Release notes

These release notes are summaries of the most important changes for public releases.

v2025.10.10 Published 2025-10-10
This Basilisk release integrates all Pale Moon changes from 33.8.1 through 33.9.0.1, introducing major web platform improvements, enhanced standards compliance, Linux stability fixes, and multiple security patches. There may be changes in this release that are not documented.

Implemented CSS4 revert keyword and the clip keyword for overflow.
Implemented CSS axis-shorthand parsing of overflow, resolving unscrollable areas on some websites.
Implemented color-mix() (RGB and HSL color spaces).
Implemented @supports(selector(<complex selector>)) and CSS Cascade Layers via @layer.
Implemented clip-path:<geometry-box> usage without explicit paths.
Implemented overflow-inline and overflow-block properties.
Implemented :autofill and :focus-visible CSS pseudo-classes.
Implemented the prefers-reduced-motion media query.
Implemented a minimal visualViewport API.
Un-prefixed user-select, :read-only, and :read-write to align with the current CSS4 specification.
Improved parsing of X-Content-Type-Options: nosniff and corrected regressions from earlier updates.
Changed @import processing to follow order of appearance in stylesheets.
Aligned TypedArray constructors with the ECMAScript spec (invalid or undefined initializers now return empty arrays).
Improved multi-header Cache-Control parsing.
Address bar focus state now correctly resets when navigating to #fragment anchors.
Cookies without valid names are now rejected per RFC 6265; nameless cookies (beginning with =) are no longer accepted.
Added FFmpeg 7.0 / libavcodec 61 support for improved multimedia compatibility.
Fixed border-image sub-property update bug.
Fixed scrollbar-width inheritance handling.
Explicitly initialized fontconfig on Linux startup to fix missing font issues.
Fixed color-depth reporting inconsistencies on Linux.
Fixed VPX and ffvpx build issues on PowerPC and non-assembly architectures.
Fixed a memory safety issue in gradient color-stop handling.
Improved DevTools “Copy as cURL” reliability.
Adjusted CSP URI reporting and data-load restrictions for <object> elements to better follow modern web standards.
Fixed WebAssembly table size limit handling to align with other engines.
Fixed crashes and regressions introduced in prior <object> restriction code.
Fixed address bar dropdown highlight styling regression.
Numerous Defense-in-Depth and memory safety improvements across components.
Built on UXP commit: 545d52572d
Security issues addressed: CVE-2025-10536, CVE-2025-10533 (DiD), CVE-2025-9181, CVE-2025-8031, CVE-2025-8028 (DiD), CVE-2025-8037, CVE-2025-8029, and additional non-CVE fixes.

Implementation notes

overflow: clip now fully conforms to the CSS specification. Clipped overflow is hidden and unscrollable. If only one axis is specified, the other remains visible but cannot be scrolled.
clip-path:<geometry-box> can now be used without a path definition, resolving prior cases where blank content appeared.
visualViewport is minimally implemented for desktop environments: fixed (0,0) origin, root scrollframe dimensions, and scale factor = 1.0.
TypedArrays with invalid or undefined initializers no longer throw; they return a zero-length array instead.
Cookies: nameless cookies (starting with =) are now rejected outright. Cookies without an equals sign are interpreted as valueless named cookies, improving RFC compliance and preventing malformed cookie injection.

v2025.07.04 Published 2025-07-04
This is a major development, bugfix and security release.

Basilisk now includes all non-ubiquitous image and media types in the navigation Accept: header, as discussed in the relevant whatwg fetch spec issue.
Implemented .toJSON() for DOMRect, DOMPoint and DOMMatrix.
Added a base implementation of the SVGGeometryElement API. This is currently limited to .pathLength, getTotalLength() and getPointAtLength(distance)for SVG paths.
Added a base-64/character validity grammar check for CSP nonces.
Enabled JPEG-XL support unconditionally.
Improved desktop ARM media capabilities.
Improved our handling of CSP checks (multiple improvements surrounding loading principal checks).
Added several Mac-specific file types to be treated as executables.
Updated the emoji font to Unicode 16.0.0.
Updated SQLite library to 3.50.1.
Updated NSS to 3.90.7.1 to fix some issues with some sites due to prior root certificate updates.
Updated code dealing with internal URL rewrites for Youtube.
Changed the Firefox compatibility mode version to 128.
Changed how .click() on <A> elements is handled. See implementation notes.
Changed DOMMatrix's rotate() and rotateSelf() functions to accept 3D rotation instead of 2D, per spec.
Changed CSS parameter animation to round values instead of truncating them, per spec.
This affects all integer properties (e.g. z-order) and font-stretching.
Changed HTML element attribute parsing to additionally escape < and > characters, per spec.
Fixed a regression in XUL <tree> elements where column selection would omit the first-defined column.
Fixed a minor issue in DOMSVGPoint finity checks.
Fixed some minor platform issues and updated Mac SDK checks.
Fixed an issue when device contrast values would be unset in Mac or Windows+DirectWrite.
Fixed an issue in the "Copy as curl" feature which could potentially mangle URLs.
Fixed an issue with FontFaceSet loading.
Removed support for very old libavcodec versions (before v58).
Removed the CSP referrer directive as it's no longer in the spec.
Removed preloading of a number of media libraries on Windows. See implementation notes.
Removed the allowance of <A> in image maps. Only <area> is now supported.
Removed several obsolete and unused preferences from about:config.
Removed obsolete NPN preferences and calls. NPN has long since been replaced by ALPN.
Removed obsolete SVGZoomEvent interface and handlers.
Built on UXP commit: e52eaa961c
Security issues addressed: CVE-2025-6429, CVE-2025-6424 (DiD) and CVE-2025-6426.

Implementation notes

Normally, when a script issues a simulated click on an element, that click is issued on the document the element is in. Unfortunately there has been a perceived bug in mainstream browsers where this didn't happen on anchors (<A>, hyperlinks) and the browser would navigate even if that anchor was not actually in a web page document (i.e. just created as a reference in scripting). This was eventually made an accepted behaviour in the specification as an exception, describing this bug as expected behavior. Basilisk has now changed how it handles .click() events on anchors to follow this behavior. This primarily impacts some select "download button" behavior on the web where this behavior quirk for anchors is relied on.
Previously, Basilisk would preload a number of media .dll files into the browser, causing resource use even if there was no media to be decoded or played back in the browsing session yet. This was primarily done in inherited Mozilla code for EME to work. Since we don't support in-browser DRM, this preloading is wholly unnecessary and has been removed.

Old Releases

Old release notes from Basilisk Development Team releases can be found here.

Releases notes from releases by Moonchild Productions can be found here.