Release notes

These release notes are summaries of the most important changes for public releases.

v2019.03.08 Published 2019-03-08
This is a development and security release.

Changed location to allow an empty string set on search to clear URL parameters.
Removed WebExtension support from the platform.
Implemented the "origin-clean" algorithm for ImageBitmap.
Switched to using C++11 thread-safe statics in the entire application.
Fixed several Skia security vulnerabilities (CVE-2018-18356, CVE-2018-18335 and CVE-2019-5785).
Fixed a crash due to frames in some uncommon situations.
Aligned textarea placeholder strings with the spec (preserve line breaks).
Removed the Windows maintenance service code.
Improved http basic auth DOS protection heuristics.
Fixed arrows on some toolkit controls.
Added a Netflix site-specific override to fix Silverlight playback.

v2019.02.11 Published 2019-02-11
This is a development and security release.

Removed experimental WebExtension support from the browser.
Please check your add-ons; you may need to find alternatives for extensions that are no longer supported.
For background to this change, please see the following forum announcement.
Removed more telemetry code from the platform.
Finalized spec compliance of the IntersectionObserver API, and enabled it by default.
Related this, also fixed a number of browser crashes.
Switched to the new ffmpeg decode API to avoid dropping of frames.
Removed Mozilla-proprietary AudioContext constructor, improving spec compliance of WebAudio.
Aligned Element.ScrollIntoView() with the spec.
Fixed a buffering issue in the WebP decoder that caused intermittent browser crashes.
Changed the Add-on Manager to the same one used by Pale Moon, unifying add-on handling.
Note: Some extensions that modify/style the Add-on Manager will have to be updated to work with Basilisk 2019 versions as a result.
Improved resource-efficiency for internal stopwatch timers.
Improved handling of incorrectly-encoded CTTS in media files, resolving some playback issues of videos.
Updated SQLite lib to 3.26.
Improved the Cycle Collector and Garbage Collector.
Set the Incremental Garbage Collection time slice to 20 ms for more efficient JavaScript memory handling (regression fix).
Improved fullscreen navigation bar handling in the situation it has focus when switching to full screen.
Aligned instanceof with the final ES6 spec.
Fixed a potential use-after-free in IndexedDB code. (DiD)
Improved proxy handling to avoid localhost getting proxied. (CVE-2018-18506)
Fixed several potentially-exploitable memory safety hazards and crashes. (DiD)
Improved Windows DIB clipboard data handling.

v2018.12.18 Published 2018-12-18
This is a development and security release.

Added a preference (network.http.upgrade-insecure-requests) to allow disabling requests for opportunistic encryption.
Removed more telemetry code from the platform.
Added experimental support for the AV1 video codec for MP4 containers (disabled by default).
Cleaned up some media handling code, removing obsolete components for older target platforms.
Ported all applicable security fixes from Gecko/64. Most of these fixes were merely defense-in-depth.
Fixed a crash when using http pipelining over some broken proxies.
Enhanced the WebP decoder to properly handle animated lossy and lossless WebP.
Removed VR hardware support (both display and input types) from the platform.
Updated the GMP update service URL to improve compatibility with DRM-encumbered media.
Removed support for Firefox Accounts and changed the Sync client to work with Sync 1.1 (Weave).
The default server for using Sync is now the Pale Moon Sync server.
Please see this announcement on the forum for more details.
Updated NSPR to 4.20.
Updated NSS to 3.41, finalizing our platform support for TLS 1.3.
Fixed a spec compliance issue with the location.protocol setter.

v2018.11.07 Published 2018-11-07
This is a bugfix release.

Fixed an issue that prevented the browser from starting properly on some systems after the most recent update.

v2018.11.04 Published 2018-11-04
This is a development and security release.

Removed more telemetry code from the platform.
Updated libnestegg from upstream.
Updated ffvpx library from upstream.
Web dev: Make all arguments to init*Event() optional except the first.
Ported all applicable security fixes from Gecko/63 and intermediate point releases.
Fixed an issue in session storage scripting that might prematurely throw an error and interrupt session restore.
Resolved an issue with long menus not scrolling if a submenu was open.
Cleaned up and updated some installer code.
Made caret width normal/thick behind CJK char configurable.
Fixed an issue with table border scaling at various zoom levels.
Updated handling of multimedia (on-going).
Fixed a corner case behavioral issue when an Outlook-sourced mail message is dropped to the browser.
Removed the unfinished and disabled in-browser translation code.
Updated the Reader View components.
Added experimental AV1 support for WebM videos (disabled by default).
Note: This is limited to WebM videos only at the moment, so it will not yet work on MP4 videos or MSE streaming (e.g. YouTube).
Fixed an issue with CSS grid element sizing.
Updated sidebar context menu behavior to be more in line with other browsers.
Fixed an issue where a separate content process could be launched despite e10s being disabled.
Disabled the reporting of CSS errors to the console by default to improve general performance.

v2018.09.27 Published 2018-09-28
This is a development and security release.

Added support for local-ref URLs in SVG USE elements.
Reinstated part of the searchplugin API that was removed by Mozilla, improving compatibility with search-engine modifying extensions.
Improved compiler compatibility with GCC 8.
Ported all applicable security patches from Gecko/62.
Fixed wrong SVG sizes with non-integer values for viewBox width/height.
Fixed a performance regression when many workers are in use simultaneously.
Improved browser session restore speed by skipping unnecessary notifications.
Fixed a crash with http authentication.
Fixed a performance issue caused by rapid-fire timers due to value overflow.
Fixed an issue with launching executable files not working.
Fixed an issue where sites allowed to store offline data could not be removed from the permission list.
Fixed an issue with common dialog boxes having incorrect sizes for their content.
Fixed a regression: ICC v4 color profiles would not be honored.
Remove the blocking of binary components in extensions.
Added a preference to enable (experimental!) asynchronous panning and zooming on desktop.
Fixed a potential crash when using SOCKS.
Fixed a potential privacy issue in non-standard environments. (CVE-2017-7797)
Fixed a memory leak when using SHA256 crypto.

v2018.09.05 Published 2018-09-05
This is a development release.

Added new DataTransfer constructor (spec compliance).
Aligned CSS layout flex grid with latest spec.
Made the MP4 reader less sensitive to corrupt data.
Improved media handling (ongoing).
Updated NSPR/NSS and enabled the use of latest draft TLS 1.3.
Changed the way network/cert errors are handled and displayed.
Fixed an ANGLE rendering issue (WebGL2 crash fix).
Added support for sbgp and sgpd boxes in EME.
Fixed "sticky" menus in High Contrast themes.
Updated zlib to 1.2.11.
Enabled Direct3D9 accelerated layers as a fallback if Direct3D11 can't be used.
Tuned the network stack for efficiency.
Fixed a number of performance issues with the browser.
Improved Mac OS X theming (unreleased).
Improved compatibility with GCC 8.
Reinstated RC4 and 3DES as weak cyphers as an option to enable use in non-standard environments (not enabled for the web by default).
Removed most telemetry calling code from C++ and the JS TelemetryStopwatch. This prevents most data gathering and improves performance.
Added an option (browser.newtabpage.add_to_session_history) to decide whether to store "about:newtab" in the session history for workflows of people wanting to use the back button to return to the QuickDial page.
Added an option (ui.menu.allow_content_scroll) to override the OS convention to prevent scrolling of content when contextual menus are open.
Added a horizontal scroll action option for mouse wheel.

v2018.07.18 Published 2018-07-18
This is a development and security release. We're only highlighting the most pertinent changes this time, since there have been over 450 of them.

Fixed an issue where windows would not be restored to their proper place if using custom device pixel ratios.
Removed the whole UITour system.
Removed the use of Disconnect if SafeBrowsing isn't built.
Updated the Readability/Reader View components.
Updated Cookie gating to be more strict.
Updated NSPR/NSS and enabled the use of TLS 1.3 by default.
Reinstated string.prototype.contains for compatibility (alias for .includes).
Updated kiss-fft to v1.4.0 (fork).
Fixed a serious memory leak in the WebP image decoder.
Fixed compatibility issues with Youtube Live, .
Improved legibility of fonts at certain scale levels on Windows.
Fixed Firefox-inherited SSL status ambiguity. SSLStatus.CipherName now actually displays the name. The full suite is still available in the (new) property CipherSuite.
Fixed some incorrect CSP handling.
Prohibited web access to the moz-icon:// scheme to solve privacy issues with it.
Fixed crash hazards in the editor.
Removed SSL error reporting telemetry.
Updated libwebp image decoder library to 1.0.0 + sec fixes.
Made it possible for UXP applications to run within a chrooted environment (provided it's compiled against glibc)
Ported several controlling preferences from Pale Moon (prompts.tab_modal.focusSwitch, browser.cache.backend, etc.)
Fixed security issues: CVE-2018-12363, CVE-2018-12366, CVE-2018-12364, CVE-2018-12359, CVE-2018-12367, and CVE-2018-12360.
Fixed a number of security, stability and memory safety hazards that did not have CVE numbers at the time of implementation.

v2018.06.01 Published 2018-06-01
This is a development and security release.

Updated our strings for soft-blocked items so people will cry less when we do our job and warn about known-problematic add-ons.
Fixed a regression in site-specific user-agent overrides that would prevent proper application on subdomains.
Improved the reader view API.
Removed more dead code from our tree (crashreporter components, gonk).
Removed DMD code.
Removed jprof profiler code.
Removed the SPS profiler.
Slimmed down IPC (ongoing).
Removed the Social API code.
Fixed some media back-end crashes and instabilities.
Updated the fetch API to be more web-compatible.
Limited maximum accepted image sizes for PNG images to prevent abuse/browser DoS.
Blocking of top-level data: navigations is now enabled by default.
Fixed security issues: CVE-2017-0381, CVE-2018-5174, CVE-2018-5155, CVE-2018-5173, CVE-2018-5177, CVE-2018-5159, CVE-2018-5167, CVE-2018-5154 and CVE-2018-5178.
Fixed a number of stability and memory safety hazards that do not have CVE numbers.

v2018.05.15 Published 2018-05-15
This is a development release.

Updated FFvpx lib to latest upstream.
Improved the memory allocator for multi-core and modern O.S. use.
Improved thread locking (mutexes).
Added support for FFmpeg 4.0/libavcodec 58.
Added some fixes for the performance timer API.
Improved consistency of color emoji display.
Fixed vertical lines in tabs on higher DPI screens.
Improved full-screen control animation.
Ported security and stability fixes from Mozilla.
Reinstated the use of xrender for proper Linux X11 performance.
Fixed unsafe "instanceof" negations.
Removed the e10s sandbox.
Removed dead widget code.
Removed legacy non-ICU Intl code.

v2018.04.27 Published 2018-04-27
This is a bugfix release.

Fixed an issue with the master password that could make the password store become inaccessible.
Clarified button labels in the password manager and cookie permissions manager.

v2018.04.26 Published 2018-04-26
This is a bugfix release.

Added blocking of top-level data: URLs.
Fixed several issues with docshell loads.
Resolved issues with application.ini not allowing non-mcp applications to be official and have their own vendor.
Regression fix: WebExtensions - commands API does not support shortcuts with space or numbers.
Regression fix: Set a sandboxName on the WebExtensions Content Script sandboxes.
Regression fix: (Windows) Security - Certificate Stores - NSSCertDBTrustDomain allows end-entities to be their own trust anchors.
Regression fix: Re-implemented several improvements for pointer events.
Regression fix: DOM - Fix incorrect TypeError: Response body is given with a null body status.
Re-introduced some site-specific overrides that were erroneously removed (fixes e.g. dailymotion).
Regression fix: Optimize operations on roots of deeply-nested frame trees (layout performance).
Tweaked fullscreen API settings (add unprefixed API calls, remove too-long duration black fade).
Removed Google Safebrowsing selections from preferences by default (it's disabled).
Reverted the incomplete addition of the pluralforms Intl API as it caused problems.
Fixed content permissions (e.g. cookies) access and storage.
Reverted NSS 3.35 to 3.32.1 for instability problems similar to Pale Moon.
TLS 1.3 has been disabled by default along with this change to not attempt to use a draft standard.

v2018.04.24 Published 2018-04-24
This is the first release on the re-forked and re-based UXP. Regressions are possible as a result. Please do let us know if you find something that regressed.

New release based on UXP (take 2) which is an earlier Mozilla fork-point.
Updated Javascript to fully cover ES6 and a good portion of the later specs.
Implemented (in ongoing fashion) additional spec compliance patches for HTML, DOM and various other standards.
Includes all previous security fixes.

v2018.03.21 Published 2018-03-21
This is a maintenance release.

Fixed CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList.
Fixed CVE-2018-5129: Out-of-bounds write with malformed IPC messages.
Fixed CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption.
Fixed CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources.
Fixed CVE-2018-5144: Integer overflow during Unicode conversion.
Fixed CVE-2018-5125: Memory safety bugs.
Fixed CVE-2018-5145: Memory safety bugs.
Fixed CVE-2018-5137: Path traversal on chrome:// URLs.

v2018.02.14 Published 2018-02-15
After this release, the current Basilisk will be in maintenance mode as we work on a re-forked UXP.

Restored source-editor commands for scratchpad and style editor menus.
Removed a bunch of Rust cruft.
Moved a number of flow decisions from run-time to build-time to slim the browser down.
Removed redundant Vista checks.
Removed unused crash reporter conditional code.
Enabled blocking of top-level data: URI navigations by default. If you need this functionality as a developer, flip security.data_uri.block_toplevel_data_uri_navigations. Note that this does not block manually entered data: URIs, only navigation to it from the browser.
Added the status line (response) to raw header display.
Removed b2g code.
WebExtensions: Content Script sandboxes will now have their sandboxName set.
Added an option to remove all session cookies for a specific domain.
Added a number of devtools improvements.
Fixed a number of crashes and instabilities in the browser.

v2018.02.02 Published 2018-02-02

Fixed border and caret widths for natural rounding.
Mitigated Meltdown/Spectre hazards.
Removed b2g code.
Fixed issues with ID-less web extensions and incorrect warnings in the add-on manager.
Removed unused internal extensions and components.
Fixed source editor controller commands.
Fixed X-Frame-Options sameorigin check to check all ancestors.
Fixed "sticky" menu colors in special accessibility ("high contrast") system themes.
Made XDR decoding more robust, fixing a good handful of JavaScript engine crashes.
Fixed security issues: CVE-2018-5099, CVE-2018-5093, CVE-2018-5113, CVE-2018-5095, CVE-2018-5098, CVE-2018-5111, CVE-2018-5109, CVE-2018-5122, CVE-2018-5091, CVE-2018-5097, CVE-2018-5102, CVE-2018-5104, and multiple potentially exploitable crashes and vulnerabilities that do not have a CVE assigned to them.

v2018.01.05 Published 2018-01-05

Fixed potential registry name collisions on Windows for file types and protocols.
Renamed Options to Preferences (Windows) and moved Preferences to the Tools menu (Linux).
Switched off automatic form filling of login credentials and added a preference to control this.
Completely removed the "Mozilla Settings Service" and "Blocklist service" client.
Fixed a margin issue for the navigation bar.
Adjusted the performance-timing resolution to prevent timing-based hardware-specific attacks ("Meltdown"/"Spectre").
Limited the number of shared Array Buffers for normal JS code to prevent allocation issues.
Disabled shared JS memory for the time being to make doubly-sure it can't be abused while "Spectre" is investigated further.

v2017.12.28 Published 2017-12-28

Fixed several compatibility issues with WebExtensions.
Disabled Mozilla's "system add-ons" service, which would allow Mozilla to remotely install add-ons.
Disabled Mozilla's "system settings" service, which would allow Mozilla to remotely change settings or block add-ons.
Updated SQLite lib to 3.21.0.
Added an option to block top-level data: URIs.
Removed referrers when opening links in new private windows.
Updated license and rights pages.
Changed the Feedback link to point to the forum instead of Mozilla.
Fixed an issue with exportFunction().
Fixed/enabled the use of Firefox Sync (Firefox Accounts).
Restored the toolkit Error Console for application troubleshooting.
Added '-jsconsole' and '-browserconsole' command-line arguments for launching of either console on startup.
Removed what was left of the underused Social API.
Changed the way element border rounding is done in Goanna to have natural rounding up/down of fractional sizes (IEEE 754).
Fixed a potential leak involving IndexedDB and private browsing mode.
Fixed a crash in ANGLE.

v2017.12.03 Published 2017-12-03

Linux-only update to fix a release channel/update problem.

v2017.11.30/v2017.12.01 Published 2017-12-01

Fixed add-on/GMP update calls to Mozilla services.
Enabled accessibility features.
Enabled parental Controls features (Windows only).
Changed blocklist hosting to self-hosted.
Removed leveraging the blocklist for CRL purposes.
Included the Universal Runtime Libraries with the browser.
No longer enforcing the "preferred" cipher suite profile on Http/2.
Added support for the worker-src CSP directive.
Fixed freetype glyph metrics in Skia (fixes Freetype 2.8.1+ issues).
Fixed an issue with ContentSecurityManager not passing the correct context.
Fixed a number of issues with Contenteditable elements.
Fixed a number of issues with pointer events.
Implemented "cookie-averse document objects" to mitigate cookie injection.
Fixed an issue with SVG text-based image masks.
Fixed the installer checking for Firefox instead of Basilisk.
Enabled the use of 64-bit plug-ins other than Flash and Silverlight.
Made the SVG texture cache more lenient to large-resolution SVG images.
Fixed several crashes and memory safety hazards.
Fixed several security bugs: CVE-2017-7837, CVE-2017-7832, CVE-2017-7830, CVE-2017-7835, CVE-2017-7831, CVE-2017-7838, CVE-2017-7839, CVE-2017-7828, CVE-2017-7840, and several others from Firefox 57 that do not have a CVE designation.

v2017.11.12/13 Published 2017-11-17

Initial release of Basilisk to the public.