This is a development, bugfix and security update.
New features:
- Implemented ES2018 Proxy ownKeys duplicate-key invariant.
- Implemented ES2022 Error.cause property.
- Implemented support for oklab and oklch color spaces in CSS.
- Implemented ES2024 object.GroupBy.
- Implemented the remainder of the ES2023 Change Array by Copy proposal (toSpliced(), with(), and TypedArray versions of toReversed(), toSorted() and with()).
- Implemented AudioNode constructors.
- Implemented support for nested CSS grammar.
- Implemented the window.MathMLElement global.
Changes/fixes:
- Fixed a crash related to WeakRef use.
- Fixed stack exhaustion crashes as a result of top-level await in modules.
- Updated our expat parser library to 2.7.4, fixing various issues.
- Updated url.CanParse() to allow custom schemes.
- Updated document.currentScript to align with the currently used spec.
- Fixed a crash due to infinite recursion.
- Fixed a crash on MacOS due to WebGL attribute arrays.
- Fixed a crash related to pointer @media queries in CSS.
- Fixed a crash related to the spellchecker when handling input fields in Shadow DOM.
- Future-proofed whitespace handling in ParseDate in light of Unicode variable whitespace use.
- Removed irrelevant plugin preferences when plugin support isn't built into the browser (non-standard builds/forks).
- Improved support for the mimalloc memory allocator.
- Improved support for LoongArch CPUs.
- Added special handling for certain MacOS system fonts.
- Removed leftover code for unsupported Itanium, 32-bit Sparc and other old architectures.
- Added a workaround for CloudFlare image resizing, since it requires more opaque URL handling to function.
This workaround is controlled with the new preference network.url.cloudflare_image_resizing.enabled (default true). See implementation notes.
- Security issues addressed: CVE-2026-4707 (DiD), CVE-2026-4690 (DiD), CVE-2026-4727 (DiD), and others without a CVE designation.
A note that Mozilla-relevant security issues CVE-2025-59375 and CVE-2026-4726 had already been addressed in the browser before this release.
Implementation notes:
- CloudFlare offers an image resizing service to its clients, which takes a complex string in the URL to control the resizing process. The workaround implemented in this version will treat anything after /cdn-cgi/image/ as opaque path data (on all websites, considering the wide-spread nature of CloudFlare as a CDN, on many top-level domains). Without this workaround, image resizing like this does not work and results in HTTP 403 (forbidden) errors.
This workaround does break with our normal way of parsing URLs, so if it causes trouble with sites with this particular path prefix, try changing the preference (to false, to disable this workaround) and see if it helps, and let us know (on the forum or repo).
