Firefox 109: Manifest V3 support, security fixes and improvements

Martin Brinkmann
Jan 17, 2023
Updated • Jan 17, 2023
Added information about the security updates.
Firefox
|
41

Firefox 109.0 Stable is the latest version of Mozilla's Firefox web browser. The new release of the open source web browser introduces support for Manifest V3 extensions, improved security on Windows devices, and security fixes.

All Firefox development channels and Firefox ESR, Extended Support Release, are updated around the same time. Firefox Beta and Developer channels move to version 110 and Firefox Nightly moves to version 111. Firefox ESR 102.7 is the latest version.  Firefox for Android 109 will also be released today.

Executive Summary

  • Firefox 109.0 Stable is the first stable release that supports Manifest V3 extensions. These may now be installed from Mozilla's addons repository and other sources.
  • The new version fixes 10 security issues that have severity ratings of high or lower.

Firefox 109 download and update

You can check the installed version by selecting Menu > Help > About Firefox.

Here are the official download locations:

Firefox 109.0 new features and improvements

Manifest V3 extensions

Firefox 109.0 is the first Stable release of Firefox that supports Manifest V3 extensions. Firefox continues to support Manifest V2 extensions. The update introduces a new extension button that lists all extensions and their site permissions, provided that these extensions are not pinned to the Firefox toolbar.

Selecting the cogwheel icon next to an extension displays the pin option to place it prominently on the Firefox toolbar. A right-click on pinned icons displays an option to unpin them. Unpinned extensions are moved to the Extensions menu automatically.

Mozilla reassured Firefox users that it would not follow Google's lead on making Manifest V3 the exclusive option for extensions. Google has been criticized heavily for the initial drafts that it put out, as it would have had a serious impact on content blockers, privacy extensions and some other types of extensions.

Google made changes to the Manifest V3, and while the company did address some critical issues, it did not resolve them all to the satisfaction of its critics.

Firefox will support Manifest V2 and V3 extensions, which means that users of the browser get the best of both worlds.

Other changes and fixes

  • The Code Guard exploit protection is now activate in the media playback utility process to improve security on Windows.
  • Firefox partitions storage in third-party contexts automatically "to align with other browsers and provide better Web compatibility".
  • The latest Colorways are no longer available in Firefox. Active and saved Colorway themes may still be accessed via about:addons > Themes. The themes were introduced in Firefox 106 as a temporary option.
  • The recently introduced Firefox View feature includes a new option to remove recently closed websites from the Firefox View history view.
  • Firefox View empty state messages for Tab Pickup and Recently Closed have been updated.
  • Spanish and Argentinian builds of Firefox come with a built-in dictionary now for the Firefox spellchecker.
  • Firefox's native HTML date picker may be used with just the keyboard now, which improves accessibility for screen reader users and users who prefer to use the keyboard.
  • The shortcuts CTRL or CMD + trackpage or mouse-wheel scroll the page on Mac OS now instead of zooming.

Developer

  • Manifest V3 is supported. Extensions that use Manifest V3 may now be signed and released to Mozilla's Extensions Store.
  • Default Content Security Policy for Manifest V3 was updated to upgrade insecure requests by default to HTTPS. Extensions that require HTTP need to override the policy.
  • Property secretKeyLength was added to webRequest.SecurityInfo. It returns the length in bits of the secret key in the security properties of a web request.
  • Fixed two WebDriver bugs and improved functionality.
  • Scrollend API is now supported.
  • Content-visibility CSS property supports the auto value.

Enterprise changes

Mozilla lists three fixes and one policy change on the support page that lists the Firefox 109 changes for Enterprise:

  • Locking the HTTPS-Only preference did not disable the controls in the preferences.
  • Private browsing shortcuts are no longer created when the feature is disabled via policy. Does not apply to ESR.
  • New PrivatBrowsingShortcut option added to install to prevent the creation of the shortcut during installation. Does not apply to ESR.
  • The policy DisplayBookmarksToolbar has new options to show the toolbar on the New Tab page.

 

Known Issues

None listed.

Security updates / fixes

Mozilla fixed 10 security issues in Firefox 109. The maximum severity rating is high, there are no critical fixes or exploits in the wild.

Outlook

Firefox 110 Stable and Firefox 102.8 ESR will be released on February 14, 2023.

Firefox extension reviews and news

Recent Firefox news and tips

Additional information / sources

Summary
Firefox 109: Manifest V3 support, security fixes and improvements
Article Name
Firefox 109: Manifest V3 support, security fixes and improvements
Description
Firefox 109.0 Stable is the latest version of Mozilla's Firefox web browser. It includes support for Manifest V3 extensions and fixes security issues.
Author
Publisher
Ghacks Technology news
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Anonymous said on January 31, 2023 at 1:06 pm
    Reply

    Bit late to the party, but want to point out something from the 109 security fixes, since I do not agree with the “sweeping under the rug” comment about ‘The maximum severity rating is high, there are no critical fixes or exploits in the wild.’

    It includes 2 ‘arbitrary file read’ issues. While it does not in itself pwn the browser or mean RCE, being vulnerable to trivially having files pulled is not something to dismiss.
    When any site you visit, without any approval on your part, can take any file it wants (full ‘file://’ context) then you have a big leaky problem.
    So, make your own considerations about how many sensitive files may have been lifted before this got plugged. +crooks (and others) inside the perimeter using it.

    https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/

  2. yanta said on January 18, 2023 at 10:55 pm
    Reply

    Every time I start up my PC I get a flood of several hunfred entries in my event log. This is before even starting Firefox. It’s trying to connect to 34.107.221.82. Fortunately they are being blocked. I’ve disabled the default browser check task and it still tries to connect. I need to install wireshark and see what other IPs this program is trying to connect.

    I haven’t been able to figure out yet how to stop it phoning home when Windows starts. There are no Run entries, or tasks that I can find.

    1. anonymous said on January 22, 2023 at 7:32 pm
      Reply

      @yanta said:
      “Every time I start up my PC I get a flood of several hunfred entries in my event log. This is before even starting Firefox. It’s trying to connect to 34.107.221.82….

      I haven’t been able to figure out yet how to stop it phoning home when Windows starts. There are no Run entries, or tasks that I can find.”

      34.107.221.82 is the IP address for detectportal.firefox.com. This is a service Firefox uses to check if it has Internet access. You can disable this by setting the following preference in about:config to false:

      network.captive-portal-service.enabled

    2. Tom Hawack said on January 18, 2023 at 11:42 pm
      Reply

      @yanta, are you sure the “flood of several hundred entries” (all) relate to Firefox?

      Firefox doesn’t start with the device’s reboot so any connection to Firefox servers at the PC’s start may only concern Mozilla’s Maintenance Service.

      Installing the Maintenance Service is an option (checked by default) offered at Firefox install.

      You may either uninstall Firefox (that won’t remove your profile(s) then re-install it and uncheck the Maintenance Service option, OR have a look at :

      ‘How to Opt-out or Disable or Uninstall Mozilla Maintenance Service’
      [https://techdows.com/2012/10/opt-outdisableuninstall-mozilla-maintenance-service.html]

      Other than Firefox’s maintenance service (which applies as well to Thunderbird if I remember correctly) there is no connection to Firefox on one’s PC start.

      Hope that helps.

  3. Dean said on January 18, 2023 at 11:16 am
    Reply

    eventually they all will support Manifest V3…because it’s all about making money…once Google implement this. All other browsers will fallow. Firefox already preparing. lol despite what they said.

  4. Anonymous said on January 17, 2023 at 8:38 pm
    Reply

    “Mozilla reassured Firefox users that it would not follow Google’s lead on making Manifest V3 the exclusive option for extensions.”

    Just not yet:

    https://www.ghacks.net/2022/09/09/ublock-origin-minus-an-experimental-manifest-v3-compatible-extension/#comment-4549141

  5. Tom Hawack said on January 17, 2023 at 8:28 pm
    Reply

    I just discovered that Firefox 109.0 brings a new feature : ‘Redirect tracking protection’ :

    “Redirect tracking protection – Privacy, permissions, and information security | MDN”
    [https://developer.mozilla.org/en-US/docs/Web/Privacy/Redirect_tracking_protection]

    You’ll notice, in Winows’ (at least Windows 7) ifolder ProgramData\Mozilla-[ID] a long list of :
    cache2.[DATE].purge.bg_rm-cachePurge-[ID] files. All 0-bytes here.

    I’ll have to investigate for myself the pertinence of this new feature.
    Does anyone have further info than what is provided in above-mentioned Mozilla MDN article?

    1. Karl said on January 17, 2023 at 8:38 pm
      Reply

      Good evening, Tom.

      “I’ll have to investigate for myself the pertinence of this new feature.”

      Let us know what your investigation shows. I still have not updated to the latest version.

      1. Tom Hawack said on January 17, 2023 at 9:32 pm
        Reply

        Good evening Kar, (looks like we’re in similar times zones :=)

        A first quick comment about the ‘Redirect tracking protection’ is that I’ve disabled it given it relies on the ‘Tracking Protection’ feature and that this feature is disabled here (for several reasons too long to summarize here and now).

        – THIS IS NOT AN ADVICE, ONLY MY CHOICE GIVEN GLOBAL SYSTEM AND FIREFOX SETTINGS
        – NEVER CONSIDER THIS WITH A FIREFOX OUT-OF-THE-BOX AND/OR NON TWEAKED OS

        // DISABLE TRACKING PROTECTION
        lockPref(“privacy.trackingprotection.enabled”, false);
        lockPref(“privacy.trackingprotection.pbmode.enabled”, false);
        lockPref(“privacy.trackingprotection.cryptomining.enabled”, false);
        lockPref(“privacy.trackingprotection.socialtracking.enabled”, false);
        lockPref(“privacy.trackingprotection.fingerprinting.enabled”, false);
        //
        // DISABLE PASSIVE TRACKING PROTECTION
        lockPref(“privacy.trackingprotection.annotate_channels”, false); // DEFAULT=true
        lockPref(“privacy.annotate_channels.strict_list.enabled”, false); // DEFAULT=true
        lockPref(“privacy.trackingprotection.lower_network_priority”, false); // DEFAULT=false

        // DISABLE REDIRECT TRACKING PROTECTION
        // https://developer.mozilla.org/en-US/docs/Web/Privacy/Redirect_tracking_protection
        lockPref(“privacy.purge_trackers.enabled”, false);
        lockPref(“network.cache.shutdown_purge_in_background_task”, false);

        Therefor I have no use for ‘Redirect tracking protection’ as it seems.
        Good side effect (though of course not a reason) : disabling it avoids disk writings every 3 minutes or so.
        Many settings are considered dynamic here, I seldom say/think “always” or “never”, so nothing is definitive concerning ‘Redirect tracking protection’, the disabling is for the time being.

        Otherwise Firefox 109.0 didn’t break anything crucial (for me).

        A slight CSS issue regarding [#personal-bookmarks toolbarbutton.bookmark-item] which no longer centers its contained text/title … no big bargain but it does show that under-the-hood CSS modifications are often included in new versions. Firefox is so deeply (heavily?!) tweaked (UI and a mountain of CSSs), about-config prefs and more … that I perceive immediately if someone touched my Kawasaki (I mean if any developer unwillingly touched my settings, lol) when most of us using the browser as it is won’t notice tiny details. Super Tom does, as you see, lol.

        Read you later, alligator!

      2. Tom Hawack said on January 17, 2023 at 9:54 pm
        Reply

        I forgot to mention for those of us who’d be surprised by the prefs locked with ‘lockPref : the reason is that I use Firefox’s Autoconfig [https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig] rather than the better known user.js file. Obvious advantages and one con : applies to ALL Firefox profiles. I have but one, otherwise I’d have to reconsider the scheme, for instance some settings handled by Autoconfig and some others via the traditional and per-profile user.js … Autoconfig settings are viewed in about:policies, ‘Documentation’ for the list, ‘Active’ if … actve.

  6. E said on January 17, 2023 at 8:25 pm
    Reply

    Firefox 109.0 broke clearing Cache on shutdown… great. :/

    Since updating I was noticing a ton of junk files being created when closing the browser.

    (The folder with the junk files in question resides in your ProgramData folder and named “Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38”.)

    https://i.imgur.com/dP8njcH.png

    Well after doing some digging it seems to be 100% related to clearing Cache on shutdown.

    https://i.imgur.com/1MtxKxU.png

    If you had that enabled ( privacy.sanitize.sanitizeOnShutdown; set to true ) then you are probably getting those above “cache2.2023-0X-XX-XX-XX-XX5.purge” files building up…

    1. Tom Hawack said on February 7, 2023 at 4:56 pm
      Reply

      It has nothing to do with the caches but with the ‘Redirect tracking protection’ feature :
      [https://developer.mozilla.org/en-US/docs/Web/Privacy/Redirect_tracking_protection]

      // NOT ADVISED UNLESS YOU KNOW WHAT YOU’RE DOING
      // DISABLE REDIRECT TRACKING PROTECTION
      pref(“privacy.purge_trackers.enabled”, false);
      pref(“network.cache.shutdown_purge_in_background_task”, false);

      See my comment hereafter [Tom Hawack said on January 17, 2023 at 9:32 pm]

    2. Anonymous said on February 4, 2023 at 7:01 am
      Reply

      @E – Do you know if this was fixed in 109.0.1 ?

      1. Anonymous said on February 4, 2023 at 10:47 pm
        Reply

        Not on my system it is not.

      2. Anonymous said on February 5, 2023 at 2:27 pm
        Reply

        While awaiting a fix (hopefully) Can you manually delete the old .purge 0 byte prior files from the folder?

      3. Anonymous said on February 7, 2023 at 2:32 pm
        Reply

        Does anyone know how to make Askvg.com aware of this problem? That site is usually pretty good at coming up with FF solutions.

    3. Karl said on January 17, 2023 at 8:47 pm
      Reply

      What the heck. Thanks for letting us know. Yes, I have clearing of all data (checkboxes in your screenshot) checked. Hmm, seems like I may not be in a rush to updated to the latest version this time either. There seem to almost always be something that pops up after a release that is resolved in a quick fix a few days later. :/

      1. John G. said on January 17, 2023 at 10:33 pm
        Reply

        Same problem here, thanks for the solution!

      2. Anonymous said on February 5, 2023 at 2:53 pm
        Reply

        What’s the “solution”???

  7. Karl said on January 17, 2023 at 8:24 pm
    Reply

    Hello everybody. I have not updated to the latest version yet. Below is yet another change from Mozilla that I do not want or need.

    “The shortcuts CTRL or CMD + trackpage or mouse-wheel scroll the page on Mac OS now instead of zooming.”

    …does anyone know if there is a way to make the zoom function return to CMD + mouse-wheel?

    Thanks!

    1. Anonymous said on January 17, 2023 at 10:54 pm
      Reply

      Command scroll is page scroll, no longer zoom, option scroll is back and forward thru history. SMH!

    2. IngrownMink4 said on January 17, 2023 at 8:43 pm
      Reply

      If you would like to restore the previous zooming behavior, set the mousewheel.with_control.action and mousewheel.with_meta.action prefs to “3” in about:config.

      1. Karl said on January 20, 2023 at 6:50 pm
        Reply

        Just an updated now after that I have updated to the latest version, I changed both prefs to 3 and the zoom function did indeed return to cmd + scroll, just as it should be. Many thanks again for the quick tip!

      2. Karl said on January 17, 2023 at 8:53 pm
        Reply

        Hello IngrownMink4,

        Thank you very much for that info. Yes, that is what I want. I will try this out once I have updated to the latest version.

  8. Anonymous said on January 17, 2023 at 7:57 pm
    Reply

    I wonder if Firefox fanboys will stop saying the FUD how Manifestv3 is killing adblockers so ‘switch to Firefox’.
    Why would Firefox push an update that supports the ‘killer of adblockers’? that’s how their little wishful thinking of ‘we will gain marketshare because of manifestv3’ just doesn’t make sense.

    The only difference is Firefox said they will support WebRequest API “for now”, because they know developers will switch to manifestv3 and move on, they are not going to keep MV2 only for firefox.

    They reality of a browser where marketshare goes down every day, just like how web developers aim at Chromium browsers and barely think about Firefox.

  9. Dostojny Kocur said on January 17, 2023 at 7:37 pm
    Reply

    Cain I reorder the extensions in that new extensions menu somehow?

    1. Anymouse said on January 18, 2023 at 8:48 am
      Reply

      Right click pin unpin places at top, or see https://old.reddit.com/10exwv7

  10. Rockin' Jerry said on January 17, 2023 at 4:19 pm
    Reply

    Is the new unified extensions icon driving you crazy and you want the old way of adding your extension icons on the toolbar? Change or add the following:

    extensions.unifiedExtensions.enabled = False

    Add it to your user.js file:

    user_pref(“extensions.unifiedExtensions.enabled”, false);

    1. Anonymous said on January 18, 2023 at 5:17 am
      Reply

      Thank you. I wish Mozilla would stop copying Google’s dumb ideas.

    2. Anonymous said on January 17, 2023 at 11:10 pm
      Reply

      Thank you very much!

    3. Tom Hawack said on January 17, 2023 at 7:45 pm
      Reply

      I had done the same : pref(“extensions.unifiedExtensions.enabled”, false);

      The documentation about this ‘unified extensions’ button, the concept behind it brings more confusion than clarity IMO :
      [https://support.mozilla.org/en-US/kb/unified-extensions]

      I believe most users want a browser’s 1st-level fundamentals and not gadgets which complicate things.
      Everything ‘Unified extensions’ does is accessible within the fundamentals, no need to use shortcuts when shortcuts mess up a journey : like in life, the shortest path in terms of distance is not always the shortest in terms of time, not to mention that one shortcut gadget added to another fills the mind when intuitive reasoning on the basis of what is common to all browsers (and to good sense) allows a user’s automatism to take the relay.

      The very idea of updates every 4 weeks is absurd when you notice that one out of three maybe is essential and that the others get filled with useless gadgets, as if there had to be something new within 4 weeks : better to shut up than to speak nonsense : same with updates.

      I’m a Firefox user but I must say that the Brave browser and its 1 digit version number is relaxing. Of course Mozilla’s reasoning to jump to 4 weeks’ updates was to catch up with big version numbers comparable to Chrome’s. This participates to show how Firefox appears to be running after Chrome when it could, placidly, run for itself. There is IMO obviously a company’s philosophy which has been set on the wrong tracks and carries on as running after a high-speed train with a 19th century locomotive. Drive for yourself, Mozilla, experience your own identity : it’ll be for everyone’s satisfaction.

    4. Anonymous said on January 17, 2023 at 6:52 pm
      Reply

      Thanks, it WAS driving me crazy. :thumbsup:

    5. John G. said on January 17, 2023 at 6:32 pm
      Reply

      Thanks, I don’t know why Firefox has this icon placed in such this way, it can’t be moved.

  11. VivaldiIsTheOnlyOne said on January 17, 2023 at 3:33 pm
    Reply

    Firefox is dying. They have lost over 50 mln users January 7th 2019-January 9th 2023. https://data.firefox.com/dashboard/user-activity

    1. Tony said on January 17, 2023 at 5:14 pm
      Reply

      “Vivaldi is The Only One”….

      Says the ant to the mountain.

      If you’re relying on Firefox data, it could be that privacy-oriented users that use Firefox are savvy enough to stop Mozilla’s own tracking.

      1. Anonymous said on January 17, 2023 at 7:51 pm
        Reply

        @Tony

        Sure Tony… there are 50 million “privacy-oriented users” (whatever that means lol) who disabled telemetry.
        Literally Firefox users barely know anything about internet but sure, 50 million users in 3 years decided little by little supposedly do something about it.

        Just accept people are dropping Firefox, even Edge in few years surpassed it.

        @VivaldiIsTheOnlyOne

        Tony is right about Vivaldi, if you complain about Firefox dying, then what about Vivaldi? Firefox at least gets almost half a billion dollars from Google, but Vivaldi?
        They have no vision, they have no developers, they have just the slowest chromium browser available, yeah, it has some customization, but everything is slow, some features don’t even work together, they glitch vivaldi to the point it crashes or you have to restart browser.

        But Vivaldi has 2 million users or something, and people can’t even turn off the ‘pinging’ to Vivaldi servers, that means, Vivaldi doesn’t care about users and their privacy.

        Plus Vivaldi doesn’t do anything to stop Google from tracking when you update extensions and you download components and all.

        I mean, their adblocker is bad, same developer working on it, works on sync so he pretty much said he couldn’t improve adblocker because he was working on sync first, then they said it will work even with MV3 but then they contradict themselves saying it might break a little, not like an extension but it will break and they will have to fix it.
        Building an adblocker takes time, so imagine, if in 3 or something years, they haven’t done anything but give you a basic adblocker where the most advanced thing is rewrite feature, then I don’t know… Especially when MV3 is around the corner, that means MV3 extensions will be 100% better than Vivaldi native adblocker.
        Vivaldi adblocker is mediocre because any extension works faster than the ‘native’ one. You can test it by using uBlock, you will see uBlock doing the work, but Vivaldi’s also is doing some work which will mess with uBlock features like redirect/redirect-rule.

        So… no, Vivaldi is just terrible, not even open source, slow, the Blink engine runs in an iframe inside Vivaldis idea of an UI where the UI is just made with HTML technologies = slow and high memory.
        A bunch of Google services on by default, Bing as default search engine, partners list (that includes Bing) on by default.
        Working on useless features like Mail in the browser and rss and a mastodon instance which is just an echo chamber of nothing since Vivaldi will remove your whatever you say if they don’t like it, which pretty much means 90% of anything you might say.

        So maybe Firefox fanboys and Vivaldi’s fanboys should just stay in the corner quiet and use it but don’t pretend one is better than the other.

      2. Tony said on January 17, 2023 at 11:04 pm
        Reply

        “Sure Tony… there are 50 million “privacy-oriented users” (whatever that means lol) who disabled telemetry.
        Literally Firefox users barely know anything about internet ”

        So you admit you don’t understand what a privacy-oriented user is and then proceed to attack the technical incompetence of Firefox users. You’ve invalidated any seriousness in the rest of your post.

      3. VivaldiIsTheOnlyOne said on January 17, 2023 at 9:18 pm
        Reply

        I didn’t mention Vivaldi in any of my comments but here you are with a triggered rant.

        I don’t care about open source, I don’t care about privacy provided by the browser or phoning home – all of that can be cut off at the level of dns and firewall. Firefox makes ridiculous DNS requests like there’s no tomorrow even with telemetry set to off.

        Who cares about their adblocker when there’s ublock.

        If you have bought a slow PC or a mac than it might be slow. On a 6c/12t 32gb machine it’s fast as hell.

      4. VivaldiIsTheOnlyOne said on January 17, 2023 at 5:16 pm
        Reply
      5. Tony said on January 17, 2023 at 11:00 pm
        Reply

        While I agree that they don’t respect disabling telemetry, that article is not relevant any longer. There are ways, inside and outside of Firefox, to prevent their snooping.

      6. Johnno said on January 17, 2023 at 11:07 pm
        Reply

        Yeah I agree, the easiest way for most people I think is to simply use the arkenfox user.js file.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.