Firefox Changes

Subjective selection of those changes to Firefox, which are probably relevant for admins or helpdesk.

How to read this:

Normal text describes potentially important changes.
Italic text contains my comments, often tells how to disable the new feature.
Grey items are changes which are also noteworthy, but will probably not cause you headache.

When will this page be updated:

Want to be informed when this page gets a major update? Follow me on twitter.
Is something important missing, or anything wrong? Please tell me!
This page will probably be updated whenever a new ESR comes out (see schedule), and maybe a few times inbetween.

Sources: Most info was extracted from the release notes (also the ones for beta and aurora). If you want more, read the notes for developers, Compatibility Notes, Tracking, Meeting Notes. To be completely overwhelmed follow the links "complete list of changes" in each of the release notes.

click here for preliminary info for version 46 to 52

VERY PRELIMINARY INFO FOR VERSIONS 34 TO 38:

hotfix restore safebrowsing

43.0.4 undo blocking of sha-1 certificates, because many security devices and web interfaces of home routers stopped working
          alternative: set security.pki.sha1_enforcement_level to 0

hotfix re-enable high-res youtube videos

43.0.3 undo blocking of NVidia DLLs, because it made the problem worse instead of fixing it

43.0.2 add sha-256 signing certificate, to meet new signing requirement
       security fix

43.0.1 prepare to use SHA-256 signing certificate for Windows builds, to meet new signing requirement

43.0.0 many security fixes
       turns off safebrowsing (accidentally)
       will reject sha1-certificates starting January 1st 2016

42 ??

41 ??

40.0
  Compatibility: faster Plugin-Initialization
     apparently none of the beta-testers plays Farmville.

39.0.3 ??

39.0 ??

38.2.0 ??

38.1.1 ??

38.1.0 ??

38.0.5
  Privacy: Keep track of articles and videos with ???Pocket???
  Privacy: Share the active tab or window in a Hello conversation
  Noteworthy improvement: Clean formatting for articles and blog posts with Reader View

38.0.1
  a few fixes

see also https://mike.kaply.com/2015/05/05/firefox-esr-38-overview/

38.0
  UI: preferences moved from separate window to a tab
  unclear: Ruby annotation support
     https://hacks.mozilla.org/2015/03/ruby-support-in-firefox-developer-edition-38/
  unclear: Improved page load times via speculative connection warmup
  unclear: BroadcastChannel API implemented
     https://hacks.mozilla.org/2015/02/broadcastchannel-api-in-firefox-38/
  unclear: Implemented Encrypted Media Extensions (EME) API to support
     encrypted HTML5 video/audio playback (Windows Vista or later only)
     https://support.mozilla.org/kb/enable-drm
  wtf: Automatically download Adobe Primetime Content Decryption Module (CDM) 
     for DRM playback through EME (Windows Vista or later only)
     https://support.mozilla.org/kb/enable-drm
  unclear: WebRTC now has multistream and renegotiation support
  present for hackers: Implemented DOM3 Events KeyboardEvent.code

37.0.2
  several fixes

37.0.1
  disabled Disabled HTTP/2 AltSvc

37.0
  phone home & UI: pop-up request for rating ("Heartbeat", feedback system)
     https://wiki.mozilla.org/Advocacy/heartbeat
     disable: pref ("browser.selfsupport.url", "")
  phone home: OneCRL centralized certificate revocation
  Compatibility: Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
    https://bitsup.blogspot.com/2015/03/opportunistic-encryption-for-firefox.html
  UI: Yandex set as default search provider for the Turkish locale

36.0.4
  one security fix

36.0.3
  one security fix

36.0.1
  several fixes

36.0
  Compatibility: No longer accept insecure RC4 ciphers whenever possible
  Compatibility: Phasing out Certificates with 1024-bit RSA Keys
  Compatibility: some addons might fail
     https://blog.mozilla.org/addons/2015/01/13/compatibility-for-firefox-36/ 
  UI: For users who removed the Share & Hello buttons, this new version brings them back unexpectedly
     (https://bugzilla.mozilla.org/show_bug.cgi?id=1136300)

35.0.1
  lots of bug fixes

35.0
  Feature: Firefox Hello with new ???rooms-based conversations model???
  Feature: Access the Firefox Marketplace from the Tools menu and optional toolbar button
  UI: "New search UI improved and enabled for more locales", whatever that means
  UI & Compatibility: Plugin-Finder-Service removed
     Firefox will not offer to install missing plugins, for example the Flash player, if a web page needs it.
     MISSING IN THE RELEASE NOTES!

34.0.5
  UI: Default search engine changed to Yahoo! for North America

34.0
  Feature: Firefox ???Hello??? real-time communication client
     disable: loop.enabled = false
  UI: Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales
  UI: "Improved search bar (en-US only)", whatever that means
  Compatibility: Disabled SSLv3

Version 33

phone home: if you enter a one-word URL, Firefox will do a web search, instead of going to that server.
You can whitelist URLs by creating a boolean pref with name "browser.fixup.domainwhitelist.", followed by the word to be whitelisted.
More info: "snappier searches".
phone home: search suggestions on the Firefox Start (about:home) and new tab (about:newtab) pages.
feature: video-format H.264 using a binary plugin from Cisco (running in a sandbox).
to disable it: set media.gmp-gmpopenh264.enabled to false,
to remove it: set media.gmp-gmpopenh264.provider.enabled to false.
lots of bloat, for example cubic-bezier curves editor (only for developers).

Version 32

phone home: malware download detection (see v31) now sends file-info to Google.
new cache leaves old cache data on disk, and makes its own read-ahead.
password manager stores historical use information (why?).
security enhancement: public key pinning (static list of CAs responsible for some selected sites).
performance issues on Windows XP.
bloat: web audio editor (only for developers).

ESR 31

Version 31

bug: steals .pdf and .ogg file associations, and insists to use slow and buggy integrated pdf viewer.
more info
bug: breaks Google Maps (only Windows XP & Linux)
bug: some certificates fail
compatibility: the installer deletes the directory 'distribution'.
compatibility: preferences capability.policy.* removed (except checkloaduri for file:// URIs).
security: detect malware downloads with local white & blacklist. Can be disabled by settting browser.safebrowsing.appRepURL to empty string, or by disabling the whole safebrowsing feature.
bloat: very many new developer tools.
maybe new UI for settings (german text, did not find english version)

See also this blog posting (includes Thunderbird changes).

Why so many new features in an ESR version?!?

Version 30

Plugins need whitelisting, otherwise they are blocked (click-to-play). Flash is not on the whitelist. This does not affect plugins that are part of an extension.
UI: sidebars button "enables faster access to social, bookmark, & history sidebars".
compatibility: outdated and insecure NTLM-authentication deactivated.
compatibility: breaks Citrix Receiver.

Version 29

new sync for bookmarks, history, passwords, open tabs.
Incompatible with old sync, no migration available so far, requires new Firefox account, different setup method.
If you had disabled sync by hiding its setup, this change probably makes it reachable again.
new UI ("Australis"):
- The Firefox menu on the left was replaced with a rectangle full of tiles on the right.
- The big orange menu button in the upper left corner was replaced with a small line-triplett on the right side of the address bar.
  The original main menu from the time before the orange button can still be re-enabled (F10, View, Toolbars, Menu Bar), and the triple-line thingy can be removed with "#PanelUI-button {display:none !important}" in userChrome.css.
- The what's new page for this version (shown on the first run) contains a slideshow (only if viewed with Firefox 29), which explains the new UI, highlights the new "menu"-"button", and shows the tiles.
  Even if you usually have the "what's new" page disabled, for this version it probably is important to let it show up. The relevant pref is "browser.startup.homepage_override.mstone".
- The add-on bar was removed, its contents were moved to the navigation bar.
  Some addons do not like this, need an update.
- and new UI customization
This sounds like trying to salvage the UI of the abandoned Metro-app, by implanting it into the desktop version. The addon ClassicThemeRestorer can undo many Australis-changes. Pale Moon is a free clone of Firefox that will keep the standard user interface.

Version 28 after April 1st

blocks all plugins (except latest flash) with click-to-play.
A few plugins were put on a temporary plugin whitelist.

Version 28

supports videocodec VP9 and audiocodec Opus for WebM videos.
removed support for spdy/2.

Version 27

better encryption: enabled TLS 1.1 and TLS 1.2 by default.
If some web pages stop working, change "security.tls.version.max" temporarily back from 3 to 1.
optional faster transfer protocol: added support for SPDY 3.1.

Version 26

Java: ClickToPlay (to be extended to all plugins, except latest flash)
workaround: java whitelist deployment.
Update-Service fixed: Silent automatic updates now work, even if users have no write permission.
If you do not want auto-updates: double-check that "app.update.enabled" is locked to false.

Version 25

Feature 'welcome back' offers to erase the profile if it is older than 60 days.
The most important part of every automatic function is the switch to turn it off:
lockPref("browser.disableResetPrompt", true);
UI: The find bar is no longer shared between tabs

ESR 24

Version 23

Compatibility: "Mixed Content blocking" blocks active mixed content (allows passive mixed content).
(more info, useful addons: toggle, display)
Compatibility: <blink> removed
UI: several options removed (javascript, load images, always show tab bar)
UI: logo updated

Version 22

Feature: WebRTC enables voice chat and telephone calls inside the browser.
Privacy: and it allows to find your real IP address, even if you go through a VPN.
disable: media.peerconnection.enabled = false
Feature: connect speculatively to the server, before you actually click on a link (more info)
Privacy: and it allows to spy on you, for example spammers can verify your email address (explanation)
disable: network.http.speculative-parallel-limit = 0 (source)

Version 21

Config Compatibility: again major changes in directory structure.
The file 'override.ini' and the directories 'defaults/preferences', 'defaults/profile', 'extensions', 'plugins', and 'searchplugins' have been moved to a newly created subdirectory 'browser'. The function of the directory 'plugin' can be restored by setting the pref 'plugins.load_appdir_plugins' to true. It is still possible to set the AutoConfig-prefs 'general.config.filename' and '.obscure_value' in 'defaults/pref'.
Phone Home: health report

Version 20

UI: Download does not open new window, flashes green arrow
Feature: can access camera and microphone
Feature: Private Browsing now per-window

Version 19

Feature: PDF-viewer built in
You can disable this by setting the pref pdfjs.disabled to true

ESR 17

Version 14

Config Compatibility: directory structure changed, ignores your preference settings.
Some config files from defaults/pref must be moved to defaults/preferences to be effective. That new directory does not exist, you must create it. It is still possible to set the Autoconfig-prefs 'general.config.filename' and '.obscure_value' in a file in defaults/pref. By the way its filename should start with letter a, for example 'autoconfig.js'.

Version 13

Feature: reset profile. Can be triggered from about:support, and from the safe mode dialog (automatically triggered after consecutive startup crashes).
Do not deploy Firefox profiles by putting them into default user profile, and do not use add-user scripts to modify them. Mozilla recommends to use the directory 'browser/defaults', or the autoconfig feature. Settings made there will survive the reset.

ESR 10