Pale Moon Changelog

What's new in Pale Moon 33.1.0

Apr 23, 2024

New features:
Implemented support for single-use meta tag. This implementation allows use of it without specifying a second meta tag to actually load the linked document which was originally intended for this tag (to hint to a browser it should pre-load the document for fast painting).
Implemented CSP v3 keywords script-src-elem, script-src-attr, style-src-elem and style-src-attr.
Enabled the use of html5's by default. While this is not yet a complete implementation, use of it in the wild dictated we enable this early. The implementation should functionally suffice for usage seen so far.
Added support for Emoji 15.1.
Implemented webkitURL legacy window alias for URL for web compatibility.
Implemented CSS shorthands margin-block, margin-inline, padding-block and padding-inline.
Added support for querying CPU capabilities (SSE2/AVX/AVX2) to the Navigator interface. For privacy reasons this is not exposed to the web, but can be used by extensions.
Changes/fixes:
Fixed broken mousewheel scrolling if building with --disable-npapi.
Fixed a minor issue with XUL tree display in some circumstances.
Dev: Aligned canvas Path2D.addPath with the updated spec. It now supports DOMMatrix as opposed to SVGMatrix.
Removed Stylo (Gecko Rust style system) leftovers from the source tree.
Fixed a few potential emoji display issues.
Fixed some issues with workers.
Fixed an issue with ctrl+c copying in devtools.
Fixed crashes when run under WINE because of its lack of support for IDXGIKeyedMutex.
Fixed a crash when dealing with a specific (unmaintained) extension.
Added .xrm-ms files to the executable warning list on Windows.
Added sanity checks on http/2 header sizes.
Fixed a potential issue in the JavaScript JIT compiler.
Pulled a few fixes from upstream for the OpenType Sanitizer.
Added a fix to avoid a potential issue when assigning a media data buffer.
Security issues addressed: CVE-2024-3863, CVE-2024-3302, CVE-2024-3857 DiD, CVE-2024-3859 and CVE-2024-3861 DiD.

New in Pale Moon 33.0.2 (Mar 26, 2024)

New in Pale Moon 33.0.1 (Feb 28, 2024)

New in Pale Moon 33.0.0 (Jan 30, 2024)

New features:
Implemented a restricted version of the asynchronous clipboard API (navigator.clipboard). This API is restricted to writing only for obvious security considerations. It supports both plaintext and the standard DataTransfer methods. We did not implement the reinvented wheel concept of ClipboardItem objects.
Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for OCSP stapled responses.
Implemented an option (Found in Preferences -> Content -> Media tab (new this version)) to restrict DOM full-screen mode to the existing browser window.
Implemented several options in a new preferences tab (Preference -> Privacy -> Tracking) to allow users to more easily control several privacy-impacting features, namely poisoning of canvas data (to prevent fingerprinting), and enabling of Performance observers (a developer feature) that some websites rely on for their operation.
Implemented PromiseRejectionEvent. Although this is rarely actually used, some common JS libraries (you know who you are!) use it as a feature level canary and start loading (broken!) Promise shims if it is not found, causing compatibility issues and broken websites due to the shims.
Fixes:
Aligned microtasks and Promises scheduling with the current spec and expected behavior.
We now no longer send click events to top levels of the document hierarchy when using non-primary buttons (use auxclick, instead, to capture these events).
Greatly improved the performance of box shadows.
Greatly improved the performance of file/data uploads over HTTP/2 (most of the secure websites out there).
Fixed several issues related to focus and content selection.
Fixed issues with the use of focus-within caused by unexpected processing of DOM events.
Fixed an issue with CSP not behaving as-expected when using importScripts(), and fixed a number of additional CSP-related issues.
Fixed a web compatibility issue with CORS preflights not sending the original request's referrer policy or referrer header.
Fixed a spec compliance issue with StructuredClone.
Fixed a crash due to clamping code introduced for SetInterval and SetTimeout timers.
Fixed crashes when dynamic imports are canceled (e.g. by navigation).
Other changes:
Changed to now have its .files property be writable following a spec change and recommendation.
We are now requiring and building against the C++17 language standard.
Updated the in-tree ffvpx lib to 6.0.
Added a preference to allow users to completely disable reporting of CSP errors to webmasters. Using this is strongly discouraged as it will provide essential troubleshooting information to webmasters setting up CSP, and does not pose a privacy issue, but for those who really want it, it can now be fully disabled. The preference is security.csp.reporting.enabled.
Updated the IntersectionObserver interface to now also accept documents for the observer root instead of only HTML elements.
Cleaned up various bits of code surrounding GMP, memory allocation, system libraries, vestigial Android code, freetype2 and developer tools.
Improved efficiency of handling D3D textures.
Added initial and experimental Mac PowerPC and Big Endian support.
Changed the behavior of hung scripts. We now automatically terminate them instead of presenting the user with a dialog box (which may or may not show in a reasonable time if the browser is too busy trying to process the hung script). If you prefer the old behavior, uncheck the box "Automatically stop non-responsive scripts" in Preferences -> Content -> General
Security issues addressed: CVE-2024-0746, CVE-2024-0741, CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not applicable.

New in Pale Moon 32.5.2 (Dec 22, 2023)

New in Pale Moon 32.5.1 (Nov 28, 2023)

New in Pale Moon 32.5.0 (Oct 31, 2023)

Added an initial implementation of the ReadableStreams API, improving web compatibility with sites that apparently use this API in utilitarian fashion.
Added support for transparency in WebM videos for the edge case of using elements for transparent animated images. Major caveat: this will massively impact performance of video playback if an alpha channel is present in the video.
Added support for crypto.randomUUID to allow website scripting to generate random UUIDs (universally unique identifiers) through the WebCrypto interface.
By user request, added a preference browser.bookmarks.openInTabClosesMenu (default true) to allow users to configure if they want to keep the bookmarks menu open if they open bookmarks from it in a new tab (by middle-clicking or Ctrl-clicking). The default behavior is to close the bookmarks menu like any other menu when an option in it is clicked.
Removed the user-agent override for Netflix, since they have stopped supporting the Silverlight browser plugin. Pale Moon no longer has a way to provide Netflix DRM-controlled playback with them dropping it, so there is no longer a reason to try and force compatibility.
Updated the user-agent override for Spotify. While it is possible to use the website with this, it suffers from the same DRM issue and not all media will be playable (only non-encumbered media can be played in Pale Moon like podcasts). Your mileage may vary.
Implemented timer nesting and clamping for workers, preventing timer hangs on bad website code.
Improved handling of drawing SVG images on canvases without explicit width or height attributes. We now follow the css-sizing-3 Intrinsic Sizes spec.
Improved performance of our memory allocator.
Updated libvpx to 1.6.1.
Cleaned up and updated some media playback code.
Removed the inclusion of GMP (Gecko Media Plugin) support from Pale Moon, as it was only in use for EME/DRM and WebRTC, neither of which we support.
Removed the last vestiges of EME/DRM code from UXP, since this will never be supported in any application building on it due to the media industry's draconic policies around FOSS.
Removed simd.js, moving actually used SIMD handling to C++.
Removed the use of libav in our source, replacing its supply of FFT with the equivalent from FFMpeg.
Fixed potential type confusion in IonMonkey due to 3-byte opcodes.
Fixed an issue with tooltips persisting even if the browser window would have lost focus.
Fixed PerformanceObserver navigation and resource timing (default disabled for privacy); our implementation now fully passes conformance tests.
Fixed an issue where top-level SVG images would not be correctly clipped by positioned elements, giving the impression of wrong z-ordering as the SVG would overlap other elements.
Dev: Updated setInterval to fall back to 0 if no duration is supplied.
Dev: Updated ResizeObserver to a recent spec change, now returning an array of results for borderBoxSize and contentBoxSize instead of an object.
Dev: Updated Intl.NumberFormat and DefaultNumberOption() to follow spec updates. Most importantly for web compatibility, we now allow the "maximumFractionDigits" option in Intl.NumberFormat to be less than the default minimum fraction digits for the chosen locale, following the general consensus in TC39 around this issue.
Increased leniency (removed upper limit) of GLSL versions as they tend to be fully backwards compatible.
Fixed various crashes.
Added a safeguard to the sec-gpc header (Global Privacy Control) so it cannot be inadvertently overwritten.
Security fixes: addressed CVE-2023-5722, CVE-2023-5723, CVE-2023-5724, CVE-2023-5727 and several other issues without a CVE number assigned to them.
UXP Mozilla security patch summary: 6 fixed, 2 DiD, 19 not applicable.

New in Pale Moon 32.4.1 (Oct 11, 2023)

New in Pale Moon 32.4.0.1 (Oct 11, 2023)

New in Pale Moon 32.4.0 (Oct 11, 2023)

New in Pale Moon 32.3.1 (Oct 11, 2023)

New in Pale Moon 32.3.0 (Jul 12, 2023)

New in Pale Moon 32.2.1 (Jul 12, 2023)

New in Pale Moon 32.2.0 (Jul 12, 2023)

Implemented dynamic module imports. See implementation notes.
Implemented exporting of async functions in modules.
Implemented JavaScript class fields. See implementation notes.
Implemented logical assignment operators ||=, &&= and ??=.
Implemented a solution for websites using the officially deprecated ambiguous window.event. This is disabled by default but can be enabled through about:config's dom.window.event.enabled preference. See implementation notes.
Implemented self.structuredClone() (this may be very obscure to anyone except web developers. Apologies ;-) )
Implemented Element.replaceChildren. Once again primarily a web developer note.
Improved Shadow DOM :host matching.
Implemented WebComponents' CSS ::slotted() and related functionality.
Improved page caching in our memory allocator.
Added support for FFmpeg 6.0, especially important for bleeding-edge Linux distros.
Fixed a potential drawing deadlock for images, specifically SVG. This solves a number of hang-on-shutdown scenarios.
Fixed various crashes related to WebComponents and our recent JavaScript work.
Fixed various build-from-source issues on secondary target platforms.
Fixed various small browser front-end scripting issues that could lead to errors or broken functionality.
Fixed handling of async (arrow) functions declared inside constructors.
Fixed various small JavaScript conformance issues.
Fixed an issue where JavaScript (only in modules) would not properly create async wrappers.
Updated the DOM Performance API to the current spec (User Timing L3).
See implementation notes, especially if you intend to use this in web content for critical functionality.
Updated keypress event handling to send keypress events on Ctrl+Enter.
Updated internal JavaScript structures to make future porting easier, as well as improve JavaScript performance.
Updated window handling and styling on Mac.
Updated the Freetype lib to 2.13.0.
Updated the Harfbuzz lib to 7.1.0.
Updated our DNS lookup calls to use inet_ntop() instead of the deprecated inet_ntoa().
Updated the Fetch API to use the global's base URL instead of the entry document's base URL for spec compliance.
We no longer support the outmoded fontconfig on GTK systems.
We no longer parse or return the body of known-empty responses from servers (content-length of 0, or in case of HEAD or CONNECT methods).
Implemented scaled font caching on GTK, improving performance.
Fixed a build issue when building for Linux on ARM64 on later distros.
Split out more parts of the browser into separate .dll files on Windows to reduce compiler strain and an oversized xul.dll
Removed mozilla::AlignedStorage (code cleanup).
Builds for FreeBSD now use xz for packaging instead of bzip2. By request, we now also offer GTK2 builds for FreeBSD.
Merged the preference dom.getRootNode.enabled into the dom.webcomponents.enabled pref. See implementation notes.
Fixed a potential DoS issue with JPEG decoding.
Fixed a potential issue in Windows widget code that could lead to crashes.
Disabled potentially hazardous external protocols on Windows.
Added known-problematic .dlls to the internal blocklist.
Security issues addressed: CVE-2023-32209, CVE-2023-32214 and several others that do not have a CVE designation.
UXP Mozilla security patch summary: 4 fixed, 1 rejected, 27 not applicable.

New in Pale Moon 32.1.1 (Jul 12, 2023)

New in Pale Moon 32.1.0 (Jul 12, 2023)

Shadow DOM and CustomElements, collectively making up WebComponents, have been enabled by default which should bring much broader web compatibility to the browser for many a site that uses web 2.0+ frameworks. See implementation notes.
Tab titles in the browser now fade if they are too long instead of using ellipses, to provide a little more readable space to page titles. Note that this may require some updates to tab extensions or themes.
A number of site-specific overrides have been updated or removed because they are no longer necessary or current with the platform developments in terms of web compatibility. We could use your help evaluating the ones that are still there; see the issue on our repo.
Updated our promises and async function implementation to the current spec.
Implemented Promise.any()
Fixed several crashes related to regular expression code.
Improved regular expression object handling so it can be properly garbage collected.
Fixed some VP8 video playback.
Fixed an issue where the caret (text cursor) would sometimes not be properly visible.
Updated the embedded emoji font.
Implemented the :is() and :where() CSS pseudo-classes.
Implemented complex selectors for the :not() CSS pseudo-class.
Implemented the inset CSS shorthand property.
Implemented the env() environment variable CSS function. See implementation notes.
Implemented handling for RGB encoded video playback (instead of just YUV).
Implemented handling for full-range videos (0-255 luminance levels) giving better video playback quality.
Removed the WebP image decoder pref. See implementation notes.
Enabled the Web text-to-speech API by default (only supported on some operating systems).
Updated NSPR to 4.35 and NSS to 3.79.4
Cleaned up unused "tracking protection" plumbing. See implementation notes.
Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
Fixed several intermittent and difficult-to-trace crashes.
Improved content type security of jar: channels. DiD
Improved JavaScript JIT code generation safety. DiD
Fixed potential crash scenarios in the graphics subsystem. DiD
Improved filename safety when saving files to prevent potential environment leaks.
Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several others that do not have a CVE.
UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.

New in Pale Moon 32.0.1 (Jul 12, 2023)

New in Pale Moon 32.0.0 (Jan 24, 2023)

New in Pale Moon 29.1.0 (Mar 3, 2021)

New in Pale Moon 29.0.1 (Feb 7, 2021)

New in Pale Moon 29.0.0 (Feb 4, 2021)

A new year, a new milestone!
While our initial intent was to have Google WebComponent support with this milestone, any reasonable deadline has passed for it.
Instead, this new release continues to build on further improvements and enhancements in the platform and additions to the browser, as well as a large number of bugfixes.
New additions:
Implemented Intl.PluralRules API for JavaScript.
Added a frequently-requested preference (browser.tabs.allowTabDetach) to disable "tearing off" of tabs (meaning dragging them outside of the tab bar resulting in them being made into their own window).
Added FLAC as a recognized filetype-by-extension.
Implemented basic support for the scrollbar-width CSS keyword. See implementation notes.
Added preliminary support for modern FreeBSD builds.
Selectively enabled core features of the DOM Animations API.
Enabled AV1 video support by default (previously built but not enabled in releases).
Added support for pointer events.
Added support for the SVG transform-box property.
Added support for the inputmode property for forms to enable context-sensitive display of soft keyboards.
Enabled shutting down of the file I/O worker when idle for a while (resource optimization).
Enabled blocking of auto-play of media in the background by default.
We now offer official GTK3 builds for Linux alongside the GTK2 builds.
Partial (and as of yet, not acceptably functional) implementation of Google WebComponents. See implementation notes.
Changes/fixes:
Updated NSPR to 4.29.
Updated NSS to 3.59.
Disabled legacy database format for storage of certificates and passwords. See implementation notes.
Updated several site-specific user-agent overrides for web compatibility.
Improved styling of the "find in page" bar to avoid unreadable text on some system themes.
Removed a large chunk of Android-specific code.
Split gkmedias.dll back out from xul.dll.
Cleaned up a number of redundant and obsolete code paths.
Fixed a regression with the Performance API.
Fixed an initialization issue in the browser when users would force-disable certain types of caching.
Fixed a crash when attempting to save a file from FTP that could be displayed in the browser.
Fixed the root cause of an issue with JavaScript module loading causing crashes. See implementation notes.
Fixed a rare initialization issue for the print preview window causing it to not display.
Fixed a crash on Mac when text input was not secure.
Disabled the Storage Manager API by default.
Disabled the html tag by default. If you still need this, you can re-enable it with the preference dom.menuitem.enabled in about:config.
Fixed a memory safety issue related to XUL trees (CVE-2021-23962).
Implemented several defense-in-depth measures to improve stability and future security.
Unified XUL Platform Mozilla Security Patch Summary: 1 fixed, 6 DiD, 1 already implemented, 1 deferred to the next release, 24 not applicable.
Implementation notes:
We've implemented basic support for the scrollbar-width CSS keyword. The most important setting used with increasing frequency on the web is scrollbar-width: none effectively disabling scrollbars while not affecting overflow behavior when content would overflow its designated space (normally that would result in scrollbars being added to access the hidden content). This support for none is complete. A different setting for this keyword is thin. While this is implemented, it is currently reliant on the underlying system theme for widgets on various operating systems and (especially on Linux) may have little or no effect depending on the widget theme you are using, resulting in standard-sized scrollbars (the same as auto, the default for this keyword).
The legacy database format for storing security certificates and passwords (dbm, a Berkeley-derived format) is no longer built and as a result the browser will no longer be able to convert the old format (cert8.db and key3.db) to the current format which is SQL-based. Please see our document on profile migration for pointers on upgrading very old profiles that have not had this migration occur yet.
We tracked down (thanks, jarman!) the issue that had us forced to disable the inlining of code optimization in our JIT compiler for JavaScript (IonMonkey) in our previous version by default, to prevent crashes with module scripts (see release notes of 28.17.0). As a result we've been able to reclaim our temporary loss in performance of the browser while solving the crashes caused by this optimization.
We've implemented a good chunk of Google WebComponents (CustomElements and Shadow DOM). The incomplete code is behind a preference (dom.webcomponents.enabled) and it is strongly suggested you do not touch it unless you plan on helping us implement the remainder of this fundamentally-web-altering spec. Please do not expect that this preference is a magic wand to make Google and its puppy sites suddenly work in "modern" (mind the quotes) ways or without help (e.g. polyfills). While we've ticked a lot of the boxes already for a working implementation, this specification is kind of special in that it is all-or-nothing because it is not an extension or evolution of existing technology, but rather an attempt at redefining how websites work and are structured (with plenty of critical feedback because of that) at the most fundamental level.

New in Pale Moon 28.17.0 (Dec 20, 2020)

New in Pale Moon 28.16.0 (Nov 26, 2020)

Changes/fixes:
Aligned CSS tab-size with the specification and un-prefixed it.
Updated Brotli library to 1.0.9.
Updated JAR lib code.
Optimized UI code, resulting in smaller downloads and less space consumed on disk.
Changed the default Firefox Compatibility version number to 68.0 (since versions ending in .9 makes some frameworks unhappy, refusing access to users)
Cleaned up HPKP leftovers.
Disabled the DOM filesystem API by default.
Removed Phone Vibrator API.
Fixed an issue where the software uninstaller would not remove the program files it should.
Fixed a devtools crash related to timeline snapshots.
Fixed an issue in Skia that could cause unsafe memory access. DiD
Fixed several data race conditions. DiD
Fixed an XSS vulnerability where scripts could be executed when pasting data into on-line editors.
Linux: Fixed an overflow issue in freetype.
Security issues addressed: CVE-2020-26960, CVE-2020-26951, CVE-2020-26956, CVE-2020-15999 and several others that do not have a CVE designation.
Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 4 defense-in-depth, 3 rejected, 20 not applicable.
Implementation notes:
Windows binaries should all be properly code-signed again.
The uninstaller issue might only appear if you have not used the internal updater to update the browser after installation.
The DOM Filesystem and dir picker APIs are, in practice, not used on websites. We've disabled these web-exposed APIs because they are not entirely without potential risk, and intend to remove them in a future version unless there is a demonstrable need to keep them as optional (unsupported) APIs in the platform.
One of the rejected security patches deals with entering a single word in the address bar. Standard browser behavior in that situation is for browsers to do a normal network lookup of that word in case it is a LAN machine name (other browsers also do this) which may "leak" your entered search term to the LAN. If you want to avoid this, please always use the search box for entering web searches, as it's unambiguous what to do with single words in that case.

New in Pale Moon 28.15.0 (Nov 26, 2020)

New in Pale Moon 28.14.2 (Oct 2, 2020)

New in Pale Moon 28.14.1 (Oct 2, 2020)

New in Pale Moon 28.14.0 (Oct 2, 2020)

Updated the browser identity code for website security to more clearly indicate website status.
A detailed explanation is available on the forum and beyond the scope of these release notes.
Updated unofficial branding to be more generic and more clearly separate unofficial builds from Pale Moon as a product.
Please note that this goes hand in hand with an update of our redistribution license, and from this point forward any "New Moon" products are to be considered separate, and not unofficial Pale Moon builds or in any way related to or affiliated with Pale Moon, despite the similarity in name.
Added a preference (signon.startup.prompt) to give users the option to ask for the Master Password the moment the application starts (before the main window opens). This allows a workaround for getting multiple Master Password prompts if individual components need access to the password store at the same time.
Changed the way download sources are displayed to always use the actual domain downloads are from. In some situations the browser would previously display the domain of the referring page in an inconsistent fashion.
Implemented the ES2019 Object.fromEntries() utility function.
Implemented the CSS flow-root keyword.
(Re-)implemented percentage-based CSS opacity values according to the updated spec.
Implemented the last few missing bits for a standards-compliant implementation of JavaScript modules.(preloading, resource: scheme, etc.)
Implemented the ResizeObserver DOM API.
Fixed a null crash on some websites using CSS clip paths.
Updated script handling inside SVGs to only run scripts if they are enabled and permitted, avoiding a potential XSS pitfall.
Fixed several memory safety hazards and crashes.
Updated the MediaQueryList interface to the updated spec. It now inherits from EventTarget and implements AddEventListener/RemoveEventListener in addition to AddListener/RemoveListener and should improve web compatibility for some sites.
Removed support for the archaic and non-standard element.
Removed some leftovers from the discontinued plugin update checker service.
Removed some internal HPKP implementation leftovers.
Cleaned up the Windows widget code to reduce potentially vulnerable direct-dll loads.
Security issues fixed: CVE-2020-15676 and CVE-2020-15677
Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 1 defense-in-depth, 7 not applicable.

New in Pale Moon 28.13.0 (Sep 7, 2020)

New in Pale Moon 28.12.0 (Aug 4, 2020)

Changes/fixes:
Added controls for WASM to the browser's preferences, and enabled by default.
Enabled various arbitrarily-disabled CSS functions.
Added the use of basic path descriptors (i.e. polygon) to css clip paths.
Implemented multithreaded request signal handling for the Abort API. Please see implementation notes below.
Updated the included US-English dictionary, adding approximately 2500 additional words.
Removed the DOM battery API. This was already disabled for privacy reasons for a long while.
Fixed an erroneous warning displayed on toolkit-only add-ons like supplied dictionaries.
Fixed an issue with the sessionstore tab load preference.
Improved the generation of the names of downloaded files to prevent confusion. (CVE-2020-15658)
Fixed a code issue with base64 encoding of data.
Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) DiD
Fixed a spec compliance issue with regards to the cross-origin loading of scripts. (CVE-2020-15652)
Improved the loading of a system DLL on Windows, preventing low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 15 not applicable.
Implementation notes:
In 28.11.0, we introduced the Abort API as new code. The implementation of it still had an issue where especially web workers would not always see the availability of abort signals on fetch requests while AbortSignal was implemented in the browser. This effectively made some websites (especially those using a particular polyfill for the Abort API that would detect the need to polyfill by way of Request.signal) throw errors that were fine before. We offered users a workaround by temporarily disabling the AbortController in the browser by way of a preference (dom.abortController.enabled).
v28.12.0 fixes the multi-threaded handling of signals, which should solve these problems. As such, the workaround is no longer needed and upon upgrade the preference will be reset to enable AbortControllers again.
DLL-hijacking on Windows would only be possible if a malicious actor already either gained administrative access to the program's installation folder or otherwise have unrestricted access to the program folder (by having it installed in local application folders inside the user's profile space or other insecure program locations). In that case the system is already compromised and any executable can be replaced, so having dll loading hijacked would be the least of your concerns (i.e. the main program .exe could also be replaced/infected in that case).

New in Pale Moon 28.11.0 (Jul 16, 2020)

This is a development, bugfix and security update.
Changes/fixes:
Changed storage format for certificates and passwords to SQLite.
Added a preference (browser.tabs.insertAllAfterCurrent) to enable always adding new tabs after the current tab, whether related or not.
Changed the way Firefox extensions are displayed in the add-on manager (provide a clear warning).
Denied other types of add-ons that aren't explicitly targeting Pale Moon's ID.
Improved the browser's DPI-awareness to be per-monitor instead of system-wide, on supported Windows operating systems.
Updated bookmark backups code with the other half of what should have been done way back when, so they work fully as-intended.
Added a preference (browser.bookmarks.editDialog.showForNewBookmarks) to enable immediately showing the edit dialog for new bookmarks.
If set to true, clicking the star in the address bar will pop open the edit dialog immediately for changing details/sorting.
Fixed the useragent string in native mode, and updated UA code to properly respond to live changes to some preferences.
Tidied up front-end browser JavaScript.
Changed the way sources are compiled (on-going de-unification).
Improved compatibility with gcc v10
Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
Fixed some build issues in non-standard configurations.
Fixed wrong positions when calculating the position for position:absolute child inside a table.
Aligned file name extension of saved url files with other applications (lower case)
Fixed building with --disable-webspeech (to disable speech synthesis)
Added global menubar support for GTK.
Implemented node.getRootNode
Implemented AbortController (Abort API)
Improved the uninstaller to use elevation when prudent and actually remove program files.
Fixed a rare issue with editable page content.
Fixed a crash related to ES module scripts.
Aligned ES module scripting better with the current spec and removed eager instantiation.
Fixed a potential issue with the JPEG encoder. (CVE-2020-12422) DiD
Fixed a potential issue with AppCache manifests. DiD
Fixed a potential crash in JavaScript date parsing.
Fixed a problem with RSA key generation that would make it potentially vulnerable to side-channel attacks. (CVE-2020-12402)
Fixed a potential crash due to multithread race condition. DiD
Fixed a correctness issue in URL handling. (CVE-2020-12418) DiD
Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 4 defense-in-depth, 10 not applicable.

New in Pale Moon 28.10.0 (Jun 8, 2020)

New in Pale Moon 28.9.3 (Jun 8, 2020)

New in Pale Moon 28.9.2 (May 8, 2020)

New in Pale Moon 28.9.1 (Apr 12, 2020)

New in Pale Moon 28.9.0.2 (Apr 12, 2020)

New in Pale Moon 28.9.0.1 (Apr 12, 2020)

New in Pale Moon 28.9.0 (Mar 25, 2020)

This is a major development update.
New features:
Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
Implemented promise-based media playback.
Implemented non-standard legacy CSSStyleSheet rules functions.
Implemented the html5 element. To switch this on, flip dom.dialog_element.enabled to true.
Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences browser.ctrlTab.hidePinnedTabs and browser.allTabs.hidePinnedTabs)
Added 1.25x playback speed to html media elements.
Added a hidden pref (browser.places.smartBookmarks.max) to control the sizes of default smart bookmarks categories.
Changes/fixes:
Aligned document.open() with the overhauled specification.
Aligned the way DOM styles are computed with mainstream browser behavior.
Removed the (unused) DOM promise implementation.
Enabled seeking to next frame in media files.
Enabled dynamic UA updates for emergency use.
Implemented rule processing stub for font-variation-settings.
Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from ip-api.com
Improved reporting of the operating system in site-specific user-agent overrides.
Improved table drawing performance again after the rewrite for sticky positioning making it slower.
Updated CSP processing to allow custom scheme wildcards to be specified without a port.
Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements.
Changed the way hardware acceleration is controlled from the application.
Changed the default monospace font for main languages from Courier New to Consolas.
This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else.
Changed the browser's behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a "soft refresh" of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set browser.sessionstore.cache_behavior to 0 in about:config.
Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now.
For extensive release notes with all NSS changes, see NSS_Releases
Implemented an NSS performance optimization for Master Password use with limited effect.
Fixed some potential crashing scenarios with WebGL on Linux.
Completely removed showModalDialog.
Disabled some logging in production builds.
Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
Removed support for a number of critical libraries being system-supplied.
Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text.
Removed a bunch of Android and iOS support code.
Fixed an issue with form elements sometimes being incorrectly disabled.
Fixed several crashes.
Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user.
Performed various tree-wide code cleanups.
Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
Cleaned up the application updater code.
Security-related fixes:
Fixed a potential pointer issue in cubeb. DiD
Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
Updated our sctp library code with several upstream fixes.
Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable.

New in Pale Moon 28.8.4 (Mar 25, 2020)

New in Pale Moon 28.8.3 (Mar 25, 2020)

New in Pale Moon 28.8.2.1 (Mar 25, 2020)

New in Pale Moon 28.8.2 (Mar 25, 2020)

New in Pale Moon 28.8.1 (Mar 25, 2020)

New in Pale Moon 28.8.0 (Jan 12, 2020)

New features:
Added support for modern Solaris operating systems like Illumos (thanks Athenian200!).
Implemented position:sticky for table parts - You can now use CSS to e.g. stick table headers so they don't scroll off the screen!
Enabled basic implementation of module type scripting. While not fully spec compliant (yet), this will fix the few web compatibility issues with sites that rely on this feature without fallback (e.g. the Chromium bugtracker).
Implemented Promise.prototype.finally() (ES2018).
Implemented Regular Expression lookbehind (ES2018).
Implemented Regular Expression /s flag (dotAll support) (ES2018).
Implemented String.prototype.matchAll (regex) (ES2020).
Added Ekoru to the list of default search engines. This is a Bing-backed search engine that donates the majority of its revenue to various charities that support the planet and animals. An environment-supporting alternative to Ecosia if you don't want to support Google in the process.
Changes/fixes:
Changed the way tables are rendered to fix a number of spec compliance issues and allow relative positioning of table parts.
Now building against the Windows 10 SDK 10.0.17763.132 for increased compatibility with Windows 10 and improved Spectre mitigation.
Removed the unused DiskSpaceWatcher component.
Updated cairo code.
Updated SQLite to 3.30.1.
Updated the Brotli library to 1.0.7.
Updated the woff2 library to 1.0.2.
Updated the OpenType Sanitizer to 8.0.0.
Updated the Javascript math library for precision and performance fixes.
Updated the embedded Emoji font to Mozilla's COLR-mapped twemoji 0.5.0 (Twemoji 12.1.3), to support Emoji 12.
Improved CSS grid rendering.
Changed packaging for archives to use 7z/xz instead of zip/bz2.
Made the second argument of (DOM/CSS) insertRule() optional for (Chrome) web compatibility.
Removed the non-standard object.prototype.watch()/unwatch() functions. Please note that this may affect some extensions; those will need to be updated to no longer use these non-standard functions.
Fixed the status bar module to work around an issue with relying on watch()/unwatch().
Fixed a build failure in the libcubeb sndio module.
Fixed a small oversight in the release branch that would potentially still mark "jnlp" (Java Web Start) files as executable.
Fixed the certificate retrieval logic in the certificate exception dialog.
Fixed an issue with add-ons potentially getting confused during add-on updates due to cached scripts.
Fixed a crash due to unnecessary reparenting calls in layout.
Reinstated the mentioning of the number of accelerated/total windows in Troubleshooting Information, for completeness.
Moved the embedded font for Emoji from application to platform so all UXP applications can easily benefit from it (thanks Tobin!).
Cleaned up the jemalloc code: Removed dead/unused code, removed conditionals around "always on" code, and made the allocator VLA-free.
Security-related fixes:
Removed the silent fallback to insecure install locations on Windows.
Pale Moon will no longer by default install into unprotected program locations (this was a regression in v28).
If your operating system account does not have the necessary privileges, you need to manually select an accessible folder to install into. This is important to prevent malware from modifying installed programs in well-known but otherwise unprotected installation locations.
Added a preference for, and disabled, the confirmation prompt for URL authentication (prevents evil traps).
Disabled the use of HPKP by default due to the inherent risks involved with this feature. A preference was added to completely disable header processing, and using preloaded pins is effectively disabled. Please note that this is automatically disabled by default for everyone, regardless of your previous setting for this feature, and it is strongly recommended you keep this feature disabled. HPKP will eventually be removed (overall Internet concensus).
Fixed a potential issue when interacting with plugins. (DiD)
Fixed a potential crash scenario when reading PAC configuration. (DiD)
Fixed a potential issue with text selection painting. (DiD)
Fixed an issue with element references not being properly updated. (DiD)
Fixed an issue with incorrect saving of web pages as text. (DiD)
Fixed a potential issue with clipboard handling. (DiD)
Fixed a potential issue with attaching the debugger to web workers. (DiD)
Updated NSS to 3.41.4 to address CVE-2019-11756 and CVE-2019-11745.
Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 8 DiD, 16 not applicable.

New in Pale Moon 28.7.2 (Nov 19, 2019)

New in Pale Moon 28.7.1 (Nov 19, 2019)

New in Pale Moon 28.7.0 (Sep 2, 2019)

Changes/fixes:
Landed a large JavaScript parser tune-up, which as a targeted goal brings our ES6 stringification fully in line with the ES2018 revision for classes, and implements rest/spread parameters for object literals. (Cheers to Luke!)
Fixed a crash with the tuned-up parser code when certain error messages were triggered.
Aligned browser behavior with mainstream regarding inner window behavior when domain is manipulated.
Improved performance dealing with frame properties.
Improved performance for handling html5 strings.
Improved performance of image content loading.
Fixed potential type confusion in array joins.
Fixed an issue on some pages causing high CPU usage when wrongly specifying plugin content.
Fixed an issue with the add-ons manager "discover" pane if no network connection is present.
Fixed an issue with bookmark/history search results offering context menu options that would be invalid without a selection.
Fixed the devtools JSON viewer and enabled it by default.
Fixed searching from about:home not working for search plugins using the POST method.
Fixed an issue with the checkboxes for location bar preferences.
Fixed SVG alignment issues if SVG-containing elements fall on odd pixel sizes, causing blurry display of especially small SVGs like icons/glyphs.
SVGs will now always be pixel-snapped to provide expected crisp display.
Fixed precompilation of Sync client modules when packaging. This also removes the redundant services.sync.enabled pref.
Added support for matroska containers and h264-based webm video formats.
Added support for AAC audio in matroska and webm video formats.
Added support for spaces in the Mac package and application name.
Added an exception to the unique file origin policy for font types.
Added native file picker support for xdg on Linux.
Updated the default bookmark icons.
Updated the SQLite lib to 3.29.0.
Removed e10s information from about:troubleshooting.
Removed hotfix leftovers.
Removed the WebIDE developer tool.
Removed conditional build-time disabling of the Pale Moon status bar code.
Removed "Delete this page" and "Forget about this site" links from live bookmarks (since they make no sense on feeds).
Removed the Financial Times' polyfill user-agent override since they updated their detection to work with Pale Moon.

New in Pale Moon 28.6.1 (Jul 25, 2019)

New in Pale Moon 28.6.0.1 (Jul 8, 2019)

New in Pale Moon 28.6.0 (Jul 8, 2019)

Implemented String.prototype.trimStart and String.prototype.trimEnd (ES2019)
Implemented Array.prototype.flat and Array.prototype.flatMap (ES2019)
Implemented Symbol.prototype.description (ES2019)
Added support for gzip-compressed SVG-in-Opentype fonts.
Updated official branding.
Updated reader view components.
Added a preference to control the setting of cookies through meta header information (non-standard feature) and disabled by default.
Updated ES6 Atomics and re-enabled them.
Updated internationalization code to support updated time zones and the Japanese Reiwa era.
Updated NSS to a custom version to have better encryption strength for master passwords.
IMPORTANT: To use this strong encryption and re-key the password database with it, change your master password (can be changed to the same one you already had if desired, but you have to go through the change password process). Depending on your computer and the number of stored passwords, this encryption update may take some time, so please be patient. Please be aware that once re-keyed, the password store will be locked to the new encryption and will no longer be accessible with the master password in older versions of Pale Moon.
Restored "Release notes" in the help menu.
Rearchitectured the application/extension update code.
Added several performance improvements to DOM and the parser.
Improved JavaScript garbage collection of dead compartments.
Fixed a performance issue with painting on some pages.
Improved performance of some websites with complex event regions.
Fixed a potential performance issue in display lists on some pages.
Fixed a rendering bottleneck for the use of XRender when using a remote session.
Fixed graphical artifacts/flickering when using XRender on Intel or Intel-hybrid GPU setups.
Added a DiD fix for potential future issues with inlining array natives.
Fixed a potential UAF situation in the HTML5 parser (DiD)
Fixed an origin-clean bypass issue.
Changed the way permissions for predefined sites are loaded.
Reverted the 28.5.1 change to treat *.jnlp files as executables (CVE-2019-11696) after input from an Oracle representative. Java Web Start files are not executable and should not be treated any different than regular documents handled by external applications.
Removed SecurityUI telemetry.
Removed some other dead telemetry code.
Removed geo-specific selection of default search engines.
Deprecated the use of FUEL.
Removed the unused code for "enhanced tiles" in the new tab page.
Removed preference to brute-force e10s to on.
Removed Unboxed Array code.
Removed Unboxed Object code.
Fixed failure to print if a page contains a 0-sized element.
Fixed an issue with tab-modal dialogs being presented in the wrong order.
Fixed an issue with the tab bar remaining collapsed in customize mode if normally hidden.
Fixed an issue with Sync when choosing to overwrite data with synced data.
Fixed an issue with tab previews on the taskbar.
Fixed an issue with IntersectionObserver viewport accuracy.
Fixed Scroll bar orientation on Mac OS X.
Fixed an issue with anchor/link targets not re-using a named target.
Fixed a build issue with Gnu-CC on PPC64.
Fixed browser.link.open_newwindow functionality.

New in Pale Moon 28.5.2 (Jul 3, 2019)

New in Pale Moon 28.5.1 (Jul 3, 2019)

New in Pale Moon 28.5.0 (May 3, 2019)

Redesigned the about box.
Added "Check for updates" menu entries to the AppMenu and classic menu (since the About box redesign no longer has application update in it).
Restored the app.update.url.override pref for AUS testing/override.
Added "Loop" control to html5 video.
Fixed a crash with frames (e.g. when using Tile Tabs).
Fixed an issue with textarea placeholders (spec compliance).
Removed the Windows Maintenance Service one last time.
Improved http basic auth DoS heuristics.
Fixed an issue on big-endian machines (e.g. PPC64/linux).
Removed e10s code from widgets.
Preffed the various http "Accept" headers and aligned with the Fetch spec (except for image requests).
Aligned URLSearchParams with the spec.
Updated several site-specific UA overrides.
Fixed "Yet Another special case of a flex frame being the absolute containing block"™
Fixed border drawing when the tab bar is hidden.
Pref-controlled and disabled the use of unboxed plain objects in JavaScript's JIT compiler.
Improved handling of interrupted connections through proxies and pseudo-VPN extensions.
Removed contextual identity.
Updated the 7zip installer stub to a much more recent code version.
Fixed an issue with applying percentages to 0 in layout sizes.
Fixed an issue with calculating linear sums in JS JITed code.
Added default value feature to get*Pref() preference functions.
Fixed an issue that would occasionally overwrite the new tab custom URL.
Updated the SQLite library to 3.27.2
Killed the crashreporter toolkit files and exception handler hooks.
Fixed an issue with a missing border on the tab bar when on the bottom.
Fixed a crash with badly-formatted SVG files.
Showed the robots to the exit after squatting in the browser for decades.
JavaScript: Implemented TC39 toString() revision proposal.
Rearchitectured the JavaScript front-end parser to provide better and more logical parsing of JS code.
Removed support code and leftovers for unsupported SunOS, AIX, BEOS, HPUX and OS/2 operating systems.
Fixed a scrollbar arrow issue on OS X.
Removed all Firefox Accounts code.
Made the CSS parser more robust and aligned url() behavior with the CSS3 spec in case of bad input.
Fixed an issue with blocklist updates not actually dynamically applying due to a wrong URL.
Updated the embedded emoji font to the TweMoji v11.4.0 equivalent.
Fixed an issue with async/deferred scripts preventing page loads from completing.

New in Pale Moon 28.4.1 (Apr 2, 2019)

New in Pale Moon 28.4.0 (Mar 27, 2019)

New in Pale Moon 28.3.0 (Jan 22, 2019)

Changes/fixes:
Added AV1 support for MP4/MSE videos. Please note that this is a reference library implementation and the upstream decoding lib currently has poor performance for higher resolutions (720p+). This is disabled by default; use the about:config preference media.av1.enabled to enable this codec.
Changed the API used for video playback with FFmpeg 58+. This should solve performance issues with VPx.
Redesigned the main toolbar icons as SVG images to make them HiDPI compliant.
Fixed the sync notification (infobar) icon.
Fixed a potential cycle collector resource leak.
Added icons and controls to tabs to indicate if sound is playing the tab and if so, allowing the user to mute it with a click.
This is a native implementation of the API in use in Basilisk and performs the same function as the "expose noisy tabs" extension, although the extension may still be preferred by some for e.g. skinning capabilities. The feature may be disabled with browser.tabs.showAudioPlayingIcon.
Removed support for VR hardware.
Fixed out-of-bounds sizes for CSS calculation strings.
Removed the DirectShow component since it is no longer necessary.
Stopped trying to cater to addons.mozilla.org since they no longer offer anything useful to Pale Moon after the Great XUL Extension Purge™.
Added an option to process favicons for optimal sized display and removing animations. Enable this with browser.chrome.favicons.process
Fixed an incorrect preference reference in feed reader.
Fixed an issue with lazy frame construction on display:contents elements. This should solve e.g. the use of mathjax in comments on stackoverflow.
Media code improvements and cleanup (ongoing).
Updated the DropBox useragent override to solve login issues.
Fixed potential crashes due to shutdown observers in VTT and font lists. DiD
Enabled some mistakingly-disabled optimizations in the JS JIT compiler.
Fixed several potential crashes in JS. DiD
Fixed several potential crashes in WebCrypto. DiD
Fixed a potential crash in JS Range Analysis. DiD
Fixed a potential crash in the layout engine due to combo boxes. DiD
Fixed a potential shutdown crash in non-standard environments related to 2D Canvas. DiD
Fixed a potential overflow in the PNG writer. DiD
Fixed a potential double-free in the MAR signing utility. DiD
Fixed an issue where URLs could be extracted cross-origin (CVE-2018-18494).
Updated NSPR to v4.20.
Updated NSS to 3.41, providing (among other things) full compatibility with the final version of TLS 1.3 on websites.
Updated location.protocol to the latest spec.
Updated Intersection Observers to the latest spec and enabled them by default.
Updated the SQLite lib to 3.26.0.
Fixed errors about the login manager's recipeManager not being available (yet).
Switched status bar download arrow to SVG.
Fixed a crash in IntersectionObservers.
Fixed initialization of the Search service from browser code to avoid synchronous init.
Added logging of performance warnings to devtools consoles.
Fixed favicons in taskbar tab preview listings.
Blocked Comodo IS dll < version 6.3 to prevent startup crashes.
Fixed issues in the HTML form submit observer module.
Limited resolving depth of CSS variables to a sane maximum (fixes cras.sh issue).
Removed Mozilla's proprietary constructor on WebAudio's AudioContext, aligning it with the standard specification.
Exposed the previously hidden preference in about:config for page thumbnail generation (some people prefer this for local privacy).
Aligned Element.ScrollIntoView with the DOM specification. This improves, among other things, compatibility with the React framework.
Removed Firefox Accounts integration, phase 1:
Changed the Sync client to the one from Tycho.
Made Sync optional at build time.

New in Pale Moon 28.2.2 (Jan 18, 2019)

New in Pale Moon 28.2.1 (Dec 14, 2018)

New in Pale Moon 28.2.0 (Dec 14, 2018)

Fixed a major performance issue with web workers.
Fixed a rare crash on local networks with HTTP basic auth and unsupported cipher suites.
Fixed a performance/timer issue when leaving the browser idle.
Fixed an issue causing an empty dialog when launching executable files from the browser.
Fixed an issue preventing making entries to disallow sites to store data for off-line use.
Removed code to prevent extensions with binary components.
Fixed an issue with common dialogs being sized incorrectly for their content.
Fixed an issue with event handling on the tab bar that would cause frustrating behavior when trying to open/close tabs in rapid succession.
Switched default behavior for scrolling when a context or pop-up menu is open to allow scrolling, like in v27. This also affects scrolling in very long menus, e.g. bookmarks.
Added experimental Asynchronous Panning and Zooming (APZ) for desktop use.
Re-enabled the use and parsing of ICC v4 color profiles.
Removed telemetry code from the caching subsystem.
Improved full-screen detection for suppressing status messages.
Made all arguments passed to Init*Event() optional except the first for parity with other browsers.
Cleaned up some internal installer code.
Fixed making caret width configurable when dealing with CJK characters (regression).
Fixed drawing of table borders consistently when zooming a page (regression).
Exposed the "Save download location per site" pref in about:config.
Improved media handling (ongoing).
Added experimental support for AV1 in WebM videos (disabled by default).
Note: this is for WebM only for now, so MP4 and MSE AV1 streams (e.g. YouTube) will not (yet) play.
Removed the (defunct and incomplete) in-browser translation code.
Fixed an issue with CSS Grid layouts unnecessarily shrinking element blocks.
Fixed notification settings menu entry (opes about:permissions with relevant data now).
Fixed the launching of an undesirable background content process for capturing page thumbnails.
Fixed a focus issue in the bookmark properties dialog.
Changed the setting for reporting CSS errors to the console to false by default, to prevent unnecessary performance loss for recording this data.
Added control mechanisms for Opportunistic Encryption (both for alternative services and upgrade-insecure-requests) in preferences, and disabled this by default due to potential security and privacy issues with this transitional technology.
Updated the default reported Firefox version in Firefox Compatibility Mode to prevent "too old Firefox" complaints on websites.
Updated libnestegg, ffvpx, reader view components and several other modules from upstream.
Implemented security fixes for CVE-2018-12381, CVE-2017-7797, a better fix for CVE-2018-12386 (DiD), CVE-2018-12401 (DiD), CVE-2018-12398, CVE-2018-12392, several Skia bugs, and several crashes and memory safety hazards that do not have a CVE number.

New in Pale Moon 28.1.0 (Dec 14, 2018)

Updated NSS to 3.38, removed TLS 1.3 draft version check since it's considered final.
Reinstated RC4 as an optional encryption cypher for non-standard environments (e.g. old routing/peripheral networked hardware on LAN). RC4 and 3DES are marked weak and disabled, and will never be used in the first handshake with a site, only as last-ditch fallback when specifically enabled (meaning they won't show up on ssllabs' test, for example).
Removed Telemetry accumulation calls, automatic timers and stopwatches. This removes a very noticeable performance sink for all operations on all platforms.
Fixed many occurrences of discouraged types of memory access for primarily GCC 8 compatibility. This improves overall code security as a defense-in-depth measure.
Re-implemented the pref-controlled custom background color for standalone images.
Updated session history handling for internal pages. about:logopage is no longer stored in history, and you can choose to store the QuickDial page in history by setting the pref browser.newtabpage.add_to_session_history to true. This is disabled by default (meaning you can't use the "Back" button to go back to the QuickDial page) as a defense-in-depth security measure.
Added ui.menu.allow_content_scroll to control whether content can be scrolled if a context menu is open.
Fixed incorrect code removal in ipc.
Removed support for TLS session caches in TLSServerSocket.
Added support for local-ref as SVG xlink:href values.
Changed the find bar to be a browser-global toolbar again (like in Pale Moon 27) instead of per-tab. For people who prefer search terms to be saved on a per-tab basis (like with the per-tab findbar previously), this is possible by setting findbar.termPerTab to true. This resolves a number of issues, including styling with lightweight themes not applying to the find bar, and status pop-ups overlapping the find bar.
Ported all relevant security fixes from Mozilla's Gecko/62 release, including CVE-2018-12377 and CVE-2018-12379.
Restored part of the searchplugin API that was removed by Mozilla, so extensions can provide and save edits to installed search engines.
Improved the speed of restoring browsing sessions upon startup.
Fixed the "Restore previous session" button sometimes being missing from about:home, while a restorable session would be present.
Fixed tab previews in the Windows taskbar (if enabled).
Fixed the setting of the new tab page being "My Home Page" so it'll pick up subsequent changes to the home page URL automatically.
Removed the Firefox Accounts migrator from Sync.
Fixed an issue with the enabled state of number controls if appearances changed.
Stopped building ffvpx on 32-bit platforms (except windows) to use the (faster) system-installed lib instead.
Re-added a horizontal scroll action option for mouse wheel. (regression)
Fixed handling of content language if the locale is changed.
Fixed document navigation with the F6 key.
Fixed toolbar styling in toolkit themes.
Fixed viewing the source of a selection.

New in Pale Moon 28.0.1 (Dec 14, 2018)

New in Pale Moon 28.0.0 (Dec 14, 2018)

SpiderMonkey update: The JavaScript engine has received a major upgrade and now supports all landmark features from the ECMAScript standards as carried by mainstream browsers. This should put an end to the increasing JavaScript issues we've seen due to web frameworks not being browser-agnostic in that respect, or the browser not supporting what websites expect.
Goanna update: The layout and rendering engine (Goanna) has been updated to its 4th generation (version 4.*) which brings with it improved compatibility with "trendy" CSS styling techniques that build on a few very specific features (e.g. CSS Grid). Goanna continues to build on tried-and-tested software fallbacks in case hardware acceleration can't be used, and Linux remote desktop users can continue to leverage xrender for speedy remote screen updates in Pale Moon.
DOM enhancements: Enhancements in the Document Object Model provides websites with updated APIs to perform their tasks. (e.g. Fetch, WebAnimations, WebCrypto, HTML Input Element Extensions, etc.)
Media enhancements: Our media back-end update is, for all intents and purposes, complete. MSE media streaming (for MP4) should be compatible with all major players on the market now. MSE for WebM is still disabled by default due to some compatibility issues that need to be examined, but you may enable this in preferences to e.g. allow 4k video playback on some sites that only offer UHD in WebM format. We now also support playback of FLAC-encoded audio.
New: WebGL2 support! Pale Moon now supports the WebGL2 standard for enhanced graphical experiences in 2D and 3D.
Devtools have been given a refresh. Just in case you thought they weren't extensive enough yet, some new categories have been added to inspect and manipulate all aspects of web content.
Updates to the login manager: Login credentials can now be stored specifically with or without a user name, and selected individually. This is a behavior change from previous, and clicking a password field can now pop-up a selection list of user names for which passwords are stored (if multiple credentials are saved). Clicking the appropriate login name (or date-stamped version if no name is present) will fill in the accompanying password.

New in Pale Moon 27.9.4 (Jul 20, 2018)

New in Pale Moon 27.9.0 (Apr 20, 2018)

New in Pale Moon 27.8.3 (Mar 29, 2018)

New in Pale Moon 27.8.2 (Mar 29, 2018)

New in Pale Moon 27.8.1 (Mar 17, 2018)

New in Pale Moon 27.8.0 (Mar 17, 2018)

New in Pale Moon 27.7.2 (Feb 2, 2018)

New in Pale Moon 27.7.0 (Jan 17, 2018)

Changes/fixes:
Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
Fixed an issue on Mac builds not properly populating the application menu.
Added "My home page" as an option for new tabs.
Added an option to disable the 4th and 5th mouse buttons (Windows).
(mouse.button4.enabled and mouse.button5.enabled, respectively)
Improved the resetting of non-default profiles.
Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
(this should fix layout issues with Twitch's new web interface)
Fixed an issue where CSS clone operations would draw a border.
Changed the way fractional border widths are rounded to provide more natural behavior.
Fixed an issue where number inputs would incorrectly be flagged as read-only.
Added assets for tile display in the Windows start panel.
Finished sync infra swapover by adding a one-time pref migration for server used.
Improved WebAudio API: Return the connected audio node from AudioNode.connect()
Added support for a default playback start position in media elements.
Fixed an assert in cubeb-alsa code (Linux).
Added support for media cue-change events (e.g. subtitles).
Updated SQLite to 3.21.0.
Fixed a crash when trying to use the platform embedded.
Fixed devtools (gcli) screenshots on vertical-text pages.
Fixed devtools copy as cURL for POST requests.
Improved the HTML editor component (several bugfixes).
Added support for ES7's exponentiation a ** b operator.
Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
Added Javascript's ES6 "unscopables".
Security/privacy fixes:
Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
Removed the sending of referrers when opening a link in a new private window.
Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
Added support for X-Content-Type-Options: nosniff (for scripts).
Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD: This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

New in Pale Moon 27.7.0 Alpha 2 (Jan 8, 2018)

Finished sync infra swapover by adding a one-time pref migration for server used.
Fixed devtools (gcli) screenshots on vertical-text pages.
Fixed devtools copy as cURL for POST requests.
Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
Removed the "ask every time" policy for cookies.
Added support for X-Content-Type-Options: nosniff (scripts).
Added "My home page" as an option for new tabs.
Fixed an issue with "nosniff" in the case of null body responses (30x).
Added support for media cue-change events (e.g. subtitles).
Improved the HTML editor component (several bugfixes).
Fixed an issue where CSS clone operations would draw a border.
Fixed an issue where number inputs would incorrectly be flagged as read-only.
Improved the resetting of non-default profiles.
Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
Made several more improvements to the details/summary tags.
Fixed several additional bugs in details/summary tags.
Fixed an assert in cubeb-alsa code (Linux).
Added an option to disable the 4th and 5th mouse buttons (Windows).
(mouse.button4.enabled and mouse.button5.enabled, respectively)
Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled)
Fixed an issue on Mac builds not properly populating the application menu.
Added support for ES7's exponentiation a ** b operator.
Updated SQLite to 3.21.0.
Removed referrers when opening links in a new private window.
Added assets for tile display in the Windows start panel.
Improved WebAudio API: Return the connected audio node from AudioNode.connect()
Added support for a default playback start position in media elements.
Fixed a crash when trying to use the platform embedded.
Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
Removed the sending of referrers when opening a link in a new private window.
Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
(this should fix layout issues with Twitch's new web interface)
Changed the way fractional border widths are rounded to provide more natural behavior.
Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused or stolen;
Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
Added Javascript's ES6 "unscopables".

New in Pale Moon 27.6.2 (Dec 2, 2017)

New in Pale Moon 27.6.1 (Nov 19, 2017)

New in Pale Moon 27.6.0 (Nov 15, 2017)

Changes/fixes:
Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
(enjoy your LOLcats again!)
Changed automatic updates over to the new infrastructure.
Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
Improved upmixing of mono sound for multi-channel setups.
Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
Fixed "Remove from history" function from the downloads panel.
Forced focus on the address bar in new windows if the content is a blank/empty document.
Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
Further cleaned up the status bar code.
Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
Updated WOFF2 code from upstream.
Updated the zlib compression library.
Made general improvements to internal code structure and spec adherence.
Fixed an issue with certain command-line parameters being used.
Updated the default theme to improve consistency and contrast of toolbar and download buttons.
Increased the default duration of notification pop-ups and made them configurable.
Improved handling of audio-visual media (ongoing).
Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
Fixed the selection system inside of a nested contenteditable element being broken.
Fixed Windows 10 detection for blocklisting graphics drivers.
Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
Fixed the uninstallation routine of restartless add-ons.
Fixed the handling of unimplemented functions in the console API.
Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
Security/privacy fixes:
Added an option to clear Site Connectivity Data (delete history).
Removed stale entries from the HSTS preload list, and improved generation/processing of it.
Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
Worked around some more issues with broken Apple fonts.

New in Pale Moon 27.5.1 (Oct 11, 2017)

New in Pale Moon 27.5.0 (Sep 28, 2017)

CHANGES/FIXES:
Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
Fixed a regression re: domains allowed to/blocked from installing add-ons.
Fixed several internal errors thrown in the front-end.
Fixed several minor issues in the devtools.
Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
Added an option to control add-on blocklist behavior (Options -> Security)
Added DOM function isSameNode().
Added DOM onvisibilitychange event.
Added document.scrollingelement (CSSOM).
Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
Added "Open in new private window" to bookmarks, feeds and history entries.
Added HTTP request method OPTIONS.
Added an option to exit to a no-content page after encountering a network or security error.
This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
Improved the handling of several CSS selectors.
Changed session storage to remember form data for https sites by default.
Added (yet another) trap prevention method to onbeforeunload events.
Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
Fixed not being able to deselect loading bookmarks in the sidebar.
Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
Fixed a number of potential crash points.
Improved the security of the Windows dll loader module.
Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
Made URL matching more liberal in selected text to make it easier to open stated addresses.
Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
Please be aware that https-filtering antivirus may interfere with future application updates as a result.
Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
Fixed a problem with some H.264 media not playing (SPS NAL).
Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
Improved context search on selected text/links.
Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
Added a fix on Linux for starting the browser from Enlightenment.
Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.
User interface:
Added a menu option to restart the browser.
Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
Changed Windows' browser CSS sheet ot use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser 's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
Cleaned up some dead code for the plugin updater that no longer exists.
Fixed a text direction issue in preferences.
Fixed an issue with disabled context menu entries after using Customize...
Reorganized and cleaned up the status preferences.
Media:
MSE Media updates (ongoing). We are focusing on improving MP4 handling.
Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
Fixed a number of searching issues in MP3 files
Fixed a few crashes.

New in Pale Moon 27.5.0 Alpha 1 (Sep 26, 2017)

CHANGES/FIXES:
Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
Fixed a regression re: domains allowed to/blocked from installing add-ons.
Fixed several internal errors thrown in the front-end.
Fixed several minor issues in the devtools.
Fixed a number of minor issues in the devtools.
Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
Added an option to control add-on blocklist behavior (Options -> Security)
Added DOM function isSameNode().
Added DOM onvisibilitychange event.
Added document.scrollingelement (CSSOM).
Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
Added "Open in new private window" to bookmarks, feeds and history entries.
Added HTTP request method OPTIONS.
Added an option to exit to a no-content page after encountering a network or security error.
This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues.
Improved the handling of several CSS selectors.
Changed session storage to remember form data for https sites by default.
Added (yet another) trap prevention method to onbeforeunload events.
Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
Fixed not being able to deselect loading bookmarks in the sidebar.
Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
Fixed a number of potential crash points.
Improved the security of the Windows dll loader module.
Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
Made URL matching more liberal in selected text to make it easier to open stated addresses.
Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
Please be aware that https-filtering antivirus may interfere with future application updates as a result.
Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
Fixed a problem with some H.264 media not playing (SPS NAL).
Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
Improved context search on selected text/links.
Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites.
Added a fix on Linux for starting the browser from Enlightenment.
Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.
User interface:
Added a menu option to restart the browser.
Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
Changed Windows' browser CSS sheet ot use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser 's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
Cleaned up some dead code for the plugin updater that no longer exists.
Fixed a text direction issue in preferences.
Fixed an issue with disabled context menu entries after using Customize...
Reorganized and cleaned up the status preferences.
Media:
MSE Media updates (ongoing). We are focusing on improving MP4 handling.
Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
Fixed a number of searching issues in MP3 files
Fixed a few crashes.

New in Pale Moon 27.3.0 (May 22, 2017)

Changes/fixes:
Fixed up, checked and enabled vertical text writing modes!
Pale Moon will now be able to display vertical, right-to-left script.
Added the option to reset non-default profiles.
Fixed various issues in the WebP image decoder.
Added internally-supported document types to allowed types.
Fixed locale selection in ICU after update to ICU58.
(Note: Pale Moon uses the system locale for date formatting, not the browser locale)
Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
Ongoing fixes for the MP4 parser and MSE.
Made HTML Media Elements' preload attribute MSE-spec compliant.
The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
Fixed some issues with Windows WMF media playback.
Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
Fixed display of RSS folder icons.
Fixed issues with custom context menus.
Fixed an issue importing bookmarks with separators losing their extra data.
Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
0 = load restored tab data from cache (current behavior, default)
1 = refresh restored tab data from the network
2 = refresh stored tab data from the network and bypass any cached data.
Improved upon a v27 performance regression with SVG scaling.
Improved performance by being more selective which CSS animations to process.
As a side-effect, elements changing their display from "none" to something visible now also animate.
Increased memory allocation for the use of very large PAC files.
Added menu entries for the permissions manager and improvements to its function and display.
Added preferences to control "highlight all" behavior of the find bar:
accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default.
accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All.
Added devtools command-line options.
Added remote IP and protocol to Devtools->Network entry details.
Added support for and HTML tags.
Fixed a regression in the MSIE profile migrator.
Removed migration of browser-specific settings when migrating data from IE/Safari.
Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues due to the current conflicting text of it).
Made the image document favicon skinnable.
Aligned DOM selection addRange with the spec.
Exposed mozAnon constructor js binding to system scopes for XHR.
Enhanced form data handling from JavaScript.
Security/privacy changes:
Updated NSS to 3.28.4-RTM to address a number of issues.
Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
Added an option to display punycode domain for IDN websites to combat phishing.
This is enabled by default for domain-validated https sites.
Preference: browser.identity.display_punycode
0 = Display IDN name in identity panel (previous behavior)
1 = Display punycode name for DV SSL domains (default)
2 = Also display punycode for HTTP sites if IDN name used
Fixed an issue to prevent contacting remote servers when a connection might get blocked.
Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
Fixed several memory- and thread-safety hazards.
Fixed an address bar spoofing issue. (CVE-2017-5451)
Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
Fixed a potentially exploitable issue in graphite font shaping.
Fixed a potentially exploitable crash with credential-authentication.
Fixed out-of-bounds access with text selection in rare cases.
Fixed a security hazard in the ANGLE library.

New in Pale Moon 27.2.1 (Apr 3, 2017)

New in Pale Moon 27.2.0 (Mar 19, 2017)

Changes/Fixes:
Updated the ICU lib to 58.2 to fix a number of issues.
Added proper control for the user for offline storage for web applications.
Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
Added the feature to pass a URL to open in a private window from the command-line.
Improved the display of the downloads indicator on the button in bright-text situations.
DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
Allowed toolbar button badges to be properly styled.
Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
Fixed desktop notifications being off-screen if fired in rapid succession.
Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
Added support for JPEG-XR images.
This makes Pale Moon have the broadest support for image formats of all web browsers.
(enabled by default; you can disable this with media.jxr.enabled).
Completely removed the use of GStreamer on Linux.
Added support for element.innerText.
Custom toolbars should now properly remember their state.
Fixed some more playback issues with MP4/MSE videos.
Please be aware that we are still working on further improving MSE video handling.
Changed media processing to reduce dangerous processing asynchronicity.
This should also make media elements and playback more responsive.
Fixed a useragent string regression always displaying the minor Goanna version as .0
Updated NSPR to 4.13.1.
Updated NSS to 3.28.3-RTM.
Fixed unrestricted icon sizes in PMkit buttons.
Fixed unresponsive buttons on support page when not building the updater.
Fixed the use of "View image" and "Save image as" on extremely large images.
Changed the way "View Image" and "Save image as" work on canvas elements.
Made checking for dangerously large resolution PNG images smarter.
It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
Converted several hard-coded URLs to preferences.
Updated the google.com override so it would not cripple services based on UA sniffing.
Added Inner and Outer Window ID administration.
Fixed the add-on discovery pane detection.
Added support for canvas ellipse.
Improved drawing of certain MathML elements at problematic zoom levels.
No longer building gamepad support.
Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
Aligned SVG specular filters with the spec.
Security/privacy changes:
Added support for 256-bit AES-GCM encryption.
Added support for ChaCha20-Poly1305 encryption.
Removed support for Camellia-GCM since nobody seems interested in it.
(Camellia in 128/256-bit CBC block mode is still fully supported).
Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
Fixed print preview hijacking. (CVE-2017-5421)
Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
Fixed crash in directional controls. (CVE-2017-5413)
Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
Fixed the use of an uninitialized value. (CVE-2017-5405)
Fixed a buffer overflow. (CVE-2017-5412)
Fixed a UAF situation. (CVE-2017-5403)
Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
Fixed a potential issue with HTTP auth. (CVE-2017-5418)
Fixed several memory safety hazards and potentially exploitable crashes. DiD

New in Pale Moon 27.0.3 (Jan 9, 2017)

Changes/fixes:
Fixed certain network errors not displaying.
Fixed network error page styling.
Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
Disabled downloadable font unicode-ranges on non-Windows platforms.
Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions who rely on this (e.g. Stylish).
Fixed and updated preferences for location bar suggestions.
Fixed several x64-specific issues in memory allocation code (regression fix).
Fixed timer issues when resuming a computer from stand-by (regression fix).
Fixed a number of branding and textual issues in the browser.
Fixed prompting for the saving of off-line data (previously always allowed without prompting).
Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.
Security-related and crash fixes:
Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
Fixed CSP bypass using the marquee tag (CVE-2016-9895).
Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
Fixed an error in the buffer logic in http-chunked decoder.
Fixed a crash in generational GC code (not in use by default) DiD
Fixed a compartment mismatch bug in plug-in code
Fixed a crash trying to get a nonexistent property.
Improved MediaRecorder's observer safety.
Fixed a crash related to document history.
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

New in Pale Moon 27.0.2 (Dec 6, 2016)

New in Pale Moon 27.0.1 (Nov 29, 2016)

New in Pale Moon 27.0.0 (Nov 24, 2016)

New and updated features:
Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
Pale Moon now fully supports HTTP/2.
Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
Media Source Extensions have been implemented to solve many video playback issues.
This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
Support for SSL/TLS connections to proxy servers.
Support for the WOFF2 font format for downloadable fonts.
The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.
Removed support/features:
Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
Removed the internal PDF (pre)viewer. This module was not maintained, was unable to display even half of the PDF documents correctly, and could not reasonably remain included in the browser. Please use a separate reader and/or install a PDF reader plugin.
Disabled building of the devtools. They will not be included in release versions of Pale Moon from this point forward. If you are a web developer or otherwise need those tools, fear not! They are available as a browser extension.
Removed the active XSS filter. This feature, although effective, was prone to some instability and needs to be rewritten for the update of our platform. It may or may not return in the future, depending on whether the original author has time to rewrite parts of this filter implementation.
Removed support for Add-on SDK extensions (JetPack extensions), considering the Mozilla/Gecko SDK is no longer compatible with our combination of application and platform code.
Security highlights:
All relevant security fixes up to and including Firefox 50 have been ported across from Mozilla to continue to provide an as secure as possible browser.
Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
There's a new option and control to determine whether to save zone information (marking files as "downloaded from the Internet") on downloaded files (Windows+NTFS). You can find this in Options.
Other important notes:
Pale Moon 27 will initially only be available in English. We are working on getting localization done to have language packs available over time.
Important: You can not use the previous language packs since many strings have changed. Trying to do so will likely prevent the browser from starting or functioning. Pale Moon will automatically disable language packs for the previous version, but if you have explicitly disabled add-on compatibility checking you may run into trouble.
We will continue to fully support the following:
NPAPI plugins
Extensions with binary/XPCOM components
XUL/Overlay and bootstrapped extensions
Complete themes
Unsigned and author-signed extensions
The Camellia encryption cipher (also in GCM mode)
Graphite font shaping
Sync 1.1 (albeit without support for syncing add-ons)
Full customization of the UI as before

New in Pale Moon 26.5.0 (Sep 30, 2016)

New in Pale Moon 26.4.0.1 (Sep 8, 2016)

New in Pale Moon 26.4.0 (Sep 8, 2016)

New in Pale Moon 26.3.3 (Jul 22, 2016)

New in Pale Moon 26.3.1 (Jun 30, 2016)

New in Pale Moon 26.3.0 (Jun 30, 2016)

New in Pale Moon 26.2.2 (May 12, 2016)

New in Pale Moon 26.2.1 (Apr 20, 2016)

New in Pale Moon 26.2.0 (Apr 20, 2016)

Changes:
Implemented the URL API that's needed for a number of websites.
Changed internal keystroke handling within the spec to better align with generally expected behavior.
This should fix the infamous "backspace" issue on Facebook.
Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing.
From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported).
Re-styled about:sessionrestore to use more available screen real estate for tab info.
Added an option to use the mousewheel for horizontal scrolling (mouse action value 4).
(e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally)
Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons.
Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages.
Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us.
Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly)
Fixed several issues with the default theme causing problems with behavior due to styling (thanks, Antonius32) (Issue #384 and friends)
Fixed some miscellaneous issues in the internal jemalloc implementation.
Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now)
Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings.
Fixed layout of reflowed comboboxes without enough space.
Fixed a crash related to flexboxes overflowing themselves. (Issue #396)
Added a simple implementation for Weak Messagelisteners. (Issue #399)
Fixed a crash for losing our cache entry while finishing up compression.
(re-apply after unintentional back-out switching to Goanna)
Portable only: Removed compression of the browser components library after some reports that in certain configurations and environments it was causing issues with the browser.
Security fixes:
Updated the graphite font library to 1.3.7+ to solve CVE-2016-2796 and no less than 14 of its friends.
Updated NSS to 3.19.4.2-PM to address several vulnerabilities (UAF, heap overflow).
Updated libvorbis to a much more recent version to fix multiple issues.
Crash fix and DiD fixes by holding strong references to objects in suspect places in the HTML parser. (CVE-2016-1961) (ZDI-CAN-3574)
Fixed several out-of-bounds issues in the VP8 decoder.
Fixed a potentially exploitable crash in XML/XSLT handling.
Applied some Kung Fu to HTML animations and transitions to prevent memory hazards.
Fixed applicable Mozilla code vulnerabilities CVE-2016-1965, CVE-2016-1960 (ZDI-CAN-3545), CVE-2016-1966, and CVE-2016-1963.

New in Pale Moon 26.1.1 (Feb 27, 2016)

New in Pale Moon 26.1.0 (Feb 27, 2016)

Changes/fixes:
Disabled our ES6 Promise implementation introduced in 26.0 since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward.
Improved website compatibility with many sites and web applications by making our cookie gate less strict.
Fixed web compatibility with Google Hangouts and Yahoo Calendar.
Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media.
Fixed a few rare crashing issues on Windows due to the build process.
Reduced so-called "jank" on inner frame scrolling reflows.
Extension compatibility: partial implementation of Firefox 26 download js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!)
Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!)
Updated the default theme to tweak/improve it some more (Thanks, Antonius32!)
Security fixes:
Updated the Graphite2 font library to 1.3.5+ to fix a number of vulnerabilities (and some font bugs).

New in Pale Moon 26.1.0 Beta 1 (Feb 18, 2016)

New in Pale Moon 26.0.0 (Jan 27, 2016)

GENERAL RELEASE NOTES:
Pale Moon is now building on the new Goanna engine instead of Gecko. Although close relatives in terms of web technology, they are not the same under the hood and any reports of bugs with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the bugs and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum.
We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should more than cover the common languages spoken around the globe. You will need to update your language packs!
Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway.
FIXES/CHANGES:
The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas.
The browser user interface has received updates, making it more compatible with Windows 10 in many respects and more in line with the general styles of the operating system version it is run on in terms of the shapes of controls and color setting.
Updated graphics/media support: Pale Moon now supports the WebP image format, properly scales EXIF rotated JPEGs, has updated support for different WebGL texture formats, improved scaling of vector images, updated libpng, libjpeg-turbo, libvpx, and misc other upstream libraries/modules, and more!
Added support for Ruby annotations. If you need this functionality, set the about:config preference browser.ruby.enabled to true, and restart the browser.
Added conservative image decoding: it will now only decode images that are (almost) in view, greatly improving overall memory use and initial loading of graphics-heavy pages.
Aligned 3D CSS transforms and perspective with the spec.
JavaScript improvements: added basic support for ES6 Promises, added element.matches(), updated property assignments, added Bin/Oct literals in Number(), improved performance of TypeOf calls, improved GC memory shrinking, improved memory allocations, improved RegEx performance and compatibility, and more!
Added CSS media queries to determine the OS the browser is running on, allowing theme designers to make specific changes based on OS at run-time.
Added a control preference for onunload= events as dom.disable_beforeunload. This allows you to completely disable events fired when leaving a page.
Changed the memory allocator to the (faster) system allocator on modern operating systems.
Improved the handling of very large numbers of tabs.
Added Ecosia as a "green" search engine alternative for the environmentally aware surfer.
Autoplay of media now has a separate control preference for scripted content as media.autoplay.allowscripted, to block script-initiated autoplay of media.
Library changes:
The library now has a scope bar (pops up when searching) with the option to select what you want to search in (either bookmarks or history) and the option to save your searches.
By default, there will be a history menu drop-down in the browser's user interface next to the bookmarks one.
Added "Containing folder" and "Containing folder path" columns so you can see exactly where a bookmark is located at a glance when searching (after enabling the columns).
SECURITY UPDATES:
Added support for 128-bit Camellia-GCM ciphers in addition to the existing CBC ciphers to offer a more internationally diverse choice of secure encryption ciphers than just AES.
Added an advanced, active XSS (cross-site scripting) filter. Pale Moon will now check for XSS attacks and block XSS content in the resulting pages. This is brand-new technology and feedback on this filter specifically (e.g. bugs, false positives, etc.) should be posted in the dedicated thread on the forum for this feature. Please also see that thread for details on how to use and control this filter.
Distrusted several root certificates in accordance with security best practice.
Aligned cookie acceptance with RFC 6265 §4.1.1. We still make an exception for allowing spaces and double quotes in cookie values, but this will be made more strict in the future for full spec compliance. If you are a web designer and use cookies, please verify that you are RFC compliant in terms of both cookie names and cookie values, or the browser may reject them.
Removed several hazardous modules like the maintenance service and the identity module.
Ported all security updates from Mozilla that are applicable/relevant to our code base (up to and including all security issues made known to us until now). Considering v26 has been kept updated over its long development until release, the list of fixes/CVEs would be too exhaustive to list in these release notes individually.

New in Pale Moon 25.4.0b3 Build 2515.5.2 Beta (May 4, 2015)

New in Pale Moon 25.3.1 Build 2015.03.26 (Mar 26, 2015)

New in Pale Moon 25.3.0 Build 2015.03.20 (Mar 20, 2015)

Fixes/changes:
Overhauled WebGL. It now properly supports depth textures, shadow mapping and glow shaders.
Note that older operating systems or older/embedded video processors may be limited in their support of these features.
Updated the ANGLE library to a much more current version.
Removed the crash reporter code completely to improve overall browser responsiveness and operation.
Please note that a necessary victim of this has been the in-browser (devtools) SPS profiler because of its reliance on crash reporter data-gathering tools.
Removed the Mozilla Plugin Finder Service (no longer in use @Mozilla).
Android: removed the Mozilla "product announcements" service.
Re-added control of the number of concurrent tabs to be restored from a session with browser.sessionstore.max_concurrent_tabs (accepted values 1-10)
Significantly improved performance and accuracy of date/time/timer handling.
Significantly improved performance of the creation of DOM elements with plain text content.
Added several significant performance optimizations for arrays and strings in javascript.
Added several code performance optimizations and bugfixes in SVG, the presentation shell, SCTP, style gradients and CSS parsing routines. (Thanks, Axiomatic!)
Added an "Open link in current tab" context menu entry on links for UI consistency.
Updated styling of the browser with personas (lightweight themes) once more to improve display in tabs-on-top mode, improve overall legibility of tab text, and display of inverted close buttons on some controls on dark personas.
Added a special case check for the Flash plugin version check on Linux failing due to commas instead of periods in the version string.
Added Windows 10 compatibility in executable manifests.
Android: Fixed a crash on GL canvas surfaces.
Fixed incorrect Sync "howto" instruction links from the Sync dialogs.
Fixed the color of selected tabs in Linux when personas (lightweight themes) are in use that do not match the overall tone of the OS system theme.
Fixed a bug where a variable in parentheses would abort Javascript parsing.
Fixed a bug where the address bar would incorrectly be cleared.
Fixed padding issues for dropdown lists.
Fixed DNS lookups so proper record types are requested for IPv4 and IPv6.
Security fixes:
Disabled all RC4-based encryption ciphers by default. [More info]
Fixed several miscellaneous memory safety hazards.
(applicable bugs related to CVE-2015-0835 and CVE-2015-0836)
Fixed loading of locally stored DLL files through the internal updater. (CVE-2015-0833)
Fixed a potential crash point in IndexedDB. (CVE-2015-0831) DiD
Fixed a double-free situation when using non-default memory allocators and a 0-length XHR. (CVE-2015-0828)
Note: production builds of Pale Moon were never vulnerable.
Fixed a crash using DrawTarget in the Cairo graphics library. (CVE-2015-0824)
Fixed potential reading of local files through manipulation of form autocomplete. (CVE-2015-0822)
Fixed a potential PNG heap-overflow crash. DiD
Followed up on research regarding CVE-2014-8639 (see 25.2) and made cookie handling through proxies more restrictive again.

New in Pale Moon 25.2.1 Build 2515.1.31 (Feb 4, 2015)

Fixes/changes:
ES6: Added the following functions:
Array.prototype.find and Array.prototype.findIndex
IsConstructor(arg)
Array.of(items...)
Number.parseInt and Number.parseFloat
Advanced math functions: hyperbolic sin/cos/tan/asin/acos/atan, hypotenuse, cube root, expm1, log1p, log10, log2, sign and trunc
Map.prototype.forEach and Set.prototype.forEach
ES6: Added the following number constants: EPSILON, MIN_SAFE_INTEGER and MAX_SAFE_INTEGER
ES6: Added the use of binary and octal numeric literals (&b... and &o...)
ES6: Updated behavior of accessing indexed values in accordance with the spec.
CSS: Added overflow-clip-box:content-box|padding-box
DOM: Added table.createTBody() function
Added a clearer alltabs button for dark personas.
Added a development tools toggle hotkey (F12)
Added a preference prompts.tab_modal.focusSwitch to enable or disable tab switching when a modal dialog (e.g. javascript confirmation) is presented in a page.
IonMonkey on Android: fixed the implementation of AbsI.
IonMonkey: fixed a bug where actively used objects were discarded.
Fixed register initialization to prevent incorrect detection of SIMD instructions on some CPUs.
Optimized some loops in the spell checker to increase performance.
Simplified cache handling, updated cache parameters to better reflect current web use, and enabled automatic cache sizing by default.
Adjusted memory cache sizing to better reflect capacities of current hardware.
Updated UserAgent override workarounds for Netflix and FaceBook to fix some site issues.
Aligned programmatic access to geolocation with the spec.
Fixed a crash when being fed a data file (XML) with too deeply nested tags.
Fixed a crash in HTML5/WebAudio that affected some games.
Fixed a crash when programmatically collapsing elements.
Fixed a few non-breaking bugs related to e10s code.
Fixed text input/padding issues.
Updated surround downmixing code for Vorbis.
Improved tolerance in WebAudio for loading multichannel audio files.
Android: Fixed an issue with Flash, it should now run on more devices.
Updated the DDG search plugin to make the actual query be the last parameter in the address bar for easy editing after a search has been performed.
Removed some unused update channel code.
Updated branding to more clearly indicate Pale Moon's trademark.
Updated some licensing texts in-browser to properly reflect used code and rights.
Security/privacy fixes:
Added a preference network.stricttransportsecurity.enabled to enable or disable the use of HSTS (HTTP Strict Transport Security), allowing users to choose between privacy and security in this matter. (hidden pref)
Fixed CVE-2014-1589 by whitelisting XBL bindings that may be applied to untrusted content.
Important: extension developers should read this related thread.
Fixed CVE-2014-1593.
Mac: fixed CVE-2014-1595.
Fixed CVE-2014-8639 by adjusting cookie handling through proxies.
Fixed CVE-2014-8636.
Fixed several memory safety hazards that do not have CVE numbers.

New in Pale Moon 25.1.0 Build 2514.11.30 (Dec 11, 2014)

This is an important update after rapid development on the back-end to keep pace with the current changes on the web and improve compatibility with websites.
Fixes/changes:
New feature: multi-line flexbox support.
Pale Moon now supports more advanced multi-line and multi-column flex elements. This will allow websites to use these elements for easier responsive design of web pages and ordering/layout of multiple elements. This has been on Pale Moon's to-do list for a while but was rather complex to tackle, hence the delay in implementation. This should address layout issues on several recently-updated websites (e.g. the MSN home page).
New feature: added support for collapsed flex element items.
Enhanced feature: Content Security Policy (CSP)
Pale Moon now fully supports the CSP 1.0 specification allowing websites to set restrictions on content to prevent XSS (Cross-site scripting) attacks. Previously, the implementation in Pale Moon was partial, and did not support a number of features, resulting in some websites not rendering properly because Pale Moon was being too strict in enforcing the policy. This should address issues on websites enforcing CSP (e.g. the Dropbox web interface and FaceBook galleries).
New feature: added support for iframes with inline content.
Updated the Firefox Compatibility mode version to 31.9.
With the improvements in rendering and overall feature set, the Firefox Compatibility mode (as presented in the UserAgent string) has been bumped to prevent websites from complaining about "using a too old/unsupported version of Firefox" (e.g. Google websites).
Pale Moon no longer builds the so-called "media navigator" by default.
This module provides access to the user's webcam and microphone. Although it can be used for other purposes, in practice this is only used for WebRTC and, in fact, its support (GetUserMedia) is often mistaken for actually supporting WebRTC in a browser (causing errors since Pale Moon does not support WebRTC). No longer including these features reduces input complexity and overhead for a feature not actively used. This also circumvents privacy concerns/confusion like CVE-2014-1586.
Improved tab handling on lightweight themes (personas) some more to enhance contrast on certain themes and to make the tab hover effect slightly more distinct.
Fixed oversized/blocky menu arrows on Windows 8.1 in HiDPI mode.
Fixed incorrect operating system being passed on to addons.mozilla.org.
Fixed an error being thrown in the error console/web console when opening a new window.
Removed the NVidia 3D Vision auxiliary utility library.
This library has been the likely cause for a number of crashes on NVidia cards, and is completely unnecessary for Pale Moon.
Made the installer less aggressive for file type associations, to prevent "stealing" of globally associated file types.
Android: improved restoring of session tabs.
Android: added an option to automatically restore tabs.
An important thing to note with this new option is the following: with the option enabled, Pale Moon will now automatically restore tabs you had open previously when the app gets suspended (pushed out of memory by other apps, closed by swipe, etc.). The "quit" main menu option, however, completely shuts down your session, unloads Pale Moon from active memory, and tabs will not be automatically restored when you launch Pale Moon again. This is by design. To restore tabs in that situation, use the link from the home screen.
Fixed memory security hazards CVE-2014-1574 and CVE-2014-1575 security fix
Fixed CVE-2014-1581. security fix
Fixed bug 1069584: Bail if a cairo surface is in an invalid state. security fix
Made sure to initialize surfaces for draw targets. security fix
Fixed CVE-2014-1594: Use AsContainerLayer() in order to avoid a bad cast. security fix
Fixed several problems in the HTML parser. security fix
Improved security of XHR by filtering out types of requests that can potentially be abused. security fix