Tech News - Full-Stack Web Development

Earlier this month, the Firefox team released the Firefox Preview 3.0 with various features to make browsing and bookmarking safer and easier. This release features a default Enhanced Tracking Protection feature for all users, and notifications support for long-running downloads. Key features in Firefox Preview 3.0 Enhanced tracking protection The Enhanced tracking protection will protect you from ads, analytics, cryptomining and fingerprinting trackers. Open links in private tabs by default Firefox Preview 3.0 lets you open pages directly in private browsing, so you can search and browse without saving any history on the browser. Option to clear browsing information on exit The Quit option in the menu automatically deletes your browsing history every time they exit Firefox through that Quit option. Option to choose what information should be synced across devices  In this release you can choose what types of browsing information should be synced across devices. Set an autoplay or background behavior The latest Firefox Preview gives you lots of options for playing video and audio on phones, including background playback and auto-play settings. See and manage downloads You can easily download files from various sites within Firefox Preview. A progress bar displays in the Notifications panel when the download begins, giving you the ability to pause/resume or cancel the download. If the download fails, tap Try Again to restart it. If the download is successful, a confirmation pop-up displays where you can tap Open to open the file. Updated browser menu An updated browser menu has replaced the Quick Action bar present in older versions of Firefox. Manually add search engines Firefox Preview gives the ability to set a default search engine. There are a variety of search engines to choose from such as Google and Bing. You can also manually add other search engines and set them as your default. Move the navigation bar to the top or bottom By default, the Firefox Preview navigation bar displays at the bottom of the app. However, you can move it to the top of the app if desired. Force enable zoom With this, you’ll always have the ability to zoom in when accessing various websites. You can use the + sign that displays at the bottom of every website within Firefox Preview to zoom in if necessary. To know more about this release in detail, check out the official Firefox blog page. Firefox 70 released with better security, CSS, and JavaScript improvements The new WebSocket Inspector will be released in Firefox 71 Mozilla brings back Firefox’s Test Pilot Program with the introduction of Firefox Private Network Beta Firefox 69 allows default blocking of third-party tracking cookies and cryptomining for all users Scroll Snapping and other cool CSS features come to Firefox 68

Last week, Raymond Hill, the developer behind uBlock Origin shared that the extension’s dev build 1.22.5rc1 was rejected by Google's Chrome Web Store (CWS). uBlock Origin is a free and open-source browser extension widely used for content-filtering and adblocking.  Google stated that the extension did not comply with its extension standards as it bundles up different purposes into a single extension. An email to Hill from Google reads, “Do not create an extension that requires users to accept bundles of unrelated functionality, such as an email notifier and a news headline aggregator.” Hill on a GitHub issue mentioned that this is basically “stonewalling” and in the future, users may have to switch to another browser to use uBlock Origin. He does plans to upload the stable version. He commented, “I will upload stable to the Chrome Web Store, but given 1.22.5rc2 is rejected, logic dictates that 1.23.0 will be rejected. Actually, logic dictates that 1.22.5rc0 should also be rejected and yet it's still available in the Chrome Web Store.” Users’ reaction on Google rejecting the uBlock Origin dev build This news sparked a discussion on Hacker News and Reddit. Users speculated that probably this outcome is the result of the “crippling” update Google has introduced in Chrome (beta and dev versions currently): deprecating the blocking ability of the WebRequest API. The webRequest API permits extensions to intercept requests to modify, redirect, or block them. The basic flow of handling a request using this API is, Chrome receives the request, asks the extension, and then gets the result. In Manifest V3, the use of this API will be limited in its blocking form. While the non-blocking form of the API, which permit extensions to observe network requests will be allowed.  In place of webRequest API, Google has introduced the declarativeNetRequest API. This API allows adding up to 30,000 rules, 5000 dynamic rules, and 100 pages. Due to its limiting nature, many ad blocker developers and maintainers have expressed that this API will impact the capabilities of modern content blocking extensions. Google’s reasoning for introducing this change is that this API is much more performant and provides better privacy guarantees. However, many developers think otherwise. Hill had previously shared his thoughts on deprecating the blocking ability of the webRequest API.  “Web pages load slow because of bloat, not because of the blocking ability of the webRequest API -- at least for well-crafted extensions. Furthermore, if performance concerns due to the blocking nature of the webRequest API was their real motive, they would just adopt Firefox's approach and give the ability to return a Promise on just the three methods which can be used in a blocking manner.” Many users also mentioned that Chrome is using its dominance in the browser market to dictate what type of extensions are developed and used. A user commented, “As Chrome is a dominant platform, our work is prevented from reaching users if it does not align with the business goals of Google, and extensions that users want on their devices are effectively censored out of existence.” Others expressed that it is better to avoid all the drama by simply switching to some other browser, mainly Firefox. “Or you could cease contributing to the Blink monopoly on the web and join us of Firefox. Microsoft is no longer challenging Google in this space,” a user added. While some others were in support of Google saying that Hill could have moved some of the functionalities to a separate extension. “It's an older rule. It does technically apply here, but it's not a great look that they're only enforcing it now. If Gorhill needed to, some of that extra functionality could be moved out into a separate extension. uBlock has done this before with uBlock Origin Extra. Most of the extra features (eg. remote font blocking) aren't a huge deal, in my opinion.” How Google reacted to the public outcry Simeon Vincent, a developer advocate for Chrome extensions commented on a Reddit discussion that the updated extension was approved and published on the Chrome Web Store.  “This morning I heard from the review team; they've approved the current draft so next publish should go through. Unfortunately it's the weekend, so most folks are out, but I'm planning to follow up with u/gorhill4 with more details once I have them. EDIT: uBlock Origin development build was just successfully published. The latest version on the web store is 1.22.5.102.” He also further said that this whole confusion was because of a “clunkier” developer communication process. When users asked him about the Manifest V3 change he shared, “We've made progress on better supporting ad blockers and content blockers in general in Manifest V3. We've added rule modification at runtime, bumped the rule limits, added redirect support, header modification, etc. And more improvements are on the way.” He further added, “But Gorhill's core objection is to removing the blocking version of webRequest. We're trying to move the extension platform in a direction that's more respectful of end-user privacy, more secure, and less likely to accidentally expose data – things webRequest simply wasn't designed to do.” Chrome ignores the autocomplete=off property In other Chrome related news, it was reported that Chrome continues to autofill forms even if you disable it using the autocomplete=off property. A user commented, “I've had to write enhancements for Web apps several times this year with fields which are intended to be filled by the user with information *about other users*. Not respecting autocomplete="off" is a major oversight which has caused a lot of headache for those enhancements.” Chrome decides on which field should be filled with what data based on a combination of form and field signatures. If these do not match, the browser will resort to only checking the field signatures.  A developer from the Google Chrome team shared, “This causes some problems, e.g. in input type="text" name="name", the "name" can refer to different concepts (a person's name or the name of a spare part).” To solve this problem the team is working on an experimental feature that gives users the choice to “(permanently) hide the autofill suggestions.”  Check out the reported issue to know more in detail. Google Chrome developers “clarify” the speculations around Manifest V3 after a study nullifies their performance hit argument Is it time to ditch Chrome? Ad blocking extensions will now only be for enterprise users Chromium developers propose an alternative to webRequest API that could result in existing ad blockers’ end GitHub updates to Rails 6.0 with an incremental approach React DevTools 4.0 releases with support for Hooks, experimental Suspense API, and more!

Yesterday, the OpenJS Foundation announced that Node Version Manager (NVM) is joining the organization as an incubating project. It is the first new project to enter the OpenJS Foundation’s incubation process since the Node.js Foundation and JSF merger. The merger happened in March this year for accelerating the development of JavaScript, combined governance structure, and more. “nvm is joining the OpenJS Foundation as an incubating project, and upon successful completion of onboarding, it will become an “At-Large” project. An “At -Large” project is one which is “stable projects with minimal needs,” the announcement reads. Node Version Manager (NVM) and its functions NVM is a tool that allows programmers to seamlessly switch between different versions of Node.js. It comes in handy when you are working on different Node.js projects or want to check your library for maximum backward compatibility. It is a POSIX-compliant bash script and supports multiple types of shells including Sh, Zsh, Dash, Ksh, except Fish. NVM also makes installing node a very easy process by handling the compilation for systems that don’t have prebuilt binaries available. You can install multiple versions of node in a single system, each with its own node_modules directory for global package installs. Since NVM stores globally installed modules inside the user directory, it removes the need for sudo when used with npm. NVM is an important part of the Node.js and JavaScript ecosystem. Joining the OpenJS Foundation will help in its further development, stability, and governance. “By joining the OpenJS Foundation, there are multiple organizational and infrastructure areas that will be better supported, helping both current users and future users including ensuring no single point of failure for the nvm.sh domain, GitHub repo, and more,” OpenJS Foundation wrote in the announcement. Check out the official announcement by the OpenJS Foundation to know more in detail. Node.js and JS Foundation announce intent to merge; developers have mixed feelings 12 Visual Studio Code extensions that Node.js developers will love [Sponsored by Microsoft] 5 reasons Node.js developers might actually love using Azure [Sponsored by Microsoft] Electron 5.0 ships with new versions of Chromium, V8, and Node.js Introducing Node.js 12 with V8 JavaScript engine, improved worker threads, and much more

Yesterday, Mr Macintosh website reported of Google Chrome Keystone updated to remove the /var symlink on NON SIP protected Mac computers, causing account and booting issues. Few MacAdmins started to report that their systems would not boot properly. And they had following issues:   1. After rebooting the affected system it would Kernel Panic. The system will reboot only to KP again 2. User Logs out and the system shows the Setup Assistant. 3. The System Kernel Panics into a boot Loop.   The MacOS versions 10.9 – 10.14 Mojave were affected by this. It seems the issue affects all Macs that have SIP (System Integrity Protection) Disabled or turned off. Google Chrome keystone update causes booting issues AVID users were some of the first to report the issue. They said that AVID Media Creators use 3rd Party Graphics cards connected to their Mac Pro. When the issue hit yesterday, it was thought that AVID was the main cause of the problems since all the users experiencing the issue had AVID software. Only later after a MacAdmins dived deep in an investigation. After investigation from some of the top minds in the MacAmins Slack Chat #varsectomy channel it was found that the Google Chrome Keystone Updater was at the heart of the issue. How to check if the /var symlink was modified You can check to see if the /var symlink was modified by running the following command. ls -ldO /var The following outputs appear. The first one below means that your /var volder is SIP protected (notice the restrictedflag) and the proper sym link /var -> private/var lrwxr-xr-x@ 1 root wheel restricted,hidden 11 Apr 1 2018 /var -> private/var The next one means that your symlink is broken and the folder is NOT SIP Protected. drwxr-xr-x 5 503 wheel - 170 Sep 24 14:37 /var If you find /var in this condition you are affected! If you LOGOUT, SHUTDOWN OR RESTART your Mac will NOT Boot! You will need to boot into recovery, repair the /var symlink and reset the restricted flags. And there are two ways to fix the issue. First is to fix from MacAdmins User Juest and second is from Google Support, you need to use commands while booting through macOS Recovery. Community hates automatic updates from Google Chrome On Hacker News, users are discussing about sudden updates on Google Chrome Keystone which cause such issues and prefer using Safari or Firefox instead of Chrome. One of them commented, “I've always hated that "service" (more like malware given this news) like everything else that installs itself into the autolaunch sequence without permission, and remove* it whenever I notice/remember it, but it keeps coming back whenever I touch Google Chrome, which I prefer not to use in favor of Safari/FireFox because of reasons like this. Things like these (including secretly signing you into Search when you sign into YouTube† or refusing to support PiP on iPadOS/macOS) just solidify Google's image in my mind as a forever scummy, intrusive company that I wish I could leave behind like I did Microsoft, but sadly Google Search and YouTube still don't have good enough alternatives yet.” Another user commented, “The trends that Google has spearheaded have had a real effect on me over the years. I feel alienated from my computer. Subtle things will just change. If I really dig I might be able to find out why, but I don't have the time, so I just accept it. Usually very small things that are barely noticeable. My Chromecast extension disappeared and was integrated into the browser. My brain could not help but notice this benign change, which caused a hard to place sense of unease. Or when Google decided to remove rotation from the home screen on Android 2.3 -- it wasn't a huge problem, but I could have sworn that something changed. Users were conflicted, many convincing themselves that the homescreen never rotated at all. It has made me not trust my computer. I second guess myself much more. If some option no longer exists, I wonder if it was just my imagination or if it was quietly deprecated while I wasn't looking. Does it even matter? I think that we are being trained to see devices as ephemeral, and not to get too attached to them.” To know more about Google Chrome Keystone update and the issue regarding this, check out the Mr. Macintosh website. Other interesting news in web development Google Chrome 76 now supports native lazy-loading Google Chrome to simplify URLs by hiding special-case subdomains Google Chrome will soon support LazyLoad, a solution to lazily load below-the-fold images and iframes

Yesterday, Joshua Litt from the Google Chromium team announced to add support for top-level await in V8. V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. It implements ECMAScript and WebAssembly, and runs on Windows 7 or later, macOS 10.12+, and Linux systems that use x64, IA-32, ARM, or MIPS processors. V8 can run standalone, or can be embedded into any C++ application. The official documentation page on Google Chromium reads, “Adds support for parsing top level await to V8, as well as many tests.This is the final cl in the series to add support for top level await to v8.” Top-level await support will ease running JS script in V8 As per the latest ECMAScript proposal on top-level await allows the await keyword to be used at the top level of the module goal. Top-level await enables modules to act as big async functions: With top-level await, ECMAScript Modules (ESM) can await resources, causing other modules who import them to wait before they start evaluating their body. Earlier developers used IIFE for top-level awaits, a JavaScript function that runs as soon as it is defined. But there are certain limitations in using IIFE, that is with await only available within async functions, a module can include await in the code that executes at startup by factoring that code into an async function. And this pattern will be immediately invoked with IIFE and it is appropriate for situations where loading a module is intended to schedule work that will happen some time later. While Top-level await function lets developers rely on the module system itself to handle all of these, and make sure that things are well-coordinated. Community is really happy to know that top-level support has been added to V8. On Hacker News, one of the users commented, “This is huge! Finally no more need to use IIFE's for top level awaits”. Another user commented, “Top level await does more than remove a main function. If you import modules that use top level await, they will be resolved before the imports finish. To me this is most important in node where it's not uncommon to do async operations during initialization. Currently you either have to export a promise or an async function.” To know more about this read the official Google Chromium documentation page. Other interesting news in web development New memory usage optimizations implemented in V8 Lite can also benefit V8 LLVM WebAssembly backend will soon become Emscripten’s default backend, V8 announces V8 7.5 Beta is now out with WebAssembly implicit caching, bulk memory operations, and more  

Last week, Google announced the release of Chrome 78 beta. Its stable version is scheduled to release in October this year. Chrome 78 will release with a couple of new APIs including the CSS Properties and Values API and Native File System API. Key updates in Chrome 78 beta The CSS Properties and Values API The Houdini’s CSS Properties and Values API will be supported in Chrome 78. The Houdini task force consists of engineers from Mozilla, Apple, Opera, Microsoft, HP, Intel, and Google. In CSS, developers can define user-controlled properties using CSS custom properties, also known as CSS variables. However, the CSS custom properties do have a few limitations that make them difficult to work with. The CSS Properties and Values API addresses these limitations by allowing the registration of properties that have a value type, an initial value, and a defined inheritance behavior. The Native File System API Chrome 78 will support the Native File System API, which will enable web applications to interact with files on the user’s local device like IDEs, photo and video editors, text editors, and more. After permission to access local files is received, the API will allow web applications to read or save changes directly to files and folders on the user’s device. The SMS Receiver API Websites send a randomly generated one-time-password (OTP) to verify a phone number. This way of verification is cumbersome as it requires a user to manually enter or copy and paste the password into a form. Starting with Chrome 78, users will be able to skip this manual interaction completely with the help of the SMS Receiver API. It provides websites an ability to programmatically obtain OTPs from SMS as a solution “to ease the friction and failure points of manual user input of SMS codes, which is prone to error and phishing.” Origin trials Chrome 78 introduces origin trials that allow developers to try new features and share their feedback on “usability, practicality, and effectiveness to the web standards community.” Developers can register to enable an origin trial feature for all users on their origin for a fixed period of time. To know what features are available as an origin trial, check out the Origin Trials dashboard. Among the deprecations are, disallowing synchronous XHR during page dismissal and the removal of XSS Auditor. On a discussion on Hacker News, users were skeptical about the new Native File System API. A user commented, “I’m not sure about how to think about the file system API. On one hand, is great to see that secure file system access is possible in-browser, which allows most electron apps to be converted into PWAs. That’s great, I no longer need to run 5 different chromium instances. On the other hand, I’m really not sure if I like the future of editing Microsoft Office documents in the browser. I heavily believe that apps should have an integrated UX (with appropriate OS-specific widgets) because it allows coherency and familiarity.” To know what else is coming in Chrome 78, check out the official announcement by Google. Other news in Web Development Safari Technology Preview 91 gets beta support for the WebGPU JavaScript API and WSL New memory usage optimizations implemented in V8 Lite can also benefit V8 GitHub updates to Rails 6.0 with an incremental approach

Yesterday, Apple released Safari 13 for iOS 13, macOS 10.15 (Catalina), macOS Mojave, and macOS High Sierra. This release comes with opt-in dark mode support, FIDO2-compliant USB security keys support, updated Intelligent Tracking Prevention, and much more. Key updates in Safari 13 Desktop-class browsing for iPad users Starting with Safari 13, iPad users will have the same browsing experience as macOS users. In addition to displaying websites same as the desktop Safari, it will also provide the same capabilities including more keyboard shortcuts, a download manager with background downloads, and support for top productivity websites. Updates related to authentication and passwords Safari 13 will prompt users to strengthen their passwords when they sign into a website. On macOS, users will able to use FIDO2-compliant USB security keys in Safari. Also, support is added for “Sign in With Apple” to Safari and WKWebView. Read also: W3C and FIDO Alliance declare WebAuthn as the web standard for password-free logins Security and privacy updates A new permission API is added for DeviceMotionEvent and DeviceOrientationEvent on iOS. The DeviceMotionEvent class encapsulates details like the measurements of the interval, rotation rate, and acceleration of a device. Whereas, the DeviceOrientationEvent class encapsulates the angles of rotation (alpha, beta, and gamma) in degrees and heading. Other updates include updated third-party iframes to prevent them from automatically navigating the page. Intelligent Tracking Prevention is updated to prevent cross-site tracking through referrer and link decoration. Performance-specific updates While using Safari 13, iOS users will find that the initial rendering time for web pages is reduced. The memory consumption by JavaScript including for non-web clients is also reduced. WebAPI updates Safari 13 comes with a new Pointer Events API to enable consistent access to mouse, trackpad, touch, and Apple Pencil events. It also supports the Visual Viewport API that adjusts web content to avoid overlays, such as the onscreen keyboard. Deprecated features in Safari 13 WebSQL and Legacy Safari Extensions are no longer supported. To replace your previously provided Legacy Safari Extensions, Apple provides two options. First, you can configure your Safari App Extension to provide an upgrade path that will automatically remove the previous Legacy Safari Extension when it is installed. Second, you can manually convert your Legacy Safari Extension to a Safari App Extension. In a discussion on Hacker News, users were pleased with the support for the Pointer Events API. A user commented, “The Pointer Events spec is a real joy. For example, if you want to roll your own "drag" event for a given element, the API allows you to do this without reference to document or a parent container element. You can just declare that the element currently receiving pointer events capture subsequent pointer events until you release it. Additionally, the API naturally lends itself to patterns that can easily be extended for multi-touch situations.” Others also expressed their concern regarding the deprecation of Legacy Safari Extensions. A user added, “It really, really is a shame that they removed proper extensions. While Safari never had a good extension story, it was at least bearable, and in all other regards its simply the best Mac browser. Now I have to take a really hard look at switching back to Firefox, and that would be a downgrade in almost every regard I care about. Pity.” Check out the official release notes of Safari 13 to know more in detail. Other news in web development New memory usage optimizations implemented in V8 Lite can also benefit V8 5 pitfalls of React Hooks you should avoid – Kent C. Dodds Firefox 69 allows default blocking of third-party tracking cookies and cryptomining for all users

Last month, the creator of the Feathers web-framework, David Luecke announced the release of Feathers 4. This release brings built-in TypeScript definitions, a framework-independent authentication mechanism, improved documentation, security updates in database adapters, and more. Feathers is a web framework for building real-time applications and REST APIs with JavaScript or TypeScript. It supports various frontend technologies including React, VueJS, Angular, and works with any backend. Read also: Getting started with React Hooks by building a counter with useState and useEffect It basically serves as an API layer between any backend and frontend: Source: Feathers Unlike traditional MVC and low-level HTTP frameworks that rely on routes, controllers, or HTTP requests and response handlers, Feathers uses services and hooks. This makes the application easier to understand and test and lets developers focus on their application logic regardless of how it is being accessed. This also enables developers to add new communication protocols without the need for updating their application code. Key updates in Feathers 4 Built-in TypeScript definitions The core libraries and database adapters in Feathers 4 now have built-in TypeScript definitions. With this update, you will be able to create a TypeScript Feathers application with the command-line interface (CLI). Read also: TypeScript 3.6 releases with stricter generators, new functions in TypeScript playground, better Unicode support for identifiers, and more A new framework-independent authentication mechanism Feathers 4 comes with a new framework-independent authentication mechanism that is both flexible and easier to use. It provides a collection of tools for managing username/password, JSON web tokens (JWT) and OAuth authentication, and custom authentication mechanisms. The authentication mechanism includes the following core modules: A Feathers service named ‘AuthenticationService’ to register authentication mechanisms and create authentication tokens. The ‘JWTStrategy’ authentication strategy for authenticating JSON web token service methods calls and HTTP requests. The ‘authenticate’ hook to limit service calls to an authentication strategy. Security updates in database adapters The database adapters in Feathers 4 are updated to include crucial security and usability features, some of which are: Querying by id: The database adapters now support additional query parameters for ‘get’, ‘remove’, ‘update’, and ‘patch’. In this release, a ‘NotFound’ error will be thrown if the record does not match the query, even if the id is valid. Hook-less service methods: Starting from this release, you can call a service method by simply adding ‘a _’ in front instead of using a hook. This will be useful in the cases when you need the raw data from the service without triggering any of its hooks. Multi updates: Mulitple update means you can create, update, or remove multiple records at once. Though it is convenient, it can also open your application to queries that you never intended for. This is why, in Feathers 4, the team has made multiple updates opt-in by disabling it by default. You can enable it by explicitly setting the ‘multi’ option. Along with these updates, the team has also worked on the website and documentation. “The Feathers guide is more concise while still teaching all the important things about Feathers. You get to create your first REST API and real-time web-application in less than 15 minutes and a complete chat application with a REST and websocket API, a web frontend, unit tests, user registration and GitHub login in under two hours,” Luecke writes. Read Luecke’s official announcement to know what else has landed in Feathers 4. Other news in web 5 pitfalls of React Hooks you should avoid – Kent C. Dodds Firefox 69 allows default blocking of third-party tracking cookies and cryptomining for all users How to integrate a Medium editor in Angular 8

Yesterday, Mozilla relaunched its Test Pilot Program for the second time, alongside the release of Firefox Private Network Beta. The Test Pilot Program provides Firefox users with a way to try out its newest features and share their feedback with Mozilla. Mozilla first introduced the Test Pilot Program as an add-on for Firefox 3.5 in 2009 and relaunched it in 2016. However, in January this year, it decided to close this program in the process of evolving its “approach to experimentation even further.” While the name is the same, the difference is that the features you will get to try now will be much more stable. Explaining the difference between this iteration of Test Pilot Program and the previous ones, the team wrote in the announcement, “The difference with the newly relaunched Test Pilot program is that these products and services may be outside the Firefox browser, and will be far more polished, and just one step shy of general public release.” Firefox Private Network Beta The first project available for beta testing under this iteration of the Test Pilot Program is Firefox Private Network. It is currently free and available to Firefox for desktop users in the United States only. Firefox Private Network is an opt-in, privacy-focused feature that gives users access to a private network when they are connected to a free and open Wi-Fi. It will encrypt the web addresses you visit and the data you share. Your data will be sent through a proxy service by Mozilla’s partner, Cloudflare. It will also mask your IP address to protect you from third-party trackers around the web. Source: Mozilla Read also: Firefox 69 allows default blocking of third-party tracking cookies and cryptomining for all users Users have already started testing the feature. A user on Hacker News shared, “I just got done testing this, it assigns a U.S. IPv6 address and uses the Cloudflare Warp network. My tests showed a very stable download speed of 150.3 Mbps and an upload speed of 13.8 Mbps with a latency of 31ms.” Another user commented, “I quite like the fact that once this goes mainstream, it'd help limit surveillance and bypass censorship on the web in one fell swoop without having to install or trust 3p other than the implicit trust in Mozilla and its partners (in this case, Cloudflare). Knowing Cloudflare, I'm sure this proxy is as much abt speed and latency as privacy and security.” Some users were also skeptical about the use of Cloudflare in this feature. “As much as I like the idea of baking better privacy tools into the browser, it's hard for me to get enthusiastic about the idea of making Cloudflare even more of an official man-in-the-middle for all network traffic than they already are,” a user added. Others also recommended to try Tor proxy instead, “I'd like to point out though, that, one could run a Tor proxy (it also has a VPN mode) on their phones [0] today to work around censorship and surveillance; anonymity is a bit tricky over tor-as-a-proxy. The speeds over Tor are decent and nothing you can't tolerate whilst casual web browsing. It is probably going to be free forever unlike Firefox's private network.” Read also: The Tor Project on browser fingerprinting and how it is taking a stand against it Read Mozilla’s official announcement to know more in detail. Other news in web development Laravel 6.0 releases with Laravel vapor compatibility, LazyCollection, improved authorization response and more GitHub updates to Rails 6.0 with an incremental approach Wasmer’s first Postgres extension to run WebAssembly is here!

After running the pre-release version of Rails 6.0 for months in production, the GitHub application was deployed to production on its official release last month. Yesterday, GitHub shared how its upgrade team was able to make the transition from Rails 5.2 to 6.0 smoothly just after 1.5 weeks of the release. Rails 6.0 was released with several amazing features including action mailbox, multiple database support, parallel testing, and more last month. GitHub is not only using it but has also made significant contributions to this release. It submitted over 100 pull requests for documentation improvements, bug fixes, performance improvements. Its contributions also included updates to the new features in the framework: parallel testing and multiple database support. “For many GitHub contributors, this was the first time sending changes to the Rails framework, demonstrating that upgrading Rails not only helps GitHub internally, but also improves our developer community as well,” GitHub wrote in the announcement. GitHub’s approach to this update was incremental. Instead of waiting for the final release, it upgraded every week by pulling in the latest changes from Rails master and running its tests against that new version. This enabled them to identify regressions quickly and early. The weekly updating process also made it easy to find these regressions because they were dealing with only a week’s worth of commits. GitHub now plans to use this co-development approach for future releases as well. It wrote, “Once our build for Rails 6.0 was green, we’d merge the pull request to master, and all new code that went into GitHub would need to pass in Rails 5.2 and the newest master build of Rails. Upgrading every week worked so well that we’ll continue using this process for upgrading from 6.0 to 6.1.” Following this approach has not only helped in improving the GitHub application in terms of security, performance, and new features but has also improved the working experience with the GitHub codebase for its engineers. This sparked a discussion on Hacker News were developers also recommended taking an incremental approach for upgrading one’s application. A user commented, “Incremental updates may require more time to complete, as an API may be refactored multiple times over many versions. However, the confidence in moving incrementally is well worth it IMHO. If you don't have an extensive enough test suite or poor/missing QA process (or both!), doing a big bang upgrade is going to both be extremely painful and very error-prone. It's worthwhile to keep up to date. It's probably not worthwhile to upgrade ASAP after a release, but you don't want to wait too long.” Another user added, “...they could have waited but if one has the developer resources, it's better to be proactive instead of waiting for an official release and all of a sudden try to upgrade and run into a lot of unforeseen issues.” Check out the official announcement to know more in detail. Other news in web development GitHub now supports two-factor authentication with security keys using the WebAuthn API The first release candidate of Rails 6.0.0 is now out! GitLab considers moving to a single Rails codebase by combining the two existing repositories

On Tuesday, Mozilla announced the release of Firefox 69. This release comes with default blocking of third-party tracking cookies and cryptomining, for all users. The team has also worked on a patch to minimize power consumption by Firefox Nightly for macOS users, which will possibly land in Firefox 70. In another announcement, Mozilla shared its plans for implementing Chrome’s Manifest V3 changes. Key updates in Firefox 69 Enhanced Tracking Protection on by default for all Browser cookies are used to store your login state, website preferences, provide personalized content, and more. However, they also facilitate third-party tracking. In addition to being a threat to user privacy, they can also end up slowing down your browser, consuming your data, and creating user profiles. The tracked information and profiles can also be sold and used for purposes that you did not consent for. With the aim to prevent this, the Firefox team came up with the Enhanced Tracking Protection feature. In June this year, they made it available to new users by default. With Firefox 69, it is now on by default and set to the ‘Standard’ setting for all users. It blocks all known third-party tracking cookies that are listed by Disconnect. Protection against cryptomining and browser fingerprinting There are many other ways through which users are tracked or their resources are used without their consent. Unauthorized cryptominers run scripts to generate cryptocurrency that requires a lot of computing power. This can end up slowing down your computers and also drain your battery. There are also fingerprinting scripts that store a snapshot of your computer’s configuration when you visit a website, which can be used to track your activities across the web. To address these, the team introduced an option to block cryptominers and browser fingerprinting in  Firefox Nightly 68 and Beta 67. Firefox 69 includes the option to block cryptominers in the “Standard Mode”, which means it is on by default. To block fingerprinting users need to turn on the “Strict Mode.” We can expect the team to make it enabled by default in a future release. Read also: Mozilla adds protection against fingerprinting and Cryptomining scripts in Firefox Nightly and Beta A stricter Block Autoplay feature Starting with Firefox 69, the Block Autoplay will block all media with sound from playing automatically by default. This means that users will be able to block any video from autoplaying, not just those that autoplay with sound. Updates for Windows 10 users Firefox 69 brings support for the Web Authentication HMAC Secret extension via Windows Hello for Windows 10 users. The HMAC Secret extension will allow users to sign-in to their device even when it is offline or in airplane mode. This release also comes with Windows hints to appropriately set content process priority levels and a shortcut on the Win10 taskbar to help users easily find and launch Firefox. Improved macOS battery life Firefox 69 comes with improved battery life and download UI. To minimize battery consumption, Firefox will switch back to the low-power GPU on macOS systems that have a dual graphics card. Other updates include JIT support for ARM64 and Finder now shows download progress for files being downloaded. Not only main releases, but the team is also putting efforts into making Firefox Nightly more power-efficient. On Monday, Henrik Skupin, a senior test engineer at Mozilla, shared that there is about 3X decrease in power usage by Firefox Nightly on macOS. We can expect this change to possibly land in version 70, which is scheduled for October 22. https://twitter.com/whimboo/status/1168437524357898240 Updates for developers Debugger updates: With this release, debugging an application that has event handlers is easier. The debugger now includes the ability to automatically break when the code hits an event handler. Also, developers can now save the scripts shown in the debugger's source list pane via the Download file context menu option. The Resize Observer API: Firefox 69 supports the Resize Observer API by default. This API provides a way to monitor any changes to an element’s size. It also notifies the observer each time when the size changes. Network panel updates: The network panel will now show the resources that got blocked because of CSP or Mixed Content. This will “allow developers to best understand the impact of content blocking and ad blocking extensions given our ongoing expansion of Enhanced Tracking Protection to all users with this release,” the team writes. Re-designed about:debugging: In Firefox 69, the team has now migrated remote debugging from the old WebIDE into a re-designed about:debugging. Check out the official release notes to know what else has landed in Firefox 69. Mozilla on Google’s Manifest V3 Chrome is proposing various changes to its extension platform called Manifest V3. In a blog post shared on Tuesday, Mozilla talked about its plans for implementing these changes and how it will affect extension developers. One of the significant updates proposed in Manifest V3 is the deprecation of the blocking webRequest API, which allows extensions to intercept all inbound and outbound traffic from the browser. It then blocks, redirects, or modifies the intercepted traffic. In place of this API, Chrome is planning to introduce declrativeNetRequest API, which limits the blocking version of the webRequest API. According to Manifest V3, the declarativeNetRequest API will be treated as the primary content-blocking API in extensions. Read also: Google Chrome developers “clarify” the speculations around Manifest V3 after a study nullifies their performance hit argument Explaining the impact of this proposed change if implemented, Mozilla wrote, “This API impacts the capabilities of content blocking extensions by limiting the number of rules, as well as available filters and actions. These limitations negatively impact content blockers because modern content blockers are very sophisticated and employ layers of algorithms to not only detect and block ads, but to hide from the ad networks themselves.” Mozilla further shared that it does not have any immediate plans to remove blocking WebRequest API. “We have no immediate plans to remove blocking webRequest and are working with add-on developers to gain a better understanding of how they use the APIs in question to help determine how to best support them,” Mozilla wrote in the announcement. However, Mozilla is willing to consider other changes that are proposed in Manifest V3. It is planning to implement the proposal that requires content scripts to have the same permissions as the pages where they get injected. Read the official announcement to know more in detail about Mozilla’s plans regarding Manifest V3. Other news in web JavaScript will soon support optional chaining operator as its ECMAScript proposal reaches stage 3 #Reactgate forces React leaders to confront community’s toxic culture head on Google Chrome 76 now supports native lazy-loading

Yesterday, the React team announced the release of React DevTools 4.0 for Chrome, Firefox, and Edge. In addition to better performance and navigation experience, this release fully supports React Hooks and provides a way to test the experimental Suspense API. Key updates in React DevTools 4.0 Better performance by reducing the “bridge traffic” The React DevTools extension is made up of two parts: frontend and backend. The frontend portion includes the components tree, the Profiler, and all the other things that are visible to you. On the other hand, the backend portion is the one that is invisible. This portion is in charge of notifying the frontend by sending messages through a “bridge”. In previous versions of React DevTools, the traffic caused by this notification process was one of the biggest performance bottlenecks. Starting with React DevTools 4.0, the team has tried to reduce this bridge traffic by minimizing the amount of messages sent by the backend to render the Components tree. The frontend can request more information whenever required. Automatically logs React component stack warnings React DevTools 4.0 now provides an option to automatically append component stack information to the console in the development phase. This will enable developers to identify where exactly in the component tree failure has happened. To disable this feature just navigate to the General settings panel and uncheck the “Append component stacks to warnings and errors.” Source: React Components tree updates Improved hooks support: Hooks allow you to use state and other React features without writing a class. In React DevTools 4.0, hooks have the same level of support as props and state. Component filters: Navigating through large component trees can often be tiresome. Now, you can easily and quickly find the component you are looking for by applying the component filters. "Rendered by" list and an owners tree: React DevTools 4.0 now has a new "rendered by" list in the right-hand pane that will help you quickly step through the list of owners. There is also an owners tree, the inverse of the "rendered by" list, which lists all the things that have been rendered by a particular component. Suspense toggle: The experimental Suspense API allows you to “suspend” the rendering of a component until a condition is met. In <Suspense> components you can specify the loading states when components below it are waiting to be rendered. This DevTools release comes with a toggle to let you test these loading states. Source: React Profiler changes Import and export profiler data: The profiler data can now be exported and shared among other developers for better collaboration. Source: React Reload and profile: React profiler collects performance information each time the application is rendered. This helps you identify and rectify any possible performance bottlenecks in your applications. In previous versions, DevTools only allowed profiling a “profiling-capable version of React.” So, there was no way to profile the initial mount of an application. This is now supported with a "reload and profile" action. Component renders list: The profiler in React DevTools 4.0 displays a list of each time a selected component was rendered during a profiling session. You can use this list to quickly jump between commits when analyzing a component’s performance. You can check out the release notes of React DevTools 4.0 to know what other features have landed in this release. React 16.9 releases with an asynchronous testing utility, programmatic Profiler, and more React Native 0.60 releases with accessibility improvements, AndroidX support, and more React Native VS Xamarin: Which is the better cross-platform mobile development framework?

On Monday, the CEO and Co-founder of Dark, Ellen Chisa, announced the project had raised $3.5 million in funding in a Medium post. Dark is a holistic project that includes a programming language (Darklang), an editor and an infrastructure. The value of this, according to Chisa, is simple: "developers can code without thinking about infrastructure, and have near-instant deployment, which we’re calling deployless." Along with Chisa, Dark is led by CTO, Paul Biggar, who is also the founder of CircleCI, the CI/CD pioneering company. The seed funding is led by Cervin Ventures, in participation with Boldstart, Data Collective, Harrison Metal, Xfactor, Backstage, Nextview, Promus, Correlation, 122 West and Yubari. What are the key features of the Dark programming language? One of the most interesting features in Dark is that deployments take a mere 50 milliseconds. Fast. Chisa says that currently the best teams can manage deployments around 5–10 minutes, but many take considerably longer, sometimes hours. But Dark was designed to change this. It's purpose-built, Chisa seems to suggest, for continuous delivery. “In Dark, you’re getting the benefit of your editor knowing how the language works. So you get really great autocomplete, and your infrastructure is set up for you as soon as you’ve written any code because we know exactly what is required.” She says there are three main benefits to Dark’s approach: An automated infrastructure No need to worry about a deployment pipeline ("As soon as you write any piece of backend code in Dark, it is already hosted for you,” she explains.) Tracing capabilities are built into your code. "Because you’re using our infrastructure, you have traces available in your editor as soon as you’ve written any code. There's undoubtedly a clear sense - whatever users think of the end result - that everything has been engineered with an incredibly clear vision. Dark has been deployed on SaaS platform and project tracking tools Chisa highlights how some customers have already shipped entire products on Dark. Chase Olivieri, who built Altitude, a subscription SaaS providing personalized flight deals, using Drark is cited by Chisa, saying that "as a bootstrapper, Dark has allowed me to move fast and build Altitude without having to worry about infrastructure, scaling, or server management." Downside of Dark is programmers have to learn a new language Speaking to TechCrunch, Chisa admitted their was a downside to Dark - you have to learn a new language. "I think the biggest downside of Dark is definitely that you’re learning a new language, and using a different editor when you might be used to something else, but we think you get a lot more benefit out of having the three parts working together." Chisa acknowledged that it will require evangelizing the methodology to programmers, who may be used to employing a particular set of tools to write their programs. But according to her the biggest selling point is that it will remove the complexity around deployment by bringing an integrated level of automation to the process. Is Darklang basically like AWS Lambda? The community on Hacker News compares Dark with AWS Lambda, with many pessimistic about its prospects. In particular they are skeptical about the efficiency gains Chisa describes. "It only sounds maybe 1 step removed from where aws [sic] lambda’s are now," said one user. "You fiddle with the code in the lambda IDE, and submit for deployment. Is this really that much different?” Dark’s Co-founder, Paul Biggar responded to this in the thread. “Dark founder here. Yes, completely agree with this. To a certain extent, Dark is aimed at being what lambda/serverless should have been." He continues by writing: "The thing that frustrates me about Lambda (and really all of AWS) is that we're just dealing with a bit of code and bit of data. Even in 1999 when I had just started coding I could write something that runs every 10 minutes. But now it's super challenging. Why is it so hard to take a request, munge it, send it somewhere, and then respond to it. That should be trivial! (and in Dark, it is)" The team has planned to roll out the product publicly in September. To find out more more about Dark, read the team's blog posts including What is Dark, How Dark is a functional language, and How Dark allows deploys in 50ms. The V programming language is now open source – is it too good to be true? “Why was Rust chosen for Libra?”, US Congressman questions Facebook on Libra security design choices Rust’s original creator, Graydon Hoare on the current state of system programming and safety

A vulnerability in the stack protection feature in LLVM's Arm backend becomes ineffective when the stack protector slot is re-allocated. This was notified as a vulnerability note in the Software Engineering Institute of the CERT Coordination Center. The stack protection feature is optionally used to protect against buffer overflows in the LLVM Arm backend. A cookie value is added between the local variables and the stack frame return address to make this feature work. After storing this value in memory, the compiler checks the cookie with the LocalStackSlotAllocation function. The function checks if the value has been changed or overwritten. It is terminated if the address value is found to be changed.  If a new value is allocated later on, the stack protection becomes ineffective as the new stack protector slot appears only after the local variables which it is supposed to protect. It is also possible that the value gets overwritten by the stack cookie pointer. This happens when the stack protection feature is rendered ineffective.  When the stack protection feature becomes ineffective, the function becomes vulnerable to stack-based buffer overflow. This can cause the return address to be changed or the cookie to be overwritten itself, thus causing an unintended value to be passed through the check. The proposed solution for the stack vulnerability is to apply the latest updates from both the LLVM and Arm. This year saw many cases of buffer overflow vulnerabilities. In the June release of VLC 3.0.7, many security issues were resolved. One of the high security issues resolved was about the stack buffer overflow in the RIST Module of VLC 4.0.  LLVM WebAssembly backend will soon become Emscripten’s default backend, V8 announces Google proposes a libc in LLVM, Rich Felker of musl libc thinks it’s a very bad idea Introducing InNative, an AOT compiler that runs WebAssembly using LLVM outside the Sandbox at 95% native speed

At Build 2019, Microsoft showcased Web Template Studio (WebTS), a cross-platform Visual Studio Code extension, which is built by a team of Microsoft Garage interns. Yesterday, the tech giant open sourced the extension under the MIT license and announced its availability on VS Marketplace. The Visual Studio Code extension is currently only available in preview form. Explaining the vision behind developing this extension, Kelly Ng, one of the Software engineering intern who helped build it said, “A lot of times in a hackathon, you spend the whole hackathon just setting all of that up before you can start programming. With our tool, you can hook everything up in just 5 or 6 minutes.” What is Microsoft Web Template Studio? Written in TypeScript and React, Microsoft WebTS allows developers to easily create new web applications with the help of its “dev-friendly wizard”. It is built along the same lines of a Visual Studio extension, Windows Template Studio, which simplifies and accelerates the creation of Universal Windows Platform (UWP) apps. With this extension, you can generate boilerplate code for a full-stack web application by selecting your choice of front-end frameworks, back-end frameworks, pages, and cloud services. Right now, WebTS only supports React.js for frontend and Node.js for backend. In the future, the team plans to add more frameworks like Angular and Vue. The extension comes with various app page templates including blank page, common layouts, and pages that implement common patterns like grid or list. You just need to choose from these pages to add a common UI into your web app. Once you are done doing all that, you just need to specify which Azure cloud services you want to use for your project. Currently, the extension supports Azure Cosmos DB for storage and Azure Functions for compute. If you want to use the extension, just head over to Visual Studio Marketplace’s Web Template Studio page and click install. The project is still in its initial stages and the team plans to support more frameworks and services as it grows with the help of the community. In case you want to contribute, check out its GitHub repository. You can read the full announcement at Microsoft Blog. Microsoft Build 2019: Microsoft showcases new updates to MS 365 platform with focus on AI and developer productivity Microsoft Build 2019: Introducing Windows Terminal, application packed with multiple tab opening, improved text and more Microsoft announces ‘Decentralized Identity’ in partnership with DIF and W3C Credentials Community Group