Firefox 57 Brings Better Sandboxing on Linux (bleepingcomputer.com) 124
Catalin Cimpanu, writing for BleepingComputer: Firefox 57, set to be released tomorrow, will ship with improvements to the browser's sandbox security feature for Linux users. The Firefox sandboxing feature isolates the browser from the operating system in a way to prevent web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files. Chrome has always run inside a sandbox. Initially, Firefox ran only a few plugins inside a sandbox -- such as Flash, DRM, and other multimedia encoding plugins.
Firefoxalypse (Score:5, Insightful)
Re: Firefoxalypse (Score:3, Insightful)
The Firefox develops gave plenty of notice of this change, allowing add-on developers lots of time to upgrade and ensure their add-ons still work. This increases the speed of the browser dramatically. Don't blame the Firefox developers who are creating a better product. Blame the lazy add-on developers who haven't upgraded their add-ons. Alternatively, use an ESR release. Regardless, stop whining.
Re: Firefoxalypse (Score:1)
Only waterfox has no problem being both fast and support xul pluggins.
Yoi call people who have developed a fully functional codebase lazy because the don't adjust their priorities in line with a dick move.
Re: (Score:1)
If it matters that much to you, volunteer your own time, fork Firefox 56, and maintain it yourself. Firefox is open source so you have the freedom to do that. Anything else is whining and making demands of other people's time when they have no obligation to you. Stop complaining and fork Firefox if you care so much.
Re: (Score:3)
freeze128 doesn't appear to be demanding anything of anyone. He is just observing that he dreads upgrading (just as I observed that I won't be upgrading and will be switching browsers).
Re: (Score:2)
It sure doesn't help.
Re: (Score:2, Insightful)
Except that Waterfox is not its own browser, it's wholly reliant on whatever the Firefox developers do. Once they stop overworking themselves by maintaining Firefox's legacy while updating it, and just pull out those bits, Waterfox will be fucked. Daydreaming about how easy it is to maintain XUL is just not going to get it done. There is no covert army of coders just waiting to take up the torch; if such a team existed they would have fixed the problems before things got to this point.
The whole "lazy" angle
Re: (Score:2)
Only waterfox has no problem being both fast and support xul pluggins.
Do you have benchmarks to prove it? I'd like to see the numbers on latest Waterfox versus Firefox 57, comparing both with and without add-ons installed.
Re: (Score:1, Insightful)
But Mozilla has removed APIs so many of the plugins are impossible to implement again.
Re: (Score:2, Insightful)
It's not that they removed them, but they simply haven't (or won't) implement them. The reason, as far as I can tell, is that they refuse to admit that there are better (or simply different) ways to design the interface.
Re: (Score:3, Insightful)
The Firefox develops gave plenty of notice of this change, allowing add-on developers lots of time to upgrade and ensure their add-ons still work. ...
The amount of advance notice is irrelevant. The fact that the switch to Web Extensions is being driven by the calendar rather than the readiness of the software is the problem.
The new add-on interface still lacks functionality. There are many things that a Web Extension simply can't do, but that can be done by traditional Firefox add-ons. To add insult to injury, the Mozilla team isn't treating these gaps as a high priority. Their attitude seems to be "tell us what you're missing and maybe we'll add it late
Re: Firefoxalypse (Score:5, Informative)
Out of 37 extensions I use, there are WebExt equivalents for, *drumroll* 11. That much only because I spent some time looking for replacements.
APIs that would be required to reimplement those extensions aren't even coded yet, and any code that gets merged (which usually takes months) needs additional 18 weeks to percolate into an unstable ("non-ESR") release. With Firefox 52 EOL in June, the chances enough of extensions required for sane use will be ready by then are about nil. And the default, with nothing for privacy but tons of junk like Pocket or Telemetry, is almost as far from sanity as Chromium.
I guess it's time to look into packaging Waterfox or another fork.
Re: (Score:1)
If you want to stay at v56 a while, which is what I plan to do until the whole extension clusterfuck gets sorted out:
sudo apt-mark hold firefox firefox-locale-en
I don't use as many extensions as you, but still a solid half of the 12 or so I use have no v57 version, and many of them can't given the API limitations.
This thing is being pushed out too early. First reach feature parity, THEN ship it.
.
Re: (Score:2)
I guess it's time to look into packaging Waterfox or another fork.
Pale Moon has come a long way, the compatibility issues and frequent crashes are both gone.
Re: (Score:2)
Re: (Score:2)
AdBlock Plus (the WebExt version is useless, BTW), bug489729. CanvasBlocker, Classic Theme Restorer, Cookie Monster, Decentraleyes, DNSSEC/TLSA Validator, Download Status Bar, some poo Youtube downloader I won't grace with naming, Font Information, Google Privacy, google-no-tracking-url, Html Validator, HTTP/2 Indicator, HTTPS Everywhere, I don't care about cookies, Iceweasel Branding, KeysDisable, Last tab close button, No Coin, Open in Browser, OverbiteFF, Perspectives, Privacy Settings, RequestPolicy Con
Re: (Score:2)
Seriously, how many do you actually need though? Two or three?
Re: (Score:2)
Seriously, how many do you actually need though? Two or three?
Need: AdBlock Plus, bug489729, Classic Theme Restorer (for sane UI), Cookie Monster, DNSSEC/TLSA Validator, I don't care about cookies (EU sites are useless otherwise), Open in Browser (you can't view a goddamn diff otherwise!!!1!elebenty-one!), RequestPolicy, Sage, YesScript (too many sites have anti-AdBlock javascript).
Want for privacy: Canvas Blocker, Decentraleyes, Google Privacy, google-no-tracking-url, Smart Referer.
The rest merely make life nicer. And indeed, OverbiteFF is dead weight.
Re: (Score:2)
WOW! You are the second person I know to have more than 10ish. I know one person with 20's and they claim to be a plugin addict. I have 10, and think that's on the higher side. I set most people up with uBlock or Disconnect and that's it.
Going over your extentions, some appear to duplicate what already exists. Examples: can use google to translate page. Can shift click to force right click. Seams many of your plugins wouldn't be needed if you used NoScript.
FF 57 with no NoScript, ment that I use Pale Moon
Re: (Score:2)
Sadly, a majority of web pages are unusable or seriously degraded with NoScript. Even Slashdot is uncomfortable to read.
That's why I use RequestPolicy to kill most third-party stuff, but default to allowing first-party scripts. Certain offenders then get smacked down with YesScript.
Re: Firefoxalypse (Score:1)
The real danger is that once these users try Chrome, even with only a subset of their preferred extensions, they'll see how much faster it is than Firefox and won't want to switch back to Firefox. I've tried the Firefox 57 betas and they're still noticeably slower than Chrome. It was possible to put up with Firefox's slowness when it still supported lots of useful extensions. But with that benefit disappearing there will be no reason to use Firefox, and actually a lot of reasons to not use it.
Re: Firefoxalypse (Score:5, Insightful)
That's great, except for the part where some plugins CANNOT be implemented under the new API.
And the part where a whole ecosystem of perfectly good extensions created by volunteers for free is being discarded without a viable replacement for many of them.
Bug 1325692 marked as wontfix (Score:2)
The Firefox develops gave plenty of notice of this change, allowing add-on developers lots of time to upgrade and ensure their add-ons still work.
Yet they mark some admittedly missing WebExtension functionality as "wontfix". See comment 11 by Andy McKay to Bug 1325692 - [commands] Explicit support for overriding built-in keyboard shortcuts by WebExtensions [mozilla.org]: "Removing flags, this API is not going to be written in time to for Firefox 57."
Re: Firefoxalypse (Score:4, Insightful)
Let me enlighten you about a secret of software projects: if you want to be taken seriously as a platform for third-party developers, breakage-on-upgrade is never acceptable. And accusing them of being lazy is an excellent way of driving them away.
Which staves off the problem only temporarily. I would suggest the waterfox fork, or possibly palemoon.
You first.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
then run the LTS for a while. AFAICT, the plan is they're going to increase the featureset available to plugins afer 57.0. with luck what you want will mostly be available by the time the LTS expires.
Re: (Score:2)
But, people who are already running 56 have no trivial LTS option - in a recent release (54?) Mozilla declared that backwards compatibility is not supported (I'd check the release notes again but find them extremely hard/counter-intuitive to find on the new FF website design - apparently it's focused on looking "cool" and trying to "sell" rather than focusing on trying to be functional and on providing information). Sure, you could reenter all your passwords, export/import your bookmarks (to some non FF for
Re: (Score:3, Informative)
I dread updating to Firefox 57, because it will break all of my plugins.
Apparently some editions of version 57 will continue to support "legacy" (bootstrap, XUL, etc) addons [mozilla.org] via a preference setting, including the developer and unbranded versions. This might be an option if you really want to upgrade to 57 but still want your addons.
Personally 56 is the end of the Firefox line for me. I completely reject the horrible Australis interface and the push towards the gimped and incapable Chrome-style Web Extensions. Firefox had a good run, but its Chromification is now complete an
Re:Firefoxalypse (Score:4, Insightful)
I've heard this so many times it seems like Chrome/Edge propaganda now. Why so negative on the visuals of the browser? WHO GIVES A FLIPPITY DO DAH what the browser looks like? Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?
Fine, quit Firefox, but they are adding more and more support for privacy while all the other browsers are removing it or don't give to diddly flips about it. Hand over your data to GOOGLE using a chrome WHICH LOOKS LIKE AUSTRALIS ANYWAYS!
*Caps for emphasis on the total idiocy of these kinds of remarks.
Repeat after me, ditching software A because it's ugly for software B that is also ugly is stupid logic.
Re: (Score:2)
Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?
YES. The size of buttons and other UI elements, the colourfulness and skilfulness of the icon design to make icons clear and pretty, and the fact that the UI functionality is even there in the first place (bookmarks sidebar, separate search bar, status bar, live bookmarks toolbar, etc.) are all important.
Re: (Score:2)
Good thing those are all still there in 57 then. (Except maybe live bookmarks; I'm not sure about that.)
Re: (Score:2)
>"Why so negative on the visuals of the browser? WHO GIVES A FLIPPITY DO DAH what the browser looks like? Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?"
It is not just how it looks but how it operates. Some of us want tabs on bottom. Some of us want sane, traditional "file" menus for fast access and easy training. Some of us want a status bar. Some of us want predictable forward, back, reload, and home buttons that are together, don't disappear in context, or ar
Re: (Score:2)
Some of us want sane, traditional "file" menus
The menus are in Firefox on Windows. Turn on the Menu Bar via the Hamburger menu -> Customize -> Toolbars options (or press F10 to turn them on and then select View -> Toolbars -> Menu Bar to keep them on).
Some of us want predictable forward, back, reload, and home buttons that are together, don't disappear in context, or are not combined into some moving monster.
That's how Firefox 57's UI is working for me. I use the Light theme (one of the three themes included in Firefox 57 by default) with the Compact density setting. See the Customize settings page.
And it is unclear if those will ever gain the ACTUAL improvements Mozilla has added to Firefox for performance, memory usage, and security.
So just use Firefox and customize the UI CSS [ghacks.net] if you really want to [github.com].
Re: (Score:2)
Why so negative on the visuals of the browser?
Aside from the fact that I find it subjectively ugly, I dislike it because I think the design is unusable outside of a very base case of 2-4 tabs. Tabs-on-top is also a huge pain in the ass when using Remote Desktop or anything else that puts a bar along the top of the screen. It also goes against all OS design guidelines by removing the window title bar and system menus which makes muscle memory around those UI elements worthless. I could go on, but it doesn't really matter.
Is that REALLY the criteria you judge software on? The shape of the buttons and tabs?
Of course. These UI elements
Re: (Score:2)
It also goes against all OS design guidelines by removing the window title bar and system menus
You can turn on the Menu Bar in Firefox via the UI Customize settings (Hamburger menu -> Customize) or by pressing F10 to turn them on and selecting View -> Toolbars -> Menu Bar to keep them on.
So far I've been content to fix these problems using a UI addon, but every single one of those is made non-functional in version 57.
You can customize the UI via the built-in Customize settings. You can also modify the UI CSS [ghacks.net] if you really want to [github.com].
watching it turn into a mini-me of Chrome is soul-crushing. Honestly, I'm really hoping that the 57 fiasco
Firefox isn't a mini-me of Chrome and there is no fiasco. Relax. Don't worry, be happy [youtube.com]. You'll feel better.
Re: (Score:2)
Aside from the fact that I find it subjectively ugly, I dislike it because I think the design is unusable outside of a very base case of 2-4 tabs. Tabs-on-top is also a huge pain in the ass when using Remote Desktop or anything else that puts a bar along the top of the screen. It also goes against all OS design guidelines by removing the window title bar and system menus which makes muscle memory around those UI elements worthless. I could go on, but it doesn't really matter.
You can hide the connection bar [ravingroo.com]. There's also Tree Style Tabs [mozilla.org].
Re: (Score:2)
You can add the title bar back through the UI customization.
It's almost as if you haven't actually made any effort, and jumped straight to baseless complaints instead.
Re: (Score:3)
Re: (Score:1)
Same here, even though I didn't have a problem with Australis, so I'll stick with ESR for a few months and then move to Pale Moon. There's an Adblock Plus XUL-based fork for Pale Moon, so everything is ready for the move.
Re:Firefoxalypse (Score:4, Informative)
There's an Adblock Plus XUL-based fork for Pale Moon
Adblock Plus works in Firefox 57 [mozilla.org]. Personally, I use uBlock Origin [mozilla.org].
Re:Firefoxalypse (Score:4, Informative)
Why don't you just go back to the still maintained Seamonkey suite? It supports all the best FF extensions.
Re: (Score:2)
Seamonkey is dead in the water. Once XUL support is removed it will be gone.
Re: (Score:2)
Even this sandbox is broken, as it breaks any non-trivial audio that requires a plugin.
Port the plug-in to Web Audio API (Score:2)
Then download the source code for the plug-in, exercise your right under the source code's free software license to transpile it to JavaScript and port it to the Web Audio API, and use one of the *monkey extensions to insert it into every page that requires said plug-in. Or hire someone to.
Re: (Score:2)
Then download the source code for the plug-in, exercise your right under the source code's free software license to transpile it to JavaScript and port it to the Web Audio API, and use one of the *monkey extensions to insert it into every page that requires said plug-in. Or hire someone to.
How exactly do I "transpile" a honest LD_PRELOAD library (and its dependencies) to JavaScript? And how do you propose to call ioctls from JavaScript injected into a page?
Emscripten (Score:2)
How exactly do I "transpile" a honest LD_PRELOAD library (and its dependencies) to JavaScript?
First you obtain its source code, and then you use Clang with the Emscripten or WebAssembly target.
And how do you propose to call ioctls from JavaScript injected into a page?
By writing a shim that translates audio ioctls to their corresponding Web Audio API calls. In some cases, it may be easier to delete all the operating system integration, keeping only the codec proper, and write a new Web Audio API integration.
Re: (Score:2)
easier to delete all the operating system integration, keeping only the codec proper, and write a new Web Audio API integration
That can work if all you want is some codec, rather than making audio work at all. That "Web Audio API" won't work if the browser itself can't output sound.
Re: (Score:2)
In the HTML5 model, integration with the operating system's audio output API is the responsibility of the browser, not the plug-in. If your browser can't play sound, your browser is broken.
Re: (Score:1)
Noscript is still flagged Legacy. I won't upgrade until it's available.
I run Adblock Plus, Ublock Origin, and Noscript. They're all turned up to 11, and they still manage to block different things.
Re: (Score:2)
Noscript, instead of all the grandstanding is apparently simply not portable. The functionality needed in the API does not exist.
In before a bunch of knights in shining armour start quoting Noscript's author from months ago. Yeah, he said it might be possible and that it was a high priority to firefox team themselves to get it working. And even with that level of support, it still hasn't been done. Draw the relevant conclusions and understand you're being lied to.
Re: (Score:2)
Why both ABP and uBO? They overlap completely. Replace ABP with Privacy Badger instead.
Re: (Score:1)
I don't dread it, because I won't do it. After over a decade of loyal FF use, 56 is the end of the road for me as I've only found a comparable WebExtension plugin to ONE of the seven or so plugins I rely on. A major reason I have been loyal to FF, and tolerated its performance issues related to memory over the years, is because of the plugins.
I actually regret upgrading to 56 from 55 -- performance dropped into a abyss upon installation (I now keep an about:memory tab open all the time so every so often I c
Re: (Score:2)
I can click on 'minimize memory' which resolves
Sounds like you've got add-on problems. You should see if the problem persists with all add-ons disabled and maybe reset to a clean profile if you've been changing about:config settings (see about:support).
Re: (Score:2)
I've considered doing that, but since the problem cropped up simultaneously with the install of 56 and without any upgrades to add-ons (I don't allow automatic upgrades), I figure that probably isn't worth my time given that the lack of add-ons I want in 57 mean I'll be abandoning FF anyway -- small odds of buying a few more weeks or couple months (before some security problem goes unfixed in obsoleted 56) isn't worth the effort.
Re: (Score:2)
(I forgot to mention also, I don't screw around with about:config settings hardly ever -- and certainly not in the past couple of years).
Re: (Score:2)
I figure that probably isn't worth my time
It's trivial to do. Go to about:support and click on "Restart with Add-ons Disabled" to run Firefox in safe mode. When you're finished with safe mode, exit Firefox and run it up again normally. There isn't much effort required.
Re: (Score:2)
So what do you plan to do? Fork the FF 55 codebase, or start your own browser engine from scratch?
If it's the latter, please be kind enough to share it with the rest of us.
Re: (Score:2)
Probably sell out and switch to Chrome -- but I've not spent much time in it so plans could change (the only time I use it now is when some web site, unfortunately more frequent recently, doesn't work in FF but does in Chrome - presumably because the site doesn't bother to test as well on FF any more).
But, nope, I'm not forking FF 55 and taking it over :) That's not the sort of system or code (or politics) I enjoy working on.
Re: (Score:2)
Re: (Score:1)
Re:How about giving users a choice? (Score:5, Informative)
including some used for security
Like what? uBlock Origin works in Firefox 57 [mozilla.org], so does Adblock Plus [mozilla.org], so does Ghostery [mozilla.org], so does Privacy Badger [mozilla.org], so does HTTPS Everywhere [mozilla.org], etc. The only one missing from AMO at the moment is NoScript but that will be released soon [mozilla.org].
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Bug 1325692 [mozilla.org] causes data loss by making it impossible to disable the Ctrl+Q shortcut to quit. In the XUL era, one would use Keybinder, but the replacements for Keybinder are incompatible with the Linux version of Firefox because of bug 1325692.
Re: (Score:2)
It's ctrl+shift+Q in FF57, not just ctrl+Q. If you have session saving turned off, it will also warn you before closing the browser.
Re: (Score:2)
It's ctrl+shift+Q
That solves being close to "close current tab", but it's dangerously close to "switch one tab to the left" (Ctrl+Shift+Tab).
Re: (Score:2)
For me, I use different fingers for those two shortcuts, so it makes it rather difficult to mix them up by mistake.
Download Link... (Score:5, Informative)
A question for Mozilla (Score:5, Funny)
Is it called "Firefox 57" because that's how many users are left?
Re: (Score:2)
Is it called "Firefox 57" because that's how many users are left?
I thought it was homage to Wesley Snipes Passenger 57 :)
Cripplefox (Score:1)
Re: (Score:2)
Don't worry, google only wants your blood.
Why Chrome and not Chromium? (Score:4, Interesting)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Part of the problem is that there's really no standard "Chromium" as they all differ depending on who built it and what they decided to include/exclude. However, Google specifies exactly what's in Chrome so if someone says Chrome you know exactly what they are talking about.
The same thing exists actually on the Firefox side. While the source code is open, Mozilla owns the Firefox trademark and keeps pretty strict rules on what you can call Firefox should you start distributing your own builds. So the Chr
Original Article (Score:3)
Re: (Score:1)
That's entirely fitting given how little Linux users have given a shit about Firefox and in contributing to it ever since they decided to care more about the licensing of some icons. You get back what you give; it goes both ways.
Re: (Score:3)
dropping flash support
That's what everyone is doing [fortune.com], even Adobe themselves [theverge.com]. Flash is dead. You are in the first stage of grief [wikipedia.org]. Time to move on.
Re: (Score:2)
The next step is to dig up the contact information for the authors of each animation and game on Newgrounds and ask them to port them to HTML5. How would we go about that?
Re: (Score:2)
The next step is to dig up
No, the next step is to get Adobe to release a WebAssembly build of the Flash run time. And if Adobe doesn't care about Flash enough to do that then tough luck, kid.
It seems like you're in stage 3 of grief: bargaining.
I had a games website once (Score:1)
My games website was somewhat popular (1000s of views per day and this was the mid-90s so was a kind of big thing then) and I had a guy who regularly updated it for me. One day I decided to overhaul the design to make it something I thought looked more appropriate. I asked the guy and he said he didn't like it and preferred the current one but I was sure I was right so I ploughed ahead and replaced the site with the new design. He left, and the site viewership dwindled down and never recovered.
Mozilla ki
Tree Style Tabs ported (Score:2)
Piro's Tree Style Tabs has been ported to 57:
https://addons.mozilla.org/en-... [mozilla.org]
So I'm on board. No other browser offers this functionality still and its my must have feature. Vivaldi has something similar, but not the same.
I wish Video DownloadHelper would get ported though. That could be a problematic change.
Re: (Score:2)
I wish Video DownloadHelper would get ported
Version 7 has been released [mozilla.org] with Firefox 57 support.
Re: (Score:2)