"For security reasons, data: and javascript: URIs no longer inherit the security context of the current page when the user enters them in the location bar; instead, a new, empty, security context is created. This means that script loaded by entering javascript: URIs in the location bar no longer has access to DOM methods and the like, for example. These URIs continue to work as before when used by script, however."
Sounds smart. It's extremely easy to get an unsophisticated user (heck, any user who isn't a web developer) to paste a random string of junk in to their URL bar - and doing so is a very nasty XSS vector that works no matter what precautions a site's developers have taken.
I'm sure I've heard of this attack being used successfully on Facebook, spread through messages that say "paste this in to your URL bar to get X".
Right. Apparently this "security" feature came about because people followed instructions on random facebook pages saying "paste this in your address bar to activate $RANDOM_FAKE_FACEBOOK_FEATURE".
You can still run Javascript via the Scratchpad (Web Developer -> Scratchpad, or hit Shift-F4).
Yeah, I caught this hanging out at the bottom of the list too... Immediately set to thinking how I'm gonna have to go rewrite the dozen or so bookmarklets I've written to support FF6
Mozilla is supporting a new version of websockets (https://bugzilla.mozilla.org/show_bug.cgi?id=640003) that as of a week ago did not work with a lot of popular libraries yet (socket.io). Its awesome to see better security features in place and I hope that library distributors are fast to follow up with changes in their library.
For what it’s worth, you have to update your client code to instantiate a MozWebSocket and update your server to support the latest protocol. I know, because I’ve done this today :) We’re using the em-websocket gem though which has been updated recently so it really wasn’t that difficult.
Meh, I've been using FF8 nightly for a few weeks and the memory improvements are modest at best. I just had to restart my browser because it got up to 650mb even after closing tabs.
Awesome! Please let us know if you find any problems with the touch events in Fx6 mobile. (You can contact me directly at mbrubeck@mozilla.com or file a bug at bugzilla.mozilla.org under the "Fennec" product.)
I think my favorite part is that they've finally added an auto-update feature. If you open about Firefox, it checks to determine whether or not you're up to date. Especially if they're going to be bringing out frequent releases, I don't want to be constantly reinstalling Firefox.
That's been there for a while - I'd prefer if they would silently update the browser in the background and active it on the next restart, just as Chrome does.
I hate being told that Firefox 5.0 or 6.0 is out, only to find out that there are barely any major changes in this seemingly major version. If you want to release more often and make it a more seemless process, the app should stop announcing each new version like a major release.
The app doesn't announce each new version unless you have add-ons that are incompatible with the new version (in which case you get a dialog telling you so), last I checked.
It does tell you that it's applying an update when you do the update startup, so far. That's likely to go away as well.
Good bye bookmarklets?