

Firefox 39.0 released - tlo
https://www.mozilla.org/en-US/firefox/39.0/releasenotes/

======
mrspeaker
I love that the Fetch API is happening (has happened!):
[https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API)

    
    
        fetch(url).then(response => response.json()).then(data => ...)
    

Not earth-shattering, but much more fun than XHR!
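
As an added illustration of the API being praised above (this is not code from the release notes or from the comment), here is a small `fetch()` wrapper that makes the two behaviours people most often get wrong explicit: `fetch()` only rejects on network failure, so an HTTP 4xx/5xx resolves normally and has to be caught through `response.ok`, and a 200 that carries a login or error page instead of JSON should be refused before it reaches `JSON.parse`. The `fetchImpl` parameter, the `makeStubFetch` helper and the `https://api.example/...` URLs are assumptions made for this example so that it runs offline against a constructed stub; in a browser you would pass `window.fetch`.

```javascript
// Added example (not from the release notes or from the comment above): a
// fetch() wrapper that makes the two things people trip over explicit.
// fetch() only rejects on network failure; an HTTP 4xx/5xx resolves and has
// to be checked via response.ok, and the body is parsed lazily. `fetchImpl`
// is an injected fetch-compatible function (an assumption for this example)
// so it runs offline against the constructed stub below.

async function fetchJson(url, { fetchImpl, credentials = 'omit' } = {}) {
  const response = await fetchImpl(url, {
    credentials,                                   // no cookies unless the caller asks
    headers: { Accept: 'application/json' },
  });
  if (!response.ok) {
    // 404, 500 etc. resolve normally; turn them into a rejection here
    throw new Error(`HTTP ${response.status} from ${url}`);
  }
  const type = response.headers.get('content-type') || '';
  if (!type.toLowerCase().startsWith('application/json')) {
    // a login page or error page served with 200 must not reach JSON.parse
    throw new Error(`unexpected content-type "${type}" from ${url}`);
  }
  return response.json();
}

// Constructed stand-in for a server: a fetch-compatible function that returns
// minimal Response-like objects, so no network is needed to run this.
function makeStubFetch(routes) {
  return async (url) => {
    const route = routes[url];
    if (!route) throw new TypeError(`NetworkError: ${url}`);  // e.g. DNS failure
    return {
      ok: route.status >= 200 && route.status < 300,
      status: route.status,
      headers: { get: (name) => route.headers[name.toLowerCase()] ?? null },
      json: async () => JSON.parse(route.body),
      text: async () => route.body,
    };
  };
}

// Constructed routes; the host api.example does not exist.
const stubFetch = makeStubFetch({
  'https://api.example/ok':   { status: 200, headers: { 'content-type': 'application/json' }, body: '{"release":"39.0"}' },
  'https://api.example/gone': { status: 404, headers: { 'content-type': 'text/html' }, body: '<h1>Not found</h1>' },
  'https://api.example/html': { status: 200, headers: { 'content-type': 'text/html' }, body: '<h1>Login</h1>' },
});

// Exercises the four outcomes (good JSON, HTTP error, wrong body, network
// failure) and returns them in one object.
async function demo() {
  const out = { ok: await fetchJson('https://api.example/ok', { fetchImpl: stubFetch }) };
  for (const name of ['gone', 'html', 'nxdomain']) {
    try {
      await fetchJson(`https://api.example/${name}`, { fetchImpl: stubFetch });
      out[name] = 'resolved';
    } catch (err) {
      out[name] = err.message;
    }
  }
  return out;
}

demo().then((result) => console.log(result));
```

Only the `nxdomain` case goes down the `catch` path of a bare `fetch(url).then(...)`; the other two failures are resolved promises and are only errors because the wrapper checks for them.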

~~~
knodi123
Guess nobody told them,

[https://bachelorburnbook.files.wordpress.com/2013/07/image.p...](https://bachelorburnbook.files.wordpress.com/2013/07/image.png)

~~~
khuey
We've been making that joke internally at Mozilla for at least a year.

------
cesarb
> Disable use of RC4 except for temporarily whitelisted hosts

This is the one which has the greatest chance of giving people a headache. For
instance, one of the biggest banks here still uses only RC4 for its online
banking site. Its top-level hostname and a few of its auxiliary hostnames are
on the whitelist, but there's no guarantee that all the RC4-only auxiliary
hostnames it might use for some of its functionality are on the whitelist.

~~~
Sir_Cmpwn
Good. Breaking their websites is the only way some people will fix their
broken security.

~~~
owly
YES. Force them to upgrade their weak sites!

~~~
jbrooksuk
Which unfortunately costs time and money. Whilst yes, they should be up to
date and secure, banks are pretty big businesses and require more time.

One day they'll catch up.

~~~
edwintorok
After the CVE score for BEAST and RC4 got adjusted and RFC 7465 was
introduced I've seen some payment systems update their system quite quickly
(in a matter of days), and if they didn't they'd probably fail their next PCI
audit:
[https://news.ycombinator.com/item?id=9198889](https://news.ycombinator.com/item?id=9198889)

Perhaps it helps if you write your payment site operator/bank _private_ emails
asking them to allow other ciphers beside RC4, mine looked like this (actual
site name removed):

    
    
      According to Qualys SSL Labs the site **** [2] only supports the RC4 cipher, 
      and thus is not RFC 7465 compliant [3], and Google Chrome qualifies the site as 
      "Your connection to **** is encrypted with obsolete cryptography."
    
      The site **** is even worse [4], it uses only 768-bit DH key exchange in some 
      situations (instead of 2048).
    
      There is an online tool [5] that you can use to generate/compare 
      configuration for popular web-servers, using the intermediate level is 
      recommended [6].
    
      For your information I sent a similar email last year to **** and they have 
      fixed their problems, and get a nice 'A' grade from SSLLabs now.
    
      Apparently this use of RC4 all comes down due to a mistake in NIST's 
      classification of the severity of the BEAST vulnerability [7], but both Google 
      Chrome[7] and Mozilla Firefox[8] are trying to avoid the use of RC4 completely, 
      and mitigating the BEAST vulnerability is no excuse for not providing good 
      ciphers (in addition to RC4 if you must) when my browser supports TLS 1.2 with 
      AES-GCM which is NOT vulnerable to the BEAST attack.
    
      I suggest you to include the Qualys SSL Labs test when testing sites for 
      PCI-DSS compliance, they are usually quite good at reporting the latest TLS 
      vulnerabilities for a server.
    
      [1] http://www.visaeurope.com/media/images/pci%20dss%20validated%20web%20listing%20march%202015-73-18412.pdf
      [2] https://www.ssllabs.com/ssltest/analyze.html?d=****
     This server accepts the RC4 cipher, which is weak. Grade capped to B.
     Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
      [3] https://tools.ietf.org/html/rfc7465
      [4] https://www.ssllabs.com/ssltest/analyze.html?d=****
     This server supports insecure Diffie-Hellman (DH) key exchange parameters. Grade set to F.
     Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
     The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
     This server accepts the RC4 cipher, which is weak. Grade capped to B.
      [5] https://mozilla.github.io/server-side-tls/ssl-config-generator/
      [6] https://wiki.mozilla.org/Security/Server_Side_TLS
      [7] https://code.google.com/p/chromium/issues/detail?id=375342#c30
      [8] https://bugzilla.mozilla.org/show_bug.cgi?id=1088915
      [9] https://www.ssllabs.com/ssltest/analyze.html?d=****

~~~
yuhong
Sadly the 768-bit DHE is hardcoded into older versions of Java, which is why I
suggested to them that they raise the limit to that instead of 1024-bit for
now.

------
bbx
Surprised by the inclusion of "CSS Scroll Snap Points":
[https://developer.mozilla.org/en-US/docs/Web/CSS/scroll-snap-points-y](https://developer.mozilla.org/en-US/docs/Web/CSS/scroll-snap-points-y)

It basically allows to do _scroll hijacking_ [1] without any JavaScript, just
like this: [http://blog.gospodarets.com/demos/scroll-snap-full-screen/](http://blog.gospodarets.com/demos/scroll-snap-full-screen/)

[1]: [http://trentwalton.com/2013/10/23/scroll-hijacking/](http://trentwalton.com/2013/10/23/scroll-hijacking/)

~~~
jug
I'm torn.. I dislike scroll hijacking and in a sense don't want support for
this practice, _but_ at the same time I assume this will never go away and
then this seems less hacky and easier to make it work without ruining use on
various input devices and settings.

For example, I tried the demo and saw how the pages jumped to the nearest page
if I middle click and pulled down to go half way. Corner cases or anything
more complicated than simple wheel flips often don't seem to work if you hack
your own solution. Now the browser seems to have a much better idea of what's
going on. So.. That's nice. We'll get hijacks but at least they seem to be
much more robust? But at the same time I hope this won't make more designers
hijack scrolling or go overboard with this. :\

------
edwintorok
If all your passwords are gone/not working in the password manager after the
upgrade see this bug:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1146731](https://bugzilla.mozilla.org/show_bug.cgi?id=1146731)

------
ponyous
How much does Project Silk improve scrolling performance? Can you "feel" it?

Scrolling/motion performance is the only thing that is keeping me away from FF
at the moment - Even dev tools are getting amazingly good.

~~~
s_kilk
For what it's worth, I've just updated on OS X and scrolling feels just as
janky as ever.

~~~
tachion
Same here. But I'll keep using Firefox because I can't stand what Chrome is
doing with my cpu/memory/privacy and I want to keep Safari (the less 'usable'
browser) for work related stuff and Firefox for personal ones, on another
desktop space.

~~~
JupiterMoon
Two firefox profiles? One for work and one for personal?

Type "man firefox" into your terminal and you will see the relevant options
and can set up aliases and shortcuts appropriate for your separated browsing
needs.

~~~
cpeterso
There are some Firefox add-ons that let you run multiple profiles in separate
windows.

~~~
JupiterMoon
Firefox does this out of the box without any addons.

------
lobster_johnson
To those using FF, is there a way to get an "omnibar" similar to Safari?

For example, Safari usually suggests Wikipedia articles or other useful
autocompletions. FF only autocompletes from domain names, bookmarks and
history, it seems. It does have a separate search input in the toolbar, but
even that one doesn't do what Safari does; all the suggested autocompletes are
from Google, and additional search engines like Wikipedia or Amazon require
that you click on their icon to search.

There's an extension called Omnibar, but it doesn't seem to provide
suggestions from other than Google, bookmarks and history.

~~~
amluto
Firefox's URL bar is literally my favorite Firefox feature. It's quick, it
searches my local history much better than Chrome, and it doesn't leak
anything to the world.

If I want to search the Internet, I type in the search box.

------
XaspR8d
The preconnect relationship is intriguing; I hadn't been following the
adoption of resource hints.

Sidenote: I find it really interesting that the current spec suggests
preconnect and its siblings accept a probability attribute estimating how
likely connecting to different resources is.[1] Something funny to me about
making the directed-graph/state-machine nature of the internet finally show
through the markup.

[1] [http://www.w3.org/TR/resource-hints/#hint-probability](http://www.w3.org/TR/resource-hints/#hint-probability)

------
chippy
"Drag and drop enabled for nodes in Inspector markup view "

This is going to make me never use Chrome dev tools again. Nice

~~~
jammaloo
I can't think of a situation that would make me want to move nodes around from
place to place. Where would that be useful?

~~~
st3fan
"Lets see how this document looks when I move this content over there"

------
azinman2
Yey for progress, but one of the most annoying things for me with FF is that
if I cmd-t for a new tab, I can't start typing right away for a new search and
have that get preserved. There's always some lag and only then do my keys get
transcribed. Safari and chrome don't have this problem, and it drives me
insane.

~~~
abrowne
That would annoy me too, but I've never noticed it. My main laptop is a Core 2
Duo, so not a speed demon. Have you tried with extensions disabled and/or with
a new profile?

~~~
azinman2
Believe so. But either way, if it's extensions, well, that sucks because I
only have like 2-3 and I want them. Extensions shouldn't be written in a way
that does that -- Chrome and Safari don't have this problem and I have about
12 Chrome extensions.

------
JonnieCache
If you're wondering what "unicode 8 skin-tone emoji" is about, here you go:
[http://unicode.org/reports/tr51/#Diversity](http://unicode.org/reports/tr51/#Diversity)

Hmmmm, I'm on ff 40.0a2 and they don't render for me:
[http://emojipedia.org/man-with-dark-brown-skin-tone/](http://emojipedia.org/man-with-dark-brown-skin-tone/)

~~~
nabla9
This is bullshit.

~~~
TazeTSchnitzel
How so? If you're white, perhaps you see no problem with making everyone's
skin white.

But the billions of people who _aren't_ white might have a problem with it.

~~~
chimeracoder
> How so? If you're white, perhaps you see no problem with making everyone's
> skin white.

> But the billions of people who aren't white might have a problem with it.

I'm not white, and I have a problem with "skin tone" emoji.

Previously, skin tones for emoji were left up to the font creator. In
practice, this meant that they were usually lime green, neon blue, or Simpsons
yellow, all of which are cartoonish enough not to be evocative of any
particular real-life skintone.

I can't really imagine a situation in which drawing attention to the race of
an emoji character is desirable or even acceptable. I'm sure some exist, but
they're nowhere near important enough to be included in the actual standard
itself.

Beyond that, the skin tones used are incredibly reductive. Human skin tones
are not as simple as 6 different shades of brown. (I, for one, cannot match my
skin tone to any of the examples on the Unicode website). And if we want to
get philosophical, there are a number of ways in which race and culture are
encoded (literally) into emoji that are far more subtle, yet more significant,
than the color used to render the skin of the faces. In a way, it reminds me
of the picture-interpretation tests that they used to administer at Ellis
Island to "prove" that certain immigrants were not "fit" for life in the US,
though that's perhaps a topic for another day.

~~~
TazeTSchnitzel
> Beyond that, the skin tones used are incredibly reductive. Human skin tones
> are not as simple as 6 different shades of brown.

Yes, they are a bit more complicated. But 6 choices that correspond to a
widely-used system (Fitzpatrick) is far better than none.

~~~
chimeracoder
> correspond to a widely-used system (Fitzpatrick)

The fact that a system is widely used when classifying the impact of UV light
on melanoma does not imply that it has relevance in another.

> 6 choices is far better than none.

Actually, no, sometimes the "solution" is worse than the problem. It's quite
regressive to bake an outdated conception of the color theory of race into a
standard that aims to "educate and engage academic and scientific communities,
and the general public" (the stated mission of the Unicode Consortium).

As one of the "billions of people who _aren't_ white" that you refer to in
your original comment, I find this approach more problematic than the existing
status quo (leaving it up to the font creators).

~~~
TazeTSchnitzel
> The fact that a system is widely used when classifying the impact of UV
> light on melanoma does not imply that it has relevance in another.

You may have a point there. But it is a classification of skin colour as well.

> It's quite regressive to bake an outdated conception of the color theory of
> race into a standard

Color theory of race? This isn't the Von Luschan chromatic scale, that was
used to enforce racial segregation. It's a simple colour selector based on
level of melanin.

It's not perfect, sure, but I think it's surely better to allow a choice of
skin shades than to make everyone white (the de facto result otherwise). You
might object that implementers could make everyone black, say, and that's also
true. But either way, you're enforcing a "default" skin colour, and there is
no such thing. Different human populations have different skin colours.

------
kozukumi
And yet there are still issues on my Sandy Bridge system with display
corruption even with the latest Intel drivers.

Also has anyone else noticed that Firefox is no longer keeping the page state
when navigating back? For example on Reddit go to the comments section,
minimize a few comments then navigate to a link then go back and none of the
minimized comments remain minimized, in Firefox prior to 38 things worked
correctly.

~~~
ErikDub
Yes, I have noticed the exact same thing on Reddit lately. My guess is it's
because they started sending "Cache-Control: no-cache", which prevents Firefox
from caching the page for the back button.

~~~
paralelogram
[https://bugzilla.mozilla.org/show_bug.cgi?id=567365](https://bugzilla.mozilla.org/show_bug.cgi?id=567365)

------
forscha
Probably unfair of me, but when browsers have a new .0 release, my brain
automatically thinks "Oh good, new security bugs."

~~~
notatoad
Firefox is on a 6-week release schedule, and has been for a while. They
increment by a whole number each time, but for both Chrome and FF they
shouldn't really be thought of as .0 releases. It's a fairly minor,
incremental change.

------
ikeboy
So, they finally fixed Logjam, 1 month and a half after publication.

Chrome _still_ hasn't fixed it. Color me unimpressed.

~~~
conradk
Since Chromium is open source, you can contribute to the project. I'm sure if
you send a quality patch to the Chromium dev team to fix Logjam, they'd be
willing to review it.

Did you try to contribute to Chromium and Firefox to speed up fixing the
Logjam issue?

~~~
ikeboy
>Did you try to contribute to Chromium and Firefox to speed up fixing the
Logjam issue?

No. The issue isn't that it's (so) hard to fix; the fix in 39 has been out for
a while, they just didn't want to release it for the stable release, which
means few people got it. (In fact, some distros apparently fixed their
versions earlier [1]).

On Firefox, you could manually fix it in 2 minutes [2]

I'm not familiar with the codebases, so it would take me longer to make a
patch, but it really should not take 2 months to release to stable a fix that
affected 8.4% [3] of popular websites, especially for a company like Google.

The tinfoil hat in me says certain things about this, considering that logjam
was likely known by the NSA, but then again I can't prove anything.

I'm a bit surprised there hasn't been more talk about this, actually. A major
security hole going unfixed for months after public disclosure should have had
more chatter.

[1] [https://news.ycombinator.com/item?id=9702061](https://news.ycombinator.com/item?id=9702061)

[2] [http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html](http://techdows.com/2015/05/how-to-make-firefox-browser-safe-against-logjam-attack.html)

[3] [https://weakdh.org/](https://weakdh.org/)
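
The Logjam fix discussed in this subthread, and the 768-bit Java limit mentioned earlier by yuhong, both come down to one client-side check: the size of the Diffie-Hellman group the server sends in its ServerKeyExchange. The signature on that message does not cover the negotiated cipher suite, so a client cannot tell from the signature alone that a man-in-the-middle talked the server into an export-grade group; the only defence on the client side is to refuse groups below a size floor. As an added example (not Mozilla code, not from the thread, and not the fix linked above), here is a parser for the DHE ServerKeyExchange and a policy check with `minBits` as the knob the thread argues about (1024, or 768 for clients stuck behind old Java). The parameters are constructed byte patterns of the right size, not real DH groups, and the code checks sizes and ranges only, not primality.

```javascript
// Added example, not Mozilla code: parse the DHE ServerKeyExchange handshake
// message (RFC 5246 section 7.4.3) and judge the group the server chose.
// Input is the handshake message itself, i.e. the bytes after the 5-byte
// TLS record header.
function parseServerDhParams(msg) {
  let off = 0;
  if (msg[off++] !== 0x0c) throw new Error('not a ServerKeyExchange (type 0x0c)');
  const hsLen = msg.readUIntBE(off, 3); off += 3;
  if (off + hsLen > msg.length) throw new Error('truncated ServerKeyExchange');
  // ServerDHParams = dh_p<1..2^16-1> dh_g<1..2^16-1> dh_Ys<1..2^16-1>
  const vec16 = () => {
    const len = msg.readUInt16BE(off); off += 2;
    if (len === 0 || off + len > msg.length) throw new Error('bad opaque<1..2^16-1> length');
    const v = msg.subarray(off, off + len); off += len;
    return BigInt('0x' + v.toString('hex'));
  };
  const p = vec16(), g = vec16(), ys = vec16();
  return { p, g, ys };   // the signature that follows is not needed for this check
}

function bitLength(n) { return n === 0n ? 0 : n.toString(2).length; }

// Policy: reject groups below minBits, reject obviously bad p/g/Ys values,
// and flag anything under 2048 bits as weak even when accepted.
function assessDh({ p, g, ys }, minBits = 1024) {
  const bits = bitLength(p);
  const problems = [];
  if (bits < minBits) problems.push(`dh_p is ${bits} bits, below the ${minBits}-bit minimum`);
  if ((p & 1n) === 0n) problems.push('dh_p is even, so it cannot be prime');
  if (g < 2n || g > p - 2n) problems.push('dh_g out of range');
  if (ys < 2n || ys > p - 2n) problems.push('dh_Ys out of range (trivial public value)');
  return { bits, weak: bits < 2048, accept: problems.length === 0, problems };
}

// Helper to construct a ServerKeyExchange for the demo (signature omitted;
// a real message carries one after dh_Ys, which the parser ignores).
function buildServerKeyExchange(pBytes, gBytes, ysBytes) {
  const vec = (b) => Buffer.concat([Buffer.from([b.length >> 8, b.length & 0xff]), b]);
  const body = Buffer.concat([vec(pBytes), vec(gBytes), vec(ysBytes)]);
  return Buffer.concat([Buffer.from([0x0c, 0, body.length >> 8, body.length & 0xff]), body]);
}

// Constructed parameters: right sizes, odd, but not real groups.
const P_768 = Buffer.alloc(96, 0xff);                                     // 768-bit
const P_2048 = Buffer.alloc(256, 0xff);                                   // 2048-bit
const G = Buffer.from([2]);
const YS = Buffer.concat([Buffer.from([0x7f]), Buffer.alloc(95, 0x13)]);  // 768-bit, < p - 2

function auditServerKeyExchange(msg, minBits) {
  return assessDh(parseServerDhParams(msg), minBits);
}

console.log(auditServerKeyExchange(buildServerKeyExchange(P_768, G, YS)));        // rejected at 1024
console.log(auditServerKeyExchange(buildServerKeyExchange(P_768, G, YS), 768));   // accepted, flagged weak
console.log(auditServerKeyExchange(buildServerKeyExchange(P_2048, G, YS)));       // accepted
```

Lowering `minBits` to 768 is exactly the trade-off yuhong describes: it keeps old Java clients working and it keeps accepting groups the Logjam paper considers within reach of well-funded attackers, which is why the `weak` flag stays set independently of `accept`.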

