21 Apr 2026

feedPlanet Mozilla

Mozilla Performance Blog: Telemetry Alerting Beta Announcement

We're happy to announce that the Telemetry Alerting beta is now open to everyone!

Monitoring for changes in telemetry probes that you own can be difficult to do on a regular and continuous basis. With telemetry alerting, that changes today! You can now quickly set up your timing distribution probes for automated monitoring on Windows with notifications through email or a Bugzilla bug.

To get started, if you only need email alerts, simply add monitor: True to the metadata section of your probe (example).

Example of an email alert.

If you would prefer to receive Bugzilla bugs when a change is detected, set the monitor field like so (example):

monitor:
 alert: True
 lower_is_better: True/False # Optional
 bugzilla_notification_emails:
 - <YOUR-BUGZILLA-EMAIL-HERE>

Example of an alert bug.

More information about telemetry alerting, and how to set up a probe can be found here in the documentation. There's also a dashboard that can show you all of the existing telemetry alerts along with some detection information. For now, we only support change detection on Windows for `timing_distribution` probes (see here for other desktop platforms, and android).

Please note that this is an open beta and we are actively looking for feedback on this system. If you hit any issues, or have any suggestions feel free to file a bug in the Testing :: Performance component or reach out to us in either #perf-help on Slack or in #perftest on Matrix.

Special thanks to Eduardo Filho for his support on the telemetry probe side, to Bas Schouten for his guidance and work on the CDF Squared detection technique, and to Andrej Glavic and Beatrice Acasandrei for their help in reviewing the Treeherder changes.

For a more detailed look at how this works, see this blog post.

21 Apr 2026 7:58pm GMT

The Mozilla Blog: What’s new in Firefox mobile: Less clutter, more control and a free built-in VPN

Mobile browsing hasn't kept up with how people actually use their phones.

Right now, even basic tasks can feel harder than they should. Finding what you need can mean scrolling through ads and filler content, keeping track of too many tabs, or thinking twice about how private your connection is.

A mobile browser should do more - and we're raising the bar. Firefox is rolling out a set of updates that build on our most popular desktop features and adapt them for how you browse on-the-go. Here's what's out now, and what's coming next.

Get the key points with Shake to Summarize

When you're following a recipe, reading a product review, or deciding whether a long article is worth your time, getting to the useful part can take longer than it should.

With Shake to Summarize, you can shake or tap your phone to generate a quick summary of the page. Currently available for iOS users in English, we're expanding availability to all iOS users in German, French, Spanish, Portuguese and Italian starting with Firefox 150 on April 21. We'll also soon be making Shake to Summarize available to Android users in English, so they too can get to the key points of any article in seconds.

Take control of how AI shows up

AI features are becoming a more common part of browsers - but not everyone wants the same experience. Firefox gives you a say in how they're used. With AI Controls, you can turn AI features off entirely, enable only the ones you want, or adjust things over time. Rolling out on Android and iOS beginning May 21.

Stay protected with a free, built-in VPN

Firefox's free built-in VPN covers up to 50 gigabytes of your browsing in Firefox each month, across desktop and mobile devices. It adds a layer of protection to your browsing activity by masking your IP address - especially useful when you're on public Wi-Fi. Unlike many "free VPNs" that rely on ads or selling user data to generate revenue, Firefox is built with a different model: no selling your browsing data, no injecting ads into your traffic. Instead, we offer a limited amount of browser-level protection for free, alongside Mozilla VPN, our paid, unlimited, full-device VPN service. Rolling out on Android soon.

Keep your tabs organized with Tab Groups

Tab Groups have been among the most-requested mobile features from our Mozilla community, and they're coming on mobile soon. You'll be able to group related tabs to stay organized, whether you're comparing restaurants, planning a trip or saving articles to read later.

We're also building toward smart groupings, where Firefox can automatically suggest tab groups for you. Rolling out on Android soon.

More updates, built around how you browse on mobile

Your phone comes with a browser. That doesn't mean it has to stay your default

"Firefox exists to give people a better way to experience the web, and that has to be just as true on mobile as it is on desktop," said Ajit Varma, head of Firefox. "For many people, their phone is their primary way of getting online, and they deserve a browser that's fast, intuitive and built around their needs. That's why we're investing in mobile more than ever before. We're building for the millions of people who choose Firefox every day, and giving even more people a reason to do the same."

Firefox is building a mobile experience designed around how people browse - with tools that help you move faster, stay organized and stay in control.

These updates begin rolling out in April with more on the way.

Take Firefox with you

Download Firefox mobile

The post What's new in Firefox mobile: Less clutter, more control and a free built-in VPN appeared first on The Mozilla Blog.

21 Apr 2026 7:36pm GMT

The Mozilla Blog: The zero-days are numbered

Multiple white cursor arrows scattered across a bright orange background.

Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148.

As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week's release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation.

As these capabilities reach the hands of more defenders, many other teams are now experiencing the same vertigo we did when the findings first came into focus. For a hardened target, just one such bug would have been red-alert in 2025, and so many at once makes you stop to wonder whether it's even possible to keep up.

Our experience is a hopeful one for teams who shake off the vertigo and get to work. You may need to reprioritize everything else to bring relentless and single-minded focus to the task, but there is light at the end of the tunnel. We are extremely proud of how our team rose to meet this challenge, and others will too. Our work isn't finished, but we've turned the corner and can glimpse a future much better than just keeping up. Defenders finally have a chance to win, decisively.

Until now, the industry has largely fought security to a draw. Vendors of critical internet-exposed software like Firefox take security extremely seriously and have teams of people who get out of bed every morning thinking about how to keep users safe. Nevertheless, we've all long quietly acknowledged that bringing exploits to zero was an unrealistic goal. Instead, we aimed to make them so expensive that only actors with functionally unlimited budgets can afford them, and that the cost of burning such an expensive asset disincentivizes those actors against casual use.

This is because security to date has been offensively-dominant: the attack surface isn't infinite, but it's large enough to be difficult to defend comprehensively with the tools we've had available. This gives attackers an asymmetric advantage, since they only need to find one chink in the armor.

We use defense-in-depth to apply multiple layers of overlapping defenses, but no layer is bulletproof. Firefox runs each website in a separate process sandbox, but attackers try to combine bugs in the rendering code with bugs in the sandbox to escape to a more privileged context. We've led the industry in building and adopting Rust, but we still can't afford to stop everything to rewrite decades of C++ code, especially since Rust only mitigates certain (very common) classes of vulnerabilities.

We pair defense-in-depth engineering with an internal red team tasked with staying on the leading edge of automated analysis techniques. Until recently, these have largely been dynamic analysis techniques like fuzzing. Fuzzing is quite fruitful in practice, but some parts of the code are harder to fuzz than others, leading to uneven coverage.

Elite security researchers find bugs that fuzzers can't largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't.

This can feel terrifying in the immediate term, but it's ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap.

Encouragingly, we also haven't seen any bugs that couldn't have been found by an elite human researcher. Some commentators predict that future AI models will unearth entirely new forms of vulnerabilities that defy our current comprehension, but we don't think so. Software like Firefox is designed in a modular way for humans to be able to reason about its correctness. It is complex, but not arbitrarily complex1.

The defects are finite, and we are entering a world where we can finally find them all.

1 There's a risk that codebases begin to surpass human comprehension as a result of more AI in the development process, scaling bug complexity along with (or perhaps faster than) discovery capability. Human-comprehensibility is an essential property to maintain, especially in critical software like browsers and operating systems.

The post The zero-days are numbered appeared first on The Mozilla Blog.

21 Apr 2026 6:29pm GMT

Niko Matsakis: Symposium: community-oriented agentic development

I'm very excited to announce the first release of the Symposium project as well as its inclusion in the Rust Foundation's Innovation Lab. Symposium's goal is to let everyone in the Rust community participate in making agentic development better. The core idea is that crate authors should be able to vend skills, MCP servers, and other extensions, in addition to code. The Symposium tool then installs those extensions automatically based on your dependencies. After all, who knows how to use a crate better than the people who maintain it?

If you want to read more details about how Symposium works, I refer you to the announcement post from Jack Huey on the main Symposium blog. This post is my companion post, and it is focused on something more personal - the reasons that I am working on Symposium.

I believe in extensibility everywhere

The short version is that I believe in extensibility everywhere. Right now, the Rust language does a decent job of being extensible: you can write Rust crates that offer new capabilities that feel built-in, thanks to proc-macros, traits, and ownership. But we're just getting started at offering extensibility in other tools, and I want us to hurry up!

I want crate authors to be able to supply custom diagnostics. I want them to be able to supply custom lints. I want them to be able to supply custom optimizations. I want them to be able to supply custom IDE refactorings. And, as soon as I started messing around with agentic development, I wanted extensibility there too.

Symposium puts crate authors in charge

The goal of Symposium is to give crate authors, and the broader Rust community, the ability to directly influence the experience of people writing Rust code with agents. Rust is a really popular target language for agents because the type system provides strong guardrails and it generates efficient code - and I predict it's only going to become more popular.

Despite Rust's popularity as an agentic coding target, the Rust community right now are basically bystanders when it comes to the experience of people writing Rust with agents; I want us to have a means of influencing it directly.

Enter Symposium. With Symposium, Crate authors can package up skills etc and then Symposium will automatically make them available for your agent. Symposium also takes care of bridging the small-but-very-real gaps between agents (e.g., each has their own hook format, and some of them use .agents/skills and some use .claude/skills, etc).

Example: the assert-struct crate

Let me give you an example. Consider the assert-truct crate, recently created by Carl Lerche. assert-struct lets you write convenient assertions that test the values of specific struct fields:

assert_struct!(val, _ {
    items: [1, 2, ..],
    tags: #("a", "b", ..),
    ..
});

The problem: agents don't know about it

This crate is neat, but of course, no models are going to know how to use it - it's not part of their training set. They can figure it out by reading the docs, but that's going to burn more tokens (expensive, slow, consumes carbon), so that's not a great idea.

You could teach the agent how to use it…

In practice what people do today is to add skills to their project - for example, in his toasty crate, Carl has a testing skill that also shows how to use assert-struct. But it seems silly for everybody who uses the crate to repeat that content.

…but wouldn't it be better the crate could teach the agent itself?

With Symposium, teaching your agent how to use your dependencies should not be necessary. Instead, your crates can publish their own skills or other extensions.

The way this works is that the assert-struct crate defines the skill once, centrally, in its own repository1. Then there is a separate file in Symposium's central recommendations repository with a pointer to the assert-struct repository. Any time that the assert-struct repository updates that skill, the updates are automatically synchronized for you. Neat! (You can also embed skills directly in the rr repository, but then updating them requires a PR to that repo.)

Frequently asked questions

How do I add support for my crate to Symposium?

It's easy! Check out the docs here:

https://symposium.dev/crate-authors/supporting-your-crate.html

What kind of extensions does Symposium support?

Skills, hooks, and MCP Servers, for now.

Why does Symposium have a centralized repository?

Currently we allow skill content to be defined in a decentralized fashion but we require that a plugin be added to our central recommendations repository. This is a temporary limitation. We eventually expect to allow crate authors to adds skills and plugins in a fully decentralized fashion.

We chose to limit ourselves to a centralized repository early on for three reasons:

What if I want to add skills for crates private to my company? I don't want to put those in the central repository!

No problem, you can add a custom plugin source.

Are you aware of the negative externalities of LLMs?

I am, very much so. I feel like a lot of the uses of LLMs we see today are not great (e.g., chat bots hijack conversational and social cues to earn trust that they don't deserve) and to reconfirm peoples' biases instead of challenging their ideas. And I'm worried about the environmental cost of data centers and the way companies have retreated from their climate goals. And I don't like how centralized models concentrate economic power.2 So yeah, I see all that. And I also see how LLMs enable people to build things that they couldn't build before and help to make previously intractable problems soluble - and that includes more and more people who never thought of themselves as programmers3. My goal with Symposium and other projects is to be part of the solution, finding ways to leverage LLMs that are net positive: opening doors, not closing them.

Extensibility: because everybody has something to offer

Fundamentally, the reason I am working on Symposium is that I believe everybody has something unique to offer. I see the appeal of strongly opinionated systems that reflect the brilliant vision of a particular person. But to me, the most beautiful systems are the ones that everybody gets to build together4. This is why I love open source. This is why I love emacs5. It's why I love VSCode's extension system, which has so many great gems6.

To me, Symposium is a double win in terms of empowerment. First, it makes agents extensible, which is going to give crate authors more power to support their crates. But it also helps make agentic programming better, which I believe will ultimately open up programming to a lot more people. And that is what it's all about.

  1. Actually as of this posting, the assert-struct skill is embedded directly in the recommendations repo. But I opened a PR to put it on assert-struct and I'll port it over once it lands. ↩︎

  2. I'm very curious to do more with open models. ↩︎

  3. Within Amazon, it's been amazing to watch how many people who never thought of themselves as software developers are starting to build software. Considering the challenges the software industry has with representation, I find this very encouraging. Diverse teams are stronger, better teams! ↩︎

  4. None of this is to say I don't believe in good defaults; there's a reason I use Zed and VSCode these days, and not emacs, much as I love it in concept. ↩︎

  5. OMG. One of my friends college wrote this amazing essay some time back on emacs. Next time you're doomscrolling on the toilet or whatever, pop over to this essay instead. Fair warning, it's long, so it'll take you a while to read, but I think it nails what people love about emacs. ↩︎

  6. These days I'm really enjoying Zed, but I have to say, I really miss kahole/edamagit! Which of course is inspired by the magit emacs package. ↩︎

21 Apr 2026 4:24pm GMT

Firefox Developer Experience: Firefox WebDriver Newsletter 150

WebDriver is a remote control interface that enables introspection and control of user agents. As such, it can help developers to verify that their websites are working and performing well with all major browsers. The protocol is standardized by the W3C and consists of two separate specifications: WebDriver classic (HTTP) and the new WebDriver BiDi (Bi-Directional).

This newsletter gives an overview of the work we've done as part of the Firefox 150 release cycle.

Contributions

Firefox is an open source project, and we are always happy to receive external code contributions to our WebDriver implementation. We want to give special thanks to everyone who filed issues, bugs and submitted patches.

In Firefox 150, Khalid AlHaddad contributed several improvements:

WebDriver code is written in JavaScript, Python, and Rust so any web developer can contribute! Read how to setup the work environment and check the list of mentored issues for Marionette, or the list of mentored JavaScript bugs for WebDriver BiDi. Join our chatroom if you need any help to get started!

General

WebDriver BiDi

Marionette

21 Apr 2026 2:01pm GMT

16 Apr 2026

feedPlanet Mozilla

The Rust Programming Language Blog: Announcing Rust 1.95.0

The Rust team is happy to announce a new version of Rust, 1.95.0. Rust is a programming language empowering everyone to build reliable and efficient software.

If you have a previous version of Rust installed via rustup, you can get 1.95.0 with:

$ rustup update stable

If you don't have it already, you can get rustup from the appropriate page on our website, and check out the detailed release notes for 1.95.0.

If you'd like to help us out by testing future releases, you might consider updating locally to use the beta channel (rustup default beta) or the nightly channel (rustup default nightly). Please report any bugs you might come across!

What's in 1.95.0 stable

cfg_select!

Rust 1.95 introduces a cfg_select! macro that acts roughly similar to a compile-time match on cfgs. This fulfills the same purpose as the popular cfg-if crate, although with a different syntax. cfg_select! expands to the right-hand side of the first arm whose configuration predicate evaluates to true. Some examples:

cfg_select! {
    unix => {
        fn foo() { /* unix specific functionality */ }
    }
    target_pointer_width = "32" => {
        fn foo() { /* non-unix, 32-bit functionality */ }
    }
    _ => {
        fn foo() { /* fallback implementation */ }
    }
}

let is_windows_str = cfg_select! {
    windows => "windows",
    _ => "not windows",
};

if-let guards in matches

Rust 1.88 stabilized let chains. Rust 1.95 brings that capability into match expressions, allowing for conditionals based on pattern matching.

match value {
    Some(x) if let Ok(y) = compute(x) => {
        // Both `x` and `y` are available here
        println!("{}, {}", x, y);
    }
    _ => {}
}

Note that the compiler will not currently consider the patterns matched in if let guards as part of the exhaustiveness evaluation of the overall match, just like if guards.

Stabilized APIs

These previously stable APIs are now stable in const contexts:

Destabilized JSON target specs

Rust 1.95 removes support on stable for passing a custom target specification to rustc. This should not affect any Rust users using a fully stable toolchain, as building the standard library (including just core) already required using nightly-only features.

We're also gathering use cases for custom targets on the tracking issue as we consider whether some form of this feature should eventually be stabilized.

Other changes

Check out everything that changed in Rust, Cargo, and Clippy.

Contributors to 1.95.0

Many people came together to create Rust 1.95.0. We couldn't have done it without all of you. Thanks!

16 Apr 2026 12:00am GMT

15 Apr 2026

feedPlanet Mozilla

Mozilla Localization (L10N): Localizer Spotlight: Baurzhan

About you

My name is Baurzhan Muftakhidinov. I'm from Kazakhstan. I speak Kazakh, Russian, English and I have been contributing to Mozilla localization for more than 18 years.

From Linux Curiosity to Mozilla Localization

Q: How did you get involved in localization, and what drew you to Mozilla?

A: I came to Mozilla through Linux during my student years. I became interested in Linux at university, and very quickly I noticed how closely the open source world was connected: where there was Linux, Firefox was usually nearby.

When installing Linux distributions, one of the first things I noticed was language support. Many languages were available, but Kazakh was often missing or only partially supported. That made me ask a simple question: why is that, and what can be done about it?

Through Ubuntu's CD distribution program, I discovered Launchpad and began translating Firefox there. Around the same time, through a local Linux forum, I connected with Timur Timirkhanov, who already had experience with Mozilla localization. He helped me understand Mozilla's processes, pointed me to packages that needed translation, and opened a locale registration ticket for Kazakh in Bugzilla.

Soon after, Dauren Sarsenov joined, and in the beginning it was mainly the two of us working on Firefox. When Kazakh first appeared in a Firefox beta in spring 2009, we were extremely proud. It felt like a real milestone - not just translating isolated strings, but seeing a major global product appear in Kazakh.

For me, that was bigger than one browser. At the time, we were dreaming about a fully usable open source desktop in Kazakh, and Mozilla localization became one important part of that larger goal. What started as curiosity became a long-term commitment: making technology more accessible in Kazakh and proving that our language belongs in modern software.

Q: Which Mozilla products are closest to you? Do you use them regularly?

A: Firefox is definitely the product closest to me because I use it every day - both desktop and mobile. It never feels like I am translating something distant from my real life. I see the interface, the wording choices, and the practical impact of localization almost daily.

What makes Firefox especially meaningful is that it is both symbolic and practical. Symbolically, it showed that Kazakh could be present in one of the most important pieces of everyday software. Practically, it gave users a browser they could use in their own language. A browser is the gateway to the internet, so localizing Firefox means much more than translating one application.

I also use Thunderbird from time to time and visit MDN quite often. Even when I am not translating, I interact with Mozilla products as a user, so there is always a natural connection between volunteer work and daily habits.

People around me know me through Firefox localization more than through anything else. Very often I am simply "the person who translated Firefox into Kazakh." That says a lot about how visible Firefox has been.

Promoting Kazakh Localization and Building an Ecosystem

Q: How have you promoted Kazakh-localized software?

A: Most of my promotion work has been grassroots. In earlier years, I shared updates on Linux and open source forums, especially communities already interested in free software. Even when people were not personally interested in contributing, many showed strong support and encouragement. That confirmed that localization mattered beyond just the translation team.

One of my bigger efforts was creating a Debian-based Linux distribution from 2012 to 2015 called Kazsid. I built it partly to test how Kazakh localization worked across multiple applications in a real desktop environment. I included programs that already had Kazakh translations - Firefox, LibreOffice, desktop environments, and other tools - set Kazakh as the default language, and tested how everything worked together.

I shared the builds on forums, and some people downloaded and tried them. It was one of the most practical ways I encouraged interest in Linux and localized software.

Later, as translations matured upstream, maintaining a separate distribution was no longer necessary. That was actually a positive sign - users could install standard distributions and get the same localized experience.

Today I post updates on LinkedIn. It helps maintain visibility, even if it does not often bring in new contributors.

Working Independently - and Working Systematically

Q: What does the Kazakh localization community look like today?

A: At the moment, I am effectively the only active contributor across several major open source localization efforts in Kazakh, including Mozilla products, LibreOffice, GNOME, Xfce, and others.

In the early years, several people made meaningful contributions, but most eventually moved on. Timur helped significantly, especially in the earlier stages and in understanding Mozilla's processes, and I still occasionally consult trusted people when I need a second opinion.

The challenge for smaller languages is not only starting a translation but maintaining it over the long term. From early on, I was not thinking about one application. My goal was broader: to help create a real open source desktop experience in Kazakh. A browser translated into Kazakh is important, but a full ecosystem is even more meaningful. Sustainability is the hardest part.

Q: How do you approach quality when you are the main translator?

A: Direct user feedback is rare. So QA depends largely on my own testing, judgment, and systems.

I test software in real use, especially Firefox. In earlier years, I also used Nightly builds. Before settling on new terminology, I check dictionaries and reference materials. I consult fluent speakers when needed, and sometimes I discuss wording with my wife to see how natural it sounds.

My principle is that translations should feel clear and alive, not mechanically imported. I studied in Kazakh and remember the terms we were actually taught in IT-related subjects, and that background matters to me.

Because of my scripting background, I have written small tools in Python to help verify translations, track terminology, and maintain consistency. QA is not just "reading it once and hoping for the best." It is a combination of linguistic judgment, real usage, consultation, and automated checking.

More recently, I have been exploring how AI can assist localization. By testing translations through tools like the Google Gemini API and guiding terminology carefully, I have been able to close significant translation gaps. For Kazakh, newer models understand context much better than traditional machine translation systems. AI does not replace judgment, but it can make the work faster and more effective.

Professional Background

Q: How does your professional background influence your localization work?

Baurzhan at GIS Day 2025

A: My background is partly technical and partly analytical. I studied IT, worked as a Linux system administrator, and later moved into data analysis and GIS.

Those technical skills helped significantly. Automation makes a long-term localization effort much more manageable, especially when one person is doing most of the work.

Localization has strengthened my discipline and consistency. It requires patience and regular effort. Over time, I developed an instinct for terminology and phrasing - whether a term feels natural or artificial in context.

A Few Personal Notes

I have loved reading since I was four years old. My favorite genres are science fiction and popular science. Reading is still how I recharge.

I have lived in several cities in Kazakhstan, so I sometimes joke that I am a true nomad.

My family has always been supportive of my open source work. And when I run into a particularly difficult translation, I can still discuss it with my wife and get a fresh perspective.

15 Apr 2026 10:38pm GMT

Firefox Tooling Announcements: Happy BMO Push Day! (20260415.1)

Github Link

The following changes have been pushed to bugzilla.mozilla.org:

Discuss these changes in the BMO Matrix Room

1 post - 1 participant

Read full topic

15 Apr 2026 9:29pm GMT

Firefox Nightly: QR Codes, Speed Calculators, Better RAM Usage – These Weeks in Firefox: Issue 199

Highlights

Friends of the Firefox team

Resolved bugs (excluding employees)

Volunteers that fixed more than one bug

New contributors (🌟 = first patch)

Project Updates

Add-ons / Web Extensions

WebExtensions Framework
WebExtension APIs
Addon Manager & about:addons

DevTools

WebDriver

Lint, Docs and Workflow

New Tab Page

Search

Smart Window

Storybook/Reusable Components/Acorn Design System

UX Fundamentals

15 Apr 2026 8:44pm GMT

Mozilla Privacy Blog: Mozilla Urges the FTC to Tackle Harmful Design Practices

In response to concerns from both consumers and the industry, the US Federal Trade Commission (FTC) invited public comment on whether it should amend the current Rule Concerning the Use of Prenotification Negative Option Plans to address deceptive or unfair negative option practices.

Negative option marketing is a practice in which a seller treats a consumer's silence or failure to take action as consent to be charged for goods or services. This technique is often used in subscription services, where users may be guided toward accepting recurring charges through default selections or obscure disclosures. These design practices, also known as "dark patterns," successfully manipulate and influence user behavior on a systematic level and are often employed in all aspects of digital markets, not just with subscriptions.

As a browser developer, Mozilla is well-acquainted with the negative impacts of manipulative design. The web browser market provides a documented case study illustrating how operating systems deploy deceptive design practices to weaponize friction and status-quo bias to influence consumer behavior. As such, Mozilla was eager to provide feedback and encourage the Commission to examine the breadth of deceptive design practices that undermine choice.

Dark patterns are a byproduct of power asymmetry between companies and consumers. If we don't protect meaningful choice and effective competition now, we risk giving even more control to the biggest players - and losing what makes the web open and innovative in the first place.

The FTC has a critical opportunity, both in this rulemaking and more broadly, to modernize consumer protection for the realities of digital markets. We encourage the FTC to:

We welcome the opportunity to share our relevant experiences in the browser space and look forward to continuing the conversation.

Read our full comments to the FTC for more details on our recommendations.

The post Mozilla Urges the FTC to Tackle Harmful Design Practices appeared first on Open Policy & Advocacy.

15 Apr 2026 4:29pm GMT

Firefox Tooling Announcements: MozPhab 2.13.0 Released

Bugs resolved in Moz-Phab 2.13.0:

Discuss these changes in #engineering-workflow on Slack or #Conduit Matrix.

1 post - 1 participant

Read full topic

15 Apr 2026 3:30pm GMT

This Week In Rust: This Week in Rust 647

Hello and welcome to another issue of This Week in Rust! Rust is a programming language empowering everyone to build reliable and efficient software. This is a weekly summary of its progress and community. Want something mentioned? Tag us at @thisweekinrust.bsky.social on Bluesky or @ThisWeekinRust on mastodon.social, or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub and archives can be viewed at this-week-in-rust.org. If you find any errors in this week's issue, please submit a PR.

Want TWIR in your inbox? Subscribe here.

Updates from Rust Community

Official
Project/Tooling Updates
Observations/Thoughts
Rust Walkthroughs

Crate of the Week

This week's crate is Myth Engine, a high-performance, cross-platform rendering engine.

Thanks to Pan Xinmiao for the self-suggestion!

Please submit your suggestions and votes for next week!

Calls for Testing

An important step for RFC implementation is for people to experiment with the implementation and give feedback, especially before stabilization.

If you are a feature implementer and would like your RFC to appear in this list, add a call-for-testing label to your RFC along with a comment providing testing instructions and/or guidance on which aspect(s) of the feature need testing.

No calls for testing were issued this week by Rust, Cargo, Rustup or Rust language RFCs.

Let us know if you would like your feature to be tracked as a part of this list.

Call for Participation; projects and speakers

CFP - Projects

Always wanted to contribute to open-source projects but did not know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

No Calls for participation were submitted this week.

If you are a Rust project owner and are looking for contributors, please submit tasks here or through a PR to TWiR or by reaching out on Bluesky or Mastodon!

CFP - Events

Are you a new or experienced speaker looking for a place to share something cool? This section highlights events that are being planned and are accepting submissions to join their event as a speaker.

If you are an event organizer hoping to expand the reach of your event, please submit a link to the website through a PR to TWiR or by reaching out on Bluesky or Mastodon!

Updates from the Rust Project

519 pull requests were merged in the last week

Compiler
Library
Cargo
Rustdoc
Clippy
Rust-Analyzer
Rust Compiler Performance Triage

This week was negative, mainly caused by a type system fix and because we had to temporarily revert some attribute cleanups that previously improved performance.

Triage done by @panstromek. Revision range: e73c56ab..dab8d9d1

Summary:

(instructions:u) mean range count
Regressions ❌
(primary)		 0.4% [0.2%, 0.7%] 46
Regressions ❌
(secondary)		 0.5% [0.1%, 2.3%] 102
Improvements ✅
(primary)		 -0.5% [-0.6%, -0.4%] 4
Improvements ✅
(secondary)		 -0.4% [-0.6%, -0.2%] 5
All ❌✅ (primary) 0.4% [-0.6%, 0.7%] 50

4 Regressions, 1 Improvement, 5 Mixed; 6 of them in rollups 41 artifact comparisons made in total

Full report here

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:

Final Comment Period

Every week, the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

Tracking Issues & PRs

Rust

Cargo

Compiler Team (MCPs only)

Rust RFCs

Leadership Council

No Items entered Final Comment Period this week for Language Reference, Language Team or Unsafe Code Guidelines.

Let us know if you would like your PRs, Tracking Issues or RFCs to be tracked as a part of this list.

New and Updated RFCs

Upcoming Events

Rusty Events between 2026-04-15 - 2026-05-13 🦀

Virtual
Asia
Europe
North America
South America

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Jobs

Please see the latest Who's Hiring thread on r/rust

Quote of the Week

the amount of times that I spend 15 min in the docs + coding which end up in a monstrous or().flatten().map().is_ok_and() only to get slapped by clippy saying replace your monster with this single function please is way too high 😀

- Teufelchen on RIOT off-topic matrix chat

Thanks to chrysn for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by:

Email list hosting is sponsored by The Rust Foundation

Discuss on r/rust

15 Apr 2026 4:00am GMT

14 Apr 2026

feedPlanet Mozilla

Firefox Application Security Team: Firefox Security & Privacy Newsletter 2026 Q1

Welcome to the Q1 2026 edition of the Firefox Security & Privacy Newsletter.

Security and privacy are foundational to Mozilla's manifesto and central to how we build Firefox. In this edition, we highlight key security and privacy work from Q1 2026, organized into the following areas:

Preface

Note: Some of the bugs linked below might not be accessible to the general public and restricted to specific work groups. We de-restrict fixed security bugs after a grace-period, until the majority of our user population have received Firefox updates. If a link does not work for you, please accept this as a precaution for the safety of all Firefox users.

Firefox Product Security & Privacy

Collaboration with Anthropic: A few weeks ago, Anthropic's Frontier Red Team shared the results of a new AI-assisted vulnerability detection approach. Using this method, we have identified more than a dozen confirmed security issues, each supported by reproducible test cases. Learn more in our blog: Hardening Firefox with Anthropic's Red Team. Leveraging our Firefox Security expertise, we ended up finding dozens of additional vulnerabilities that were fixed in the following Firefox updates.

YouTube coverage of Firefox at pwn2own 2025: To demonstrate Firefox's focus on user security and Mozilla's commitment to openness, we invited LiveOverflow to follow us during the prestigious hacking competition pwn2own last year. LiveOverflow's four-party documentary provides behind-the-scenes coverage of our quick response to fixing two Firefox 0-day security bugs. The videos go from preparation (part 1), to exploit analysis (part 2) and disclosure (part 3), all the way to the rapid release of a Firefox update (part 4) for the 2-day event coverage.

Trustworthy JavaScript for the Open Web: Alongside partners from Meta, Proton AG, Cloudflare, and the Freedom of the Press Foundation, we presented our plans to improve the trustworthiness of JavaScript on the Web at Real World Crypto.

SafeBrowsing: Firefox 147 shipped with SafeBrowsing v5 support, allowing to protect users against malicious URLs. And starting with v149, Firefox blocks and revokes websites permissions for sites on the SafeBrowsing lists (Bug 1986300), leveling-up the built-in protection from online threats.

Stronger XSS Protection through the Sanitizer API: Starting with v148, Firefox was the first browser to add support for the Sanitizer API, helping prevent XSS attacks on the web. Learn more in our blog post, Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148, or tune in to the ShopTalk Show podcast, where Freddy Braun discusses the details of the Sanitizer API.

2048-bit Minimum for RSA Certificates: Firefox now enforces a minimum 2048-bit RSA key size for certificates issued by Mozilla's built-in root CAs. As publicly trusted CAs already meet this requirement, no significant impact to the broader web is expected.

Community Engagement

Bug Bounty Program Updates: As the threat landscape evolves, addressing the increasing volume of AI-assisted security bug reports, we're evolving our security program alongside it. With continued advances in browser security architecture, our bug bounty program is refining its incentives to prioritize the highest-impact research and the most critical classes of vulnerabilities while focusing on novelty. Learn more in our blogpost: Bug Bounty Program Updates 2026. We have also just updated our Bug Bounty hall of fame, to list all people who helped us find and fix security vulnerabilities in Q1 of 2026.

Web Security & Standards

Storage-Access Headers: Firefox 147 is shipping an extension of the Storage Access API to improve both web compatibility and parity with Chrome. These Storage Access headers allow web pages to opt out of storage isolation upfront and without the need to first load a document.

Going Forward

As a Firefox user, you automatically benefit from the security and privacy improvements described above through Firefox's regular automatic updates. If you're not using Firefox yet, you can download it to enjoy a fast, secure browsing experience-while supporting Mozilla's mission of a healthy, safe, and accessible web for everyone.

We'd like to thank everyone who helps make Firefox and the open web more secure and privacy-respecting.

See you next time with the Q2 2026 report.

- The Firefox Security and Privacy Teams

14 Apr 2026 11:00pm GMT

13 Apr 2026

feedPlanet Mozilla

Spidermonkey Development Blog: Benchmark Mode in SpiderMonkey

You ever get to the end of running benchmarks, maybe a long running one, and realize… "Oh no. I forgot to set that important option, and these results are useless"

Yeah. I have. Too many times.

So I've added --benchmark-mode and --strict-benchmark-mode to SpiderMonkey.

These options configure the shell for benchmarking, taking the wisdom of the team and boiling multiple shell options down to a single --benchmark-mode flag, and in --strict-benchmark-mode will abort the run if the shell is configured in a way where effective benchmarking is unlikely to be possible (e.g. benchmarking a debug build!)

The nice thing about nailing this down is that this is something we can point anyone to and know that their shell is following the rules any of us would follow.

The general design philosophy of benchmark mode is to disable things you wouldn't see enabled in Firefox in normal configuration, as well as debugging code that maybe makes sense for test suites but doesn't make sense for a benchmark.

Hopefully this is the end of me realizing that I forgot to pass --no-async-stacks yet again.

13 Apr 2026 5:00pm GMT

Mozilla Privacy Blog: Anti-hacking laws should not be used to lock up the open internet

Mozilla has joined EFF, the Alliance for Responsible Data Collection, Digital Medusa, and EleutherAI in filing an amicus brief in Amazon v. Perplexity, urging the Ninth Circuit not to stretch the Computer Fraud and Abuse Act (CFAA) far beyond its intended purpose.

We have said this before, and it remains true: laws designed to protect the security of the internet should not be used to undermine how people want to use it.

Our mission is grounded in the idea that the internet must remain open and accessible to all, and that privacy and security online are fundamental. Mozilla joined this brief because overly broad interpretations of computer crime laws can put those values at risk.

The CFAA is an anti-hacking law. It was meant to address break-ins to computer systems - not to criminalize tools that enable people to access and engage with information that is publicly available on the web. While there are no-doubt many challenging legal and policy questions around the growth and use of agentic AI tools, we believe expanding the reach of CFAA to address these issues would threaten innovation, chill the development of useful tools and services for researchers and journalists, and undermine competition online.

The post Anti-hacking laws should not be used to lock up the open internet appeared first on Open Policy & Advocacy.

13 Apr 2026 4:51pm GMT

The Servo Blog: Servo is now available on crates.io

Today the Servo team has released v0.1.0 of the servo crate. This is our first crates.io release of the servo crate that allows Servo to be used as a library.

We currently do not have any plans of publishing our demo browser servoshell to crates.io. In the 5 releases since our initial GitHub release in October 2025, our release process has matured, with the main "bottleneck" now being the human-written monthly blog post. Since we're quite excited about this release, we decided to not wait for the monthly blog post to be finished, but promise to deliver the monthly update in the coming weeks.

As you can see from the version number, this release is not a 1.0 release. In fact, we still haven't finished discussing what 1.0 means for Servo. Nevertheless, the increased version number reflects our growing confidence in Servo's embedding API and its ability to meet some users' needs.

In the meantime we also decided to offer a long-term support (LTS) version of Servo, since breaking changes in the regular monthly releases are expected and some embedders might prefer doing major upgrades on a scheduled half-yearly basis while still receiving security updates and (hopefully!) some migration guides. For more details on the LTS release, see the respective section in the Servo book.

13 Apr 2026 12:00am GMT