This has been one of my most reviled features of the modern web that autocomplete is almost universally turned off for passwords. This often even extends to integrated password managers. Could not be happier this has been changed, although for most of my life I'll still suffer behind an ESR version without it.
As one of the comments in the discussion notes, also possibly better for security. Manual entry is a negative incentive for complex passwords (reduces average complexity across the whole userbase). It also preferences keylogger attacks, which is one of the most widespread computer infections.
Probably what's being forced on them at work. That's generally the only place ESR is used. It's actually all it's meant for (large scale corporate/organization rollouts where they need to test and peg a specific version for use with web apps).
Though you can have Firefox ESR installed and use it as your primary while still having a copy of Firefox Portable handy for other user on a flash drive or even right in My Documents.
While I didn't make this change myself, I made the change that sparked this discussion (and was a part of the discussion). Been getting mails about it on both sides of the spectrum :P
It really was a illogical feature. Too much power to the website, and as one person put it, "When the browser fails to fill in my password for me, I must assume that the browser is broken".
This is going to cause trouble with several websites that use "password" inputs for other sensitive data like credit card numbers and SSNs. The discussion mentions that this is a misuse of the password input, but it's a very common misuse of it.
The discussion stresses that Firefox is the third major browser to implement this feature, but what I don't think they understand is that their username/password detection algorithm is the weakest of the three browsers.
If I create a form that contains a dozen fields, one of which is labeled "Owner's Email" (type=text) and another that is labeled "Owner's SSN" (type=password) with several fields in between, Firefox thinks this is a login and prompts the user to save this information. Chrome and IE are smart enough to recognize that just because an email address and password field were somewhere on the same form, that this isn't login information.
We've addressed this issue in the past by turning autocomplete=off for the SSN field, but now we'll have to re-implement input type=password using input type=text with some javascript. Otherwise, our users are going to accidentally click "Yes" at some point when prompted to save their password and have the form auto-filled for each subsequent entry.
I recently ran into an issue where the browser was auto-completing a mail server configuration form, assuming that it was the login for the site. Luckily, adding a value="" attribute to the password field fixed it for me (and still works in Firefox 30).
I heard from someone on the Chrome team that the reason that Chrome respects this behavior is that many of these websites will resort to "please use a supported browser such as: Safari" tactics if Chrome ignores autocomplete=off. Those were one of the worst parts of the web 5+ years ago and I'd hate to see them come back for FF users.
hmm, but didn't Chrome start ignoring autocomplete=off for password fields[1]? And Safari was already doing it, and now it's not even an option to turn it back on.
Hmm interesting, maybe they did. I heard this almost a year ago (Summer 2013) so they could have come around. If 2 or 3 of the major browser vendors would make this move it would put pressure on the webmasters (do people still say webmaster?) to just deal with it.
I love the change to prohibit non-whitelisted plugins. Together with the changes to Chrome to move away from NPAPI, hopefully we can kill off the majority of plugins across all browsers.
If we can get it down to just Flash and nothing else, hopefully a few years from now Mozilla's HTML5 implementation of Flash will take off (similar to PDF.js), which pushes Flash inside the browser sandbox, and ensures that it has no more privileges or capabilities than normal in-browser content.
Herm... I just want to point out the elephant in the room:
A new proprietary plugin is coming (which might reduce the need for Flash, but still), the EME CDM (content decryption module).
I'm afraid you'll never have "just Flash and nothing else". W3C EME is coming, unfortunately.
Note: If I'm not mistaken, most other browsers won't have CDM as a 'plugin' per se. Because they are proprietary browsers (IE, Safari, Opera, and Chrome, too), they can afford to make deals with devilish entities to make your machine execute code that makes your computer slower for no good reason (Because video decryption is useless. Come on, everything is already torrented anyway! This is so that CDM deciders can allow or disallow playback devices at will for the default user, and have power over device vendors). I don't know if Chromium will ever support EME, but it is in the same boat as firefox: plugin necessary.
So the proprietary browsers will integrate directly the CDM in their code, while for open-source browsers this would be repugnant (and impossible).
Hopefully it will be easy to keep the CDM plugin from ever being installed in firefox. I don't plan on ever using it - if a website requires a DRM plugin, then I will just abstain from viewing their content. I just hope I don't have to recompile firefox on my own just to make this possible.
ClickToPlugin on Safari is reeeeally good at finding the html5 alternative for Flash videos. It's actually the only thing that's keeping me on Safari, if only someone could port it to firefox…
Actually click-to-play is what made YouTube usable to me. Now it is broken and I had to write a user script to fix it. When I brows YouTube and search for something, I want to open several search results/related videos in background tabs. But idiotic YouTube auto-plays videos. Autoplay is one of my most hated anti-patterns. I wrote a user script/chrome plugin that replaces all video page links with base64 URLs that insert a hop to the actual video page (including preview image) so I can keep using YouTube like I want it. I made it so that when i directly click a link it still goes to the watch page directly.
The only problem with click-to-play is a lot of sites did their feature detect wrong and only try the HTML5 player if the browser doesn't list Flash support. If you use click-to-play, it still lists the Flash plugin as available so e.g. YouTube, Vimeo, etc. will load the Flash UI rather the faster, higher-quality path.
I allow my FF to have Flash click to play enabled on all sites except on YouTube. It can be set to be click to play for all sites and then you can add specific sites to be the exception.
I've looked for the interface to add exceptions in the plugin menus and couldn't find it...where is it? I'm currently using Flashblock, which is nice, but I'd rather deal with the problem "natively" if possible.
IIRC the site-specific permissions interface is getting an overhaul, but you can currently get there by right-clicking the page -> view page info -> permissions.
> IIRC the site-specific permissions interface is getting an overhaul
I had completely forgotten about that page but you're probably thinking about:
about:permissions
Don't think there's any GUI way to get to it, it feels like years since I last saw it. Also, I don't have any plug-ins so can't check if it lists those there.
Why does everyone around here want to kill off plugins? There are some jobs they simply do much more efficiently than an html5+javascript solution. All of the Javascript-based PDF readers I've had the displeasure of using have been slow and buggy. Flash is nice for animations and some kinds of games (javascript + html5 games have in my experience always had little errors like misaligned text, key input issues with existing browser use, the browser highlighting parts of the game as if it's a text document, and the bigger issue of speed - they've always been slow on more complex games compared to the same amount of complexity in a flash game. This makes me highly doubt that an "HTML5 implementation of Flash" will take off within a few years. It would probably be just as bad as PDF.js.)
Installers on Windows run with administrator privilege and can do anything they want, including modifying the Firefox binaries. We might end up with an arms race between adware vendors forcing their stuff into Firefox and Mozilla trying to disable it.
If an installer modified the binary, Firefox couldn't stop that. What installers actually do is move some plugin files into the global Firefox plugins folder, so they get loaded on next startup. Because you can't uninstall the global plugins from the user's account, they added a per-user setting that keeps track of which "global" plugins that user has allowed.
That wouldn't be anything new, and the system's malware detection should help. Although it's a hard problem if users insist on running random binaries, of course.
I'm still eagerly waiting for per tab volume control [0], a per tab activity monitor/profiler [1], the possibility to suspend tabs with practically no memory usage [2] and more options for searching the browsing history [3]. Besides that I find it counterintuitive that a revisit of an URL removes the entry of the previous visit. The result is an incomplete history. I wished they would change that.
I know it isn't necessarily the same, but volume controllers on Linux using Pulseaudio have per-source volume meters. I use them to turn off annoying banners and such.
I don't think tab volume control is trivial; NPAPI doesn't provide an audio API. So Flash on Win32 (for example) is just sending audio directly to the OS. (You can use the Windows volume controller to adjust Flash volume, at least.)
Technically, they could set LD_LIBRARY_PATH (or equivalent in Windows) and provide a sound API wrapper library that could control the volume. That sounds overkill, though.
That's https://bugzilla.mozilla.org/show_bug.cgi?id=454625 and the problem is that other browsers only sometimes allow changing line-height on them and some sites are depending on that (non-documented, not standardized) behavior...
Normally, it has been fixed in Firefox 30. This one was difficult to find, as it was due to a sophisticated combination:
1. preferences setup to cleanup history on shutdown;
2. no new thumbnails created during the session;
3. some specific scheduling of shutdown.
I wonder why this only seems to be a problem for some people... It has happened to me only once in the 1000's of times I have shutdown Firefox since version 29.
I know it happens to me because plugin-container never closes properly. The result is that the entire browser process stays open while the zombie plugin-container exists.
It happens for me more like five times a day. I am holding the rest of my machines on Firefox 28 till this is fixed. It is easier to cancel update message than to terminate the zombie process.
Yes, though in the same way that one yellow jacket is worse than none in the house. If you only have one every so often, you aren't that likely to hunt down every nest outside and around the house to kill them.
Well, I have needed to manually shutdown the Firefox process prior to Firefox 29 (every once in a great while) so having to do it once so far with the new version is not significant.
I am not saying it's not a real issue but why it's more a problem for some then others...
Each update up to Firefox 28 improved this issue somewhat; there's a small bug in 29 that made it worse again (not by much, statistically), and that bug is fixed in 30. So you can wait for the 30 update in 6 weeks, or you can move to the Beta channel (which is 30) until it hits Release.
(Personally, I run the Aurora channel - v31 right now on my machine - and I never have any problems.)
Well, it shouldn't do that automatically, as you might just genuinely try to run FF while it's running by mistake. But a button to do kill would be nice.
Running FF a second time works actually, all it does is signal to the current running FireFox to open a new window in the same process. The 'FF is already running' message comes-up when there is a zombie FF process going that's not responding to signals to open a window (or similar). I agree with you though, killing it off automatically isn't a very good solution, but having a button to close the current FF and restart would be nice.
If you click on the button/ launch the application it should make a best effort to show you a browser window. "Restore" a minimised window, raise a hidden window, offer to restart if necessary, etc..
"too many possible variations" sounds like a reason to me to have the browser support it - to add cross-site consistency to the element.
Once you know how the calendar on your OS/browser works, you know how the calendar on all the websites works. Also, adding accessibility for those with visual problems is a job to be performed once, by browser implementors, and can be completely ignored (at least for wrt calendars) by everyone who ever writes a website.
Learning keyboard shortcuts becomes worthwhile (or even just possible).
Overlaying the events from your personal calendar, say when hovering over a date, would make it possible to easily pick dates that coincide with (or avoid) the holidays associated with your particular culture - which your OS knows about, but J. Random Website doesn't - without leaving your browser. (Not all cultural holidays are as easily predictable 8 months in advance as Dec 25! Think of those based on lunar calendars, e.g. Easter)
Heck, I find it annoying when websites want to use custom drop-down lists or buttons. The drop-downs and buttons that my OS provides are beautiful, thanks very much, and easily recognisable to boot. I know just by looking at the page where the controls are and how they're going to act. If I want them to look and act differently, I can change that in one place, in my OS settings, and the controls all change in a totally consistent manner for every website ever written, except those that try to be clever and break my setup instead.
I can't believe I've heard some people complain that they thought that the standard controls are "too ugly". Well, get a prettier browser/theme/OS then!
I upvoted and tend to agree with you but I wonder if 90% of uses couldn't be addressed through a relatively small (hah!) amount of CSS customizability of the element.
It's nice when a touch device can display an appropriate calendar selector. Even if the selector is barebones, it's nice to not have something you know will work, rather than to wonder through a gallery of the latest calendar widgets and then get disappointed that it's written for an incompatible framework.
It's like asking "why are all these blank sheets of paper so similar?" Browsers are getting more minimal because browser chrome just gets in the way of the content.
Anyway they're not that similar. Firefox has a search bar, refresh button on the right, and no greyed-out "forward" button. Opera has the speed dial buttons. And Chrome would be the most "minimal" if it weren't for the extension icons over on the right.
It's irritating. I keep Chrome and Firefox both installed so I can test sites on them and it's not until I go to use an addon or Firebug that I realize I somehow ended up using Chrome as my browser for the day rather than my usual favorite Firefox.
Perhaps it's what is commonly understood as "what users want" on a windowed desktop OS... perhaps we need to look to new UI inputs/frameworks (mobile, voice) to break out of the current mold?
Firefox is getting more awesome with each update, but admittedly I'm kind of liking Chrome's implement first, standardize later approach to new features, which is why you can get a directoryReader in Chrome and drag and drop support for uploading entire directories. I wish Firefox had that, but it's not a standard so they're not implementing it.
Both Chrome and Firefox have the same approach of implementing first, standardizing later. For example, Firefox has had large swaths of ES6 implemented since 2006 or so.
Rather, it's not so much that they refuse to implement features until they're standardized, it's that each browser maker refuses to implement the features dreamed up by the other browser makers until they're standardized.
> Both Chrome and Firefox have the same approach of implementing first, standardizing later
>Rather, it's not so much that they refuse to implement features until they're standardized, it's that each browser maker refuses to implement the features dreamed up by the other browser makers until they're standardized.
Personally I prefer the "wait 'til standardized" approach better. Web standards have been dragged through the mud enough thanks to IE and its disregard for standards. We don't need Chrome running wild doing the same.
IE caused problems by not implementing standards (or not doing it correctly) On the contrary, Chrome is causing problems with implementing pretty much everything the devs come up in their offices or only partly implementing standards.
I prefer Chrome/Firefox's way of implementing proof of concepts before standardization; it's more pragmatic, less ivory-towery. It's the difference between agile development (what people used to call XP) and waterfall.
Rather than being developed in a closed room by a committee, features emerge in a sort of darwinian sense, in that usable features survive (they're played with, commented on, blogged about, critiqued), and bad ones tend to end up being ignored. And it works because good developers won't touch features that would break a site's cross-browser compatibility, but might sneak in stuff that can gracefully fall back. Thus the whole world becomes an "agile" test bed for a potential standard until everything slowly coalesces into a stable status quo.
Based on the notes in #812695[1] the longstanding text-corruption bug that's appeared in past releases should be fixed thanks to a change in how the layout's handled.
I love Firefox, but since I upgraded from 28 to 29, it has been crashing for me on Win 7 on a daily basis. Looking in about:crashes I have close to 30 crashes reported. The moment I upgraded to 30, it crashed. sigh
Same problem here, daily crashes. This started with Firefox 28 and I still have this problem with Firefox 30. I have no idea why, but some pages crash more often than others.
This happened on both OSX and Ubuntu(my laptop and workstation) at the same time when Firefox 28 was introduced.
You're not alone. I went years and years having Firefox never crash without an obvious reason (like a problematic page or plugin), but recently I've been having it crash once a day or so even with all plugins/addons disabled.
> The two major advantages of this model are security and performance. Security would improve because the content processes could be sandboxed (although sandboxing the content processes is a separate project from Electrolysis).
Still no keyring/OS password storage support? I'm all for storing all passwords in the password manager (including those with autocomplete="off") but anything that can read signons.sqlite has access to all passwords in cleartext (no average user uses the master password)
There seems to be a bug on the dev-tools in the Network tabs, I cannot see the labels that are normally at the bottom ("All | HTML | CSS ... "). It seems that the container that's wrapping them doesn't have enough height to show the text. This is on OS X 10.9.3. Anyone else having this issue?
Awesome! We can always use more people using the Nightly or Beta channels. Just be aware that you are not getting production quality code.
In general Nightly has been very stable for me, but sometimes things sneak in that are annoying or simply broken. If you can live with that, then welcome to Nightly! :-)
The only time I ever have problems with nightly is the first release of a new version. I wish I could set a config entry to wait for the second release of a new version.
I run Arch on most of my machines. It seems kind of contradictory to say this, but I like my official repo updated in system upgrades standard firefox, whereas all the other channels are in either third party repos or the AUR.
It's available as an option at build time (build switch). But it's not used in the official Mozilla builds which are still built against gstreamer 0.10.
While it's quite off topic, what's with FF version numbers? I mean just a few years back it was FF 3, 4, 5, and while I am not using it daily, I don't think it's a major change every time.
As scott_karana mentioned, Firefox has been doing "rapid release" since 2011. https://wiki.mozilla.org/RapidRelease There are 3 channels: Aurora (alpha), Beta, and Release. Every 6 weeks, stable features are pushed into the next channel. So there is a new release every 6 weeks, and if you want to live in the future, you can use the Beta or Aurora channel. https://www.mozilla.org/en-US/firefox/channel/
Edit: do you really want your grandkids to be stuck with version 5? :)
Mozilla adopted a rapid release cycle, similar to what Google does with Chrome. Everyone is always automatically updated and version numbers are less significant.
Very nice, but those designer tabs from FF29 still make my eyes bleed every time I see them, so I'm stuck on FF28. I wonder how many people are in the same situation :-|
Only someone who is completely unconcerned with the security of their computer since 29.0 and later fix critical bugs allowing for remote code execution. Seriously, I'd recommend doing one of the following:
1. Upgrade and use one of the theme and extension combinations to get a look you want.
2. Upgrade and just get used to the new look since it's similar to Chrome and others.
3. Downgrade to Firefox ESR 24.5.0 which IS fully secure.
If security is such a hot button worry wart issue, then it shouldn't be permissible for Mozilla developers to bind minor UI tweaks to security fixes. Firefox user interface changes should not be tightly coupled with essential security updates, since they introduce the hazard of many users refusing to comply with good security practices, simply because some asshole design wonk decided to enforce their tastes upon millions of users and disrupt existing, productive, habitual user interface behavior.
And by the way, it's absolutely possible to securely run an instance of Firefox 28 in a read-only, sandboxed, firewalled VM, restricted to connecting to specific trusted hosts.
Permitting a third party to control and modify your behavior by enforcing automatic updates in a manner that does not match your schedule can be an insidious security hazard unto itself. Organizations like Mozilla, Google, Apple and Microsoft have no interest in and no concept of what might be hugely disruptive to their end users, nor do they necessarily have any concept of a given environment's actual security posture. They simply cry "security" and then rampage all over everyone's shit with righteous entitlement.
Nope. I define my security practices (including whether I run a javascript-enabled browser at all), and I define my update schedule.
You should probably build your OS and all your software from scratch, cause it seems you have a problem with using software that doesn't meet your arbitrary guidelines.
Unfortunately, Pale Moon is significantly slower than Firefox due to it being based on the outdated ESR branch. See: http://portableapps.com/node/39509
Pale Moon, 24.5, Linux 32 bit, running on Debian squeeze 32 bit, on my system, is dramatically faster than Firefox 29.0.1.
Or rather, the latter is dramatically slower than 28.0, just about unusably slow. And this is true with a very minimum installation and usage, Session Manager and Track Package the only extensions, a version of Shockwave Flash auto installed the only plugin. As little as 3 windows with 7 tabs.
And it might just be my impression, but Pale Moon might have been faster than Firefox 28.0.
See my link. I performance tested Firefox, Pale Moon and CyberFox on the same hardware within Windows and posted the results. Maybe the current Debian build is a bit messed up. Debian does their own builds of Firefox through a special agreement with Mozilla (they aren't Mozilla builds).
Ah right. I'd confused it with Ubuntu. It's still odd, though. I wonder if other Debian users are seeing similar issues.
Out of curiosity, I ran the tests again on FF30 on Windows and Sunspider is about the same as FF28 was while PeaceKeeper and Dromaeo increased a couple percent.
Who cares if javascript execution is slower? You can speed that bit up by not allowing it to run in the first place. I would accept any speed of browser to avoid Australis.
It should remain a 'bug'. That's an invalid URL in the IMG tag and should be treated as such. The problem is some browsers 'helpfully' fix it and designers don't know they're writing invalid HTML.
Browsers like Internet Explorer 'fix' it so designers never know. Browsers like Firefox show it as properly broken so designers fix their mistakes. That's why it's always important to test your site in a proper browser.
Is it though? I know standards are important, but what does it really cost a browser maker to be able to resolve paths with backslashes? Similarly, is it really that big of a deal to support background-position-x and y? The prime example of something should have been a spec from the beginning.
There's an invalid URI within the IMG starting with http:\\ instead of http://. A mistake a beginner designer who's used to Windows directories would make. Some browsers like IE helpfully 'fix' this mistake and accept it so the beginner designers have no idea they're writing broken code. Other browsers like Firefox interpret it as written and show it as broken.
Yup! Release early, release often. Linux (kernel), Gnome, Ubuntu, Firefox, and Chrome (and lots more) are all on scheduled updates.
Edit: The advantage to rapid releases is that you can roll out minor updates when they're ready without having to wait for big ones, and you don't have to rush big ones for a deadline. If you miss one release, it's no a big deal because there's another one coming right up. Release when it's ready!
Yes, it is meaningless, and they intentionally hide the version number now - the download page doesn't even show it. But what could a major version number mean? GNU Emacs was on version 1.x for so long they dropped the leading "1." and promoted the minor version number to the major version. Ubuntu just numbers their releases after the date, e.g. 12.04 came out in April 2012.
Quote from Wikipedia that expresses my viewpoint on the subject:
> In principle [...] the major number is increased when there are significant jumps in functionality such as changing the framework which could cause incompatibility with interfacing systems, the minor number is incremented when only minor features or significant fixes have been added, and the revision number is incremented when minor bugs are fixed.
agree, these should be point releases I'd wager. However, they have to "keep up with the Joneses" (chrome, in this case) which has high numbered versions, I'm guessing...
The fact that you don't know what version you're on is intentional on both sides. Both Google and Mozilla realized that the version is meaningless and hid it.
Love this change. There's some good conversations in Bugzilla about it. [0]
[0]: https://bugzilla.mozilla.org/show_bug.cgi?id=956906