|Tags||c gecko firefox web browser xul|
27.1.1 22 Feb 2017 14:05 minor feature: This is a stability and bugfix update to the browser. Changes/fixes: Implemented a fix in media handling to prevent crashes with concurrent videos and/or rapidly starting/stopping video playback in the browser. Fixed the way the Adobe Flash plugin is detected to prevent confusion with other plugins that identify themselves as "Flash" (e.g. VLC). Windows: Solved stability issues caused by the release build process, resulting in unexpected behavior (e.g. hangups).
27.1.0 10 Feb 2017 03:17 minor feature: This is a major update with lots of development and bugfixes. It also introduces the so-called "PMkit" modules, our effort to restore compatibility with Jetpack/SDK extensions and making it possible for extension developers to convert their SDK extensions with little effort to a Pale Moon compatible format. For more details please check the PMkit documentation on the developer wiki. Changes/fixes: Reworked the media back-end completely to use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer relying on gstreamer on Linux, as well as adding some improvements on Windows for media parsing and playing. On Linux, Apple .mov files of the correct type will also be played through FFmpeg now, for those rare occasions where they are still in use, considering there is no Quicktime plug-in available on that operating system. Restored the classic about:config styling. Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails. Improved cross-compartment wrapper handling when managing a large number of tabs. Changed the way audio and video synchronization is calculated to account for (slow) device latency, preventing things from getting out of sync on e.g. Bluetooth-connected speakers. Changed the way scripts are handled when they are stopped from the "unresponsive script" dialog, to prevent browser lockup. We will now stop all scripts in the affected compartment in one go. Fixed several errors in the devtools. Fixed a nasty crash caused by cross-origin referrers. Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again. Added HTML5-spec clipboard handling for content (cut & copy only -- paste is not allowed for security reasons). Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions. This should make running SDK-based modules as PMkit extensions fairly simple for extension developers. See the introductory text to these release notes.
Fixed a css layout issue: make max-width affect cont
27.0.3 17 Dec 2016 14:25 minor feature: This is a bugfix and security update. Changes/fixes: Fixed certain network errors not displaying. Fixed network error page styling. Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations). Disabled downloadable font unicode-ranges on non-Windows platforms. Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is). Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions that rely on this (e.g. Stylish). Fixed and updated preferences for location bar suggestions. Fixed several x64-specific issues in memory allocation code (regression). Fixed timer issues when resuming a computer from stand-by (regression). Fixed a number of branding and textual issues in the browser. Fixed prompting for the saving of off-line data (previously always allowed without prompting). Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance. Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install. Security-related and crash fixes: Fixed a use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899). Fixed a CSP bypass using the marquee tag (CVE-2016-9895). Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD. Fixed a use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898). Fixed an error in the buffer logic in http-chunked decoder. Fixed a crash in generational GC code (not in use by default). DiD. Fixed a compartment mismatch in plug-in code. Fixed a crash trying to get a nonexistent property. Improved MediaRecorder's observer safety. Fixed a crash related to document history. DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pa
27.0.2 04 Dec 2016 00:05 minor feature: This is a minor update to address usability and security issues: Enabled Firefox Compatibility mode by default for the useragent string. Unfortunately too many websites (and especially the big players who should know better like Google, Apple and Microsoft) still require the "we must pretend to be Firefox if we want this site to work" status quo to be maintained, because people still insist on using useragent sniffing to determine "browser features", or even worse, discriminate against free choice of browser by flat-out refusing service (I'm looking at you, banking industry and cloud services!) when visiting websites just because companies don't want to provide assistance to any but users on the main 3. HTML offers plenty of ways to do proper feature detection; site owners should use them. Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016. The built-in devtools are back, and with a facelift! Thanks to some consistent community help, the built-in devtools, sorely missed by a number of our users, are back. They've received a code and style update and should be fully functional on the new platform. This was originally planned for 27.1, but it was decided to include this as soon as possible, not in the least to assist extension developers in their efforts to adapt to Pale Moon 27. Security fix: Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.
27.0.1 29 Nov 2016 22:45 minor feature: This is a bugfix release for some of the issues that popped up with the new milestone. Changes/fixes: Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code. This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior. Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites. Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment). Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile. Worked around bad Netflix interface changes - it will now use a more compatible web UI. Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected). Aligned base status bar colors with default prefs. Fixed status bar options not being remembered. Added an override for Amazon Prime videos so they won't stop us at the front door any longer when not using the Firefox Compatibility user agent mode. Re-applied proper branding text to in-app licensing.
27.0.0 24 Nov 2016 06:05 minor feature:
26.5.0 29 Sep 2016 16:45 minor feature: Changes: Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed. Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur). Improved the performance of canvas poisoning by explicitly parallelizing it. Security fixes: Fixed a potentially exploitable crash related to text writing direction (CVE-2016-5280). Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues. Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD. Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD. Fixed several memory safety issues and crashes. DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
26.4.1 13 Sep 2016 03:16 minor feature: This is a minor bugfix and security release. Changes/fixes: Fixed a crash in the XSS filter. Slightly changed the address bar shading on secure sites to be more subtle and easily-blended. Fixed the occurrence of "null" titles in bookmarks dragged from special folders. Fixed an error initializing the browser due to trying to restore scratchpad data from a stored session when having switched from a version with devtools to a version without devtools, and the previous version had scratchpad data saved. Fixed some minor issues in scratchpad and gcli devtools. Security fixes: Updated the HSTS preload list to a much more updated source list, and performing our own checks on validity from now on to have the list be as accurate as possible. Disabled Triple-DES cipher suites by default (mitigating SWEET32). Portable-only: Changed the behavior to, by default, allow it to start a new copy or multiple copies without checking if Pale Moon is already running on the system. You will need separate profiles to run multiple browsers concurrently.
26.4.0 18 Aug 2016 19:25 minor feature: Changes/fixes: Removed Google Search as a bundled search provider. If desired, you can manually install it (or other search engines) after the update by following the steps in the Manage Search Engines topic. Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy. Added the ES6 string.includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3. Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with html5 graphs being displayed incorrectly. Linux: improved memory allocation. Updated the graphite font library to 1.3.9. Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes. Updated the SQLite library to 3.13.0. Download= properties of links are now honored from the context menu "Save" option. Fixed a crash in the XSS filter. Fixed a crash in the DOM error module. Worked around a crash on Linux. Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment). Security fixes: (CVE-2016-5251) Potential URL spoofing in the address bar. (CVE-2016-0718) Context-dependent crash in expat 2.1.0. (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered. Potentially exploitable crash in the array splice implementation. Potentially exploitable crash caused by badly formatted ICO files. (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown.
26.3.3 02 Jul 2016 03:15 minor feature: Another small update to address some breaking issues. Sorry for the rapid-fire releases, everyone; this is not our intention. Changes/fixes: Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable). Fixed an issue with news feeds not showing up when embedded in web pages. Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main google.com page and phpMyAdmin installations.
26.3.1 26 Jun 2016 03:15 minor feature: Changes/fixes: Fixed an issue with new tab button theming on dark toolbars. Reverted the useragent identification of Firefox Compatibility mode to 38.9 to avoid WOFF2 font issues for sites that don't use proper font deployment as recommended by the W3C. Added a site-specific override for Google fonts to make sure it always works even if not using Firefox compatibility mode (workaround pending for a proper solution on Google's side). Adjusted the "dark color" detection routine to switch text to white at higher relative contrast levels. This will more closely match Windows 10's "flip point" for different accent colors and is within the recommended range determined by the WCAG.
26.3.0 22 Jun 2016 03:15 minor feature: Changes/fixes: Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity. HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume. Default HTML5 media volume preference added as media.default_volume -- fractional, default 1.0 (=100%). String.prototype.match() and .replace() are now fully spec compliant. NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code. Worked around crashes in the XSS filter when navigating back in history due to document fragments. Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines. Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL. Security fixes: Fixed a number of memory safety hazards and potentially exploitable crashes. Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class. Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL. Fixed a memory overrun error in the VP8 encoder. DiD. Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD. Fixed CVE-2016-2825 Partial Same Origin Policy violation. DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
26.2.1 10 Apr 2016 03:26 minor feature: This is a small update to fix a problem with keyboard navigation of the user interface.
26.2.0 07 Apr 2016 00:45 minor feature: This is a major update and bugfix release. Changes: Implemented the URL API that's needed for a number of websites. Changed internal keystroke handling within the spec to better align with generally expected behavior. This should fix the infamous "backspace" issue on Facebook. Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing. Linux: gstreamer 1.0 support has been implemented and enabled by default (hats off to Travis!). From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported). Re-styled about:sessionrestore to use more available screen real estate for tab info. Added an option to use the mousewheel for horizontal scrolling (mouse action value 4) (e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally). Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons. Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages. Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us. Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly). Fixed several issues with the default theme causing problems with behavior due to styling (and friends). Fixed some miscellaneous issues in the internal jemalloc implementation. Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now). Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings. Fixed layout of reflowed comboboxes without enough space. Fixed a crash related to flexboxes overflowing themselves. ().
Added a simple implementation for Weak Messagelisteners. (). Fixed a crash for
26.1.1 25 Feb 2016 03:15 minor feature: This is a bugfix release to improve stability and extension compatibility. Changes/fixes: Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions. Changed memory handling to (hopefully) address the memory inflation some people have experienced with 26.1.0. Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.
26.1.0 17 Feb 2016 03:15 minor feature: This is a web compatibility, stability and bugfix release. Changes/fixes: Disabled our ES6 Promise implementation introduced in 26.0, since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward. Improved website compatibility with many sites and web applications by making our cookie gate less strict. Fixed web compatibility with Google Hangouts and Yahoo Calendar. Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media. Fixed a few rare crashing issues on Windows due to the build process. Reduced so-called "jank" on inner frame scrolling reflows. Extension compatibility: partial implementation of Firefox 26 download. js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!). Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc. Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!).
Updated the default theme to tweak/improve it some more (Thanks, Antonius32!) Security fixes: Updated the Graphi
26.0.3 08 Feb 2016 03:16 minor feature: This is a small bugfix release: Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility. Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior. Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported.
26.0.0 27 Jan 2016 03:15 minor feature: This is a new milestone release! It's been in the works for a good number of months, and has many hundreds of notable changes, fixes, and improvements that can't possibly all be listed here. These release notes for this version are a concise summary, lifting out the most prominent and important changes. You may find slightly more detailed release notes on the forum. General release notes: Pale Moon is now building on the new Goanna engine instead of Gecko. Although relatives in terms of web technology, they are not the same under the hood and any reports of issues with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the issue and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum. We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should more than cover the common languages spoken around the globe. You will need to update your language packs! Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway. Fixes/changes: The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas. The brow
25.8.1 29 Nov 2015 03:15 minor feature: A small update to address two important issues: Fix for a crash that could occur at random since the update to 25.8.0. Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.
25.7.3 15 Oct 2015 03:15 minor feature: This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser. Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.
25.7.2 03 Oct 2015 03:15 minor feature: This is a stability update, addressing 2 critical hangs: Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed. Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.
25.7.1 29 Sep 2015 03:15 minor feature: This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities. Fixes/changes: Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions. Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface). Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football). Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup). Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary. Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers). Updated libnestegg to the most current version. Fixed an issue where setting the location to an empty string could cause a reload loop. Security fixes: Changed the jemalloc poison address to something that is not a NOP-slide. DiD. Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521). Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179). Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175). Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504).
Fixed an HTMLVideoElement Use-After-Free Remote
25.6.0 28 Jul 2015 03:15 minor feature: This release addresses some security issues and a range of usability improvements to the browser. Fixes/changes: Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data. Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled. Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change. The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false. Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off. Added the option to use chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming. Added a count for the number of matches in the find bar. It will now list the total number of matches fou
25.5.0 11 Jun 2015 08:25 minor bugfix: Logjam fix: Refuse DHE keys with less than 1024 key bits. Search plugin updates to re-enable Google suggestions and reduce tracking. Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override. Fixed a crash during WebGL Conformance Tests for undefined indices. HSTS preload list updates. Status bar locale addition: cs. Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin). Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync). Disabled the Sync promo box in doorhangers. Updated libpng to version 1.5.22. Fixed support for builds using newer freetype on Linux. (Axiomatic). Fixed --with-system-pixman builds. (Isaac Dunham). Updated SQLite to version 22.214.171.124. Changed the after-upgrade page loaded to the release notes instead of the home page. (and hoping people actually do take a moment to read them, preventing unnecessary support requests). Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis). Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites. Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script). Reorganized how pushed floats are handled in layout flow. Implemented a change to run the updater from the install directory instead of copying it. Fixed transparency of the Pale Moon document icon for 256x256. Updated padlock code: - Added mixed-mode shading, and reorganized shading pref values more logically. Updated NSPR to 4.10.8. Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes.
Bumped the built-in site-specific UA compat mode overrides to v38. Fixed a compressed-cache crash due to