Releases: celenityy/Phoenix

2025.03.05.1

06 Mar 06:27
b699463

  • DESKTOP: Added Mullvad Leta back as a default search engine, as it's now free to use

  • DESKTOP: Spoofed the HTTP User Agent in all Phoenix configs by default - https://codeberg.org/celenity/Phoenix/issues/53

  • DESKTOP: Stopped clearing cookies on exit by default *(This was Phoenix's intended behavior, but recent changes in Firefox 136 caused issues...) - privacy.clearOnShutdown.cookies, privacy.clearOnShutdown.offlineApps, & privacy.clearOnShutdown_v2.cookiesAndStorage -> false

  • Temporarily disabled Trusted Types by default, as it's unfortunately still too buggy/experimental... - dom.security.trusted_types.enabled -> false - ex. https://codeberg.org/celenity/Phoenix/issues/70

  • ANDROID: Unlocked HTTPS-Only Mode preferences, as it's unfortunately not yet possible to add exceptions like on desktop... - (dom.security.https_only_mode & dom.security.https_only_mode_pbm) - https://gitlab.com/ironfox-oss/IronFox/-/issues/48

  • Enabled insecure form field warnings, even on local IP addresses - security.insecure_field_warning.ignore_local_ip_address -> false

  • Added new sanitization preferences to accommodate recent changes in Firefox 136 - privacy.clearHistory.browsingHistoryAndDownloads, privacy.clearHistory.formdata, privacy.clearSiteData.browsingHistoryAndDownloads, privacy.clearSiteData.formdata, privacy.clearOnShutdown_v2.browsingHistoryAndDownloads, privacy.clearOnShutdown_v2.downloads, privacy.clearOnShutdown_v2.formdata, privacy.cpd.downloads, privacy.cpd.formdata, privacy.cpd.history, & privacy.cpd.sessions -> true

  • DESKTOP: Disabled clearing cookies at about:preferences#privacy -> Cookies and Site Data -> Manage Data... by default (as it ignores Allow exceptions...) - privacy.clearHistory.cookiesAndStorage, privacy.clearSiteData.cookiesAndStorage, privacy.cpd.cookies, & privacy.cpd.offlineApps -> false

  • SPECIALIZED CONFIGS: Re-enabled the Bookmarks Toolbar by default, but set to only show on new tabs (about:home) - browser.toolbars.bookmarks.visibility -> newtab

  • Other minor tweaks, fixes, clean-up/organization, & enhancements


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.02.28.1

28 Feb 18:33
cf48119

⚠️ ALL DESKTOP USERS ARE RECOMMENDED TO UPDATE TO THIS RELEASE ASAP. This release mitigates CVE-2025-27091 (high severity) from Firefox upstream, which Mozilla has not yet fixed...


  • Disabled OpenH264 to mitigate CVE-2025-27091, and due to other security concerns... - media.ffmpeg.allow-openh264, media.gmp-gmpopenh264.enabled, media.gmp-gmpopenh264.provider.enabled, & media.gmp-gmpopenh264.visible -> false

  • Temporarily disabled Download Spam Prevention by default, as it's unfortunately still too buggy/experimental... - browser.download.enable_spam_prevention -> false

  • DESKTOP: Fixed a bug that prevented uBlock Origin's assets.json from updating after first set-up - Note that you MUST reset uBlock Origin by navigating to Settings -> Reset to default settings... to receive the updated configuration. You can back up your current settings using the Back up to file... option, and restore your settings after the reset is complete with the Restore from file... option. Apologies for any inconvenience, the fix here should help ensure this isn't a problem in the future...

  • DESKTOP: Disabled the ability for uBlock Origin's built-in filterlists to use filters requiring trust, due to security concerns.

  • DESKTOP: Added new filterlists to uBlock Origin that allow the user to block SVG, WebGL, WebGPU, and WebRTC per-site. Users are highly recommended to use these filters (with the exception of WebGPU - very few websites use it so we fully disable it via dom.webgpu.enabled, though this filter may prove useful for the future if WebGPU does become adopted...), and see if it suits them - due to the significant privacy & security advantages. Block SVG is located under Malware protection, security, while Block WebGL and Block WebRTC are located under Multipurpose. This is especially important for Phoenix Extended users, as it's likely we'll stop completely disabling WebGL (webgl.disabled) in the future, due to this list. - Please report any breakage caused by these lists here.

  • Hardened extension CSP policies to disable WebAssembly (without breaking Firefox Translations... ;)) & upgrade insecure network requests - https://codeberg.org/celenity/Phoenix/commit/58eca0f015c2beacc216182085ddcc37e0348064

  • Enabled Add-on Distribution Control (Install Origins) by default - extensions.install_origins.enabled -> true

  • Enabled the Sanitizer API by default - dom.security.sanitizer.enabled -> true

  • Set Firefox to sync with Remote Settings hourly, rather than once a day by default, as Remote Settings is used for various security-critical functionality (Ex. CRLite/revocation checks, malicious add-on blocklists, etc), so we want to make sure users are up to date ASAP - services.settings.poll_interval -> 3600

  • DESKTOP: The Firefox logo is now hidden on about:home by default - browser.newtabpage.activity-stream.logowordmark.alwaysVisible -> false

  • SPECIALIZED CONFIGS: Stopped automatically loading websites on browser launch - as uBlock Origin is unfortunately unable to filter on the profile's first launch

  • SPECIALIZED CONFIGS: The search bar is now hidden from about:home by default - browser.newtabpage.activity-stream.showSearch -> false

  • Other minor tweaks, fixes, & enhancements


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)
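
One way to confirm that the OpenH264 mitigation and the other preference changes listed for 2025.02.28.1 actually reached a config file (an added example, not part of Phoenix or of these release notes): it parses autoconfig/prefs.js-style calls and compares them with the values stated above. The sample file content is constructed, and "last assignment in the file wins" is a simplifying assumption that ignores lock precedence.

```python
import re

# Expected values copied from the 2025.02.28.1 notes above.
EXPECTED = {
    "media.ffmpeg.allow-openh264": False,
    "media.gmp-gmpopenh264.enabled": False,
    "media.gmp-gmpopenh264.provider.enabled": False,
    "media.gmp-gmpopenh264.visible": False,
    "extensions.install_origins.enabled": True,
    "dom.security.sanitizer.enabled": True,
    "services.settings.poll_interval": 3600,
}

# One call per line, e.g.  lockPref("name", value);  // optional comment
PREF_CALL = re.compile(
    r'^\s*(?:user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,'
    r'\s*(.+?)\s*\)\s*;?\s*(?://.*)?$'
)


def parse_value(raw):
    """Convert the literal from a pref call into bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    raise ValueError(f"unsupported pref literal: {raw!r}")


def parse_prefs(text):
    """Return {name: value}; commented-out and unparsable lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_CALL.match(line)
        if not m:
            continue
        try:
            prefs[m.group(1)] = parse_value(m.group(2))
        except ValueError:
            continue
    return prefs


def audit(text, expected=EXPECTED):
    """List (name, status, wanted, found) for every pref that is off."""
    actual = parse_prefs(text)
    findings = []
    for name, want in expected.items():
        if name not in actual:
            findings.append((name, "missing", want, None))
            continue
        got = actual[name]
        # Compare types too, so that 0 is not accepted in place of false.
        if type(got) is not type(want) or got != want:
            findings.append((name, "mismatch", want, got))
    return findings


# Constructed sample input, not Phoenix's real config file.
SAMPLE_CFG = '''
// constructed sample
pref("media.ffmpeg.allow-openh264", false);
lockPref("media.gmp-gmpopenh264.enabled", false);
pref("media.gmp-gmpopenh264.provider.enabled", true);   // drifted back on
// pref("media.gmp-gmpopenh264.visible", false);
defaultPref("extensions.install_origins.enabled", true);
pref("dom.security.sanitizer.enabled", true);
pref("services.settings.poll_interval", 86400);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```
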

2025.02.21.1

22 Feb 04:43
df05b78

  • Re-enabled WebAssembly (WASM) for extensions (when WASM is disabled) to unbreak Firefox Translations - javascript.options.wasm_trustedprincipals -> true - https://codeberg.org/ironfox-oss/IronFox/issues/15

  • DESKTOP: Removed Ecosia, Qwant, and Qwant Junior as default search engines, due to privacy concerns

  • DESKTOP (Flatpak): Added support for Phoenix Extended & specialized configs - (See updated instructions here and here)

  • DESKTOP (macOS): Fixed an issue that prevented Phoenix Extended & specialized configs from being properly applied in certain cases

  • DESKTOP: Added specialized configs for Apple Maps & Google Maps

  • SPECIALIZED CONFIGS: Disabled PDF.js by default - pdfjs.disabled -> true

  • SPECIALIZED CONFIGS: Disabled tab hover previews by default - browser.tabs.hoverPreview.enabled & browser.tabs.hoverPreview.showThumbnails -> false

  • SPECIALIZED CONFIGS: Enabled cursor (arrow key) navigation by default - accessibility.browsewithcaret -> true

  • Enabled H264 hardware decoding by default - media.webrtc.hw.h264.enabled -> true

  • DESKTOP (non-macOS): All preferences have been removed from phoenix.cfg & policies.json - now they are all configured exclusively by phoenix-desktop.js to improve organization & efficiency.

  • DESKTOP (macOS): All preferences have been removed from policies - now they are all configured exclusively by phoenix.cfg, to improve organization & efficiency.

  • DESKTOP: Removed unnecessary entries from our built-in cookie blocklist to improve performance

  • Other minor tweaks, fixes, & enhancements


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.02.18.1

19 Feb 04:44
c8c8254

Phoenix now officially supports Flatpaks! 🎉. Simply install phoenix-flatpak rather than phoenix or phoenix-arch from your package manager. If you prefer, you can also just run the installation script - where Flatpaks have now also been added as an option after selecting your distribution.

The only caveat is that your Firefox Flatpak must be installed on the system level. We unfortunately don't yet support user Flatpaks, but we're hoping to in the near future.

Additionally, Phoenix for macOS has significantly improved. Most notably, you are no longer required to give your Terminal the App Management permission to receive updates, resulting in a significant security improvement for your system.

NOTE: To continue receiving updates, macOS users must run the migration script with the command below, depending on your location of Firefox:

System:

bash -c "$(wget -O- https://codeberg.org/celenity/Phoenix/raw/branch/pages/macos/migration/system.sh 2>/dev/null)"

User:

bash -c "$(wget -O- https://codeberg.org/celenity/Phoenix/raw/branch/pages/macos/migration/user.sh 2>/dev/null)"

After running the migration script, macOS users must also run the new installation script:

bash -c "$(wget -O- https://codeberg.org/celenity/Phoenix/raw/branch/pages/installer_scripts/macos_install.sh 2>/dev/null)"

Apologies for any inconvenience caused here... but I hope this major security improvement and step forward for Phoenix will make up for it. ;)


  • Disabled automatic updates for OpenSearch engines by default due to security & privacy concerns - browser.search.update -> false

  • Disabled timezone spoofing (-JSDateTimeUTC) for chipotle.com to fix order confirmation/estimated arrival times by default

  • DESKTOP: Specified type for preferences configured in policies to ensure that they are always set correctly...

  • DESKTOP: Specified specific add-on IDs in links for extensions installed from the AMO in our recommendations and policies - (Credit to Brace)

  • SPECIALIZED CONFIGS: Disabled geolocation, narrator, and tab groups by default - browser.tabs.groups.enabled, geo.provider.use_corelocation, geo.provider.use_geoclue, & narrate.enabled -> false, geo.provider.network.url ->

  • Removed various (mostly regional) search engines with questionable privacy practices for ESR/Thunderbird (Dove) - https://codeberg.org/celenity/Phoenix/commit/fdb894425fc4ac5dcfd0fa284fe289ecd1980266

  • Organized and cleaned up more preferences...

  • Other minor tweaks, fixes, & adjustments


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.02.14.1

15 Feb 01:10
9bcab2e

  • DESKTOP: Disabled the Windows Media Foundation Engine for video playback, due to display issues encountered by some users (notably on www.youtube.com) - media.wmf.media-engine.enabled -> 0

  • DESKTOP: Disabled sharing unnecessary version info as part of Firefox Sync - services.sync.sendVersionInfo -> false

  • DESKTOP: Enabled Tab Groups by default - browser.tabs.groups.enabled -> true

  • Updated the default list of languages automatically translated with Firefox Translation - browser.translations.alwaysTranslateLanguages -> bg,ca,cs,da,de,el,en,es,et,fi,fr,hr,hu,id,it,ja,ko,lv,lt,nl,pl,pt,ro,ru,sk,sl,sr,sv,tr,uk,vi,zh-Hans

  • DESKTOP: Disabled sidebar animations by default to improve Firefox's performance and responsiveness - sidebar.animation.enabled -> false

  • Removed various (mostly regional) search engines with questionable privacy practices for ESR/Thunderbird (Dove) - https://codeberg.org/celenity/Phoenix/commit/fdb894425fc4ac5dcfd0fa284fe289ecd1980266

  • Organized and cleaned up more preferences...

  • Other minor tweaks, fixes, & adjustments


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.02.13.1

13 Feb 08:44
6034e8f

The major focus of this release has been boring, under the hood changes - with the goal to clean up Phoenix and remove unnecessary preferences/files/etc.


  • DESKTOP: Our configuration of uBlock Origin has been tweaked to significantly improve performance and efficiency. Specifically, we disabled HaGeZi's Threat Intelligence Feeds by default in favor of HaGeZi's Threat Intelligence Feeds - Mini, disabled HaGeZi - Multi PRO++ by default in favor of HaGeZi - Multi ULTIMATE - Mini, and disabled Dandelion Sprout's Annoyances List by default. Additionally, the HaGeZi - Fake, HaGeZi - Multi PRO mini, HaGeZi - Multi PRO++ mini, and HaGeZi - Pop-up Ads lists have been added to the built-in selection of filterlists, but are not enabled by default. Note that you may need to reset uBlock Origin by navigating to Settings -> Reset to default settings... to receive the updated configuration. You can back up your current settings using the Back up to file... option, and restore your settings after the reset is complete with the Restore from file... option

  • Firefox Sync has been configured to not sync any items by default, meaning nothing is synced without explicit user consent (controlled via the checkboxes at about:preferences#sync) - services.sync.engine.addons, services.sync.engine.addresses, services.sync.engine.bookmarks, services.sync.engine.creditcards, services.sync.engine.history, services.sync.engine.passwords, services.sync.engine.prefs, & services.sync.engine.tabs -> false

  • If Web Assembly (WASM) is disabled (javascript.options.wasm), WASM is now also disabled for extensions - javascript.options.wasm_trustedprincipals -> false

  • Disabled adding downloads to recent documents by default - browser.download.manager.addToRecentDocs -> false

  • DESKTOP: Disabled certain UI animations by default to improve Firefox's performance and responsiveness - ui.panelAnimations & ui.swipeAnimationEnabled -> 0, ui.prefersReducedMotion -> 1

  • DESKTOP: Disabled Windows Media Foundation for protected content (DRM), but also enabled it for standard content - media.wmf.media-engine.enabled -> 3

  • Set toolkit.telemetry.log.level, ui.hideCursorWhileTyping, ui.prefersReducedTransparency, ui.scrollToClick, & ui.useAccessibilityTheme to their default values, so that they can be easily set in the about:config... - toolkit.telemetry.loglevel -> Error, ui.prefersReducedTransparency & ui.useAccessibilityTheme -> 0, ui.scrollToClick -> 1

  • YOUTUBE SPECIALIZED CONFIG: Disabled Trusted Types by default due to issues with Picture-in-Picture - dom.security.trusted_types.enabled -> false

  • Various other tweaks, fixes, enhancements, and adjustments.


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.02.01.1

01 Feb 02:26
b26305e

  • DESKTOP: Rather than automatically grabbing the latest version of our assets.json configuration file for uBlock Origin, we now specify a specific commit and download it directly from Phoenix's Codeberg repo. This helps to improve trust/transparency and security, by ensuring the file is only updated with the rest of Phoenix (rather than updating on its own) - meaning it's easier to audit, and keeps the user always in control. - assetsBootstrapLocation (Policy) & librewolf.uBO.assetsBootstrapLocation -> https://codeberg.org/celenity/Phoenix/raw/commit/08d147ee865c1d740540e8ec83c758d7a4df3e8b/uBlock/assets.json - https://codeberg.org/celenity/Phoenix/issues/48#issuecomment-2665313 #4 (comment)

  • DESKTOP: Similar to the assets.json file, we now also specify both a specific commit and specific version for our included search engines/'extensions' in policies.json, and we explicitly disable automatic/out of band updates for them - meaning these 'extensions' are now also only updated alongside the rest of Phoenix, and never on their own. This further helps to improve transparency/auditability and protect users. - https://codeberg.org/celenity/Phoenix/issues/48#issuecomment-2665313 #4 (comment)

  • DESKTOP: Similar to what we've already been doing on Android, we now manually enable various ETP/ETP Strict tracking protections/features. We still enable & enforce ETP Strict itself (meaning we're still covered by Mozilla's updates/enhancements); but unfortunately, Firefox doesn't honor/configure ETP Strict on its first launch, so we need to ensure we also enable these protections manually to always protect users. - https://codeberg.org/celenity/Phoenix/commit/4a6e135e3647ef34021e3786f28cc64914554335

  • Set browser.policies.loglevel, geo.provider.network.logging.enabled, & permissions.memory_only to their default values, so that they can be easily set in the about:config... - browser.policies.loglevel -> error, geo.provider.network.logging.enabled & permissions.memory_only -> false

  • Disabled the Beacon API (Navigator.sendBeacon) - beacon.enabled -> false - https://codeberg.org/celenity/Phoenix/commit/a3d7322f5de7fe72bf12753e2fa685497a827bcf

  • Other minor tweaks, fixes, and enhancements.


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)
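
The commit-pinning described in the 2025.02.01.1 notes can be checked mechanically. The following added example (not Phoenix's own code) walks a policies.json-style document, flags raw repository URLs that follow a branch or tag instead of a full commit hash, and flags ExtensionSettings entries that carry an install_url without updates_disabled set to true. The JSON layout, the extension IDs and the example/repo URLs are constructed for illustration; how Phoenix actually lays out its policies is an assumption here.

```python
import json
import re

# Forgejo/Gitea-style raw URL: https://host/owner/repo/raw/<kind>/<ref>/<path>
RAW_URL = re.compile(
    r"^https://[^/]+/[^/]+/[^/]+/raw/(branch|tag|commit)/([^/]+)/.+$"
)
FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def classify(url):
    """Return 'pinned', 'floating' or 'other' for a URL string."""
    m = RAW_URL.match(url)
    if not m:
        return "other"
    kind, ref = m.groups()
    # Branches and tags can move; abbreviated hashes are treated as floating.
    if kind == "commit" and FULL_SHA1.match(ref):
        return "pinned"
    return "floating"


def walk(node, path=""):
    """Yield (json_path, string_value) for every string in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node


def audit_policies(doc):
    """Return a list of (json_path, issue) tuples."""
    findings = []
    for path, value in walk(doc):
        if classify(value) == "floating":
            findings.append((path, "raw URL not pinned to a full commit hash"))
    settings = doc.get("policies", {}).get("ExtensionSettings", {})
    for ext_id, entry in settings.items():
        if (isinstance(entry, dict) and "install_url" in entry
                and entry.get("updates_disabled") is not True):
            findings.append((f"/policies/ExtensionSettings/{ext_id}",
                             "updates_disabled is not true"))
    return findings


# Constructed sample; only the assets.json URL is taken from the notes above.
SAMPLE_POLICIES = json.loads("""
{"policies": {
  "uBlock": {"assetsBootstrapLocation":
    "https://codeberg.org/celenity/Phoenix/raw/commit/08d147ee865c1d740540e8ec83c758d7a4df3e8b/uBlock/assets.json"},
  "ExtensionSettings": {
    "search-a@example.invalid": {
      "install_url": "https://codeberg.org/example/repo/raw/commit/0123456789abcdef0123456789abcdef01234567/a.xpi",
      "updates_disabled": true},
    "search-b@example.invalid": {
      "install_url": "https://codeberg.org/example/repo/raw/branch/main/b.xpi"}
  }}}
""")

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES):
        print(finding)
```
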

2025.01.30.1

30 Jan 18:54
9eafb88

  • DESKTOP: After careful consideration, Phoenix's default search engine is now DuckDuckGo. While not perfect, we believe DuckDuckGo has a strong track record and solid reputation for protecting user privacy, and we believe it's simply the most trustworthy/reputable privacy-respecting search engine currently available. Brave Search has been removed from Phoenix, though it can still be manually added from Brave's website if desired.

  • DESKTOP: Paid search engines have been removed from Phoenix by default. This includes Kagi, Kagi HTML, MetaGer, Mullvad Leta (Brave), & Mullvad Leta (Google). Users who pay for these search engines can still manually add them if desired.

  • DESKTOP: We now include our own recommended extensions and themes in the Recommendations tab of about:addons! See here for details on what extensions are included, why, and the criteria for inclusion. Feel free to make suggestions if we're missing an extension or theme you'd like to see!

  • DESKTOP: We no longer enforce autoUpdate, autoUpdatePeriod, cnameUncloakEnabled, hyperlinkAuditingDisabled, prefetchingDisabled, & suspendUntilListsAreLoaded for uBlock Origin in our policies.json, as these settings are already uBlock Origin's defaults, and configuring them like this unfortunately locks the setting and prevents users from overriding if desired. Hopefully uBlock Origin will add support for configuring settings as only the default, rather than only having the option to enforce them (uBlockOrigin/uBlock-issues#3538). - https://codeberg.org/celenity/Phoenix/issues/56

  • Disabled spoofing locale to en-US for all configs by default, due to usability concerns for non-English speakers. - privacy.spoof_english -> 0 (We still recommend spoofing your locale if you are fluent in English by setting privacy.spoof_english in your about:config back to 2)

  • Added various new granular FPP overrides - see here and here for details.

  • ANDROID: Removed our FPP override for apple.com, as Apple Maps simply isn't supported on Android, so it's unnecessary. - privacy.fingerprintingProtection.granularOverrides ->

  • DESKTOP: uBlock Origin is now enabled in private windows by default, and our search 'extensions' are explicitly disabled in private windows. It should be noted that this currently only works on Nightly.

  • Our search 'extensions' are now explicitly blocked from accessing restricted domains. - https://codeberg.org/celenity/Phoenix/commit/6dd7570be8d7a861995131cae0e0f37f5135d8ea

  • ANDROID: Explicitly enabled SmartBlock - extensions.webcompat.enable_shims, extensions.webcompat.perform_injections, & extensions.webcompat.perform_ua_overrides -> true

  • EXTENDED: WebRTC will now only use TURN servers/relays, rather than connecting via peer to peer directly. - media.peerconnection.ice.relay_only -> true

  • DESKTOP: WebXR is still blocked by default, but it is now unlocked so that users may use it if desired.

  • Explicitly disabled unprivileged extensions from accessing experimental APIs by default - extensions.experiments.enabled -> false

  • Added an additional pref to ensure Early Hints are properly disabled - network.early-hints.over-http-v1-1.enabled -> false

  • Enforced the use of Firefox's built-in certificates for installation & updates of extensions - extensions.install.requireBuiltInCerts & extensions.update.requireBuiltInCerts -> true

  • Prevented automatic scanning/installation/enabling of extensions in Firefox's application directory - extensions.installDistroAddons -> false

  • DESKTOP: Removed superfluous WebsiteFilter policy.

  • YOUTUBE SPECIALIZED CONFIG: Disabled WebRTC for attack surface reduction - media.peerconnection.enabled -> false

  • SPECIALIZED CONFIGS: Hardened WebRTC and updated the WebRTC overrides where needed to reflect changes described above - See ex. https://codeberg.org/celenity/Phoenix/commit/7a5892bb8da259de6d510347f2d49643f40e169c for details.

  • Other minor tweaks, fixes, and enhancements.


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.01.27.1

27 Jan 01:42
74b69c2

  • ANDROID: Re-enabled the JIT Baseline Interpreter by default to fix severe performance issues. We still disable the JIT Baseline Interpreter on desktop, and even on Android, we still disable JIT via various other prefs. - javascript.options.blinterp -> true

  • ANDROID: Manually enabled more ETP/ETP Strict protections - privacy.annotate_channels.strict_list.enabled, privacy.annotate_channels.strict_list.pbmode.enabled, privacy.partition.network_state, privacy.partition.serviceWorkers, privacy.query_stripping.redirect, & privacy.reduceTimerPrecision -> true

  • Disabled sending 'daily usage pings' to Mozilla - datareporting.usage.uploadEnabled -> false

  • Disabled CAPTCHA Detection Pings - captchadetection.actor.enabled -> false, captchadetection.loglevel -> Off

  • Added additional prefs to prevent cross-origin sub-resources from opening HTTP authentication dialogs (These are especially important for ex. Thunderbird...) - network.auth.non-web-content-triggered-resources-http-auth-allow & network.auth.subresource-img-cross-origin-http-auth-allow -> false

  • Disabled automatically clearing net monitor and web console log messages after page reloads/navigation - devtools.netmonitor.persistlog & devtools.webconsole.persistlog -> true

  • Syntax is now highlighted when viewing page sources (view-source:) - view_source.syntax_highlight -> true


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)

2025.01.24.1

24 Jan 14:32
c13774f

FYI: Users who manually installed Phoenix on macOS or GNU/Linux who used the sudo mv commands from the README are highly recommended to reinstall Phoenix with the updated steps, due to potential security issues. Thank you to doomedguppy for discovering & reporting this issue, and thank you to @Modaresisofthard for the prompt response and fix.


  • Regardless of Firefox's DoH mode, we now always warn before falling back to the system's native DNS by default. - network.trr.display_fallback_warning & network.trr_ui.show_fallback_warning_option -> true

  • Disabled Firefox's nonfunctional, legacy Safe Browsing API to ensure it's never used and for defense in depth. It's also now explicitly labeled in the case it is ever used for whatever reason. - browser.safebrowsing.provider.google.advisoryName -> Google Safe Browsing (Legacy), browser.safebrowsing.provider.google.gethashURL & browser.safebrowsing.provider.google.updateURL ->

  • Explicitly enabled Firefox's native collector for sessionstore, as the old implementation is incompatible with per-site process isolation (Fission). - browser.sessionstore.disable_platform_collection -> false

  • Added additional prefs to ensure Firefox's Cookie Banner Blocking is properly enabled and fully functional. - cookiebanners.cookieInjector.enabled & cookiebanners.service.enableGlobalRules.subFrames -> true

  • Explicitly disabled EDNS Client Subnet (ECS) by default to prevent leaking general location data to authoritative DNS servers. - network.trr.disable-ECS -> true

  • Sending headers for DoH requests is now explicitly disabled. - network.trr.send_accept-language_headers & network.trr.send_user-agent_headers -> false, network.trr.send_empty_accept-encoding_headers -> true


Codeberg: See here for more details.

GitLab: See here for more details.

GitHub: See here for more details.


:)