Pale Moon Version 32.1.0 Released w/Security Updates and Compatibility Improvements

Started by Corrine, March 21, 2023, 03:11:46 PM


Corrine

Pale Moon has been updated to version 32.1.0.  This is a major update with security updates and important compatibility improvements for the web, particularly the implementation of Google WebComponents enabled by default.

Changes/Fixes:

  • Shadow DOM and CustomElements, collectively making up WebComponents, have been enabled by default which should bring much broader web compatibility to the browser for many a site that uses web 2.0+ frameworks. See implementation notes.
  • Tab titles in the browser now fade if they are too long instead of using ellipses, to provide a little more readable space to page titles. Note that this may require some updates to tab extensions or themes.
  • A number of site-specific overrides have been updated or removed because they are no longer necessary or current with the platform developments in terms of web compatibility. We could use your help evaluating the ones that are still there; see the issue on our repo.
  • Updated our promises and async function implementation to the current spec.
  • Implemented Promise.any()
  • Fixed several crashes related to regular expression code.
  • Improved regular expression object handling so it can be properly garbage collected.
  • Fixed some VP8 video playback.
  • Fixed an issue where the caret (text cursor) would sometimes not be properly visible.
  • Updated the embedded emoji font.
  • Implemented the :is() and :where() CSS pseudo-classes.
  • Implemented complex selectors for the :not() CSS pseudo-class.
  • Implemented the inset CSS shorthand property.
  • Implemented the env() environment variable CSS function. See implementation notes.
  • Implemented handling for RGB encoded video playback (instead of just YUV).
  • Implemented handling for full-range videos (0-255 luminance levels) giving better video playback quality.
  • Removed the WebP image decoder pref. See implementation notes.
  • Enabled the Web text-to-speech API by default (only supported on some operating systems).
  • Updated NSPR to 4.35 and NSS to 3.79.4
  • Cleaned up unused "tracking protection" plumbing. See implementation notes.
  • Cleaned up URI Classifier plumbing (Google SafeBrowsing leftover).
  • Fixed several intermittent and difficult-to-trace crashes.
  • Improved content type security of jar: channels. DiD
  • Improved JavaScript JIT code generation safety. DiD
  • Fixed potential crash scenarios in the graphics subsystem. DiD
  • Improved filename safety when saving files to prevent potential environment leaks.
  • Security issues addressed: CVE-2023-25751, CVE-2023-28163 and several others that do not have a CVE.
  • UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not applicable.

Implementation notes:
  • Google WebComponents has been long-running major feature work in UXP. We're finally at a level with this (after several setbacks and brick-walling) that it can be enabled by default. Please note that while this greatly improves web compatibility with many Chrome-focused websites using these controversial technologies, our implementation is not yet complete and more work is necessary. As a result, this change to enable it by default may actually break some previously-working websites as well, but it's expected the majority will work at our current state of implementation. Please visit the forum if you need help with web compatibility issues.
  • The env() CSS function was implemented for compatibility with websites that rely on this without fallback. Note that this function actually has no real use for desktops as it is primarily used to indicate environmental restrictions of mobile screens, e.g. extra space needed to avoid a camera notch or folding screen margin. However, due to the way certain sites implement their styling in a mobile-first approach, it is assumed that this function is available on all systems and in all browsers by these sites. Note that Pale Moon simply hard-codes queried values here.
  • WebP images have had a stable and complete implementation in Pale Moon for a long time now, so the preference to disable support for it has been removed, as it's considered by now to be one of the "staple" image formats supported by web browsers. This was done to reduce complexity for content negotiation, especially since we're adding more support for JPEG-XL that still isn't as-complete. From here on out, we simply always support WebP decoding.
  • While we've had a preference for "tracking protection" in our browser implementation (in about:config), this marketed feature of Firefox was never adopted by us, because it is for the most part a service-based feature, and the non-service parts were undesirable as they were crippling useful APIs. Our effective protection against tracking has not changed, we have simply removed the preference and plumbing for a non-functional service feature that would potentially give the false impression it would do anything.
As a reminder, if you are concerned about tracking, use a competent adblocker extension, and enable "Tell sites not to share or sell my data" in Preferences -> Privacy under "Data Privacy". You may also want to enable "canvas poisoning" by setting canvas.poisondata to true in about:config to reduce the risk of fingerprinting through canvases.

Notes:
DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.
Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads. To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.