Firefox 91 patches 11 flaws, and starts the process of making the HTTPS-only setting the default, and better clears cookies to scrub browser trackers.

Mozilla on Tuesday refreshed Firefox to version 91, enhancing its cookie-clearing to more thoroughly scrub the browser of trackers, and beginning to make the HTTPS-only setting the default, starting with Private Windows.

The organization’s security engineers also patched 11 vulnerabilities, eight tagged as “High,” Firefox’s second-most-serious label. Two of the flaws were found only in the Linux edition of the browser, while another existed in the Android version only.

Firefox 91 can be downloaded for Windows, macOS, and Linux from Mozilla’s site. Because Firefox updates in the background, most users can relaunch the browser to install the latest version. To manually update on Windows, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” (On macOS, “About Firefox” can be found under the “Firefox” menu.) The resulting page or pop-up shows that the browser is already up to date or displays the upgrade process.

Mozilla last upgraded Firefox four weeks ago, on July 13.

Clears third-party cookies
Firefox 91 boosts the browser’s cookie-scrubbing capabilities by enabling what Mozilla called “Enhanced Cookie Clearing” when the user has set the browser’s tracking protection to the “Strict” level.

Simply put, rather than clear only the cookies for a specific domain — say, computerworld.com — Enhanced Cookie Clearing dumps not only the cookies and trackers used by that domain but also all cookie-based trackers that may have appeared on that page from other domains. (Trackers can be appended to all kinds of third-party page components, from photos to Facebook or Google sign-ins.)

“Embedded third-party resources complicate data clearing,” contended a trio of Mozilla employees in a post to the firm’s security blog. Before Enhanced Cookie Clearing, Firefox cleared data only for the domain specified by the user. If you were to clear storage for comfypants.com, Firefox deleted the storage of comfypants.com and left the storage of any sites embedded on it (facebook.com) behind. Keeping the embedded storage of facebook.com meant that it could identify and track you again the next time you visited comfypants.com.

Users must set “Enhanced Tracking Protection” to “Strict” in Firefox’s Settings pane to enable more complete cookie clearing. Any command to delete cookies — for instance, by clicking on the lock icon in the address bar and selecting “Clear cookies and site data…” — will then scrub the browser of third-party cookies, as well as those created by the active website.
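To make the difference between the old and new behaviour concrete, here is a small Python model of partitioned site storage (an added illustration, not Mozilla's or Firefox's code; the partition-key representation and the sample records are this model's own assumptions). Each record remembers both the domain that set it and the top-level site it was created under, so clearing for comfypants.com can either remove only comfypants.com's own data (legacy) or everything created while comfypants.com was the top-level page, including the embedded facebook.com tracker (Enhanced Cookie Clearing), while facebook.com's own first-party login survives either way.

```python
from dataclasses import dataclass
from typing import Set, List, Tuple


@dataclass(frozen=True)
class StorageEntry:
    """One cookie/storage record (model only, not Firefox's internal type).
    partition_key: the top-level site the record was created under.
    origin:        the domain that actually set the record.
    For a first-party visit, partition_key == origin."""
    partition_key: str
    origin: str
    name: str


# Constructed sample state: a visit to comfypants.com with an embedded
# facebook.com widget, plus a separate first-party visit to facebook.com.
SAMPLE_STORAGE: Set[StorageEntry] = {
    StorageEntry("comfypants.com", "comfypants.com", "session"),
    StorageEntry("comfypants.com", "facebook.com", "tracker_id"),
    StorageEntry("facebook.com", "facebook.com", "login"),
}


def clear_legacy(storage: Set[StorageEntry], site: str) -> Set[StorageEntry]:
    """Pre-91 behaviour: drop only the records that `site` itself set.
    Embedded third-party storage created under `site` is left behind."""
    return {e for e in storage if e.origin != site}


def clear_enhanced(storage: Set[StorageEntry], site: str) -> Set[StorageEntry]:
    """Enhanced Cookie Clearing (Strict tracking protection): drop `site`'s
    own records and every record created while `site` was the top-level page."""
    return {e for e in storage if e.origin != site and e.partition_key != site}


def remaining(storage: Set[StorageEntry], site: str, enhanced: bool) -> List[Tuple[str, str]]:
    """(partition_key, origin) pairs that still hold data after clearing `site`."""
    left = clear_enhanced(storage, site) if enhanced else clear_legacy(storage, site)
    return sorted({(e.partition_key, e.origin) for e in left})


if __name__ == "__main__":
    print("legacy  :", remaining(SAMPLE_STORAGE, "comfypants.com", enhanced=False))
    print("enhanced:", remaining(SAMPLE_STORAGE, "comfypants.com", enhanced=True))
```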

HTTPS by default debuts
Firefox, like other browsers, has had HTTPS-first features in place for some time. (Firefox 83, which launched in November 2020, offered HTTPS-first as an option.)

With Firefox 91, Mozilla enabled an HTTPS-by-default setting for Private Windows, the browser’s privacy mode in which it doesn’t store cookies or browsing history.

Mozilla claimed that the new feature is a “major improvement in the way the browser handles insecure web page addresses.”

“Whenever you enter an insecure (HTTP) URL in Firefox’s address bar, or you click on an insecure link on a web page, Firefox will now first try to establish a secure, encrypted HTTPS connection to the website,” four Mozilla workers wrote in the post to the organization’s security blog. “In the cases where the website does not support HTTPS, Firefox will automatically fall back and establish a connection using the legacy HTTP protocol instead.”

Although the feature only applies to Private Window sessions as of Firefox 91, Mozilla said it would expand the functionality. “We expect that HTTPS by Default will expand beyond Private Windows in the coming months,” the four said without getting specific.

Google is on the same case; it plans to launch an HTTPS-first feature with Chrome 94, currently slated to release Sept. 21. In Chrome, the feature will be optional to start, but Google said it might make the setting “the default for all users in the future.”

Windows single sign-on
Elsewhere in Firefox 91, a new group policy — WindowsSSO — can be set by IT to let the browser retrieve credentials stored by Windows to log onto Microsoft accounts for accessing properties such as online Outlook and the Office 365 portal.

This single sign-on feature can also be enabled from the browser’s Settings pane on Windows. More information about that can be found here.

The next version, Firefox 92, will be released Sept. 7.