2025.02.13.1

The major focus of this release has been boring, under the hood changes - with the goal to clean up Phoenix and remove unnecessary preferences/files/etc.

---

• DESKTOP: Our configuration of uBlock Origin has been tweaked to significantly improve performance and efficiency. Specifically, we disabled HaGeZi's Threat Intelligence Feeds by default in favor of HaGeZi's Threat Intelligence Feeds - Mini, disabled HaGeZi - Multi PRO++ by default in favor of HaGeZi - Multi ULTIMATE - Mini, and disabled Dandelion Sprout's Annoyances List by default. Additionally, the HaGeZi - Fake, HaGeZi - Multi PRO mini, HaGeZi - Multi PRO++ mini, and HaGeZi - Pop-up Ads lists have been added to the built-in selection of filterlists, but are not enabled by default. Note that you may need to reset uBlock Origin by navigating to Settings -> Reset to default settings... to receive the updated configuration. You can back up your current settings using the Back up to file... option, and restore your settings after the reset is complete with the Restore from file... option

• Firefox Sync has been configured to not sync any items by default, meaning nothing is synced without explicit user consent (controlled via the checkboxes at about:preferences#sync) - services.sync.engine.addons, services.sync.engine.addresses, services.sync.engine.bookmarks, services.sync.engine.creditcards, services.sync.engine.history, services.sync.engine.passwords, services.sync.engine.prefs, & services.sync.engine.tabs -> false

• If Web Assembly (WASM) is disabled (javascript.options.wasm), WASM is now also disabled for extensions - javascript.options.wasm_trustedprincipals -> false

• Disabled adding downloads to recent documents by default - browser.download.manager.addToRecentDocs -> false

• DESKTOP: Disabled certain UI animations by default to improve Firefox's performance and responsiveness - ui.panelAnimations & ui.swipeAnimationEnabled -> 0, ui.prefersReducedMotion -> 1

• DESKTOP: Disabled Windows Media Foundation for protected content (DRM), but also enabled it for standard content - media.wmf.media-engine.enabled -> 3

• Set toolkit.telemetry.log.level, ui.hideCursorWhileTyping, ui.prefersReducedTransparency, ui.scrollToClick, & ui.useAccessibilityTheme to their default values, so that they can be easily set in the about:config... - toolkit.telemetry.loglevel -> Error, ui.prefersReducedTransparency & ui.useAccessibilityTheme -> 0, ui.scrollToClick -> 1

• YOUTUBE SPECIALIZED CONFIG: Disabled Trusted Types by default due to issues with Picture-in-Picture - dom.security.trusted_types.enabled -> false

• Various other tweaks, fixes, enhancements, and adjustments.

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.02.01.1

---

• DESKTOP: Rather than automatically grabbing the latest version of our assets.json configuration file for uBlock Origin, we now specify a specific commit and download it directly from Phoenix's Codeberg repo. This helps to improve trust/transparency and security, by ensuring the file is only updated with the rest of Phoenix (rather than updating on its own) - meaning it's easier to audit, and keeps the user always in control. - assetsBootstrapLocation (Policy) & librewolf.uBO.assetsBootstrapLocation -> https://codeberg.org/celenity/Phoenix/raw/commit/08d147ee865c1d740540e8ec83c758d7a4df3e8b/uBlock/assets.json - https://codeberg.org/celenity/Phoenix/issues/48#issuecomment-2665313 #4 (comment)

• DESKTOP: Similar to the assets.json file, we now also specify both a specific commit and specific version for our included search engines/'extensions' in policies.json, and we explicitly disable automatic/out of band updates for them - meaning these 'extensions' are now also only updated alongside the rest of Phoenix, and never on their own. This further helps to improve transparency/auditability and protect users. - https://codeberg.org/celenity/Phoenix/issues/48#issuecomment-2665313 #4 (comment)

• DESKTOP: Similar to what we've already been doing on Android, we now manually enable various ETP/ETP Strict tracking protections/features. We still enable & enforce ETP Strict itself (meaning we're still covered by Mozilla's updates/enhancements); but unfortunately, Firefox doesn't honor/configure ETP Strict on its first launch, so we need to ensure we also enable these protections manually to always protect users. - https://codeberg.org/celenity/Phoenix/commit/4a6e135e3647ef34021e3786f28cc64914554335

• Set browser.policies.loglevel, geo.provider.network.logging.enabled, & permissions.memory_only to their default values, so that they can be easily set in the about:config... - browser.policies.loglevel -> error, geo.provider.network.logging.enabled & permissions.memory_only -> false

• Disabled the Beacon API (Navigator.sendBeacon) - beacon.enabled -> false - https://codeberg.org/celenity/Phoenix/commit/a3d7322f5de7fe72bf12753e2fa685497a827bcf

• Other minor tweaks, fixes, and enhancements.

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.30.1

---

• DESKTOP: After careful consideration, Phoenix's default search engine is now DuckDuckGo. While not perfect, we believe DuckDuckGo has a strong track record and solid reputation for protecting user privacy, and we believe it's simply the most trustworthy/reputable privacy-respecting search engine currently available. Brave Search has been removed from Phoenix, though it can still be manually added from Brave's website if desired.

• DESKTOP: Paid search engines have been removed from Phoenix by default. This includes Kagi, Kagi HTML, MetaGer, Mullvad Leta (Brave), & Mullvad Leta (Google). Users who pay for these search engines can still manually add them if desired.

• DESKTOP: We now include our own recommended extensions and themes in the Recommendations tab of about:addons! See here for details on what extensions are included, why, and the criteria for inclusion. Feel free to make suggestions if we're missing an extension or theme you'd like to see!

• DESKTOP: We no longer enforce autoUpdate, autoUpdatePeriod, cnameUncloakEnabled, hyperlinkAuditingDisabled, prefetchingDisabled, & suspendUntilListsAreLoaded for uBlock Origin in our policies.json, as these settings are already uBlock Origin's defaults, and configuring them like this unfortunately locks the setting and prevents users from overriding if desired. Hopefully uBlock Origin will add support for configuring settings as only the default, rather than only having the option to enforce them (uBlockOrigin/uBlock-issues#3538). - https://codeberg.org/celenity/Phoenix/issues/56

• Disabled spoofing locale to en-US for all configs by default, due to usability concerns for non-English speakers. - privacy.spoof_english -> 0 (We still recommend spoofing your locale if you are fluent in English by setting privacy.spoof_english in your about:config back to 2)

• Added various new granular FPP overrides - see here and here for details.

• ANDROID: Removed our FPP override for apple.com, as Apple Maps simply isn't supported on Android, so it's unnecessary. - privacy.fingerprintingProtection.granularOverrides ->

• DESKTOP: uBlock Origin is now enabled in private windows by default, and our search 'extensions' are explicitly disabled in private windows. It should be noted that this currently only works on Nightly.

• Our search 'extensions' are now explicitly blocked from accessing restricted domains. - https://codeberg.org/celenity/Phoenix/commit/6dd7570be8d7a861995131cae0e0f37f5135d8ea

• ANDROID: Explicitly enabled SmartBlock - extensions.webcompat.enable_shims, extensions.webcompat.perform_injections, & extensions.webcompat.perform_ua_overrides -> true

• EXTENDED: WebRTC will now only use TURN servers/relays, rather than connecting via peer to peer directly. - media.peerconnection.ice.relay_only -> true

• DESKTOP: WebXR is still blocked by default, but it is now unlocked so that users may use it if desired.

• Explicitly disabled unprivileged extensions from accessing experimental APIs by default - extensions.experiments.enabled -> false

• Added an additional pref to ensure Early Hints are properly disabled - network.early-hints.over-http-v1-1.enabled -> false

• Enforced the use of Firefox's built-in certificates for installation & updates of extensions - extensions.install.requireBuiltInCerts & extensions.update.requireBuiltInCerts -> true

• Prevented automatic scanning/installation/enabling of extensions in Firefox's application directory - extensions.installDistroAddons -> false

• DESKTOP: Removed superfluous WebsiteFilter policy.

• YOUTUBE SPECIALIZED CONFIG: Disabled WebRTC for attack surface reduction - media.peerconnection.enabled -> false

• SPECIALIZED CONFIGS: Hardened WebRTC and updated the WebRTC overrides where needed to reflect changes described above - See ex. https://codeberg.org/celenity/Phoenix/commit/7a5892bb8da259de6d510347f2d49643f40e169c for details.

• Other minor tweaks, fixes, and enhancements.

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.27.1

---

• ANDROID: Re-enabled the JIT Baseline Interpreter by default to fix severe performance issues. We still disable the JIT Baseline Interpreter on desktop, and even on Android, we still disable JIT via various other prefs. - javascript.options.blinterp -> true

• ANDROID: Manually enabled more ETP/ETP Strict protections - privacy.annotate_channels.strict_list.enabled, privacy.annotate_channels.strict_list.pbmode.enabled, privacy.partition.network_state, privacy.partition.serviceWorkers, privacy.query_stripping.redirect, & privacy.reduceTimerPrecision -> true

• Disabled sending 'daily usage pings' to Mozilla - datareporting.usage.uploadEnabled -> false

• Disabled CAPTCHA Detection Pings - captchadetection.actor.enabled -> false, captchadetection.loglevel -> Off

• Added additional prefs to prevent cross-origin sub-resources from opening HTTP authentication dialogs (These are especially important for ex. Thunderbird...) - network.auth.non-web-content-triggered-resources-http-auth-allow & network.auth.subresource-img-cross-origin-http-auth-allow -> false

• Disabled automatically clearing net monitor and web console log messages after page reloads/navigation - devtools.netmonitor.persistlog & devtools.webconsole.persistlog -> true

• Syntax is now highlighted when viewing page sources (view-source:) - view_source.syntax_highlight -> true

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.24.1

FYI: Users who manually installed Phoenix on macOS or GNU/Linux who used the sudo mv commands from the README are highly recommended to reinstall Phoenix with the updated steps, due to potential security issues. Thank you to doomedguppy for discovering & reporting this issue, and thank you to @Modaresisofthard for the prompt response and fix.

---

• Regardless of Firefox's DoH mode, we now always warn before falling back to the system's native DNS by default. - network.trr.display_fallback_warning & network.trr_ui.show_fallback_warning_option -> true

• Disabled Firefox's nonfunctional, legacy Safe Browsing API to ensure it's never used and for defense in depth. It's also now explicitly labeled in the case it is ever used for whatever reason. - browser.safebrowsing.provider.google.advisoryName -> Google Safe Browsing (Legacy), browser.safebrowsing.provider.google.gethashURL & browser.safebrowsing.provider.google.updateURL ->

• Explicitly enabled Firefox's native collector for sessionstore, as the old implementation is incompatible with per-site process isolation (Fission). - browser.sessionstore.disable_platform_collection -> false

• Added additional prefs to ensure Firefox's Cookie Banner Blocking is properly enabled and fully functional. - cookiebanners.cookieInjector.enabled & cookiebanners.service.enableGlobalRules.subFrames -> true

• Explicitly disabled EDNS Client Subnet (ECS) by default to prevent leaking general location data to authoritative DNS servers. - network.trr.disable-ECS -> true

• Sending headers for DoH requests are now explicitly disabled. - network.trr.send_accept-language_headers & network.trr.send_user-agent_headers -> false, network.trr.send_empty_accept-encoding_headers -> true

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.22.2

---

• Google Safe Browsing is now proxied on all Phoenix installations, regardless of platform. :D - This proxy is set-up using the servers we've set up for IronFox - which are hosted on Cloudflare (on our bucket located in the EU's jurisdiction...). You can see the source code behind our proxy here.

• DESKTOP: Fixed a bug that prevented users from installing extensions from addons.mozilla.org until refreshing the page.

• DESKTOP: Disabled HaGeZi's Badware Hoster Blocklist in uBlock Origin by default, due to causing too much breakage.

• DESKTOP: Enabled BadBlock - Click Tracking & Dandelion Sprout's Annoyances List in uBlock Origin by default.

• DESKTOP: Blocked the use of specific broad whitelists in uBlock Origin, that were only designed for/meant to be used on the DNS level.

• DESKTOP: Switched the links for HaGeZi's filterlists in uBlock Origin to use Codeberg, rather than GitLab (due to Codeberg's superior privacy policy...).

• DESKTOP: Added preferences back to phoenix.cfg, as some preferences appear to not take effect unless set there. We're still also keeping preferences set in phoenix.js though, for consistency and defense in depth.

• Other minor tweaks and improvements.

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.22.1

---

• Extensions/themes are now checked for updates hourly by default rather than once every 24 hours... - extensions.update.interval -> 3600

• Timestamps are now shown in the web console by default. - devtools.webconsole.timestampMessages -> true

• DESKTOP: Google Safe Browsing is now proxied by default! :) It's using the servers we've set up for IronFox - which are hosted on Cloudflare (on our bucket located in the EU's jurisdiction...). Hopefully these will be working on Android soon.

• DESKTOP: Enabled Firefox's newer Felt privacy design for Private Browsing & Certificate Errors (browser.privatebrowsing.felt-privacy-v1 & security.certerrors.felt-privacy-v1 -> true)

• DESKTOP: Moved Phoenix's preferences from phoenix.cfg to phoenix.js, meaning our prefs are now applied globally at a single location.

• Heavily refined the overall build process, as well as did lots of minor tweaks, enhancements, clean-up, and re-organization.

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.20.2

---

• Enabled Cookies Having Independent Partitioned State (CHIPS) by default - network.cookie.CHIPS.enabled -> true

• Enabled Smartblock Embeds/Placeholders by default - extensions.webcompat.smartblockEmbeds.enabled -> true

• ANDROID: Explicitly enabled a couple more ETP Strict protections - network.cookie.cookieBehavior.optInPartitioning.pbmode & network.cookie.cookieBehavior.trackerCookieBlocking -> true

• DESKTOP: Added an Unload tab option to the context menu when right clicking tabs - browser.tabs.unloadTabInContextMenu -> true

• DESKTOP: Fixed syntax errors with phoenix.js and policies.json... 😅

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.20.1

---

• Enabled light mode by default as part of our new approach to fingerprinting protection (as this matches ex. RFP)... - layout.css.prefers-color-scheme.content-override -> 1

• Updated specialized configs to use our new approach to fingerprinting protection. - (https://codeberg.org/celenity/Phoenix/issues/46)

• Explicitly disabled prefetching via proxy. - network.dns.prefetch_via_proxy -> false

• Explicitly disabled TLS 1.3 0-RTT for HTTP3. - network.http.http3.enable_0rtt -> false

• URLbar entries no longer open in new tabs by default. - browser.urlbar.openintab

• Removed the annoying Import data from another browser default bookmark - DisableProfileImport -> true

• Always ask is now shown in the permissions dropdown for camera and microphone (if that's their current status) - permissions.media.show_always_ask.enabled -> true

• Updated references to our Hardened config to Extended.

• ETP WebCompat is no longer disabled in our Extended configs, as it's harmless and actually useful. (We still disable dFPI heuristics though...) - privacy.antitracking.enableWebcompat

• Specialized configs are now based off of Extended No-Sync instead of No-Sync. The build process itself for specialized configs has also been heavily improved, and unnecessary prefs were removed.

• DESKTOP: Permission for websites to override keyboard shortcuts is now only blocked on Extended by default rather than all configs. - permissions.default.shortcuts

• DESKTOP - EXTENDED: WebRTC hardening prefs are now unlocked and can be manually toggled by users if desired. - media.peerconnection.ice.default_address_only & media.peerconnection.ice.no_host

• DISCORD & ELEMENT specialized configs: Permission to override keyboard shortcuts is no longer blocked by default. - permissions.default.shortcuts -> 0

• YOUTUBE specialized config: Fixed syntax errors.

• Replaced the browser.phoenix.*.applied prefs with browser.phoenix.*.status prefs - as this is far cleaner and easy to manage (as well as better organized...)

• Other minor tweaks, fixes, and enhancements...

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)

2025.01.19.1

---

• Changed our approach to fingerprinting protection - See https://codeberg.org/celenity/Phoenix/issues/46 for details.

• Unlocked the majority of preferences we previously had locked - See https://codeberg.org/celenity/Phoenix/issues/47 for details, as well as for the list of preferences we still lock...

• Disabled failIfMajorPerformanceCaveat in WebGL contexts due to fingerprinting concerns. - `webgl.disable-fail-if-major-performance-caveat' -> 'true'

• We no longer disable memory caching, as it can cause breakage in certain contexts, and there's simply no real benefit it brings (Not even Tor Browser sets this...). - browser.cache.memory.enable & browser.cache.memory.capacity

• Disabled the use of third-party/OS level root certificates. This is commonly abused by malware (including garbage antiviruses...) and these certificates are added to MITM traffic without user knowledge/consent. Users can still manually import their own certificate into Firefox's built-in certificate store - which I think is acceptable, because at least users this way are aware of the certificate(s) they're importing and why... - security.certerrors.mitm.auto_enable_enterprise_roots & security.enterprise_roots.enabled -> false

• We no longer enable CSS grid Masonry layout, as it could be fingerprintable (and generally best to just leave up to upstream...) - layout.css.grid-template-masonry-value.enabled

• We now explicitly disable JIT (Ion/WarpMonkey) for extensions. We already did by default, but since we now manually set it, it's exposed in the about:config for users to toggle if desired. - javascript.options.jit_trustedprincipals -> false

• Switched the target video resolution (when using Firefox's fingerprinting protection from 480p to 1080p - This is also the default on Nightly, and provides for a far better experience... - privacy.resistFingerprinting.target_video_res -> 1080

• Enabled Firefox's Cosmetic + UI Animations. Firefox already does this by default, but since we now manually set it, it's exposed in the about:config for users to toggle if desired. - toolkit.cosmeticAnimations.enabled -> true, ui.prefersReducedMotion -> 1

• Desktop: Removed more Mozilla URL tracking paramaters :/ - `browser.contentblocking.report.monitor.url' -> 'https://monitor.firefox.com/' & 'browser.contentblocking.report.monitor.sign_in_url' -> 'https://monitor.firefox.com/oauth/init'

• Android: Enabled Safe Browsing by default using Android's specific prefs. - browser.safebrowsing.features.malware.update & browser.safebrowsing.features.phishing.update -> true

• Lots of clean-up and unnecessary prefs removed + re-organization

• Other minor tweaks, fixes, and enhancements...

---

Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.

---

:)