Pale Moon 27.9.4
Update details:
Changes/fixes:
Updated the useragent for addons.mozilla.org to work around their "Only with Firefox" discrimination preventing users from downloading themes, old versions of extensions, and other files with Pale Moon.
Restricted web access to the moz-icon:// scheme that could potentially be abused to infringe the user's privacy.
Prevented various location-based threats.
Fixed a potential vulnerability with plugins being redirected to different origins.
Improved the security check for launching executable files (by association) on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
Fixed an issue with invalid qcms transforms.
Fixed a buffer overflow using the computed size of canvas elements.
Fixed a use-after-free when using focus().
Added some sanity checks on nsMozIconURI.
Fixed an issue in the case the preferences file in the profile would not be writable (e.g. temporary permission issues due to backup, virus scanning or similar external processes).
Version download: Pale Moon 27.9.4
Pale Moon 27.9.3
Update details:
Changes/fixes:
Ported a patch from libopus upstream.
Fixed an issue with task counting in JS GC.
Fixed a use-after-free in DOMProxyHandler::EnsureExpandoObject.
Portable only: Included the previously omitted registry helper. This may in some cases help with file/type associations.
Version download: Pale Moon 27.9.3
Pale Moon 27.9.2
Update details:
Changes/fixes:
Changed the language strings for softblocked items so people will cry less when we do our job.
Prevent potential SmartScreen bypass on Windows 10.
Fixed an issue in the Downloads panel improperly rendering some Unicode characters, allowing for the file name to be spoofed. This could be used to obscure the file extension of potentially executable files from user view in the panel.
Fixed a vulnerability in the XSLT component leading to a buffer overflow and crash if it occurs.
Fixed an integer overflow vulnerability in the Skia library resulting in possible out-of-bounds writes.
Fixed a use-after-free vulnerability while enumerating attributes during SVG animations with clip paths.
Fixed a buffer overflow during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable extension in order to occur.
Fixed several stability issues (crashes) and memory safety hazards.
Version download: Pale Moon 27.9.2
Pale Moon 27.9.1
Update details:
Changes/fixes:
Removed the unused/incomplete places protocol handler.
Worked around an issue with MSE media without a Track ID. This should help with the playability of some live streams.
Ported across jemalloc improvements from UXP.
Ported across cairo mutex improvements from UXP.
Added support for FFmpeg 4.0/libavcodec 58.
Added a fix for Windows 10's "isAlpha()" not being what one would expect in v1803.
Version download: Pale Moon 27.9.1
Pale Moon 27.9.0
Update details:
Changes/fixes:
Fixed a number of spec compliance issues in our media subsystem.
Added a trailing slash to referrers when policy is set to fix some web compatibility issues.
Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
Updated RegExp(RegExp object, flags) to the ES6 standard specification.
Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old pmsync.palemoon.net Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address (pmsync.palemoon.org) when upgrading.
Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
Added a fix to switch to the correct window/tab when a web notification is clicked.
Changed the placeholder text to not include "Search" when all search functions from the address bar are disabled.
Enabled the use of Skia for canvas on Linux and OSX.
Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I'm looking at you, Noto fonts!).
Added a workaround for incorrectly-encoded JPEG-XR images with planar alpha. Ultimately, the jxrlib reference implementation should be fixed to encode according to spec.
Aligned XCTO:nosniff allowed script MIME types with the updated spec.
Improved the logic for storing vector images in the surface cache.
Fixed character set handling for XMLHttpRequests.
Version download: Pale Moon 27.9.0
Pale Moon 27.8.3
Update details:
Changes/fixes:
Backed out some responsive layout code that caused intermittent but not uncommon crashes in the browser depending on window sizes and page content.
Version download: Pale Moon 27.8.3
Pale Moon 27.8.2
Update details:
Changes/fixes:
Privacy fix: prevented update checks for the default theme.
Added a user-agent override for Dropbox to improve compatibility with their service.
Fixed an issue with mouseover handling related to (CVE-2018-5103).
Disabled the Mac OSX Nano allocator.
Fixed (CVE-2018-5129) OOB Write.
Updated the lz4 library to 1.8.0 to solve potential issues.
Fixed (CVE-2018-5137) Path traversal on chrome:// URLs.
Fixed several memory safety and synchronicity hazards.
Version download: Pale Moon 27.8.2
Pale Moon 27.8.1
Update details:
Changes/fixes:
Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.
Version download: Pale Moon 27.8.1
Pale Moon 27.8.0
Update details:
Changes/fixes:
Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
Added Eyedropper menu entry to the AppMenu.
Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
Added support for ES6 "Symbol species".
Updated our TLS 1.3 support to the latest (probably final) draft.
Fixed gap inconsistency in the tabstrip.
Fixed a number of browser crashes.
Fixed a crash with the exponentiation operator "**".
Set the performance timer granularity to 1 ms.
Updated the kiss-fft library to our forked 1.4.0 version.
Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
Removed the notification bar when in full screen to prevent unwanted visible screen elements.
Removed unmaintained and insecure WebRTC code - building with WebRTC enabled is no longer an option.
Removed redundant checks for "Vista or later" since that is all we support.
Added display of the http status to raw request displays.
Added a workaround for cloned videos not retaining their muted state.
Added a temporary workaround to avoid crashes on trackless media.
Removed some superfluous ellipses from menu labels.
Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
Fixed some issues with setting the new tab preference (regression).
Version download: Pale Moon 27.8.0
Pale Moon 27.7.2
Update details:
Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre. This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
Improved the debug-only startup cache wrapper to prevent a rare crash.
Fixed a crash in the XML parser.
Added a check for integer overflow in AesTask::DoCrypto().
Fixed a potential race condition in the browser cache.
Fixed a crash in HTML media elements.
Fixed a crash in XHR using workers.
Fixed a crash with some uncommon FTP operations.
Fixed a potential race condition in the JAR library.
Version download: Pale Moon 27.7.2
Pale Moon 27.7.1
Update details:
Changes/fixes:
Added support for Array.prototype[@@unscopables].
Unfortunately, the addition of JavaScript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not finish loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.
Version download: Pale Moon 27.7.1
Pale Moon 27.7.0
Update details:
Changes/fixes:
Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
Fixed an issue on Mac builds not properly populating the application menu.
Added "My home page" as an option for new tabs.
Added an option to disable the 4th and 5th mouse buttons on Windows (mouse.button4.enabled and mouse.button5.enabled, respectively).
Improved the resetting of non-default profiles.
Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
Implemented support for flex/columnset contents inside buttons to align their behavior with other browsers. (This should fix layout issues with Twitch's new web interface.)
Fixed an issue where CSS clone operations would draw a border.
Changed the way fractional border widths are rounded to provide more natural behavior.
Fixed an issue where number inputs would incorrectly be flagged as read-only.
Added assets for tile display in the Windows start panel.
Finished sync infra swapover by adding a one-time pref migration for server used.
Improved WebAudio API: Return the connected audio node from AudioNode.connect().
Added support for a default playback start position in media elements.
Fixed an assert in cubeb-alsa code (Linux).
Added support for media cue-change events (e.g. subtitles).
Updated SQLite to 3.21.0.
Fixed a crash when trying to use the platform embedded.
Fixed devtools (gcli) screenshots on vertical-text pages.
Fixed devtools copy as cURL for POST requests.
Improved the HTML editor component (several bugfixes).
Added support for ES7's exponentiation a ** b operator.
Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
Added Javascript's ES6 "unscopables".
Security/privacy fixes:
Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
Removed the sending of referrers when opening a link in a new private window.
Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
Added support for X-Content-Type-Options: nosniff (for scripts).
Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical.
Version download: Pale Moon 27.7.0
Pale Moon 27.6.2
Update details:
Changes/fixes:
Implemented the concept of so-called "cookie-averse document objects", which is a security and privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
Mitigated some domain name spoofing through IDN that uses dotless-i and dotless-j with accents.
Pale Moon will now display these kinds of spoofed domains in punycode in the actual address bar.
Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. As such, some other issues like CVE-2017-7833 are already mitigated by us.
Fixed an issue with mixed-content blocking.
Added an extra check for the correct signature data type on certificates.
Added missing sanitization in exporting bookmarks to HTML.
Fixed several crashes and memory safety hazards.
Version download: Pale Moon 27.6.2
Pale Moon 27.6.1
Update details:
Changes/fixes:
Fixed a regression with new windows (opening two windows from the command-line or file association, focus issues on new windows, not loading the home page in a new window, etc.).
Aligned XHR with the current spec to allow withCredentials.
Fixed an input element focus issue within handlers.
Fixed the processing of all-padding HTTP/2 frames to prevent rare HTTP/2 hangups.
Updated CitiBank override to work around their login issues.
Updated Netflix override to a community-supplied one that seems to satisfy their arbitrary restrictions better.
Version download: Pale Moon 27.6.1
Pale Moon 27.6.0
Update details:
Changes/fixes:
Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt").
Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
Changed automatic updates over to the new infrastructure.
Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort.
Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
Improved upmixing of mono sound for multi-channel setups.
Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads.
Fixed "Remove from history" function from the downloads panel.
Forced focus on the address bar in new windows if the content is a blank/empty document.
Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
Further cleaned up the status bar code.
Disabled window.showModalDialog; it was removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI).
Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
Updated WOFF2 code from upstream.
Updated the zlib compression library.
Made general improvements to internal code structure and spec adherence.
Fixed an issue with certain command-line parameters being used.
Updated the default theme to improve consistency and contrast of toolbar and download buttons.
Increased the default duration of notification pop-ups and made them configurable.
Improved handling of audio-visual media (ongoing).
Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
Fixed the selection system inside of a nested contenteditable element being broken.
Fixed Windows 10 detection for blocklisting graphics drivers.
Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
Fixed the uninstallation routine of restartless add-ons.
Fixed the handling of unimplemented functions in the console API.
Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.
Security/privacy fixes:
Added an option to clear Site Connectivity Data (delete history).
Removed stale entries from the HSTS preload list, and improved generation/processing of it.
Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
Worked around some more issues with broken Apple fonts.
Version download: Pale Moon 27.6.0