31 Mar 2026

Feed: Planet Mozilla

Firefox Tooling Announcements: MozPhab 2.10.0 Released

Bugs resolved in Moz-Phab 2.10.0:

Discuss these changes in #engineering-workflow on Slack or #Conduit Matrix.


31 Mar 2026 8:30pm GMT

Thunderbird Blog: Thunderbird Monthly Development Digest: March 2026

Welcome back from the Thunderbird development team!

Looking back, the first quarter of the year has been a mix of deep technical focus and forward-looking planning. Much of the team's energy has gone into tackling some of the more complex, "gnarly" parts of our projects to land key milestones. In parallel, we've been laying the groundwork for what's next, from ongoing hiring efforts to aligning our goals with broader company initiatives that support the roadmap ahead.

Security & Hardening

We've continued to make good progress on improving Thunderbird's security and privacy model, not just at a technical level, but in ways that are more usable and transparent for everyday users.

Unobtrusive Signatures

Kai recently presented his work at the IETF on Unobtrusive Signatures, which aims to make email signatures more reliable and less intrusive. The goal is to ensure message authenticity can be verified automatically and consistently, without requiring constant user attention or confusing workflows.

Improving Key Safety and Revocation

We're also exploring better ways to handle key revocation. Today, users often have no reliable way to know when a key should no longer be trusted. A proposed revocation service aims to improve how this information is distributed, while avoiding overly centralized or privacy-invasive approaches.

Moving Beyond "Encrypted or Not"

A major shift underway is how we present trust in encrypted email.

Instead of treating encryption as a simple on/off state, we're moving toward a graduated confidence model. Thunderbird will evaluate the strength of each recipient's key, whether it's manually verified, CA-backed, or unverified, and present an overall confidence level to the user.

This allows encryption to work more automatically, while still giving users clear insight into how much trust they can place in a given message. Kai has worked with the design team and internal subject matter experts to refine the UX in this area and is getting close to a final UI.

Ongoing Security Fixes and Improvements

Alongside these larger initiatives, Kai, Magnus, and Justin have been actively triaging and addressing security issues and long-standing feature gaps. Recent work includes:

Together, these efforts reflect a broader direction: making strong security more accessible, while ensuring users remain informed and in control.

Exchange Email Support

Since our last update in February, the team has been moving quickly and has now completed Phase 1 and Phase 2 of the Graph API implementation for email, with Phase 3 already underway.

These phases focused on establishing a solid foundation and delivering core functionality required for real-world usage. Highlights include:

With these milestones in place, Phase 3 is now underway, focusing on deeper message handling (such as fetching message headers) and continued feature expansion.

Keep track of our Graph API implementation here.

Add-ons, Extensions and Experiments

While onboarding a new junior team member, John has also made a strong impact on the add-ons ecosystem, reaching an important milestone in the effort to move away from legacy, insecure experiments.

A key piece of this work is the VFS Toolkit, which leverages the Origin Private File System and introduces a more secure and maintainable way for WebExtensions to interact with the file system. As part of this, John developed a provider that allows extensions to access a user's local home folder through a controlled interface.

Under the hood, this works by combining WebExtensions with a small native helper application. The extension communicates with this helper via native messaging, allowing safe, permissioned access to local files, something that modern WebExtensions cannot do directly.

The current focus is to enhance the Calendar API ahead of the next ESR release with some of this work tracked here.

Linux System Tray - Contributor Spotlight

We'd like to give a special shoutout this month to Christophe Henry, who has gone above and beyond with an ambitious contribution to improve Thunderbird's system tray integration on Linux.

This work isn't a small patch and spans multiple parts of the codebase, including JavaScript, C++, and Rust, and even bridges into XPCOM interfaces. The goal is to unify how unread mail indicators and tray icons behave across platforms, which is a surprisingly complex problem once you account for the differences between Linux environments, Windows, and macOS.

What really stood out was the level of persistence behind this contribution. Over multiple iterations, Christophe worked through build failures, lint issues, platform quirks, and detailed review feedback, all while tackling tricky problems like image encoding, system tray APIs, and cross-language integration.

This kind of work is rarely straightforward, and often requires deep dives into unfamiliar parts of the stack. Seeing it pushed forward with this level of care and determination is exactly what makes open source collaboration so powerful.

Thank you for the dedication and effort! It truly makes a difference.

Calendar UI Rebuild - Front End Team shoutout

A huge shoutout to the Front End team, who recently met in person in London for a work week and absolutely delivered.

Getting the chance to collaborate face-to-face made a real difference. The team came together to align on priorities, cut through complexity, and focus on what mattered most - and the results speak for themselves. They successfully pushed through the Event Read and Enhancements milestones at an impressive pace, clearing the path to shift full attention onto the First Time User Experience (FTUE) work.

It's not easy to balance quality, speed, and coordination across a distributed team, but this was a great example of what happens when everything clicks. Thoughtful planning, strong collaboration, and excellent execution all came together to move things forward in a big way.

Stay tuned to our milestones here:

First Time User Experience (FTUE)

Following that strong push on Calendar, the front end team turned their focus to the First Time User Experience and made remarkable progress in a very short time.

In just a few weeks, the majority of the FTUE work has been completed, with only a handful of smaller items remaining in review. This included not only delivering the core experience, but also laying the groundwork for future improvements (such as early components of the "Sign in with Thundermail" flow, already available behind a preference).

Pulling together a milestone of this size on such a tight timeline is no small feat. It reflects both the clarity of planning coming out of the work week, and the team's ability to execute quickly without losing sight of the bigger picture.

Maintenance, Upstream adaptations, Recent Features and Fixes

Over the past couple of months, the team has continued to navigate changes from upstream dependencies that occasionally impact build stability, test reliability, and CI. While this is a normal part of working in a large, shared ecosystem, it does require ongoing attention, particularly when tracking down the root cause of regressions and ensuring Thunderbird-specific changes remain on solid ground. Some days it feels like a full-time job!

Alongside this, we've seen strong support from both the team and the wider contributor community, with a steady stream of fixes and improvements landing across the codebase.

This collective effort has resulted in a number of impactful patches landing recently, with the following being particularly helpful:

If you would like to see new features as they land, and help us find some early bugs, you can try running daily and check the pushlog to see what has recently landed. This assistance is immensely helpful for catching problems early.

-

Toby Pilling

Senior Manager, Desktop Engineering

The post Thunderbird Monthly Development Digest: March 2026 appeared first on The Thunderbird Blog.

31 Mar 2026 11:30am GMT

The Servo Blog: February in Servo: faster layout, pause and resume scripts, and more!

Servo 0.0.6 includes some exciting new features:

Plus a bunch of new DOM APIs:

Servo 0.0.6 showing ‘transform-style: preserve-3d’, ‘vertical-align’ shorthand with ‘baseline-shift’, objects being previewed in DevTools when passed to console.log(), pausing script execution in DevTools, and opening a modal `<dialog>` with `<button command>`

This is a big update, so here's an outline:

Work in progress

We've started working on accessibility support for web content (@alice, @delan, #42333, #42402), gated by a pref (--pref accessibility_enabled). Each webview will be able to expose its own accessibility tree, which the embedder can then integrate into its own accessibility tree. As part of this work:

We've started implementing document.execCommand() (@TimvdLippe, #42621, #42626, #42750), gated by a pref (--pref dom_exec_command_enabled). This feature is also enabled in experimental mode, and together with contenteditable, it's critical for rich text editing on the web. The work done in February includes:

Developer tools

DevTools has seen some big improvements in February!

When enabled in servoshell, the DevTools server is more secure by default, listening only on localhost when only a port number is specified (@Narfinger, #42502). You can open the port for remote debugging by passing a full SocketAddr, such as --devtools=[::]:6080 or --devtools=0.0.0.0:6080.
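The binding rule described above, sketched in Rust as an added example (this is not Servo's own code): a bare port resolves to loopback, a full SocketAddr is taken as given, and the result is classified by who can reach it. The names `parse_devtools_arg` and `exposure` are hypothetical, 127.0.0.1 is assumed as the loopback address for a bare port, and the sample values in `main` are constructed.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Who can reach a listener bound to a given address.
#[derive(Debug, PartialEq)]
pub enum Exposure {
    LocalOnly,       // loopback: processes on this machine only
    AllInterfaces,   // 0.0.0.0 or [::]: every network interface
    SingleInterface, // one specific non-loopback address
}

/// Hypothetical parser for a `--devtools` value (not Servo's implementation).
/// A bare port binds to loopback; anything else must be a full SocketAddr.
pub fn parse_devtools_arg(value: &str) -> Result<SocketAddr, String> {
    if let Ok(port) = value.parse::<u16>() {
        // Assumption: "localhost" means 127.0.0.1 here.
        return Ok(SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), port));
    }
    // No DNS lookup happens here, so host names such as "localhost:6080" are rejected.
    value
        .parse::<SocketAddr>()
        .map_err(|e| format!("invalid --devtools value {:?}: {}", value, e))
}

/// Unwrap IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) so that a mapped
/// loopback or wildcard address is classified like its IPv4 form.
fn canonical(ip: IpAddr) -> IpAddr {
    match ip {
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map(IpAddr::V4).unwrap_or(ip),
        v4 => v4,
    }
}

/// Classify a bind address by reachability.
pub fn exposure(addr: &SocketAddr) -> Exposure {
    let ip = canonical(addr.ip());
    if ip.is_loopback() {
        Exposure::LocalOnly
    } else if ip.is_unspecified() {
        Exposure::AllInterfaces
    } else {
        Exposure::SingleInterface
    }
}

fn main() {
    // Constructed sample values; 192.0.2.10 is a documentation address.
    let samples = [
        "6080",
        "[::1]:6080",
        "0.0.0.0:6080",
        "[::]:6080",
        "192.0.2.10:6080",
        "localhost:6080",
    ];
    for value in samples {
        match parse_devtools_arg(value) {
            Ok(addr) => println!("{:<18} -> {:<18} {:?}", value, addr, exposure(&addr)),
            Err(e) => println!("{:<18} -> rejected: {}", value, e),
        }
    }
}
```

A launcher script or CI check can use the same classification to refuse a wildcard bind unless remote debugging was requested explicitly.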

In the Inspector tab, you can now edit DOM attributes, and the DOM tree updates when attributes change (@simonwuelker, #42601, #42785). You can now list the event type and phase of event listeners attached to a DOM node as well (@simonwuelker, #42355).

In the Console tab, objects can now be previewed when passed to console.log() and friends (@simonwuelker, #42296, #42510, #42752), and boolean values are now syntax highlighted (@pralkarz, #42513).

In the Debugger tab, you can now pause and resume script execution, both manually and when breakpoints are hit (@eerii, @atbrakhi, #42599, #42580, #42874). We've also started working on other debugger features (@atbrakhi, @eerii, #42306), including stepping execution (@eerii, @atbrakhi, #42844, #42878, #42906), so once again stay tuned!

servoshell

Back in August, we added a servo:preferences page to servoshell that allows you to set some of Servo's most common preferences at runtime (@jdm, #38159).

Servo 0.0.6 showing the ‘servo:preferences’ page, with controls for experimental mode, disabling the HTTP cache, and setting the ‘User-Agent’ header

servoshell now has a servo:config page (@arihant2math, #40324), allowing you to set any preference, even internal ones. Note that preference changes are not yet persistent, and not all prefs take effect when changed at runtime.

Servo 0.0.6 showing the ‘servo:config’ page, with a search field and a list of preferences, some of which are in bold since they have been changed from their default values

You can now press F5 to reload the page in servoshell (@Narfinger, #42538), in addition to pressing Ctrl+R or ⌘R.

We've fixed a regression where the caret stopped being visible in the location bar (@mrobinson, #42470).

Embedding API

Servo is now easier to build offline, using the complete source tarball included in each release (@jschwe, #42852). Go to a release on GitHub, then download servo-[version]-src-vendored.tar.gz to get started.

You can now add and remove user stylesheets with UserContentManager::add_stylesheet and remove_stylesheet, and remove user scripts with UserContentManager::remove_script (@mukilan, #42288). Previously user stylesheets were only configurable via servoshell's --user-stylesheet option.

Before opening any context menus on behalf of web content, Servo now closes any context menus that were opened by web content (@mrobinson, #42487), to avoid UI problems on some platforms. This is done by calling WebViewDelegate::hide_embedder_control before calling show_embedder_control in those cases.

Input method events from web content now indicate whether or not the virtual keyboard should be shown (@stevennovaryo, @mrobinson, #42467), with the new InputMethodControl::allow_virtual_keyboard method. Generally the virtual keyboard should only be shown when the page has sticky activation.

We're reworking our gamepad API, with WebViewDelegate::play_gamepad_haptic_effect and stop_gamepad_haptic_effect being replaced by a new API that (as of the end of February at least) is known as GamepadProvider (@atbrakhi, #41568). The old methods are no longer called (#43743), and may be removed at some point.

We now have better diagnostic output when we fail to create an OpenGL context (@mrobinson, #42873), including when the OpenGL versions supported by the device are too old.

Servo::constellation_sender was removed (@jdm, #42389), since it was never useful to embedders.

We've also made some changes to Preferences:

More on the web platform

If you navigate to a video file or audio file as a document, the player now has controls (@webbeef, #42488).

Images now rotate according to their EXIF metadata by default (@rayguo17, #42567), like they would once we add support for 'image-orientation: from-image'.

We're implementing system-font-aware font fallback (@mrobinson, #42466), with support for this on macOS landing this month (@mrobinson, #42776). This allows Servo to render text in scripts that are not covered by web fonts or any of the fonts on Servo's built-in lists of fallback fonts, as long as they are covered by fonts installed on the system.

Servo now supports the newer pointermove, pointerdown, pointerup, and pointercancel events (@webbeef, #41290). The older touchmove, touchstart, touchend, and touchcancel events continue to be supported.

The default language in 'Accept-Language' and navigator.language is now taken from the $LANG environment variable if present (@webbeef, #41919), rather than always being set to en-US.

<input type=color> now supports any CSS color value (@simonwuelker, #42275), including the more complex values like color-mix(). We've also landed the colorspace attribute (@simonwuelker, #42279), but only in the web-facing side of Servo for now, not the embedding API or in servoshell.

'vertical-align' is now a shorthand for 'alignment-baseline' and 'baseline-shift' (@Loirooriol, #42361), and scrollParent on HTMLElement is now a function per this recent spec update (@TimurBora, #42689).

Cookies are now more conformant (@sebsebmc, #42418, #42427, #42435). 'Expires' and 'Max-Age' attributes are now handled correctly in 'Set-Cookie' headers, get() and getAll() on CookieStore now trim whitespace in cookie names and values, and the behaviour of set() on CookieStore has been improved.

<iframe> elements are now more conformant in how load events are fired on the element and its contentWindow (@TimvdLippe, #42254), although there are still some bugs. This has long behaved incorrectly in Servo, and it has historically caused many problems in the Web Platform Tests.

IndexedDB is now more conformant in our handling of transactions (@Taym95, #41508, #42732), and when opening and closing connections (@gterzian, @Taym95, #42082, #42669).

We've started implementing Largest Contentful Paint timings (@shubhamg13, #42024), and we've landed a bunch of improvements to how First Contentful Paint timings work in Servo:

new WebSocket() now resolves relative URLs (@webbeef, #42425).

requestFullscreen() on Element now requires user activation (@stevennovaryo, #42060).

performance.getEntries() now returns PerformanceResourceTiming entries for navigations in <iframe> (@muse254, #42270).

When geolocation is enabled (--pref dom_geolocation_enabled), navigator.geolocation.getCurrentPosition() and watchPosition() now support the optional errors argument (@arihant2math, #42295).

We now support the '-webkit-text-security' property in CSS (@mrobinson, #42181), which is not specified anywhere but required for MotionMark.

Performance and stability

Our about:memory page now knows how to report many new kinds of memory usage, including the DevTools server (@Narfinger, #42478, #42480), WebGL (@sagudev, #42570), localStorage and sessionStorage (@arihant2math, #42484), and some of the memory used by IndexedDB (@arihant2math, #42486). We've also started internally tracking the memory usage of the media subsystem (@Narfinger, #42504) and WebXR (@Narfinger, #42505).

Layout has seen a lot of performance work in February, with our main focus being on improving incremental layout of the box tree and fragment tree.

We now have our first truly incremental box tree layout (@mrobinson, @Loirooriol, @lukewarlow, #42700), rather than our previous "dirty roots"-based approach. Depending on how they were damaged, some boxes for floats (as above, #42816), independent formatting contexts (as above, #42783), and their descendants (as above, #42582) can now be reused, and they avoid damaging their parents (as above, #42847). We also destroy boxes with 'display: none' earlier in the layout process (as above, #42584).

Incremental fragment tree layout is improving too! Whereas we previously had to decide whether to run fragment tree layout in an "all or nothing" way, we can now reuse cached fragments in independent formatting contexts (@mrobinson, @Loirooriol, @lukewarlow, #42687, #42717, #42871). We can also measure how much work is being done on each layout (as above, #42817).

Servo uses shared memory for many situations where copying data over channels would be too expensive, such as for images and fonts. In multiprocess mode (--multiprocess), we use the operating system to create the shared memory in a way that can be shared with other processes, such as shm_open(3) or CreateFileMappingW, but this consumes resources that can sometimes be exhausted. We only need to use those kinds of shared memory in multiprocess mode, so we've reworked Servo to use Arc<Vec<u8>> in single-process mode (@Narfinger, #42083), which should avoid resource exhaustion.

Parsing web pages is complicated: we want pages to render incrementally as they stream in from the network, and we want to prefetch resources, but scripts can call document.write(), which injects markup "on the spot". This is further complicated if that markup also contains a <script>.

We've recently landed some fixes to Servo's async parser (@simonwuelker, #42882, #42910), which handles these issues more efficiently. This is currently an obscure and somewhat buggy feature (--pref dom_servoparser_async_html_tokenizer_enabled), but if we can get the feature working more reliably (#37418), it could halve the energy Servo spends on parsing, lower latency for pages that don't use document.write(), and even improve the html5ever API for the ecosystem.

We've also landed optimisations for 'Content-Security-Policy' (@Narfinger, #42716), IntersectionObserver (@Narfinger, @mrobinson, @stevennovaryo, #42366, #42390), layout queries (@webbeef, #42327), the bfcache (@Narfinger, #42703), loading images (@Narfinger, #42684), and checks for multiprocess mode (@Narfinger, #42782), as well as the interfaces between Servo and SpiderMonkey (@sagudev, #42135, #42576).

We've continued our long-running effort to use the Rust type system to make certain kinds of dynamic borrow failures impossible (@Gae24, @pralkarz, @BryanSmith00, @sagudev, @Narfinger, @TimvdLippe, @kkoyung, @TimurBora, @onsah, #42342, #42294, #42370, #42417, #42619, #42616, #42637, #42640, #42662, #42679, #42681, #42665, #42667, #42699, #42712, #42725, #42729, #42726, #42720, #42738, #42737, #42735, #42751, #42805, #42809, #42780, #42820, #42715, #42635, #42880, #42846).

Bug fixes

We've landed some fixes for issues preventing Servo from being built on Windows arm64 (@dpaoliello, @npiesco, #42371, #42341). Work to enable Windows arm64 as a build platform is ongoing (@npiesco, #42312).

<img height> now takes the default <img width> from the aspect ratio of the image (@Loirooriol, #42577), rather than using a width of 300px by default. <svg width=0> and <svg height=0> now take the default width and height (respectively) from the aspect ratio of the <svg viewBox> (@Loirooriol, #42545).

We've fixed a bug in the result of layout queries, such as getBoundingClientRect(), on inline <svg> (@jdm, @Loirooriol, #42594), and we've fixed layout bugs related to 'display: table-cell' (@Loirooriol, #42778), 'display: list-item' (@Loirooriol, #42825, #42864), 'inset: auto' (@Loirooriol, #42586), 'width: max-content' (@mrobinson, @Loirooriol, @lukewarlow, #42574), 'align-self: last baseline' (@rayguo17, #42724), 'list-style-image' (@lukewarlow, #42332), 'content: <image>' (@lukewarlow, #42332), negative 'margin' (@Loirooriol, #42889), and ink overflow (@mrobinson, #42403).

HTML and CSS bugs:

JavaScript and DOM bugs:

WebDriver bugs:

We've fixed crashes in DevTools, in the Inspector tab (@eerii, @mrobinson, #42330), when exiting Servo while DevTools is connected (@simonwuelker, #42543), when setting breakpoints (@atbrakhi, #42810), and after clients disconnect (@simonwuelker, #42583).

We've fixed crashes in layout, when using 'background-repeat: round' (@mrobinson, #42303), when using 'list-style-image' or 'content: <image>' (@lukewarlow, #42332), when calling elementFromPoint() on Document (@mrobinson, @Loirooriol, @lukewarlow, #42822), and when handling layout queries like getBoundingClientRect() on inline <svg> (@jdm, @Loirooriol, #42594).

We've fixed crashes related to stylesheets, when removing stylesheets from the DOM (@TimvdLippe, #42273), when changing the href of a <link rel=stylesheet> (@TimvdLippe, #42481), and when loading stylesheets with --layout-threads=1 (@mrobinson, @Loirooriol, @lukewarlow, #42685).

We've also fixed crashes when using multitouch input (@yezhizhen, #42350), when using MediaStreamAudioSourceNode (@mrobinson, #42914), when calling add() on HTMLOptionsCollection (@mrobinson, #42263), when calling elementFromPoint() on Document or ShadowRoot(), when we fail to open a database for IndexedDB (@jdm, @mrobinson, #42444), and when certain pages are run with a mozjs debug build (@Gae24, #42428).

Donations

Thanks again for your generous support! We are now receiving 6985 USD/month (−0.4% from January) in recurring donations. This helps us cover the cost of our speedy CI and benchmarking servers, one of our latest Outreachy interns, and funding maintainer work that helps more people contribute to Servo.

Servo is also on thanks.dev, and already 32 GitHub users (-1 from January) that depend on Servo are sponsoring us there. If you use Servo libraries like url, html5ever, selectors, or cssparser, signing up for thanks.dev could be a good way for you (or your employer) to give back to the community.

We now have sponsorship tiers that allow you or your organisation to donate to the Servo project with public acknowledgement of your support. If you're interested in this kind of sponsorship, please contact us at join@servo.org.


Use of donations is decided transparently via the Technical Steering Committee's public funding request process, and active proposals are tracked in servo/project#187. For more details, head to our Sponsorship page.

31 Mar 2026 12:00am GMT