Basilisk Browser 2021.03.11 (March 11, 2021) Download Release Notes Spoiler: Changes v2021.03.11 v2021.03.11 Published 2021-03-11 This is a development, bugfix and security update. Added support for missing ES2019 JavaScript functions and specifications. Fixed an issue with useragent updates. Folder uploads through input elements now require user interaction on Windows 10. Mitigated a potential problem with history location/state change updates if used in rapid succession. Fixed a problem with WebCrypto failing to work properly with AES-GCM. Updated various libraries for compatibility and security. Fixed several memory safety hazards and potential browser crashes Security issues fixed: CVE-2021-23973, CVE-2021-23974. Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 19 not applicable.
Basilisk Browser 2021.04.27 (April 27, 2021) Download Release Notes Spoiler: Changes v2021.04.27 v2021.04.27 Published 2021-04-27 This is a development, bugfix and security update. Enabled the scrollbar-width CSS keyword by default. Removed unit restriction on SVG width and height attributes. Implemented prefers-color-scheme CSS keyword (defaults to "light"). Added CSS values smooth, high-quality and pixelated to the image-rendering keyword. Implemented Intl.NumberFormat.formatToParts() to allow deconstruction of localized number formats by scripts. Reinstated the dom.details_element.enabled preference and fixed a rendering issue with summary/details html elements. Fixed an issue with CSP .nonce attributes on elements. Added port restrictions for WebRTC PeerConnections to prevent network abuse through WebRTC connections. Fixed an overflow in clip paths, potentially causing them to be rendered incorrectly. Added a warning to opening from history if it would spawn many new tabs. Fixed forcing an icon type image even for invalid icons in search plugins. Security issues addressed: CVE-2021-23986, CVE-2021-23981 and defense-in-depth fixes for CVE-2021-29946, CVE-2021-23994, several crashes and potential document parser confusion. Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 5 defense-in-depth, 21 not applicable.
Basilisk Browser 2021.07.19 (July 19, 2021) Download Release Notes Spoiler: Changes v2021.07.19 v2021.07.19 Published 2021-07-19 This is a development, bugfix and security update. Enabled brotli compression for http for sites that support it. Implemented EventTarget as a constructor. Updated Windows 10 toolkit styling. Updated the port blacklist (removed 10080). CSS: Implemented calc() and animation support for stroke-dashoffset. Added support for checking boolean preferences to chrome CSS style sheets, to support more advanced theming options. Added support for dynamic dark color capable themes in CSS. Updated ResizeObserver implementation to a more recent specification. Removed a metric ton of Macintosh code. Removed obsolete system theme support from the layout engine. Fixed several crashes. Linux: blocked particularly old versions of Mesa/Nouveau drivers due to issues. Security issues addressed: CVE-2021-30547 and several other issues that don't have a CVE number. Unified XUL Platform Mozilla Security Patch Summary: 3 fixed, 3 DiD, 2 deferred (DiD), 12 not applicable.
Basilisk Browser 2021.09.27 (September 27, 2021) Download Release Notes Spoiler: Changes v2021.09.27 v2021.09.27 Published 2021-09-27 This is a development, bugfix and security update. Implemented promise.allSettled(). Implemented global origin on windows and workers. Improved performance of memory allocations. Updated SQLite to 3.36.0. Fixed several crashes. Security issues addressed: CVE-2021-38492. Mozilla Security Patch Summary: 1 fixed, 7 DiD, 22 not applicable.
Basilisk Browser 2021.11.14 (November 14, 2021) Download Release Notes Spoiler: Changes v2021.11.14 - v2021.11.13 v2021.11.14 Published 2021-11-14 This is a bugfix update. Fixed overall browser bustage due to branch confusion and telemetry removal. v2021.11.13 Published 2021-11-13 This is a development, bugfix and security update. Fixed several intermittent thread sanity issues. Added a preference to enable compatibility mode with earlier TLS 1.3 specifications. Fixed several potentially crashy code issues (DiD). Security issues addressed: CVE-2021-38508 and CVE-2021-38503. Mozilla Security Patch Summary: 3 fixed, 5 DiD, 19 not applicable.
Basilisk Browser 2022.01.27 (January 27, 2022) Download Release Notes Spoiler: Changes v2022.01.27 v2022.01.27 Published 2022-01-27 This is a security update. Important: This is the final public release of Basilisk from the original developer. As such, it comes without an internal updater and will not check for future updates to the application. To remain updated and secure, it is recommended at this point that you look for a different web browser like Pale Moon to continue browsing in a safe and secure manner. Be mindful of hacks: There are currently no people eligible to continue Basilisk as a product under the Basilisk name. If you see any future updates claiming/pretending to be official Basilisk or an official continuation, they are most likely scams and should not be trusted with your browsing. Improved application library loading security. DiD Fixed an issue in JavaScript serialization. DiD Fixed a potential out-of-bounds issue in IndexedDB. DiD Fixed a potential issue in widget data handling code. DiD Fixed potentially exploitable crashes in handling truncated/corrupt media files or streams. Fixed an issue in the DOM FileReader code. Updated NSS to 3.52.3 to address a security issue. Updated the installer to fix a rights elevation issue. Fixed the following security issues: CVE-2022-22736, CVE-2022-22741, CVE-2021-4140, CVE-2022-22746, CVE-2022-22744 and CVE-2022-22747.
Basilisk Browser 2022.08.06 Released (August 6, 2022) Download Release Notes Spoiler: Changes v2022.08.06 v2022.08.06 Published 2022-08-06 This is a major update. Very Important: This is the first public release from the Basilisk Development team. As such, the vendor name in the application has changed. This means the profile directory has changed. See here for more info. You will have to perform a manual update if you are currently running Basilisk 2022.01.27 as it was compiled without an updater. Note: Many things have changed since 2022.01.27 and 2022.08.06. We've tried to note all changes here but it is very likely something was missed. Fixed several application crash scenarios. DiD Fixed a number of thread locking/mutex issues. DiD Fixed a leak of content types due to inconsistent error reporting. (CVE-2022-22760) Fixed an issue with iframe sandboxing not being properly applied. (CVE-2022-22759) Fixed a potential leak of bookmarks from the exported bookmarks file if it included a malicious bookmarklet. Fixed an issue with drag-and-drop. (CVE-2022-22756) Fixed a potential crash due to truncated WAV files. Fixed a memory safety issue with XSLT. (CVE-2022-26485) Fixed a potential crash issue on bing.com. Fixed some thread locking issues. DiD Worked around a Mesa driver bug that could cause crashes. Fixed a potential resource access issue in devtools. DiD Security issues with CVEs addressed: CVE-2022-1097, CVE-2022-28285 (DiD) and CVE-2022-28283 (DiD). Implemented Global Privacy Control, taking the place of the unenforceable "DNT" (Do Not Track) signal. Through GPC, you indicate to websites that you do not want them to share or sell your data. Implemented "optional chaining" (thanks, FranklinDM!). Implemented setBaseAndExtent for text selections. Implemented queueMicroTask() "pseudo-promise" callbacks. Implemented accepting unit-less values for rootMargin in Intersection observers for web compatibility, making it act more like CSS margin as one would expect. Improvements to CSS grid and flexbox rendering and display following spec changes and improving web compatibility. Improved performance of parallel web workers in JavaScript. Improved display of cursive scripts (on Windows). Good-bye Comic Sans! Updated various in-tree libraries. Added support for extended VPx codec strings in media delivery via MSE (RFC-6381). Fixed a long-time regression where the browser would no longer honor old-style body and iframe body margins when indicated in the HTML tags directly instead of CSS. This improves compatibility with particularly old and/or archived websites. Fixed several crashes and stability issues. Removed all Google SafeBrowsing/URLClassifier service code. Restored Mac OS X code and buildability in the platform. Removed the non-standard ArchiveReader DOM API that was only ever a prototype implementation. Removed most of the last vestiges of the invasive Mozilla Telemetry code from the platform. This potentially improves performance on some systems. Removed leftover Electrolysis controls that could sometimes trick parts of the browser into starting in a (very broken) multi-process mode due to some plumbing for it still being present, if users would try to force the issue with preferences. Obviously, this was a footgun for power users. Removed more Android/Fennec code (on-going effort to clean up our code). Removed the Marionette automated testing framework. Security issues addressed: CVE-2022-29915, CVE-2022-29911, and several issues that do not have a CVE number. Implemented "nullish coalescing operator" (thanks, FranklinDM!) for web compatibility. Fixed various crash scenarios in XPCOM. Fixed an important stability and performance issue related to hardware acceleration. Fixed a long-standing issue where dynamic datalist updates for <select> and similar elements wouldn't properly update the option list. Disabled broken links to MDN articles in developer tools. Updated media support to include support for libavcodec 59/FFmpeg 5.0 for MP4 playback on Linux (thanks, Travis!) Enabled the date picker for <input type=date>. See implementation notes. Re-enabled the use of FIPS mode for NSS. See implementation notes. Improved memory handling and memory safety in the JavaScript engine, further reducing current and future crash scenarios. Improved memory handling in the graphics subsystem of Goanna. Updated FFvpx to v4.2.7 Slightly reduced strictness of media checking for improved compatibility with questionable "gif" video encoders used on major websites. Cleaned up the way file pickers (file open/save/save as dialogs) are handled on Windows. Restored the gMultiProcessBrowser property of the browser for Firefox extension compatibility. See implementation notes. Improved the way data is transferred to and from canvases to prevent memory safety issues. Reduced blocking severity for some extensions that were marked hard blockers for GRE (but aren't for UXP). Security issues addressed: CVE-2022-31739, CVE-2022-31741, and other security issues that do not have a CVE number. Updated the list of blocked external protocol handlers to combat abuse of OS-supplied services on Windows. Fixed a potential issue with revoked site certificates when connecting through a proxy. Updated site-specific user agent overrides to work around bad sniffing practices of dropbox and vimeo. Security issues addressed: CVE-2022-34478, CVE-2022-34476, CVE-2022-34480 DiD, CVE-2022-34472, CVE-2022-34475 DiD, CVE-2022-34473 DiD, CVE-2022-34481 and a memory safety issue that doesn't have a CVE number. Implemented CSS white-space: break-spaces for web compatibility. Implemented Intl.RelativeTimeFormat for web compatibility. Implemented "Origin header CSRF mitigation". This is still disabled by default to investigate potential issues with CloudFlare-backed sites. Implemented support for async generator methods in JavaScript. Added preliminary support for building on Apple Silicon like M1/M2 SoC. Added support for building with Visual Studio 2022. Improved the handling of CSS "sticky" elements in tables. Improved stack size limits on all platforms. See implementation notes. Updated function.toString handling to align with the updated JavaScript spec. This should improve web compatibility. Updated Unicode support to Unicode v11, and updated the ICU library accordingly. Building without ICU is no longer supported. Updated many in-tree third-party libraries to pick up various performance and stability improvements. Updated site-specific user-agent overrides to work around issues with Google fonts, Citi bank (again!) and MeWe. Removed some leftover (and unused) telemetry code in the platform and front-end. Fixed an issue with VP9 video playback on Windows on some systems. Fixed an issue with the add-ons manager not properly handling empty update URLs. Fixed a major performance regression on *nix based systems due to incorrect thread handling. Fixed volume handling when building with the sndio audio back-end. Cleaned up some unnecessary code from the source tree for unused build back-ends, Firefox marketplace "apps", and the rather ridiculous moz://a protocol handler. Updated NSS to 3.52.8 to pick up several defense-in-depth security fixes. Basilisk profile directory changed to reflect vendor change in application. Restore ability to build Basilisk on Mac OS X. Removal of telemetry code from Basilisk. UXP Mozilla security patch summary: 11 fixed, 14 Did, 4 rejected, 91 not applicable
Basilisk Browser 2022.09.28 Released (September 28, 2022) Website Download Release Notes Spoiler: Changes v2022.09.28 v2022.09.28 Published 2022-09-28 Implemented .at(index) JavaScript method on built-in indexables (Array, String, TypedArray). Implemented the use of EventSource in workers. Enabled the sending of the Origin: header by default on same-origin requests. Changed how Basilisk is built. We have made build system changes to reduce build times and pressure on the linker on all platforms. Note that Basilisk is not yet built with Visual Studio 2022. This change will be done in the next release. Changed how Basilisk handles standalone wave audio files (.wav). See implementation notes. Improved string normalization. Updated the handling of CSS "supports" to now accept unparenthesized strings (spec update). Updated the handling of flex containers in web pages for web compatibility. Fixed various issues when building for Mac OS X. Fixed various C++ standard conformance issues in the source code. Fixed several issues building on SunOS and Linux with various configurations and gcc versions. Fixed an issue with regular expressions' dotAll syntax and usage. See implementation notes. Switched custom hash map to std::unordered_map where prudent. Cleaned up and updated IPC thread locking code. Removed spacing for accessibility focus rings in form controls to align styling of them with expected metrics. Removed the unnecessary control module for building with non-standard configurations of the platform. Removed the -moz prefix from min-content and max-content CSS keywords where it was still in use. Updated the search engines included with Basilisk. Basilisk now includes the same search engines as Pale Moon. Fix issue where PDF.js was completely broken in the previous release. Fixed an important stability and performance issue related to hardware acceleration. Implemented Global Privacy Control in the Basilisk settings. Fix issue where the 32-bit Windows installer would not execute on 32-bit Windows systems. Remove Mozilla related default bookmarks. Update default bookmarks. Update compatmode override for Firefox to 102.0. Update user agent overrides to improve compatibility with Facebook. Security fixes: CVE-2022-40956 and CVE-2022-40958. UXP Mozilla security patch summary: 2 fixed, 11 not applicable.
Basilisk Browser 2022.11.04 Released (November 5, 2022) Website Download Release Notes Spoiler: Changes v2022.11.04 v2022.11.04 Published 2022-11-05 Added detection suport for the newly-released MacOS 13 (Ventura). Fixed a potential heap Use-After-Free risk in Expat. (CVE-2022-40674) DiD Fixed potentially undefined behavior in our thread locking code. DiD Fixed a potentially exploitable crash in the refresh driver. Fixed potentially undefined behavior when base-64 decoding. DiD Implemented a texture size cap for WebGL to prevent potential issues with some graphics drivers. DiD Updated site-specific overrides to address issues with ZoHo. UXP Mozilla security patch summary: 1 fixed, 2 DiD, 6 not applicable.
Basilisk Browser 2023.01.07 Released (January 7, 2023) Website Download Release Notes Spoiler: Changes v2023.01.07 v2023.01.07 Published 2023-01-08 Added support for the JPEG-XL image format. Implemented regular expressions lookaround/lookbehind. Aligned CORS header parsing with the updated spec. See implementation notes. We no longer fire keypress events for non-printable keys. See implementation notes. Added support for MacOS 13 "Ventura" in the platform, primarily benefitting White Star. Fixed potentially problematic thread locking code on *nix platforms. Fixed some small issues in the display and operation of the Web Developer tools. Removed unused but performance-impacting panning and tab animation measuring code. (telemetry leftovers) Improved code for SunOS builds. Updated Internationalization data for time zones. Fixed a buffer overflow for Mac builds. Fixed an issue with plugins not receiving keypress events properly. Added some extra sanity checks to our zip/jar/xpi reader to avoid issues with corrupt archives. Aligned cookie checks with RFC 6265 bis. See implementation notes. Removed obsolete code in Windows widgets that could cause potential issues with long paths and file names on supported versions. Fixed several crashes. Security issues addressed: CVE-2022-45411, CVE-2022-46876, CVE-2022-46874 and several others that do not have a CVE number UXP Mozilla security patch summary: 6 fixed, 1 DiD, 1 deferred, 45 not applicable. Implementation notes RFC 6265 has been worked on with draft changes describing how cookies are actually being handled in the real world, in the bis versions of the RFC. While these changes have not yet been finalized, browsers in general do adhere to the latest available bis version of this RFC. Specifically, the long-standing exceptions for cookie names and values have been formalized, e.g. having quoted values. Our behavior has changed in that we now once again accept Tab characters (0x09) which is the one excluded control character from the range that is otherwise forbidden. We also no longer apply these checks exclusively to those in http headers, and any way of setting cookies must now adhere to the valid range. Cookies that fail these range checks for valid characters will be ignored. CORS support has been updated to the current spec. Most importantly, Basilisk now accepts wildcard entries ("*") for the CORS statements Access-Control-Expose-Headers, Access-Control-Allow-Headers and Access-Control-Allow-Method. Note that wildcards are ignored (according to the spec) when credentials are passed. Basilisk will no longer fire the keypress events in content when the key pressed is a non-printable key. This is in response to issues where webmasters would use rudimentary and naïve input-restricting scripts in onkeypress handlers that would not take into account editing keys or navigation keys, causing issues for users trying to enter data into forms (and e.g. finding they could no longer use backspace, cursor keys or tab). This aligns our behavior with other browsers for web compatibility, although it should be considered a website error expecting not all keypresses to be intercepted in keypress events.
Basilisk Browser 2023.01.26 Released (January 26, 2023) Website Download Release Notes Spoiler: Changes v2023.01.26 v2023.01.26 Published 2023-01-26 Most important changes: Implemented Regular Expression named capture groups. Implemented Regular Expression unicode property escapes. Re-implemented Regular Expression lookaround/lookbehind (without crashing this time ;) ). Implemented progressive decoding for JPEG-XL. Implemented animation for JPEG-XL. Renamed CSS offset-* properties to inset-* to align with the latest spec and the web. Fixed CSS inheritance and padding issues in some cases. Aligned parsing of incorrectly duplicated HSTS headers with expected behavior (discard all but the first one). Implemented a method to avoid memory exhaustion in case of (very) large resolution animated images. Updated the JPEG-XL and Highway libraries to a recent, stable version. Cleaned up some unused CSS prefixing code. Improved the ability to link on *nix operating systems with other linkers than gcc's default. Stability improvements (potential crash fixes). Security issues addressed: CVE-2023-23598, CVE-2023-23599 and several others that do not have a CVE number. UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not applicable.
