Mozilla has released the so-anticipated version 60 of the popular cross-platform web browser Firefox. Our passionate developers at Browserling already installed it on our machines so that you don't have to wait for it to try it and test your web apps on it.

Firefox 60

Screenshot not enough? Try it yourself here:

What's new in Firefox 60?

  • Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file.
  • Enhancements to New Tab / Firefox Home, in particular, responsive layout that shows more content for users with wide-screen displays, highlights section includes web sites saved to Pocket, more options to reorder sections and content on the page, pocket Sponsored Stories will appear for a percentage of users in the US. Read about our privacy-conscious approach to sponsored content.
  • Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies.
  • Applied Quantum CSS to render browser UI.
  • Added support for Web Authentication API, which allows USB tokens for website authentication.
  • Enhanced camera privacy indicators.
  • Added an option for Linux users to show or hide page titles in a bar at the top of the browser.
  • Improved WebRTC audio performance and playback for Linux users.
  • On-by-default support for draft-23 of the TLS 1.3 specification.
  • Locale added: Occitan (oc).
  • Changed the Windows shortcut for entering Reader View to F9, for better compatibility with keyboard layouts that use AltGr.
  • Bookmarks no longer support multiple keywords for the same URL unless the request has different POST data.
  • TLS certificates issued by Symantec before June 1st, 2016 are no longer trusted by Firefox.
  • Updated the Skia graphics library to milestone 66.

Changes for web developers in Firefox 60

Developer tools

  • In the CSS Pane rules view, the keyboard shortcuts for precise value increments have changed from Alt + Up/Down to Ctrl + Up/Down on Linux and Windows, to avoid clashes with default OS-level shortcuts.
  • Also in the CSS Pane rules view, CSS variable names will now auto-complete.
  • In Responsive Design Mode, a Reload when... dropdown has been added to allow users to enable/disable automatic page reloads when touch simulation is toggled, or simulated user agent is changed.
  • The view_source.tab preference has been removed so you can no longer toggle View Source mode between appearing in a new tab or new window. Page sources will always appear in new tabs from now on.

HTML

  • Pressing the Enter key in designMode and contenteditable now inserts <div> elements when the caret is in an inline element or text node which is a child of a block level editing host — instead of inserting <br> elements like it used to.

CSS

  • The align-content, align-items, align-self, justify-content, and place-content property values have been updated as per the latest CSS Box Alignment Module Level 3.
  • The paint-order property has been implemented.

JavaScript

  • ECMAScript 2015 modules have been enabled by default.
  • The Array.prototype.values() method has been added again.

New APIs

  • The Web Authentication API has been enabled.

DOM

  • In the Web Authentication API, the MakePublicKeyCredentialOptions dictionary object has been renamed PublicKeyCredentialCreationOptions.
  • The dom.workers.enabled pref has been removed, meaning workers can no longer be disabled.
  • The body property is now implemented on the Document interface, rather than the HTMLDocument interface.
  • PerformanceResourceTiming is now available in workers.
  • The PerformanceObserver.takeRecords() method has been implemented.
  • The KeyboardEvent.keyCode attribute of punctuation key becomes non-zero even if the active keyboard layout doesn't produce ASCII characters.
  • The Animation.updatePlaybackRate() method has been implemented.
  • New rules have been included for determining keyCode values of punctuation keys.
  • The Gecko-only options object storage option of the IDBFactory.open() method has been deprecated.
  • Promises can now be used within IndexedDB code.

Media and WebRTC

  • When recording or sharing media obtained using getUserMedia(), muting the camera by setting the corresponding track's MediaStreamTrack.enabled property to false now turns off the camera's "in use" indicator light, to help the user more easily see that the camera is not in use.
  • Removing a track from an RTCPeerConnection using removeTrack() no longer removes the track's RTCRtpSender from the peer connection's list of senders as reported by getSenders().
  • The RTCRtpContributingSource and RTCRtpSynchronizationSource objects' timestamps were previously being reported based on values returned by Date.getTime().
  • As per spec, the ConvolverNode() constructor now throws a NotSupportedError if the referenced AudioBuffer does not have 1, 2, or 4 channels.
  • The obsolete RTCPeerConnection event handler RTCPeerConnection.onremovestream has been removed.
  • The primary name for RTCDataChannel is now in fact RTCDataChannel, instead of being an alias for DataChannel.

Canvas and WebGL

  • If the privacy.resistFingerprinting preference is set to true, the WEBGL_debug_renderer_info WebGL extension will be disabled from now on.

Security

  • The X-Content-Type-Options header, when set to no-sniff, now follows the specification for JavaScript MIME types.

Other

  • Fetches that include credentials can now share connections with fetches that don't include credentials. For example, if the same origin requests some web fonts as well as some credentialed user data from the same CDN, both could share a connection, potentially leading to a quicker turnaround.

Removals from the web platformSection

CSS

  • The proprietary -moz-user-input property's enabled and disabled values are no longer available.
  • The proprietary -moz-border-top-colors, -moz-border-right-colors, -moz-border-bottom-colors, and -moz-border-left-colors properties have been removed from the platform completely.

JavaScript

  • The non-standard expression closure syntax has been removed.

Changes for add-on and Mozilla developers

Theme API

  • headerURL is now optional
  • When creating a browser theme, any text-shadow applied to the header text is removed if no headerURL is specified.
  • New properties are supported: tab_line, tab_selected, popup, popup_border, popup_text, tab_loading, icons, icons_attention, frame_inactive, button_background_active, button_background_hover.

Fixes in Firefox 60

  • CVE-2018-5154: Use-after-free with SVG animations and clip paths.
  • CVE-2018-5155: Use-after-free with SVG animations and text paths.
  • CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files.
  • CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer.
  • CVE-2018-5159: Integer overflow and out-of-bounds write in Skia.
  • CVE-2018-5160: Uninitialized memory use by WebRTC encoder.
  • CVE-2018-5152: WebExtensions information leak through webRequest API.
  • CVE-2018-5153: Out-of-bounds read in mixed content websocket messages.
  • CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache.
  • CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace.
  • CVE-2018-5166: WebExtension host permission bypass through filterReponseData.
  • CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger.
  • CVE-2018-5168: Lightweight themes can be installed without user interaction.
  • CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages.
  • CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF viewer.
  • CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters.
  • CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update.
  • CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies.
  • CVE-2018-5176: JSON Viewer script injection.
  • CVE-2018-5177: Buffer overflow in XSLT during number formatting.
  • CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox.
  • CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced.
  • CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink.
  • CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar.
  • CVE-2018-5151: Memory safety bugs fixed in Firefox 60.
  • CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8.

Unresolved issues in Firefox 60

  • After disabling Sponsored Stories from the New Tab page settings, the next opened tab may still show a sponsored tile.
  • WebVR does not work on macOS with Vive headsets.

Have a great time cross-browser testing in Firefox 60 and Browserling!