Note that this is a new feature for Firefox's PDF reader, but not a new feature of PDFs in general.
Adobe had to update reader back in like... 2008?... to prompt before loading external resources. Because companies were embedding Google Analytics into PDFs.
> Because companies were embedding Google Analytics into PDFs.
Wow! This is daft. Thank the FLOSS gods for things like Pi-Hole because I never realised this. And if I hadn't blocked Google Analytics there, this would have been a sad state of affairs.
I have an idea. Why not allow embedding a full browser engine inside of a PDF, complete with tabs and extensions? I hate having to leave Adobe Acrobat in order to read my Gmail, so I think this feature could be really useful. Anyone who builds a PDF can include their own custom browser that their users will love.
Well if you can run interactive javascript then you're mostly there, PDF is pretty much Turing complete so you can just crosscompile a browser into it using javascript to take care of the interactive parts, though you might need to rewrite the rendering logic.
JS embedding isn't unique to Firefox. This is Firefox catching up with an old feature from Adobe Acrobat. PDFs with embedded JS have been Turing complete for years, in readers that run the JS. Just like PDFs with embedded Flash content.
The PDF layout language isn't Turing complete on its own.
Back when I started playing D&D again, some friends stumbled across a PDF of "MPMB's character sheet" or something.
Basically, it was a PDF full of scripting and options and such, that let you:
* Choose which content you wanted to use (i.e. content from which sources)
* Choose which rules you wanted to use (in case you wanted to use optional rules)
* Choose your class, race, and background, and handle them appropriately
* Level up your character, prompting you to choose spells, feats, abilities, etc. from every option available to you based on your current character options
* Manage your inventory
* Import and export your character data
* Import and export source data
It was pretty insane. Granted, it was also insanely slow (presumably due to limitations of what data you can store in a PDF and how), but for a bunch of tech-savvy newbies to 5th edition D&D, it was vastly better than the other options and helped us discover a lot of character features that we'd missed when overwhelmed at first.
I still wish they'd put it into literally anything more performant, like an electron app or something. Yes, it was that bad.
One thing to be aware of is that just the super-basic stuff is included in a free account. For example a 3rd level Rogue can choose a specialty subclass, and only Thief is available for free, other subclasses like Arcane Trickster you have to pay a couple bucks for.
This issue makes it seem that Components.utils.Sandbox is used when included in firefox, which would be the browser's own JS engine (but confined to a sandbox), and quickjs in other settings (say a website). https://github.com/mozilla/pdf.js/issues/12487
But I can't find Components.utils.Sandbox being referenced in the code on github. So maybe they decided to use quickjs for all use cases? The issue with quickjs is that it's written in C which is an unsafe language. wasm has bad binary security [0] so exploits are easier to create given some memory safety violation. The environment that calls the wasm is extremely privileged compared to random websites, so if a wasm exploit could convince the environment to do something, it would be major trouble.
You can create a Policy File on Linux named "/etc/firefox/policies/policies.json" to disable pdf throughout the system, here is a snippet for just pdf:
NY state tax forms have all sorts of verifications and automatic calculations that I assume are implemented using PDF JS. Previously you had to use Adobe Reader, hopefully this means I can use Firefox now.
pdf documents are usually not created by web developers but by other people and then uploaded to the website. all it takes is a way to have someone's computer infect a pdf with malicious js code, which, (if such an infection is possible) is way more likely to slip through than an attacker embedding malicious js into the website itself.
It's horrible for security but it can be really useful. This guy made an entire Dungeons & Dragons character sheet generator embedded into a PDF and I probably wouldn't have ever played D&D without it: https://www.flapkan.com/
I looked at the source code briefly and it's on the order of 10K lines of Javascript.
> The amount of complexity that one can put into a PDF is both surprising and a tad frightening.
off-topic, but fwiw: the pocorgtfo16.pdf[1] is a polyglot that is valid PDF, a ZIP archive, and a Bash script that runs a Python webserver which hosts Kaitai Struct’s WebIDE, which allows you to view the file’s own annotated bytes.
I thought they always required JS to be enabled. I have JS disabled by default in uBlock Origin, and the inbuilt Firefox PDF viewer doesn't work unless I whitelist and enable JS temporarily for the page. Only then can I read my PDF.
Right, so the question becomes: "What controls are in place?"
Does the JS run in a true sandbox? Inside, outside, or beside the usual browser sandbox? Are network requests allowed? Filesystem access? Are granular permissions required/available?
I want to block JS in PDFs, by default, like I do in web pages.
I'd also be happy to hear that the JS runtime in PDFs is run in a tight document sandbox, operates only on a highly constrained DOM-equivalent, and has zero network or filesystem access. Seems reasonable.
>The ‘Take a Screenshot’ feature was removed from the Page Actions menu in the url bar.
Odd, this is the only place I accessed it from. Not a big deal as it's still on the context menu and also can be added as a tool bar item but I am curious about the rationalization behind this change. That seemed like a great place to have it to me.
When I first tried to use it, I knew of the feature but couldn't find it. They probably have metrics on it being underutilized so they want to bring it forward a bit or so.
But I think the whole "page actions" button is too hidden. I think screenshot belongs there, and the issue is that most people don't know without being told that "page actions" is something that even exists.
It's great btw to take screenshot of loooong web pages smoothly.
the right click screenshot is one of the most useful features i didn't know i need; it's super convenient to not have to precisely draw the rectangle to share a meme or report a bug.
Choosing to screenshot the entire page seems to be cropping off most of the right side on every site I've tried so far. Is that a known bug? It would be really useful otherwise.
I likely would as well if I remembered it. I have always had a problem recalling key combinations across all the applications I use which is why I rely on context menus and tool bars heavily. I've called out VSCode on this a few times as well as it is a memorization fest to work efficiently in there without proper toolbars. It's not just this but I have memory issues in general which have only gotten worse as I've aged. Easy discoverability / access in UI design is a big focus for me.
Yep, but I find it to be a really poor paradigm for efficient work if you don't remember them. Having to search the command palette is much slower than being able to set up a toolbar of often used functions. Don't get me wrong, the command palette is great to have but if you can't memorize all those functions then it's a really poor replacement.
For efficiency Key combo > toolbar > command palette. I just hate to be forced into #3 because #2 doesn't exist. (not to mention that the developers make crazy arguments in the forums about why they refuse to implement it... but that's all off topic)
When is the context menu not available? If the website is overriding the right click action, keep shift pressed while clicking to gain back control.
I can see why they are doing it but I'll really miss FTP support. A lot of public data continues to be distributed through FTPs and for a long time Firefox has been the easiest way to browse them.
Agreed, I was on a public FTP site about a month ago browsing through old support files. Now I'll have to configure a client for it.
Edit: this might be a small opportunity for some of the native FTP apps to jump in and handle the links. Click an FTP link in the browser and launch my FTP client with the details passed through.
> The ‘Take a Screenshot’ feature was removed from the Page Actions menu in the url bar. To take a screenshot, right-click to open the context menu. You can also add a screenshots shortcut directly to your toolbar via the Customize menu. Open the Firefox menu and select Customize…
...why. Obviously it's easy to add it to the overflow bar, but it was handy having it there. Especially on pages that block right-clicking (including for good reasons, like games).
God I hate it when sites do that. There's a service that I pay for which disables right click, spams copyright notice modals every single time I try to copy any text and replaces the text I copied with useless copyright messages. It's so incredibly obnoxious it makes me want to scrape their content off their website out of pure spite.
It's more 'override right click' and is useful for eg. Google Docs to use application-specific context actions. Unfortunately I agree that most sites override it just to disable it, though.
Here[1]'s the why: With the removal of the meatball menu in the proton work, we'd like to move the Take a Screenshot button to the toolbar to allow users to hide it or put it in the overflow menu rather than being visible all the time.
???
Edit: Also great to see how they brush over existing users who have pinned the screenshot action to the toolbar, which is something you can do with all page actions (who knew?!).
We had discussed it before as a possibility, but I just confirmed with Romain that it's out of scope.
For reference, ~15k users have screenshots pinned to the URL bar and engaged with it within a 1 month period.
So apparently 15k people did know and now have to manually fix the regression, assuming they know how to do it. I still find it creepy that they gather data this specific, and of course users who disable "telemetry" mean nothing to them, they don't exist.
> I still find it creepy that they gather data this specific
I'd be super happy if gathering such specific data by any application meant to the developers "15k users are using this feature, there is no way we can break their workflow" instead of "there's only 15k users out of [x], that's just 0.x%, we can ignore them".
> I still find it creepy that they gather data this specific
I personally have never cared—there is nothing that can be learned about me (aside from being a power user, which I don't care about being public knowledge) from technical features I use. I absolutely block everything personal using uBlock Origin + Privacy Badger + FF's built in stuff, but I definitely see the value in tracking feature use.
> Firefox will not prompt for access to your microphone or camera if you’ve already granted access to the same device on the same site in the same tab within the past 50 seconds. This new grace period reduces the number of times you’re prompted to grant device access.
This is a super nice little QoL improvement, but I'd love to be able to configure this to be even longer (optimally by domain, but I'd love a global setting too).
True, there's not a huge difference. I just tend to prefer to reaffirm my permissions on occasion than permanently allow them. Similar to how I appreciate that most websites occasionally require you to re-login.
I don't know if this is a good thing or a bad thing, but it was only added to Mac fairly recently too, maybe around a year ago. And for a while it was behind an about:config setting as well.
I have this and Safari both open to github.com on my macos box. This site has an animation showing recent github activity on a globe. It's coded in javascript, AFAIK.
Firefox is using 55% of my CPU, whilst Safari is using 3%.
As someone who used Firefox exclusively back in the day (and mozilla before that), I will continue to try tests like this every time a new Firefox is released. Maybe, someday, the energy contrast will be less dramatically in Safari's favour, and I'll switch back to Firefox.
I did the same test on my M1 Air. Safari is using 40% CPU while Firefox is 55%. Not sure why there's such a large difference between your results and mine.
My guess is that the OP doesn't have hardware acceleration for Firefox on his GPU configuration. You probably don't either with your numbers. I have about 3-4% CPU usage on GitHub.com using Firefox, and my GPU is at about 20% load from the 3D being drawn.
after reading your comment I checked again and realized that activity monitor has a column for %GPU as well under the CPU tab. So here's the eyeball average after watching the GitHub page for about a minute.
Firefox 88 (no extensions, private mode):
CPU% 55 (avg) 61 (peak)
GPU% 65 (avg) 77 (peak)
Safari (no extensions):
CPU% 33 (avg) 40 (peak)
GPU% 33 (avg) 40 (peak) <- same numbers for both CPU and GPU in safari.
I remember creating a moderately large spreadsheet in Google Docs last year. Safari unloaded the page and forced a refresh every time I switched away. Firefox would hang recomputing formulas and only Chrome scaled well.
I'm looking to move to Safari by default. I just need to get over some UI differences. It drives me nuts that Firefox doesn't use the native context menus (I use "Look Up" constantly) and Text Shortcuts don't work. There's a bug for this filed literally 20 years ago.
Each browser has different trade offs and those may not change over time. I'm glad Safari fits your needs.
I found it! It's the "Look up & data detectors" setting under System Preferences > Trackpad. For whatever reason mine was set to "Force Click with one finger" which I never use and had trouble consistently activating. The other option is "Tap with three fingers."
Side note: I don't know how often this happens but it's kinda cool that Firefox went straight from 87.0 to 88.0 without any sub-versions. They didn't seem to have any security/bug patches, they just got it right on the first try.
I definitely noticed like "huh, it's weird we haven't had a new Firefox version to deploy yet this month". I'm used to seeing a point release nearly as soon as I deploy the previous Firefox version, lol. It isn't the first time, but it's infrequent enough to be kinda notable when they go an entire cycle without a point release.
<cranky>Perhaps in the olden days when various releases were somewhat fundamental in nature - not sure it's quite so impressive when we've had 3 'major' releases this year already</cranky>
Somewhat related is how libraries like three.js don't follow semver and only use a single incrementing version number. Reading the changelogs, it also looks like they never make any mistakes. It seems that there has never been a point in three.js's history where there's been a critical security flaw or bug severe enough to justify incrementing the version number solely for a bugfix. I have no idea how they do it.
Personally I would prefer to keep things as simple as possible, but unlike the maintainers of those projects, when it comes to making releases, I'm not perfect.
Does anyone know if there is an RSS feed for release notes? I couldn't find one, and the usual adding feed.xml to the URL trick didn't work in any of the instances I tried.
... which has been awesome, but I note I didn't get an item for this new version - looks like as of a couple weeks ago they have moved to a new mailing list system so this feed is gone.
Disappointed. There is so much low hanging fruit in the GUI department:
- have bookmarks/history stay on the page you open it on (and no other)
- have bookmarks and history occupy a full page, instead of shoveled into a GUI element, dialog style
- option to collapse tabs into a page (tab)
- make the "tabs window" (the downward arrow after +) a tab, so the tabs can be sorted, searched in, or copied from, as html, to a file (I now get a rather useless list of 100 tabs)
- have navigation to all of these pages, along with recent Downloads and options like Help and New Private Tab, right from the New Tab page, and leave the hamburger menu for page specific actions.
And more. But even without, Firefox is a great browser.
Yes, I can't believe Firefox is still using a 15 years old bookmark/history dialog with atrocious UI. Completely unusable for anything but the most superficial inspection of your browsing history.
What do you dislike about it? Specifically, what about it makes it "unusable" for bookmark management, and what UI changes would constitute an improvement?
I strongly prefer it to the apparent alternative, which seems to be an HTML-native interface in a tab. In fact I think doing that to preferences (about:preferences) was a step in the wrong direction. Not only is the result rather ugly (IMHO), I'm constantly losing my preferences tab among my other tabs, whereas a separate window with a native UI has a single instance (more appropriate for preferences) and doesn't get commingled with web pages.
They recently removed bookmark descriptions and the justification I read was that it was old code and hard to maintain, so maybe we're lucky and they'll improve that UI next.
> - make the "tabs window" (the downward arrow after +) a tab, so the tabs can be sorted, searched in, or copied from, as html, to a file (I now get a rather useless list of 100 tabs)
If you go to about:performance, you can double-click on a Tab entry, and it will jump you to that tab.
> And as "megabar" update has shown, this new "tab" style will probably be reverted in future redesign.
Did they really revert the megabar? I can't find anything about that with searches. (I fixed it to look exactly like the old design with usercss, so I can't easily check myself.)
As a side note, anyone using TreeStyleTab is probably immune from Mozilla's awful tab style revamp, as the tabs in TST are styled using CSS by the extension.
That's extremely funny, thanks. Kinda reminds me of what people have been saying about Google for a decade now - starting projects and sunsetting them with no coherent story or end goal. This case seems particularly ironic because they insisted on keeping the change despite widespread dislike.
Looking at latest Firefox Developer Edition, where new tabs and menus have landed, sadly the megabar is still the same. Sorry, if I misunderstood initial message and gave false hope. But hey, at least context menu is back to text back/forward actions instead of icons. Everything keeps going in circles.
Too bad AVIF images are still not supported (only behind a feature flag). Hopefully they will be able to solve the last bugs [1] that prevent this feature from being shipped.
Does Firefox not import profiles from old versions? I upgraded 85->88 and got the message "this installation has a new profile" and am missing all my history, bookmarks and addons.
Is this update why I got the 'Refresh or safe mode' dialog? I foolishly clicked and now I'm trying to restore stuff from the 'Old Firefox data' directory. This was not nice, I started thinking I was getting hacked. Esp. when it asked me for the master password five times in a row. Man is this browser rough.
And you still have to manually configure Firefox to use the native full-screen-api so you can use the macOS menubar to change your volume. Horrible, just horrible ...
But I'm currently on Firefox Nightly and pretty happy about the recent UX/UI changes.
Still no update on super-high CPU usage of Twitch on Firefox, an issue that has been open for at least 4 years [1][2].
I really want to like Firefox and I want there to be viable alternatives to Chrome but when playing video back at 360p (not joking) grinds my 1.5 year old Macbook Pro to a halt on a popular website... I just can't use it.
I don't know if this is a video codec issue, a CSS/JS issue that Twitch manages to trigger or what but it's a problem.
A good way to get traction on a Firefox performance bug is to provide a profile. You don't need to install any new software. Instructions for recording a Firefox performance profile:
Well, that's worse because it's a bigger issue. If you look through some of the bugs (there are several) you'll see suggestions of turning off chat to mitigate the issue but this raises even more questions:
1. Why don't users have to do that with Chrome?
2. While it does help, the video-without-chat CPU+GPU usage is still higher than Chrome's CPU+GPU usage for video-with-chat.
If that also applies to Youtube or other services and has been open for 4+ years then... yeah, big problem.
Non-solution, but have you seen https://github.com/streamlink/streamlink-twitch-gui? It runs natively using streamlink, and streamlink can use e.g. mpv and use minimal CPU, instead using hardware acceleration (or not run whatever JavaScript Twitch decides to run, at least).
Workaround, but I use mpv with youtube-dl. Offers rewinding, pausing (buffering for minutes), frame-by-frame stepping, slow motion.. You can just type `mpv http://twitch.tv/user_name`
I thought FTP support had been removed a long time ago for some reason! I have very fond memories of FTP but I guess its time has come. I probably haven't used it for 10 years at this point.
FTP is still pretty much alive in research as well (well, until now). I also used it in the past week. I understand it has flaws, but... I don't know, this seems yet another nail in the Old Web coffin.
"Has flaws" is an understatement. FTP does not play well with the current way the web is set up. Any firewalling or NAT is a pain unless you have the firewall introspect the FTP commands, which is easy for plain FTP because it's plain text and unencrypted, but once you start encrypting the transport it gets more complex, and you need to add support for that in the firewall. There's also often two connection channels, one for control and one for data.
Just be aware that any FTP upload capability offered is likely a serious pain for the admins on the other side. Even if they finally get it configured well enough to mostly forget about, they'll have to dive back in every time they upgrade any infrastructure along the path to it. It's much easier to just pass a TCP port through, which is what scp/sftp (the SSH variant, not the misnamed ftp/s variants some clients used to advertise as it) requires, and if you use rsync, it includes easy recovery.
> FTP does not play well with the current way the web is set up. Any firewalling or NAT is a pain unless you have the firewall introspect the FTP commands,
That is true only for active mode FTP. Firefox (and many other clients) already used passive mode FTP by default, which passes through NATs and firewalls just fine without need for special help.
Active FTP is a problem if the client is firewalled or behind NAT. Passive mode is a problem if the server is firewalled or behind NAT. The client makes both connections to the server, but still using a second arranged port, so any firewalling on the server has to either be aware of the specific port requested, or a wide range of ports needs to be directly passed through. This is what I was talking about with FTP aware firewalls.
This is what the ip_conntrack_ftp and ip_nat_ftp Linux kernel modules are, a way to make iptables more FTP aware by supplementing iptables at the kernel level.
This is also what OpenBSD's ftp-proxy utility is for, a way to deal with this without resorting to privileged specialty packet processing code, and a way to bypass not being able to see into encrypted traffic.
The fact that these workarounds exist is a testament to how hard FTP has been to deal with in the modern era of the web.
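An added example (not part of the original comment, and not code from any firewall) of the control-channel introspection described above: it reads PORT, 227 and 229 lines to learn which data connection a firewall would have to allow, and stops learning once AUTH TLS succeeds. The transcript, the addresses and the function names are constructed for illustration.

```python
import re

# Constructed control-channel transcript: (sender, line). "C" = client, "S" = server.
# Addresses come from documentation ranges and are not real hosts.
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PORT 192,0,2,10,195,80"),                            # active mode request
    ("S", "200 PORT command successful."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,78,52)."),  # passive mode reply
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),   # RFC 2428 reply
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation."),
    # From here on the wire carries ciphertext. The next two lines are shown in
    # clear only to demonstrate that the inspector can no longer use them.
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,80,0)."),
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); the port is p1*256 + p2."""
    match = HOSTPORT.search(text)
    if not match:
        return None
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def track_data_channels(session, server_ip):
    """Return the data-channel endpoints an FTP-aware firewall could learn.

    Each entry is (mode, who_connects, listening_ip, listening_port).
    """
    learned = []
    encrypted = False
    for sender, line in session:
        if encrypted:
            # After a successful AUTH the control channel is opaque, so the
            # negotiated data port is invisible to anything in the path.
            continue
        code = line.split(" ", 1)[0].upper()
        if sender == "C" and code == "PORT":
            endpoint = parse_hostport(line)
            if endpoint:
                # Active mode: the server dials back to the client.
                learned.append(("active", "server->client") + endpoint)
        elif sender == "S" and code == "227":
            endpoint = parse_hostport(line)
            if endpoint:
                # Passive mode: the client opens a second connection to the server.
                learned.append(("passive", "client->server") + endpoint)
        elif sender == "S" and code == "229":
            match = EPSV_PORT.search(line)
            if match and 0 < int(match.group(1)) <= 65535:
                # EPSV carries only a port; the address is the control peer.
                learned.append(("passive", "client->server", server_ip,
                                int(match.group(1))))
        elif sender == "S" and code == "234":
            encrypted = True
    return learned


if __name__ == "__main__":
    for entry in track_data_channels(SAMPLE_SESSION, "198.51.100.7"):
        print(entry)
```

Without this kind of inspection, the only static alternative is the one the comment names: forwarding a wide, pre-agreed port range to the server.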
> I don't think FTP is ever going to fully die. It is still a typical way to deploy your files when using a shared web hosting that does not offer SSH.
Surely those abominations are almost dead now though, in the age of the low-overhead VMs?
Some parts of the tech world seem quick to forget that smaller (and sometimes bigger) non-tech companies do exist. Sometimes non professional people create and deploy websites either as hobbyists or simply because there is no budget to hire a proper tech guy.
WordPress is still a huge part of the Web and is running fine on shared hosting. And yes it can be an appropriate and cost effective choice for smaller sites even in 2021.
Also adding to that, the one time I did migrate a project from shared hosting to a dockerized VM solution was when the hoster was not supporting the needed PHP version anymore. Meaning hopelessly too old to ever update.
SFTP is not only just preferable but so unrelated to FTP that it frustrates me that it's often brought up in the same sentence... why did they call it that.. ugh.
We’re kind of crazy and use WebDAV. Big upsides besides upload support were built in support in Windows Explorer, running over a single port / http, and https support.
I would have been happier if it had just been locked down to secure connections only. I have used FTP to quickly share files to colleagues at times and this will be broken now. I'm sure I was in a very minimal percentage but it was handy to just send someone an FTP link. Now if I don't want to have to upload it to an external service I will have to share it through my web server which brings up all kinds of MIME type issues, etc. I know, edge use case.
I wouldn't say that Firefox specifically is worse at it than other browsers though, but I kind of agree with parent comment that the "new web" doesn't care about printing.
On more and more pages I encounter issues like the printer only printing out the cookie warning window, or just the left navigation bar, etc. and none of the actual page content that I wanted to print. Or content goes up to the first in-line advertisement and then cuts off there with just blank pages coming out of the printer after that. Or weird pagination issues where there's text on page 1 and text on page 2, but there's a bunch of text missing in between that is otherwise visible fine on the screen.
I'm talking about web pages that don't specifically have a "print" button on them. If it looks like the page is using a fancy layout I typically now just do a screenshot and print the resulting .png.
I just switched from FF to Brave. Despite the unnecessarily built-in adblocking (I prefer blocking on router level + 2nd layer via ublock) and the BAT stuff, it is a good browser. It feels so fast and snappy. I wished FF was as fast.
The best I ever did for performance was switching away from macOS. Sure, Safari and Chrome are really fast on Mac hardware/macOS, but nothing beats the performance of Firefox on Linux.
Sure, and FF for Linux was always second to FF for Windows, where the experience was better than both platforms.
On Linux hardware accel is still iffy, on macOS they implemented support for CoreAnimation one or two years ago, and still looks out of place with the rest of the OS.
> Sure, and FF for Linux was always second to FF for Windows, where the experience was better than both platforms.
Not for me on desktop with a pretty well specced machine, Firefox still runs better on Linux than Windows and I constantly boot into the other during one day.
Good or bad specced machine, it's fun seeing the Firefox process use 150% CPU when playing a 4K video with no hardware acceleration. Meanwhile it uses 15% CPU on Windows.
Yeah, what on Earth does he even mean by "too political". I've never seen Mozilla make "political" statements beyond their user privacy rhetoric, which Brave is far more aggressive about.
Mozilla has increasingly become more of a political organization than a technology one. Where it used to focus on stewardship of the Mozilla code, its scope has now shifted to broadly "building a better internet".
The Mozilla mission 2005:
"Established in July, 2003, with start-up support from America Online's Netscape division, the Mozilla Foundation exists to provide organizational, legal, and financial support for the Mozilla open-source software project."
The Mozilla mission 2021:
"Our mission is to ensure the Internet is a global public resource, open and accessible to all. An Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent."
This shift has manifested itself in different ways which broadly align with American left politics. The homepage and blog are speckled with articles promoting diversity initiatives, endorsing BLM, calling for systemic change, endorsing net neutrality, and fighting misinformation.
Mozilla is also one of the organizations at the forefront of sanitizing language it deems problematic in any way:
The amount of complexity that one can put into a PDF is both surprising and a tad frightening.