  • Pale Moon 29.4.0

    mattatobin 3 months ago

    This is a development, bugfix and security release. Our release schedule was adjusted here to provide web compatibility improvements and not just a security update this month.


    • Implemented Promise.allSettled().
    • Implemented global origin on windows and workers.
    • Improved performance of memory allocations.
    • Updated libcubeb to the current development version.
      • This improves OSS compatibility and addresses potential crashes, performance issues and security issues.
    • Updated SQLite to 3.36.0.
    • Improved thread safety of the web content cache (DiD).
    • Added several fixes to avoid potential crashes and security issues (DiD).
    • Unified XUL Platform Mozilla Security Patch Summary: 5 DiD, 12 not applicable.

    Built with the Unified XUL Platform - August 17, 2021 release.

  • Pale Moon 29.3.0

    mattatobin 4 months ago

    This is a development, bugfix and security release.


    • “Web Developer” is now called “Developer Tools” in the menus.
    • Updated and aligned about:home, the QuickDial page and logopage styling.
    • Re-organized the privacy category in the preferences window.
    • Enabled brotli compression for http for sites that support it. See implementation notes.
    • Implemented EventTarget as a constructor.
    • Updated Windows 10 toolkit styling.
    • Updated the port blacklist (removed 10080). See implementation notes.
    • CSS: Implemented calc() and animation support for stroke-dashoffset.
    • Added support for checking boolean preferences to chrome CSS style sheets, to support more advanced theming options.
    • Added support for dynamic dark color capable themes in CSS.
    • Updated ResizeObserver implementation to a more recent specification. See implementation notes.
    • Removed a metric ton of Macintosh code.
    • Removed obsolete system theme support from the layout engine.
    • Fixed several crashes.
    • Linux: blocked particularly old versions of Mesa/Nouveau drivers due to issues.
    • Security issues addressed: CVE-2021-30547 and several other issues that don’t have a CVE number.
    • Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD, 2 deferred (DiD), 12 not applicable.

    Implementation notes:

    • Brotli compression (introduced a few years back) was originally restricted to https only in web browsers because of concern about poorly designed middleware boxes that try to transparently recompress data, do not recognize the new compression stream type, and cause failures. The kind of processing done in those boxes (SDCH) has long since been deprecated. Since then, the segregation for Brotli between http and https has been maintained by Chrome and Firefox as a vessel to further promote https over http by artificially keeping http less efficient (denying the use of the more dense Brotli compression). Since there is no technical reason not to enable Brotli over http, we will accept (by way of Accept-Encoding) Brotli over plain http from this version on, offering up to 20% less bandwidth use when servers also support it.
    • We maintain a blacklist of ports that should not be addressed from a browser (primarily to prevent scripted abuse). Not too long ago we updated these ports with a number of additional (higher range) ones, including port 10080 (Amanda). Unfortunately there is too much overlap with other common services/devices that also use this (arbitrarily chosen) port, so we’ve removed this particular port again from our blacklist.
    • The ResizeObserver implementation was changed to support the updated specification for this API, including the experimental properties contentBoxSize and borderBoxSize, which allow finer control when responding to size changes of elements. The old spec sizing property of contentRect remains supported for web compatibility.

    Built with the Unified XUL Platform - July 19, 2021 release.

  • Pale Moon 29.2.1

    Moonchild 5 months ago

    This is a small bugfix release.


    • Worked around an issue with autocomplete popups sometimes failing to work (and added some debug console logging to it in case it happens, to help find the root cause).
    • Fixed an issue with DOM mouse scrolling throwing errors.
    • Fixed a race with network detection routines firing incorrectly when resuming from standby.
    • Fixed a crash when using large uploads through DOM.
    • Fixed an issue where the menulist-button on editable menulist widgets was not visible on GTK3.
    • Reduced the number of reported “important preferences” in troubleshooting information, excluding individual printer details.
    • Fixed an issue with the JS JIT compiler not tracing debugger environments (DiD).

    There were no security issues that applied to UXP or Pale Moon this release cycle.

    Built with the Unified XUL Platform - June 8, 2021 release.

  • Pale Moon 29.2.0

    Moonchild 7 months ago

    This is a development and bugfix release.

    Starting with this version, we will no longer be supporting unmaintained legacy Firefox extensions that are not updated for/targeting Pale Moon directly.
    Please see this forum post for details.


    • When opening tabs from the History side bar, Pale Moon will now warn you about the action if it would result in opening many tabs at once.
    • Pale Moon now offers “Open All in Tabs” on bookmark folders even if there is only one sub-item in it, for UI consistency.
    • Added media format controls in the Content category of Preferences.
    • Added controls for preferred color scheme. See implementation notes.
    • Updated several site-specific user-agent overrides for web compatibility.
    • Removed the ability to accept Firefox IDs for extension installation.
    • Removed conditional Macintosh code from the application front-end.
    • Updated the AV1 reference library to 2.0.
    • Cleaned up more Android code from the platform.
    • Updated the embedded emoji font to cater to even more race-dependent profession emoji.
    • Fixed an overflow in clip paths, potentially causing them to be rendered incorrectly.
    • Added CSS values smooth, high-quality and pixelated to the image-rendering keyword.
    • Implemented Intl.NumberFormat.formatToParts() to allow deconstruction of localized number formats by scripts.
    • Reinstated the dom.details_element.enabled preference and fixed a rendering issue with summary/details html elements.
    • Fixed an issue with CSP .nonce attributes on elements.
    • Security issues addressed: CVE-2021-29946 DiD and CVE-2021-23994 DiD.
    • Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 14 not applicable.

    Implementation notes:

    • This version adds support for the prefers-color-scheme CSS keyword. This keyword is a media query keyword that indicates to websites whether your content styling preference is “light” or “dark”. Unlike other browsers where this will be tied to your system color scheme and determined automatically (which might be a point on which you can be fingerprinted, so this would be a privacy concern), we’ve decided to give the user control through Preferences -> Content -> Colors where you will find a new control to indicate your user preference (it defaults to “light” for everyone). While this control also gives you the option to disable this feature and effectively not support the keyword, be aware that this might cause issues on some websites that do not provide styling for “unspecified” color scheme preferences.
      In the future we may add an “automatic” option similar to other browsers in case you regularly switch your system application style from light to dark and v.v.

    Built with the Unified XUL Platform - April 27, 2021 release.

  • Pale Moon 29.1.1

    Moonchild 8 months ago

    This is a minor security and bugfix update.


    • Updated NSS to fix certificate import and keygen regressions.
    • Removed restrictions for units of width/height attributes on SVG elements.
    • Enabled scrollbar-width CSS keyword by default.
    • Security issues addressed: CVE-2021-23981 and a DiD fix for potential document parser confusion.
    • Unified XUL Platform Mozilla Security Patch Summary: 2 DiD, 9 not applicable.

    Built with the Unified XUL Platform - March 30, 2021 release.

  • Pale Moon 29.1.0

    Moonchild 9 months ago

    This is a development, bugfix and security update.

    New features:

    • Language packs for the following newly-supported languages:
      • Arabic (ar)
      • Chinese Traditional (zh-TW)
      • Croatian (hr)
      • Danish (da)
      • Finnish (fi)
      • Galician (gl)
      • Indonesian (id)
      • Icelandic (is)
      • Japanese (ja)
      • Romanian (ro)
      • Serbian (Cyrillic) (sr)
      • Slovenian (sl)
      • Thai (th)
    • Implemented String.prototype.replaceAll().
    • Implemented JSON superset proposal.
    • Implemented well-formed JSON stringify.
    • Implemented numeric separators in JavaScript.


    • Updated timezone data to 2021a.
    • Updated the wording and inclusion of more select license blocks in about:license.
    • Updated some site-specific user-agent overrides for web compatibility.
    • Updated the lz4 library for performance and security updates.
    • Improved performance of JSON stringify.
    • Further improved support for building on FreeBSD.
    • Fixed a regression where changes to useragent compatibility required a restart to take effect.
    • Fixed a regression where AES-GCM in WebCrypto (“subtle” crypto API) wasn’t working.
      • This could make certain login procedures fail to work.
    • Fixed a full browser deadlock when page scripting would flood browsing history with rapid location state changes.
    • Disabled AV1 codec use by default again since our implementation has significant streaming issues (particularly audio) that need further work.
    • Added required interaction with file/folder open dialog boxes on html file input elements on some operating systems to avoid malicious content tricking users into uploading sensitive files unintentionally (related to CVE-2021-23956).
    • Added a font sanity check to avoid triggering a potential vulnerability on unpatched Windows operating systems (related to CVE-2021-24093).
    • Security issues addressed: CVE-2021-23974, CVE-2021-23973 and several memory safety hazards that don’t have CVE numbers.
    • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 DiD, 19 not applicable.

    Built with the Unified XUL Platform - March 2, 2021 release.

  • Pale Moon 29.0.1

    mattatobin 9 months ago

    This is a security and stability update.


    • Fixed a browser crash when manipulating frame trees.
    • Fixed an issue with depth textures in ANGLE.
    • Updated the SSOAU for YouTube Studio.
    • Security issue addressed: ZDI-CAN-12197.

    Built with the Unified XUL Platform - February 5, 2021 release.

  • Pale Moon 29.0.0

    mattatobin 9 months ago

    A new year, a new milestone!

    While our initial intent was to have Google WebComponent support with this milestone, any reasonable deadline has passed for it.

    Instead, this new release continues to build on further improvements and enhancements in the platform and additions to the browser, as well as a large number of bugfixes.

    New additions:

    • Implemented Intl.PluralRules API for JavaScript.
    • Added a frequently-requested preference (browser.tabs.allowTabDetach) to disable “tearing off” of tabs (meaning dragging them outside of the tab bar resulting in them being made into their own window).
    • Added FLAC as a recognized filetype-by-extension.
    • Implemented basic support for the scrollbar-width CSS keyword. See implementation notes.
    • Added preliminary support for modern FreeBSD builds.
    • Selectively enabled core features of the DOM Animations API.
    • Enabled AV1 video support by default (previously built but not enabled in releases).
    • Added support for pointer events.
    • Added support for the SVG transform-box property.
    • Added support for the inputmode property for forms to enable context-sensitive display of soft keyboards.
    • Enabled shutting down of the file I/O worker when idle for a while (resource optimization).
    • Enabled blocking of auto-play of media in the background by default.
    • We now offer official GTK3 builds for Linux alongside the GTK2 builds.
    • Partial (and as of yet, not acceptably functional) implementation of Google WebComponents. See implementation notes.


    • Updated NSPR to 4.29.
    • Updated NSS to 3.59.
    • Disabled legacy database format for storage of certificates and passwords. See implementation notes.
    • Updated several site-specific user-agent overrides for web compatibility.
    • Improved styling of the “find in page” bar to avoid unreadable text on some system themes.
    • Removed a large chunk of Android-specific code.
    • Split gkmedias.dll back out from xul.dll.
    • Cleaned up a number of redundant and obsolete code paths.
    • Fixed a regression with the Performance API.
    • Fixed an initialization issue in the browser when users would force-disable certain types of caching.
    • Fixed a crash when attempting to save a file from FTP that could be displayed in the browser.
    • Fixed the root cause of an issue with JavaScript module loading causing crashes. See implementation notes.
    • Fixed a rare initialization issue for the print preview window causing it to not display.
    • Fixed a crash on Mac when text input was not secure.
    • Disabled the Storage Manager API by default.
    • Disabled the <menuitem> html tag by default. If you still need this, you can re-enable it with the preference dom.menuitem.enabled in about:config.
    • Fixed a memory safety issue related to XUL trees (CVE-2021-23962).
    • Implemented several defense-in-depth measures to improve stability and future security.
    • Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 6 DiD, 1 already implemented, 1 deferred to the next release, 24 not applicable.

    Implementation notes:

    • We’ve implemented basic support for the scrollbar-width CSS keyword. The most important setting, used with increasing frequency on the web, is scrollbar-width: none, which effectively disables scrollbars while not affecting overflow behavior when content would overflow its designated space (normally that would result in scrollbars being added to access the hidden content). This support for none is complete. A different setting for this keyword is thin. While this is implemented, it is currently reliant on the underlying system theme for widgets on various operating systems and (especially on Linux) may have little or no effect depending on the widget theme you are using, resulting in standard-sized scrollbars (the same as auto, the default for this keyword).
    • The legacy database format for storing security certificates and passwords (dbm, a Berkeley-derived format) is no longer built and as a result the browser will no longer be able to convert the old format (cert8.db and key3.db) to the current format which is SQL-based. Please see our document on profile migration for pointers on upgrading very old profiles that have not had this migration occur yet.
    • We tracked down (thanks, jarman!) the issue that had us forced to disable the inlining of code optimization in our JIT compiler for JavaScript (IonMonkey) in our previous version by default, to prevent crashes with module scripts (see release notes of 28.17.0). As a result we’ve been able to reclaim our temporary loss in performance of the browser while solving the crashes caused by this optimization.
    • We’ve implemented a good chunk of Google WebComponents (CustomElements and Shadow DOM). The incomplete code is behind a preference (dom.webcomponents.enabled) and it is strongly suggested you do not touch it unless you plan on helping us implement the remainder of this fundamentally-web-altering spec. Please do not expect that this preference is a magic wand to make Google and its puppy sites suddenly work in “modern” (mind the quotes) ways or without help (e.g. polyfills). While we’ve ticked a lot of the boxes already for a working implementation, this specification is kind of special in that it is all-or-nothing because it is not an extension or evolution of existing technology, but rather an attempt at redefining how websites work and are structured (with plenty of critical feedback because of that) at the most fundamental level.

    Built with the Unified XUL Platform - February 2, 2021 release.

  • Pale Moon 28.17.0

    mattatobin 11 months ago

    This is a development, bugfix and security update.


    • Changed the way dates and times are formatted in the UI to properly adhere to the user’s regional settings in the O.S.
    • Re-enabled the DOM Filesystem API for web compatibility.
    • Moved the global user-agent override to the networking component. See implementation notes.
    • Worked around crashes and run-time issues with module scripts. See implementation notes.
    • Fixed a website layout issue with table-styled elements potentially overlapping when placed inside a flexbox.
    • Fixed some code logic issues with websockets.
    • Fixed a regression when waking the computer from standby causing high CPU usage in some uncommon situations.
    • Updated the list of prohibited ports the browser can use. See implementation notes.
    • Updated root certificates.
    • Windows: Changed the way downloaded files without an extension are handled. See implementation notes.
    • Mac-beta: Improved version detection of MacOS including Big Sur.
    • Security issues addressed: CVE-2020-26978 and CVE-2020-35112.
    • Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 deferred to the next release, 16 not applicable.

    Implementation notes:

    • The global user-agent override was moved to the networking component where it is actually implemented. The new preference name is network.http.useragent.global_override. Please note that using a blanket override is normally (very) counterproductive and does not, in fact, help much with privacy. It would also override the compatibility modes (Native/Gecko/Firefox) in Pale Moon. As such, the browser will now warn you if the user-agent is globally overridden (in preferences) and allow you to easily reset that override and re-enable the various compatibility modes.
    • Module scripting caused some persistent and very hard to track browser crashes that we’ve narrowed down to a specific optimization in the JavaScript JIT (Just-In-Time) compiler (IonMonkey). This optimization is now disabled by default but if you need that little extra performance (usually only noticed in very optimized code or some benchmarks) then you can re-enable it, trading in stability, by setting the new preference javascript.options.ion.inlining to true.
    • Prohibited ports: Pale Moon maintains a blacklist of ports the browser may normally not connect to on servers, to mitigate abusive web scripting employing your browser as an attack bot on servers (e.g. by connecting to mail servers or what not), NAT slipstreaming, and similar security issues. To more thoroughly prevent known abusable ports on servers, this list was extended with a number of additional default ports for various non-http protocols.
    • Downloaded files without a file extension: When a file without an extension is downloaded, we will now open the download folder where you may choose to take any specific action manually, instead of trying to execute it as a program or through an associated program.

    Built with the Unified XUL Platform - December 18, 2020 release.

  • Pale Moon 28.16.0

    mattatobin 1 year ago

    This is a development and security update to the browser.

    Note for Linux users: With CentOS 6 going end-of-life, this version will be the last for which we will be building 32-bit Linux official binaries to download. While your distribution may choose to continue offering 32-bit versions of the browser, built from source by the maintainers, we won’t be offering any further official 32-bit Linux binaries on our website. Please check with your distribution’s package maintainers to know if further 32-bit support will be available on your particular flavor of Linux.


    • Aligned CSS tab-size with the specification and un-prefixed it.
    • Updated Brotli library to 1.0.9.
    • Updated JAR lib code.
    • Optimized UI code, resulting in smaller downloads and less space consumed on disk.
    • Changed the default Firefox Compatibility version number to 68.0 (since versions ending in .9 make some frameworks unhappy, refusing access to users).
    • Cleaned up HPKP leftovers.
    • Disabled the DOM filesystem API by default.
    • Removed Phone Vibrator API.
    • Fixed an issue where the software uninstaller would not remove the program files it should.
    • Fixed a devtools crash related to timeline snapshots.
    • Fixed an issue in Skia that could cause unsafe memory access. [DiD]
    • Fixed several data race conditions. [DiD]
    • Fixed an XSS vulnerability where scripts could be executed when pasting data into on-line editors.
    • Linux: Fixed an overflow issue in freetype.
    • Security issues addressed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several others that do not have a CVE designation.
    • Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 defense-in-depth, 3 rejected, 20 not applicable.

    Implementation notes:

    • Windows binaries should all be properly code-signed again.
    • The uninstaller issue might only appear if you have not used the internal updater to update the browser after installation.
    • The DOM Filesystem and dir picker APIs are, in practice, not used on websites. We’ve disabled these web-exposed APIs because they are not entirely without potential risk, and intend to remove them in a future version unless there is a demonstrable need to keep them as optional (unsupported) APIs in the platform.
    • One of the rejected security patches deals with entering a single word in the address bar. Standard browser behavior in that situation is for browsers to do a normal network lookup of that word in case it is a LAN machine name (other browsers also do this) which may “leak” your entered search term to the LAN. If you want to avoid this, please always use the search box for entering web searches, as it’s unambiguous what to do with single words in that case.

    Built with the Unified XUL Platform - November 24, 2020 release.

  • Pale Moon 28.15.0

    Moonchild 1 year ago

    This is a standard development and bugfix release.


    • Implemented support for CSS caret-color.
    • Implemented support for un-prefixed ::selection CSS pseudo-element styling.
    • Fixed another potential crashing scenario in ResizeObservers.
    • Fixed several crashes in the DOM Fetch API.
    • Fixed a crash in table pagination.
    • Security issues fixed: CVE-2020-15680 (VG-VD-20-115) and several memory safety hazards.
    • Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 2 defense-in-depth, 12 not applicable.

    Built with the Unified XUL Platform - October 24, 2020 release.

  • Pale Moon 28.14.2

    wolfbeast 1 year ago

    This update fixes a few important issues.


    • Fixed some additional crashes caused by the ResizeObserver API. This should take care of all crashes that have been attributed to this new code.
    • Fixed erroneous parsing of CSS percentages as number values.

  • Pale Moon 28.14.1

    wolfbeast 1 year ago

    This update addresses an intermittent crash in the newly-implemented ResizeObserver API (introduced in 28.14.0) occurring on a number of high-profile and often-used websites.

  • Pale Moon 28.14.0

    mattatobin 1 year ago

    This is a development and security update.

    • Updated the browser identity code for website security to more clearly indicate website status.
      A detailed explanation is available on the forum and beyond the scope of these release notes.
    • Updated unofficial branding to be more generic and more clearly separate unofficial builds from Pale Moon as a product.
      Please note that this goes hand in hand with an update of our redistribution license, and from this point forward any “New Moon” products are to be considered separate, and not unofficial Pale Moon builds or in any way related to or affiliated with Pale Moon, despite the similarity in name.
    • Added a preference (signon.startup.prompt) to give users the option to ask for the Master Password the moment the application starts (before the main window opens). This allows a workaround for getting multiple Master Password prompts if individual components need access to the password store at the same time.
    • Changed the way download sources are displayed to always use the actual domain downloads are from. In some situations the browser would previously display the domain of the referring page in an inconsistent fashion.
    • Implemented the ES2019 Object.fromEntries() utility function.
    • Implemented the CSS flow-root keyword.
    • (Re-)implemented percentage-based CSS opacity values according to the updated spec.
    • Implemented the last few missing bits for a standards-compliant implementation of JavaScript modules (preloading, resource: scheme, etc.).
    • Implemented the ResizeObserver DOM API.
    • Fixed a null crash on some websites using CSS clip paths.
    • Updated script handling inside SVGs to only run scripts if they are enabled and permitted, avoiding a potential XSS pitfall.
    • Fixed several memory safety hazards and crashes.
    • Updated the MediaQueryList interface to the updated spec. It now inherits from EventTarget and implements AddEventListener/RemoveEventListener in addition to AddListener/RemoveListener and should improve web compatibility for some sites.
    • Removed support for the archaic and non-standard <marquee> element.
    • Removed some leftovers from the discontinued plugin update checker service.
    • Removed some internal HPKP implementation leftovers.
    • Cleaned up the Windows widget code to reduce potentially vulnerable direct-dll loads.
    • Security issues fixed: CVE-2020-15676 and CVE-2020-15677.
    • Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 defense-in-depth, 7 not applicable.

    Built with the Unified XUL Platform - September 29, 2020 release.