Firefox 31 Released; Includes New ECMAScript 6 features
Mozilla has released Firefox 31, including the implementation of new ECMAScript 6 features, malware detection, and new features for game developers.
- New Array built-in: Array.prototype.fill() method fills all the elements of an array from a start index to an end index with a static value.
- New Math function: Math.clz32() returns the number of leading zero bits in the 32-bit binary representation of a number.
- New String built-in: String.prototype.normalize() is available in Firefox Desktop, and returns the Unicode Normalization Form of a given string (if the value isn't a string, it will be converted to one first).
- New Object method: Object.setPrototypeOf() sets the prototype (i.e., the internal [[Prototype]] property) of a specified object to another object or null.
A full list of the features already supported in Firefox can be found here.
Mozilla elaborates on the latter in Firefox 31 for Developers:
By default, the Network Monitor shows a list of all the network requests made in the course of loading the page. Each request is displayed in its own row.
The Network Monitor is cleared each time you navigate to a new page or reload the current page. From Firefox 31 onwards you can override this behavior by checking "Enable persistent logs" in the Settings.
Firefox 31 also ships with new built-in malware detection. A high-level overview of the feature is given on MozillaWiki:
The user-agent performs local lookups whenever a binary file is downloaded. If a local result is not found, the user-agent may perform a remote-lookup on Windows only.
When a binary file is downloaded, the user-agent extracts several pieces of metadata about the file, including:
- The target URL from which the file was downloaded, its referrer URL and any URLs in the redirect chain
- The SHA-256 hash of the contents of the file
- Any certificate verification information obtained through the Windows Authenticode APIs
- The length of the file in bytes
- The suggested filename for the download
Using this metadata, the user-agent performs local lookups against a blocklist. If the download is supported, it checks an allowlist. If the binary is signed, then the code signing information is checked against the allowlist.
If any blocklist matches are found, the user-agent must not save the file to disk. If any allowlist matches are found, the user-agent may treat the binary as trusted and skip the remote lookup. If no matches are found and the binary was unsigned, the user-agent may send a remote lookup to the application reputation service.
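The lookup order described in the MozillaWiki excerpt above, sketched as an added example (not Firefox's code and not part of the original article). The list contents, field names and the `classifyDownload` function are assumptions, as is matching list entries as plain URL strings and signer names; the excerpt does not say what happens to a signed binary with no allowlist match, so this sketch sends no remote lookup for it.

```javascript
// Added illustration of the lookup order quoted above; not Firefox source code.
// Assumptions: list entries are plain URL strings and signer names, and every
// value below is constructed sample data.
const BLOCKLIST = new Set(['http://bad.example/payload.exe']);
const ALLOWLIST_URLS = new Set(['https://vendor.example/setup.exe']);
const ALLOWLIST_SIGNERS = new Set(['Example Vendor Inc.']);

// Every URL tied to the download: target, referrer and the redirect chain.
function urlsOf(meta) {
  return [meta.targetUrl, meta.referrerUrl, ...(meta.redirectChain || [])]
    .filter(Boolean);
}

function classifyDownload(meta, platform) {
  const urls = urlsOf(meta);

  // 1. A blocklist match wins: the file must not be saved to disk.
  const blocked = urls.find((u) => BLOCKLIST.has(u));
  if (blocked) return { action: 'block', remoteLookup: false, matched: blocked };

  // 2. An allowlist match (URL or code-signing identity) skips the remote lookup.
  const signers = meta.signers || [];
  const allowed = urls.find((u) => ALLOWLIST_URLS.has(u)) ||
    signers.find((s) => ALLOWLIST_SIGNERS.has(s));
  if (allowed) return { action: 'trust', remoteLookup: false, matched: allowed };

  // 3. No local match: per the excerpt, only an unsigned binary may be sent
  //    for a remote lookup, and only on Windows. Signed-but-unmatched binaries
  //    get no remote lookup here (assumption, the excerpt is silent on them).
  const unsigned = signers.length === 0;
  return {
    action: 'unknown',
    remoteLookup: unsigned && platform === 'windows',
    matched: null,
  };
}

// Constructed sample: a clean-looking target reached through a blocklisted hop.
const SAMPLE = {
  targetUrl: 'https://cdn.example/tool.exe',
  referrerUrl: 'https://forum.example/thread/1',
  redirectChain: ['http://bad.example/payload.exe'],
  signers: [],
  suggestedFilename: 'tool.exe',
};
console.log(classifyDownload(SAMPLE, 'windows'));
```

Because the redirect chain is checked along with the target URL, the sample is blocked even though its final URL is on neither list.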
The malware detection feature of Firefox 31 has not gone unremarked by the developer community. On the Slashdot article Firefox 31 Released, an anonymous user commented "the 'malware blocking for file downloads' is a severe invasion of privacy. It works by sending the URL of nearly every downloaded file to Google."
On Hacker News, similar sentiment was seen in the discussion Firefox 31.
I'm worried about the privacy implications of this. Especially given that the feature is hidden, and the only two ways to turn it off involve going into about:config, which most people don't even know exists. I wouldn't even know it was doing this if I hadn't read the changelog.
It should be noted that Sid Stamm, senior engineering manager of security and privacy at Mozilla, published an article entitled Improving Malware Detection in Firefox about the feature on July 23, and instructions for turning off malware detection are detailed on MozillaWiki here.
Stamm told InfoQ:
Any time Safe Browsing sends data back to Google, such as information about a suspected phishing page or malicious file, the information is only used to flag malicious activity and is not used anywhere else at Google. After two weeks, any associated information, such as your IP address, is stripped, and only the URL itself is retained.
Away from privacy concerns, the Firefox 31 release brings what the Mozilla Hack team describe in the article Resources for HTML5 Game Developers as "new features that help HTML5 game developers to code and debug sophisticated games."
Other notable improvements include the addition of a Canvas Debugger to the browser. The Mozilla Hack team said:
The Canvas Debugger allows you to trace through all canvas context calls that are used to generate a frame. Calls are color coded for specific calls for things like drawing elements or using a specific shader program.
The debugger is not only useful when developing a WebGL based game but can also be used when debugging a Canvas 2D based game.
Two very common issues that have been reported when using the Canvas Debugger are with animations generated using setInterval instead of requestAnimationFrame and inspecting canvas elements in an iFrame.
For more information about the Canvas Debugger, developers are encouraged to read Introducing the Canvas Debugger in Firefox Developer Tools. For a full list of changes in Firefox 31, users and developers should visit the release notes here.
There are many ways that InfoQ readers can contribute to Firefox, and Mozilla welcomes newcomers who wish to be part of the project. A full list of options is available on the Mozilla Developer Network, which also publishes a number of How To guides.