-
2025.03.05.194b000b4 · ·
-
2025.02.28.1cf48119d · ·
2025.02.28.1

⚠️ **ALL DESKTOP USERS ARE RECOMMENDED TO UPDATE TO THIS RELEASE ASAP**. This release mitigates [CVE-2025-27091](https://www.cve.org/CVERecord?id=CVE-2025-27091) *(high severity)* from Firefox upstream, [which Mozilla has not yet fixed](https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2025-27091)...

____

* Disabled OpenH264 to mitigate [CVE-2025-27091](https://www.cve.org/CVERecord?id=CVE-2025-27091), and due to [other security concerns](https://codeberg.org/celenity/Phoenix/commit/12f161dce776b313e611851492e3f79f6f143f69)...
    - `media.ffmpeg.allow-openh264`, `media.gmp-gmpopenh264.enabled`, `media.gmp-gmpopenh264.provider.enabled`, & `media.gmp-gmpopenh264.visible` -> `false`
* Temporarily disabled [Download Spam Prevention](https://bugzilla.mozilla.org/show_bug.cgi?id=1731668) by default, as it's unfortunately still too buggy/experimental...
    - `browser.download.enable_spam_prevention` -> `false`
* **DESKTOP**: Fixed a bug that prevented uBlock Origin's `assets.json` from updating after first set-up
    - **Note that you MUST reset uBlock Origin by navigating to Settings -> Reset to default settings... to receive the updated configuration**. You can back up your current settings using the **`Back up to file...`** option, and restore your settings after the reset is complete with the **`Restore from file...`** option. Apologies for any inconvenience, the fix here should help ensure this isn't a problem in the future...
* **DESKTOP**: Disabled the ability for uBlock Origin's built-in filterlists to [use filters requiring trust](https://github.com/gorhill/uBlock/wiki/Dashboard:-My-filters#allow-custom-filters-requiring-trust), due to security concerns.
* **DESKTOP**: Added new filterlists to uBlock Origin that allow the user to block **SVG**, **WebGL**, **WebGPU**, and **WebRTC** per-site. Users are **highly** recommended to use these filters *(with the exception of **WebGPU** - very few websites use it so we fully disable it via `dom.webgpu.enabled`, though this filter may prove useful for the future if WebGPU does become adopted...)*, and see if it suits them - due to the significant privacy & security advantages. **`Block SVG`** is located under **`Malware protection, security`**, while **`Block WebGL`** and **`Block WebRTC`** are located under **`Multipurpose`**. This is **especially** important for Phoenix **Extended** users, as it's likely we'll stop completely disabling WebGL *(`webgl.disabled`)* in the future, due to this list.
    - **Please report any breakage caused by these lists [here](https://codeberg.org/celenity/BadBlock/issues).**
* Hardened extension CSP policies to disable WebAssembly *(without breaking Firefox Translations... ;))* & upgrade insecure network requests
    - https://codeberg.org/celenity/Phoenix/commit/58eca0f015c2beacc216182085ddcc37e0348064
* Enabled [Add-on Distribution Control](https://groups.google.com/g/firefox-dev/c/U7GpHE4R-ZY) *(Install Origins)* by default
    - `extensions.install_origins.enabled` -> `true`
* Enabled the [Sanitizer API](https://github.com/WICG/sanitizer-api) by default
    - `dom.security.sanitizer.enabled` -> `true`
* Set Firefox to sync with [Remote Settings](https://remote-settings.readthedocs.io/) hourly, rather than once a day by default, as Remote Settings is used for various security-critical functionality *(Ex. CRLite/revocation checks, malicious add-on blocklists, etc)*, so we want to make sure users are up to date ASAP
    - `services.settings.poll_interval` -> `3600`
* **DESKTOP**: The Firefox logo is now hidden on `about:home` by default
    - `browser.newtabpage.activity-stream.logowordmark.alwaysVisible` -> `false`
* **SPECIALIZED CONFIGS**: Stopped automatically loading websites on browser launch - as uBlock Origin is unfortunately unable to filter on the profile's first launch
* **SPECIALIZED CONFIGS**: The search bar is now hidden from `about:home` by default
    - `browser.newtabpage.activity-stream.showSearch` -> `false`
* Other minor tweaks, fixes, & enhancements

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2024.02.21.1...2025.02.28.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2024.02.21.1...2025.02.28.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2024.02.21.1...2025.02.28.1) for more details.

___

:)
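To confirm that the preference changes listed for 2025.02.28.1 are actually in effect in a given set of Firefox preference files, the check below parses `pref`/`user_pref`/`defaultPref`/`lockPref` calls and compares the result with the values from these notes. It is an added example, not part of Phoenix: the function names and the sample file are constructed, and the precedence model (last write wins, except that a `lockPref` cannot be overridden) is a simplifying assumption.

```python
import re

# Expected values, copied from the 2025.02.28.1 release notes.
EXPECTED = {
    "media.ffmpeg.allow-openh264": False,
    "media.gmp-gmpopenh264.enabled": False,
    "media.gmp-gmpopenh264.provider.enabled": False,
    "media.gmp-gmpopenh264.visible": False,
    "browser.download.enable_spam_prevention": False,
    "extensions.install_origins.enabled": True,
    "dom.security.sanitizer.enabled": True,
    "services.settings.poll_interval": 3600,
}

# One preference call per line: a boolean, an integer or a double-quoted string.
PREF_CALL = re.compile(
    r'^\s*(user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;?\s*(?://.*)?$'
)


def parse_value(raw):
    """Convert the textual value of a pref call into bool, str or int."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return raw[1:-1]
    return int(raw)


def effective_prefs(text):
    """Return {name: value} after applying every pref call in order.

    Assumption: the last write wins, but once a pref has been set with
    lockPref only another lockPref may change it.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    values, locked = {}, set()
    for line in text.splitlines():
        match = PREF_CALL.match(line)
        if match is None:
            continue  # comment, blank line or unsupported syntax
        call, name, raw = match.groups()
        if name in locked and call != "lockPref":
            continue
        values[name] = parse_value(raw)
        if call == "lockPref":
            locked.add(name)
    return values


def audit(text, expected=EXPECTED):
    """Return {name: (status, found)} with status ok, missing or mismatch."""
    found = effective_prefs(text)
    report = {}
    for name, want in expected.items():
        if name not in found:
            report[name] = ("missing", None)
        elif type(found[name]) is type(want) and found[name] == want:
            report[name] = ("ok", found[name])
        else:
            # Also catches type confusion such as "true" (string) for true.
            report[name] = ("mismatch", found[name])
    return report


# Constructed sample input, not a real Phoenix file.
SAMPLE = '''\
// constructed sample
lockPref("media.ffmpeg.allow-openh264", false);
pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-gmpopenh264.enabled", true);   // re-enabled locally
pref("media.gmp-gmpopenh264.provider.enabled", false);
user_pref("media.ffmpeg.allow-openh264", true);     // ignored: pref is locked
/* pref("media.gmp-gmpopenh264.visible", false); */
pref("browser.download.enable_spam_prevention", false);
pref("extensions.install_origins.enabled", "true");
pref("dom.security.sanitizer.enabled", true);
pref("services.settings.poll_interval", 86400);
'''

if __name__ == "__main__":
    for pref_name, (status, value) in audit(SAMPLE).items():
        print(f"{status:9} {pref_name} = {value!r}")
```

The values Firefox is actually using can be cross-checked in `about:config`, which also shows whether a preference is locked.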
-
2025.02.21.1df05b789 · ·
2025.02.21.1

____

* Re-enabled WebAssembly (WASM) for extensions *(when WASM is disabled)* to unbreak Firefox Translations
    - `javascript.options.wasm_trustedprincipals` -> `true`
    - https://codeberg.org/ironfox-oss/IronFox/issues/15
* **DESKTOP**: Removed **Ecosia**, **Qwant**, and **Qwant Junior** as default search engines, due to privacy concerns
* **DESKTOP** *(Flatpak)*: Added support for Phoenix `Extended` & specialized configs
    - *(See updated instructions [here](https://phoenix.celenity.dev#extended-installation) and [here](https://phoenix.celenity.dev#specialized-configs))*
* **DESKTOP** *(macOS)*: Fixed an issue that prevented Phoenix `Extended` & specialized configs from being properly applied in certain cases
* **DESKTOP**: Added specialized configs for **Apple Maps** & **Google Maps**
* **SPECIALIZED CONFIGS**: Disabled PDF.js by default
    - `pdfjs.disabled` -> `true`
* **SPECIALIZED CONFIGS**: Disabled tab hover previews by default
    - `browser.tabs.hoverPreview.enabled` & `browser.tabs.hoverPreview.showThumbnails` -> `false`
* **SPECIALIZED CONFIGS**: Enabled cursor *(arrow key)* navigation by default
    - `accessibility.browsewithcaret` -> `true`
* Enabled H264 hardware decoding by default
    - `media.webrtc.hw.h264.enabled` -> `true`
* **DESKTOP** *(non-macOS)*: All preferences have been removed from `phoenix.cfg` & `policies.json` - now they are **all** configured exclusively by `phoenix-desktop.js` to improve organization & efficiency.
* **DESKTOP** *(macOS)*: All preferences have been removed from policies - now they are **all** configured exclusively by `phoenix.cfg`, to improve organization & efficiency.
* **DESKTOP**: Removed unnecessary entries from our built-in cookie blocklist to improve performance
* Other minor tweaks, fixes, & enhancements

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2024.02.18.1...2025.02.21.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2024.02.18.1...2025.02.21.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2024.02.18.1...2025.02.21.1) for more details.

___

:)
-
2024.02.18.1c8c82545 · ·
2024.02.18.1

**Phoenix now officially supports Flatpaks! 🎉**. Simply install `phoenix-flatpak` rather than `phoenix` or `phoenix-arch` from your package manager. If you prefer, you can also just run the [installation script](https://phoenix.celenity.dev#install) - where Flatpaks have now also been added as an option after selecting your distribution. The only caveat is that your Firefox Flatpak **must** be installed on the **system** level. We unfortunately don't yet support **user** Flatpaks, but we're hoping to in the near future.

Additionally, Phoenix for **macOS** has significantly improved - most notably: **you are now no longer required to give your Terminal the `App Management` permission to receive updates!**, resulting in a significant security improvement for your system.

**NOTE:** To continue receiving updates, macOS users **must** run the migration script with the command below, depending on your location of Firefox:

**System**:

```sh
bash -c "$(wget -O- https://codeberg.org/celenity/Phoenix/raw/branch/pages/macos/migration/system.sh 2>/dev/null)"
```

**User**:

```sh
bash -c "$(wget -O- https://codeberg.org/celenity/Phoenix/raw/branch/pages/macos/migration/user.sh 2>/dev/null)"
```

After running the migration script, macOS users must **also** run the new installation script:

```sh
bash -c "$(wget -O- https://codeberg.org/celenity/Phoenix/raw/branch/pages/installer_scripts/macos_install.sh 2>/dev/null)"
```

Apologies for any inconvenience caused here... but I hope this major security improvement and step forward for Phoenix will make up for it. ;)

____

* Disabled [automatic updates for OpenSearch engines](https://developer.mozilla.org/docs/Web/XML/Guides/OpenSearch#supporting_automatic_updates_for_opensearch_plugins) by default due to security & privacy concerns
    - `browser.search.update` -> `false`
* Disabled timezone spoofing *(`-JSDateTimeUTC`)* for `chipotle.com` to fix order confirmation/estimated arrival times by default
* **DESKTOP**: Specified `type` for preferences configured in policies to ensure that they are always set correctly...
* **DESKTOP**: Specified specific add-on IDs in links for extensions installed from the AMO in our recommendations and policies - *(Credit to [Brace](https://codeberg.org/divested/brace/commit/a3122affe756a610c737071342f5ad550ea0acfc))*
* **SPECIALIZED CONFIGS**: Disabled geolocation, narrator, and tab groups by default
    - `browser.tabs.groups.enabled`, `geo.provider.use_corelocation`, `geo.provider.use_geoclue`, & `narrate.enabled` -> `false`, `geo.provider.network.url` -> ` `
* Removed various *(mostly regional)* search engines with questionable privacy practices for ESR/Thunderbird *([Dove](https://dove.celenity.dev))*
    - https://codeberg.org/celenity/Phoenix/commit/fdb894425fc4ac5dcfd0fa284fe289ecd1980266
* Organized and cleaned up more preferences...
* Other minor tweaks, fixes, & adjustments

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.02.14.1...2024.02.18.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.02.14.1...2024.02.18.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.02.14.1...2024.02.18.1) for more details.

___

:)
-
2025.02.14.19bcab2ed · ·
2025.02.14.1

____

* **DESKTOP**: Disabled the Windows [Media Foundation Engine](https://learn.microsoft.com/windows/win32/medfound/about-the-media-foundation-sdk) for video playback, due to display issues encountered by some users *(notably on `www.youtube.com`)*
    - `media.wmf.media-engine.enabled` -> `0`
* **DESKTOP**: Disabled sharing unnecessary version info as part of [Firefox Sync](https://support.mozilla.org/kb/sync)
    - `services.sync.sendVersionInfo` -> `false`
* **DESKTOP**: Enabled [Tab Groups](https://www.ghacks.net/2024/12/03/how-to-enable-tab-groups-in-firefox/) by default
    - `browser.tabs.groups.enabled` -> `true`
* Updated the default list of languages automatically translated with [Firefox Translation](https://support.mozilla.org/kb/website-translation)
    - `browser.translations.alwaysTranslateLanguages` -> `bg,ca,cs,da,de,el,en,es,et,fi,fr,hr,hu,id,it,ja,ko,lv,lt,nl,pl,pt,ro,ru,sk,sl,sr,sv,tr,uk,vi,zh-Hans`
* **DESKTOP**: Disabled sidebar animations by default to improve Firefox's performance and responsiveness
    - `sidebar.animation.enabled` -> `false`
* Removed various *(mostly regional)* search engines with questionable privacy practices for ESR/Thunderbird *([Dove](https://dove.celenity.dev))*
    - https://codeberg.org/celenity/Phoenix/commit/fdb894425fc4ac5dcfd0fa284fe289ecd1980266
* Organized and cleaned up more preferences...
* Other minor tweaks, fixes, & adjustments

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.02.13.1...2025.02.14.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.02.13.1...2025.02.14.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.02.13.1...2025.02.14.1) for more details.

___

:)
-
2025.02.13.16034e8f9 · ·
2025.02.13.1

The major focus of this release has been boring, under the hood changes - with the goal to clean up Phoenix and remove unnecessary preferences/files/etc.

____

* **DESKTOP**: Our [configuration of uBlock Origin](https://codeberg.org/celenity/Phoenix/wiki/Content-Blocking.md) has been tweaked to **significantly** improve performance and efficiency. Specifically, we disabled `HaGeZi's Threat Intelligence Feeds` by default in favor of `HaGeZi's Threat Intelligence Feeds - Mini`, disabled `HaGeZi - Multi PRO++` by default in favor of `HaGeZi - Multi ULTIMATE - Mini`, and disabled `Dandelion Sprout's Annoyances List` by default. Additionally, the `HaGeZi - Fake`, `HaGeZi - Multi PRO mini`, `HaGeZi - Multi PRO++ mini`, and `HaGeZi - Pop-up Ads` lists have been added to the built-in selection of filterlists, but are **not** enabled by default. **Note that you may need to reset uBlock Origin by navigating to `Settings` -> `Reset to default settings...` to receive the updated configuration**. You can back up your current settings using the **`Back up to file...`** option, and restore your settings after the reset is complete with the **`Restore from file...`** option
* Firefox Sync has been configured to **not** sync any items by default, meaning nothing is synced without explicit user consent *(controlled via the checkboxes at `about:preferences#sync`)*
    - `services.sync.engine.addons`, `services.sync.engine.addresses`, `services.sync.engine.bookmarks`, `services.sync.engine.creditcards`, `services.sync.engine.history`, `services.sync.engine.passwords`, `services.sync.engine.prefs`, & `services.sync.engine.tabs` -> `false`
* If Web Assembly (WASM) is disabled *(`javascript.options.wasm`)*, WASM is now *also* disabled for extensions
    - `javascript.options.wasm_trustedprincipals` -> `false`
* Disabled adding downloads to `recent documents` by default
    - `browser.download.manager.addToRecentDocs` -> `false`
* **DESKTOP**: Disabled certain UI animations by default to improve Firefox's performance and responsiveness
    - `ui.panelAnimations` & `ui.swipeAnimationEnabled` -> `0`, `ui.prefersReducedMotion` -> `1`
* **DESKTOP**: Disabled [Windows Media Foundation](https://learn.microsoft.com/windows/win32/medfound/about-the-media-foundation-sdk) for protected content *(DRM)*, but also enabled it for standard content
    - `media.wmf.media-engine.enabled` -> `3`
* Set `toolkit.telemetry.log.level`, `ui.hideCursorWhileTyping`, `ui.prefersReducedTransparency`, `ui.scrollToClick`, & `ui.useAccessibilityTheme` to their default values, so that they can be easily set in the `about:config`...
    - `toolkit.telemetry.loglevel` -> `Error`, `ui.prefersReducedTransparency` & `ui.useAccessibilityTheme` -> `0`, `ui.scrollToClick` -> `1`
* **YOUTUBE SPECIALIZED CONFIG**: Disabled [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) by default [due to issues with Picture-in-Picture](https://bugzilla.mozilla.org/show_bug.cgi?id=1947672)
    - `dom.security.trusted_types.enabled` -> `false`
* Various other tweaks, fixes, enhancements, and adjustments.

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.02.01.1...2025.02.13.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.02.01.1...2025.02.13.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.02.01.1...2025.02.13.1) for more details.

___

:)
-
2025.02.01.1b26305eb · ·
2025.02.01.1

____

* **DESKTOP**: Rather than automatically grabbing the latest version of our `assets.json` configuration file for uBlock Origin, we now specify a specific commit and download it directly from Phoenix's Codeberg repo. This helps to improve trust/transparency and security, by ensuring the file is only updated with the rest of Phoenix (rather than updating on its own) - meaning it's easier to audit, and keeps the user always in control.
    - `assetsBootstrapLocation` *(Policy)* & `librewolf.uBO.assetsBootstrapLocation` -> `https://codeberg.org/celenity/Phoenix/raw/commit/08d147ee865c1d740540e8ec83c758d7a4df3e8b/uBlock/assets.json`
    - https://codeberg.org/celenity/Phoenix/issues/48#issuecomment-2665313 https://github.com/celenityy/Phoenix/issues/4#issuecomment-2627740229
* **DESKTOP**: Similar to the `assets.json` file, we now also specify both a specific commit and specific version for our included search engines/'extensions' in `policies.json`, and we explicitly disable automatic/out of band updates for them - meaning these 'extensions' are now **also** only updated alongside the rest of Phoenix, and never on their own. This further helps to improve transparency/auditability and protect users.
    - https://codeberg.org/celenity/Phoenix/issues/48#issuecomment-2665313 https://github.com/celenityy/Phoenix/issues/4#issuecomment-2627740229
* **DESKTOP**: Similar to what we've already been doing on Android, we now manually enable various ETP/ETP Strict tracking protections/features. We still enable & enforce ETP Strict itself *(meaning we're still covered by Mozilla's updates/enhancements)*; but unfortunately, Firefox doesn't honor/configure ETP Strict on its first launch, so we need to ensure we also enable these protections manually to always protect users.
    - https://codeberg.org/celenity/Phoenix/commit/4a6e135e3647ef34021e3786f28cc64914554335
* Set `browser.policies.loglevel`, `geo.provider.network.logging.enabled`, & `permissions.memory_only` to their default values, so that they can be easily set in the `about:config`...
    - `browser.policies.loglevel` -> `error`, `geo.provider.network.logging.enabled` & `permissions.memory_only` -> `false`
* Disabled the [Beacon API](https://developer.mozilla.org/docs/Web/API/Beacon_API) *([`Navigator.sendBeacon`](https://udn.realityripple.com/docs/Web/API/Navigator/sendBeacon))*
    - `beacon.enabled` -> `false`
    - https://codeberg.org/celenity/Phoenix/commit/a3d7322f5de7fe72bf12753e2fa685497a827bcf
* Other minor tweaks, fixes, and enhancements.

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.30.1...2025.02.01.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.30.1...2025.02.01.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.30.1...2025.02.01.1) for more details.

___

:)
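The commit pinning described in the 2025.02.01.1 notes can be checked mechanically: the sketch below walks any JSON configuration, finds every URL in it, and reports those that are not pinned to a full commit hash in the `/raw/commit/<sha>/` form shown above. It is an added example, not Phoenix's own tooling; the function names, the JSON key names and the second to fourth sample URLs are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Raw-file URL shapes that appear on this page:
#   /<owner>/<repo>/raw/commit/<40-hex sha>/<path>  -> content cannot change
#   /<owner>/<repo>/raw/branch/<branch>/<path>      -> follows the branch
RAW_PATH = re.compile(r"^/[^/]+/[^/]+/raw/(commit|branch)/([^/]+)/.+$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify(url):
    """Classify one URL as pinned, floating, not-a-full-sha, not-https
    or not-a-raw-url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not-https"
    match = RAW_PATH.match(parts.path)
    if match is None:
        return "not-a-raw-url"
    kind, ref = match.groups()
    if kind == "branch":
        return "floating"
    # An abbreviated hash is ambiguous, so only a full 40-character one counts.
    return "pinned" if FULL_SHA.match(ref.lower()) else "not-a-full-sha"


def iter_urls(node, path="$"):
    """Yield (json_path, url) for every http(s) string in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{index}]")
    elif isinstance(node, str) and re.match(r"^https?://", node):
        yield path, node


def unpinned(document):
    """Return [(json_path, url, reason)] for every URL that is not pinned."""
    findings = []
    for path, url in iter_urls(document):
        reason = classify(url)
        if reason != "pinned":
            findings.append((path, url, reason))
    return findings


# Constructed sample. Only the first URL is taken from the release notes;
# the key names and the other URLs are made up for this example.
SAMPLE = json.loads("""
{
  "example_settings": {
    "assetsBootstrapLocation": "https://codeberg.org/celenity/Phoenix/raw/commit/08d147ee865c1d740540e8ec83c758d7a4df3e8b/uBlock/assets.json",
    "extra_lists": [
      "https://codeberg.org/celenity/Phoenix/raw/branch/pages/uBlock/assets.json",
      "https://codeberg.org/celenity/Phoenix/raw/commit/08d147ee/uBlock/assets.json",
      "http://example.invalid/assets.json"
    ]
  }
}
""")

if __name__ == "__main__":
    for json_path, url, reason in unpinned(SAMPLE):
        print(f"{reason:15} {json_path}  {url}")
```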
-
2025.01.30.19eafb88a · ·
2025.01.30.1

____

* **DESKTOP**: After careful consideration, Phoenix's default search engine is now **[DuckDuckGo](https://duckduckgo.com/)**. While not perfect, we believe DuckDuckGo has a strong track record and solid reputation for protecting user privacy, and we believe it's simply the most trustworthy/reputable privacy-respecting search engine currently available. **Brave Search has been removed from Phoenix, though it can still be manually added from Brave's website if desired.**
* **DESKTOP**: Paid search engines have been removed from Phoenix by default. This includes `Kagi`, `Kagi HTML`, `MetaGer`, `Mullvad Leta (Brave)`, & `Mullvad Leta (Google)`. Users who pay for these search engines can still manually add them if desired.
* **DESKTOP**: We now include our own recommended extensions and themes in the `Recommendations` tab of `about:addons`! See [here](https://phoenix.celenity.dev/extension-recommendations) for details on what extensions are included, why, and the criteria for inclusion. Feel free to make suggestions if we're missing an extension or theme you'd like to see!
* **DESKTOP**: We no longer enforce `autoUpdate`, `autoUpdatePeriod`, `cnameUncloakEnabled`, `hyperlinkAuditingDisabled`, `prefetchingDisabled`, & `suspendUntilListsAreLoaded` for uBlock Origin in our `policies.json`, **as these settings are already uBlock Origin's defaults**, and configuring them like this unfortunately locks the setting and prevents users from overriding if desired. Hopefully uBlock Origin will add support for configuring settings as only the default, rather than only having the option to enforce them (https://github.com/uBlockOrigin/uBlock-issues/issues/3538).
    - https://codeberg.org/celenity/Phoenix/issues/56
* Disabled spoofing locale to `en-US` for all configs by default, due to usability concerns for non-English speakers.
    - `privacy.spoof_english` -> `0` *(We still recommend spoofing your locale if you **are** fluent in English by setting `privacy.spoof_english` in your `about:config` back to `2`)*
* Added various new granular FPP overrides - see [here](https://codeberg.org/celenity/Phoenix/commit/0428ad97966f01805172c023e654e9fe4ad43e60) and [here](https://codeberg.org/celenity/Phoenix/commit/146d65032b0450fa306a4a7c5091a02b7bbd1c3e) for details.
* **ANDROID**: Removed our FPP override for `apple.com`, as Apple Maps simply isn't supported on Android, so it's unnecessary.
    - `privacy.fingerprintingProtection.granularOverrides` -> ` `
* **DESKTOP**: uBlock Origin is now enabled in private windows by default, and our search 'extensions' are explicitly disabled in private windows. It should be noted that this currently **only** works on Nightly.
* Our search 'extensions' are now explicitly blocked from accessing [restricted domains](https://support.mozilla.org/kb/quarantined-domains).
    - https://codeberg.org/celenity/Phoenix/commit/6dd7570be8d7a861995131cae0e0f37f5135d8ea
* **ANDROID**: Explicitly enabled [SmartBlock](https://support.mozilla.org/kb/smartblock-enhanced-tracking-protection)
    - `extensions.webcompat.enable_shims`, `extensions.webcompat.perform_injections`, & `extensions.webcompat.perform_ua_overrides` -> `true`
* **EXTENDED**: WebRTC will now *only* [use TURN servers/relays](https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/40#note_2884663), rather than connecting via peer to peer directly.
    - `media.peerconnection.ice.relay_only` -> `true`
* **DESKTOP**: WebXR is still blocked by default, but it is now **unlocked** so that users may use it if desired.
* Explicitly disabled unprivileged extensions from accessing experimental APIs by default
    - `extensions.experiments.enabled` -> `false`
* Added an additional pref to ensure Early Hints are properly disabled
    - `network.early-hints.over-http-v1-1.enabled` -> `false`
* Enforced the use of Firefox's built-in certificates for installation & updates of extensions
    - `extensions.install.requireBuiltInCerts` & `extensions.update.requireBuiltInCerts` -> `true`
* Prevented [automatic scanning/installation/enabling of extensions in Firefox's application directory](https://support.mozilla.org/kb/deploying-firefox-with-extensions)
    - `extensions.installDistroAddons` -> `false`
* **DESKTOP**: Removed superfluous `WebsiteFilter` policy.
* **YOUTUBE SPECIALIZED CONFIG**: Disabled WebRTC for attack surface reduction
    - `media.peerconnection.enabled` -> `false`
* **SPECIALIZED CONFIGS**: Hardened WebRTC and updated the WebRTC overrides where needed to reflect changes described above - See ex. https://codeberg.org/celenity/Phoenix/commit/7a5892bb8da259de6d510347f2d49643f40e169c for details.
* Other minor tweaks, fixes, and enhancements.

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.27.1...2025.01.30.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.27.1...2025.01.30.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.27.1...2025.01.30.1) for more details.

___

:)
-
2025.01.27.174b69c28 · ·
2025.01.27.1

____

* **ANDROID**: Re-enabled the JIT Baseline Interpreter by default to fix severe performance issues. We still disable the JIT Baseline Interpreter on desktop, and even on Android, we still disable JIT via various other prefs.
    - `javascript.options.blinterp` -> `true`
* **ANDROID**: Manually enabled more ETP/ETP Strict protections
    - `privacy.annotate_channels.strict_list.enabled`, `privacy.annotate_channels.strict_list.pbmode.enabled`, `privacy.partition.network_state`, `privacy.partition.serviceWorkers`, `privacy.query_stripping.redirect`, & `privacy.reduceTimerPrecision` -> `true`
* Disabled sending 'daily usage pings' to Mozilla
    - `datareporting.usage.uploadEnabled` -> `false`
* Disabled [CAPTCHA Detection Pings](https://searchfox.org/mozilla-central/source/toolkit/components/captchadetection)
    - `captchadetection.actor.enabled` -> `false`, `captchadetection.loglevel` -> `Off`
* Added additional prefs to prevent cross-origin sub-resources from opening HTTP authentication dialogs *(These are especially important for ex. Thunderbird...)*
    - `network.auth.non-web-content-triggered-resources-http-auth-allow` & `network.auth.subresource-img-cross-origin-http-auth-allow` -> `false`
* Disabled automatically clearing net monitor and web console log messages after page reloads/navigation
    - `devtools.netmonitor.persistlog` & `devtools.webconsole.persistlog` -> `true`
* Syntax is now highlighted when viewing page sources *(`view-source:`)*
    - `view_source.syntax_highlight` -> `true`

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.24.1...2025.01.27.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.24.1...2025.01.27.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.24.1...2025.01.27.1) for more details.

___

:)
-
2025.01.24.1c13774f4 · ·
2025.01.24.1

**FYI:** Users who **manually** installed Phoenix on **macOS** or **GNU/Linux** who used the **`sudo mv`** commands from the `README` are highly recommended to reinstall Phoenix with the [updated steps](https://codeberg.org/celenity/Phoenix#manual-installation), [due to potential security issues](https://codeberg.org/celenity/Phoenix/issues/48). Thank you to [doomedguppy](https://codeberg.org/doomedguppy) for discovering & reporting this issue, and thank you to [Seyed Mohamad Amin Modaresi](https://codeberg.org/gnu1) for the prompt response and fix.

____

* Regardless of Firefox's DoH mode, we now always warn before falling back to the system's native DNS by default.
    - `network.trr.display_fallback_warning` & `network.trr_ui.show_fallback_warning_option` -> `true`
* Disabled Firefox's [nonfunctional](https://security.googleblog.com/2018/01/announcing-turndown-of-deprecated.html), [legacy Safe Browsing API](https://code.google.com/archive/p/google-safe-browsing/wikis/Protocolv2Spec.wiki) to ensure it's never used and for defense in depth. It's also now explicitly labeled in the case it is ever used for whatever reason.
    - `browser.safebrowsing.provider.google.advisoryName` -> `Google Safe Browsing (Legacy)`, `browser.safebrowsing.provider.google.gethashURL` & `browser.safebrowsing.provider.google.updateURL` -> ` `
* Explicitly enabled Firefox's native collector for sessionstore, as the old implementation is incompatible with per-site process isolation *([Fission](https://wiki.mozilla.org/Project_Fission))*.
    - `browser.sessionstore.disable_platform_collection` -> `false`
* Added additional prefs to ensure Firefox's Cookie Banner Blocking is properly enabled and fully functional.
    - `cookiebanners.cookieInjector.enabled` & `cookiebanners.service.enableGlobalRules.subFrames` -> `true`
* Explicitly disabled [EDNS Client Subnet (ECS)](https://wikipedia.org/wiki/EDNS_Client_Subnet) by default to prevent leaking general location data to authoritative DNS servers.
    - `network.trr.disable-ECS` -> `true`
* Sending headers for DoH requests is now explicitly disabled.
    - `network.trr.send_accept-language_headers` & `network.trr.send_user-agent_headers` -> `false`, `network.trr.send_empty_accept-encoding_headers` -> `true`

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.22.2...2025.01.24.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.22.2...2025.01.24.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.22.2...2025.01.24.1) for more details.

___

:)
-
2025.01.22.2f4866046 · ·
2025.01.22.2

____

* Google Safe Browsing is now proxied on **all** Phoenix installations, regardless of platform. :D
    - This proxy is set up using the servers we've set up for [IronFox](https://ironfoxoss.org) - which are hosted on Cloudflare *(on our bucket located in the EU's jurisdiction...)*. You can see the source code behind our proxy [here](https://gitlab.com/ironfox-oss/safebrowsing-proxy).
* **DESKTOP**: Fixed a bug that prevented users from installing extensions from `addons.mozilla.org` until refreshing the page.
* **DESKTOP**: Disabled HaGeZi's Badware Hoster Blocklist in uBlock Origin by default, due to causing too much breakage.
* **DESKTOP**: Enabled BadBlock - Click Tracking & Dandelion Sprout's Annoyances List in uBlock Origin by default.
* **DESKTOP**: Blocked the use of specific broad whitelists in uBlock Origin that were only designed for/meant to be used on the DNS level.
* **DESKTOP**: Switched the links for HaGeZi's filterlists in uBlock Origin to use Codeberg, rather than GitLab *(due to Codeberg's superior privacy policy...)*.
* **DESKTOP**: Added preferences back to `phoenix.cfg`, as some preferences appear to not take effect unless set there. We're still also keeping preferences set in `phoenix.js` though, for consistency and defense in depth.
* Other minor tweaks and improvements.

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.22.1...2025.01.22.2) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.22.1...2025.01.22.2) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.22.1...2025.01.22.2) for more details.

___

:)
-
2025.01.22.1ece3eb5a · ·
2025.01.22.1

____

* Extensions/themes are now checked for updates **hourly** by default rather than once every 24 hours...
    - `extensions.update.interval` -> `3600`
* Timestamps are now shown in the web console by default.
    - `devtools.webconsole.timestampMessages` -> `true`
* DESKTOP: Google Safe Browsing is now proxied by default! :) It's using the servers we've set up for [IronFox](https://ironfoxoss.org) - which are hosted on Cloudflare *(on our bucket located in the EU's jurisdiction...)*. Hopefully these will be working on Android soon.
* DESKTOP: Enabled Firefox's newer `Felt privacy` design for Private Browsing & Certificate Errors (`browser.privatebrowsing.felt-privacy-v1` & `security.certerrors.felt-privacy-v1` -> `true`)
* DESKTOP: Moved Phoenix's preferences from `phoenix.cfg` to `phoenix.js`, meaning our prefs are now applied globally at a single location.
* Heavily refined the overall build process, as well as did lots of minor tweaks, enhancements, clean-up, and re-organization.

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.20.2...2025.01.22.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.20.2...2025.01.22.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.20.2...2025.01.22.1) for more details.

___

:)
-
2025.01.20.2f546810c · ·
2025.01.20.2

____

* Enabled [Cookies Having Independent Partitioned State (CHIPS)](https://developer.mozilla.org/docs/Web/Privacy/Privacy_sandbox/Partitioned_cookies) by default
    - `network.cookie.CHIPS.enabled` -> `true`
* Enabled Smartblock Embeds/Placeholders by default
    - `extensions.webcompat.smartblockEmbeds.enabled` -> `true`
* ANDROID: Explicitly enable a couple more ETP Strict protections
    - `network.cookie.cookieBehavior.optInPartitioning.pbmode` & `network.cookie.cookieBehavior.trackerCookieBlocking` -> `true`
* DESKTOP: Added an `Unload tab` option to the context menu when right clicking tabs
    - `browser.tabs.unloadTabInContextMenu` -> `true`
* DESKTOP: Fixed syntax errors with `phoenix.js` and `policies.json`... 😅

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.20.1...2025.01.20.2) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.20.1...2025.01.20.2) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.20.1...2025.01.20.2) for more details.

___

:)
-
2025.01.20.18277bf99 · ·
2025.01.20.1

____

* Enabled light mode by default as part of our new approach to fingerprinting protection *(as this matches ex. RFP)*...
    - `layout.css.prefers-color-scheme.content-override` -> `1`
* Updated specialized configs to use our new approach to fingerprinting protection.
    - (https://codeberg.org/celenity/Phoenix/issues/46)
* Explicitly disabled prefetching via proxy.
    - `network.dns.prefetch_via_proxy` -> `false`
* Explicitly disabled TLS 1.3 0-RTT for HTTP3.
    - `network.http.http3.enable_0rtt` -> `false`
* URLbar entries no longer open in new tabs by default.
    - `browser.urlbar.openintab`
* Removed the annoying `Import data from another browser` default bookmark
    - `DisableProfileImport` -> `true`
* `Always ask` is now shown in the permissions dropdown for camera and microphone *(if that's their current status)*
    - `permissions.media.show_always_ask.enabled` -> `true`
* Updated references to our `Hardened` config to `Extended`.
* ETP WebCompat is no longer disabled in our `Extended` configs, as it's harmless and actually useful. *(We still disable dFPI heuristics though...)*
    - `privacy.antitracking.enableWebcompat`
* Specialized configs are now based off of `Extended No-Sync` instead of `No-Sync`. The build process itself for specialized configs has also been heavily improved, and unnecessary prefs were removed.
* **DESKTOP**: Permission for websites to override keyboard shortcuts is now only blocked on `Extended` by default rather than all configs.
    - `permissions.default.shortcuts`
* **DESKTOP** - **EXTENDED**: WebRTC hardening prefs are now unlocked and can be manually toggled by users if desired.
    - `media.peerconnection.ice.default_address_only` & `media.peerconnection.ice.no_host`
* **DISCORD** & **ELEMENT** specialized configs: Permission to override keyboard shortcuts is no longer blocked by default.
    - `permissions.default.shortcuts` -> `0`
* **YOUTUBE** specialized config: Fixed syntax errors.
* Replaced the `browser.phoenix.*.applied` prefs with `browser.phoenix.*.status` prefs - as this is far cleaner and easier to manage (as well as better organized...)
* Other minor tweaks, fixes, and enhancements...

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.19.1...2025.01.20.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.19.1...2025.01.20.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.19.1...2025.01.20.1) for more details.

___

:)
-
2025.01.19.1dac32ca9 · ·
2025.01.19.1

____

* Changed our approach to fingerprinting protection
  - See https://codeberg.org/celenity/Phoenix/issues/46 for details.
* Unlocked the majority of preferences we previously had locked
  - See https://codeberg.org/celenity/Phoenix/issues/47 for details, as well as for the list of preferences we still lock...
* Disabled `failIfMajorPerformanceCaveat` in WebGL contexts due to fingerprinting concerns.
  - `webgl.disable-fail-if-major-performance-caveat` -> `true`
* We no longer disable memory caching, as it can cause breakage in certain contexts, and there's simply no real benefit it brings *(Not even Tor Browser sets this...)*.
  - `browser.cache.memory.enable` & `browser.cache.memory.capacity`
* Disabled the use of third-party/OS level root certificates. This is commonly abused by malware (including garbage antiviruses...) and these certificates are added to MITM traffic without user knowledge/consent. Users can still manually import their own certificate into Firefox's built-in certificate store - which I think is acceptable, because at least this way users are aware of the certificate(s) they're importing and why...
  - `security.certerrors.mitm.auto_enable_enterprise_roots` & `security.enterprise_roots.enabled` -> `false`
* We no longer enable [CSS grid Masonry layout](https://developer.mozilla.org/docs/Web/CSS/CSS_grid_layout/Masonry_layout), as it could be fingerprintable *(and generally best to just leave up to upstream...)*
  - `layout.css.grid-template-masonry-value.enabled`
* We now explicitly disable JIT (Ion/WarpMonkey) for extensions. We already did by default, but since we now manually set it, it's exposed in the `about:config` for users to toggle if desired.
  - `javascript.options.jit_trustedprincipals` -> `false`
* Switched the target video resolution (when using Firefox's fingerprinting protection) from 480p to 1080p - This is also the default on Nightly, and provides for a far better experience...
  - `privacy.resistFingerprinting.target_video_res` -> `1080`
* Enabled Firefox's Cosmetic + UI Animations. Firefox already does this by default, but since we now manually set it, it's exposed in the `about:config` for users to toggle if desired.
  - `toolkit.cosmeticAnimations.enabled` -> `true`, `ui.prefersReducedMotion` -> `1`
* **Desktop**: Removed more Mozilla URL tracking parameters :/
  - `browser.contentblocking.report.monitor.url` -> `https://monitor.firefox.com/` & `browser.contentblocking.report.monitor.sign_in_url` -> `https://monitor.firefox.com/oauth/init`
* **Android**: Enabled Safe Browsing by default using Android's specific prefs.
  - `browser.safebrowsing.features.malware.update` & `browser.safebrowsing.features.phishing.update` -> `true`
* Lots of clean-up and unnecessary prefs removed + re-organization
* Other minor tweaks, fixes, and enhancements...

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.14.1...2025.01.19.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.14.1...2025.01.19.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.14.1...2025.01.19.1) for more details.

___

:)
-
2025.01.14.19a8d914f · ·
2025.01.14.1

____

* Disabled the use of system accent colors due to fingerprinting concerns
  - `widget.non-native-theme.use-theme-accent` -> `false`
* Fixed the URL for [BeaconDB](https://beacondb.net/)
  - `geo.provider.network.url` -> `https://api.beacondb.net/v1/geolocate` *(Thanks to @lucasmz https://codeberg.org/celenity/Phoenix/pulls/45 💜)*
* **Desktop**: Explicitly opted out of the origin trial for [Privacy-Preserving Attribution](https://support.mozilla.org/kb/privacy-preserving-attribution) **in policies.json** for defense in depth
  - `dom.origin-trials.private-attribution.state` -> `2`
* **Android**: Fully enabled Bounce Tracking Protection *(part of [ETP Strict](https://support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop#w_strict-enhanced-tracking-protection))*
  - `privacy.bounceTrackingProtection.mode` -> `1`

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.13.1...2025.01.14.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.13.1...2025.01.14.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.13.1...2025.01.14.1) for more details.

___

:)
-
2025.01.13.17bb0a215 · ·
2025.01.13.1

____

* Set additional preferences to ensure DNS Prefetching is fully disabled for defense in depth
  - `dom.prefetch_dns_for_anchor_http_document` & `dom.prefetch_dns_for_anchor_https_document` -> `false`
* Similarly, set the maximum amount of connections for Preconnect to `0`...
  - `network.early-hints.preconnect.max_connections` -> `0`
* Disabled saving clipboard history locally and/or to the cloud...
  - `clipboard.copyPrivateDataToClipboardCloudOrHistory` -> `false`
* Set `file://` URLs to open in a separate content process
  - `browser.tabs.remote.separateFileUriProcess` -> `true`
* Enabled [Opaque Response Blocking](https://github.com/annevk/orb)
  - `browser.opaqueResponseBlocking` & `browser.opaqueResponseBlocking.javascriptValidator` -> `true`
* Enabled SHIP (Session History In Parent), as it's required for Per-site process isolation (Fission)
  - `fission.disableSessionHistoryInParent` -> `false`
* Explicitly opted out of the origin trial for [Privacy-Preserving Attribution](https://support.mozilla.org/kb/privacy-preserving-attribution) for defense in depth
  - `dom.origin-trials.private-attribution.state` -> `2`
* Enforced blocking access to the AddonManager over insecure protocols
  - `extensions.webapi.testing.http` -> `false`
* Additionally, blocked certain Mozilla developer websites from accessing the AddonManager...
  - `extensions.webapi.testing` -> `false`
* Enforced always running web extensions out of process
  - `extensions.webextensions.remote` -> `true`
* Enabled [COEP: credentialless](https://developer.chrome.com/blog/coep-credentialless-origin-trial)
  - `browser.tabs.remote.coep.credentialless` -> `true`, `dom.origin-trials.coep-credentialless.state` -> `1`
* Prevented `remoteTypes` from triggering process switches they shouldn't be able to...
  - `browser.tabs.remote.enforceRemoteTypeRestrictions` -> `true`
* Quad9 is now set as the default DoH provider via `network.trr.default_provider_uri` instead of `network.trr.custom_uri` & `network.trr.uri`
  - `network.trr.default_provider_uri` -> `https://dns.quad9.net/dns-query`, `network.trr.custom_uri` & `network.trr.uri` -> ` `
* Minor tweaks & re-organization

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.12.2...2025.01.13.1) for more details.

GitLab: See [here](https://gitlab.com/celenity/Phoenix/-/compare/2025.01.12.2...2025.01.13.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.12.2...2025.01.13.1) for more details.

___

:)
-
2025.01.12.2756643be · ·
2025.01.12.2

____

* Minor, Android-specific update to officially begin locking & enforcing important prefs, just like we do on desktop...
  - See https://codeberg.org/celenity/Phoenix/commit/756643bedf9c271d9597c8c64cc690cc97243d2b for details

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.12.1...2025.01.12.2) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.12.1...2025.01.12.2) for more details.

___

:)
-
2025.01.12.13071f8ca · ·
2025.01.12.1

____

* Disabled JIT within Firefox's main process
  - `javascript.options.main_process_disable_jit` -> `true`
* Disabled the JIT [Baseline Interpreter](https://firefox-source-docs.mozilla.org/js/index.html#javascript-jits)
  - `javascript.options.blinterp` -> `false`
* Disabled marking JIT code pages as **both** writable **and** executable
  - `javascript.options.content_process_write_protect_code` -> `true`
* Enabled `fdlibm` for `Math.sin`, `Math.cos`, and `Math.tan`, [as it is less fingerprintable](https://groups.google.com/a/mozilla.org/g/dev-platform/c/0dxAO-JsoXI/m/eEhjM9VsAgAJ)
  - `javascript.options.use_fdlibm_for_sin_cos_tan` -> `true`
* Disabled [Preconnect](https://github.com/uBlockOrigin/uBlock-issues/issues/2913)
  - `network.preconnect` -> `false`
* Disabled [Early Hints](https://developer.mozilla.org/docs/Web/HTTP/Status/103)
  - `network.early-hints.enabled` & `network.early-hints.preconnect.enabled` -> `false`
* Explicitly disabled [AI/"ML Autofill"](https://searchfox.org/mozilla-central/source/toolkit/components/formautofill/MLAutofill.sys.mjs) by default
  - `extensions.formautofill.ml.experiment.enabled` -> `false`
* Fully disabled the use of SharedArrayBuffer using window.postMessage, regardless of context
  - `dom.postMessage.sharedArrayBuffer.bypassCOOP_COEP.insecure.enabled` & `dom.postMessage.sharedArrayBuffer.withCOOP_COEP` -> `false`
* Enforced various important security preferences
  - See https://codeberg.org/celenity/Phoenix/commit/df260a8161046f333ac49bb7544336fcdfd4bd24 & https://codeberg.org/celenity/Phoenix/commit/24c193f0d0310e19f05b89a0e43cb4b71a62b5ed for details...
* Desktop: Enforced applying Content Security Policy (CSP) to the internal `browser.xhtml`
  - `security.browser_xhtml_csp.enabled` -> `true`
* Desktop: Locked `general.config.obscure_value` to prevent severe breakage...
  - `general.config.obscure_value` -> `0`
* Minor tweaks/fixes & re-organization

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/2025.01.06.1...2025.01.12.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/2025.01.06.1...2025.01.12.1) for more details.

___

:)
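
One way to check that a deployed configuration actually carries the values listed in the 2025.01.12.1 and 2025.01.13.1 notes above; this is an added example, not code from the Phoenix project. It assumes the file under audit uses Firefox's `pref`/`user_pref`/`defaultPref`/`lockPref` call syntax, and the `audit` helper and sample input are constructed for illustration.

```python
import re

# Expected values, copied from the 2025.01.12.1 and 2025.01.13.1 notes.
EXPECTED = {
    "javascript.options.main_process_disable_jit": True,
    "javascript.options.blinterp": False,
    "javascript.options.content_process_write_protect_code": True,
    "network.preconnect": False,
    "network.early-hints.preconnect.max_connections": 0,
    "network.trr.default_provider_uri": "https://dns.quad9.net/dns-query",
}
# One pref call per line; lines that start with // never match.
PREF_CALL = re.compile(
    r'^\s*(user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.M)

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError(f"unsupported pref value: {raw!r}")

def parse_prefs(text):
    """Return {name: (value, call)}; a later call replaces an earlier one here."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    return {name: (parse_value(raw), call)
            for call, name, raw in PREF_CALL.findall(text)}

def audit(text, expected=EXPECTED):
    """List (name, problem, wanted, found) for every pref that deviates."""
    prefs, findings = parse_prefs(text), []
    for name, want in sorted(expected.items()):
        if name not in prefs:
            findings.append((name, "missing", want, None))
            continue
        got = prefs[name][0]
        # Compare types too: Python treats False == 0, a pref file does not.
        if type(got) is not type(want) or got != want:
            findings.append((name, "mismatch", want, got))
    return findings

# Constructed sample input (not taken from Phoenix).
SAMPLE = """\
lockPref("javascript.options.main_process_disable_jit", true);
pref("javascript.options.blinterp", false);
user_pref("javascript.options.content_process_write_protect_code", false);
// pref("network.preconnect", false);
pref("network.early-hints.preconnect.max_connections", false);
pref("network.trr.default_provider_uri", "https://dns.quad9.net/dns-query");
"""
```

On the sample, `audit(SAMPLE)` flags the user override of the W^X pref, the boolean written where an integer is expected, and the commented-out Preconnect line as missing.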
-
2025.01.06.11e2e57cb · ·
2025.01.06.1

____

* Enabled support for [Trusted Types](https://developer.mozilla.org/docs/Web/API/Trusted_Types_API) (Like Chromium).
  - `dom.security.trusted_types.enabled` -> `true`
* CSP assertions for `about:` pages are no longer skipped. *(This was already the default behavior for standard Firefox releases, but now we enforce it - which is particularly useful for ex. Thunderbird, where it actually isn't enabled by default...)*
  - `dom.security.skip_about_page_has_csp_assert` -> `false`
* Explicitly disabled the [Network Information API](https://developer.mozilla.org/docs/Web/API/Network_Information_API). Firefox already disables it by default, but now we directly enforce it.
  - `dom.netinfo.enabled` -> `false`
* Disabled [Event Telemetry](https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15549) on Desktop *(Already disabled on Android)* - this is likely covered by our other telemetry prefs, but useful for defense in depth.
  - `privacy.imageInputTelemetry.enableTestMode` -> `false`
* Blocked insecure object subrequests in mixed content.
  - `security.mixed_content.block_object_subrequest` -> `true`
* Minor tweaks/fixes

___

Codeberg: See [here](https://codeberg.org/celenity/Phoenix/compare/05January2025v1...2025.01.06.1) for more details.

GitHub: See [here](https://github.com/celenityy/Phoenix/compare/05January2025v1...2025.01.06.1) for more details.

___

:)