Basilisk Changelog

What's new in Basilisk 2024.02.03

Feb 4, 2024

Implemented a restricted version of the asynchronous clipboard API (navigator.clipboard). This API is restricted to writing only for obvious security considerations. It supports both plaintext and the standard DataTransfer methods. We did not implement the reinvented wheel concept of ClipboardItem objects.
Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for OCSP stapled responses.
Implemented PromiseRejectionEvent. Although this is rarely actually used, some common JS libraries (you know who you are!) use it as a feature level canary and start loading (broken!) Promise shims if it is not found, causing compatibility issues and broken websites due to the shims.
Aligned microtasks and Promises scheduling with the current spec and expected behavior.
We now no longer send click events to top levels of the document hierarchy when using non-primary buttons (use auxclick, instead, to capture these events).
Greatly improved the performance of box shadows.
Greatly improved the performance of file/data uploads over HTTP/2 (most of the secure websites out there).
Fixed several issues related to focus and content selection.
Fixed issues with the use of focus-within caused by unexpected processing of DOM events.
Fixed an issue with CSP not behaving as-expected when using importScripts(), and fixed a number of additional CSP-related issues.
Fixed a web compatibility issue with CORS preflights not sending the original request's referrer policy or referrer header.
Fixed a spec compliance issue with StructuredClone.
Fixed a crash due to clamping code introduced for SetInterval and SetTimeout timers.
Fixed crashes when dynamic imports are canceled (e.g. by navigation).
Changed <input type=file> to now have its .files property be writable following a spec change and recommendation.
We are now requiring and building against the C++17 language standard.
Updated the in-tree ffvpx lib to 6.0.
Added a preference to allow users to completely disable reporting of CSP errors to webmasters. Using this is strongly discouraged as it will provide essential troubleshooting information to webmasters setting up CSP, and does not pose a privacy issue, but for those who really want it, it can now be fully disabled. The preference is security.csp.reporting.enabled.
Updated the IntersectionObserver interface to now also accept documents for the observer root instead of only HTML elements.
Cleaned up various bits of code surrounding GMP, memory allocation, system libraries, vestigial Android code, freetype2 and developer tools.
Improved efficiency of handling D3D textures.
Added initial and experimental Mac PowerPC and Big Endian support.
Added preferences for the user to control whether or not the tab page title should be included in the window title or not. In Private Browsing mode, the default is now to not show the title in the window. This was done to avoid potential leakage to system logs (e.g. GNOME shell logs or Windows event logs) of websites visited through the recorded window title. The new preferences are privacy.exposeContentTitleInWindow and privacy.exposeContentTitleInWindow.pbm for normal mode and Private Browsing mode, respectively.
Fixed several crashes in DOM and relating to dynamic JavaScript module imports.
Removed a restriction on Fetch preflight redirects, following a spec update.
Improved the handling of web workers if they get aborted mid-action.
Linux releases on both x86_64 and aarch64 are now built with GCC 11 and Oracle Linux 8.
Linux aarch64 releases are no longer considered to be in beta. Autoupdates will now work for Linux aarch64 builds moving forward.
Linux aarch64 builds are now available with both GTK2 and GTK3.
Refactored easy build shell script to use Oracle Linux 8 and GCC 11.
Refactored easy build shell script to work on both x86_64 and aarch64.
Changed some default Basilisk networking preferences to better respect privacy and security out of the box.
Fixed broken security section in the Page Info window.
Security issues addressed: CVE-2023-6863, CVE-2023-6858, CVE-2024-0746, CVE-2024-0741, CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
UXP Mozilla security patch summary: 7 fixed, 4 DiD, 1 rejected (which was DiD at best), 34 not applicable.

New in Basilisk 2023.12.09 (Dec 11, 2023)

New in Basilisk 2023.11.05 (Nov 6, 2023)

This is a major development and security update:
Added an initial implementation of the ReadableStreams API, improving web compatibility with sites that apparently use this API in utilitarian fashion.
Added support for transparency in WebM videos for the edge case of using <video> elements for transparent animated images. Major caveat: this will massively impact performance of video playback if an alpha channel is present in the video.
Added support for crypto.randomUUID to allow website scripting to generate random UUIDs (universally unique identifiers) through the WebCrypto interface.
Removed the user-agent override for Netflix, since they have stopped supporting the Silverlight browser plugin. Basilisk no longer has a way to provide Netflix DRM-controlled playback with them dropping it, so there is no longer a reason to try and force compatibility.
Updated the user-agent override for Spotify. While it is possible to use the website with this, it suffers from the same DRM issue and not all media will be playable (only non-encumbered media can be played in Basilisk like podcasts). Your mileage may vary.
Implemented timer nesting and clamping for workers, preventing timer hangs on bad website code.
Improved handling of drawing SVG images on canvases without explicit width or height attributes. We now follow the css-sizing-3 Intrinsic Sizes spec.
Improved performance of our memory allocator.
Updated libvpx to 1.6.1.
Cleaned up and updated some media playback code.
Removed the last vestiges of EME/DRM code from UXP, since this will never be supported in any application building on it due to the media industry's draconic policies around FOSS.
Removed support for DRM from Basilisk as a followup to the EME/DRM removal in UXP.
Removed simd.js, moving actually used SIMD handling to C++.
Removed the use of libav in our source, replacing its supply of FFT with the equivalent from FFMpeg.
Fixed potential type confusion in IonMonkey due to 3-byte opcodes.
Fixed an issue with tooltips persisting even if the browser window would have lost focus.
Fixed PerformanceObserver navigation and resource timing (default disabled for privacy); our implementation now fully passes conformance tests.
Fixed an issue where top-level SVG images would not be correctly clipped by positioned elements, giving the impression of wrong z-ordering as the SVG would overlap other elements.
Dev: Updated setInterval to fall back to 0 if no duration is supplied.
Dev: Updated ResizeObserver to a recent spec change, now returning an array of results for borderBoxSize and contentBoxSize instead of an object.
Dev: Updated Intl.NumberFormat and DefaultNumberOption() to follow spec updates. Most importantly for web compatibility, we now allow the "maximumFractionDigits" option in Intl.NumberFormat to be less than the default minimum fraction digits for the chosen locale, following the general consensus in TC39 around this issue.
Increased leniency (removed upper limit) of GLSL versions as they tend to be fully backwards compatible.
Fixed various crashes.
Added a safeguard to the sec-gpc header (Global Privacy Control) so it cannot be inadvertently overwritten.
Removed the 360 Secure Browser profile migrator from Basilisk.
WebRTC Spec Improvements.
Add ability toggle WebRTC and WebAssembly under Tools->Preferences->Content.
Enable PerformanceObserver by default in Basilisk.
Security fixes: addressed CVE-2023-5722, CVE-2023-5723, CVE-2023-5724, CVE-2023-5727 and several other issues without a CVE number assigned to them.
UXP Mozilla security patch summary: 6 fixed, 2 DiD, 19 not applicable.

New in Basilisk 2023.10.03 (Oct 3, 2023)

New in Basilisk 2023.09.15 (Sep 16, 2023)

New in Basilisk 2023.09.12 (Sep 13, 2023)

Implemented the BigInt primitive type for JavaScript. See implementation notes.
Implemented Big(U)Int64 array support.
Implemented ergonomic brand checks for JavaScript class fields.
Aligned the Performance API with the Timeline v2 spec.
Aligned the handling of flex/grid percentages resolving against the parent with other browsers. See implementation notes.
Added or updated several user-agent overrides for problematic websites.
Added 2 preferences to allow users to disable CSS animations and transitions. See implementation notes.
Improved compatibility with MacOS 14.
Fixed an important, intermittent JavaScript crash related to garbage collection.
Fixed several crashes.
Fixed several debug build related issues.
Fixed an issue building on SunOS related to the spelling library.
Updated PDF.js to 1.6.467 from Firefox 53.
Developer: Added ASan support for building with MSVC.
Developer: Implemented automated builds using GitHub Actions and automated process of mirroring Basilisk to GitHub.
Added the .xll file extension to the executable extensions list.
Security issues addressed: several potential security issues that do not have a CVE number. DiD
UXP Mozilla security patch summary: 1 fixed, 3 DiD, 17 not applicable.
Implementation notes
The BigInt primitive (base number format) in JavaScript allows JavaScript to handle excessively large integers (whole numbers). This primitive is especially useful for specialized scientific applications that need very large yet accurate numbers, but has seen widespread adoption for an as of yet unknown reason as part of web frameworks, causing general web compatibility issues for Basilisk when scripts expect BigInt support and instead have an error thrown. We have now implemented this primitive for use so we no longer have compatibility issues with these frameworks. It is still unknown why BigInt is in use there and for what. Critical note: BigInt might be tempting to consider for JS-backed cryptography but this is very ill-advised, as BigInt operations are, by their nature, not constant-time and allow timing and side-channel attacks.
Flex and grid item sizes in percentages would previously be resolved against the parent like other elements, according to a very long-standing practice that stems from the Internet Explorer days. Mainstream browsers have, however, made an exception for flex items and grid items to no longer do this. We have now made the same exception for these types of elements which should solve layout issues on some websites (notably reserving too much space for items, often resulting in very large areas of whitespace or items being pushed out of view).
Two preferences were added (layout.css.animation.enabled and layout.css.transition.enabled) to allow users to completely disable CSS-based animations and transition effects. This was a request by users as both a performance and accessibility consideration. Please note that in some cases, disabling animations and transitions may have an impact on final web page layout, so you may run into some issues when disabling these animations and transitions as the web pages were designed to use them.

New in Basilisk 2023.07.18 (Jul 19, 2023)

This is a major development update, further improving web compatibility.
Added the (hidden) preference browser.history.menuMaxResults to allow users to control how many history entries are listed in the menu. Setting this to 0 will hide history menu entries altogether, and any positive number configures how many entries the entries are limited to. The default if not defined is 15.
Switched C++ language level used to C++14 on all platforms.
Web compatibility and scripting improvements:
Implemented geometry .from* static constructors for web compatibility.
Implemented partial support for CSS calc() in color keywords.
Implemented Array "find from last" feature (findLast and findLastIndex).
Implemented Object.hasOwn(object,property).
Implemented several additional Intl API methods and functions. This improves web compatibility with sites making use of things like hourCycle, advanced DateTimeFormat, Intl.Locale, and Intl as a constructor.
Cleaned up some unused code.
Removed support for Mozilla "experiment" type extensions.
Improved the JavaScript garbage collector's sweeping. This should fix a few intermittent crashes and improve performance.
Implemented some structural changes to the source to make future porting easier, and preparing for switching to C++17.
Removed handling of symlinks for directory listings to prevent potential security issues by walking symlinks when uploading. This effectively reverts a change made in Firefox 50 where this functionality was introduced. A case of "Not such a good idea after all" ;-)
Updated the list of extensions on Windows treated as "executable".
Security issues addressed: CVE-2023-37208.
Made preparations for requiring Authorization in CORS ACAH preflight.
Since no browser honors this part of the spec at the moment this is left disabled until there is consensus among browsers.
Fixed intermittent crashes related to the performance API.
Fixed intermittent issues with JavaScript malfunctioning in chrome scripts (causing faults in the UI and extensions).
Added ability to specify build version in mozconfig when compiling Basilisk.
UXP Mozilla security patch summary: 2 fixed, 2 rejected, 20 not applicable.

New in Basilisk 2023.06.20 (Jun 20, 2023)

New in Basilisk 2023.05.17 (May 17, 2023)

This updates the UXP/Goanna platform version to 6.2.
Implemented dynamic module imports. See implementation notes.
Implemented exporting of async functions in modules.
Implemented JavaScript class fields. See implementation notes.
Implemented logical assignment operators ||=, &&= and ??=.
Implemented a solution for websites using the officially deprecated ambiguous window.event. This is disabled by default but can be enabled through about:config's dom.window.event.enabled preference. See implementation notes.
Implemented self.structuredClone()
Implemented Element.replaceChildren. Once again primarily a web developer note.
Improved Shadow DOM :host matching.
Implemented WebComponents' CSS ::slotted() and related functionality.
Improved page caching in our memory allocator.
Added support for FFmpeg 6.0, especially important for bleeding-edge Linux distros.
Fixed a potential drawing deadlock for images, specifically SVG. This solves a number of hang-on-shutdown scenarios.
Fixed various crashes related to WebComponents and our recent JavaScript work.
Fixed various build-from-source issues on secondary target platforms.
Fixed handling of async (arrow) functions declared inside constructors.
Fixed various small JavaScript conformance issues.
Fixed an issue where JavaScript (only in modules) would not properly create async wrappers.
Updated the DOM Performance API to the current spec (User Timing L3).
See implementation notes, especially if you intend to use this in web content for critical functionality.
Updated keypress event handling to send keypress events on Ctrl+Enter.
Updated internal JavaScript structures to make future porting easier, as well as improve JavaScript performance.
Updated window handling and styling on Mac.
Updated the Freetype lib to 2.13.0.
Updated the Harfbuzz lib to 7.1.0.
Updated our DNS lookup calls to use inet_ntop() instead of the deprecated inet_ntoa().
Updated the Fetch API to use the global's base URL instead of the entry document's base URL for spec compliance.
We no longer support the outmoded fontconfig on GTK systems.
We no longer parse or return the body of known-empty responses from servers (content-length of 0, or in case of HEAD or CONNECT methods).
Implemented scaled font caching on GTK, improving performance.
Fixed a build issue when building for Linux on ARM64 on later distros.
Split out more parts of the browser into separate .dll files on Windows to reduce compiler strain and an oversized xul.dll
Removed mozilla::AlignedStorage (code cleanup).
Builds for FreeBSD now use xz for packaging instead of bzip2.
Merged the preference dom.getRootNode.enabled into the dom.webcomponents.enabled pref. See implementation notes.
Fixed a potential DoS issue with JPEG decoding.
Fixed a potential issue in Windows widget code that could lead to crashes.
Disabled potentially hazardous external protocols on Windows.
Added known-problematic .dlls to the internal blocklist.
Security issues addressed: CVE-2023-32209, CVE-2023-32214 and several others that do not have a CVE designation.
UXP Mozilla security patch summary: 4 fixed, 1 rejected, 27 not applicable.
Implementation notes:
JavaScript modules have various methods of being loaded into web page content. One of the later introduced methods is a function-style import() declaration, so-called "dynamic module imports" that has been used by various web frameworks, causing issues for Basilisk resulting in blank pages in most cases (since the websites would not actually use document structure HTML, but rather JavaScript to create content, all from imported modules). This has been a major web compatibility issue lately and we're pleased to announce that this complex bit of machinery has been implemented.
JavaScript's language specification is continuing to be watered down from a prototyping language towards a more "C-like" hybrid. As part of that effort, JavaScript classes were introduced in ECMAScript 6, and now further expanded in ES2022 with class fields and private class fields/methods, as well as statics. We should have a complete implementation of this now, which constitutes the more important parts of the ES2022 language update.
The use of the outdated Microsoft Internet Explorer global window.event has been a pervasive web compatibility issue for us, especially since it was officially deprecated and we never implemented this ambiguous and unreliable property that is highly-context sensitive. Websites should use the event as passed into the event handler to get the event source instead. However, since neither Chrome nor Firefox have dropped this and seem to be playing a game of "chicken", it remains in use on the web. To deal with this conflict, we have now implemented the equivalent behind a preference to enable users to (temporarily) use the global window.event while webmasters update their websites. We hope the Google camp will finally drop this one soon so we can be done with this legacy quirk. will finally drop this one soon so we can be done with this legacy quirk.
The DOM Performance API was updated to the User Timing level 3 spec. It should be critically noted that the DOM Performance API was never designed to be used as a matter of course on published content, and was designed only for page performance analysis use by web designers. Of course, as part of making dev tools available to the web, a lot of abuse ensued because of the accurate navigation and timing measurements that this API can provide (looking at you, Google!). Because of tight integration with web content analysis, the older spec implementation we had was causing issues and actually breaking some services, so we updated it, but with a few important key differences:
In Basilisk, we keep navigation timing disabled because it's a notable privacy issue for the data it can gather (exact navigational events and timings). If you're a web dev and need these timing measurements, you can enable them with dom.enable_performance_navigation_timing.
Our implementation, contrary to the spec, does not allow unlimited recording of performance events (effectively logging every page event!) which can also rapidly eat up memory. Instead we enforce a sane default quota that should be roomy enough for all legitimate use, but prevents runaway resource use or extensive logging of user actions.
If the set quota is reached, a warning will be printed in the console and the recorded performance events will be thrown away. If you (foolishly) rely on Performance API events for your web application to function, be aware this may cause compatibility issues as the API was, again, not designed to be used in such a fashion. For event handling, there are much better alternatives available which do not involve extensive recording of user data or relying on a developer tool API.
We've historically implemented the DOM getRootNode function as it was being used in the wild as a standalone function, however its main intent has always been to be a helper function part of Shadow DOM/WebComponents. As such we have now merged the preference into the WebComponents preference, enabling and disabling it along with the rest of our WebComponents implementation.

New in Basilisk 2023.05.01 (May 1, 2023)

New in Basilisk 2023.04.04 (Apr 6, 2023)

Shadow DOM and CustomElements, collectively making up WebComponents, have been enabled by default which should bring much broader web compatibility to the browser for many a site that uses web 2.0+ frameworks. See implementation notes.
Tab titles in the browser now fade if they are too long instead of using ellipses, to provide a little more readable space to page titles. Note that this may require some updates to tab extensions or themes.
A number of site-specific overrides have been updated or removed because they are no longer necessary or current with the platform developments in terms of web compatibility. We could use your help evaluating the ones that are still there; see the issue on the Pale Moon repo.
Updated our promises and async function implementation to the current spec.
Implemented Promise.any()
Fixed several crashes related to regular expression code.
Improved regular expression object handling so it can be properly garbage collected.
Fixed some VP8 video playback.
Fixed an issue where the caret (text cursor) would sometimes not be properly visible.
Updated the embedded emoji font.
Implemented the :is() and :where() CSS pseudo-classes.
Implemented complex selectors for the :not() CSS pseudo-class.
Implemented the inset CSS shorthand property.
Implemented the env() environment variable CSS function. See implementation notes.
Implemented handling for RGB encoded video playback (instead of just YUV).
Implemented handling for full-range videos (0-255 luminance levels) giving better video playback quality.
Removed the WebP image decoder pref. See implementation notes.
Enabled the Web text-to-speech API by default (only supported on some operating systems).
Updated NSPR to 4.35 and NSS to 3.79.4
Cleaned up unused "tracking protection" plumbing. See implementation notes.
Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
Fixed several intermittent and difficult-to-trace crashes.
Improved content type security of jar: channels. DiD
Improved JavaScript JIT code generation safety. DiD
Fixed potential crash scenarios in the graphics subsystem. DiD
Improved filename safety when saving files to prevent potential environment leaks.
Introduced Basilisk beta builds for FreeBSD, aarch64 Linux, ARM macOS, and Intel macOS. (thanks dbsoft!)
Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several others that do not have a CVE.
UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.

New in Basilisk 2023.03.07 (Mar 8, 2023)

New in Basilisk 2023.03.04 (Mar 5, 2023)

New in Basilisk 2023.01.26 (Jan 26, 2023)

New in Basilisk 2023.01.07 (Jan 8, 2023)

New in Basilisk 2022.11.04 (Nov 6, 2022)

New in Basilisk 2022.09.28 (Sep 29, 2022)

Implemented .at(index) JavaScript method on built-in indexables (Array, String, TypedArray).
Implemented the use of EventSource in workers.
Enabled the sending of the Origin: header by default on same-origin requests.
Changed how Basilisk is built. We have made build system changes to reduce build times and pressure on the linker on all platforms. Note that Basilisk is not yet built with Visual Studio 2022. This change will be done in the next release.
Changed how Basilisk handles standalone wave audio files (.wav). See implementation notes.
Improved string normalization.
Updated the handling of CSS "supports" to now accept unparenthesized strings (spec update).
Updated the handling of flex containers in web pages for web compatibility.
Fixed various issues when building for Mac OS X.
Fixed various C++ standard conformance issues in the source code.
Fixed several issues building on SunOS and Linux with various configurations and gcc versions.
Fixed an issue with regular expressions' dotAll syntax and usage. See implementation notes.
Switched custom hash map to std::unordered_map where prudent.
Cleaned up and updated IPC thread locking code.
Removed spacing for accessibility focus rings in form controls to align styling of them with expected metrics.
Removed the unnecessary control module for building with non-standard configurations of the platform.
Removed the -moz prefix from min-content and max-content CSS keywords where it was still in use.
Updated the search engines included with Basilisk. Basilisk now includes the same search engines as Pale Moon.
Fix issue where PDF.js was completely broken in the previous release.
Fixed an important stability and performance issue related to hardware acceleration.
Implemented Global Privacy Control in the Basilisk settings.
Fix issue where the 32-bit Windows installer would not execute on 32-bit Windows systems.
Remove Mozilla related default bookmarks. Update default bookmarks.
Update compatmode override for Firefox to 102.0.
Update user agent overrides to improve compatibility with Facebook.
Security fixes: CVE-2022-40956 and CVE-2022-40958.
UXP Mozilla security patch summary: 2 fixed, 11 not applicable.

New in Basilisk 2022.08.06 (Aug 7, 2022)

Fixed several application crash scenarios. DiD
Fixed a number of thread locking/mutex issues. DiD
Fixed a leak of content types due to inconsistent error reporting. (CVE-2022-22760)
Fixed an issue with iframe sandboxing not being properly applied. (CVE-2022-22759)
Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet.
Fixed an issue with drag-and-drop. (CVE-2022-22756)
Fixed a potential crash due to truncated WAV files.
Fixed a memory safety issue with XSLT. (CVE-2022-26485)
Fixed a potential crash issue on bing.com.
Fixed some thread locking issues. DiD
Worked around a Mesa driver bug that could cause crashes.
Fixed a potential resource access issue in devtools. DiD
Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD).
Implemented Global Privacy Control, taking the place of the unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that you do not want them to share or sell your data.
Implemented "optional chaining" (thanks, FranklinDM!).
Implemented setBaseAndExtent for text selections.
Implemented queueMicroTask() "pseudo-promise" callbacks.
Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect.
Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility.
Improved performance of parallel web workers in JavaScript.
Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
Updated various in-tree libraries.
Added support for extended VPx codec strings in media delivery via MSE (RFC-6381).
Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites.
Fixed several crashes and stability issues.
Removed all Google SafeBrowsing/URLClassifier service code.
Restored Mac OS X code and buildability in the platform.
Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation.
Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems.
Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users.
Removed more Android/Fennec code (on-going effort to clean up our code).
Removed the Marionette automated testing framework.
Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number.
Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility.
Fixed various crash scenarios in XPCOM.
Fixed an important stability and performance issue related to hardware acceleration.
Fixed a long-standing issue where dynamic datalist updates for <select> and similar elements wouldn't properly update the option list.
Disabled broken links to MDN articles in developer tools.
Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
Enabled the date picker for <input type=date>. See implementation notes.
Re-enabled the use of FIPS mode for NSS. See implementation notes.
Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios.
Improved memory handling in the graphics subsystem of Goanna.
Updated FFvpx to v4.2.7
Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites.
Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows.
Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes.
Improved the way data is transferred to and from canvases to prevent memory safety issues.
Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP).
Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number.
Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows.
Fixed a potential issue with revoked site certificates when connecting through a proxy.
Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo.
Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number.
Implemented CSS white-space: break-spaces for web compatibility.
Implemented Intl.RelativeTimeFormat for web compatibility.
Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
Implemented support for async generator methods in JavaScript.
Added preliminary support for building on Apple Silicon like M1/M2 SoC.
Added support for building with Visual Studio 2022.
Improved the handling of CSS "sticky" elements in tables.
Improved stack size limits on all platforms. See implementation notes.
Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
Updated many in-tree third-party libraries to pick up various performance and stability improvements.
Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe.
Removed some leftover (and unused) telemetry code in the platform and front-end.
Fixed an issue with VP9 video playback on Windows on some systems.
Fixed an issue with the add-ons manager not properly handling empty update URLs.
Fixed a major performance regression on *nix based systems due to incorrect thread handling.
Fixed volume handling when building with the sndio audio back-end.
Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler.
Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes.
Basilisk profile directory changed to reflect vendor change in application.
Restore ability to build Basilisk on Mac OS X.
Removal of telemetry code from Basilisk.
UXP Mozilla security patch summary: 11 fixed, 14 Did, 4 rejected, 91 not applicable

New in Basilisk 2022.01.27 (Jan 27, 2022)

New in Basilisk 2021.12.13 (Dec 14, 2021)

New in Basilisk 2021.11.14 (Nov 14, 2021)

New in Basilisk 2021.11.13 (Nov 13, 2021)

New in Basilisk 2021.09.27 (Sep 27, 2021)

New in Basilisk 2021.07.19 (Jul 20, 2021)

New in Basilisk 2021.04.27 (Apr 28, 2021)

New in Basilisk 2021.03.17 (Mar 18, 2021)

New in Basilisk 2021.03.11 (Mar 12, 2021)

New in Basilisk 2021.02.06 (Feb 8, 2021)

New in Basilisk 2021.01.05 (Jan 5, 2021)

New in Basilisk 2020.11.25 (Nov 26, 2020)

New in Basilisk 2020.09.11 (Sep 12, 2020)

New in Basilisk 2020.06.10 (Jun 11, 2020)

New in Basilisk 2020.05.08 (May 8, 2020)

New in Basilisk 2020.04.17 (Apr 18, 2020)

New in Basilisk 2020.04.15 (Apr 15, 2020)

New in Basilisk 2020.03.11 (Mar 12, 2020)

New in Basilisk 2020.03.04 (Mar 5, 2020)

This is a major development update:
New modular setup for building: Basilisk has been split off from the UXP platform repository and will be maintained as its own application with UXP as a platform module.
Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
Aligned document.open() with the overhauled specification.
Implemented promise-based media playback.
Enabled seeking to next frame in media files.
Improved table drawing performance again after the rewrite for sticky positioning making it slow.
Aligned the way DOM styles are computed with mainstream browser behavior.
Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
Implemented an NSS performance optimization for Master Password use with limited effect.
Implemented non-standard legacy CSSStyleSheet rules functions.
Implemented the html5 <dialog> element. To switch this on, flip dom.dialog_element.enabled to true.
Implemented CustomElements v1. (preffed, not functional yet due to reliance on shadowDOM).
Implemented rule processing stub for font-variation-settings.
Implemented optional catch binding (ES2019).
Changed the way hardware acceleration is controlled from applications.
Updated CSP processing to allow custom scheme wildcards to be specified without a port.
Removed the (unused) DOM promise implementation.
Disabled some logging in production builds.
Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
Completely removed showModalDialog.
Performed various tree-wide code cleanups.
Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text.
Removed a bunch of Android support code.
Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
Fixed several crashes.
Fixed a parsing issue with <template> tags.
Fixed an issue with form elements sometimes being incorrectly disabled.
Fixed some potential crashing scenarios with WebGL on Linux.
Fixed a potential pointer issue issue in cubeb. (DiD)
Fixed a crash due to ES6 modules (CVE-2020-9545).

New in Basilisk 2020.02.18 (Feb 18, 2020)

New in Basilisk 2020.02.06 (Feb 7, 2020)

New in Basilisk 2020.01.12 (Jan 12, 2020)

New in Basilisk 2019.10.31 (Oct 31, 2019)

New in Basilisk 2019.09.12 (Sep 13, 2019)

New in Basilisk 2019.09.03 (Sep 3, 2019)

New in Basilisk 2019.06.08 (Jun 9, 2019)

New in Basilisk 2019.03.27 (Mar 27, 2019)

New in Basilisk 2019.03.08 (Mar 9, 2019)

New in Basilisk 2019.02.11 (Feb 11, 2019)

New in Basilisk 2018.12.18 (Dec 19, 2018)

New in Basilisk 2018.11.07 (Nov 7, 2018)

New in Basilisk 2018.11.04 (Nov 5, 2018)

New in Basilisk 2018.09.27 (Sep 28, 2018)

New in Basilisk 2018.09.05 (Sep 5, 2018)

New in Basilisk 2018.06.01 (Jun 1, 2018)

New in Basilisk 2018.05.15 (May 15, 2018)

New in Basilisk 2018.04.26 (Apr 26, 2018)

New in Basilisk 2018.04.24 (Apr 24, 2018)

New in Basilisk 2018.03.21 (Mar 22, 2018)

New in Basilisk 2018.02.14 Beta (Feb 15, 2018)

New in Basilisk 2018.02.02 Beta (Feb 2, 2018)

New in Basilisk 2018.01.05 Beta (Jan 5, 2018)

New in Basilisk 2017.12.28 Beta (Dec 29, 2017)

New in Basilisk 2017.12.01 Beta (Dec 1, 2017)