Trainspotting: Firefox 37, Developer Edition and More

Welcome to Trainspotting, a new series on Mozilla Hacks designed to help the busy Web developer keep up with what’s new, what’s changed and what is coming soon in all of the Firefoxes, the Web platform, and the tools for building the Web!

Mozilla develops Gecko and Firefox on a “train model” – we branch the code and ship a release on a time-based schedule (every six weeks). If a feature is not finished, it’s reverted or disabled and has to, as we say, ride the next train. This means we ship new features, performance improvements, and bug fixes to users every six weeks, instead of having to wait up to 18 months.

Trainspotting will publish every six weeks when we branch the code – and we’ll point out any changes that might require action or cause compatibility issues, as well as new features that Web developers would want to take advantage of.

Firefox 37

For a detailed list of all noted changes in the release, check out the official release notes for Firefox 37. Below is a list of notable features, links to documentation, and anything that requires action by developers or site operators.

Desktop Features

  • A subset of the Media Source Extensions (MSE) API has been implemented and is enabled to allow native playback of HTML5 video on websites such as YouTube. You can read about the various MSE APIs and their usage on MDN.
  • Bing search now uses HTTPS. Hurray for private and secure searching!
  • Heartbeat is a new feedback feature in Firefox desktop: Each day a random subset of Firefox users will be shown a notification bar with an opportunity to provide feedback on their experience. You can see screenshots and read more about how it works on the Heartbeat project page.

Firefox for Android

This time around, Firefox for Android is getting a security and stability release. The biggest user-facing changes—improved performance of file downloads, and the addition of some new locales: Albanian, Burmese, Lower Sorbian, Songhai, Upper Sorbian, Uzbek. Read the full list of security fixes for Firefox Android 37 and the full release notes.

HTML5 & Web Platform

There are a bunch of new Web platform features that you can now use in production content in Firefox 37, and here are a few examples:

Keep reading the Firefox 37 for Developers article on MDN for a detailed look at all the rest.

Developer Tools

If you’re using Firefox Developer Edition these additions won’t be news, but if you’ve been doing your development in the release build, there are a few new features to note:

Security

Firefox 37 has a bunch of security changes. Most of these do not require any action, however if you are a site operator you should definitely look to see if any of these changes impact you. Big thanks to David Keeler, security engineer for Firefox, for his help deciphering this section of the release notes.

  • We removed support for DSA in certificates and TLS, because we found that almost nobody was using these. If you’re a site operator and your certificate was signed with a DSA algorithm, contact your CA and get a new certificate. You can check with `openssl x509 -in {certificate file} -text -noout` and search for “Signature Algorithm.” If you do have one of these certificates and do not change it, users will see an override-able error.
  • HTTP/2 AltSvc is temporarily disabled due to a bug. We implemented HTTP/2 AltSvc support for opportunistic encryption. This feature allows encryption over TLS for unauthenticated connections that would otherwise be clear text. Configuration is very simple, and Patrick McManus has written instructions for how to set it up on your server.
  • We have disabled insecure TLS version fallback. If a secure site isn’t working, you can try setting the “security.tls.version.fallback-limit” preference in about:config to 1 and see if it works then. If you see this anywhere, please file a Tech Evangelism bug, noting the URL of the site, so we can work with the operators to update it. Site operators should make sure their servers aren’t TLS-intolerant, which you can do with the SSL Labs tool.
  • Users can now report SSL connection problems for a variety of non-certificate-related errors. For example, if a user encounters a non-override-able TLS error, they can now send a report to Mozilla directly from the error page. The information in the report consists of the domain you were trying to reach, the certificates the server sent, the time, which error was encountered, and some user agent information. We use this information to work with site operators to fix their configurations, and to improve our software that detects these issues, so please do send reports. Check out a screenshot of what this looks like.
  • TLS False Start optimization now requires a cipher suite using AEAD construction. If you’re running a server and false start isn’t working as expected, try using an AEAD cipher suite. Learn more about AEAD at Wikipedia and in RFC 5288. The only AEAD cipher suite that Firefox supports at this time is AES-GCM.
  • We now log usage of weak ciphers to the web console. For example, if you visit a site with a SHA-1 certificate with the web console open you’ll now see a message like, “This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1. Learn more…” If you run a site and your certificate was signed with SHA-1, get a new certificate from your CA.

Firefox Beta

In six short weeks Beta will be available for general release, becoming Firefox 38. Here’s some of what’s coming your way:

  • All Firefox preferences are now in a new tab-based UI.
  • Improved page-load times with speculative connection warmup.
  • MSE support on Mac OS X.
  • EME support for encrypted media playback.
  • Web platform features: WebSockets in Web Workers, KeyboardEvent.code, and the BroadcastChannel API.

Read the Firefox 38 Beta release notes for the full list.

Firefox Developer Edition

This release of Firefox Developer edition (which will be Firefox 39) is frankly kind of ridiculous. The developer tools are getting precariously close to something indistinguishable from magic. Huge props to the developer tools team for what you’re about to see.

  • Developer Tools: Wi-Fi debugging of Firefox OS devices from WebIDE, drag and drop of nodes in the Inspector’s markup view, Web Console input history persistence, localhost works with WebSocket connections when you’re offline, and the cubic bezier tooltip now shows a gallery of pre-sets you can choose from to make your CSS animations super slick.
  • Web platform features include the “switch” role in Aria 1.1, CSS scroll snap points, Cache API, Fetch API, <link rel=”preconnect”> and more.

Read the full release notes for this release of Firefox Developer Edition.

Nightly

The nightly branch of Firefox is where a lot of features are in active development. It’s a place where you can test experimental Web APIs and see user-facing browser features that are not yet ready for hundreds of millions of users. You might see a crash or two, you might lose you session data, but you also might experience the vision and wonder of what the future holds. It’s the Mos Eisley of browsers – a dangerous place, but we stick around for the action.

There are a number of features that have landed and are shipping nightly builds either enabled by default or by pref:

  • E10s – Web content runs in a separate process from the browser UI.
  • Partial implementation of Service Workers.
  • Shumway – Flash implemented in JavaScript is enabled for some sites.

Thus concludes the first edition of Trainspotting. Let us know what you think in the comments, and what you’d like to see more of!

About Dietrich Ayala

Dietrich is a technical evangelist at Mozilla. He's worked on Firefox, Firefox OS and a number of other Mozilla projects for over a decade. He's currently traveling around Asia speaking and writing about Mozilla, Firefox and the Web.

More articles by Dietrich Ayala…


5 comments

  1. tranche

    Wow cool : we have IndexDB Web Workers !

    Firefox improvement is impressive.
    As a webapp developer I’m still worried about one things, and maybe it’s the most hated unimplemented feature for webapp : the missing of Date input support in Firefox : https://bugzilla.mozilla.org/show_bug.cgi?id=888320
    And the fact that there is nobody working on it.
    Hope I will read in a couple of “Trainspoting” the support for this feature … before IE/Spartan support it.

    April 8th, 2015 at 02:27

  2. Christian

    Thank you for this summary. Good work.

    There is the command missing in the openssl command:
    `openssl -in {certificate file} -text -noout` should read:
    `openssl x509 -in {certificate file} -text -noout`

    Best regards
    Christian

    April 8th, 2015 at 07:34

    1. dietrich

      Good catch, I’ve updated the post. Thanks Christian!

      April 8th, 2015 at 10:35

  3. Ping

    I think there is a bug in the dom inspector. When the dom is zoomed by CSS transform. The mask shown by the inspector is not the correct size.

    April 13th, 2015 at 18:20

    1. dietrich

      Hi Ping! Thanks for letting us know.

      Can you provide more information? The DevTools team developer that I asked said he couldn’t reproduce the problem.

      Do you have a URL of the page that we could test?

      Thanks!

      April 13th, 2015 at 19:51

Comments are closed for this article.