Firefox 48 Release: Find out what is new

Firefox 48 Stable will be released on August 2, 2016 according to the Firefox release schedule. Firefox 48 is a major release that makes add-on signing mandatory on Stable and Beta versions of the browser, and introduces multi-process functionality to the first batch of users (who don't run any add-ons).

Firefox 47.0.1 and earlier versions can be updated to Firefox 48. Additionally, updates for Firefox Beta, Developer, Nightly and Firefox ESR are released on August 2, 2016 as well.

Firefox Beta is updated to 49.0, Firefox Developer to 50.0, Firefox Nightly to 51.0, and Firefox ESR to 45.3.

Executive Summary

1. Firefox extension signing is enforced on Stable and Beta versions of Firefox. Users can no longer disable the requirement. Developer, Nightly, ESR and unbranded builds are provided that still ship with the functionality.
2. About 1% of Firefox 48 users who don't run add-ons will have the new multi-process architecture enabled for them.
3. Support for Mac OSX 10.6, 10.7 and 10.8 ends. Firefox will continue to function on those platforms, but won't receive new features or security updates anymore.

Firefox 48 download and update

The majority of Firefox users will receive 48 via the browser's update mechanics. Firefox supports automatic updates but may also be configured for manual checks or no checks at all.

Please note that the new version is released on August 2, 2016, and that it may not be available at the time of publication of this review.

You may check for updates by tapping on the Alt-key on the keyboard, and selecting Help > About Firefox from the menu. This runs a manual check for updates, and displays the current version and channel.

If Firefox is configured to download and install updates automatically, that is what is going to happen if the update is picked up. If not, you get options to download and install it manually instead.

You may download all editions of Firefox using the links below instead.

• Firefox Stable download
• Firefox Beta download
• Firefox Developer download
• Nightly download
• Firefox ESR download
• Firefox unbranded builds information

Firefox 48 Changes

Add-on signing enforcement

Firefox Stable and Beta users may no longer disable add-on signing in their versions of the browser. This blocks them from installing unsigned add-ons in Firefox. Unsigned add-ons are all add-ons that have not been submitted to Mozilla for signing.

Firefox displays "This add-on could not be installed because it has not been verified" when you try to install an unsigned add-on in Stable or Beta versions of the browser.

This means that it is no longer possible to install add-ons from third-party sources in Firefox, or old add-ons, if they have not been signed.

There is no way around this other than switching to another Firefox channel that still offers a switch to turn the functionality off.

Firefox Developer, Nightly, ESR and unbranded builds fall in that category.

Multi-process Firefox roll out

The second major change is the roll out of multi-process Firefox. The feature separates content which, according to Mozilla, improves the browser's stability, performance and security.

About 1% of users who have not installed a single add-on in Firefox will get it in the beginning. Mozilla plans to increase the figure over time.

Load about:support and check the "multiprocess windows" value to find out whether it is enabled in the browser.

Check out our Firefox multi-process overview for additional details.

Firefox Download Protection improvements

Firefox 48 ships with several changes designed to protect users better against unwanted or outright malicious downloads.

First of all, Firefox 48's Safe Browsing implementation supports the two new categories potentially unwanted software and uncommon downloads.

The first warns Firefox users when they download executable files that may contain adware, the second when a file is not very popular.

The change goes hand in hand with user interface changes. The download icon, displayed by default in the main Firefox toolbar, displays malicious downloads with a red exclamation mark, and potentially unwanted programs or uncommon applications with a yellow exclamation mark.

That's not all though. When you click on the download icon to display the last downloads, the default action for each download may either be open or remove.

For potentially unwanted downloads and uncommon downloads, open is the default action indicated by a folder icon. For file downloads identified as malicious it is remove and indicated by an x-icon.

Downloaded files are not opened or removed right away though. Firefox displays prompts that explain the risks of opening the file or allowing the download.

The following three screenshots show the prompts for potentially unwanted, uncommon and malicious downloads in that order.

Experienced users may override any of the prompts or warnings by right-clicking on files and selecting the "allow download" option. This is useful if a download is marked as problematic erroneously.

Firefox users find more control over the download protection functionality under Security in the preferences.

The new "block dangerous and deceptive content" preference is listed on about:preferences#security. You may turn the feature off completely there, or turn if off for dangerous downloads, or unwanted or uncommon downloads separately.

Note: You may notice that the options to "block reported attack sites" and "block reported web forgeries" are no longer provided. While I have no confirmation yet, it appears that "block dangerous and deceptive content" fills that role now.

Experienced users may control safe browsing on about:config or in a user.js file just like before:

• browser.safebrowsing.malware.enabled - Set this to false to block malware protection and unwanted downloads protection.
• Up to Firefox 49: browser.safebrowsing.enabled - This preference turns off phishing protection.
• From Firefox 50 on: browser.safebrowsing.phishing.enabled - Set this to false to turn off phishing protection.

All Safe Browsing preferences are listed on the Mozilla Wiki.

Other changes

• Windows: Tab (switch buttons) and Shift-F10 (pop-up menus) work now in customize mode.
• GNU/Linux: Better Canvas performance with Skia support.
• Media Parser developed using Rust and implemented in Firefox 48.
• Firefox 48 ships with a blocklist against plugin fingerprinting.
• The new "Get Add-ons" page launches in Firefox 48.
• Bookmark or open tab hits in Firefox's address bar use "super smart icons" to let you know.
• Starting with Firefox 49, SSE2 CPU extensions are going to be required on Windows.
• Windows Remote Access Service modem Autodial is gone.
• Fixed WebRTC issues that Jabra & Logitech C920 webcam users experienced.
• WebExtensions support is considered stable. Yes, you may install (some) Google Chrome extensions in Firefox 48.

Developer Changes

Temporary Add-on Reloading

Add-on developers and users may load temporary add-ons in Firefox using the about:debugging page. This can be useful for add-on testing during development, or testing an add-on without installing it permanently in the browser.

Any change made to a temporary loaded add-on required the browser to be restarted. This changes with Firefox 48, as it is now possible to reload extension that are temporarily loaded. (Bug 1246030)

Firebug theme

Firefox 48 ships with a new Developer theme. Besides dark and light variants, it is now also possible to load the Firebug theme which resembles the popular Firefox developer add-on.

Firebug functionality is or will be integrated in Firefox natively, and the add-on itself won't receive any more updates because of it.

Other Developer changes

• DOM Inspector (Bug 1201475)
• Font Inspector enabled by default (Bug 128121)
• HTTP Log Inspection in Web Console (Bug 1211525)
• Improved CSS properties suggestions (Bug 1168246)
• Position of elements can be changed in content now (Bug 1139187)

Check the resources section at the bottom of the article for links to full Developer change logs.

Firefox for Android

Making Firefox the default browser is easier on Android 6 and up

To make Firefox the default on Android 6 Marshmallow and higher, do the following:

1. Tap on Settings.
2. Select Apps.
3. Tap on the gear icon.
4. Tap on Default Apps.
5. Tap Browser app.
6. Tap Firefox on the list.

The previous process which is still valid for older Android versions required a lengthy process detailed here.

Other Firefox 48 for Android changes

1. Add frequently visited sites to the home screen for faster access.
2. Amazon product search suggestions now supported.
3. Firefox 48 for Android users get control over web notifications.
4. Firefox restores tabs by default. You may change that under Advanced Settings.
5. Mobile history is prioritized over desktop history.
6. New action bar for Android 6 and higher that floats near selected text.
7. New Firefox for Android users get clearer options to sync from the history panel.
8. Qwant is a search option for French, United Kingdom English and German locales.
9. Reading List moved to the Bookmarks panel.
10. Support for Android 2.3 has ended.
11. Sync Tabs is now in the History panel.
12. Video controls got a new look.

Security updates / fixes

Security updates and fixes are announced after the release of Firefox 48. This guide will be updated when that happens.

2016-84 Information disclosure through Resource Timing API during page navigation
2016-83 Spoofing attack through text injection into internal error pages
2016-82 Addressbar spoofing with right-to-left characters on Firefox for Android
2016-81 Information disclosure and local file manipulation through drag and drop
2016-80 Same-origin policy violation using local HTML file and saved shortcut file
2016-79 Use-after-free when applying SVG effects
2016-78 Type confusion in display transformation
2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
2016-76 Scripts on marquee tag can execute in sandboxed iframes
2016-75 Integer overflow in WebSockets during data buffering
2016-74 Form input type change from password to text can store plain text password in session restore file
2016-73 Use-after-free in service workers with nested sync events
2016-72 Use-after-free in DTLS during WebRTC session shutdown
2016-71 Crash in incremental garbage collection in JavaScript
2016-70 Use-after-free when using alt key and toplevel menus
2016-69 Arbitrary file manipulation by local user through Mozilla updater and callback application path parameter
2016-68 Out-of-bounds read during XML parsing in Expat library
2016-67 Stack underflow during 2D graphics rendering
2016-66 Location bar spoofing via data URLs with malformed/invalid mediatypes
2016-65 Cairo rendering crash due to memory allocation issue with FFMpeg 0.10
2016-64 Buffer overflow rendering SVG with bidirectional content
2016-63 Favicon network connection can persist when page is closed
2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)

Additional information / sources

• Firefox 48 release notes
• Firefox 48 Android release notes
• Add-on compatibility for Firefox 48
• Firefox 48 for developers
• Site compatibility for Firefox 48
• Firefox Security Advisories
• Firefox Release Schedule

Now You: Which feature or change are you the most excited about? Did we miss a new feature or change? Let us know in the comments.