Release notes

These release notes are summaries of the most important changes for public releases.

v2025.02.22 Published 2025-02-22
This is a development, bugfix and security release.

Changed the way cookies are handled internally to fix an issue with cookie database corruption as a result of updates to domain suffixes.
Fixed an issue with Alternative-Services protocol negotiation.
Fixed a potential crash scenario with Structured Clone operations. DiD
Fixed a potential issue with line breaking if out of memory.
Fixed a rare crash with opportunistic encryption.
Minor code cleanup.
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
Unprefixed the :modal CSS pseudo-class and exposed it to content.
Improved efficiency and performance of the Cycle Collector.
Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
Updated the root certificates in the internal trust store.
Updated the Public Suffix List (eTLD) in the browser.
Removed no longer specced URL Constructor(DOMString url, URL base).
Changed the default Firefox Compatibility user-agent version to 115.0.
Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
Fixed a number of bugs and spec compliance issues in WebCrypto.
Fixed installer application naming issue causing failure to detect running application.
Fix an issue which was causing the search box on the new tab page to not work at all.
Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
Fixed a crash in the XSLT stylesheet importing code.
Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
Added a few other small fixes that are tangentially related to the code changes made.
Updated NSS to 3.90.6 (custom) to pick up several security fixes.
Built on UXP commit: 7f2561312a
Security issues addressed: CVE-2025-0239, CVE-2025-0238, and CVE-2025-1009.

Implementation notes

When updating the browser to this version, a one-way upgrade of the cookie database in your browser profile is performed on first start. The new cookie database is not backwards compatible, meaning you cannot use the browser profiles that have been upgraded by this version or later with any prior versions of the browser without data loss.
This is generally the case as most upgrades of user data storage are one-way, but having all your cookies cleared unintentionally is something most people prefer to avoid, hence this warning and a general reminder of profile migrations to newer versions that may happen with any (non-minor) browser upgrade.

Other notes

Unfortunately CloudFlare has deployed scripts since the last Basilisk release that deliberately cause issues on independent browsers. If you are interested in learning more, check out the Pale Moon Forum thread where users are discussing this issue. Please consider reporting any and all occurrences of failing or looping CloudFlare checks on websites to CloudFlare as well as the owners of affected websites (you may have to temporarily use a Chromium-based browser to do this).

v2025.01.04 Published 2025-01-04
This is a development, bugfix and security release.

Implemented Regular Expression "match indices" (/d) feature.
Updated handling of referrer policies to adhere to the updated spec.
CSS font variations keywords no longer throw an error. See implementation notes.
CSS border-radius will now also apply to element outlines.
Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
Refreshed the built-in list of effective top-level domains.
Fixed several application crashes.
Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
Ported the "ghostbuster" functionality from Pale Moon 33.4.0.
Built on UXP commit: b3b852b877
Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).

Implementation notes

The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Basilisk throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse the -variations keywords allowing variation alternative font-faces to be loaded, even if no base font was specified. To webmasters only supplying @font-face entries with variations keywords: please understand the intent of this CSS 4 spec and always provide a base font entry (graceful fallback).

Old Releases

Old release notes from Basilisk Development Team releases can be found here.

Releases notes from releases by Moonchild Productions can be found here.