- Implemented a breaking CSP (Content Security Policy) spec change: when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include the https versions of the hosts listed in the policy if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0, which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2, where this is allowed.
- Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors occurred).
- Improved the performance of canvas poisoning by explicitly parallelizing it.
- Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
- Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
- Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
- Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
- Fixed several memory safety issues and crashes.
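
The CSP change in the first item above can be checked against a policy with the sketch below. It is an added example, not Pale Moon code: it models scheme-less host-source matching under CSP 1.0 and CSP 2 rules for exact hosts and optional ports only (wildcards and paths are left out), and the function names, the `level` parameter and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not Pale Moon source): simplified host-source matching.
// Handles exact hosts and optional ports; wildcards and paths are omitted.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Parse "cdn.example.com", "cdn.example.com:8080" or "https://cdn.example.com".
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+))?$/i.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
  };
}

// level 1 = CSP 1.0 rule, level 2 = CSP 2 rule for scheme-less sources.
function schemeMatches(src, pageScheme, urlScheme, level) {
  if (src.scheme) return src.scheme === urlScheme;      // scheme listed explicitly
  if (level === 1) return urlScheme === pageScheme;     // CSP 1.0: same scheme only
  if (pageScheme === "http:") {                         // CSP 2: http page also allows https
    return urlScheme === "http:" || urlScheme === "https:";
  }
  return urlScheme === pageScheme;                      // an https page never allows http
}

function hostSourceAllows(expr, pageUrl, resourceUrl, level) {
  const src = parseHostSource(expr);
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  if (!schemeMatches(src, page.protocol, res.protocol, level)) return false;
  if (res.hostname.toLowerCase() !== src.host) return false;
  const resPort = res.port || DEFAULT_PORT[res.protocol];
  // Without a port in the source, only the resource scheme's default port matches.
  return src.port ? src.port === resPort : resPort === DEFAULT_PORT[res.protocol];
}

// Constructed sample: a page served over http whose policy lists "cdn.example.com".
const page = "http://site.example/";
for (const level of [1, 2]) {
  const ok = hostSourceAllows("cdn.example.com", page, "https://cdn.example.com/app.js", level);
  console.log(`CSP level ${level}: https load ${ok ? "allowed" : "blocked"}`);
}
```

A policy that should keep the stricter behaviour can list the scheme explicitly (for example `http://cdn.example.com`), since the relaxed rule applies only to sources without a scheme.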