Basilisk Browser (64-bit)

What's new in this version:

Basilisk Browser 2022.11.04 (64-bit)
Fixed:
- a potential heap Use-After-Free risk in Expat
- potentially undefined behavior in our thread locking code
- a potentially exploitable crash in the refresh driver
- potentially undefined behavior when base-64 decoding

- Added detection suport for the newly-released MacOS 13 (Ventura)
- Implemented a texture size cap for WebGL to prevent potential issues with some graphics drivers
- Updated site-specific overrides to address issues with ZoHo
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable


Basilisk Browser 2022.09.28 (64-bit)
This is a major development, bugfix and security release:
- Note: The default serch engines have changed. Please verify that your configuration still uses your preferred search engine.
- Implemented .at(index) JavaScript method on built-in indexables (Array, String, TypedArray)
- Implemented the use of EventSource in workers
- Enabled the sending of the Origin: header by default on same-origin requests
- Changed how Basilisk is built. We have made build system changes to reduce build times and pressure on the linker on all platforms. Note that Basilisk is not yet built with Visual Studio 2022. This change will be done in the next release
- Changed how Basilisk handles standalone wave audio files (.wav). See implementation notes
- Improved string normalization
- Updated the handling of CSS "supports" to now accept unparenthesized strings (spec update)
- Updated the handling of flex containers in web pages for web compatibility
- Fixed various issues when building for Mac OS X
- Fixed various C++ standard conformance issues in the source code
- Fixed several issues building on SunOS and Linux with various configurations and gcc versions
- Fixed an issue with regular expressions' dotAll syntax and usage. See implementation notes
- Switched custom hash map to std::unordered_map where prudent
- Cleaned up and updated IPC thread locking code
- Removed spacing for accessibility focus rings in form controls to align styling of them with expected metrics
- Removed the unnecessary control module for building with non-standard configurations of the platform
- Removed the -moz prefix from min-content and max-content CSS keywords where it was still in use
- Updated the search engines included with Basilisk. Basilisk now includes the same search engines as Pale Moon
- Fix issue where PDF.js was completely broken in the previous release
- Fixed an important stability and performance issue related to hardware acceleration
- Implemented Global Privacy Control in the Basilisk settings
- Fix issue where the 32-bit Windows installer would not execute on 32-bit Windows systems
- Remove Mozilla related default bookmarks. Update default bookmarks
- Update compatmode override for Firefox to 102.0
- Update user agent overrides to improve compatibility with Facebook
- Security fixes: CVE-2022-40956 and CVE-2022-40958
- UXP Mozilla security patch summary: 2 fixed, 11 not applicable


Basilisk Browser 2022.08.06 (64-bit)
This is a major update:
- Very Important: This is the first public release from the Basilisk Development team. As such, the vendor name in the application has changed. This means the profile directory has changed. See here for more info. You will have to perform a manual update if you are currently running Basilisk 2022.01.27 as it was compiled without an updater.
Note: Many things have changed since 2022.01.27 and 2022.08.06. We've tried to note all changes here but it is very likely something was missed:
- Fixed several application crash scenarios
- Fixed a number of thread locking/mutex issues
- Fixed a leak of content types due to inconsistent error reporting
- Fixed an issue with iframe sandboxing not being properly applied
- Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet.
- Fixed an issue with drag-and-drop
- Fixed a potential crash due to truncated WAV files.
- Fixed a memory safety issue with XSLT
- Fixed a potential crash issue on bing.com.
- Fixed some thread locking issues
- Worked around a Mesa driver bug that could cause crashes
- Fixed a potential resource access issue in devtools
- Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD).
- Implemented Global Privacy Control, taking the place of the unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that you do not want them to share or sell your data.
- Implemented "optional chaining"
- Implemented setBaseAndExtent for text selections
- Implemented queueMicroTask() "pseudo-promise" callbacks
- Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect
- Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility
- Improved performance of parallel web workers in JavaScript
- Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
- Updated various in-tree libraries
- Added support for extended VPx codec strings in media delivery via MSE (RFC-6381).
- Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites.
- Fixed several crashes and stability issues
- Removed all Google SafeBrowsing/URLClassifier service code
- Restored Mac OS X code and buildability in the platform
- Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation
- Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems.
- Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users.
- Removed more Android/Fennec code (on-going effort to clean up our code).
- Removed the Marionette automated testing framework.
- Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number.
- Implemented "nullish coalescing operator" for web compatibility.
- Fixed various crash scenarios in XPCOM.
- Fixed an important stability and performance issue related to hardware acceleration.
- Fixed a long-standing issue where dynamic datalist updates forand similar elements wouldn't properly update the option list.
- Disabled broken links to MDN articles in developer tools.
- Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
- Enabled the date picker for. See implementation notes
- Re-enabled the use of FIPS mode for NSS. See implementation notes
- Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios
- Improved memory handling in the graphics subsystem of Goanna
- Updated FFvpx to v4.2.7
- Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites
- Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows
- Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes
- Improved the way data is transferred to and from canvases to prevent memory safety issues
- Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP)
- Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number
- Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows
- Fixed a potential issue with revoked site certificates when connecting through a proxy
- Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo
- Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number
- Implemented CSS white-space: break-spaces for web compatibility
- Implemented Intl.RelativeTimeFormat for web compatibility
- Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
- Implemented support for async generator methods in JavaScript
- Added preliminary support for building on Apple Silicon like M1/M2 SoC
- Added support for building with Visual Studio 2022
- Improved the handling of CSS "sticky" elements in tables
- Improved stack size limits on all platforms. See implementation notes.
- Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
- Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
- Updated many in-tree third-party libraries to pick up various performance and stability improvements
- Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe
- Removed some leftover (and unused) telemetry code in the platform and front-end
- Fixed an issue with VP9 video playback on Windows on some systems
- Fixed an issue with the add-ons manager not properly handling empty update URLs
- Fixed a major performance regression on *nix based systems due to incorrect thread handling
- Fixed volume handling when building with the sndio audio back-end
- Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler
- Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes
- Basilisk profile directory changed to reflect vendor change in application
- Restore ability to build Basilisk on Mac OS X
- Removal of telemetry code from Basilisk
- UXP Mozilla security patch summary: 11 fixed, 14 Did, 4 rejected, 91 not applicable


Basilisk Browser 2022.01.27 (64-bit)
- This is a security update
- Important: This is the final public release of Basilisk from the original developer. As such, it comes without an internal updater and will not check for future updates to the application.
- To remain updated and secure, it is recommended at this point that you look for a different web browser like Pale Moon to continue browsing in a safe and secure manner.
- Be mindful of hacks: There are currently no people eligible to continue Basilisk as a product under the Basilisk name. If you see any future updates claiming/pretending to be official Basilisk or an official continuation, they are most likely scams and should not be trusted with your browsing.
- Improved application library loading security
- Fixed an issue in JavaScript serialization
- Fixed a potential out-of-bounds issue in IndexedDB
- Fixed a potential issue in widget data handling code
- Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams
- Fixed an issue in the DOM FileReader code
- Updated NSS to 3.52.3 to address a security issue
- Updated the installer to fix a rights elevation issue
- Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.


Basilisk Browser 2021.12.13 (64-bit)
Security update:
- Added some extra sanity checks to timers and text fragments
- Added a potential crash safeguard in program threading logic
- Mozilla Security Patch Summary: 5 fixed, 3 DiD, 10 not applicable


Basilisk Browser 2021.11.14 (64-bit)
- Fixed overall browser bustage due to branch confusion and telemetry removal


Basilisk Browser 2021.09.27 (64-bit)
This is a development, bugfix and security update:
- Implemented promise.allSettled()
- Implemented global origin on windows and workers
- Improved performance of memory allocations
- Updated SQLite to 3.36.0
- Fixed several crashes
- Security issues addressed: CVE-2021-38492
- Mozilla Security Patch Summary: 1 fixed, 7 DiD, 22 not applicable


Basilisk Browser 2021.07.19 (64-bit)
Fixed and security update:
- Enabled brotli compression for http for sites that support it
- Implemented EventTarget as a constructor
- Updated Windows 10 toolkit styling
- Updated the port blacklist (removed 10080)
- CSS: Implemented calc() and animation support for stroke-dashoffset
- Added support for checking boolean preferences to chrome CSS style sheets, to support more advanced theming options
- Added support for dynamic dark color capable themes in CSS
- Updated ResizeObserver implementation to a more recent specification
- Removed a metric ton of Macintosh code
- Removed obsolete system theme support from the layout engine
- Fixed several crashes
- Linux: blocked particularly old versions of Mesa/Nouveau drivers due to issues
- Security issues addressed: CVE-2021-30547 and several other issues that don't have a CVE number
- Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD, 2 deferred (DiD), 12 not applicable


Basilisk Browser 2021.04.27 (64-bit)
Fixed and security updates:
- Enabled the scrollbar-width CSS keyword by default
- Removed unit restriction on SVG width and height attributes
- Implemented prefers-color-scheme CSS keyword (defaults to "light")
- Added CSS values smooth, high-quality and pixelated to the image-rendering keyword
- Implemented Intl.NumberFormat.formatToParts() to allow deconstruction of localized number formats by scripts
- Reinstated the dom.details_element.enabled preference and fixed a rendering issue with summary/details html elements
- Fixed an issue with CSP .nonce attributes on elements
- Added port restrictions for WebRTC PeerConnections to prevent network abuse through WebRTC connections
- Fixed an overflow in clip paths, potentially causing them to be rendered incorrectly
- Added a warning to opening from history if it would spawn many new tabs
- Fixed forcing an icon type image even for invalid icons in search plugins
- Security issues addressed: CVE-2021-23986, CVE-2021-23981 and defense-in-depth fixes for CVE-2021-29946, CVE-2021-23994, several crashes and potential document parser confusion
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 5 defense-in-depth, 21 not applicable


Basilisk Browser 2021.03.17 (64-bit)
- Changed the version of NSS to a custom build to address certificate import and (hopefully also) keygen issues
- Updated the embedded emoji font for Yet More Professions With All Skin Colors&tm;
- Updated the YouTube Studio useragent for compatibility


Basilisk Browser 2021.03.11 (64-bit)
- Added support for missing ES2019 JavaScript functions and specifications
- Folder uploads through input elements now require user interaction on Windows 10
- Mitigated a potential problem with history location/state change updates if used in rapid succession
- Updated various libraries for compatibility and security
- Security issues fixed: CVE-2021-23973, CVE-2021-23974
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 19 not applicable

Fixed:
- several memory safety hazards and potential browser crashes
- an issue with useragent updates
- a problem with WebCrypto failing to work properly with AES-GCM


Basilisk Browser 2021.02.06 (64-bit)
- Added a preference (browser.tabs.allowTabDetach) to control whether "tearing off" of tabs is allowed
- Updated some needed user-agent overrides for web compatibility with a few large sites
- Added support for the scrollbar-width CSS keyword
- Fixed a javascript performance issue
- Enabled several platform features by default for web compatibility
- Removed the use of in page content
- Fixed several memory safety hazards and potential browser crashes
- Security issues fixed: CVE-2021-23962, CVE-2021-23953 and ZDI-CAN-12197
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 6 defense-in-depth, 22 not applicable


Basilisk Browser 2021.01.05 (64-bit)
- This is a development and security update
- Fixed the display of dates and times to honor what the user has set in their regional settings
- Disabled the use of the legacy database format for stored passwords and certificates
- Worked around crashes and run-time issues with module scripts
- Moved the global user-agent override to the networking component. Please note that this may interfere with some "user agent spoofing" extensions
- Fixed a website layout issue with table-styled elements potentially overlapping when placed inside a flexbox
- Updated the list of prohibited ports the browser can use
- Updated NSS to 3.59.1
- Security issues fixed: CVE-2020-26978 and CVE-2020-35112
- Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 16 not applicable


Basilisk Browser 2020.11.25 (64-bit)
- Aligned CSS tab-size with the specification and un-prefixed it
- Updated Brotli library to 1.0.9
- Updated JAR lib code
- Cleaned up HPKP leftovers
- Disabled the DOM filesystem API by default
- Removed Phone Vibrator API
- Fixed an issue where the software uninstaller would not remove the program files it should
- Fixed a devtools crash related to timeline snapshots
- Fixed several data race conditions
- Security issues fixed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several memory safety hazards
- Unified XUL Platform Mozilla Security Patch Summary: 5 fixed, 4 defense-in-depth, 3 rejected, 19 not applicable


Basilisk Browser 2020.10.28 (64-bit)
- Change log not available for this version


Basilisk Browser 2020.10.05 (64-bit)
- Change log not available for this version


Basilisk Browser 2020.09.11 (64-bit)
- Updated JavaScript module loading in accordance with the spec for web compatibility
- Disabled a function related to WebComponents to prevent mis-detection
- Improved compatibility with websites that try to style standard form elements
- Updated the SQLite library to 3.33.0
- Changed media errors to be a more generic response, improving user privacy
- Improved code stability (fixed a number of crashes)
- Updated the NSS library for various connection security fixes
- Security issues addressed in this release: CVE-2020-15664, CVE-2020-15666, CVE-2020-15667, CVE-2020-15668 and CVE-2020-15669
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 1 defense-in-depth, 1 rejected, 9 not applicable


Basilisk Browser 2020.08.05 (64-bit)
- Change log not available for this version


Basilisk Browser 2020.06.10 (64-bit)
- Implemented URLSearchParams' sort() function
- Implemented ES2020 globalThis for web compatibility
- Implemented node.getRootNode() for web compatibility
- Improved our WebM media parser to be more tolerant to different encoding styles.
- Improved our MP3 media parser to be more tolerant to different encoding styles and particularly tiny files/stream chunks.
- Improved performance of table drawing for more corner cases
- Changed the way images without a src are handled in page layouts to align with the Chrome-pushed spec.
- Added modern MIPS support
- Split out the ICU data file from xul.dll on Windows
- Fixed a regression in WebAudio channel handling due to a landed security fix.
- Fixed a regression preventing scripting from properly disabling input controls
- Fixed an issue with border radius sometimes not being honored in tables
- Fixed some build issues in non-standard configurations.
- Removed more telemetry code
- Removed the in-browser speech recognition engine and API
- Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
- Changed handling of braille blanks in the ui (CVE-2020-12409)
- Mitigated a potential timing attack against DSA keys in NSS (CVE-2020-12399)
- Mitigated a potential use-after-free hazard in EME code.
- Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 7 not applicable


Basilisk Browser 2020.05.08 (64-bit)
- On-going work for implementing ShadowDOM v1, aligning the way DOM works as-needed
- On-going work for solving dependency issues in C++ throughout the entire tree
- Removed unused Contextual Identity Service
- Implemented URLSearchParams sort()
- Enabled DOM High resolution timestamps
- Removed support for obsolete NV 3DVision stereoscopic hardware
- Fixed a potential vulnerability in the zip file reader. DiD
- Fixed a potential vulnerability in the JavaScript JIT compiler related to aliases. DiD
- Ported several upstream devtools fixes (addresses CVE-2020-12392 and CVE-2020-12393)
- Ported upstream sctp fix (addresses CVE-2020-6831)
- Improved memory safety of come WebAudio calls
- Improved memory safety in the XUL window destructor. DiD
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 DiD (Defense-in-depth), 15 not applicable


Basilisk Browser 2020.04.17 (64-bit)
- This is a small compatibility update
- Enabled building of AV1 codec support (for real this time)


Basilisk Browser 2020.04.15 (64-bit)
- Changed site-specific overrides to use an operating system macro instead of hard-coding a version
- Changed the way hardware acceleration is set on various operating systems
- Fixed an incorrect preference preventing automatic updates by default
- Changed the geolocation service requests to https thanks to a generous service donation by IP-API.com
- Changed the security storage database type to SQLite
- Enabled AV1 support in all builds; this was erroneously not built in recent releases
- Fixed several potential crashes
- Re-imported the ExtensionStorage js module for use by browser extensions
- Removed the use of high-resolution Windows system timers from the layout refresh driver; this should help with some performance and battery life issues
- Fixed an issue with element outlines sometimes being drawn too large
- Fixed an issue with grid cell sizing
- Fixed an issue with layout frames (e.g. selection popups) being wrongly positioned
- Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine
- Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
- Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
- Updated our sctp library code with several upstream fixes
- Fixed an issue with the release of document content viewers (CVE-2020-6819). Defense-in-depth
- Fixed an issue with handling functions with rest parameters. Defense-in-depth
- Removed HTTP Public Key Pinning (HPKP)
- Removed HSTS preloading list support since these lists are no longer efficient


Basilisk Browser 2020.03.11 (64-bit)
- This is a small bugfix and compatibility update
- Cleaned up front-end code
- Fixed behavior for YouTube to prevent the deprecated interface being selected again


Basilisk Browser 2020.03.04 (64-bit)
This is a major development update:
- New modular setup for building: Basilisk has been split off from the UXP platform repository and will be maintained as its own application with UXP as a platform module
- Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
- Aligned document.open() with the overhauled specification
- Implemented promise-based media playback
- Enabled seeking to next frame in media files
- Improved table drawing performance again after the rewrite for sticky positioning making it slow
- Aligned the way DOM styles are computed with mainstream browser behavior
- Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers
- Implemented an NSS performance optimization for Master Password use with limited effect
- Implemented non-standard legacy CSSStyleSheet rules functions
- Implemented the html5 element. To switch this on, flip dom.dialog_element.enabled to true
- Implemented CustomElements v1. (preffed, not functional yet due to reliance on shadowDOM)
- Implemented rule processing stub for font-variation-settings
- Implemented optional catch binding (ES2019)
- Changed the way hardware acceleration is controlled from applications
- Updated CSP processing to allow custom scheme wildcards to be specified without a port
- Removed the (unused) DOM promise implementation
- Disabled some logging in production builds
- Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications
- Completely removed showModalDialog
- Performed various tree-wide code cleanups
- Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
- Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text
- Removed a bunch of Android support code
- Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice
- Fixed several crashes
- Fixed a parsing issue with tags
- Fixed an issue with form elements sometimes being incorrectly disabled
- Fixed a potential pointer issue issue in cubeb. (DiD)
- Fixed a crash due to ES6 modules (CVE-2020-9545)


Basilisk Browser 2020.02.18 (64-bit)
- Fixed an issue in CSP blocking requests without a port for custom schemes
- Fixed a potentially hazardous crash in layers
- Fixed random crashes on some sites using IndexedDB
- Changed the way the application can be invoked from the command-line to prevent a whole class of potential exploits involving modified omnijars
- Fixed an issue in the HTML parser after using HTML5 template tags, allowing JavaScript parsing and execution when it should not be allowed, risking XSS vulnerabilities on sites relying on correct operation of the browser. (CVE-2020-6798)
- Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 2 DiD, 10 not applicable


Basilisk Browser 2020.02.06 (64-bit)
- This is a small bugfix and compatibility update
- Backed out regular expression lookbehind code for causing crashes
- Fixed an issue where some poorly-implemented FTP servers could hang the browser
- Changed behavior for YouTube to prevent the deprecated interface being selected by default


Basilisk Browser 2020.01.12 (64-bit)
- This is a security, bugfix and development update
- Please note: from this release forward, windows archives are compressed with 7-zip, and Linux tarballs with xz
- Added sticky positioning feature to HTML table parts
- Removed the non-standard watch()/unwatch() debugging features. Some Firefox extensions will have to be updated to compensate for this
- Fixed retrieving of certificates in the certificate exception dialog
- Updated multiple third-party libraries, fixing numerous bugs
- Removed Adobe PrimeTime EME CDM support
- Enabled basic implementation of module type scripting
- Implemented additional JavaScript features (regex lookbehind, regex dot-all flag, regex .matchAll(), promise .finally())
- Disabled HPKP preload list and the HPKP feature by default
- Added support for Emoji 12 (Unicode 12.0)
- Updated NSS to 3.41.4 to address CVE-2019-11756 and CVE-2019-11745
- Security issues fixed: CVE-2019-17019, CVE-2019-17026, and several potentially exploitable crashes and memory safety hazards that don't have a CVE number
- Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 15 DiD, 28 not applicable


Basilisk Browser 2019.10.31 (64-bit)
- This is a security and bugfix update
- Updated timezone data for internationalization functions
- Fixed the option to use hardware acceleration over RDP for Windows 8.1 and 10
- Fixed an issue with inner window navigation potentially leaking
- Fixed a startup crash caused by Qihoo 360 Safeguard/360 Total Security
- Ported some expat parser fixes from upstream
- Ported several NSS upstream fixes to our build
- Aligned handling of U+0000 in the html5 parser with expectations
- Added size checks to WebGL data buffering
- Fixed build issues with newer glibc versions
- Fixed build issues for ARM targets
- Worked around a gcc9 compiler issue that would prevent building with it
- Security issues fixed: CVE-2019-15903, CVE-2019-11757, CVE-2019-11763 and several potentially exploitable crashes and memory safety hazards that don't have a CVE number
- Unified XUL Platform Mozilla Security Patch Summary: 6 fixed, 6 DiD, 1 rejected, 24 not applicable


Basilisk Browser 2019.09.12 (64-bit)
- Fixed an issue where saving a webpage to disk would sometimes drop tags from the document
- Fixed an issue with click-to-play plugin content throwing up a blank notification
- Fixed an issue in the renderer where region intersections would sometimes return the wrong result
- This fixes a regression caused by the fix for CVE-2016-5252
- Fixed security issues: CVE-2019-11744, CVE-2019-11752, CVE-2019-11737, CVE-2019-11746, CVE-2019-11750, CVE-2019-11747 and CVE-2019-11738
- Unified XUL Platform Mozilla Security Patch Summary: 7 fixed, 1 DiD, 1 already covered, 22 not applicable


Basilisk Browser 2019.09.03 (64-bit)
- Implemented JavaScript parser improvements and several TC39 spec revisions for web compatibility
- Improved performance of the JavaScript engine
- Added support for gzip-compressed SVG-in-Opentype fonts
- Updated internationalization code to support updated time zones and the Japanese Reiwa era
- Updated NSS to a custom version to have better encryption strength for master passwords
- Added several performance improvements to DOM, the rendering engine and the parser
- Improved general security of access to FTP-sourced resource
- Changed the way file access is handled from scripts to prevent cross-file access
- Fixed SVG alignment issues causing blurry display of SVGs
- Added support for Matroska media containers and AAC audio
- Fixed security issues: CVE-2019-11719, CVE-2019-11711, CVE-2019-11715, CVE-2019-11717, CVE-2019-11714 (DiD), CVE-2019-11729 (DiD), CVE-2019-11727 (DiD), CVE-2019-11730 (DiD), CVE-2019-11713 (DiD) and several networking and memory-safety hazards that do not have CVE numbers.
- Fixed several memory safety hazards and crashes


Basilisk Browser 2019.06.08 (64-bit)
- Removed unused code: contextual identity, crash reporter leftovers, SecurityUI telemetry, "enhanced" new tab tiles
- Updated the installer and internal updater
- Removed all Firefox Accounts code and replaced the Sync client for compatibility
- Implemented JavaScript parser improvements and the TC39 toString() revision proposal for web compatibility
- Improved handling of url() tokens in CSS to better handle incorrect syntax
- Updated the embedded emoji font for broader emoji coverage
- Fixed print failure for some web pages
- Fixed Linux XRender performance issues over remote connections (e.g. X2Go)
- Improved JavaScript engine performance: dead compartment collection
- Fixed an address bar focus issue in Private Browsing mode
- Improved rendering performance for certain websites (with complex event regions)
- Implemented several ECMAScript 2019 features (String trimStart/trimEnd, Array flat/flatMap, Symbol description
- Fixed security issues: CVE-2019-7317, CVE-2019-11701, CVE-2019-11698, CVE-2019-9817 (DiD), CVE-2019-11700, CVE-2019-11696 and CVE-2019-11693
- Fixed several memory safety hazards and crashes


Basilisk Browser 2019.03.27 (64-bit)
- Added several site-specific overrides for web compatibility
- Aligned http "Accept:" headers with the fetch spec, with the exception of image requests to continue allowing content negotiation
- Fixed potential denial-of-service issues involving FTP (loading of subresources and spamming errors)
- Aligned URLSearchParams with the spec
- Fixed a corner case for flexbox layouts, improving rendering of some websites
- Fixed Widevine compatibility issues
- Fixed security issues: CVE-2019-9791, CVE-2019-9792, CVE-2019-9796, CVE-2019-9801, CVE-2019-9793, CVE-2019-9794, CVE-2019-9808, CVE-2019-9790, CVE-2019-9797, CVE-2019-9804 and ZDI-CAN-8368
- Fixed several memory safety hazards and crashes
- Windows binaries are now code-signed again (including the setup program for the installer)


Basilisk Browser 2019.03.08 (64-bit)
- Changed location to allow an empty string set on search to clear URL parameters
- Removed WebExtension support from the platform
- Implemented the "origin-clean" algorithm for ImageBitmap
- Switched to using C++11 thread-safe statics in the entire application
- Fixed several Skia security vulnerabilities (CVE-2018-18356, CVE-2018-18335 and CVE-2019-5785)
- Fixed a crash due to frames in some uncommon situations
- Aligned textarea placeholder strings with the spec (preserve line breaks)
- Removed the Windows maintenance service code
- Improved http basic auth DOS protection heuristics
- Fixed arrows on some toolkit controls
- Added a Netflix site-specific override to fix Silverlight playback


Basilisk Browser 2019.02.11 (64-bit)
- Removed experimental WebExtension support from the browser
- Please check your add-ons; you may need to find alternatives for extensions that are no longer supported
- For background to this change, please see the following forum announcement
- Removed more telemetry code from the platform
- Finalized spec compliance of the IntersectionObserver API, and enabled it by default
- Related this, also fixed a number of browser crashes
- Switched to the new ffmpeg decode API to avoid dropping of frames
- Removed Mozilla-proprietary AudioContext constructor, improving spec compliance of WebAudio
- Aligned Element.ScrollIntoView() with the spec
- Fixed a buffering issue in the WebP decoder that caused intermittent browser crashes
- Changed the Add-on Manager to the same one used by Pale Moon, unifying add-on handling
- Note: Some extensions that modify/style the Add-on Manager will have to be updated to work with Basilisk 2019 versions as a result
- Improved resource-efficiency for internal stopwatch timers
- Improved handling of incorrectly-encoded CTTS in media files, resolving some playback issues of videos
- Updated SQLite lib to 3.26
- Improved the Cycle Collector and Garbage Collector
- Set the Incremental Garbage Collection time slice to 20 ms for more efficient JavaScript memory handling (regression fix)
- Improved fullscreen navigation bar handling in the situation it has focus when switching to full screen
- Aligned instanceof with the final ES6 spec
- Fixed a potential use-after-free in IndexedDB code
- Improved proxy handling to avoid localhost getting proxied
- Fixed several potentially-exploitable memory safety hazards and crashes
- Improved Windows DIB clipboard data handling


Basilisk Browser 2018.12.18 (64-bit)

- Added a preference (network.http.upgrade-insecure-requests) to allow disabling requests for opportunistic encryption
- Removed more telemetry code from the platform
- Added experimental support for the AV1 video codec for MP4 containers (disabled by default)
- Cleaned up some media handling code, removing obsolete components for older target platforms
- Ported all applicable security fixes from Gecko/64. Most of these fixes were merely defense-in-depth
- Fixed a crash when using http pipelining over some broken proxies
- Enhanced the WebP decoder to properly handle animated lossy and lossless WebP
- Removed VR hardware support (both display and input types) from the platform
- Updated the GMP update service URL to improve compatibility with DRM-encumbered media
- Removed support for Firefox Accounts and changed the Sync client to work with Sync 1.1 (Weave)
- The default server for using Sync is now the Pale Moon Sync server
- Please see this announcement on the forum for more details
- Updated NSPR to 4.20
- Updated NSS to 3.41, finalizing our platform support for TLS 1.3
- Fixed a spec compliance issue with the location.protocol setter


Basilisk Browser 2018.11.07 (64-bit)
- Fixed an issue that prevented the browser from starting properly on some systems after the most recent update


Basilisk Browser 2018.11.04 (64-bit)
- Removed more telemetry code from the platform
- Updated libnestegg from upstream
- Updated ffvpx library from upstream
- Web dev: Make all arguments to init*Event() optional except the first
- Ported all applicable security fixes from Gecko/63 and intermediate point releases
- Fixed an issue in session storage scripting that might prematurely throw an error and interrupt session restore
- Resolved an issue with long menus not scrolling if a submenu was open
- Cleaned up and updated some installer code
- Made caret width normal/thick behind CJK char configurable
- Fixed an issue with table border scaling at various zoom levels
- Updated handling of multimedia (on-going)
- Fixed a corner case behavioral issue when an Outlook-sourced mail message is dropped to the browser
- Removed the unfinished and disabled in-browser translation code
- Updated the Reader View components
- Added experimental AV1 support for WebM videos (disabled by default)
- Note: This is limited to WebM videos only at the moment, so it will not yet work on MP4 videos or MSE streaming (e.g. YouTube)
- Fixed an issue with CSS grid element sizing
- Updated sidebar conext menu behavior to be more in line with other browsers
- Fixed an issue where a separate content process could be launched despite e10s being disabled
- Disabled the reporting of CSS errors to the console by default to improve general performance


Basilisk Browser 2018.09.27 (64-bit)
- This is a development and security release
- Added support for local-ref URLs in SVG USE elements
- Reinstated part of the searchplugin API that was removed by Mozilla, improving compatibility with search-engine modifying extensions
- Improved compiler compatibility with GCC 8
- Ported all applicable security patches from Gecko/62
- Fixed wrong SVG sizes with non-integer values for viewBox width/height
- Fixed a performance regression when many workers are in use simultaneously
- Improved browser session restore speed by skipping unnecessary notifications
- Fixed a crash with http authentication
- Fixed a performance issue caused by rapid-fire timers due to value overflow
- Fixed an issue with launching executable files not working
- ixed an issue where sites allowed to store offline data could not be Fremoved from the permission list
- Fixed an issue with common dialog boxes having incorrect sizes for their content
- Fixed a regression: ICC v4 color profiles would not be honored
- Remove the blocking of binary components in extensions
- Added a preference to enable (experimental!) asynchronous panning and zooming on desktop
- Fixed a potential crash when using SOCKS
- Fixed a potential privacy issue in non-standard environments
- Fixed a memory leak when using SHA256 crypto