Jbub5/IronFox

 
 

IronFox


IronFox is a fork of Divested Computing Group's Mull Browser, based on Mozilla Firefox. Our goal is to continue the legacy of Mull by providing a free and open source, privacy and security-oriented web browser for daily use.

While IronFox's home is GitLab, this repo is also mirrored to both Codeberg & GitHub.

Want to join the IronFox Community?

We'd love to see you over on Matrix (Recommended) and Discord!

Known Issues

Please see the list of known issues and workarounds before opening an issue!

Issues inherited from Mull that still apply to IronFox - (contents adapted from the DivestOS website)
  • uBlock Origin is the only recommended and supported content blocker.
  • Some fonts, particularly ones used for displaying Korean text, may not display correctly due to the font restrictions imposed by resist fingerprinting (RFP). Please do not disable RFP. This will hopefully be fixed in future versions such as v126.
  • Dark Reader is known to be incompatible with IronFox's changes and will cause significant breakage/slowdowns.
  • Dark mode for websites is disabled due to resist fingerprinting. Please do not disable RFP.
  • Refresh rate is capped to 60hz due to resist fingerprinting. Please do not disable RFP.
  • Multitouch gestures will not work due to resist fingerprinting. Please do not disable RFP.
  • If audio/video content fails to play in private tabs, navigate to about:config and change browser.privatebrowsing.forceMediaMemoryCache to false. This is, however, a privacy risk.
  • IronFox disables the JavaScript JIT to increase security at the cost of slowing down webapps, complex websites, and the PDF viewer. Navigate to about:config and change javascript.options.ion and javascript.options.baselinejit to true to restore their performance, though this is not recommended.
  • IronFox has strict certificate revocation checks. The CA revocation servers are occasionally down/blocked/inaccessible, so you may see a "Secure Connection Failed" error from time to time. Navigate to about:config and change security.OCSP.require to false. This is, however, a security and privacy risk.
  • IronFox requires safe renegotiation for connections. Certain websites do not support this, which results in a "Secure Connection Failed" error. Please report these errors to the impacted websites. You can navigate to about:config and set security.ssl.require_safe_negotiation to false to disable the requirement for safe renegotiations. This is, however, a security and privacy risk.
  • IronFox has strict certificate pinning. If you are using a proxy or VPN that does HTTPS manipulation, you may encounter a "Secure Connection Failed" error. Navigate to about:config and change security.cert_pinning.enforcement_level from 2 to 1 to disable strict certificate pinning; this is however a security and privacy risk.
  • IronFox does not trust user-added CA certificates. You can optionally enable them at your own extreme risk: Settings > About IronFox > Tap IronFox logo until debug settings are enabled > back a menu > Secret Settings > Use third party CA certificates > Enabled. This is, however, a security and privacy risk.
  • IronFox has stripped referrers. This often breaks loading of images on websites with hotlink protection. Navigate to about:config and change network.http.referer.XOriginPolicy from 2 to 1 (or 0 if you're still having issues). This is, however, a privacy risk.
  • IronFox has visited link highlighting disabled by default. Navigate to about:config and change layout.css.visited_links_enabled to true if needed. This is, however, a privacy risk.
  • IronFox has WebAssembly disabled by default. This is often used for web apps. Navigate to about:config and change javascript.options.wasm to true if needed. This is, however, a security risk.
  • IronFox has WebGL disabled by default. This is often used for games and maps. Navigate to about:config and change webgl.disabled to false if needed. This is, however, a privacy risk.
  • IronFox forcibly excludes private IP addresses from being leaked over WebRTC. This may cause issues with audio/video calls. Navigate to about:config and change media.peerconnection.ice.no_host to false if needed. This is, however, a privacy risk. If you still have issues, you should also set media.peerconnection.ice.default_address_only to false.
  • If you want to access Onions using IronFox and Orbot, navigate to about:config and change network.dns.blockDotOnion to false. Tor Browser for Android should, however, be preferred.
  • If you have issues playing some videos: navigate to about:config and change media.android-media-codec.preferred from true to false. This may reduce battery life.
  • When adding a custom search engine that contains a `:` you must replace it with `%3A` to work around an upstream substitution bug.
  • Upstream issues: background timers, bookmark import/export, disable images, download location, duplicate tab, FIDO, Fission, isolatedProcess, language issues, open .html file, RFP canvas exception, Sync broken by RFP, touch gestures

Issues originating in IronFox

None yet.


You should also see here for a list of websites with known issues due to hardening, and what you may need to do to fix them. This list is maintained by Phoenix - so while it isn't specific to IronFox or Mull, many of these problems do still apply.
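
The about:config workarounds listed above each trade away part of the hardening, so it helps to be able to see which ones a profile has accumulated. The following is an added example, not part of IronFox or its scripts: it reads overrides in Firefox's `user_pref("name", value);` format and reports every pref from the list that differs from the hardened value. The hardened values are inferred from the list's wording, and the function names and sample input are constructed for illustration.

```python
import re

# Hardened values implied by the known-issues list ("change X from A to B" means
# A is the IronFox default), with the risk the list names for weakening each one.
HARDENED = {
    "browser.privatebrowsing.forceMediaMemoryCache": (True, "privacy"),
    "javascript.options.ion": (False, "security"),
    "javascript.options.baselinejit": (False, "security"),
    "security.OCSP.require": (True, "security and privacy"),
    "security.ssl.require_safe_negotiation": (True, "security and privacy"),
    "security.cert_pinning.enforcement_level": (2, "security and privacy"),
    "network.http.referer.XOriginPolicy": (2, "privacy"),
    "layout.css.visited_links_enabled": (False, "privacy"),
    "javascript.options.wasm": (False, "security"),
    "webgl.disabled": (True, "privacy"),
    "media.peerconnection.ice.no_host": (True, "privacy"),
    "media.peerconnection.ice.default_address_only": (True, "privacy"),
}
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    # The pattern is anchored at line start, so // commented-out prefs are skipped.
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    # Return (pref, current, hardened, risk) for every listed pref that was weakened.
    findings = []
    for name, value in parse_prefs(text).items():
        want, risk = HARDENED.get(name, (value, None))  # unlisted prefs never differ
        if type(value) is not type(want) or value != want:
            findings.append((name, value, want, risk))
    return findings

# Constructed sample overrides, not taken from a real profile.
SAMPLE = """\
user_pref("security.OCSP.require", false);
user_pref("security.cert_pinning.enforcement_level", 1);
user_pref("network.http.referer.XOriginPolicy", 2);
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The type check matters because Python treats `True == 1`; without it, a boolean written to an integer pref could compare equal to a hardened value it does not actually match.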

Building

IronFox makes it easier (and faster) to build the project locally. For example, prebuilt versions of wasi-sdk sysroot and llvm-project are used instead of building them locally. F-Droid builds still build those from source.

Build environment

You need to install a few packages on your machine to be able to build IronFox. Follow the instructions below for the OS you're using.

When building on Ubuntu
sudo apt update
sudo apt install -y make \
        cmake \
        clang-18 \
        gyp \
        ninja-build \
        patch \
        perl \
        wget \
        tar \
        unzip \
        xz-utils \
        zlib1g-dev

Apart from the above packages, you need to install Python 3.9. You can use the PPA from the deadsnakes team.

You also need to install JDK 8 AND JDK 17. JDK 17 should be set as the default JDK.

When building on Fedora 41
sudo dnf install -y \
    cmake \
    clang \
    gyp \
    java-1.8.0-openjdk-devel \
    java-17-openjdk-devel \
    m4 \
    make \
    ninja-build \
    patch \
    perl \
    python3.9 \
    shasum \
    xz \
    zlib-devel \
    wget \
    git

The above command installs all packages (including python3.9) that are required to build IronFox.

Build setup

  • Set up F-Droid's gradle script to be available in your PATH:

    mkdir -p $HOME/bin
    wget https://gitlab.com/fdroid/fdroidserver/-/raw/master/gradlew-fdroid -O "$HOME/bin/gradle"
    chmod +x "$HOME/bin/gradle"
    
    export PATH=$HOME/bin:$PATH
  • Disable Gradle Daemons and configuration cache:

    mkdir -p ~/.gradle
    echo "org.gradle.daemon=false" >> ~/.gradle/gradle.properties
    echo "org.gradle.configuration-cache=false" >> ~/.gradle/gradle.properties
  • Create a new Python 3.9 virtual environment, then activate it:

    python3.9 -m venv env
    source env/bin/activate
  • Ensure JDK 17 is the default JDK. You can check the current JDK version by running java --version in the terminal. If it is not JDK 17, you can temporarily set JDK 17 as the default by running:

    Don't forget to replace /path/to/jdk-17 below with the actual path of your JDK 17 installation!

    export JAVA_HOME=/path/to/jdk-17
    export PATH=$JAVA_HOME/bin:$PATH

    For instance, on Fedora 41, the default location of JDK 17 is /usr/lib/jvm/java-17-openjdk:

    export JAVA_HOME=/usr/lib/jvm/java-17-openjdk
    export PATH=$JAVA_HOME/bin:$PATH
  • Ensure that the ANDROID_HOME variable points to a valid Android SDK installation. Otherwise, you can execute the following to install and set up the SDK:

    source ./scripts/setup-android-sdk.sh

Get & patch sources

Next, you need to download the source files to build. The scripts/get_sources.sh file can be used to download/clone the source files.

This may take some time depending on your network speed...

./scripts/get_sources.sh

If you need to fetch sources for a different version of Firefox than the one IronFox is currently based on, you'll have to modify the script directly.

Once the source files are downloaded and extracted, you need to source the scripts/paths_local.sh script (generated by get_sources.sh) to set up the required environment variables:

source scripts/paths_local.sh

Next, you need to patch the files with:

This must be run once after getting your sources.

./scripts/prebuild.sh <version-name> <version-code>

Here <version-name> is the display name of the version (e.g. v133.0.3) and <version-code> is the numeric identifier of the version you want to build. We follow a version code convention similar to Mull's. See version code convention.

Build

Finally, you can start the build process with:

./scripts/build.sh

Version code convention

Version codes are prepended with 3, followed by the actual version code, the CPU ABI identifier and the revision number:

3<actual-version><abi-identifier><revision>

CPU ABI identifier is one of the following:

Identifier   CPU ABI
0            armeabi-v7a
1            x86_64
2            arm64-v8a

Revision numbers start from 0 for each major release and are updated when we apply fixes to existing releases.

Example
Version code : 31330320

3       - version code prefix
13303   - version code for v133.0.3
2       - arm64-v8a
0       - initial build

Licenses

The scripts are licensed under the GNU Affero General Public License, version 3 or later.

Changes to patches are licensed according to the header in the files this patch adds or modifies (Apache 2.0 or MPL 2.0).

Phoenix is licensed under the GNU General Public License, version 3 or later.

Notices

Mozilla Firefox is a trademark of The Mozilla Foundation.

This is not an officially supported Mozilla product. IronFox is in no way affiliated with Mozilla.

IronFox is not sponsored or endorsed by Mozilla.

IronFox is not associated with DivestOS or Divested Computing Group in any manner.

Firefox source code is available at https://hg.mozilla.org.
