github celenityy/Phoenix 2025.02.28.1


⚠️ ALL DESKTOP USERS ARE RECOMMENDED TO UPDATE TO THIS RELEASE ASAP. This release mitigates CVE-2025-27091 (high severity) from Firefox upstream, which Mozilla has not yet fixed...


  • Disabled OpenH264 to mitigate CVE-2025-27091, and due to other security concerns... - media.ffmpeg.allow-openh264, media.gmp-gmpopenh264.enabled, media.gmp-gmpopenh264.provider.enabled, & media.gmp-gmpopenh264.visible -> false

  • Temporarily disabled Download Spam Prevention by default, as it's unfortunately still too buggy/experimental... - browser.download.enable_spam_prevention -> false

  • DESKTOP: Fixed a bug that prevented uBlock Origin's assets.json from updating after first set-up - Note that you MUST reset uBlock Origin by navigating to Settings -> Reset to default settings... to receive the updated configuration. You can back up your current settings using the Back up to file... option, and restore your settings after the reset is complete with the Restore from file... option. Apologies for any inconvenience, the fix here should help ensure this isn't a problem in the future...

  • DESKTOP: Disabled the ability for uBlock Origin's built-in filterlists to use filters requiring trust, due to security concerns.

  • DESKTOP: Added new filterlists to uBlock Origin that allow the user to block SVG, WebGL, WebGPU, and WebRTC per-site. Users are highly recommended to use these filters (with the exception of WebGPU - very few websites use it so we fully disable it via dom.webgpu.enabled, though this filter may prove useful for the future if WebGPU does become adopted...), and see if it suits them - due to the significant privacy & security advantages. Block SVG is located under Malware protection, security, while Block WebGL and Block WebRTC are located under Multipurpose. This is especially important for Phoenix Extended users, as it's likely we'll stop completely disabling WebGL (webgl.disabled) in the future, due to this list. - Please report any breakage caused by these lists here.

  • Hardened extension CSP policies to disable WebAssembly (without breaking Firefox Translations... ;)) & upgrade insecure network requests - https://codeberg.org/celenity/Phoenix/commit/58eca0f015c2beacc216182085ddcc37e0348064

  • Enabled Add-on Distribution Control (Install Origins) by default - extensions.install_origins.enabled -> true

  • Enabled the Sanitizer API by default - dom.security.sanitizer.enabled -> true

  • Set Firefox to sync with Remote Settings hourly, rather than once a day by default, as Remote Settings is used for various security-critical functionality (Ex. CRLite/revocation checks, malicious add-on blocklists, etc), so we want to make sure users are up to date ASAP - services.settings.poll_interval -> 3600

  • DESKTOP: The Firefox logo is now hidden on about:home by default - browser.newtabpage.activity-stream.logowordmark.alwaysVisible -> false

  • SPECIALIZED CONFIGS: Stopped automatically loading websites on browser launch - as uBlock Origin is unfortunately unable to filter on the profile's first launch

  • SPECIALIZED CONFIGS: The search bar is now hidden from about:home by default - browser.newtabpage.activity-stream.showSearch -> false

  • Other minor tweaks, fixes, & enhancements
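
One way to check a preference file against the security-relevant values listed above, as an added example (not Phoenix's own code). It assumes one pref call per line in `user_pref`/`pref`/`defaultPref`/`lockPref` form, and the sample input is constructed.

```python
import re

# Security-relevant preference values stated in the release notes above.
EXPECTED = {
    "media.ffmpeg.allow-openh264": False,
    "media.gmp-gmpopenh264.enabled": False,
    "media.gmp-gmpopenh264.provider.enabled": False,
    "media.gmp-gmpopenh264.visible": False,
    "browser.download.enable_spam_prevention": False,
    "extensions.install_origins.enabled": True,
    "dom.security.sanitizer.enabled": True,
    "services.settings.poll_interval": 3600,
}

# One pref call per line: user_pref(...) from user.js/prefs.js, or the
# autoconfig forms pref/defaultPref/lockPref. Block comments are not handled.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')

def parse_prefs(text):
    # Assumption: a later assignment overrides an earlier one.
    found = (PREF_RE.match(line) for line in text.splitlines())
    return {m.group(1): parse_value(m.group(2)) for m in found if m}

def audit(text):
    """Return {pref: (expected, actual)} for prefs that are unset (None) or differ."""
    actual = parse_prefs(text)
    return {name: (want, actual.get(name)) for name, want in EXPECTED.items()
            if type(actual.get(name)) is not type(want) or actual.get(name) != want}

# Constructed sample input, not a real Phoenix file.
SAMPLE = """\
user_pref("media.ffmpeg.allow-openh264", false);
user_pref("media.gmp-gmpopenh264.enabled", false);
pref("media.gmp-gmpopenh264.provider.enabled", true);
lockPref("media.gmp-gmpopenh264.provider.enabled", false);
user_pref("browser.download.enable_spam_prevention", false);
user_pref("extensions.install_origins.enabled", true);
user_pref("dom.security.sanitizer.enabled", true);
user_pref("services.settings.poll_interval", 86400);
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The type comparison makes an integer `1` fail where `true` is expected, so a mistyped value is reported rather than accepted.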


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)
