Firefox 101 Stable: security fixes and classic download behavior restored
Mozilla plans to release Firefox 101 to the Stable channel on May 31, 2022. The new version of the open source web browser is a smaller release that includes some improvements and security fixes.
Mozilla released updates to Firefox's other channels as well. Firefox 91.10.0 ESR, Extended Support Release, and Firefox 101 for Android have been released as well. All development channels of the browser have been upgraded next to that: Firefox Beta and Developer were moved to version 102, and Firefox Nightly to version 103.
Executive Summary
- Firefox 101 Stable is a security update that addresses security issues in the browser.
- Firefox 102 is the next ESR release. It will be released next month.
Firefox 101.0 download and update
Firefox 101 is available already. The browser's built-in updating system may not pick up the update at the time of writing, but it should become available later on May 31, 2022. If you are reading this after May 31, you should receive the update immediately when you run a check for it.
Select Firefox Menu > Help > About Firefox to display the installed version of the browser. Firefox runs a check for updates when the window opens to download and install any update that it finds.
Here are the links to the official download repositories.
- Firefox Stable download
- Firefox Beta download
- Nightly download
- Firefox ESR download
- Firefox for Android on Google Play
Firefox 101.0 new features and improvements
Return of the classic download prompt
The big new improvement in Firefox 101 is one that is not highlighted in the official release notes. Mozilla changed the download behavior of the browser in Firefox version 97, which it released in January 2022.
Firefox used to display a prompt to the user, giving them options to open or save the file. The new download prompt copied the behavior of Chromium-based browsers; this meant that Firefox started the download immediately.
While there was an option to modify the behavior by enabling "always ask you where to save files" in the preferences, it did not replicate the full functionality of the classic download prompt.
Now, with Firefox 101, comes an option to restore the old prompt:
- Load about:preferences in the Firefox address bar.
- Scroll down to the Applications group on the page.
- Switch the default option "save files" to "ask whether to open or save files" on the page.
Other changes
- Mozilla notes that Firefox users may assign custom actions to any "non-configured MIME type" after download completion.
- Firefox supports using multiple microphones during video conferencing. The browser supports switching between microphones, provided that the conferencing service provider supports the functionality.
- Firefox for Android supports using a magnifier for forms on Android 9 and later, which improves the usability of forms in the browser.
Developer Changes
- Sites may use the prefer-contrast media query to determine if a user has requested a higher or lower contrast.
- The viewport sizes small, large and dynamic have been introduced
- Constructable stylesheets are now supported.
- AV1 codec parameters are parsed properly now in media support queries.
- The WebDriver BiDi protocol is enabled by default in this version of Firefox
- Several Manifest V3 APIs and changes added:
- Scripting API added for add-on developers, "which provides features to execute a script, insert and remove CSS, and manage the registration of content scripts".
- Action API added, "which takes over the features of the browserAction API in Manifest V3 extensions".
- Addition of the "host_permissions" manifest key, which is available for Manifest V3 extensions.
- The "background" manifest key property "persistent" can be set to false under the control of preferences: for Manifest V2, the extensions.eventPages.enabled preference, and in Manifest V3, the extensions.manifestV3.enabled preference.
- Content script execution environment has changed for Manifest V3 extensions.
Enterprise changes
Known Issues
none listed.
Security updates / fixes
Security updates are revealed after the official release of the web browser. You find the information published here after release.
Outlook
Firefox 102 will be released on June 28, 2022, according to the release schedule; this marks the launch of the new Firefox ESR base version as well. Firefox ESR 91.x will reach end of support on September 20, 2022.
Firefox extension reviews and news
Recent Firefox news and tips
- Mozilla is rolling out Total Cookie Protection to more Firefox users
- Firefox 100.0.1 released with improved Windows process isolation
- Mozilla expects to launch extensions Manifest V3 support in Firefox in late 2022
- Firefox 101 Beta brings back the download prompt allowing users to choose whether to open or save files
Additional information / sources
- Firefox 101 release notes
- Firefox 101 for Developers
- Firefox for Enterprise 100 - release notes
- Firefox Security Advisories
- Firefox Release Schedule
Edge (possibly other Chromium browsers as well) allows me to run downloaded executables without explicitly saving them to a folder (it saves them to a temporary subfolder). There used to be a XUL extension for FF that did that, but I haven’t seen a similar WE.
Is there a way to do it in in FF?
Not specific to Firefox 101 but I’ve always forgotten to share the following which occurred a few versions ago :
I had noticed that the caret in the urlbar would blink 5 times than remain static and that bothered me : I’ve never seen an app, a software where the caret doesn’t blink, or stops blinking …
The change had been proposed on Bugzilla in these terms :
“Add support to nsCaret to stop blinking after a set of cycles”
[https://bugzilla.mozilla.org/show_bug.cgi?id=1159263]
“We have feedback from partners that blinking cursors can increase power usage. We already have “ui.caretBlinkTime” to control the duration of a blink cycle, but we could add code to stop blinking after a few seconds.”
Blinking cursors can increase power usage?! By what, 0.01%? I remain stunned immaculate when I read that (“stunned’ only!).
To fix this and get back a normal blinking caret in the urlbar :
// Caret Blink : SET COUNTER BEFORE NO BLINK ( -1=NEVER )
pref(“ui.caretBlinkCount”, -1); // DEFAULT=5 — [HIDDEN PREF]
Et voila. If anyone can explain the extra power usage I’ll offer him/her my best greetings from Paris :=)
A promise is a promise: greetings from Paris (or close to) :=)
I’m quite surprised that a blinking caret may indeed increase power usage as it seems, that it has a 5 seconds default timeout on Win10/11 (Win7 here).
Blinking for blinking : I use quite many animated PNGs (APNG), mainly as toolbar icons replacements when it comes to the browser (i.e. to show clearly a process/extension active or not) and I get to wonder now if this impacts excessively the GPU … bothers visitors!
Wow, the caret blinking indeed wakes up the iGPU from its idle state. Task Manager indicates it as 0.1 usage, but that component receives now more power as a result of that blinking cursor. Personally I hate blinking things, and as a consequence have disabled all the UI animations within my OS; regardless that option is probably best left untouched on mobile devices.
And yes, that happens in Chromium as well, annoyingly enough. I always wanted that damned thing to be static, potentially a different colour like blue, but not this blinking mess.
Maybe much more, because BS coders:
VS Code uses 13% CPU when focused and idle (macOS 10.12)
https://github.com/microsoft/vscode/issues/22900
The caret blinking forever wastes CPU/power (macOS 10.15)
https://bugzilla.mozilla.org/show_bug.cgi?id=1724405
Seems like an issue of macOS and using VS code. I didn’t profile my CPU usage on Windows/Arch, but I doubt, this issue is present there or neither was.
Caret blinking timeout (5 seconds) is apparently default behavior on Windows 10/11.
You can change this by adding the following DWORD (32-bit) registry key:
HKEY_CURRENT_USER\Control Panel\Desktop\CaretTimeout and setting it to a very high number.
Just stunned? Grand, I am already “pining for the fords” after I read some of that. Though I don’t plan on joining the bleedin’ choir invisible too soon if I get a say in it.
Thanks for these useful tweaks, will add them to my collection.
Minor update, at least over the hood.
For those who’ve installed the userChromeJS ‘protocol’ by xiaoxiaoflood, files have been updated for Firefox 101 :
[https://github.com/xiaoxiaoflood/firefox-scripts]
Firefox is the only real alternative to Brave, Chromium and the other botnets.
Even if you never opt and and disable all that cr*p bat ledger process is still running in the background you can verify it easily. They repeatedly ignored this issue for years. Closed the github issue with “wontfix” claiming its part of the “Rewards Everywhere™” referencing an empty github thread. Defend your botnet fanbois, might as well use Chromium.
[https://github.com/brave/brave-browser/issues/5429]
[https://github.com/brave/brave-browser/issues/8846]
Ad browser apologists inbound!
@Frankel
Your links do not demonstrate that Brave sends personally identifiable information, no matter how hard you wish for it. What they do show is that Brave Rewards runs as separate processes and that those needlessly consume RAM and CPU, hence the bug reports. The entire premise of Brave Rewards is that it is a local algorithm that does ad matching directly on the device instead of outside servers. Hence, even when it runs, it is never a privacy threat.
The topmost comment under a Firefox article is anti-Brave and is spreading rather massive FUD. This is just sad.
I think Martin’s removal of replies was for a reason. Why do you keep inciting hate?
You are desperately trying to defend your beloved browser because you want to convince other people to join you and your ideas, without any regard if that makes sense or not because the best browser or software for that matter is pretty much pointless if you – for whatever reasons – do not like it or do not feel comfortable with it then putting pressure on the average user will do no good and he certainly will switch back to old habits. Some users use Vivaldi because it offers some UI improvements over vanilla Chromium, others entirely only care about the privacy aspects. Personally I do not think that makes an killer argument because Chrome, Brave, Firefox and all other bigger Browsers constantly evolve and adopt to new threats. I believe a good Browser is defined by its community and the developers interacting with it.
This is a Firefox thread and not a Brave thread. Do you see me coming in Brave threads to talk bad about Brave?
Cannot implement a working TOR mode:
[https://www.coindesk.com/tech/2021/02/22/brave-browser-was-exposing-addresses-in-tor-mode-for-months/]
Manipulates URLs for monetary gains:
[https://www.theverge.com/2020/6/8/21283769/brave-browser-affiliate-links-crypto-privacy-ceo-apology]
Useragent is fingerprintable without even running client side JS:
[https://www.ctrl.blog/entry/brave-user-agent-detection.html]
@Frankel
> I think Martin’s removal of replies was for a reason. Why do you keep inciting hate?
Counter-question: Why do you keep spreading FUD? I think debunking FUD is not the same as “inciting hate” (devoid of meaning in our day, by the way, because it’s overused). Martin has removed your stuff too. I am not living in Martin’s head, his reasons for emoving stuff are obscure and if he lets your FUD / misinformation stand in the first place, his moderation is not working as it should at all. Why need I care at this point, if stuff like yours that is obviously pushing lies and misinfo is allowed to remain?
> Cannot implement a working TOR mode:
This happened due to the implementation of CNAME uncloaking which no other Chromium browser has. They entered new territory there and bugs happen then, believe it or not. It was fixed upon being reported on GitHub.
Firefox had similar leaks, e.g. leaking the entire add-on list. Should I go on and on about this as well? Digging out things that are fixed now and very unintentional is boring character assassination.
> Manipulates URLs for monetary gains:
Yeah, so does Firefox on every single Google search URL. It’s called non-invasive user counting and is a non-problematic way of funding the browser. You probably click on dozens of referral links every single day.
Privacy impact on the user: 0
Hypocrisy level of yours: 100
> Useragent is fingerprintable without even running client side JS
This only tells an adversary that Brave is being used. Brave has 60+ million users, and this information (Brave being the browser used) is not enough to uniquely identify anyone. A website can also tell from your user agent that you are using Firefox, and again, the impact is 0 because there are millions of Firefox users.
Privacy impact on the user: 0
It’s okay the other people will just see the links and think for themselves.
@Frankel
> It’s okay the other people will just see the links and think for themselves.
You are very deceptive here and your links are meant to push false narratives to uninformed users. You disgust me. I said what needed to be said about your fake news.
I literally don’t care for your dogmatic preaching. The links well help other people to think for themselves.
Thanks for you post, 3 BAT (Basic Attention Tokens) have been deposited into your Brave ledger!
[https://www.coindesk.com/tech/2021/02/22/brave-browser-was-exposing-addresses-in-tor-mode-for-months/]
[https://www.cpomagazine.com/data-privacy/brave-privacy-browser-caught-automatically-adding-affiliate-links-to-cryptocurrency-urls/]
The next level of apologetics will be that you should only TOR browser for Tor network and onion routing. Now the brain tease: Why even offer a TOR mode if it is broken? All honest mistakes! Just like the afiliate links, but hey, those are okay as they don’t actually “transmits personally identifiable information” :)))
We now have reached Ayn Rand levels of dialectics to justify blatant AnCap “””ethics”””. You may continue to twitch and discredit me all you want. People will think for themselves in here, no matter your policing of comments about Brave and Firefox.
Addendum:
Since IH usually ignores all arguments or cherry picks the weakest out of them or rephrases them via strawman, I might just drop one more:
[https://www.ctrl.blog/entry/brave-user-agent-detection.html]
> Brave may not have its own HTTP User-Agent request header, but even the order of Brave’s HTTP request headers are in themselves unique to Brave. No client side JavaScript required.
No clientside JS required to see Brave stick out like a sore thumb on the entire internet? Ouch! Major design failure. This lion is announcing its presence with a massive roar, but not out of pride, but because a certain fox fox got its fangs on the lion’s b*lls.
@Frankel
> The next level of apologetics will be that you should only TOR browser for Tor network and onion routing.
Uhm… yeah? What is the controversy here? A browser using Blink can’t emulate the fingerprint of a browser using Gecko and vice versa. So even when Brave’s Tor mode hides your IP address, it does not have the common fingerprint of the Tor Browser Bundle. Brave actually says to use the TBB if you want to do more than hide your IP address, right when you enter Brave’s Tor mode.
> Now the brain tease: Why even offer a TOR mode if it is broken?
You act as if the Tor mode is Brave’s main selling point, LOL. No, it isn’t.
I don’t have to justify features that are used only by a minority of Brave users, actually I don’t use the Tor mode either. So my response to this is: Who cares? If you know about Tor then you know about fingerprinting, and that Brave does not have the same FP as the Tor Browser Bundle.
> All honest mistakes!
Yes. The bug causing the leak was introduced when they implemented CNAME uncloaking for Brave Shields, a feature which no other Chromium-based browser has. So they were entering new territory here, and this can produce bugs. They fixed the bug when it was reported on GitHub.
According to you, why did it happen? Are you insinuating that the ISPs or the state were paying Brave Software to introduce the bug? That’s called a conspiracy theory, my main man, and is not really consistent with them fixing the bug immediately upon hearing of it. If it was intentional, they would have deleted the bug report and would have done nothing.
Btw, Firefox had various leaks of its own some of which included the full add-on list which could uniquely identify you. But hey, when Mozilla does it, it is a bug, when Brave does it, it’s a big conspiracy. LOL.
> Just like the afiliate links
You do realize that generic (= not generated per user) referrals can’t uniquely identify users, right? The referral just said: “Hey, I am a Brave user!” and nothing more. The same happens when Firefox adds its own referral to the resulting URL whenever you perform a Google search (this is the basis of Google’s payments to Mozilla, btw, this is how Firefox’s traffic on Google is measured), but then, I guess, when Firefox does it, it is a good way of granting the browser desperately needed funding from big Daddy Google, when Brave does it, the motives have to be inherently evil and sinister even though the motive is the same. It’s called double standards.
> your policing of comments
Thanks to you, the topmost comment is full of trolling that is meant to provoke. When your trolling is corrected by facts, this gives you the opportunity to claim bullshit like “policing comments” etc. It’s getting boring. I was trying to be nice when I said you were an ignorant, actually, because what you really are is someone performing malicious, provocative trolling.
> Ouch! Major design failure.
Dude, Brave has 50+ million users. The only thing the HTTP request header is telling you is that the browser the person is using is Brave. This is not that valuable with 50+ million people using the browser, I would not be surprised if it had its own user agent. This info has no actual impact on user privacy.
Your “points”, if we can call it that, have been brought up ad nauseam here, and have never been valid or even particularly interesting. Why do you think you dumping them here for the 100th time adds anything new to the discussion? I actually yawned when I read your parroted nonsense, since it wasn’t the first time.