Firefox 148: AI Kill Switch, WebGPU in Service Workers, and Major Web API Additions
Mozilla's Firefox 148 ships a central AI control panel, new security APIs against XSS, WebGPU in Service Workers, and CSS anchor positioning — a significant release for both privacy-conscious users and web developers.
Mozilla released Firefox 148 on February 24, 2026, and it's one of the more developer-relevant browser updates in recent memory. The headline feature — a centralized AI control panel — may grab the attention of general users, but the underlying web platform additions are what makes this release worth paying close attention to if you build for the web.
The AI Kill Switch
As AI-powered browser features multiply (translations, chatbot sidebars, image descriptions, link previews), Firefox 148 introduces a dedicated "AI Control" settings page. Each feature can be individually set to one of three states:
- Available — visible and accessible to the user
- Enabled — activated via opt-in
- Blocked — completely hidden; any locally stored model data is deleted
Crucially, the global "Block AI improvements" toggle is enabled by default. This is a meaningful stance from Mozilla: AI features require explicit opt-in rather than opt-out. Supported chatbots include Anthropic Claude, ChatGPT, Microsoft Copilot, Google Gemini, and Mistral's Le Chat.
Settings persist across updates — a small but important detail, since previous browser AI experiments often reset preferences on major version bumps.
Mozilla has also decoupled remote browser configuration from telemetry. Users now receive feature flag updates without having to share usage data or participate in experimental studies — a privacy improvement that's easy to overlook but significant for enterprise and privacy-focused deployments.
WebGPU Arrives in Service Workers
For developers, the most technically impactful change may be WebGPU support in Service Workers. The GPU-accelerated graphics and compute interface is now available across all worker contexts, meaning computationally intensive workloads — machine learning inference, image processing, shared resource operations across tabs — can run in the background without blocking the main thread.
This brings Firefox in line with Chromium-based browsers and opens up architectures that were previously impossible without heavy workarounds.
Two New Security APIs: Trusted Types and Sanitizer
Firefox 148 ships two long-awaited security mechanisms that directly address Cross-Site Scripting (XSS) — still one of the most common web vulnerabilities.
Trusted Types API: Enforces that string inputs are transformed through a defined policy before reaching dangerous DOM sinks like innerHTML, eval, or document.write. Activated via a Content-Security-Policy header (require-trusted-types-for 'script'), it gives developers a declarative, enforceable way to prevent injection attacks rather than relying on ad-hoc sanitization.
Sanitizer API: Enables safe HTML manipulation through built-in methods — element.setHTML() and document.parseHTML(). These functions parse and clean HTML according to a configurable allowlist, potentially replacing third-party libraries like DOMPurify for common use cases. The API is now available in Firefox, Chrome, and Edge, making cross-browser adoption realistic.
Both APIs have been in the works for years. Having them in Firefox 148 means they're now broadly available — a green light for teams considering adoption.
JavaScript: Iterator.zip() and Iterator.zipKeyed()
From the Joint Iteration Proposal (TC39), Firefox 148 adds Iterator.zip() and Iterator.zipKeyed(). These methods combine multiple iterators into grouped tuples — similar to zip() in Python or Rust:
const nums = [1, 2, 3][Symbol.iterator]();
const letters = ['a', 'b', 'c'][Symbol.iterator]();
for (const [num, letter] of Iterator.zip(nums, letters)) {
console.log(num, letter); // 1 'a', 2 'b', 3 'c'
}
This is a welcome addition for functional-style code that works with streams, generators, or paired data structures.
CSS: Anchor Positioning and shape()
Two CSS additions round out the developer story:
position-try-order — Controls the priority order of fallback positions in CSS Anchor Positioning. When a positioned element would overflow the viewport, this property determines which fallback to try first. Useful for tooltips, dropdowns, and floating UI elements that need to stay in view.
shape() function — Allows defining freeform shapes for clip-path using CSS units rather than SVG path syntax. Unlike the existing path() function, shape() is responsive and works with relative units — making complex, viewport-responsive clip shapes practical without JavaScript.
Worth the Update
Firefox 148 is a release that benefits both ends of the spectrum: privacy-conscious users get explicit control over AI features with sensible defaults, and developers get a meaningful set of new primitives — WebGPU in workers, XSS prevention APIs, zip iterators, and responsive clip-path shapes.
The Trusted Types and Sanitizer APIs in particular are features the security community has been pushing for years. Their broad cross-browser support now makes them viable targets for adoption in production codebases.
Sources: