newmoon (33.0.0-1+stackrpms) obs; urgency=medium
* Upstream updates
* Implemented a restricted version of the asynchronous clipboard API
(navigator.clipboard). This API is restricted to writing only for
obvious security considerations. It supports both plaintext and the
standard DataTransfer methods. We did not implement the reinvented
wheel concept of ClipboardItem objects.
* Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for
OCSP stapled responses.
* Implemented an option (found in the Preferences -> Content -> Media
tab, new in this version) to restrict DOM full-screen mode to the
existing browser window.
* Implemented several options in a new preferences tab (Preferences ->
Privacy -> Tracking) to allow users to more easily control several
privacy-impacting features, namely poisoning of canvas data (to prevent
fingerprinting), and enabling of Performance observers (a developer
feature) that some websites rely on for their operation.
* Implemented PromiseRejectionEvent. Although this is rarely actually
used, some common JS libraries (you know who you are!) use it as a
feature level canary and start loading (broken!) Promise shims if it is
not found, causing compatibility issues and broken websites due to the
shims.
* Fixes:
* Aligned microtasks and Promises scheduling with the current spec and
expected behavior.
* We now no longer send click events to top levels of the document
hierarchy when using non-primary buttons (use auxclick, instead, to
capture these events).
* Greatly improved the performance of box shadows.
* Greatly improved the performance of file/data uploads over HTTP/2
(most of the secure websites out there).
* Fixed several issues related to focus and content selection.
* Fixed issues with the use of focus-within caused by unexpected
processing of DOM events.
* Fixed an issue with CSP not behaving as expected when using
importScripts(), and fixed a number of additional CSP-related issues.
* Fixed a web compatibility issue with CORS preflights not sending the
original request's referrer policy or referrer header.
* Fixed a spec compliance issue with StructuredClone.
* Fixed a crash due to clamping code introduced for SetInterval and
SetTimeout timers.
* Fixed crashes when dynamic imports are canceled (e.g. by navigation).
* Other changes:
* Changed to now have its .files property be writable
following a spec change and recommendation.
* We are now requiring and building against the C++17 language standard.
* Updated the in-tree ffvpx lib to 6.0.
* Added a preference to allow users to completely disable reporting of
CSP errors to webmasters. Disabling it is strongly discouraged, as the
reports provide essential troubleshooting information to webmasters
setting up CSP and do not pose a privacy issue, but for those who really
want it, reporting can now be fully disabled. The preference is
security.csp.reporting.enabled.
* Updated the IntersectionObserver interface to now also accept
documents for the observer root instead of only HTML elements.
* Cleaned up various bits of code surrounding GMP, memory allocation,
system libraries, vestigial Android code, freetype2 and developer tools.
* Improved efficiency of handling D3D textures.
* Added initial and experimental Mac PowerPC and Big Endian support.
* Changed the behavior of hung scripts. We now automatically terminate
them instead of presenting the user with a dialog box (which may or may
not show in a reasonable time if the browser is too busy trying to
process the hung script). If you prefer the old behavior, uncheck the
box "Automatically stop non-responsive scripts" in Preferences ->
Content -> General.
* Security issues addressed: CVE-2024-0746, CVE-2024-0741,
CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
* UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable.
-- B. Stack Thu, 08 Feb 2024 22:46:46 -0500

newmoon (32.5.2-1+stackrpms) obs; urgency=medium
* Bugfix and security update:
- Removed the standard Twitter/X user-agent override because they decided
to block us on it.
- Added preferences for the user to control whether the tab page title
should be included in the window title. In Private Browsing
mode, the default is now to not show the title in the window. This was
done to avoid potential leakage to system logs (e.g. GNOME shell logs or
Windows event logs) of websites visited through the recorded window
title. The new preferences are privacy.exposeContentTitleInWindow and
privacy.exposeContentTitleInWindow.pbm for normal mode and Private
Browsing mode, respectively.
- Fixed several crashes in DOM and relating to dynamic JavaScript
module imports.
- Removed a restriction on Fetch preflight redirects, following a spec
update.
- Improved the handling of web workers if they get aborted mid-action.
- Security issues addressed: CVE-2023-6863, CVE-2023-6858 and several
others that do not have a CVE number.
-- B. Stack Fri, 26 Jan 2024 19:50:47 -0500

newmoon (32.1.0-1+stackrpms) obs; urgency=low
* Shadow DOM and CustomElements, collectively making up WebComponents,
have been enabled by default which should bring much broader web
compatibility to the browser for many a site that uses web 2.0+
frameworks. See implementation notes.
* Tab titles in the browser now fade if they are too long instead of
using ellipses, to provide a little more readable space to page titles.
Note that this may require some updates to tab extensions or themes.
* A number of site-specific overrides have been updated or removed
because they are no longer necessary or current with the platform
developments in terms of web compatibility. We could use your help
evaluating the ones that are still there; see the issue on our repo.
* Updated our promises and async function implementation to the current
spec.
* Implemented Promise.any()
* Fixed several crashes related to regular expression code.
* Improved regular expression object handling so it can be properly
garbage collected.
* Fixed some VP8 video playback.
* Fixed an issue where the caret (text cursor) would sometimes not be
properly visible.
* Updated the embedded emoji font.
* Implemented the :is() and :where() CSS pseudo-classes.
* Implemented complex selectors for the :not() CSS pseudo-class.
* Implemented the inset CSS shorthand property.
* Implemented the env() environment variable CSS function. See
implementation notes.
* Implemented handling for RGB encoded video playback (instead of just
YUV).
* Implemented handling for full-range videos (0-255 luminance levels)
giving better video playback quality.
* Removed the WebP image decoder pref. See implementation notes.
* Enabled the Web text-to-speech API by default (only supported on some
operating systems).
* Updated NSPR to 4.35 and NSS to 3.79.4
* Cleaned up unused "tracking protection" plumbing. See implementation
notes.
* Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
* Fixed several intermittent and difficult-to-trace crashes.
* Improved content type security of jar: channels. DiD
* Improved JavaScript JIT code generation safety. DiD
* Fixed potential crash scenarios in the graphics subsystem. DiD
* Improved filename safety when saving files to prevent potential
environment leaks.
* Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several
others that do not have a CVE.
* UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.
-- B. Stack Thu, 23 Mar 2023 13:53:33 -0400

newmoon (32.0.1-1+stackrpms) obs; urgency=low
* Upstream updates
* Fixed a crash in the new regular expression code.
* Added {Extended_Pictographic} Unicode property escape to regular
expressions.
* Fixed a regression in regular expressions for literal parsing of
invalid ranges.
* Updated NSS to pick up fixes.
* Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and
CVE-2023-0767.
* UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not applicable.
-- B. Stack Tue, 21 Feb 2023 20:34:55 -0500

newmoon (32.0.0-1+stackrpms) obs; urgency=low
* New milestone release:
- Implemented Regular Expression named capture groups.
- Implemented Regular Expression unicode property escapes.
- Re-implemented Regular Expression lookaround/lookbehind (without
crashing this time ;) ).
- Implemented progressive decoding for JPEG-XL.
- Implemented animation for JPEG-XL.
- Renamed CSS offset-* properties to inset-* to align with the latest spec
and the web.
- Fixed CSS inheritance and padding issues in some cases.
- Aligned parsing of incorrectly duplicated HSTS headers with expected
behavior (discard all but the first one).
- Implemented a method to avoid memory exhaustion in case of (very) large
resolution animated images.
- Updated the JPEG-XL and Highway libraries to a recent, stable version.
- Cleaned up some unused CSS prefixing code.
- Improved the ability to link on *nix operating systems with other linkers
than gcc's default.
- Stability improvements (potential crash fixes).
- Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several
others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.
-- B. Stack Thu, 16 Feb 2023 19:40:20 -0500

newmoon (31.4.0-1) obs; urgency=medium
* Upstream updates
* Added support for the JPEG-XL image format.
* Implemented regular expressions lookaround/lookbehind.
* Aligned CORS header parsing with the updated spec. See implementation
notes.
* We no longer fire keypress events for non-printable keys. See
implementation notes.
* Added support for MacOS 13 "Ventura" in the platform, primarily
benefitting White Star.
* Fixed potentially problematic thread locking code on *nix platforms.
* Fixed some small issues in the display and operation of the Web
Developer tools.
* Removed unused but performance-impacting panning and tab animation
measuring code. (telemetry leftovers)
* Improved code for SunOS builds.
* Updated Internationalization data for time zones.
* Fixed a buffer overflow for Mac builds.
* Security issues addressed: CVE-2022-45411 and potential issues
without a CVE number.
* UXP Mozilla security patch summary: 2 fixed, 1 DiD, 1 deferred, 25
not applicable.
-- B. Stack Tue, 22 Nov 2022 10:03:10 -0500

newmoon (31.3.1-1) obs; urgency=medium
* Upstream updates
* Added detection support for the newly-released MacOS 13 (Ventura).
* Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674)
DiD
* Fixed potentially undefined behavior in our thread locking code. DiD
* Fixed a potentially exploitable crash in the refresh driver.
* Fixed potentially undefined behavior when base-64 decoding. DiD
* Implemented a texture size cap for WebGL to prevent potential issues
with some graphics drivers. DiD
* Updated site-specific overrides to address issues with ZoHo.
* UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable.
-- B. Stack Tue, 01 Nov 2022 14:09:10 -0400

newmoon (31.3.0-1) UNRELEASED; urgency=low
* Upstream updates
* Implemented .at(index) JavaScript method on built-in indexables
(Array, String, TypedArray).
* Implemented the use of EventSource in workers.
* Enabled the sending of the Origin: header by default on same-origin
requests.
* Changed how Pale Moon is built. We are now using Visual Studio 2022
on Windows, and have made build system changes to reduce build times
and pressure on the linker on all platforms.
* Changed how Pale Moon handles standalone wave audio files (.wav). See
implementation notes.
* Improved string normalization.
* Updated the handling of CSS "supports" to now accept unparenthesized
strings (spec update).
* Updated the handling of flex containers in web pages for web
compatibility.
* Fixed various issues when building for Mac OS X.
* Fixed various C++ standard conformance issues in the source code.
* Fixed several issues building on SunOS and Linux with various
configurations and gcc versions.
* Fixed an issue with regular expressions' dotAll syntax and usage. See
implementation notes.
* Switched custom hash map to std::unordered_map where prudent.
* Cleaned up and updated IPC thread locking code.
* Removed spacing for accessibility focus rings in form controls to
align styling of them with expected metrics.
* Removed the unnecessary control module for building with non-standard
configurations of the platform.
* Removed the -moz prefix from min-content and max-content CSS keywords
where it was still in use.
* Security fixes: CVE-2022-40956 and CVE-2022-40958.
* UXP Mozilla security patch summary: 2 fixed, 11 not applicable.
-- B. Stack Tue, 01 Nov 2022 14:09:09 -0400

newmoon (31.2.0-1) obs; urgency=medium
* Changes/fixes:
* Implemented CSS white-space: break-spaces for web compatibility.
* Implemented Intl.RelativeTimeFormat for web compatibility.
* Implemented "Origin header CSRF mitigation". This is still disabled
by default to investigate potential issues with CloudFlare-backed sites.
* Implemented support for async generator methods in JavaScript.
* Added preliminary support for building on Apple Silicon like M1/M2
SoC.
* Added support for building with Visual Studio 2022.
* Improved the handling of CSS "sticky" elements in tables.
* Improved stack size limits on all platforms. See implementation notes.
* Updated function.toString handling to align with the updated
JavaScript spec. This should improve web compatibility.
* Updated Unicode support to Unicode v11, and updated the ICU library
accordingly. Building without ICU is no longer supported.
* Updated many in-tree third-party libraries to pick up various
performance and stability improvements.
* Updated site-specific user-agent overrides to work around issues with
Google fonts, Citi bank (again!) and MeWe.
* Removed some leftover (and unused) telemetry code in the platform and
front-end.
* Fixed an issue with VP9 video playback on Windows on some systems.
* Fixed an issue with the add-ons manager not properly handling empty
update URLs.
* Fixed a major performance regression on *nix based systems due to
incorrect thread handling.
* Fixed volume handling when building with the sndio audio back-end.
* Pale Moon no longer applies content security policies to documents
that are explicitly loaded as data documents or to images. See
implementation notes.
* Cleaned up some unnecessary code from the source tree for unused
build back-ends, Firefox marketplace "apps", and the rather ridiculous
moz://a protocol handler.
* Updated NSS to 3.52.8 to pick up several defense-in-depth security
fixes.
* UXP Mozilla security patch summary: 3 DiD, 12 not applicable.
-- B. Stack Wed, 03 Aug 2022 14:09:10 -0400

newmoon (31.1.1-1) obs; urgency=medium
* Changes/fixes:
* Updated the list of blocked external protocol handlers to combat
abuse of OS-supplied services on Windows.
* Fixed a potential issue with revoked site certificates when
connecting through a proxy.
* Updated NSS to 3.52.7 to pick up some security fixes.
* Updated site-specific user agent overrides to work around bad
sniffing practices of dropbox and vimeo.
* Security issues addressed: CVE-2022-34478, CVE-2022-34476,
CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473
DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE
number.
* UXP Mozilla security patch summary: 4 fixed, 4 DiD, 2 rejected, 11
not applicable.
-- B. Stack Mon, 11 Jul 2022 11:34:11 -0400

newmoon (31.1.0-1) UNRELEASED; urgency=medium
* Changes/fixes:
* Added Mojeek as an additional search engine in the browser. See
implementation notes.
* Implemented "nullish coalescing operator" (thanks, FranklinDM!) for
web compatibility.
* Fixed various crash scenarios in XPCOM.
* Fixed an important stability and performance issue related to
hardware acceleration.
* Fixed a long-standing issue where overly-long address bar tooltips
wouldn't break into multiple lines but instead cut off on the right
side.
* Fixed a long-standing issue where dynamic datalist updates for