<div dir="ltr"><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt" id="gmail-docs-internal-guid-957faccf-7fff-48e2-3b17-40ac732e8e3a"><span style="font-size:16pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Firefox Security & Privacy Newsletter 2020-Q1</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Here comes our second edition of the Firefox Security & Privacy Newsletter.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The shareable link for this newsletter and the back issues is at </span><a href="https://wiki.mozilla.org/Firefox_Security_Newsletter" style="text-decoration:none"><span style="font-size:11pt;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">https://wiki.mozilla.org/Firefox_Security_Newsletter</span></a><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. 
This link also promises readable and stable markup across transports ;-)<br></span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. </span><a href="https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#keeping-private-information-private" style="text-decoration:none"><span style="font-size:11pt;font-family:Arial;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">We de-restrict fixed security bugs after a grace-period</span></a><span style="font-size:11pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, until the majority of our user population have received their updates. 
If a link does not work for you, please accept this as a precaution for the safety of all of our users.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Privacy</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(153,153,153);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Preventing tracking and online surveillance</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The Anti-Tracking team shipped </span><a href="https://blog.mozilla.org/firefox/how-to-block-fingerprinting-with-firefox/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">fingerprinting protections</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> as part of the Firefox 72 release. 
This follows a long period of </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1527013" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">evaluating and fixing website breakage</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, so it’s a big milestone for the team.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Erica landed our initial implementation of </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1599262" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">purging tracking cookies</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> in Nightly. 
This will enable Enhanced Tracking Protection (ETP) to better protect against so-called bounce trackers, which track users through first-party redirections (bouncing a navigation through the tracker’s own site on the way to the destination).</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The first pieces of </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1549587" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">dynamic first-party isolation</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> (DFPI) landed in Nightly. DFPI is an experimental approach to isolating all third-party cookies and storage, similar to FPI (which is enabled by default in the Tor Browser and is also supported by Firefox). 
The most important difference between DFPI and FPI is that DFPI honors exceptions granted through the Storage Access API and thus ensures better web compatibility.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Se-Yeon </span><a href="https://github.com/mozilla-services/shavar-prod-lists#list-versioning-and-release-process" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">implemented versioning</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> for our Shavar blocklists, which power Enhanced Tracking Protection (ETP) as well as the fingerprinting and cryptomining protections.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Core Security</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(153,153,153);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Securing/hardening the Firefox Platform</span></p><br><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Freddy started enumerating flags and prefs that, if flipped, would dramatically reduce Firefox security. We’re collecting and removing them one by one in </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1602485" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">bug 1602485</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, to kill exploit chains that need only a single-byte overwrite of such a flag. The first patches have already landed; kudos to volunteer Masatoshi Kimura [:emk] for his excellent work!</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">This January, security researchers from Qihoo 360 ATA identified an active attack against Firefox users. 
With their test case and great help from the JavaScript team, we were able to ship a </span><a href="https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">security release as Firefox 72.0.1</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> the next day. Kudos to our engineers, release managers and security staff for jumping on this issue so quickly!</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">We’ve also made some progress against patch gapping. Attackers frequently watch the commit logs of popular open source software to find vulnerabilities that have been fixed but not yet shipped to end users. 
Minimizing this gap has long been part of our </span><a href="https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">practices for fixing security bugs in Firefox</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. To avoid leaking data and metadata about security vulnerabilities, </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1420510" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Tom has implemented a hook for hg.mozilla.org</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> that disallows pushing patches for security bugs to Continuous Integration. 
Furthermore, Bugzilla now hides security bugs in dependency and regression fields from users who do not have access to them (</span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1591549" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">bug 1591549</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">), with more to come.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The Firefox site isolation project “Fission” is almost ready for testing in Firefox Nightly. 
There are some </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1584157" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">known issues with mixed content blocking</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, but you can </span><a href="https://wiki.mozilla.org/Project_Fission#Enabling_Fission" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">enable fission</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> by setting the prefs “fission.autostart” and “gfx.webrender.all” to true.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Bugs worth highlighting:</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">We </span><a 
href="https://bugzilla.mozilla.org/show_bug.cgi?id=1602474" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">removed a very, very old testing API called </span><span style="font-size:11pt;font-family:"Courier New";color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">enablePrivilege</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, that gave normal web pages extra privileges beyond Web APIs. The API was used in exploit chains and made attacks easier than they should have been.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Firefox is </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1605308" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">no longer going to use ShellExecuteByExplorer</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> when launching executable files in 
the download folder; this helps protect against attackers who place malicious DLLs in the same folder.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Folks from the JS team have </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1607494" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">disabled JIT optimizations for JavaScript in Proxy Auto Configuration (PAC)</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> files, because PAC scripts currently run in the parent process.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Fuzzing</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(153,153,153);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Automated security testing, analysis and more</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open 
Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Christian Holler deployed </span><a href="https://clang.llvm.org/docs/ThreadSanitizer.html" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">ThreadSanitizer</span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap"> (TSan)</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> in our</span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1590162" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap"> CI with Mochitests and XPCShell Tests enabled</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. This will prevent new data races from being added to the code base. Existing races are handled by an extensive suppression list and will be gradually fixed. 
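</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Here is an added illustration of what TSan catches (example code, not from this newsletter or the Firefox tree): a counter incremented from several threads without synchronisation, beside the atomic version that TSan accepts. The build line and the race:FunctionName suppression entry are the standard clang/TSan ones; the thread and iteration counts are arbitrary.</span></p>

```cpp
// Added example, not Firefox code: the kind of data race ThreadSanitizer
// reports, next to its fix. Thread and iteration counts are arbitrary.
//
// Build and run the racy path under TSan:
//   clang++ -std=c++17 -g -O1 -fsanitize=thread race.cpp -o race && ./race
// TSan prints "WARNING: ThreadSanitizer: data race" with the two conflicting
// stacks. To park a known race until it is fixed, list it in a suppression
// file (one "race:FunctionName" line, e.g. "race:racy_count") and run with
//   TSAN_OPTIONS=suppressions=tsan.supp ./race
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <thread>
#include <vector>

constexpr int kThreads = 4;
constexpr int kIterations = 100000;

// Racy: a plain read-modify-write on a shared counter from several threads.
// "counter++" is a load, an add and a store; two threads can interleave
// them and lose an increment. This is undefined behaviour in C++ and the
// result usually ends up below kThreads * kIterations. TSan flags the first
// pair of conflicting unsynchronised accesses it observes.
uint64_t racy_count() {
  uint64_t counter = 0;  // shared, no synchronisation
  std::vector<std::thread> workers;
  for (int t = 0; t < kThreads; ++t) {
    workers.emplace_back([&counter] {
      for (int i = 0; i < kIterations; ++i) {
        counter++;  // TSan: "Write of size 8 ... Previous write of size 8"
      }
    });
  }
  for (auto& w : workers) w.join();
  return counter;
}

// Fixed: the counter is std::atomic, so each increment is one indivisible
// read-modify-write. Relaxed ordering suffices because the only read of the
// final value happens after join(), which already synchronises with the
// worker threads. TSan stays silent on this version.
uint64_t atomic_count() {
  std::atomic<uint64_t> counter{0};
  std::vector<std::thread> workers;
  for (int t = 0; t < kThreads; ++t) {
    workers.emplace_back([&counter] {
      for (int i = 0; i < kIterations; ++i) {
        counter.fetch_add(1, std::memory_order_relaxed);
      }
    });
  }
  for (auto& w : workers) w.join();
  return counter.load();
}

int main() {
  const uint64_t expected = static_cast<uint64_t>(kThreads) * kIterations;
  std::printf("expected %llu, racy %llu, atomic %llu\n",
              static_cast<unsigned long long>(expected),
              static_cast<unsigned long long>(racy_count()),
              static_cast<unsigned long long>(atomic_count()));
  return 0;
}
```

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">On a typical run the racy count comes out below the expected value while the atomic one matches it exactly. The suppression file is the mechanism behind the extensive suppression list mentioned above; it is good practice to tie every entry to a filed bug so that suppressed races get fixed rather than forgotten.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">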
TSan has already found several security-related issues and correctness problems that are otherwise hard to diagnose.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">For another sanitizer, </span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">UndefinedBehaviorSanitizer </span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">(UBSan), </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1404547" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Tyson Smith has enabled the ‘enum’ check in CI</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> to detect, for example, 
loads of values that are out of range for an enum type.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The JavaScript engine is receiving more and more parser upgrades as new syntax is being added (e.g. </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1566141" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">nullish coalescing</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">). 
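</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Fuzzing is the natural way to exercise a parser on syntax it has just learned. The following is an added illustration (example code, not Mozilla’s JS parser target) of what a libFuzzer entry point for a recursive-descent parser looks like: a toy grammar of nested integer lists stands in for the JS parser, kMaxDepth is an assumed recursion limit, and the seed inputs are constructed.</span></p>

```cpp
// Added example, not Mozilla's JS parser target: a libFuzzer entry point for
// a small recursive-descent parser. The grammar (nested lists of integers,
// e.g. "[1,[2,3],[]]") stands in for the real parser; kMaxDepth is an
// assumed recursion limit and the seed inputs below are constructed.
//
// Build with the fuzzer and ASan, then run against a corpus directory:
//   clang++ -std=c++17 -g -O1 -fsanitize=fuzzer,address parser_fuzz.cpp \
//       -o parser_fuzz && ./parser_fuzz corpus/
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

constexpr int kMaxDepth = 64;  // assumed limit; without one, "[[[[..." recurses until the stack is gone

struct ParseResult {
  bool ok = false;
  int max_depth = 0;    // deepest list nesting seen
  int numbers = 0;      // integer literals consumed
  size_t error_at = 0;  // byte offset of the first error when !ok
};

class Parser {
 public:
  Parser(const char* data, size_t size) : s_(data), n_(size) {}

  ParseResult run() {
    ParseResult r;
    if (!parse_list(1)) { r.error_at = pos_; return r; }
    skip_ws();
    if (pos_ != n_) { r.error_at = pos_; return r; }  // trailing bytes are an error
    r.ok = true; r.max_depth = max_depth_; r.numbers = numbers_;
    return r;
  }

 private:
  // Every access to the input is bounds-checked: the fuzzer will hand us
  // input truncated at every possible offset.
  bool at(char c) const { return pos_ < n_ && s_[pos_] == c; }
  bool consume(char c) { if (at(c)) { ++pos_; return true; } return false; }
  void skip_ws() { while (at(' ') || at('\t') || at('\n')) ++pos_; }

  bool parse_list(int depth) {
    if (depth > kMaxDepth) return false;  // bounds the recursion
    if (depth > max_depth_) max_depth_ = depth;
    skip_ws();
    if (!consume('[')) return false;
    skip_ws();
    if (consume(']')) return true;
    for (;;) {
      skip_ws();
      if (!parse_value(depth)) return false;
      skip_ws();
      if (consume(',')) continue;
      return consume(']');
    }
  }

  bool parse_value(int depth) { return at('[') ? parse_list(depth + 1) : parse_number(); }

  bool parse_number() {
    const size_t start = pos_;
    consume('-');
    size_t digits = 0;
    while (pos_ < n_ && std::isdigit(static_cast<unsigned char>(s_[pos_]))) { ++pos_; ++digits; }
    if (digits == 0 || digits > 18) { pos_ = start; return false; }  // 18 digits always fits int64_t
    ++numbers_;
    return true;
  }

  const char* s_;
  size_t n_;
  size_t pos_ = 0;
  int max_depth_ = 0;
  int numbers_ = 0;
};

ParseResult parse(const std::string& input) { return Parser(input.data(), input.size()).run(); }

// libFuzzer calls this once per generated input. The bytes are not
// NUL-terminated, so the parser is given (data, size) rather than a C string.
// A crash, sanitizer report or timeout inside this function is what the
// fuzzer records as a finding; the explicit checks turn violated invariants
// into crashes as well, so logic bugs surface and not only memory bugs.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  ParseResult r = Parser(reinterpret_cast<const char*>(data), size).run();
  if (r.ok && r.max_depth > kMaxDepth) std::abort();  // the depth limit must hold
  if (!r.ok && r.error_at > size) std::abort();       // error offsets must stay in range
  return 0;
}

// Constructed seed corpus (what you would drop into corpus/ to start a run).
// Returns how many seeds the parser accepts, so the harness can be exercised
// without libFuzzer present.
int run_seed_corpus() {
  static const char* const kSeeds[] = {"[]", "[1,[2,3],[]]", "[-5, 7 ]", "[1,", "[[[[", ""};
  int accepted = 0;
  for (const char* s : kSeeds) {
    std::string v(s);
    LLVMFuzzerTestOneInput(reinterpret_cast<const uint8_t*>(v.data()), v.size());
    if (parse(v).ok) ++accepted;
  }
  return accepted;  // 3 of the 6 seeds are well-formed
}

int main() {
  std::printf("%d of 6 seeds accepted\n", run_seed_corpus());
  return 0;
}
```

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The harness takes bytes of arbitrary length, never assumes a terminator, bounds every index, and aborts on a violated invariant so the fuzzer records it. Removing the depth check is a quick way to see a finding: deeply nested input then recurses without bound and ASan reports a stack overflow once the fuzzer grows the input far enough (raise -max_len if the default cap stops it).</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">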
In order to test these changes more thoroughly, Christian has written an experimental libFuzzer target for the JS parser, which has already found what looks like </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1596706" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">the smallest security bug</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> on file so far.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The fuzzing team has also started to centralize </span><a href="https://firefox-source-docs.mozilla.org/tools/fuzzing/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">fuzzing documentation</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, stay tuned for more coming soon!</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:"Open 
Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Security Ecosystem</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(153,153,153);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Security policy development and communicating security-related information to interested parties (not end-users).</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Tom has updated our </span><a href="https://wiki.mozilla.org/Security_Severity_Ratings" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Security Severity Ratings</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> page. 
Most notably, </span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">critical</span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> is reserved for bugs that pose immediate danger to our users. There is no longer a technical difference between critical and high bugs, and we’ll use </span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:italic;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">critical</span><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> to emphasize risk for our users.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">We have also separated ratings with clearer examples for our </span><a href="https://wiki.mozilla.org/Security_Severity_Ratings/Web" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Web</span></a><span style="font-size:11pt;font-family:"Open 
Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> and </span><a href="https://wiki.mozilla.org/Security_Severity_Ratings/Client" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Client</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> products.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Freddy and Tom have launched the new </span><a href="https://blog.mozilla.org/attack-and-defense/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Attack and Defense Blog</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, an outlet for the technical details of our work, aimed at bug bounty hunters, security researchers, engineers and technologists of all stripes.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Mozilla joined the newly formed </span><a href="https://privacycg.github.io/" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Privacy Community Group of the W3C</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> (Privacy CG), along with other major browser vendors and industry representatives. In the CG we are discussing the standardization and advancement of technologies that ensure privacy on the web.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Kathleen has been working hard to help Apple actively make use of the </span><a href="https://www.ccadb.org/" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Common CA Database (CCADB)</span></a><span style="font-size:11pt;font-family:&quot;Open
Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. The CCADB is a repository of information about Certificate Authorities (CAs), and their root and intermediate certificates. It is used by a number of root store operators - not only is this a resource that Mozilla can be proud of but it's also very important for the security of the Web PKI. </span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Our Mozilla CA program has a new lead! We’re saying good-bye to Wayne Thayer and are welcoming Ben Wilson to our group!</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Firefox Security</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(153,153,153);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Features, products and services to help users be more secure on the web</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open 
Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">DNS-Over-HTTPS</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> was </span><a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">rolled out to all Firefox users in the US</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, with the initial set of trusted resolvers being Cloudflare and NextDNS. This is an incredible milestone for the private and encrypted web and credit to the tireless work of the team behind DoH in Firefox. 
In addition to this, the team also rolled out a </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1613790" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">DoH performance study</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> to test the real-world latency of different resolvers.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The folks working on Lockwise, the Firefox password manager, shipped an incredible number of fixes and improvements in Q1, to name a few:</span></p><ul style="margin-top:0px;margin-bottom:0px"><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Bianca added support for </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1595244" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open
Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">detecting password input fields</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> using </span><a href="https://github.com/mozilla/fathom" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Fathom</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, a machine learning framework for meaningfully recognizing DOM elements on a page.</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Matthew made us </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1608513" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open 
Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">support importing passwords</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> and other profile data from the new Microsoft Edge.</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Jared enabled an </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1194529" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">additional prompt for OS account credentials</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> before revealing passwords on about:logins. 
While this doesn’t change the general security considerations of storing passwords without a master password, it does provide an obstacle for local snoopers who don’t have the time or ability to craft a more targeted local attack.</span></p></li><li dir="ltr" style="list-style-type:disc;font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">On mobile, we did a number of releases for the Android and iOS Apps for Lockwise, as well as better integration with the new upcoming Firefox Preview for Android.</span></p></li></ul><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The Crypto Engineering team shipped </span><a href="https://groups.google.com/d/msg/mozilla.dev.platform/BHWxTOsmNeU/RVog7fSrAAAJ" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Intermediate Preloading</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, which mitigates some of the most common 
certificate errors by loading known intermediate CAs ahead of time.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">J.C. Jones wrote a series of blog posts </span><a href="https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">introducing CRLite</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, another exciting innovation from our Crypto Engineering team. CRLite provides a more efficient and private way to perform certificate revocation checks. 
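</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">As an added illustration of the mechanism (this is example code, not Mozilla's CRLite implementation): CRLite compresses the complete revocation set into a cascade of Bloom filters that the browser consults locally, so a revocation check costs no network round-trip and reveals nothing about which site is being visited. The script below builds such a cascade over constructed identifiers and looks them up. The set sizes, the filter parameters, the non-cryptographic hash and the hypothetical rev-…/ok-… identifiers are assumptions chosen for illustration.</span></p>

```javascript
// Added example (not Mozilla's CRLite code): a toy Bloom-filter cascade of
// the kind CRLite is built on. Both input sets are assumed to be complete;
// the real system gets that completeness by enumerating every unexpired
// certificate from Certificate Transparency logs and keys entries by issuer
// and serial number. Identifiers and parameters here are constructed.

// 32-bit FNV-1a with a final avalanche step: deterministic and good enough
// for a Bloom filter (not a cryptographic hash; an assumption of this demo).
function hash32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  h ^= h >>> 16;
  return h >>> 0;
}

class BloomFilter {
  constructor(bitCount, hashCount, level) {
    this.m = bitCount;
    this.k = hashCount;
    this.level = level;                      // salts the hash so levels are independent
    this.bits = new Uint8Array(Math.ceil(bitCount / 8));
  }
  position(key, i) { return hash32(`${this.level}:${i}:${key}`) % this.m; }
  add(key) {
    for (let i = 0; i < this.k; i++) { const p = this.position(key, i); this.bits[p >> 3] |= 1 << (p & 7); }
  }
  mayContain(key) {                          // false positives possible, false negatives not
    for (let i = 0; i < this.k; i++) { const p = this.position(key, i); if (!(this.bits[p >> 3] & (1 << (p & 7)))) return false; }
    return true;
  }
}

// Level 0 holds the revoked set. The false positives it produces on the valid
// set are recorded in level 1; level 1's false positives on the revoked set
// go into level 2; and so on until a level produces no false positives.
function buildCascade(revoked, valid) {
  const levels = [];
  let include = revoked;
  let exclude = valid;
  for (let level = 0; include.length > 0; level++) {
    const filter = new BloomFilter(Math.max(64, include.length * 10), 3, level); // ~10 bits/entry
    include.forEach((key) => filter.add(key));
    levels.push(filter);
    const falsePositives = exclude.filter((key) => filter.mayContain(key));
    exclude = include;
    include = falsePositives;
  }
  return levels;
}

// Walk the levels until one reports "absent". Even levels hold revoked
// entries and odd levels hold valid ones, so the parity of the first level
// that lacks the key decides; a key present in every level belongs to the
// last level's set. Only meaningful for keys in the enumerated universe.
function isRevoked(levels, key) {
  for (let i = 0; i < levels.length; i++) {
    if (!levels[i].mayContain(key)) return i % 2 === 1;
  }
  return levels.length % 2 === 1;
}

// Constructed sample data (not real certificate serials).
const REVOKED = Array.from({ length: 20 }, (_, i) => `rev-${i.toString(16).padStart(4, "0")}`);
const VALID = Array.from({ length: 500 }, (_, i) => `ok-${i.toString(16).padStart(4, "0")}`);
const CASCADE = buildCascade(REVOKED, VALID);

// Every entry of the training sets is classified correctly, by construction.
function cascadeIsExact() {
  return REVOKED.every((k) => isRevoked(CASCADE, k)) && VALID.every((k) => !isRevoked(CASCADE, k));
}
function cascadeBytes() { return CASCADE.reduce((n, f) => n + f.bits.length, 0); }

console.log(`${CASCADE.length} levels, ${cascadeBytes()} bytes for ${REVOKED.length + VALID.length} certificates`);
console.log("rev-0003 revoked?", isRevoked(CASCADE, "rev-0003"), " ok-002a revoked?", isRevoked(CASCADE, "ok-002a"));
```

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Run it with Node. The cascade answers every lookup for the 520 constructed certificates correctly in a few dozen bytes, where a plain list of the identifiers would take several kilobytes; that size ratio, and the fact that no query ever leaves the machine, is the point of the design. The cost is the completeness assumption: a certificate outside the enumerated universe gets an arbitrary answer, which is why CRLite depends on Certificate Transparency.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">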
It is currently being tested in Nightly.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The Firefox 72 release shipped our </span><a href="https://blog.mozilla.org/firefox/block-notification-requests/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">restrictions against notification permission spam</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. 
You can read more about our </span><a href="https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">initial experiments</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, the </span><a href="https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">restrictions in detail</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> and </span><a href="https://hacks.mozilla.org/2019/11/upcoming-notification-permission-changes-in-firefox-72/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">what this means for web developers</span></a><span style="font-size:11pt;font-family:"Open 
Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The </span><a href="https://monitor.firefox.com/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Firefox Monitor</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> team added a new feature to their service: </span><a href="https://blog.mozilla.org/firefox/resolve-data-breaches/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Breach Resolutions</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, which allow you to mark the breaches that you’ve dealt with as resolved and get some peace of mind.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open 
Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Paul </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1357107" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">removed nsContentBlocker</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, an old mechanism for blocking literally any type of content that could be loaded through Firefox. The content blocker had to run a permission check before every network request, so it showed up in performance profiles, while Telemetry showed that it was virtually unused.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Outreachy intern Kendall completed her internship project, which adds </span><a href="https://blog.mozilla.org/security/2020/02/06/multi-account-containers-sync/" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open
Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Dana made Firefox </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1024871" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">stop offering to import CA certificates when browsed to</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. This functionality was kept around for a long time because of legacy reasons, but has always been a considerable security risk. We’re happy to see it gone! To import custom root certificates, you can still always use the certificate manager in about:preferences.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Dana also made it so that Firefox can use client certificates provided by the operating system on Windows and macOS, which will significantly benefit our enterprise users! 
</span><a href="https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Her blog post</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> explains our approach and also gives tips on how to achieve the same thing on Linux.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Julian landed the first version of our </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1613063" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">experimental HTTPS-Only Mode</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> in Nightly. 
It currently works mostly under the hood, preventing insecure connections from happening in Firefox, but additional improvements, such as UI integration, are in the works.</span></p><h2 dir="ltr" style="line-height:1.38;margin-top:18pt;margin-bottom:6pt"><span style="font-size:16pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Web Security</span></h2><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(153,153,153);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Making websites more secure</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><a href="https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">It's the Boot for TLS 1.0 and TLS 1.1</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">: We’re committed to improving security for all of our users by disabling support for TLS 1.0 and TLS 1.1. 
However, we have re-enabled TLS 1.0 and 1.1 in Firefox 74 and 75 Beta to better enable access to sites sharing critical and important information during this time.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Firefox 74 shipped </span><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Feature Policy</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">, which allows websites to prevent iframes from using advanced features (mostly those that are otherwise restricted by web permissions). As part of this we also shipped Permission Delegation, which enables sites to delegate their own permissions to embedded iframes through Feature Policy. 
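</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">To make the delegation rules concrete, here is an added example (not Gecko's implementation) that models how the embedder's Feature-Policy header, the iframe's allow attribute and the embedded document's own header combine to decide whether a feature is enabled in the frame. The origins, the subset of features and their default allowlists, and the treatment of a bare feature name in a header are assumptions chosen for illustration; the embedding document is assumed to be the top-level page.</span></p>

```javascript
// Added example (not Gecko code): a model of Feature Policy inheritance and
// Permission Delegation for an iframe. Three things are checked in order:
// the parent must have the feature itself, the allow attribute (or the
// feature's default allowlist) must grant it to the frame's origin, and the
// frame's own header may still opt out. Features, defaults and origins below
// are assumptions for illustration.

// Default allowlist per feature (an assumed subset; the spec gives each
// feature either 'self' or '*').
const DEFAULT_ALLOWLIST = {
  geolocation: ["'self'"],
  camera: ["'self'"],
  microphone: ["'self'"],
  fullscreen: ["'self'"],
};

// Parse "geolocation 'self' https://maps.example; camera 'none'" into a map
// from feature to allowlist. 'none' becomes the empty list. A feature with no
// allowlist gets `bareDefault`: 'src' for an allow attribute (per spec) and,
// as an assumption of this model, 'self' for a header.
function parsePolicy(text, bareDefault) {
  const policy = {};
  for (const directive of text.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    const name = feature.toLowerCase();
    if (allowlist.length === 0) policy[name] = [bareDefault];
    else if (allowlist.includes("'none'")) policy[name] = [];
    else policy[name] = allowlist;
  }
  return policy;
}

// 'self' is the embedding document's origin, 'src' the iframe's own origin,
// '*' matches any origin, anything else must match the origin exactly.
function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((token) =>
    token === "*" ||
    (token === "'self'" && origin === selfOrigin) ||
    (token === "'src'" && origin === srcOrigin) ||
    token === origin);
}

// A document may use a feature when its own declared policy says nothing
// about it or lists the document's own origin.
function enabledByOwnHeader(feature, header, origin) {
  const declared = parsePolicy(header, "'self'")[feature];
  return declared === undefined || allowlistMatches(declared, origin, origin, origin);
}

function featureEnabledInFrame({ feature, parentOrigin, parentHeader = "", allowAttr = "", childOrigin, childHeader = "" }) {
  // 1. Nothing can be delegated that the parent does not have itself.
  if (!enabledByOwnHeader(feature, parentHeader, parentOrigin)) return false;
  // 2. Container policy from the allow attribute, else the feature's default.
  const container = parsePolicy(allowAttr, "'src'")[feature];
  const allowlist = container !== undefined ? container : (DEFAULT_ALLOWLIST[feature] || ["'self'"]);
  if (!allowlistMatches(allowlist, childOrigin, parentOrigin, childOrigin)) return false;
  // 3. The embedded document can still switch the feature off for itself.
  return enabledByOwnHeader(feature, childHeader, childOrigin);
}

// Constructed scenarios (hypothetical origins, not real sites).
const APP = "https://app.example";
const MAPS = "https://maps.example";
const SCENARIOS = {
  delegated:         { feature: "geolocation", parentOrigin: APP, parentHeader: "geolocation 'self'", allowAttr: "geolocation", childOrigin: MAPS },
  notDelegated:      { feature: "geolocation", parentOrigin: APP, parentHeader: "geolocation 'self'", allowAttr: "", childOrigin: MAPS },
  parentHasNone:     { feature: "camera", parentOrigin: APP, parentHeader: "camera 'none'", allowAttr: "camera", childOrigin: MAPS },
  childOptsOut:      { feature: "geolocation", parentOrigin: APP, parentHeader: "geolocation 'self'", allowAttr: "geolocation", childOrigin: MAPS, childHeader: "geolocation 'none'" },
  wrongOrigin:       { feature: "geolocation", parentOrigin: APP, parentHeader: "geolocation 'self'", allowAttr: "geolocation https://other.example", childOrigin: MAPS },
  wildcard:          { feature: "fullscreen", parentOrigin: APP, allowAttr: "fullscreen *", childOrigin: "https://video.example" },
  sameOriginDefault: { feature: "microphone", parentOrigin: APP, childOrigin: APP },
};

function evaluateScenarios() {
  const out = {};
  for (const [name, s] of Object.entries(SCENARIOS)) out[name] = featureEnabledInFrame(s);
  return out;
}

console.log(evaluateScenarios());
```

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">The scenarios worth noticing are notDelegated and parentHasNone: a cross-origin iframe gets nothing unless the embedder lists the feature in allow, and an embedder that has disabled a feature with 'none' cannot delegate it at all. That is what makes a permissions UI comprehensible: the user only ever grants to the top-level site, and the site decides what it passes on.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">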
This was originally </span><a href="https://docs.google.com/document/d/1x5QejvpyQ71LPWhMLsaM1lWCfSsBsSQ8Dap9kJ6uLv0/edit#heading=h.jvj3q1vhn2yo" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">proposed and implemented by the Chrome team</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> and we agree that this approach makes it much easier to build a comprehensible permissions UI, so we’re happy to ship it in Gecko.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Kevin and Ben have been continuing our efforts to include </span><a href="https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">verified cryptographic primitives in NSS</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. This work ensures that our cryptographic libraries are free of common, and at times subtle, crypto bugs. 
Most recently, ChaCha20, Poly1305 and ChaCha20-Poly1305 for AVX2 have been </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1612493" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">integrated</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. Kevin has also updated our </span><a href="https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Delegated Credentials</span></a><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> implementation to match the most current Internet Engineering Task Force (IETF) </span><a href="https://tools.ietf.org/html/draft-ietf-tls-subcerts-07" style="text-decoration:none"><span style="font-size:11pt;font-family:"Open Sans",sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">draft</span></a><span style="font-size:11pt;font-family:"Open 
Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. Interoperability testing with Cloudflare has gone well and this feature is now enabled in Nightly. It will remain there until the Delegated Credentials draft is published as an RFC by the IETF.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Sebastian and Christoph fixed a bug in our implementation of the “X-Content-Type-Options: nosniff” header for page loads that do not provide a MIME type. Starting from </span><a href="https://blog.mozilla.org/security/2020/04/07/firefox-75-will-respect-nosniff-for-page-loads/" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Firefox 75, we will respect 'nosniff' for Page Loads</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">Chris landed our implementation of </span><a href="https://w3c.github.io/webappsec-fetch-metadata/" style="text-decoration:none"><span
style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Fetch Metadata Request Headers</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap"> in </span><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1508292" style="text-decoration:none"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(17,85,204);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">Bug 1508292</span></a><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">. Fetch Metadata is a W3C working draft: the browser attaches Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers to each request, giving websites additional context about where a request originated and how its response will be used, so that they can protect themselves against cross-site attacks.</span></p></div>
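<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">As an added example of what a site can do with those headers (example code, not part of Firefox or of the specification), the function below implements a server-side resource isolation policy and runs it over constructed requests: browsers that send no Sec-Fetch-* headers are let through, same-site and browser-initiated requests pass, cross-site top-level GET navigations pass, and every other cross-site request is rejected. The sample requests and their names are constructed for illustration.</span></p>

```javascript
// Added example (not Firefox code): a resource isolation check built on the
// Fetch Metadata request headers, applied to constructed sample requests.
// Header names are lower-cased, as most server frameworks present them.
function resourceIsolation(method, headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // Browsers without Fetch Metadata support send none of these headers.
  // Refusing them would break those users, so other defenses (CSRF tokens,
  // SameSite cookies) must still cover this case.
  if (site === undefined) return { allow: true, reason: "no Fetch Metadata headers" };

  // Same-origin, same-site and browser-initiated requests (address bar,
  // bookmark) are not cross-site attacks.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }

  // Cross-site from here on. An ordinary link click is a top-level GET
  // navigation and is expected; <object>/<embed> navigations are not.
  if (mode === "navigate" && method === "GET" && dest !== "object" && dest !== "embed") {
    return { allow: true, reason: "cross-site top-level GET navigation" };
  }

  // Everything else cross-site: CSRF-style POSTs, subresource loads that can
  // leak data through timing or errors, credentialed cross-site fetch().
  return { allow: false, reason: `cross-site ${mode || "?"} request, dest=${dest || "?"}` };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { name: "same-origin XHR",           method: "POST", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { name: "link click from elsewhere", method: "GET",  headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "CSRF form post",            method: "POST", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "cross-site <img> probe",    method: "GET",  headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } },
  { name: "cross-site <embed>",        method: "GET",  headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "embed" } },
  { name: "typed into address bar",    method: "GET",  headers: { "sec-fetch-site": "none", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "old browser, no headers",   method: "POST", headers: {} },
];

// Returns { name: allowed } for every sample request.
function evaluateSamples() {
  const out = {};
  for (const r of SAMPLE_REQUESTS) out[r.name] = resourceIsolation(r.method, r.headers).allow;
  return out;
}

for (const r of SAMPLE_REQUESTS) {
  const verdict = resourceIsolation(r.method, r.headers);
  console.log(`${verdict.allow ? "ALLOW" : "DENY "}  ${r.name.padEnd(28)} (${verdict.reason})`);
}
```

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:&quot;Open Sans&quot;,sans-serif;color:rgb(0,0,0);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap">A cross-site POST (the classic CSRF shape) and a cross-site image load (a common cross-site leak probe) are rejected before any application code runs, while a link click from another site still works. Because the check lets requests without the headers through, it complements rather than replaces CSRF tokens and SameSite cookies, and it is worth running in a log-only mode first to catch legitimate cross-site integrations.</span></p>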