Release notes
These release notes are summaries of the most important changes for public releases.
Published 2025-04-23
This is a development, bugfix, stability, and security release.
- Implemented CSS two-location color stop logic. This allows for two-location color stops (`color x% y%`) in gradients, which is shorthand for `color x%, color y%` where both colors are equal.
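To make the shorthand concrete, here is an added example (not Basilisk or UXP code) that expands two-location color stops into the equivalent pairs of single-location stops. The gradient strings are constructed for the example; the parser assumes positions are written as percentages, as in the note above, and goes a little beyond it by handling functional colors such as `rgb(...)` through a depth-aware split on top-level commas.

```python
import re

# One color stop: a color token followed by exactly two percentage positions.
# Assumption of this example: positions are percentages (lengths such as
# "10px" would need a wider pattern). The non-greedy color group lets
# functional colors containing spaces, e.g. "rgb(0, 0, 0)", match as a unit.
TWO_POS_RE = re.compile(r"^(?P<color>.+?)\s+(?P<a>-?[\d.]+%)\s+(?P<b>-?[\d.]+%)$")


def split_top_level(args: str):
    """Split a gradient argument list on commas that are not nested inside
    parentheses, so "rgb(0, 0, 0)" survives as a single token."""
    parts, depth, current = [], 0, []
    for ch in args:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def expand_color_stops(stops):
    """Rewrite "color x% y%" as "color x%", "color y%"; other entries
    (direction keywords, single-position stops, bare colors) pass through."""
    expanded = []
    for stop in stops:
        match = TWO_POS_RE.match(stop)
        if match:
            color = match.group("color")
            expanded.append(f"{color} {match.group('a')}")
            expanded.append(f"{color} {match.group('b')}")
        else:
            expanded.append(stop)
    return expanded


def expand_gradient(gradient: str) -> str:
    """Expand every two-location stop inside a gradient function call."""
    match = re.match(r"^\s*([\w-]+)\((.*)\)\s*$", gradient, re.S)
    if not match:
        raise ValueError("not a gradient function")
    name, args = match.groups()
    return f"{name}({', '.join(expand_color_stops(split_top_level(args)))})"


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for sample in (
        "linear-gradient(red 10% 30%, blue)",
        "linear-gradient(to right, rgb(0, 0, 0) 10% 30%, blue 90%)",
    ):
        print(sample, "=>", expand_gradient(sample))
```

The second sample shows why the comma split has to be depth-aware: a naive `str.split(",")` would tear `rgb(0, 0, 0)` apart before the stop pattern ever sees it.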
- Our minimum GCC version requirement to build is now 9.1.
- Improved channel handling when CSP blocks network redirects.
- Implemented several fixes for CORS preflight requests.
- Added explicit whitelisting from CSP content loading of `javascript:` scheme URLs.
- Updated the ffvpx library to 6.0.1, this time preventing
video color range regressions. An update to 6.0 was previously backed
out in v2025.01.04.
- Updated the JPEG-XL library to 0.11.1 to pick up several
fixes and improve decoding compatibility of jxl files.
- Updated the SQLite library to 3.49.1.
- Fixed a spec compliance issue with DOMRect and DOMQuad
returning 0 if NaN was present. We now return NaN in that case, per
spec.
- Fixed a spec compliance issue with NTLM authentication. We
now compute Channel Binding Hashes using the certificate signature's
hash algorithm, per spec.
Note that particularly weak algorithms are not used and SHA256 will be
used as a minimum, instead, in those cases.
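As an added illustration of that hash-selection rule (example code, not the browser's NTLM implementation), the following computes a tls-server-end-point style channel binding hash over DER certificate bytes: it uses the certificate signature's hash algorithm, but substitutes SHA-256 whenever that algorithm is MD5 or SHA-1, which is the rule RFC 5929 specifies for this binding type. The sample DER bytes are a constructed placeholder and the algorithm-name mapping is an assumption of the example.

```python
import hashlib

# Digest algorithms never used for the binding hash: RFC 5929
# (tls-server-end-point) substitutes SHA-256 for MD5 and SHA-1, which
# matches the "SHA256 as a minimum" behaviour the release note describes.
WEAK_HASHES = {"md5", "sha1"}

# Hash component of a certificate signatureAlgorithm -> hashlib constructor.
# The name strings are an assumption of this example, not a browser API.
HASH_BY_NAME = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Constructed placeholder standing in for a DER-encoded server certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-placeholder-certificate-body"


def select_binding_hash(sig_hash_name: str) -> str:
    """Return the digest name used for the channel binding: the certificate
    signature's hash, floored at SHA-256 when that hash is weak."""
    name = sig_hash_name.lower().replace("-", "")
    if name not in HASH_BY_NAME:
        raise ValueError(f"unsupported signature hash algorithm: {sig_hash_name}")
    return "sha256" if name in WEAK_HASHES else name


def channel_binding_hash(cert_der: bytes, sig_hash_name: str) -> bytes:
    """Hash the DER certificate with the selected algorithm."""
    return HASH_BY_NAME[select_binding_hash(sig_hash_name)](cert_der).digest()


def channel_binding_data(cert_der: bytes, sig_hash_name: str) -> bytes:
    """Application data as RFC 5929 formats it: the binding-type prefix
    followed by the certificate hash. How NTLM folds this into its own
    channel-bindings attribute is outside the scope of this example."""
    return b"tls-server-end-point:" + channel_binding_hash(cert_der, sig_hash_name)


if __name__ == "__main__":
    for algo in ("sha1", "sha256", "sha384"):
        digest = channel_binding_hash(SAMPLE_CERT_DER, algo)
        print(f"{algo} -> {select_binding_hash(algo)}: {digest.hex()}")
```

The point to verify when reviewing such code is the floor, not the hashing: a certificate signed with SHA-1 must yield a 32-byte SHA-256 binding identical to the one a SHA-256-signed copy would produce, and an algorithm outside the supported set must fail closed rather than silently fall back.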
- Fixed a buildability issue on Mac with XCode 16.3.
- Added some additional safety checking to `SharedArrayBuffers`.
- Added some additional safety checking to XSLT compilation
and transformation.
- Windows only: Added a preference `widget.windows.follow_shortcuts_on_file_open` to control how Windows File Open dialogs handle shortcut links. See implementation notes.
- Simplified some WASM code generation in the Ion JIT
compiler.
- Fixed a crash in loading external resource maps.
- Disabled potentially unsafe attempts at recovering JIT
operations.
- Fixed some minor linking issues in about:rights.
- Updated the embedded emoji font to fix incorrect display of
some of the wheelchair emoji.
- Built on UXP commit: d892468fd0
- Security issues addressed: CVE-2025-1934 (DiD), CVE-2025-3028 (DiD), and CVE-2025-3033 (see implementation notes).
Implementation notes
- Windows only: This version introduces a new (numeric) preference to control how the "Open File" dialogs handle shortcut links in the file system. A low-severity security issue (CVE-2025-3033) was found that in some specific circumstances could allow a malicious actor to convince a user to upload an unintended file from their file system with a specially-crafted shortcut file. To mitigate this, a special flag can be passed to File Open dialogs which prevents the dialogs from parsing shortcut links and navigating to target files and folders based on the shortcut file contents. This can be controlled with the newly-added preference. Since this flag, when set, also prevents users from navigating "through" shortcuts to folders (from e.g. the desktop) and would instead open/attach/upload the shortcut file itself, it would be disruptive to many users' workflows. Considering the major usability drawback and the low-severity nature of the security issue (which would require considerable social engineering to pull off), Basilisk, at least for the time being or until a better solution is found, will continue allowing the following of shortcuts and navigating through them to target folders and files in File Open dialogs. If you are overly cautious, you may want to set this preference to the value `0`, which always prevents shortcut parsing and following. For everyone else, just a warning to please stay safe and never follow strange sequences of instructions from strangers when you don't know exactly what they do (and never take their explanations at face value).
Published 2025-02-22
This is a development, bugfix and security release.
- Changed the way cookies are handled internally to fix an
issue with cookie database corruption as a result of updates to domain
suffixes.
- Fixed an issue with Alternative-Services protocol
negotiation.
- Fixed a potential crash scenario with Structured Clone operations. (DiD)
- Fixed a potential issue with line breaking if out of memory.
- Fixed a rare crash with opportunistic encryption.
- Minor code cleanup.
- Implemented a content sniffer for ADTS and raw AAC audio.
- Implemented `AbortSignal.abort()` and stub `AbortSignal.timeout()`.
- Unprefixed the `:modal` CSS pseudo-class and exposed it to content.
- Improved efficiency and performance of the Cycle Collector.
- Added a check for explicit expectance of a percentage value
in CSS HSL for the S and L components.
- Updated the cookie storage database to no longer use
BaseDomain. See implementation notes.
- Updated CSS grid handling to no longer apply auto
min-sizing when flex max-sizing (browser parity).
- Updated the root certificates in the internal trust store.
- Updated the Public Suffix List (eTLD) in the browser.
- Removed the no longer specced URL `Constructor(DOMString url, URL base)`.
- Changed the default Firefox Compatibility user-agent
version to 115.0.
- Fixed an issue where cloned `<audio>` or `<video>` elements would not respect the original element's muted state.
- Fixed a number of bugs and spec compliance issues in
WebCrypto.
- Fixed installer application naming issue causing failure to
detect running application.
- Fixed an issue which was causing the search box on the new tab page to not work at all.
- Fixed a crash when `Interval` handlers are present in scripts that are automatically terminated due to excessive runtime.
- Fixed a crash in JS Structured Cloning when the input would
be bogus (CloudFlare-triggered crash).
- Fixed a crash in the XSLT stylesheet importing code.
- Disabled CSP reporting temporarily to work around memory
issues caused by CloudFlare's scripting. While CSP reporting is
important to inform webmasters of issues with their content security
policies, not having the browser eat up all memory is more critical. We
do intend to re-enable this when the issue is resolved on CloudFlare's
side.
- Improved CSS grid performance to avoid exponential
calculations and reflows caused by CloudFlare's scripting. This wasn't
a bug, per se, but could easily lock up with bad scripting if called
recursively.
- Added a few other small fixes that are tangentially related
to the code changes made.
- Updated NSS to 3.90.6 (custom) to pick up several security
fixes.
- Built on UXP commit: 7f2561312a
- Security issues addressed: CVE-2025-0239, CVE-2025-0238, and CVE-2025-1009.
Implementation notes
- When updating the browser to this version, a one-way
upgrade of the cookie database in your
browser profile is performed on first start. The new cookie database is
not backwards compatible, meaning you
cannot use the browser profiles that have been upgraded by this version
or later with any prior versions of the browser without data loss.
This is generally the case as most upgrades of user data storage are
one-way, but having all your cookies cleared unintentionally is
something most people prefer to avoid, hence this warning and a general
reminder of profile migrations to newer versions that may happen with
any (non-minor) browser upgrade.
Other notes
- Unfortunately CloudFlare has deployed scripts since the last Basilisk release that deliberately cause issues on independent browsers. If you are interested in learning more, check out the Pale Moon Forum thread where users are discussing this issue. Please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).
Old Releases
Old release notes from Basilisk Development Team releases can be found here.
Releases notes from releases by Moonchild Productions can be found here.