Old Release notes
These release notes are summaries of the most important changes for public releases.
Published 2024-08-16
This is a major development, bugfix, stability and security release.
- Added a context menu item when right-clicking a tab to duplicate the tab.
- Fixed issues with automated version numbers when building Basilisk on platforms that do not use the GNU date utility such as MacOS, FreeBSD, and Solaris/Illumos.
- Implemented GitHub Actions for automated MacOS builds.
- Fixed crashes on sites that use WebRTC on MacOS.
- Removed migration tools for migrating profiles from other browsers. They were old and outdated and did not work correctly anyway.
- Replaced the old unofficial Serpent branding with a new unofficial branding and unofficial logo called Snake.
- Enable SSL/TLS pipelining by default.
- Updated YouTube user agent overrides. Reinstate Spotify user agent override.
- Fixed a crash in CSS grid layout.
- Set hidden HTML elements to actually always be hidden.
- Updated NSS to 3.90.4.
- Updated SQLite to 3.46.0.
- Fixed an issue with setting of cookies.
- Fixed an issue in Linux IPC code.
- Fixed an issue with DNS prefetching (disabled by default).
- Implemented the missing parts of the html5
<dialog>
element, including modal handling and custom backdrops.
- Implemented coarser, user-configurable granularity for the
canvas poisoning anti-fingerprinting measure. See implementation notes.
- Implemented new CSS viewport units
svw
, svh
,
svmin
, svmax
, lvw
, lvh
,
lvmin
, lvmax
, dvw
, dvh
,
dvmin
and dvmax
.
- Implemented new CSS logical viewport units
vb
,
vi
, svb
, svi
, lvb
,
lvi
, dvb
and dvi
.
- Removed the archaic and wholly outdated FIPS security
module code.
- Removed the archaic DBM support code for storing of
passwords in DBM format files.
- Removed the
-moz
prefix from -moz-fit-content
,
aligning with the current CSS standard fit-content
value.
- Updated our build system by adopting parts of the old
autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build
requirement. If you build from source, you may want to review your
dependencies with this change.
- Fixed issues when building with GCC 14.* and Clang 16.*.
- Fixed issues with emoji sequence clusters causing incorrect
rendering of emoji glyphs in some cases.
- Made some arguments to the legacy
XPathEvaluator/XPathExpression interfaces optional for web
compatibility.
- Fixed a crash when reporting JavaScript module exporting
errors.
- Updated checking of special cookie prefixes to be
case-insensitive in accordance with the current RFC 6265 (bis-11+).
- Fixed issues with external protocol handlers.
- Fixed an issue where autocomplete pop-ups would stay open
in some circumstances.
- Fixed an issue with potentially bad file names being
entered by the user to "Save As...".
- Fixed several crashes and race conditions.
- Made the nonce length for http digest auth configurable.
- Fixed various potential issues with font loading, parsing and handling.
- Cleaned up error reporting for workers and normalized error messages.
- Implemented the bulk of the CSS "cascade layers" spec (
@layer{}
).
This implementation is not 100% complete yet, but should satisfy common
use of CSS cascade layers on the web.
- Implemented support for
Sec-Fetch-*
headers,
implementing another mechanism to deal with site security. See this
part of the spec for a primer on what this does.
- Implemented support for
Sec-Fetch-*
headers,
implementing another mechanism to deal with site security. See this
part of the spec for a primer on what this does.
- Basilisk will now block access to the reserved address
0.0.0.0 on non-Windows operating systems. See implementation notes.
- Dev: Aligned rounding behavior and precision ranges of
toFixed
and related functions with the spec. See implementation notes.
- Dev: Added the
navigator.webdriver
attribute
for web compatibility (always false as we do not support
browser automation APIs).
- Re-implemented the Durstenfeld shuffle for plugin
enumeration that was unfortunately dropped with one of our past
rebases, to strengthen fingerprinting resistance.
- Fixed an issue with character clusters (e.g. for text
selection) resulting from a regression surrounding our improvements for
emoji handling.
- Fixed an issue with setting DOM color values. DiD
- Slightly improved password form handling, detecting
previously unsupported field orders.
- Code cleanup:
- Removed unused code related to the (incomplete) FoxEye
experiment.
- Removed support code for LibAV and (very) old versions of
FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this
version forward (Linux).
- Removed click event dispatching code that is no longer
relevant.
- Cleaned up internal macro use in CSS code (this does not
impact any exposed APIs or code).
- Removed the hidden
network.dns.disablePrefetchFromHTTPS
pref. DNS prefetching should not be treated differently for http and
https.
- Built on UXP commit: 8868552b24
- Security issues addressed: CVE-2024-4772 DiD, CVE-2024-4771,
CVE-2024-4769, CVE-2024-4770, CVE-2024-5699, CVE-2024-5702 DiD, CVE-2024-5690,
CVE-2024-5698 DiD,
CVE-2024-5688 DiD,
CVE-2024-5692, CVE-2024-6611, CVE-2024-6612 DiD , CVE-2024-7531, and several other security issues (some more DiD) that do not have CVE
numbers assigned to them.
Implementation notes
- While we have had canvas data poisoning as an option for a
very long time, it was pointed out that
having a fast rotation on the poisoning leading to new and unique
canvas hashes every time a user would navigate was a red flag to
trackers that poisoning is being employed, mitigating its intent. A
different implementation of canvas poisoning was created that will
still provide human-imperceptible data manipulation of canvases leading
to bogus hashes for trackers, but now in such a way that this hash will
not change for a courser, but variable time frame. This time frame
defaults to 5 minutes in this release, which may be tweaked in the
future if necessary, but is also entirely user-configurable between 1
second and 8 hours with the preference
canvas.poisondata.interval
(indicated in seconds).
- Basilisk will no longer allow connecting to the "this
machine" special reserved address 0.0.0.0 (and IPv6 equivalents
[::]/[::0.0.0.0]) on operating systems other than Windows. This is to
mitigate potentially unrestricted access to local resources on
UNIX-like operating systems due to the way the network stack operates
there. If needed for your use case, you can control this behavior
through the preference
network.dns.blockQuad0
-- if set
to true
, any attempt to connect to the reserved addresses
will result in an error.
- We aligned behavior of number conversions with what is
generally expected on the web by mainstream browser engines and/or
updated specs. Specifically,
toFixed
no longer accepts
negative precision ranges, and toExponential
will now
round up at the midpoint in the decimal significand.
- Initially, the mechanisms
BroadcastChannel
and MessagePort
implicitly called for dispatched events
to not be trusted, but since browsers marked them as trusted, this was
in conflict with the spec. Eventually, the spec for this was changed to
make them trusted in this case. Basilisk now follows this behavior as
well.
Published 2024-05-11
This is a bugfix release.
- Fixed an issue in v2024.05.01 where the preferences panel was broken.
- Built on UXP commit: 55b33fb02b
Published 2024-05-07
This is a development, stability and security release.
- Implemented support for single-use
<link
rel=preload>
meta tag. This implementation allows use of it
without specifying a second <link rel={type}>
meta
tag to actually load the linked document which was originally intended
for this tag (to hint to a browser it should pre-load the document for
fast painting).
- Implemented CSP v3 keywords
script-src-elem
, script-src-attr
,
style-src-elem
and style-src-attr
.
- Added support for Emoji 15.1.
- Implemented
webkitURL
legacy window alias for
URL for web compatibility.
- Implemented CSS shorthands
margin-block
, margin-inline
,
padding-block
and padding-inline
.
- Added support for querying CPU capabilities (SSE2/AVX/AVX2)
to the Navigator interface. For privacy reasons this is not exposed to
the web, but can be used by extensions.
- Removed site-specific override for Amazon.com due to
breakage.
- Fixed an issue where empty MIME type registrations would
break some parts of the UI.
- (Linux only) Pasting URLs to content now by default does
not navigate to that URL.
- If content-paste-navigation is enabled (via
middlemouse.contentLoadURL
),
navigation is now restricted to pasting to active body type elements
(to prevent unwanted navigation when pasting URLs to input boxes, for
example).
- Fixed a problem with JS modules preventing
ExportEntries
from working.
- (Linux only) Fixed a build issue when building with a
system-supplied cairo library (unsupported).
- Fixed an issue where workers could lock up the browser with
SetInterval
with an out-of-bounds (too small)
value. This is now clamped to 4ms matching the HTML spec.
- Fixed a few usability issues with the built-in developer
tools.
- Fixed a potential crash in web workers.
- Fixed a potential overflow issue in image maps.
- Fixed an issue with attributes on duplicate html tags.
- Aligned the behavior of internal pointer structures to be
more
uniform. DiD
- Fixed broken mousewheel scrolling if building with
--disable-npapi
.
- Fixed a minor issue with XUL tree display in some
circumstances.
- Dev: Aligned canvas
Path2D.addPath
with the
updated spec. It now supports DOMMatrix
as opposed to SVGMatrix
.
- Removed Stylo (Gecko Rust style system) leftovers from the
source tree.
- Fixed a few potential emoji display issues. As usual, it is proven time and time again that emoticons are better :)
- Fixed some issues with workers.
- Fixed an issue with ctrl+c copying in devtools.
- Fixed crashes when run under WINE because of its lack of
support for
IDXGIKeyedMutex
.
- Fixed a crash when dealing with a specific (unmaintained)
extension.
- Added
.xrm-ms
files to the executable warning
list on Windows.
- Added sanity checks on HTTP/2 header sizes.
- Fixed a potential issue in the JavaScript JIT compiler.
- Pulled a few fixes from upstream for the OpenType Sanitizer.
- Added a fix to avoid a potential issue when assigning a
media data buffer.
- Built on UXP commit: 55b33fb02b
- Security issues addressed: CVE-2024-1551, CVE-2024-2610, CVE-2024-3863, CVE-2024-3302,
CVE-2024-3857 DiD,
CVE-2024-3859 and CVE-2024-3861 DiD.
Published 2024-02-03
This is a new milestone release.
- Implemented a restricted version of the asynchronous
clipboard API (navigator.clipboard). This API is restricted to writing
only for obvious security considerations. It supports both plaintext
and the standard DataTransfer methods. We did not implement the
reinvented wheel concept of ClipboardItem objects.
- Implemented support for SHA-2 (SHA-256/SHA-512/etc.)
signatures for OCSP stapled responses.
- Implemented
PromiseRejectionEvent
. Although
this is rarely actually used, some common JS libraries (you know who
you are!) use it as a feature level canary and start loading (broken!) Promise
shims if it is not found, causing compatibility issues and broken
websites due to the shims.
- Aligned microtasks and Promises scheduling with the current
spec and expected behavior.
- We now no longer send
click
events to top
levels of the document hierarchy when using non-primary buttons (use auxclick
,
instead, to capture these events).
- Greatly improved the performance of box shadows.
- Greatly improved the performance of file/data uploads over
HTTP/2 (most of the secure websites out there).
- Fixed several issues related to focus and content selection.
- Fixed issues with the use of
focus-within
caused by unexpected processing of DOM events.
- Fixed an issue with CSP not behaving as-expected when using
importScripts()
, and fixed a number of
additional CSP-related issues.
- Fixed a web compatibility issue with CORS preflights not
sending the original request's referrer policy or referrer header.
- Fixed a spec compliance issue with
StructuredClone
.
- Fixed a crash due to clamping code introduced for
SetInterval
and SetTimeout
timers.
- Fixed crashes when dynamic imports are canceled (e.g. by
navigation).
- Changed
<input type=file>
to now have
its .files
property be writable following a spec change
and recommendation.
- We are now requiring and building against the C++17
language standard.
- Updated the in-tree ffvpx lib to 6.0.
- Added a preference to allow users to completely disable
reporting of CSP errors to webmasters. Using this is strongly
discouraged as it will provide essential troubleshooting information to
webmasters setting up CSP, and does not pose a privacy issue, but for
those who really want it, it can now be fully disabled. The preference
is
security.csp.reporting.enabled
.
- Updated the IntersectionObserver interface to now also
accept documents for the observer root instead of only HTML elements.
- Cleaned up various bits of code surrounding GMP, memory
allocation, system libraries, vestigial Android code, freetype2 and
developer tools.
- Improved efficiency of handling D3D textures.
- Added initial and experimental Mac PowerPC and Big Endian
support.
- Added preferences for the user to control whether or not
the tab page title should be included in the window title or not. In
Private Browsing mode, the default is now to not show the title in the
window. This was done to avoid potential leakage to system logs (e.g.
GNOME shell logs or Windows event logs) of websites visited through the
recorded window title. The new preferences are
privacy.exposeContentTitleInWindow
and privacy.exposeContentTitleInWindow.pbm
for normal
mode and Private Browsing mode, respectively.
- Fixed several crashes in DOM and relating to dynamic
JavaScript module imports.
- Removed a restriction on Fetch preflight redirects,
following a spec update.
- Improved the handling of web workers if they get aborted
mid-action.
- Linux releases on both x86_64 and aarch64 are now built with GCC 11 and Oracle Linux 8.
- Linux aarch64 releases are no longer considered to be in beta. Autoupdates will now work for Linux aarch64 builds moving forward.
- Linux aarch64 builds are now available with both GTK2 and GTK3.
- Refactored easy build shell script to use Oracle Linux 8 and GCC 11.
- Refactored easy build shell script to work on both x86_64 and aarch64.
- Changed some default Basilisk networking preferences to better respect privacy and security out of the box.
- Fixed broken security section in the Page Info window.
- Built on UXP commit: 541c5f9f45
- Security issues addressed: CVE-2023-6863, CVE-2023-6858, CVE-2024-0746, CVE-2024-0741,
CVE-2024-0743 DiD,
CVE-2024-0750 DiD, and
CVE-2024-0753.
- UXP Mozilla security patch summary: 7 fixed, 4 DiD, 1 rejected (which was DiD at best), 34 not
applicable.
Published 2023-12-08
This is a minor development and security update.
Important: as of this version, our beta FreeBSD binaries require at least FreeBSD 13.
- We no longer support the data: protocol inside SVG's <use> statements.
- Enabled more validation/error checking for WebGL on Windows to prevent potential crashes.
- Improved secure context checking for iframes.
- Fixed the handling of relative paths in URLs starting with multiple forward slashes.
- Linux ARM64 was built with Clang instead of GCC due to issues with GCC on that platform.
- Built on UXP commit: a4da712f91
- Security issues addressed: CVE-2023-6204, CVE-2023-6210, CVE-2023-6209 and CVE-2023-6205 DiD
- UXP Mozilla security patch summary: 3 fixed, 1 DiD, 14 not applicable.
Published 2023-11-05
This is a major development and security update.
- Added an initial implementation of the ReadableStreams API,
improving web compatibility with sites that apparently use this API in
utilitarian fashion.
- Added support for transparency in WebM videos for the edge
case of using
<video>
elements for transparent
animated images. Major caveat: this will massively impact performance
of video playback if an alpha channel is present in the video.
- Added support for
crypto.randomUUID
to allow
website scripting to generate random UUIDs (universally unique
identifiers) through the WebCrypto interface.
- Removed the user-agent override for Netflix, since they
have stopped supporting the Silverlight browser plugin. Basilisk no
longer has a way to provide Netflix DRM-controlled playback with them
dropping it, so there is no longer a reason to try and force
compatibility.
- Updated the user-agent override for Spotify. While it is
possible to use the website with this, it suffers from the same DRM
issue and not all media will be playable (only non-encumbered media can
be played in Basilisk like podcasts). Your mileage may vary.
- Implemented timer nesting and clamping for workers,
preventing timer hangs on bad website code.
- Improved handling of drawing SVG images on canvases without
explicit width or height attributes. We now follow the css-sizing-3
Intrinsic Sizes spec.
- Improved performance of our memory allocator.
- Updated libvpx to 1.6.1.
- Cleaned up and updated some media playback code.
- Removed the last vestiges of EME/DRM code from UXP, since
this will never be supported in any application building on it due to
the media industry's draconic policies around FOSS.
- Removed support for DRM from Basilisk as a followup to the EME/DRM removal in UXP.
- Removed simd.js,
moving actually used SIMD handling to C++.
- Removed the use of libav in our source, replacing its
supply of FFT with the equivalent from FFMpeg.
- Fixed potential type confusion in IonMonkey due to 3-byte
opcodes.
- Fixed an issue with tooltips persisting even if the browser
window would have lost focus.
- Fixed
PerformanceObserver
navigation and
resource timing (default
disabled for privacy); our implementation now fully passes conformance
tests.
- Fixed an issue where top-level SVG images would not be
correctly
clipped by positioned elements, giving the impression of wrong
z-ordering as the SVG would overlap other elements.
- Dev: Updated
setInterval
to fall back to 0 if
no duration is supplied.
- Dev: Updated
ResizeObserver
to a recent spec
change, now returning
an array of results for borderBoxSize
and contentBoxSize
instead of an
object.
- Dev: Updated
Intl.NumberFormat
and DefaultNumberOption()
to follow spec updates. Most importantly for web compatibility, we now
allow the "maximumFractionDigits" option in Intl.NumberFormat
to be less than the default minimum fraction digits for the chosen
locale, following the general consensus in TC39 around this issue.
- Increased leniency (removed upper limit) of GLSL versions
as they tend to be fully backwards compatible.
- Fixed various crashes.
- Added a safeguard to the sec-gpc
header (Global Privacy Control) so it cannot be inadvertently
overwritten.
- Removed the 360 Secure Browser profile migrator from Basilisk.
- WebRTC Spec Improvements.
- Add ability toggle WebRTC and WebAssembly under Tools->Preferences->Content.
- Enable PerformanceObserver by default in Basilisk.
- Built on UXP commit: 4001b58a3e
- Security fixes: addressed CVE-2023-5722, CVE-2023-5723,
CVE-2023-5724, CVE-2023-5727 and several other issues without a CVE
number assigned to them.
- UXP Mozilla security patch summary: 6 fixed, 2 DiD, 19
not
applicable.
Published 2023-10-03
This is a bugfix and a critical security update.
- Added WASM sign extension opcodes.
- Added GTK version to "Help->About" on GTK builds.
- Removed some unused Android/b2g/iOS code from Basilisk.
- Removed some obsolete Crash Reporter and Error Reporting code from Basilisk.
- Remove some unused code related to Mozilla telemetry from Basilisk.
- Remove some unused stub functions from Basilisk.
- Remove obsolete prefs related to the previously mentioned code removals from Basilisk.
- Rewrite some code in Basilisk to use the text preprocessor at build time instead of AppConstants at run time.
- Set Basilisk to always ask where to save files by default.
- Fixed an issue in BigInt typedArray costructors.
- Added some safety checks for Performance Observers.
- Fixed JSON BigInt regressions.
- Upgraded usrsctp library to a version over 5 years newer, fixing various security issues and potential bugs in sites using WebRTC DataChannels.
- Fixed an issue with libvpx encoding (CVE-2023-5217)
- Fixed an issue with dead Promise wrappers in JavaScript DiD
- Fixed an issue with Alternative Services DiD
- Built on UXP commit: 00084ea49c
Published 2023-09-15
This is a critical security update.
- Fixed a WebP decoder issue (CVE 2023-4863)
- Rebase our PDF.js version on files from the Seamonkey PDF.js addon as well as files ported from Firefox 60.9.0. This upgrades our PDF.js version to 2.3.235, which pulls in almost 3 years of security updates and bugfixes.
- Following the discussion in this forum post, we've introduced GTK2 builds of Basilisk for Linux.
- Built on UXP commit: 3ae2972950
Published 2023-09-12
This is a major development update, further improving web compatibility and fixing bugs.
- Implemented the
BigInt
primitive type for JavaScript. See implementation notes.
- Implemented Big(U)Int64 array support.
- Implemented ergonomic brand checks for JavaScript class fields.
- Aligned the Performance API with the Timeline v2 spec.
- Aligned the handling of flex/grid percentages resolving against the parent with other browsers. See implementation notes.
- Added or updated several user-agent overrides for problematic websites.
- Added 2 preferences to allow users to disable CSS animations and transitions. See implementation notes.
- Improved compatibility with MacOS 14.
- Fixed an important, intermittent JavaScript crash related to garbage collection.
- Fixed several crashes.
- Fixed several debug build related issues.
- Fixed an issue building on SunOS related to the spelling library.
- Updated PDF.js to 1.6.467 from Firefox 53.
- Developer: Added ASan support for building with MSVC.
- Developer: Implemented automated builds using GitHub Actions and automated process of mirroring Basilisk to GitHub.
- Added the
.xll
file extension to the executable extensions list.
- Built on UXP commit: 2d48de9998
- Security issues addressed: several potential security issues that do not have a CVE number. DiD
- UXP Mozilla security patch summary: 1 fixed, 3 DiD, 17 not applicable.
Implementation notes
- The
BigInt
primitive (base number format) in
JavaScript allows JavaScript to handle excessively large integers
(whole numbers). This primitive is especially useful for specialized
scientific applications that need very large yet accurate numbers, but
has seen widespread adoption for an as of yet unknown reason as part of
web frameworks, causing general web compatibility issues for Basilisk
when scripts expect BigInt support and instead have an error thrown. We
have now implemented this primitive for use so we no longer have
compatibility issues with these frameworks. It is still unknown why
BigInt is in use there and for what. Critical
note: BigInt
might be tempting to consider for
JS-backed cryptography but this is very ill-advised, as BigInt
operations are, by their nature, not
constant-time and allow timing and side-channel attacks.
- Flex and grid item sizes in percentages would previously be
resolved against the parent like other elements, according to a very
long-standing practice that stems from the Internet Explorer days.
Mainstream browsers have, however, made an exception for flex items and
grid items to no longer do this. We have now made the same exception
for these types of elements which should solve layout issues on some
websites (notably reserving too much space for items, often resulting
in very large areas of whitespace or items being pushed out of view).
- Two preferences were added (
layout.css.animation.enabled
and layout.css.transition.enabled
) to allow users to
completely disable CSS-based animations and transition effects. This
was a request by users as both a performance and accessibility
consideration. Please note that in some cases, disabling animations and
transitions may have an impact on final web page layout, so you may run
into some issues when disabling these animations and transitions as the
web pages were designed to use them.
Published 2023-07-18
This is a major development update, further improving web compatibility.
-
Added the (hidden) preference
browser.history.menuMaxResults
to allow users to control how many history entries are listed in the menu. Setting this to 0
will hide history menu entries altogether, and any positive number configures how many entries the entries are limited to. The default if not defined is 15
.
- Switched C++ language level used to C++14 on all platforms.
- Web compatibility and scripting improvements:
- Implemented geometry
.from*
static constructors for web compatibility.
- Implemented partial support for CSS
calc()
in color
keywords.
- Implemented Array "find from last" feature (
findLast
and findLastIndex
).
- Implemented Object.hasOwn(object,property).
-
Implemented several additional Intl API methods and functions. This improves web compatibility with sites making use of things like
hourCycle
, advanced DateTimeFormat
, Intl.Locale
, and Intl
as a constructor.
- Cleaned up some unused code.
- Removed support for Mozilla "experiment" type extensions.
-
Improved the JavaScript garbage collector's sweeping. This should fix a few intermittent crashes and improve performance.
-
Implemented some structural changes to the source to make future porting easier, and preparing for switching to C++17.
-
Removed handling of symlinks for directory listings to prevent potential security issues by walking symlinks when uploading. This effectively reverts a change made in Firefox 50 where this functionality was introduced. A case of "Not such a good idea after all" ;-)
- Updated the list of extensions on Windows treated as "executable".
- Security issues addressed: CVE-2023-37208.
- Made preparations for requiring Authorization in CORS ACAH preflight.
Since no browser honors this part of the spec at the moment this is left disabled until there is consensus among browsers.
- Fixed intermittent crashes related to the performance API.
- Fixed intermittent issues with JavaScript malfunctioning in chrome scripts (causing faults in the UI and extensions).
- Added ability to specify build version in mozconfig when compiling Basilisk.
- Built on UXP commit: 3b029cdfe4
- UXP Mozilla security patch summary: 2 fixed, 2 rejected, 20 not applicable.
Published 2023-06-20
This is a small bugfix and stability update.
There were no applicable Mozilla security bugs this time around.
- Fixed a crash in devtools in some OOM situations.
- Fixed crashes when internal script execution was blocked by extensions.
- Fixed crashes with WebComponents'
::slotted
selector.
- Disabled incremental cycle collector by default to avoid performance regressions.
- Updated the default override for chase.com to work around issues.
- Built on UXP commit: b4af6b6265
Published 2023-05-17
This is another important, major development update.
With this version we should have restored web compatibility with the majority of reported problematic websites. If you were previously running into websites being problematic in Basilisk, it may be a good idea to try them again with this release.
Special thanks to Job Bautista, martok, dbsoft, FranklinDM and Travis, and all other UXP contributors for continuing their hard work making this a reality!
This updates the UXP/Goanna platform version to 6.2.
- Implemented dynamic module imports. See implementation notes.
- Implemented exporting of async functions in modules.
- Implemented JavaScript class fields. See implementation notes.
- Implemented logical assignment operators
||=
, &&=
and ??=
.
- Implemented a solution for websites using the officially deprecated ambiguous
window.event
. This is disabled by default but can be enabled through about:config's dom.window.event.enabled
preference. See implementation notes.
- Implemented
self.structuredClone()
- Implemented
Element.replaceChildren
. Once again primarily a web developer note.
- Improved Shadow DOM
:host
matching.
- Implemented WebComponents' CSS
::slotted()
and related functionality.
- Improved page caching in our memory allocator.
- Added support for FFmpeg 6.0, especially important for bleeding-edge Linux distros.
- Fixed a potential drawing deadlock for images, specifically SVG. This solves a number of hang-on-shutdown scenarios.
- Fixed various crashes related to WebComponents and our recent JavaScript work.
- Fixed various build-from-source issues on secondary target platforms.
- Fixed handling of async (arrow) functions declared inside constructors.
- Fixed various small JavaScript conformance issues.
- Fixed an issue where JavaScript (only in modules) would not properly create async wrappers.
- Updated the DOM Performance API to the current spec (User Timing L3).
See implementation notes, especially if you intend to use this in web content for critical functionality.
- Updated keypress event handling to send keypress events on Ctrl+Enter.
- Updated internal JavaScript structures to make future porting easier, as well as improve JavaScript performance.
- Updated window handling and styling on Mac.
- Updated the Freetype lib to 2.13.0.
- Updated the Harfbuzz lib to 7.1.0.
- Updated our DNS lookup calls to use
inet_ntop()
instead of the deprecated inet_ntoa()
.
- Updated the Fetch API to use the global's base URL instead of the entry document's base URL for spec compliance.
- We no longer support the outmoded
fontconfig
on GTK systems.
- We no longer parse or return the body of known-empty responses from servers (content-length of 0, or in case of HEAD or CONNECT methods).
- Implemented scaled font caching on GTK, improving performance.
- Fixed a build issue when building for Linux on ARM64 on later distros.
- Split out more parts of the browser into separate .dll files on Windows to reduce compiler strain and an oversized xul.dll
- Removed mozilla::AlignedStorage (code cleanup).
- Builds for FreeBSD now use xz for packaging instead of bzip2.
- Merged the preference
dom.getRootNode.enabled
into the dom.webcomponents.enabled
pref. See implementation notes.
- Fixed a potential DoS issue with JPEG decoding.
- Fixed a potential issue in Windows widget code that could lead to crashes.
- Disabled potentially hazardous external protocols on Windows.
- Added known-problematic .dlls to the internal blocklist.
- Built on UXP commit: 58308a5c7a
- Security issues addressed: CVE-2023-32209, CVE-2023-32214 and several others that do not have a CVE designation.
- UXP Mozilla security patch summary: 4 fixed, 1 rejected, 27 not applicable.
Implementation notes
- JavaScript modules have various methods of being loaded
into web page content. One of the later introduced methods is a
function-style import() declaration, so-called "dynamic module imports"
that has been used by various web frameworks, causing issues for Basilisk resulting in blank pages in most cases (since the websites would
not actually use document structure HTML, but rather JavaScript to
create content, all from imported modules). This has been a major web
compatibility issue lately and we're pleased to announce that this
complex bit of machinery has been implemented.
- JavaScript's language specification is continuing to be
watered down from a prototyping language towards a more "C-like"
hybrid. As part of that effort, JavaScript classes were introduced in
ECMAScript 6, and now further expanded in ES2022 with class fields and
private class fields/methods, as well as statics. We should have a
complete implementation of this now, which constitutes the more
important parts of the ES2022 language update.
- The use of the outdated Microsoft Internet Explorer global
window.event
has been a pervasive web compatibility issue for us, especially since
it was officially deprecated and we never implemented this ambiguous
and unreliable property that is highly-context sensitive. Websites
should use the event as passed into the event handler to get the event
source instead. However, since neither Chrome nor Firefox have dropped
this and seem to be playing a game of "chicken", it remains in use on
the web. To deal with this conflict, we have now implemented the
equivalent behind a preference to enable users to (temporarily) use the
global window.event
while webmasters update their
websites. We hope the Google camp will finally drop this one soon so we
can be done with this legacy quirk.
- The DOM Performance API was updated to the User Timing
level 3 spec. It should be critically noted that the DOM Performance
API was never designed to be used as a matter of course on published
content, and was designed only for page performance analysis use by web
designers. Of course, as part of making dev tools available to the web,
a lot of abuse ensued because of the accurate navigation and timing
measurements that this API can provide (looking at you, Google!).
Because of tight integration with web content analysis, the older spec
implementation we had was causing issues and actually breaking some
services, so we updated it, but with a few important key differences:
- In Basilisk, we keep navigation timing disabled because
it's a notable privacy issue for the data it can gather (exact
navigational events and timings). If you're a web dev and need these
timing measurements, you can enable them with
dom.enable_performance_navigation_timing
.
- Our implementation, contrary to the spec, does not allow
unlimited recording of performance events (effectively logging every
page event!) which can also rapidly eat up memory. Instead we enforce a
sane default quota that should be roomy enough for all legitimate use,
but prevents runaway resource use or extensive logging of user actions.
- If the set quota is reached, a warning will be printed in
the console and the recorded performance events will be thrown away. If
you (foolishly) rely on Performance API events for your web application
to function, be aware this may cause compatibility issues as the API
was, again, not designed to be used in such a fashion. For event
handling, there are much better alternatives available which do not
involve extensive recording of user data or relying on a developer tool
API.
- We've historically implemented the DOM
getRootNode
function
as it was being used in the wild as a standalone function, however its
main intent has always been to be a helper function part of Shadow
DOM/WebComponents. As such we have now merged the preference into the
WebComponents preference, enabling and disabling it along with the rest
of our WebComponents implementation.
Published 2023-05-01
This is a bugfix and security release.
Note: macOS, Linux aarch64, and FreeBSD beta builds will identify as 2023.04.30
- Fixed a crash in CompareDocumentPosition with Shadow DOM.
- Fixed a crash with display:contents styling.
- Added a preference to disable the TLS 1.3 protocol downgrade sentinel (see implementation notes).
- Changed the way large clipboard copy/paste operations are handled, improving privacy (see implementation notes).
- Improved filename safety when saving files to prevent potential environment leaks (bis).
- Improved sanity checks of MIME type headers.
- Built on UXP commit: eadb5678b3
- Security issues addressed: CVE-2023-29545 and CVE-2023-29539.
- UXP Mozilla security patch summary: 2 fixed, 1 rejected, 49 not applicable.
Implementation notes
- Some proxies and middleware boxes improperly handle the TLS
1.3 protocol handshake causing an insecure downgrade to TLS 1.2. With
our recent update of NSS, Basilisk no longer allows this kind of
protocol downgrade when trying to establish a TLS 1.3 connection to a
server. The resulting error is ssl_error_rx_malformed_server_hello with
an inability to connect to the server. To enable users to still connect
to the servers or devices in question, we've added an option to switch
off the downgrade sentinel. To switch it off as a temporary workaround,
set security.tls.hello_downgrade_check to false.
- If copy and paste operations to/from the browser are
performed, Basilisk writes clipboard contents to disk in a temporary
cache file if the copy/paste amount is particularly large, to avoid
using large amounts of memory to hold this data. The average
paste/clipboard size doesn't tend to hit this limit in which case it is
just held in memory.
Previously, these cache files, while in the O.S. temporary file
location (%TEMP% or /tmp), would not be consistently cleaned up,
potentially causing privacy issues if persisted. This was changed to
using auto-cleaning anonymous temp files, improving user privacy and
relying less on the O.S. or user performing cleanup of temporary file
storage. Thanks to Sandra for pointing this out and providing the patch.
Published 2023-04-05
This is a major update which introduces WebComponents support among other things. Thank you to all of the UXP contributors who worked to make this possible.
Basilisk is now available in beta for macOS and FreeBSD
- Shadow DOM and CustomElements, collectively making up WebComponents, have been enabled by default which should bring much broader web compatibility to the browser for many a site that uses web 2.0+ frameworks. See implementation notes.
- Tab titles in the browser now fade if they are too long instead of using ellipses, to provide a little more readable space to page titles. Note that this may require some updates to tab extensions or themes.
- A number of site-specific overrides have been updated or removed because they are no longer necessary or current with the platform developments in terms of web compatibility. We could use your help evaluating the ones that are still there; see the issue on the Pale Moon repo.
- Updated our promises and async function implementation to the current spec.
- Implemented
Promise.any()
- Fixed several crashes related to regular expression code.
- Improved regular expression object handling so it can be properly garbage collected.
- Fixed some VP8 video playback.
- Fixed an issue where the caret (text cursor) would sometimes not be properly visible.
- Updated the embedded emoji font.
- Implemented the
:is()
and :where()
CSS pseudo-classes.
- Implemented complex selectors for the
:not()
CSS pseudo-class.
- Implemented the
inset
CSS shorthand property.
- Implemented the
env()
environment variable CSS function. See implementation notes.
- Implemented handling for RGB encoded video playback (instead of just YUV).
- Implemented handling for full-range videos (0-255 luminance levels) giving better video playback quality.
- Removed the WebP image decoder pref. See implementation notes.
- Enabled the Web text-to-speech API by default (only supported on some operating systems).
- Updated NSPR to 4.35 and NSS to 3.79.4
- Cleaned up unused "tracking protection" plumbing. See implementation notes.
- Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
- Fixed several intermittent and difficult-to-trace crashes.
- Improved content type security of
jar:
channels. DiD
- Improved JavaScript JIT code generation safety. DiD
- Fixed potential crash scenarios in the graphics subsystem. DiD
- Improved filename safety when saving files to prevent potential environment leaks.
- Introduced Basilisk beta builds for FreeBSD, aarch64 Linux, ARM macOS, and Intel macOS. (thanks dbsoft!)
- Built on UXP commit: ce68156cf4
- Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several others that do not have a CVE.
- UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.
Published 2023-03-07
This is a bugfix update.
- Revert tab title fading feature that was added in v2023.03.04. Caused various issues with tab titles and addons such as Tab Mix Plus.
- Built on UXP commit: 83aff65a42
Published 2023-03-05
This is a bugfix and security update.
- Fixed a crash in the new regular expression code.
- Added
{Extended_Pictographic}
unicode property escape to regular expressions.
- Fixed a regression in regular expressions for literal parsing of invalid ranges.
- Updated NSS to pick up fixes.
- Built on UXP commit: 83aff65a42
- Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and CVE-2023-0767.
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not applicable.
Published 2023-01-26
This is a new milestone release.
Primary focus for this milestone is web compatibility, in particular Regular Expression extensions, standards compliance issues and further JPEG-XL support.
This milestone now offers full coverage of the ECMAScript 2016-2020 JavaScript specifications, with the exception of BigInt primitives.
Special thanks to Martok, Job Bautista and FranklinDM without whom this milestone would not have been possible.
Most important changes:
- Implemented Regular Expression named capture groups.
- Implemented Regular Expression unicode property escapes.
- Re-implemented Regular Expression lookaround/lookbehind (without crashing this time ;) ).
- Implemented progressive decoding for JPEG-XL.
- Implemented animation for JPEG-XL.
- Renamed CSS
offset-*
properties to inset-*
to align with the latest spec and the web.
- Fixed CSS inheritance and padding issues in some cases.
- Aligned parsing of incorrectly duplicated HSTS headers with expected behavior (discard all but the first one).
- Implemented a method to avoid memory exhaustion in case of (very) large resolution animated images.
- Updated the JPEG-XL and Highway libraries to a recent, stable version.
- Cleaned up some unused CSS prefixing code.
- Improved the ability to link on *nix operating systems with other linkers than gcc's default.
- Stability improvements (potential crash fixes).
- Built on UXP commit: 5a4478b409
- Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.
Published 2023-01-08
This is a major development, bugfix and security release.
- Added support for the JPEG-XL image format.
- Implemented regular expressions lookaround/lookbehind.
- Aligned CORS header parsing with the updated spec. See implementation notes.
- We no longer fire keypress events for non-printable keys. See implementation notes.
- Added support for MacOS 13 "Ventura" in the platform, primarily benefitting White Star.
- Fixed potentially problematic thread locking code on *nix platforms.
- Fixed some small issues in the display and operation of the Web Developer tools.
- Removed unused but performance-impacting panning and tab animation measuring code. (telemetry leftovers)
- Improved code for SunOS builds.
- Updated Internationalization data for time zones.
- Fixed a buffer overflow for Mac builds.
- Fixed an issue with plugins not receiving keypress events properly.
- Added some extra sanity checks to our zip/jar/xpi reader to avoid issues with corrupt archives.
- Aligned cookie checks with RFC 6265 bis. See implementation notes.
- Removed obsolete code in Windows widgets that could cause potential issues with long paths and file names on supported versions.
- Fixed several crashes.
- Built on UXP commit: 528db2cbd8
- Security issues addressed: CVE-2022-45411, CVE-2022-46876, CVE-2022-46874 and several others that do not have a CVE number
- UXP Mozilla security patch summary: 6 fixed, 1 DiD, 1 deferred, 45 not applicable.
Implementation notes
- RFC 6265 has been worked on with draft changes describing how cookies are actually being handled in the real world, in the bis versions of the RFC. While these changes have not yet been finalized, browsers in general do adhere to the latest available bis version of this RFC. Specifically, the long-standing exceptions for cookie names and values have been formalized, e.g. having quoted values. Our behavior has changed in that we now once again accept Tab characters (0x09) which is the one excluded control character from the range that is otherwise forbidden. We also no longer apply these checks exclusively to those in http headers, and any way of setting cookies must now adhere to the valid range. Cookies that fail these range checks for valid characters will be ignored.
- CORS support has been updated to the current spec. Most importantly, Basilisk now accepts wildcard entries ("*") for the CORS statements Access-Control-Expose-Headers, Access-Control-Allow-Headers and Access-Control-Allow-Method. Note that wildcards are ignored (according to the spec) when credentials are passed.
- Basilisk will no longer fire the keypress events in content when the key pressed is a non-printable key. This is in response to issues where webmasters would use rudimentary and naïve input-restricting scripts in onkeypress handlers that would not take into account editing keys or navigation keys, causing issues for users trying to enter data into forms (and e.g. finding they could no longer use backspace, cursor keys or tab). This aligns our behavior with other browsers for web compatibility, although it should be considered a website error expecting not all keypresses to be intercepted in keypress events.
Published 2022-11-05
This is a security and compatibility update.
Note: The Basilisk branding has been removed from the Basilisk repository.
- Added detection suport for the newly-released MacOS 13 (Ventura).
- Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674) DiD
- Fixed potentially undefined behavior in our thread locking code. DiD
- Fixed a potentially exploitable crash in the refresh driver.
- Fixed potentially undefined behavior when base-64 decoding. DiD
- Implemented a texture size cap for WebGL to prevent potential issues with some graphics drivers. DiD
- Updated site-specific overrides to address issues with ZoHo.
- Built on UXP commit: 71ae69aea8
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable.
Published 2022-09-28
This is a major development, bugfix and security release.
Note: The default serch engines have changed. Please verify that your configuration still uses your preferred search engine.
- Implemented
.at(index)
JavaScript method on built-in indexables (Array
, String
, TypedArray
).
- Implemented the use of EventSource in workers.
- Enabled the sending of the Origin: header by default on same-origin requests.
- Changed how Basilisk is built. We have made build system changes to reduce build times and pressure on the linker on all platforms. Note that Basilisk is not yet built with Visual Studio 2022. This change will be done in the next release.
- Changed how Basilisk handles standalone wave audio files (.wav). See implementation notes.
- Improved string normalization.
- Updated the handling of CSS "supports" to now accept unparenthesized strings (spec update).
- Fixed various issues when building for Mac OS X.
- Fixed various C++ standard conformance issues in the source code.
- Fixed several issues building on SunOS and Linux with various configurations and gcc versions.
- Fixed an issue with regular expressions'
dotAll
syntax and usage. See implementation notes.
- Switched custom hash map to
std::unordered_map
where prudent.
- Cleaned up and updated IPC thread locking code.
- Removed spacing for accessibility focus rings in form controls to align styling of them with expected metrics.
- Removed the unnecessary control module for building with non-standard configurations of the platform.
- Removed the
-moz
prefix from min-content
and max-content
CSS keywords where it was still in use.
- Updated the search engines included with Basilisk. Basilisk now includes the same search engines as Pale Moon.
- Fix issue where PDF.js was completely broken in the previous release.
- Fixed an important stability and performance issue related to hardware acceleration.
- Implemented Global Privacy Control in the Basilisk settings.
- Fix issue where the 32-bit Windows installer would not execute on 32-bit Windows systems.
- Remove Mozilla related default bookmarks. Update default bookmarks.
- Update compatmode override for Firefox to 102.0.
- Update user agent overrides to improve compatibility with Facebook.
- Built on UXP commit: 456b5450a4
- Security fixes: CVE-2022-40956 and CVE-2022-40958.
- UXP Mozilla security patch summary: 2 fixed, 11 not applicable.
Published 2022-08-06
This is a major update.
Very Important: This is the first public release from the Basilisk Development team. As such, the vendor name in the application has changed. This means the profile directory has changed. See here for more info.
You will have to perform a manual update if you are currently running Basilisk 2022.01.27 as it was compiled without an updater.
Note: Many things have changed since 2022.01.27 and 2022.08.06. We've tried to note all changes here but it is very likely something was missed.
- Fixed several application crash scenarios. DiD
- Fixed a number of thread locking/mutex issues. DiD
- Fixed a leak of content types due to inconsistent error reporting. (CVE-2022-22760)
- Fixed an issue with iframe sandboxing not being properly applied. (CVE-2022-22759)
- Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet.
- Fixed an issue with drag-and-drop. (CVE-2022-22756)
- Fixed a potential crash due to truncated WAV files.
- Fixed a memory safety issue with XSLT. (CVE-2022-26485)
- Fixed a potential crash issue on bing.com.
- Fixed some thread locking issues. DiD
- Worked around a Mesa driver bug that could cause crashes.
- Fixed a potential resource access issue in devtools. DiD
- Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD).
- Implemented Global Privacy Control, taking the place of the unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that you do not want them to share or sell your data.
- Implemented "optional chaining" (thanks, FranklinDM!).
- Implemented setBaseAndExtent for text selections.
- Implemented queueMicroTask() "pseudo-promise" callbacks.
- Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect.
- Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility.
- Improved performance of parallel web workers in JavaScript.
- Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
- Updated various in-tree libraries.
- Added support for extended VPx codec strings in media delivery via MSE (RFC-6381).
- Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites.
- Fixed several crashes and stability issues.
- Removed all Google SafeBrowsing/URLClassifier service code.
- Restored Mac OS X code and buildability in the platform.
- Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation.
- Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems.
- Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users.
- Removed more Android/Fennec code (on-going effort to clean up our code).
- Removed the Marionette automated testing framework.
- Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number.
- Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility.
- Fixed various crash scenarios in XPCOM.
- Fixed an important stability and performance issue related to hardware acceleration.
- Fixed a long-standing issue where dynamic datalist updates for
<select>
and similar elements wouldn't properly update the option list.
- Disabled broken links to MDN articles in developer tools.
- Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
- Enabled the date picker for
<input type=date>
. See implementation notes.
- Re-enabled the use of FIPS mode for NSS. See implementation notes.
- Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios.
- Improved memory handling in the graphics subsystem of Goanna.
- Updated FFvpx to v4.2.7
- Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites.
- Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows.
- Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes.
- Improved the way data is transferred to and from canvases to prevent memory safety issues.
- Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP).
- Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number.
- Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows.
- Fixed a potential issue with revoked site certificates when connecting through a proxy.
- Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo.
- Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number.
- Implemented CSS white-space: break-spaces for web compatibility.
- Implemented Intl.RelativeTimeFormat for web compatibility.
- Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
- Implemented support for async generator methods in JavaScript.
- Added preliminary support for building on Apple Silicon like M1/M2 SoC.
- Added support for building with Visual Studio 2022.
- Improved the handling of CSS "sticky" elements in tables.
- Improved stack size limits on all platforms. See implementation notes.
- Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
- Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
- Updated many in-tree third-party libraries to pick up various performance and stability improvements.
- Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe.
- Removed some leftover (and unused) telemetry code in the platform and front-end.
- Fixed an issue with VP9 video playback on Windows on some systems.
- Fixed an issue with the add-ons manager not properly handling empty update URLs.
- Fixed a major performance regression on *nix based systems due to incorrect thread handling.
- Fixed volume handling when building with the sndio audio back-end.
- Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler.
- Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes.
- Basilisk profile directory changed to reflect vendor change in application.
- Restore ability to build Basilisk on Mac OS X.
- Removal of telemetry code from Basilisk.
- Built on UXP commit: b110549cbd
- UXP Mozilla security patch summary: 11 fixed, 14 Did, 4 rejected, 91 not applicable