Release notes

These release notes are summaries of the most important changes for public releases.

v2025.04.23 Published 2025-04-23
This is a development, bugfix, stability, and security release.

Implemented CSS two-location color stop logic. This allows for two-location color stops (`color x% y%`) in gradients, which is shorthand for `color x%, color y%` where both colors are equal.
Our minimum GCC version requirement to build is now 9.1.
Improved channel handling when CSP blocks network redirects.
Implemented several fixes for CORS preflight requests.
Added explicit whitelisting from CSP content loading of javascript: scheme URLs.
Updated the ffvpx library to 6.0.1, this time preventing video color range regressions. An update to 6.0 was previously backed out in v2025.01.04.
Updated the JPEG-XL library to 0.11.1 to pick up several fixes and improve decoding compatibility of jxl files.
Updated the SQLite library to 3.49.1.
Fixed a spec compliance issue with DOMRect and DOMQuad returning 0 if NaN was present. We now return NaN in that case, per spec.
Fixed a spec compliance issue with NTLM authentication. We now compute Channel Binding Hashes using the certificate signature's hash algorithm, per spec.
Note that particularly weak algorithms are not used and SHA256 will be used as a minimum, instead, in those cases.
Fixed a buildability issue on Mac with XCode 16.3.
Added some additional safety checking to SharedArrayBuffers.
Added some additional safety checking to XSLT compilation and transformation.
Windows only: Added a preference widget.windows.follow_shortcuts_on_file_open to control how Windows File Open dialogs handle shortcut links. See implementation notes.
Simplified some WASM code generation in the Ion JIT compiler.
Fixed a crash in loading external resource maps.
Disabled potentially unsafe attempts at recovering JIT operations.
Fixed some minor linking issues in about:rights.
Updated the embedded emoji font to fix incorrect display of some of the wheelchair emoji.
Built on UXP commit: d892468fd0
Security issues addressed: CVE-2025-1934 (DiD), CVE-2025-3028 (DiD), and and CVE-2025-3033 (see implementation notes)..

Implementation notes

Windows only: This version introduces a new (numeric) preference to control how the "Open File" dialogs handle shortcut links in the file system.
A low-severity security issue (CVE-2025-3033) was found that in some specific circumstances could allow a malicious actor to convince a user to upload an unintended file from their file system with a specially-crafted shortcut file. To mitigate this, a special flag can be passed to File Open dialogs which prevent the dialogs from parsing shortcut links and navigating to target files and folders based on the shortcut file contents. This can be controlled with the newly-added preference. Since this flag, when set, also prevents users from navigating "through" shortcuts to folders (from e.g. the desktop) and would instead open/attach/upload the shortcut file itself, this would be disruptive to many users' workflows. Considering the major usability drawback and the low-severity nature of the security issue (which would require considerable social engineering to pull off), Basilisk, at least for the time being or until a better solution is found, will continue allowing the following of shortcuts and navigating through them to target folders and files in File Open dialogs. If you are overly cautious, you may want to set this preference to the value 0 which always prevents shortcut parsing and following. For everyone else, just a warning to please stay safe and never follow strange sequences of instructions from strangers that you don't exactly know what they do (and never take their explanations at face value).

v2025.02.22 Published 2025-02-22
This is a development, bugfix and security release.

Changed the way cookies are handled internally to fix an issue with cookie database corruption as a result of updates to domain suffixes.
Fixed an issue with Alternative-Services protocol negotiation.
Fixed a potential crash scenario with Structured Clone operations. DiD
Fixed a potential issue with line breaking if out of memory.
Fixed a rare crash with opportunistic encryption.
Minor code cleanup.
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
Unprefixed the :modal CSS pseudo-class and exposed it to content.
Improved efficiency and performance of the Cycle Collector.
Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
Updated the root certificates in the internal trust store.
Updated the Public Suffix List (eTLD) in the browser.
Removed no longer specced URL Constructor(DOMString url, URL base).
Changed the default Firefox Compatibility user-agent version to 115.0.
Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
Fixed a number of bugs and spec compliance issues in WebCrypto.
Fixed installer application naming issue causing failure to detect running application.
Fix an issue which was causing the search box on the new tab page to not work at all.
Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
Fixed a crash in the XSLT stylesheet importing code.
Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
Added a few other small fixes that are tangentially related to the code changes made.
Updated NSS to 3.90.6 (custom) to pick up several security fixes.
Built on UXP commit: 7f2561312a
Security issues addressed: CVE-2025-0239, CVE-2025-0238, and CVE-2025-1009.

Implementation notes

When updating the browser to this version, a one-way upgrade of the cookie database in your browser profile is performed on first start. The new cookie database is not backwards compatible, meaning you cannot use the browser profiles that have been upgraded by this version or later with any prior versions of the browser without data loss.
This is generally the case as most upgrades of user data storage are one-way, but having all your cookies cleared unintentionally is something most people prefer to avoid, hence this warning and a general reminder of profile migrations to newer versions that may happen with any (non-minor) browser upgrade.

Other notes

Unfortunately CloudFlare has deployed scripts since the last Basilisk release that deliberately cause issues on independent browsers. If you are interested in learning more, check out the Pale Moon Forum thread where users are discussing this issue. Please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).

Old Releases

Old release notes from Basilisk Development Team releases can be found here.

Releases notes from releases by Moonchild Productions can be found here.