codeberg celenity/Phoenix 2025.04.27.1
on Codeberg

latest releases: 2025.09.07.1, 2025.08.06.1, 2025.07.30.1...
4 months ago

NOTE FOR MACOS USERS:

This release adds environment variables for macOS users to disable Mozilla's Crash Reporter (like we already set for Linux), which will be set by default for new Phoenix installations going forward, but won't have an impact on current installs. While it's not required to add these environment variables to continue using Phoenix, macOS users with existing installations are highly recommended to add them due to the privacy benefits. You can easily set them up by running the following script: 

/bin/zsh -c "$(curl --cert-status --doh-cert-status --no-insecure --no-proxy-insecure --no-sessionid --no-ssl --no-ssl-allow-beast --no-ssl-auto-client-cert --no-ssl-no-revoke --no-ssl-revoke-best-effort --proto -all,https --proto-default https --proto-redir -all,https --show-error -sSL https://gitlab.com/celenityy/Phoenix/-/raw/pages/installer_scripts/macos_env.sh)"

NOTE: Additionally, macOS (Intel) is now officially supported. Simply run the installation script (or do a manual installation if you prefer...), and choose Intel when prompted. :) This is in addition to various other improvements to the macOS install/uninstall scripts.

It should also be noted that as of this release, Swisscows has been removed a default search engine due to concerns regarding false marketing of their VPN and spreading false claims about other services, such as Signal.

  • DESKTOP: Updated our uBlock Origin config (assets.json) per latest upstream changes.

    See details: https://codeberg.org/celenity/Phoenix/commit/0d26adf11e2c0e62a053ebb0cf3edb78ab9331ea + https://github.com/gorhill/uBlock/commits/master/assets/assets.json

  • DESKTOP: Added a 'Quick fixes' list to uBlock Origin + enabled it by default to allow us to fix issues caused by our config/default filterlists significantly faster (while waiting on the respective author to fix the issue upstream).

    See details: https://codeberg.org/celenity/Phoenix/src/branch/pages/uBlock/quick-fixes.txt

  • ANDROID: Temporarily excluded various captive portal domains from DNS over HTTPS by default to avoid breakage, as Firefox on Android currently doesn't have a UI to fallback (unlike Desktop).

    See details: https://codeberg.org/celenity/Phoenix/commit/f1a13b77521942740248a66e7b74442392c0e0ef

    network.trr.excluded-domains -> aainflight.com,acwifi.com,aircanadawifi.com,airtime.geemedia.com,alaskawifi.com,amtrakconnect.com,amtrakwifi.com,ana-inflight-wifi.com,app-yoda.arubathena.com,aruba.odyssys.net,arubanetworks.com,arubanetworks.com.cn,asset-acms.anuvu.cloud,auth.hpe.com,bap.aws.opennetworkexchange.net,btwifi.com,captive.o2wifi.co.uk,captive-2020.aio.cloudauth.net,captive-2022.aio.cloudauth.net,captivemgr.o2wifi.net.uk,captiveportal-login.belex.com,carnivalwifi.com,cbp-guest.cbp.dhs.gov,cdnhotspot.afd.azureedge.net,cdnhotspot.azureedge.net,central.access.network,cfr-mprtuam-01.cops.us1.pr.anuvu.cloud,checkout.aa.com,cloud.imedia.ie,connect.edge.ihg.com,connect-edge.ihg.com,connected.xfinity.com,controller.access.network,cust.blueprintrf.com,deltawifi.com,device-yoda2.arubadev.cloud.hpe.com,dlrguest-captive.disney.com,ee-wifi.ee.co.uk,etihadwi-fly.com,fedsso.yum.com,flyfi.com,freewlan.sbb.ch,gogoinair.com,gogoinflight.com,gp1.wendys.com,guestinternet.com,guestinternet.com.s3-website-us-east-1.amazonaws.com,hiltonwifi.com,hotspotportals.com,hs.imedia.ie,httpforever.com,iceportal.de,inflight.pacwisp.net,inflight-wifi.com,inflightinternet.com,internal2-public-device-nc-nlb-b71ba3c951b09682.elb.us-west-2.amazonaws.com,internal2-public-device-nlb-2e2273d4267c0682.elb.us-west-2.amazonaws.com,internetupgrade.marriott.com,kong-gtw-portal-apse2prod5-lb-1386339370.ap-southeast-2.elb.amazonaws.com,kong-gtw-portal-eu-lb-1104785228.eu-central-1.elb.amazonaws.com,kong-gtw-portal-mec1prod6-lb-2104849938.me-central-1.elb.amazonaws.com,kong-gtw-portal-production-lb-686216184.us-west-1.elb.amazonaws.com,kong-gtw-portal-use1prod2-lb-291057632.us-east-1.elb.amazonaws.com,krisworld.singaporeair.com,kw.sq.com,landing.sbb.ch,loggedin.wifigem.it,login.attwifi.com,login.cloud5.com,login.cloudi-fi.net,login.innflux.com,login.wifigem.com,login.windstream.com,login-awe-cluster.attwifi.com,login-federated.windstream.com,lounge.aa.com,lpv.attwifi.com,lufthansa-flynet.com,managedwifi.xfinity.com,massportwifi.com,marriottwifi.com,medallionclass.com,mscwifi.com,msftguest-virtual.partners.extranet.microsoft.com,mt1.datavalet.io,network-auth.com,neverssl.com,nossl.com,ofc-yoda2.arubadev.cloud.hpe.com,onboard.eurostar.com,onboard.sbb.ch,onboardicafe.com,portal.ac2.mist.com,portal.ac5.mist.com,portal.ac6.mist.com,portal.eu.mist.com,portal.gc1.mist.com,portal.gc2.mist.com,portal.gc3.mist.com,portal.mist.com,portal.moovmanage.com,qa-connect-edge.ihg.com,rcs.arubathena.com,rcs-m.arubathena.com,rcs-ng-yoda2.arubadev.cloud.hpe.com,regio-guide.de,rsc.att.com,rsc.wayport.net,rougewifi.com,sbux-j3.datavalet.io,sbux-portal.globalreachtech.com,sbux-portal.odyssys.net,secure.11os.com,secure.datavalet.io,secure.wayport.net,secure-login.attwifi.com,service.thecloud.net,shop.ba.com,singaporeair-krisworld.com,sso.wendys.com,stage.connect.edge.ihg.com,starbucks-east.datavalet.io,stay.marriottbonvoy.com,southwestwifi.com,thalysnet.com,thd.cloudauth.net,timhortonswifi.com,tvgreyhound.com,unitedprivatescreening.com,unitedwifi.com,universal-orlando.ampthink.com,viasat.com,virginwifi.com,wanderingwifi.com,we.windstream.com,weconnect.wendys.com,wifi.airasia.com,wifi.bahn.de,wifi.cathaypacific.com,wifi.delta.com,wifi.esa.com,wifi.kfc.com,wifi1.kfc.com,wifi2.kfc.com,wifi.panerabread.com,wifi.singaporeair.com,wifi.sncf,wifi.starbucks.com,wifi.tgv-lyria.com,wifi.tgvlyria.com,wifi.united.com,wifi.united.com.edgekey.net,wifi.we.co,wifi.xfinity.com,wifi-viarail.ca,wifi-xdb.boingohotspot.net,wifihotspot.io,wifilauncher.com,wifilauncher.com.s3-website.us-east-1.amazonaws.com,wifilrn-ch2-1p.xfinity.com,wifionboard.com,wirelessportal.americanexpress.com,wirelessportal.americanexpress.com.akadns.net,wirelessportal2.americanexpress.com.akadns.net,wlb1-1579773356.us-east-1.elb.amazonaws.com,yoda-cgqa.arubathena.com,yoda-cgqa-elb.arubathena.com,yoda2-ofc-nlb-f4f923213a2189c7.elb.us-west-2.amazonaws.com,yoda2-public-device-nlb-8343995ce4714f6f.elb.us-west-2.amazonaws.com,yoda2-rcs-nlb-0c9df3882f3f7416.elb.us-west-2.amazonaws.com,zugportal.de

  • Enforced the internal Content Security Policy (CSP).

    See details: https://developer.mozilla.org/docs/Web/HTTP/Guides/CSP

    security.browser_xhtml_csp.report-only -> false

  • Explicitly disabled JPEG-XL by default due to security concerns in its current state.

    See details: https://github.com/mozilla/standards-positions/pull/1064

    image.jxl.enabled -> false

  • Prevented bypassing DNS over HTTPS for '/etc/HOSTS' entries by default to protect against HOSTS file hijacking.

    See details: https://codeberg.org/celenity/Phoenix/commit/7ac281d87af2f65ed900e7f10f093311b472cfe5

    network.trr.exclude-etc-hosts -> false

  • Prevented websites from automatically refreshing by default on all configs instead of just 'Extended'.

    browser.meta_refresh_when_inactive.disabled -> true

    DESKTOP: accessibility.blockautorefresh -> true

  • Stopped setting a stricter media autoplay policy in Phoenix 'Extended', due to it causing breakage and not really being privacy/security related (though still nice to have).

    See details: https://codeberg.org/celenity/Phoenix/commit/e8fa1a3215d8693c728620551b4ee0fae09a83dd

    media.autoplay.blocking_policy -> 0

  • Disabled add-on metadata updates by default.

    See details: https://blog.mozilla.org/addons/how-to-opt-out-of-add-on-metadata-updates/

    extensions.getAddons.cache.enabled -> false

  • DESKTOP: Disabled Firefox Sync feature recommendations.

    identity.fxaccounts.toolbar.syncSetup.panelAccessed -> true

  • Disabled Firefox Translations feature recommendations.

    browser.translations.panelShown -> true

  • Disabled Mozilla's GeoIP/Region Service.

    browser.region.local-geocoding -> false
    browser.search.region -> US

  • Disabled Mozilla 's Terms of Use.

    datareporting.policy.dataSubmissionPolicyAcceptedVersion -> 999
    datareporting.policy.dataSubmissionPolicyNotifiedTime -> 999999999

    DESKTOP: In addition to these prefs, we're also using the new SkipTermsOfUse policy:

    SkipTermsOfUse -> true

  • SPECIALIZED CONFIGS: Disabled AMRemoteSettings.

    See details: https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/docs/AMRemoteSettings-overview.rst + https://searchfox.org/mozilla-central/source/toolkit/mozapps/extensions/AddonManager.sys.mjs

    extensions.remoteSettings.disabled -> true

  • SPECIALIZED CONFIGS: Disabled Geolocation network scanning for redundancy.

    geo.provider.network.scan -> false
    network.wifi.scanning_period -> 0

  • SPECIALIZED CONFIGS: Disabled Remote Permissions.

    See details: https://searchfox.org/mozilla-central/source/extensions/permissions/docs/remote.rst + https://searchfox.org/mozilla-central/source/extensions/permissions/RemotePermissionService.sys.mjs + https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/remote-permissions/changeset?_expected=0

    permissions.manager.remote.enabled -> false

  • Disabled spoofing WebGL renderer info on 'moviezapiya.fun' by default to fix breakage.

    See details: https://codeberg.org/celenity/Phoenix/issues/95

    privacy.fingerprintingProtection.granularOverrides -> {"firstPartyDomain":"moviezapiya.fun","overrides":"-WebGLRenderInfo"}

  • ANDROID: Allowed 'gsi.go.jp', 'harkins.com', 'megacloud.blog', 'megacloud.store', 'nperf.com' & 'pogospike.com' to extract randomized canvas data by default (if the target is enabled) to fix breakage.

    See details: https://codeberg.org/celenity/Phoenix/commit/d0a57128f03f9e6381bb5a22b900901faecb7013 + https://codeberg.org/celenity/Phoenix/commit/7868acadf94ee47a8b69d46eef1c25b8076989b8 + https://codeberg.org/celenity/Phoenix/commit/e6d8e52c01a732b57d5681ac258abe586c3d48fb

    privacy.fingerprintingProtection.granularOverrides -> {"firstPartyDomain":"gsi.go.jp","overrides":"-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"},{"firstPartyDomain":"harkins.com","overrides":"-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"},{"firstPartyDomain":"megacloud.blog","overrides":"-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"},{"firstPartyDomain":"megacloud.store","overrides":"-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"},{"firstPartyDomain":"nperf.com","overrides":"-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"},{"firstPartyDomain":"pogospike.com","overrides":"-CanvasExtractionBeforeUserInputIsBlocked,-CanvasImageExtractionPrompt"}

  • ANDROID: Disabled spoofing screen coordinates on 'letterboxd.com' by default to properly display the mobile page instead of desktop.

    See details: https://github.com/webcompat/web-bugs/issues/150661

    privacy.fingerprintingProtection.granularOverrides -> {"firstPartyDomain":"letterboxd.com","overrides":"-ScreenRect"}

  • DESKTOP: Blocked canvas data extraction before user input on 'cloudflare.com', 'riverside.fm', 'stacksocial.com', 'tiktok.com', 'tileman.io', 'usps.com', & 'yahoo.com' by default.

    See details: https://codeberg.org/celenity/Phoenix/commit/d5b6477c783ed715e704c129ab3b364f7884419e + https://codeberg.org/celenity/Phoenix/commit/b3616823f0b82998e7bdec0e48d40b6e0643c452 + https://codeberg.org/celenity/Phoenix/commit/17c90cf95bb632d1cc1636719da9fd2ff920c5bb

    privacy.fingerprintingProtection.granularOverrides -> {"firstPartyDomain":"cloudflare.com","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"},{"firstPartyDomain":"riverside.fm","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"},{"firstPartyDomain":"stacksocial.com","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"},{"firstPartyDomain":"tiktok.com","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"},{"firstPartyDomain":"tileman.io","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"},{"firstPartyDomain":"usps.com","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"},{"firstPartyDomain":"yahoo.com","overrides":"+CanvasExtractionBeforeUserInputIsBlocked"}

  • DESKTOP: Disabled spoofing screen coordinates on 'barnesandnoble.com' by default to unbreak account sign-in.

    privacy.fingerprintingProtection.granularOverrides -> {"firstPartyDomain":"barnesandnoble.com","overrides":"-ScreenRect"}

  • DESKTOP: Disabled pausing on debugger statements by default.

    devtools.debugger.pause-on-debugger-statement -> false

  • DESKTOP: Enabled display of default/browser styles in the Inspector by default.

    devtools.inspector.showUserAgentStyles -> true

  • Added 'classify-client.nonprod.webservices.mozgcp.net', 'classify-client.prod.webservices.mozgcp.net', 'location.services.mozilla.com', 'locprod2-elb-us-west-2.prod.mozaws.net', 'nonprod.classify-client.nonprod.webservices.mozgcp.net', & 'prod.classify-client.prod.webservices.mozgcp.net' to the internal domain blocklist.

    network.dns.localDomains -> classify-client.nonprod.webservices.mozgcp.net,classify-client.prod.webservices.mozgcp.net,location.services.mozilla.com,locprod2-elb-us-west-2.prod.mozaws.net,nonprod.classify-client.nonprod.webservices.mozgcp.net,prod.classify-client.prod.webservices.mozgcp.net'

  • APPLE MAPS SPECIALIZED CONFIG: Added 'securemetrics.apple.com.cn', 'securemvt.apple.com.cn', & 'smoot-api-glb.v.aaplimg.com' to the internal domain blocklist.

    See details: https://codeberg.org/celenity/Phoenix/commit/5aacd001fce8087518444dfc7da107000bd88a30

    network.dns.localDomains -> securemetrics.apple.com.cn,securemvt.apple.com.cn,smoot-api-glb.v.aaplimg.com

  • GOOGLE MAPS + YOUTUBE SPECIALIZED CONFIGS: Added 'app-ads-services.com' to the internal domain blocklist.

    network.dns.localDomains -> app-ads-services.com

  • NIGHTLY: Enabled isolation of resources (ex. referrers & cookies) injected by extensions by default - Currently only supported on Firefox Nightly.

    privacy.antitracking.isolateContentScriptResources -> true

  • Added built-in example 'templates'/internal preferences to make it easier for users to set custom FPP (Fingerprinting Protection) overrides if needed.

    See details: https://codeberg.org/celenity/Phoenix/commit/ea8b20c4748acb96ed4b3e365d1d7d5efb6ce81b

    privacy.fingerprintingProtection.granularOverrides.0.example -> [{"firstPartyDomain":"example1.invalid","overrides":"+ProtectionIWantToEnableOnThisWebsite,-ProtectionIWantToDisableOnThisWebsite"},{"thirdPartyDomain":"example2.invalid","overrides":"+ThirdPartyDomainsAreSupportedTheSameWayToo"}]
    privacy.fingerprintingProtection.overrides.0.example -> +ProtectionIWantToEnableGlobally,-ProtectionIWantToDisableGlobally

  • Added a built-in note/internal preference so people don't freak out when they see RFP (Resist Fingerprinting) isn't enabled...

    See details: https://codeberg.org/celenity/Phoenix/commit/538ee9f7c423371a02e5a688b29173c29c500d33

    privacy.resistFingerprinting.0.note -> RFP is disabled on purpose.
    privacy.resistFingerprinting.1.note -> We use a hardened configuration of FPP instead.
    privacy.resistFingerprinting.2.note -> Using RFP is not recommended or supported.

  • Other tweaks & fixes

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

:)

Check out latest releases or
releases around celenity/Phoenix 2025.04.27.1

Don't miss a new Phoenix release

NewReleases is sending notifications on new releases.

Get notifications