Release notes

These release notes are summaries of the most important changes for public releases.

v2024.10.24 Published 2024-10-23
This is a development, bugfix and security release.

Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
Improved buildability on NetBSD and PowerPC architectures with Altivec support.
Fixed building issues on Apple Silicon Mac with XCode 16.
Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
Dev: Implemented ES2023 Hashbang grammar proposal.
Cleanup some e10s and Reputation Check leftovers in Basilisk frontend code.
Fixed an issue with JavaScript's StructuredClone.
Built on UXP commit: 89e88ca6a0
Security issues addressed: CVE-2024-9396.
Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed)

Implementation notes

By user request, primarily for advanced power users who need this for their local setups, 2 new preferences were introduced to control how the browser deals with same-origin and CORS.
- security.same_origin_policy.enabled, when set to false, will completely disable checking if scripts are allowed to be loaded based on the same-origin policy. Security warning: this is a really bad idea on the open web and you should never blanket disable the Same-Origin Policy check in a web browser for normal use.
- content.cors.bypass_preflight_request, when set to true, will no longer send CORS preflight requests or check preflight responses and always allow cross-origin requests. Note that this kind of request is normally only made if sending a request to a server might result in data changes server-side (e.g. POST). This preference only does something when CORS is already disabled; provided primarily for specific corner cases where CORS is disabled and preflight checks (providing an extra safety net for server data) need to be shut off too.
There are dragons hiding in these two preferences. Please handle them responsibly.

v2024.09.13 Published 2024-09-13
This is a minor security and bugfix update.

Introduced i686/32-bit x86 Linux binaries. These require SSE2 support or later to run. They are built on the same Oracle Linux 8/GCC 11 platform as our x86_64 and aarch64 builds.
Added option to network preferences to toggle DNS prefetching on/off. Unlike Pale Moon, we will continue to leave this off by default.
Backed out support for FFmpeg 7.0/libavcodec 61 (Linux) due to it causing a major regression in WebAudio (broken on all platforms). This is being worked on to re-land at a later date.
Restricted the NotifyPaintEvent interface to chrome code only; there is no reason (other than potential tracking/fingerprinting) to have this accessible from content.
Fixed a potentially exploitable issue in JavaScript (FetchName).
Fixed a code correctness issue in XPConnect when creating sandboxes. DiD
Added a warning for using externally handled usenet protocols.
Built on UXP commit: 2697dd162f
Security issues addressed: CVE-2024-8383 and CVE-2024-8381.

Old Releases

Old release notes from Basilisk Development Team releases can be found here.

Releases notes from releases by Moonchild Productions can be found here.