Changes/fixes:
- Fixed a spec compliance issue with IDN that could potentially cause confusion of domain names.
- Fixed several intermittent thread sanity issues. DiD
- Fixed a potential UAF risk in certain situations in networking. DiD
- Fixed a potential crash risk (not exposed). DiD
- Fixed a potential spoofing risk using form validation. (CVE-2021-38508)
- Fixed a script sandbox escape issue through XSLT. (CVE-2021-38503)
- Added a preference to enable compatibility mode with earlier TLS 1.3 specifications. See implementation notes.
- Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 1 already applied, 4 DiD, 7 not applicable.
Implementation notes:
- A preference (security.ssl.enable_tls13_compat_mode) was added to allow users to enable TLS 1.3 compatibility mode that uses an older draft specification of the protocol. A restart of the browser is required when you change this preference. Please note that you should only use this option if you strictly require it for e.g. outdated proxies, load-balancers or middleware, as it potentially weakens your connection security.
- FUEL was removed (again). If extensions that used FUEL weren't updated to account for this since the clear warning 3 months ago when we removed it in 29.4.0 and temporarily reinstated it to give extension developers more time to address this issue, then they will no longer function properly with this release.