Pale Moon 28.9.0.1 (64-bit)

[DDE_Server]

28.9.0.1 (2020-03-25)
This is a small update to address a breaking issue with user-agent override strings, causing problems on certain websites for a number of our users.
v28.9.0 (2020-03-24)
This is a major development update.

New features:

• Implemented asynchronous iterators (await iterator.next() and for await loops) (ES2018)
• Implemented promise-based media playback.
• Implemented non-standard legacy CSSStyleSheet rules functions.
• Implemented the html5 <dialog> element. To switch this on, flip dom.dialog_element.enabled to true.
• Implemented the optional hiding of pinned tabs in CtrlTab/AllTab panes. (controlled through the preferences browser.ctrlTab.hidePinnedTabs and browser.allTabs.hidePinnedTabs)
• Added 1.25x playback speed to html media elements.
• Added a hidden pref (browser.places.smartBookmarks.max) to control the sizes of default smart bookmarks categories.

Changes/fixes:

• Aligned document.open() with the overhauled specification.
• Aligned the way DOM styles are computed with mainstream browser behavior.
• Removed the (unused) DOM promise implementation.
• Enabled seeking to next frame in media files.
• Enabled dynamic UA updates for emergency use.
• Implemented rule processing stub for font-variation-settings.
• Increased the maximum XML nesting depth to 2048 levels for extreme corner cases and to conservatively align with other browsers.
• Improved the privacy of geolocation lookup calls, with thanks to a generous service donation from ip-api.com
• Improved reporting of the operating system in site-specific user-agent overrides.
• Improved table drawing performance again after the rewrite for sticky positioning making it slower.
• Updated CSP processing to allow custom scheme wildcards to be specified without a port.
• Aligned the behavior of outlines with other browsers when dealing with CSS-repositioned elements.
• Changed the way hardware acceleration is controlled from the application.
• Changed the default monospace font for main languages from Courier New to Consolas.
  This provides a more balanced font for fixed-width text that is slightly more condensed and more in line with the naturally compacter variable-width fonts used everywhere else.
• Changed the browser's behavior when restoring tabs from previous sessions. To prevent stale pages, it will now by default perform a "soft refresh" of the page instead of drawing it purely from cache without checking if the page needs updating. If you prefer the old behavior, set browser.sessionstore.cache_behavior to 0 in about:config.
• Updated NSPR to 4.24 and NSS to ~3.48.1-RTM, removing the previous custom patch level with NSS being able to support custom rounds for DBM now.
  For extensive release notes with all NSS changes, see NSS_Releases
• Implemented an NSS performance optimization for Master Password use with limited effect.
• Fixed some potential crashing scenarios with WebGL on Linux.
• Completely removed showModalDialog.
• Disabled some logging in production builds.
• Removed various gadgeteering/redundant/dead DOM APIs (casting/presentation, FlyWeb)
• Removed support for a number of critical libraries being system-supplied.
• Removed "Copy raw data" button from the troubleshooting information page, since it's never used by us in that format, and users mistakenly keep using it instead of copying text.
• Removed a bunch of Android and iOS support code.
• Fixed an issue with form elements sometimes being incorrectly disabled.
• Fixed several crashes.
• Fixed an issue with Captive Portal detection sometimes firing even when disabled by the user.
• Performed various tree-wide code cleanups.
• Backed out a large code cleanup patch for causing subtle issues in website operation (e.g. WordPress). This will have to be revisited later; the reintroduced code is not in use in practice.
• Cleaned up the application updater code.

Security-related fixes:

• Fixed a potential pointer issue in cubeb. DiD
• Disabled allowing remote jar: URIs by default for security reasons. If you need this functionality for your non-standard environment, you can enable it with the preference network.jar.block-remote-files, but please consider moving away from this method of providing web-based applications.
• Removed a potentially dangerous and otherwise ineffective optimization from the JavaScript engine.
• Fixed unwanted behavior where created/focused pop-up windows could potentially cover the DOM fullscreen notification, hiding it from users. (CVE-2020-6810)
• Fixed an issue where copying data as a curl request from developer tools would not properly escape parameters. (CVE-2020-6811)
• Updated our sctp library code with several upstream fixes.
• Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 3 already mitigated, 1 rejected, 11 not applicable.

Release Notes: Pale Moon - Release Notes
Download: Pale Moon for Windows downloads

 

[CyberTech]

Pale Moon 28.11.0 changelog:

• Changed storage format for certificates and passwords to SQLite.
• Added a preference (browser.tabs.insertAllAfterCurrent) to enable always adding new tabs after the current tab, whether related or not.
• Changed the way Firefox extensions are displayed in the add-on manager (provide a clear warning).
• Denied other types of add-ons that aren't explicitly targeting Pale Moon's ID.
• Improved the browser's DPI-awareness to be per-monitor instead of system-wide, on supported Windows operating systems.
• Updated bookmark backups code with the other half of what should have been done way back when, so they work fully as-intended.
• Added a preference (browser.bookmarks.editDialog.showForNewBookmarks) to enable immediately showing the edit dialog for new bookmarks.
• If set to true, clicking the star in the address bar will pop open the edit dialog immediately for changing details/sorting.
• Fixed the useragent string in native mode, and updated UA code to properly respond to live changes to some preferences.
• Tidied up front-end browser JavaScript.
• Changed the way sources are compiled (on-going de-unification).
• Improved compatibility with gcc v10
• Removed support for the obsolete and unmaintained NVidia 3DVision stereoscopic interface.
• Fixed some build issues in non-standard configurations.
• Fixed wrong positions when calculating the position for position:absolute child inside a table.
• Aligned file name extension of saved url files with other applications (lower case)
• Fixed building with --disable-webspeech (to disable speech synthesis)
• Added global menubar support for GTK.
• Implemented node.getRootNode
• Implemented AbortController (Abort API)
• Improved the uninstaller to use elevation when prudent and actually remove program files.
• Fixed a rare issue with editable page content.
• Fixed a crash related to ES module scripts.
• Aligned ES module scripting better with the current spec and removed eager instantiation.
• Fixed a potential issue with the JPEG encoder. (CVE-2020-12422) DiD
• Fixed a potential issue with AppCache manifests. DiD
• Fixed a potential crash in JavaScript date parsing.
• Fixed a problem with RSA key generation that would make it potentially vulnerable to side-channel attacks. (CVE-2020-12402)
• Fixed a potential crash due to multithread race condition. DiD
• Fixed a correctness issue in URL handling. (CVE-2020-12418) DiD
• Unified XUL Platform Mozilla Security Patch Summary: 2 fixed, 4 defense-in-depth, 10 not applicable.