Subject: CVS commit: pkgsrc/www/firefox
Date: 2022-05-13 16:12:53
Message id:

Log Message:
firefox: Update to 100.0

* Simplify some option logics.
* Add sunaudio and jack options as audio backends.


  * We now support captions/subtitles display on YouTube, Prime Video, and
    Netflix videos you watch in Picture-in-Picture. Just turn on the subtitles
    on the in-page video player, and they will appear in PiP.

  * Picture-in-Picture now also supports video captions on websites that use
    WebVTT (Web Video Text Track) format, like, Canadian
    Broadcasting Corporation, and many more.

  * On the first run after install, Firefox detects when its language does not
    match the operating system language and offers the user a choice between
    the two languages.

  * Firefox spell checking now checks spelling in multiple languages. To enable
    additional languages, select them in the text field's context menu.

  * HDR video is now supported in Firefox on Mac --- starting with YouTube!
    Firefox users on macOS 11+ (with HDR-compatible screens) can enjoy
    higher-fidelity video content. No need to manually flip any preferences to
    turn HDR video support on --- just make sure battery preferences are NOT set
    to "optimize video streaming while on battery".

  * Hardware accelerated AV1 video decoding is enabled on Windows with
    supported GPUs (Intel Gen 11+, AMD RDNA 2 Excluding Navi 24, GeForce 30).
    Installing the AV1 Video Extension from the Microsoft Store may also be

  * Video overlay is enabled on Windows for Intel GPUs, reducing power usage
    during video playback.

  * Improved fairness between painting and handling other events. This
    noticeably improves the performance of the volume slider on Twitch.

  * Scrollbars on Linux and Windows 11 won't take space by default. On Linux,
    users can change this in Settings. On Windows, Firefox follows the system
    setting (System Settings > Accessibility > Visual Effects > Always show

  * Firefox now supports credit card autofill and capture in the United

  * Firefox now ignores less restricted referrer policies --- including
    unsafe-url, no-referrer-when-downgrade, and origin-when-cross-origin
    --- for cross-site subresource/iframe requests to prevent privacy
    leaks from the referrer.


  * Users can now choose preferred color schemes for websites. Theme authors
    can now make better decisions about which color scheme Firefox uses for
    menus. Web content appearance can now be changed in Settings.

  * Beginning in this release, the Firefox installer for Windows is signed with
    a SHA-256 digest, rather than SHA-1. Update KB4474419 is required for
    successful installation on a computer running Microsoft Windows 7. For more
    details about this update, visit the Microsoft Technical Support website.

  * In macOS 11+ we now only rasterize the fonts once per window. This means
    that opening a new tab is fast, and switching tabs in the same window is
    also fast. (There's still work to do to share fonts across windows, or to
    reduce the time it takes to initialize these fonts.)

  * The performance of deeply-nested display: grid elements is greatly

  * Support for profiling multiple Java threads has been added.

  * Soft-reloading a web page will no longer cause revalidation for all

  * Non-vsync tasks are given more time to run, which improves behavior on
    Google Docs and Twitch.

  * GeckoView APIs have been added to control the start/stop time of capturing
    a profile.

  * Various security fixes.


  * Firefox has a new focus indicator for links which replaces the old dotted
    outline with a solid blue outline. This change unifies the focus indicators
    across form fields and links, which makes it easier to identify the focused
    link, especially for users with low vision.

  * New users can now set Firefox as the default PDF handler when setting
    Firefox as their default browser.

  * Some websites might not work correctly in Firefox version 100 due to
    Firefox's new three-digit number. You can read about it in our blog post

    See the Mozilla Support article Difficulties opening or using a website in
    Firefox 100 for possible workarounds you can use. There, you will also find
    instructions for reporting a broken website so that Mozilla can help fix
    the problem.

Mozilla Foundation Security Advisory 2022-16
#CVE-2022-29914: Fullscreen notification bypass using popups
#CVE-2022-29909: Bypassing permission prompt in nested browsing contexts
#CVE-2022-29916: Leaking browser history with CSS variables
#CVE-2022-29911: iframe Sandbox bypass
#CVE-2022-29912: Reader mode bypassed SameSite cookies
#CVE-2022-29910: Firefox for Android forgot HTTP Strict Transport Security
#CVE-2022-29915: Leaking cross-origin redirect through the Performance API
#CVE-2022-29917: Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
#CVE-2022-29918: Memory safety bugs fixed in Firefox 100


  * Fixed an issue for Windows users that prevented hardware video decoding on
    newer Intel drivers (bug 1762125)

  * Fixed an issue with text rendering in Bengali (bug 1763368)

  * Fixed a selection issue in the Download panel with drag and drop (bug

  * Fixed an issue preventing Zoom gallery mode for users who go to
    URLs instead of URLs (bug 1763801)


  * You can now toggle Narrate in ReaderMode with the keyboard shortcut \ 

  * You can find added support for search --- with or without diacritics ---
    in the PDF viewer.

  * The Linux sandbox has been strengthened: processes exposed to web content
    no longer have access to the X Window system (X11).

  * Firefox now supports credit card autofill and capture in Germany and


  * Various security fixes.

Mozilla Foundation Security Advisory 2022-13
#CVE-2022-1097: Use-after-free in NSSToken objects
#CVE-2022-28281: Out of bounds write due to unexpected WebAuthN Extensions
#CVE-2022-28282: Use-after-free in DocumentL10n::TranslateDocument
#CVE-2022-28283: Missing security checks for fetching sourceMapURL
#CVE-2022-28284: Script could be executed via svg's use element
#CVE-2022-28285: Incorrect AliasSet used in JIT Codegen
#CVE-2022-28286: iframe contents could be rendered outside the border
#CVE-2022-28287: Text Selection could crash Firefox
#CVE-2022-24713: Denial of Service via complex regular expressions
#CVE-2022-28289: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8
#CVE-2022-28288: Memory safety bugs fixed in Firefox 99