dischargingTime precision limited to avoid fingerprinting.
This means that services can no longer use the values of these two properties for fingerprinting, as they are now rounded to the closest 15 minutes.
Password Manager Improvements
Firefox's built-in password manager received two improvements in this release. The first adds a new "show password" option to the save dialog. This provides you with an option to reveal the password that Firefox is about to save in its database.
The second allows you to save passwords for forms without "submit" events.
Other Firefox 51 changes
- Added Georgian (ka) and Kabyle (kab) locales, removed Belarusian (be) locale.
- Added support for Spatial Audio for 360 Videos on Facebook with Opus 255 Channel Mapping.
- Firefox 51 blocks automatic audio playback in non-active tabs.
- Firefox 51 has a new search reset feature.
- Firefox 51 shows the memory use of processes on about:performance.
- Improved reliability of browser data sync.
- New WoSign and StartCom certificates will no longer be accepted.
- SHA-1 certificates issued by public CA will no longer be accepted.
- The Firefox address bar shows an indicator if the zoom level is not the default on a page open in the web browser.
- The SocialAPI is deprecated.
- Updated to NSS 3.28.1.
- Use 2D graphics library (Skia) for content rendering.
- Enable WebExtensions in a legacy add-on type.
- Network Monitor shows a blocked state for network requests.
- Social API deprecation: Social Bookmarks API, Social Chat, Social Status API, MozSocial removed. All social widgets but the Share panel are no longer available.
- The IndexedDB v2 implementation of Firefox is complete now.
- WebExtensions: Clipboard access supported.
- WebExtensions APIs: idle.queryState, idle.OnStateChanged, management.getSelf, management.uninstallSelf, runtime.getBrowserInfo, runtime.reload, and runtime.onUpdateAvailable.
- WebGL 2 is enabled by default introducing a range of new features to Firefox such as sync and query objects, or 3D textures.
- WebRTC supports the VP9 codec by default now. It is the second choice after VP8.
Firefox for Android
Coming soon. Release notes list no major changes. At least some of the changes of the desktop versions of Firefox are also part of the Android version of the browser.
Security updates / fixes
Security information is released by Mozilla after the official release of Firefox. We will update the information once Mozilla makes it available.
- CVE-2016-9894: Buffer overflow in SkiaGL
- CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
- CVE-2016-9895: CSP bypass using marquee tag
- CVE-2016-9896: Use-after-free with WebVR
- CVE-2016-9897: Memory corruption in libGLES
- CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
- CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
- CVE-2016-9904: Cross-origin information leak in shared atoms
- CVE-2016-9901: Data from Pocket server improperly sanitized before execution
- CVE-2016-9902: Pocket extension does not validate the origin of events
- CVE-2016-9903: XSS injection vulnerability in add-ons SDK
- CVE-2016-9080: Memory safety bugs fixed in Firefox 50.1
- CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
Firefox 51.0.1 was released on January 26, 2017. It is a bug fix release that fixes Geolocation not working on Windows, and another issue where add-ons that stated that they are not compatible with Firefox's new multi-process architecture were still marked as compatible by Mozilla.
Not released for Android devices.
Firefox 51.0.2 for Android
Mozilla released an update for Firefox for Android that brings the version to 51.0.2. Please note that this update was not released for the desktop versions of Firefox. The patch fixes a crash issue on x86 Android devices.
Firefox 51.0.3 for Android
Firefox 51.0.3 is only available for Android. Mozilla released the update on February 9, 2017. It includes security fixes, and fixes a build issue that caused crashes on some x86 architectures.
Additional information / sources
- Firefox 51 release notes
- Firefox 51.0.1 release notes
- Firefox 51 Android release notes
- Firefox 51.0.2 Android release notes
- Firefox 51.0.3 Android release notes
- Add-on compatibility for Firefox 51
- Firefox 51 for developers
- Site compatibility for Firefox 51
- Firefox Security Advisories
- Firefox Release Schedule
I’ve encountered two issues with Firefox 51 that I did not have with the previous Firefox 50.1:
1- A setting so called a TOR contribution which appeared with Firefox 50.1 :
// TOR CONTRIBUTION (2) – enable first party isolation pref and OriginAttribute — WARNING: this may break some sites
user_pref("privacy.firstparty.isolate", false); // Default=false
– This setting is no longer hidden.
– If set to ‘true’ in FF51 there is at least this problem which occurs: the FF ‘Self-Destructing Cookie’ add-on no longer removes non-whitelisted cookies, which is the core of its pertinence;
2- TLS maximum supported protocol version
// security.tls.version.max : maximum supported protocol version (highest version to initiate a connection with before falling back to lower versions).
user_pref("security.tls.version.max", 3); // Default=3
// 3 : TLS 1.2 is the minimum required / maximum supported encryption protocol. (This is the current default for the maximum supported version.)
// 4 : TLS 1.3 is the minimum required / maximum supported encryption protocol. (Available since FF49)
In Firefox 50.1 and before I had set this value to 4 but I just encountered at least two sites now called with FF51.0 that cannot be connected with max version set to 4 : restoring to 3 (default) solves the connection issue.
No issues if you’ve kept default FF settings. This concerns those who may have tweaked concerned settings as I do and did.
1. Pretty sure first-party isolation isn’t ready, so encountering bugs seems likely. You may want to poke the add-on developer and Mozilla in case they don’t know.
2. TLS 1.3 isn’t ready either, I think. Seems like this could actually be a bug FIXED in Firefox 51, something where Firefox 50 fell back to 1.2 silently while it was supposed to fail hard, with such a setting. Those sites could be “TLS 1.3 intolerant” ( https://bugzilla.mozilla.org/show_bug.cgi?id=1286694 )
Of course I have no idea, those are just guesses, but I’d be careful about enabling features still in development, especially privacy/security ones. Even if I was on Nightly I’d let Mozilla handle at which time such or such critical feature is ready to be turned on. YMMV of course.
FPI is so not ready. There are a ton of tickets for issues with gmail, soundcloud, facebook and so on.
https://bugzilla.mozilla.org/show_bug.cgi?id=1319773 – soundcloud
https://bugzilla.mozilla.org/show_bug.cgi?id=1319728 – youtube
https://bugzilla.mozilla.org/show_bug.cgi?id=1316019 – pixnet
https://bugzilla.mozilla.org/show_bug.cgi?id=1316536 – facebook
https://bugzilla.mozilla.org/show_bug.cgi?id=1319756 – instagram
https://bugzilla.mozilla.org/show_bug.cgi?id=1319761 – pinterest
https://bugzilla.mozilla.org/show_bug.cgi?id=1319767 – imgur
https://bugzilla.mozilla.org/show_bug.cgi?id=1319839 – gmail
Without wanting to read the details too much and get in over my head, the problem (I think) relates mainly to the login being from a different domain.
The pref (privacy.firstparty.isolate) is, if I understand it correctly which I probably am not, primarily for TBB, and indeed, the restriction is so tight (or the interpretation of how to implement differs) that there is another preference being written as I type to alleviate the strictness of FPI so not so many websites break : privacy.firstparty.isolate.restrict_opener_access – see https://bugzilla.mozilla.org/show_bug.cgi?id=1319773#c22
I’ll send an email to ‘Self-Destructing Cookies’ developer ‘Support E-mail’ address since one is provided on the add-on’s AMO page.
Try this add-on, it’s similar to Self-Destructing Cookie:
You need to switch it to active mode to work.
The “2- TLS maximum supported protocol version” I reported above is no longer a problem with latest Firefox 51.0.1 which had added a “security.tls.version.fallback-limit” set to 3 by default, which means that “security.tls.version.max” can be set to 4 (= TLS 1.3 is maximum supported encryption protocol) and it will fall back to 3 in case of a problem.
I had tested “security.tls.version.max” = 4 with https://adguard.com/
On Firefox 51.0 : connection failed
On Firefox 51.0.1 : connection succeeded (new “security.tls.version.fallback-limit” left at default ‘3’)
BatteryManager.chargingTime and BatteryManager.dischargingTime are about:config entries? The only entry returned when I search for battery is dom.battery.enabled;false which defaults to true.
Also Mozilla’s site still gives me 50.1 links, so here are the 51 ones for Windows:
No those are API calls, not preferences. Sorry for not making that clearer.
Now that I think about it, wasn’t there discussion at Mozilla to remove Battery API access to websites, only keeping it for add-ons and Firefox itself ?
Did I dream about it ? Was it deemed unsuitable ? The reason was privacy.
“Remove web content access to Battery API” (https://bugzilla.mozilla.org/show_bug.cgi?id=1313580)
… it will ride the train in FF52.
Then, why these (dis)chargingTime changes ? How is it different from the Battery API ? I be a confused lad.
I don’t know. Seems kinda useless to me too. It’s for addons mostly I guess, but addons can already uniquely identify users if they want to. Maybe it was somewhat easy to implement and served as a good bug for a new employee/intern at mozilla or something, who knows. I be a confused lad too mate^^
From your bug link, it seems that they first decided to do something about (dis)chargingTime precision, which to be fair should be a very quick fix, and then figured the whole API could actually go without breaking web content. I like it when a privacy plan goes further than expected.
Heh .. https://developer.mozilla.org/en/docs/Web/API/Battery_Status_API : “Values for BatteryManager.chargingTime and BatteryManager.dischargingTime are always equal to Infinity.” Now that’s funny. But it’s not quite what it seems. If the device is plugged in and the power outlet is providing power, *then* it returns infinity, because it will never run out of power.
Anyway, I guess the API was opened up for web apps etc to be able to take appropriate action if your device battery was low – such as warn you or pause/stop things – eg IDK, maybe an in-game message in a full screen game?
But just like dozens of other web standards, no one wants it, no one uses it. See http://www.theregister.co.uk/2016/05/24/pointless_features_add_to_browser_bloat_and_insecurity/ . It’s a little old, but of the top 10,000 websites .. 1 used Vibration API, 3 used Gamepad API, 16 used Web Notifications, 30 used WebRTC and so on .. 1553 used SVG (earthling .. 15% dude, yikes, do you feel safe?). A lot of bloat and security surface TBH.
On the other hand, niche uses of the web can only be enabled with specific API.
For instance gaming needs WebGL, Gamepad API and Vibration API. Of course you don’t encounter one game every 10 pages visited, and of course one site will host many games when 1000 others will host none.
So it’s normal that these APIs are not used by many sites. This reasoning could apply for most APIs for all we know, but that doesn’t mean it would be fair or good for the web as a platform to remove them.
For the Battery API, it seems that not one site used it as expected by the spec (?), and everyone is using it for fingerprinting. In that case it’s good to remove it, and have browsers deal with low battery on their own.
Thanks Martin! Great post as usual and very helpful.
But ESR 45.6 was released back in December 2016 already. I still have the portableapps setup file and it’s dated 15.12.2016.
According to https://wiki.mozilla.org/RapidRelease/Calendar today’s ESR release should be 45.7.
You are right, thanks and corrected.
How can I make my Firefox look like yours?, it looks very nice and clean.
You need the add-on Classic Theme Restorer for that.
Ok, thanks!. I need to play with the settings because there are many of them to tweak the interface.
I think 51 also landed one-off Searches.
The latest FF51beta I checked, added the ‘browser.urlbar.oneOffSearches’ pref, although it was still set to false.
// 0819: disable one-off searches from the addressbar (FF51+)
Yup .. been tagged as 51 for ages. In version “Pants Konami” it was under section 9999 To Investigate. The next version “The House of the Rising Pants” already has it in (as above). Should really get this sucker githubbed
Are you ready for another diff-bomb to add to your 999 prefs to investigate? ;)
I’ll have to wait for portableapps to release FF51 before I can create a diff, but it’ll be coming soon.
Here’s a short preview created from the latest FF51beta, just to keep you busy xD
pref("security.insecure_password.ui.enabled", true); // prev: false
pref("webgl.dxgl.enabled", true); // prev: false
pref("webgl.enable-webgl2", true); // prev: false
security.block_script_with_wrong_mime fixes this exploit, PoC at http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
Yep, saw that one right when it was first released and created my own polyglot-jpeg-creator-script that same day xD
And now it’s useless, or so they say …
Might just have to wrap it in an SVG or something ;)
@earthling : I’m thinking of doing a new FF51 version 11 final release for Martin once we get our portable 51’s and check a few things, including your diffs dumpie. It’s been six months, so time for another article. But I’m a little scared, truth be told, that Tom will get it and say that it’s “just fine” xD
* version: 0.11 : The House of the Rising Pants
* “My mother was a tailor, she sewed my new blue pants”
That sounds great. Dropping pants would be nicer, but hey, you cannot have it all, right?
@Pants and @earthling seem to share several common points and I confess that the idea they be but one soul is a temptation I cannot evacuate rationally. And this is not only due to their common vision of a “just fine’ when the ping-pong of their dialogs appears to me as “built” …
Anyway, I appreciate your work, you know that :)
“Might just have to wrap it in an SVG or something ;)”
ALWAYS wrap your exploits in an SVG, that way you get two holes for the price of one, and who doesn’t like that!
Yay! WebGL 2. Now Unity can be reasonably back in browsers!
Well, not really, needs WebAssembly and SIMD, but that’s a good start.
Wait, didn’t a bunch of comments from today disappear ? Or am I on the wrong article, and the correct one was actually deleted ? It was about the removal of Social API.
Wrong article, here you go: https://www.ghacks.net/2016/08/06/firefox-51-socialapi-parts-removal/
Thanks! I failed to notice it was an old article that was linked to by our current article, and not a fresh one from today. Sorry :)
It’s already well into the 25th and Mozilla’s update servers still aren’t offering version 51.
It is available on the main download page, however.
I like this new version, some nice changes included. Having switched to a new MacBook Pro Touch Bar, my FF is now blazing fast! Shame about the relatively high battery usage, though.
Still no automatic update from inside Firefox?
Any words from Mozilla on this?
Mozilla announced it yesterday: https://blog.mozilla.org/blog/2017/01/24/gets-better-video-gaming-non-secure-web-warning/
If you don’t get the update, download the latest version manually and install it this way.
Yeah, I already know that blog post, but they don’t mention anything about a delayed roll-out or something.
This is strange, because, as far as I know, there hasn’t been any issue with the integrated update mechanism for almost two years I think, the updates were always available on the scheduled date in the release calendar (https://wiki.mozilla.org/RapidRelease/Calendar)
Issues with this update have also been mentioned here:
Also on mozillazine, with a possible explanation:
It’s now the 26th, and version 51 is still not available via update from within the browser.
This is not good of Mozilla, as they have already disclosed the security holes.
Although I have updated manually by downloading from Mozilla’s site, most of the millions of Firefox users will not be willing to do that, or even be aware that a new version is supposed to be available.
Actually latest Firefox version is 51.0.1 downloadable from https://ftp.mozilla.org/pub/firefox/releases/ as well as from major sites.
Maybe was FF 50 auto-update delayed because 51.0.1 was in perspective?
Tom are you sure? I don’t see 51.0.1 listed there (did a search, no result). I see 51.0 as the last release version, and before that 50.1.0. Can you please re-check?
@Martin, we are both right : Firefox 51.0.1 has been removed from Mozilla Firefox release directory (https://ftp.mozilla.org/pub/firefox/releases/), now that I’ve installed it when it was available (2017-25-01-20:35GMT).
What are they up to? This is the first time I see a version removed from Mozilla Firefox’s release directory.
I know you often mention that available latest version on Mozilla Firefox’ release directory are to be considered with caution as they might be modified before the official final release, but this is the very first time I notice, not only a modification but a deliberate removal of a version on a Mozilla’s release directory.
I’ll keep 51.0.1 and wait …
Interesting. Bugzilla has this entry which may explain why it got pulled: https://bugzilla.mozilla.org/show_bug.cgi?id=1333663
Still no idea why they’d release it, but must be a high priority bug fix or security fix.
If it’s only a “Firefox 51.0.1 build1 partial generation fails due to clamav errors” then I’ll hesitate even less to restore FF 51.0 over 51.0.1.
Just checked 51.0.1 on VirusTotal and the detection ratio is 0/56 (http://preview.tinyurl.com/gvhpaqq)
ClamAV is not truly a reference as far as I know. Whatever, it’s obviously a false positive.
I’ve backed up FF51.0.1 on a server if anyone’s interested and if you, Martin, agree of course.
You’re not really still using FF 32-bit are you Martin?
I’m using everything :)
There’s a link to a demo called “After The Flood” in the blog you posted the link to Martin which takes me to https://playcanv.as/e/p/44MRmJRU/
But when I try to play the demo, it tells me WebGL 2.0 is needed even though I have FF 51 already installed.
I checked in about:config and “webgl.enable-webgl2” is set to “true” which is the default.
I tried rebooting in FF Safe Mode just in case an extension was the culprit, but it didn’t make any difference.
Any idea what the problem might be?
If anyone else has this problem, try updating your graphics driver maybe.
Please ignore my question concerning “After the Flood” which requires WebGL 2 not playing. I just created a new profile which resolved the problem.
To my knowledge, Apple hasn’t released any graphics card drivers updates for the ATI Radeon HD 4850, which is the graphics card installed on my iMac.
I tried creating a new profile but it hasn’t solved the problem!
Still getting the error message:
“This demo requires WebGL 2.0 support. Please update to the latest version of Mozilla Firefox.”
Firefox 51 enables WebGL 2 to 65% of computers, apparently, though this data is based on less than 10 days so it might not be representative, it might change within next month as more people update to Firefox 51. ( https://telemetry.mozilla.org/new-pipeline/dist.html#!cumulative=0&end_date=2017-01-18&keys=__none__!__none__!__none__&max_channel_version=release%252F51&measure=CANVAS_WEBGL2_SUCCESS&min_channel_version=null&product=Firefox&sanitize=1&sort_keys=submissions&start_date=2017-01-18&table=0&trim=1&use_submission_date=0 )
WebGL has 99% compatibility, which is astounding, even Flash never went above 95%, and it was not Flash’s 3D functionality (75-85% IIRC), just Flash installs.
When WebGL was first released, compatibility was around 65% too, I think, maybe even 50%.
Reasons for that are:
– Hardware. Nothing to do, just wait for the market to upgrade.
– Hardware. Some work can be done on WebGL 2’s implementation to enable more hardware without users having to do anything but upgrade Firefox as it gets updated.
– Drivers. Graphics cards manufacturers fix their drivers which have issues, whether security, incompatibility with WebGL 2’s spec, etc. Some users will therefore become WebGL 2 compatible after a driver update.
I don’t have WebGL 2 working right now, I’m very surprised about it but I’ll update my 2 years old driver when I get a chance. And if that doesn’t work, I’ll post a bug report on Bugzilla for my graphics card so they can see if it can be enabled.
Not working in Chrome 56.0 either (despite enabling the appropriate flag). Getting the following error msg:
“Using Chrome? To enable WebGL 2.0, go to chrome://flags, set the WebGL 2.0 option to Enabled and restart your browser.”
I’m still on Aurora 50 – now that stable has finally caught up, I can update to Aurora 53
Re: WebGL2 – I noticed that ‘webgl.enable-webgl2’ is still (or again?) set to false by default in my FF51.0.1.
Maybe you guys might want to check that out before you update all your drivers.
Here latest Firefox 51.0.1 (x64) has,
webgl.enable-webgl2 : true (default)
webgl.webgl2-compat-mode : false (default)
Quite odd indeed that default settings aren’t the same for all users.
Thanks Tom, appreciate your input. As I already wrote on our little user.js thread, I have no clue what’s happening anymore. It must be one of my addons that interferes but it’s still weird that the pref shows as “default” and not “user set”.
I’ll figure it out eventually.
Another release with inability to disable Pocket through about:performance bug.
What is the new ‘AlternateServices’ empty text file Firefox creates in the profile directory used for?
Undocumented feature: Flash games get broken. For some reason after the update any flash game (for ex. http://www.kongregate.com/games/DivineGames/realm-grinder) runs as if the browser was being run in a tiny resolution, like 800×600.
This is pretty bad as games start looking really ugly but also their UI tends to break.
I got no idea how Firefox even does this (I thought maybe I could fix a setting and go back to normal but no such luck for me)
As a bonus it also switched the default font to Times New Roman.
I really wish they’d just stop messing with the UI. Fix bugs, reduce footprint, security. Nothing more.
It’s on your end, i.e. only occurs on your computer. Game’s fine here. It could be due to an add-on, a corrupted update or something like that.
Try Firefox’s safe mode, which automatically restarts Firefox with all add-ons disabled. See if it works. If not, try Firefox’s repair mode or create a new profile. If that still doesn’t work, uninstall and reinstall. If that STILL doesn’t work, update your graphics driver ? (Or use another browser or ask for help on a more appropriate forum where people are better qualified)
If all the add-ons are disabled, Flash won’t work either presumably, so how can you test it?
I have experienced problems with Flash on particular websites too. Adobe say it’s FF’s fault.
Much to my disgust I had to install Chrome instead to run the sites in question.
Is there any way to disable the “Connection is not secure” for plain old HTTP websites now? This is nothing more than creeping nannyism, and is unwanted.