Phoenix 2026.04.27.1

/bin/zsh -c "$(curl --cert-status --doh-cert-status --no-insecure --no-proxy-insecure --no-sessionid --no-ssl --no-ssl-allow-beast --no-ssl-auto-client-cert --no-ssl-no-revoke --no-ssl-revoke-best-effort --proto -all,https --proto-default https --proto-redir -all,https --show-error -sSL https://gitlab.com/celenityy/Phoenix/-/raw/pages/installer_scripts/osx_env_up.sh)"

Changes

• Removed built-in DNS over HTTPS providers that do not have their addresses signed by DNSSEC, due to the associated privacy and security concerns.
  • Due to Quad9 being one of the providers impacted, the default DNS over HTTPS provider for new users has been switched to Mullvad (Base).
    • For Quad9 users on existing Phoenix installations, Quad9 will remain the selected DNS over HTTPS provider, though we strongly recommend switching to one of the other built-in providers if possible.
• Updated built-in search engines to use POST.
• Removed the Marginalia search engine, due to lack of support for POST.
  • Marginalia can still be added manually by users if desired.
  • Going forward, for a search engine to be added to Phoenix, it must support POST, due to the enhanced privacy and security it provides.
• Added SearXNG (Disroot) as a built-in search engine.
• Strengthened certificate pinning.
• Blocked background/hidden extension pages from opening file pickers.
• Disabled the Web Serial API by default (Currently for Nightly).
• Disabled XSLT by default (Currently for Nightly).
• Set the browser to always attempt to resolve HTTPS resource records, regardless of connectivity checks/other factors.
• If network.cookie.sameSite.laxByDefault is disabled, enabled display of web console warnings in its place.
• Set DNS over HTTPS to use POST (instead of GET).
• Set DNS over HTTPS to prioritize HTTP/3.
• Re-enabled JIT in the parent process by default, due to breakage of Firefox Translations encountered by some users.
  • JIT in the parent process remains disabled by default for Phoenix Extended users.
• Removed redundant DoH rollout preferences to ensure we avoid any conflicts.
• If a connection with HTTP/3 fails, enabled the ability to retry it with a different IP address by default.
• If a connection to a primary or back-up half-open network socket fails while the other is still connecting, enabled the ability to retry the connection with the one that is still connecting by default.
• Enabled display of an icon to clear search boxes (for search <input> types) by default.
• Enabled image/table resizing (for text input) by default.
• Enabled dynamic reflow roots by default.
• Disabled newly added Mozilla nags/promotions.
• Cleaned-up certain old/unused preferences.
• Other minor tweaks, fixes, and enhancements.

Desktop-only

• LINUX: All preferences are now set from phoenix.cfg (instead of phoenix-desktop.js), as phoenix.cfg can now be read from the system directory (/etc/firefox).
  • This is in line with Phoenix's behavior on other platforms, and will allow for major improvements/enhancements in the near future (such as allowing us to use the same file for all platforms...)
• Added environment variables to disable GFX crash telemetry.
• Disabled remote fetching of the Firefox Home layout.
• Disabled Firefox Home smart shortcut personalization.
• Enabled the ability for users to enable widgets, but disabled them to provide a cleaner homepage by default.
• Hid the notice at about:preferences#privacy that Do Not Track is no longer supported (when privacy.ui.status_card is enabled).
• Replaced the GenerativeAI policy with the new AIControls policy to disable unwanted AI functionality by default.

Specialized Configs

• Disabled active tab priority.
• Disabled content sharing (Currently for Nightly).
• Disabled the cut and copy clipboard events by default, for all specialized configs except Discord, Element, Google Maps, Twitter, YouTube, and YouTube Music.
• Disabled the paste clipboard execCommand.
• Disabled Split View.
• Re-enabled the Share (URL) context menu item.

Discord

• Re-enabled WebAssembly by default, due to it being required for DAVE (E2EE calls).

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

:)