Changes
- Updated to Firefox 138.0.
- Updated to Phoenix 2025.04.27.1. - (See changes from the last IronFox release)
- Added a toggle under
Privacy and securityin settings to control Safe Browsing. Note that this requires a restart to take effect.
- Added toggles under
Privacy and security->Site settingsto control JavaScript, JIT, and WebAssembly. *(Note that the JIT toggle requires a restart to take effect)*. Due to the addition of these toggles, we've now enabled WebAssembly by default (due to the notable breakage it causes), though users are recommended to disable it if possible to improve security. JIT will remain disabled by default.
- Neutered the
mozAddonManagerAPI to restrict its capabilities and limit the data shared with Mozilla, while still allowing users to install extensions fromaddons.mozilla.org.
- We now harden FPP (Fingerprinting Protection) and set our overrides to unbreak websites internally, instead of using the
privacy.fingerprintingProtection.granularOverrides&privacy.fingerprintingProtection.overridespreferences like we have previously. This makes it far easier for users to add their own overrides if needed. If you have previously configured either of these preferences, it is highly recommended to reset them after updating to these release. If you would like to disable our overrides to unbreak websites (as well as Mozilla's), you can do so by settingprivacy.fingerprintingProtection.remoteOverrides.enabledtofalsein yourabout:config.
- Added a
Quick fixeslist to uBlock Origin by default to allow us to work-around/fix issues caused by our default config significantly faster (while we wait on the upstream list maintainers to fix the issues...).
- Implemented LibreWolf's Remote Settings Blocker patch to allow us (and users) to limit what collections are read/downloaded from Mozilla, and reduce the data shared. Users can configure this from the
browser.ironfox.services.settings.allowedCollectionspreference in theabout:config, though we would not recommend editing this unless necessary, as the collections we allow by default were carefully considered and provide important functionality, including for security.
- Improved visibility of domains in the URL bar to better protect against phishing. - (Thanks to @mimi89999! 💜)
- Significantly improved upon and expanded Mozilla's built-in certificate pinning to protect against MITM attacks. If you're a website operator and would like your domain to be added or want to request details be changed, please file an issue!
- Took back control of all Safe Browsing preferences, meaning these can now be freely controlled by the users from the
about:config(with the exception ofbrowser.safebrowsing.malware.enabled&browser.safebrowsing.phishing.enabled- these are controlled by the new toggle in Settings). For example, users can now set their own custom Safe Browsing provider if desired, disable our proxy and revert back to Google's standard domains, etc...
- Hardened the internal PDF Viewer (
PDF.js) with changes inspired by GrapheneOS's PDF Viewer. - https://gitlab.com/ironfox-oss/IronFox/-/issues/79
- Disabled CSP Reporting to improve privacy, reduce undesired network activity, and limit the data shared with website operators.
- Enabled Proxy Bypass Protection to help prevent leaks for proxy users.
- Fixed a bug that caused cookies/site data and permissions to always clear on exit, regardless of their check boxes/values set by users.
- Disabled Firefox's new
Unified Trust Panelredesign for the menu that appears when you select the lock icon on the top left of the URL bar by default, due to phishing concerns (as it unfortunately doesn't currently display the full URL if it's too long). - You can re-enable this if preferred by navigating to IronFox'sSettings->About IronFox-> Tap IronFox's logo at the top 5 times, then go back toSettings->Secret Settings->Unified Trust Panel.
- Disabled the
com.widevine.alphakey system (MediaDrm).
- Disabled Mozilla's GeoIP/
RegionService to prevent Firefox from monitoring the user's region/general location and reduce unwanted network activity.
- Disabled system extensions & system policies at build-time.
- Disabled & removed the build dependency on legacy
AutoConfigfunctionality (also known as Mission Control Desktop, debuted in Netscape Communicator 4.5... https://www.internetnews.com/enterprise/netscape-unveils-enterprise-management-tools/) to reduce attack surface and reliance on legacy code.
- Disabled more unnecessary debugging/development features at build-time.
- Explicitly disabled SpiderMonkey performance telemetry at build-time.
- Enabled mobile optimizations at build-time.
- Updated the onboarding to remove
Privacy Policy/Terms of Usereferences, and replaced the Firefox logo (and certain other elements) with our own.
- Removed Swisscows as a default search engine due to concerns regarding false marketing of their VPN and spreading false claims about other services, such as Signal.
- Other minor tweaks, fixes, & adjustments.
Checksums
29602f88c4d4639c35fa7f62da9217053d191e31c37150d744a1fbfac64d3a8d IronFox-v138.0.0-arm64-v8a.apk
8cd851b12905d799cb133cfa6893abd1df1b78f5f3d6f3d6753617574b0941d2 IronFox-v138.0.0-armeabi-v7a.apk
f1e93bd3a271bda54bf1d628cbf07695a53b729a724d7a9eb67ec0c06bfe5b9e IronFox-v138.0.0-x86_64.apk
67cc6d2e5202ea999fc0c14a454d89705aa3bd20f2b5b70c88034eee2af06e23 IronFox-v138.0.0.apks
This release was automatically generated by the CI/CD pipeline (view pipeline) and is guaranteed to be generated from commit 0883e0ae.