White Star Release Notes
White Star 32.1.0
This is another major update with important compatibility improvements for the web. Most notably, our implementation of Google WebComponents is now at a state where we enabled them by default. Please visit the Pale Moon Release Notes for the details.
White Star 32.0.1
This is a bugfix and security update.
Changes/fixes:
- Fixed a crash in the new regular expression code.
- Added {Extended_Pictographic} unicode property escape to regular expressions.
- Fixed a regression in regular expressions for literal parsing of invalid ranges.
- Updated NSS to pick up fixes.
- Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and CVE-2023-0767.
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not applicable.
White Star 32.0.0
This is a new milestone release. Primary focus for this milestone is web compatibility, in particular Regular Expression extensions, standards compliance issues and further JPEG-XL support. This milestone now offers full coverage of the ECMAScript 2016-2020 JavaScript specifications, with the exception of BigInt primitives.
Changes/fixes:
- Implemented Regular Expression named capture groups.
- Implemented Regular Expression unicode property escapes.
- Re-implemented Regular Expression lookaround/lookbehind (without crashing this time ;) ).
- Implemented progressive decoding for JPEG-XL.
- Implemented animation for JPEG-XL.
- Renamed CSS offset-* properties to inset-* to align with the latest spec and the web.
- Fixed CSS inheritance and padding issues in some cases.
- Aligned parsing of incorrectly duplicated HSTS headers with expected behavior (discard all but the first one).
- Implemented a method to avoid memory exhaustion in case of (very) large resolution animated images.
- Updated the JPEG-XL and Highway libraries to a recent, stable version.
- Cleaned up some unused CSS prefixing code.
- Improved the ability to link on *nix operating systems with other linkers than gcc's default.
- Stability improvements (potential crash fixes).
- Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.
White Star 31.4.2
This is a bugfix and security update.
Changes/fixes:
- Fixed JPEG-XL's transparency display for images with an alpha channel.
- Temporarily removed regex lookbehind to stop crashes occurring on 32-bit builds of the browser.
- Added some extra sanity checks to our zip/jar/xpi reader to avoid issues with corrupt archives.
- Aligned cookie checks with RFC 6265 bis. See implementation notes.
- Removed obsolete code in Windows widgets that could cause potential issues with long paths and file names on supported versions.
- Fixed several crashes.
- Security issues addressed: CVE-2022-46876, CVE-2022-46874 and several others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 20 not applicable.
White Star 31.4.1
This is a bugfix release.
Changes/fixes:
- Fixed wrong color of decoded JPEG-XL images.
- Fixed an issue with plugins not receiving keypress events properly.
White Star 31.4.0
This is a major development update, adding JPEG-XL image support among other things.
Changes/fixes:
- Added support for the JPEG-XL image format.
- Implemented regular expressions lookaround/lookbehind.
- Aligned CORS header parsing with the updated spec. See implementation notes.
- We no longer fire keypress events for non-printable keys. See implementation notes.
- Added support for MacOS 13 "Ventura" in the platform.
- Fixed potentially problematic thread locking code on *nix platforms.
- Fixed some small issues in the display and operation of the Web Developer tools.
- Removed unused but performance-impacting panning and tab animation measuring code. (telemetry leftovers)
- Improved code for SunOS builds.
- Updated Internationalization data for time zones.
- Fixed a buffer overflow for Mac builds.
- Security issues addressed: CVE-2022-45411 and potential issues without a CVE number.
- UXP Mozilla security patch summary: 2 fixed, 1 DiD, 1 deferred, 25 not applicable.
- CORS support has been updated to the current spec. Most importantly, Pale Moon now accepts wildcard entries ("*") for the CORS statements Access-Control-Expose-Headers, Access-Control-Allow-Headers and Access-Control-Allow-Methods. Note that wildcards are ignored (according to the spec) when credentials are passed.
- Pale Moon will no longer fire the keypress events in content when the key pressed is a non-printable key. This is in response to issues where webmasters would use rudimentary and naïve input-restricting scripts in onkeypress handlers that would not take into account editing keys or navigation keys, causing issues for users trying to enter data into forms (and e.g. finding they could no longer use backspace, cursor keys or tab). This aligns our behavior with other browsers for web compatibility, although it should be considered a website error expecting not all keypresses to be intercepted in keypress events.
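The wildcard rule from the CORS implementation note above, as an added example that is not Pale Moon or White Star code: a small JavaScript model of how a client evaluates the three list headers with and without credentials. The function names and sample responses are constructed for illustration, and the example goes slightly beyond the note by including the Fetch standard's requirement that Authorization be listed by name.

```javascript
// Added example (not browser code): evaluating CORS list headers with "*".
// Function names are hypothetical; the sample responses are constructed.

// Split a comma-separated header value into trimmed, non-empty tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim()).filter(Boolean);
}

// True when `wanted` is covered by the list. "*" acts as a wildcard only
// for requests without credentials; with credentials it is just the
// literal token "*" and therefore grants nothing.
function covered(value, wanted, withCredentials, ignoreCase) {
  const norm = (s) => (ignoreCase ? s.toLowerCase() : s);
  const list = tokens(value);
  if (list.some((t) => norm(t) === norm(wanted))) return true;
  return !withCredentials && list.includes("*");
}

// Preflight check. `request.headers` holds only the non-safelisted
// request header names (assumption made to keep the example short).
function preflightPasses(response, request) {
  const { method, headers, withCredentials } = request;
  // GET, HEAD and POST are CORS-safelisted methods and need no listing.
  const methodOk =
    ["GET", "HEAD", "POST"].includes(method) ||
    covered(response["access-control-allow-methods"], method, withCredentials, false);
  const headersOk = headers.every((name) => {
    const allow = response["access-control-allow-headers"];
    // Fetch standard: Authorization must be listed by name; "*" never covers it.
    if (name.toLowerCase() === "authorization") {
      return tokens(allow).some((t) => t.toLowerCase() === "authorization");
    }
    return covered(allow, name, withCredentials, true);
  });
  return methodOk && headersOk;
}

// Can script read response header `name`? (Headers that are always
// readable regardless of this list are not modelled here.)
function isExposed(response, name, withCredentials) {
  return covered(response["access-control-expose-headers"], name, withCredentials, true);
}

// Constructed sample: a server answering every preflight with wildcards.
const wildcardResponse = {
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "*",
  "access-control-expose-headers": "*",
};
// Constructed sample: the explicit lists a credentialed API has to send.
const explicitResponse = {
  "access-control-allow-methods": "PUT, DELETE",
  "access-control-allow-headers": "X-Api-Key, Authorization",
  "access-control-expose-headers": "X-Request-Id",
};

const anon = { method: "PUT", headers: ["X-Api-Key"], withCredentials: false };
const withCookies = { ...anon, withCredentials: true };
console.log("wildcards, no credentials:", preflightPasses(wildcardResponse, anon));
console.log("wildcards, credentials:", preflightPasses(wildcardResponse, withCookies));
console.log("explicit lists, credentials:", preflightPasses(explicitResponse, withCookies));
```

A server that relies on "*" therefore stops working as soon as its clients send cookies or HTTP authentication, which is the cue to publish explicit lists rather than to loosen anything else.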
White Star 31.3.1
This is a security and compatibility update.
Changes/fixes:
- Added detection support for the newly-released MacOS 13 (Ventura).
- Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674) DiD
- Fixed potentially undefined behavior in our thread locking code. DiD
- Fixed a potentially exploitable crash in the refresh driver.
- Fixed potentially undefined behavior when base-64 decoding. DiD
- Implemented a texture size cap for WebGL to prevent potential issues with some graphics drivers. DiD
- Updated site-specific overrides to address issues with ZoHo.
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable.
White Star 31.3.0.1
This is a small update to back out the changes to handling of flex containers in 31.3.0 since it caused severe usability issues on several websites.
White Star 31.3.0
This is a major development, bugfix and security release.
Changes/fixes:
- Implemented .at(index) JavaScript method on built-in indexables (Array, String, TypedArray).
- Implemented the use of EventSource in workers.
- Enabled the sending of the Origin: header by default on same-origin requests.
- Changed how Pale Moon is built. We are now using Visual Studio 2022 on Windows, and have made build system changes to reduce build times and pressure on the linker on all platforms.
- Changed how Pale Moon handles standalone wave audio files (.wav). See implementation notes.
- Improved string normalization.
- Updated the handling of CSS "supports" to now accept unparenthesized strings (spec update).
- Updated the handling of flex containers in web pages for web compatibility.
- Fixed various issues when building for Mac OS X.
- Fixed various C++ standard conformance issues in the source code.
- Fixed several issues building on SunOS and Linux with various configurations and gcc versions.
- Fixed an issue with regular expressions' dotAll syntax and usage. See implementation notes.
- Switched custom hash map to std::unordered_map where prudent.
- Cleaned up and updated IPC thread locking code.
- Removed spacing for accessibility focus rings in form controls to align styling of them with expected metrics.
- Removed the unnecessary control module for building with non-standard configurations of the platform.
- Removed the -moz prefix from min-content and max-content CSS keywords where it was still in use.
- Security fixes: CVE-2022-40956 and CVE-2022-40958.
- UXP Mozilla security patch summary: 2 fixed, 11 not applicable.
- Pale Moon would previously send wave audio files (.wav) to the system-configured media player if they would be opened standalone (i.e. not inside a <media> HTML element in a page). This was done due to the historical use of rather exotic codecs in .wav files that would not be broadly supported in the browser. In the current day, however, this is much less of a concern. If you prefer to retain the old behavior and send .wav files to whatever the configured system media player is, then you should set the preference media.wave.play-stand-alone to false in about:config.
- There was a spec compliance issue with the dotAll regular expression implementation, causing it to not work properly. Specifically, using the new RegExp() constructor would not accept "s" as a flag, and the .dotAll property was not cased properly (all lowercase) causing compatibility issues.
White Star 31.2.0
This is a major bugfix and development update. Some of these updates were actually in the 31.1.1 White Star release, due to my use of the master branch instead of release, to support Apple Silicon.
Changes/fixes:
- Implemented CSS white-space: break-spaces for web compatibility.
- Implemented Intl.RelativeTimeFormat for web compatibility.
- Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites.
- Implemented support for async generator methods in JavaScript.
- Added preliminary support for building on Apple Silicon like M1/M2 SoC.
- Added support for building with Visual Studio 2022.
- Improved the handling of CSS "sticky" elements in tables.
- Improved stack size limits on all platforms. See implementation notes.
- Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility.
- Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported.
- Updated many in-tree third-party libraries to pick up various performance and stability improvements.
- Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe.
- Removed some leftover (and unused) telemetry code in the platform and front-end.
- Fixed an issue with VP9 video playback on Windows on some systems.
- Fixed an issue with the add-ons manager not properly handling empty update URLs.
- Fixed a major performance regression on *nix based systems due to incorrect thread handling.
- Fixed volume handling when building with the sndio audio back-end.
- White Star no longer applies content security policies to documents that are explicitly loaded as data documents or to images. See implementation notes.
- Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler.
- Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes.
- UXP Mozilla security patch summary: 3 DiD, 12 not applicable.
- Prior to this version, White Star would apply Content Security Policies (CSPs) to all requests made to servers that would respond with a policy header, as one would expect for strict use of CSPs as-intended. Unfortunately, Chrome has been less strict in applying these policies and specifically excluded applying these policies to images and "data documents". As a result, web compatibility became a problem for non-Google browsers with webmasters being oblivious about their overzealous CSPs deployed on websites, causing images (especially SVG) and data to not load or load properly. To align with mainstream browser behavior and improve web compatibility on misconfigured websites, we are now no longer applying CSPs to images or documents explicitly loaded as arbitrary data.
- We've adjusted default per-thread stack sizes in the platform to be more generous on all platforms. This allows the browser to render more deeply nested visual elements in web pages and the new limit matches the capabilities of mainstream browsers as a result. Please note that some custom builds may need to adjust their linker's stack sizes on some operating systems to come to a stable and usable build with this change since the new Goanna rendering depth requires this larger stack size to not run out of memory. The default per-thread stack size is now 2 MB with the exception of 32-bit Windows builds where 1.5 MB is used to go easy on its limited address space. Custom Linux builds with system-default small stack sizes should adjust their build configuration accordingly.
White Star 31.1.1
This is a security update.
Changes/fixes:
- Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows.
- Fixed a potential issue with revoked site certificates when connecting through a proxy.
- Updated NSS to 3.52.7 to pick up some security fixes.
- Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo.
- Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11 not applicable.
White Star 31.1.0
This is a new milestone release.
This is a major development update, focusing on media support, browser stability, performance and web compatibility.
Changes/fixes:
- Added Mojeek as an additional search engine in the browser. See implementation notes.
- Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility.
- Fixed various crash scenarios in XPCOM.
- Fixed an important stability and performance issue related to hardware acceleration.
- Fixed a long-standing issue where overly-long address bar tooltips wouldn't break into multiple lines but instead cut off on the right side.
- Fixed a long-standing issue where dynamic datalist updates for <select> and similar elements wouldn't properly update the option list.
- Disabled broken links to MDN articles in developer tools.
- Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!)
- Enabled the date picker for <input type=date>. See implementation notes.
- Re-enabled the use of FIPS mode for NSS. See implementation notes.
- Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios.
- Improved memory handling in the graphics subsystem of Goanna.
- Updated FFvpx to v4.2.7
- Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites.
- Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows.
- Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes.
- Improved the way data is transferred to and from canvases to prevent memory safety issues.
- Updated NSS to 3.52.6 to address security issues.
- Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP).
- Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number.
- UXP Mozilla security patch summary: 2 fixed, 1 DiD, 26 not applicable.
- Added support for building with newer MacOS SDKs.
- Updated Info.plist version to 10.7 and Force Light Mode.
- Following the concerns surrounding bias, censorship and unwanted filtering of search results by almost all available search engines, we've contacted Mojeek to have their search engine added by default to Pale Moon. This was done to offer a truly independent search alternative that has its own (long-standing) search index of the Web and does not rely on the major indexers like Bing, Google or Yahoo, who all apply bias and filtering to varying degrees on their search results (e.g. about politics or the war in the Ukraine). Since privacy-focused search engines like DuckDuckGo do rely on search results from these "big indexers", whatever their "upstream" decides to be filtered out will also affect your results through those search engines. Mojeek offers its own, entirely independent search results which may provide you with truly independent alternative results. Give it a try!
- Form input fields of type "date" will now pop up a graphical calendar to pick dates instead of having to manually enter the dates. Please note that the default format will match the base language of the browser (American English) which will be reflected in the mm/dd/yyyy placeholder. This is cosmetic only and does not actually influence how the date is passed to the server via the form. More work is needed for better localization of date and time input fields but that did not make this release.
- FIPS mode is a special (rather archaic) operating mode of the NSS security library and software security device that handles certificates and credentials in the browser. In v31.0.0 this operating mode was no longer supported, which resulted in some users who had previously enabled FIPS mode in the browser being unable to access their credentials (giving errors on the master password, instead). For the time being, support for this mode is enabled again but if you use it, please disable this mode as it will go away. Standard operating mode with a master password is more secure than FIPS mode at this point, and FIPS was only ever necessary for US governmental use and "grandfathered in" without getting much attention. This will go away permanently over time so please pre-empt this removal by disabling FIPS mode if you had enabled it (its control can be found in Preferences -> Advanced -> Certificates tab -> Button "Security devices" -- yes, it's buried pretty deep ;-) ).
- Windows binaries are now being built and linked against a newer Windows SDK (10.0.22000.0) to align with system support for Windows 11. It is unlikely that this will negatively affect any users at this point in time.
- While we don't support multi-process browsing or "electrolysis", extensions may still be checking what Firefox used as an indicator to know if electrolysis was enabled in it, which in some cases would require the extension to adjust its behavior. To provide better compatibility with legacy extensions that might otherwise error out when the gMultiProcessBrowser property was completely undefined, we restored this property (hard-coded to "false" since we don't support multi-process).
White Star 31.0.0
This is a new milestone release.
Changes/fixes:
- We're once again accepting the installation of legacy Firefox extensions alongside our own Pale Moon exclusive extensions. As always, please note that using extensions for an old version of a different browser is entirely at your own risk and we obviously cannot and will not provide much (if any) support for their use. Firefox extensions will be indicated with an orange dot in the Add-ons Manager in the browser.
- Implemented "optional chaining" (thanks, FranklinDM!).
- Implemented setBaseAndExtent for text selections.
- Implemented queueMicroTask() "pseudo-promise" callbacks.
- Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect.
- Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility.
- Improved performance of parallel web workers in JavaScript.
- Improved display of cursive scripts (on Windows). Good-bye Comic Sans!
- Updated various in-tree libraries.
- Added support for extended VPx codec strings in media delivery via MSE (RFC-6381).
- Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites.
- Fixed several crashes and stability issues.
- Added a licensing screen to the Windows installer to clarify the browser's licensing. In other installations, you may find this licensing statement in the added license.txt file in the browser installation location.
- Removed all Google SafeBrowsing/URLClassifier service code.
- Restored Mac OS X code and buildability in the platform.
- Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation.
- Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems.
- Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users.
- Removed more Android/Fennec code (on-going effort to clean up our code).
- Removed the Marionette automated testing framework.
- Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 1 DiD, 19 not applicable.