Release notes

These release notes are summaries of the most important changes for public releases.

v2024.11.23 Published 2024-11-23
This is a minor security and bugfix update.

Cleaned up some old unused code for pre-Windows 7 versions in the Windows installer.
Built on UXP commit: df16df5693
Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
Addressed CVE-2024-10463.

v2024.10.24 Published 2024-10-23
This is a development, bugfix and security release.

Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
Improved buildability on NetBSD and PowerPC architectures with Altivec support.
Fixed building issues on Apple Silicon Mac with XCode 16.
Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
Dev: Implemented ES2023 Hashbang grammar proposal.
Cleanup some e10s and Reputation Check leftovers in Basilisk frontend code.
Fixed an issue with JavaScript's StructuredClone.
Built on UXP commit: 89e88ca6a0
Security issues addressed: CVE-2024-9396.
Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed)

Implementation notes

By user request, primarily for advanced power users who need this for their local setups, 2 new preferences were introduced to control how the browser deals with same-origin and CORS.
- security.same_origin_policy.enabled, when set to false, will completely disable checking if scripts are allowed to be loaded based on the same-origin policy. Security warning: this is a really bad idea on the open web and you should never blanket disable the Same-Origin Policy check in a web browser for normal use.
- content.cors.bypass_preflight_request, when set to true, will no longer send CORS preflight requests or check preflight responses and always allow cross-origin requests. Note that this kind of request is normally only made if sending a request to a server might result in data changes server-side (e.g. POST). This preference only does something when CORS is already disabled; provided primarily for specific corner cases where CORS is disabled and preflight checks (providing an extra safety net for server data) need to be shut off too.
There are dragons hiding in these two preferences. Please handle them responsibly.

Old Releases

Old release notes from Basilisk Development Team releases can be found here.

Releases notes from releases by Moonchild Productions can be found here.