Mozilla's Firefox got a bit hotter today with the official release of version 3.6, a noteworthy update of the popular open source Web browser. It's an incremental improvement that introduces a modest assortment of new features and expands the browser's support for emerging Web standards. It will add fuel to the fire as the flame-throwing fox continues to scorch Internet Explorer's declining marketshare, bringing more choice and openness to the Web.

It's been roughly six months since the release of Firefox 3.5, Mozilla's last major update. This new release is less ambitious, but just as solid. Although there aren't a lot of significant user-facing features to talk about, there are some compelling improvements for Web developers. In this review we will look at both sides of the browser.

Personas

One of the most visible new features in this release for regular end users is the Personas system, which brings support for lightweight theming to Firefox. It allows users to apply a custom visual style to the browser's user interface elements, including the toolbars, menus, tabs, and status bar. It's intended to provide a simple alternative to Firefox's existing theming engine. Unlike conventional Firefox themes—which can profoundly alter the look, feel, and behavior of the program at a multitude of different levels—a Persona is like a decal that you can apply to the top layer.

The Personas feature was first introduced by Mozilla Labs in in 2007, where it was created as a hobby project by Mozilla's Chief Innovation Officer (yes, that's his real title) Chris Beard. At the time, Beard was the vice president of the Labs group and was interested in exploring some possibilities for lowering the barrier to entry for theming and blurring the boundary between Web content and the browser's user interface.

The Personas feature has been available to users through a browser add-on, but now the project has matured and Mozilla has made it a built-in part of the browser. Mozilla recently launched a Personas Gallery, which has over 35,000 individual Personas, most of which are unforgivably hideous. The skins in the gallery exhibit a diverse assortment of visual elements, ranging from images of the popular singer Lady Gaga to anime characters, marijuana leaves, and various Firefox logos.

Although many of them are garish abominations that make the browser look like a mutant circus with leprosy, there are some fairly nice ones that can spice up your toolbar with a bit of extra color. In the Abstract category, you can find some simple gradients and textures that aren't too distracting. I grudgingly admit to liking the Star Trek set even though it's kind of tacky.

To boldly go where no user interface... ever should

When you hover your mouse cursor over an item in the Gallery, the Persona will be applied instantly in preview mode, meaning that it will revert when you move your cursor away. To apply a Persona, you just have to click the "Wear It" link that will appear over the thumbnail in the gallery when you hover. The individual Personas will show up on the theme list in the browser's preference dialog you. You can switch between Personas just like regular themes. It's worth noting, however, that you cannot use a Persona and a full theme at the same time. When you enable a Persona, Firefox will switch back to the default theme and then apply the Persona on top of that.

PluginCheck: protecting users from plug-in vulnerabilities

Mozilla has a pretty strong track record on delivering fast fixes and pushing its users onto the most recent version of Firefox. This helps insulate users from security vulnerabilities and ensures that they benefit from the latest bug fixes. Unfortunately, not all software vendors are as mindful. Vulnerabilities in Adobe's Flash plug-in, for example, are becoming increasingly notorious as malware distribution vectors and can sometimes expose users to security risks.

Mozilla says that users don't always understand the role that plug-ins play in the Web experience and might not even realize that they have plug-ins installed. This is a major impediment to giving users the ability to protect their own security. The PluginCheck system is a new feature that Mozilla has introduced to address some of the problems caused by faulty browser plug-ins. It gives the browser the ability to make the user aware when a vulnerable plug-in is detected.

Image Credit: Mozilla's Jonathan Nightingale

The PluginCheck feature is made possible by a Web service that Mozilla launched last year which matches the user's plugin versions against a remote database of plug-in information. The backend Web service, called PFS2, is also used to help users find the appropriate plug-ins to enable support for certain kinds of content.

In order to function properly, the browser has to periodically phone home in order to request information from the plugin database—much like what Firefox does already to check for browser and add-on updates. For PluginCheck, the browser sends the PFS2 server the user's Firefox version number, operating system name, and browser locale (the language that is used in the user interface). The server will respond by providing a JSON data structure that includes detailed metadata about the latest version and previous vulnerable versions, including URLs with information about the relevant vulnerabilities. You can see documentation for the PFS2 Web API on the Mozilla website.

PluginCheck is only one part of Mozilla's plugin protection arsenal. The browser already has a plug-in blacklist system that can be used in an emergency to forcefully disable plug-ins that have extreme defects. As some readers may recall, Mozilla put the blacklist to use last year when a serious vulnerability was uncovered in Microsoft's WPF plugin for Firefox.