Pale Moon: Release notes
General notes:
DiD This means that
a fix is "Defense-in-Depth": It is a fix that does not apply to a
(potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when
surrounding code changes, exposing the problem, or when new attack
vectors are discovered.
Rejected security patches:
This means that patches were theoretically applicable to our code but
considered undesirable, which could be due to unwanted changes in
behavior, known regressions caused by the patches, or unnecessary risks
for stability, security or privacy.
v33.5.0 (2024-12-05)
This is a development, bugfix and security release.
Note: Intel Mac builds are now "ad hoc" signed instead of unsigned,
which should solve potential issues with newer macOS while still being
compatible with old OS X. If you experience issues, please post in the Mac
board on the forum for support.
Changes/fixes:
- Implemented Regular Expression "match indices" (/d) feature.
- Added a way to programmatically clear the DNS cache in the
browser, and added a button to the UI for it in about:networking.
- Updated handling of referrer policies to adhere to the
updated spec.
- CSS font
variations keywords no longer throw
an error. See implementation notes.
- CSS
border-radius will now also apply to
element outlines.
- Improved the display of amount of cached web content in
preferences when cache is being cleared.
- Improved the installer AVX check to skip on early versions
of Windows 10 (which don't support it).
- Updated NSS to 3.90.5 (unofficial) to pick up some security
fixes.
- Refreshed the built-in list of effective top-level domains.
- Fixed several application crashes.
- Reduced unnecessary debug/informative messages in release
builds (WebGL and CSP).
- Backed out building against ffmpeg 6.0 and ffvpx 6.0 for
causing a video playback regression on full-range videos (levels 0-255).
- Cleaned up a large amount of leftover Boot2Gecko code,
simplifying code paths throughout the code base.
- From this version forward we also publish language packs
for Persian (Farsi), Hindi, Kannada and Vietnamese.
- Security issues addressed: CVE-2024-11693 and
CVE-2024-11704 (DiD).
Implementation notes:
- The CSS font variations keywords (
woff2-variations ,
truetype-variations , etc.) allow webmasters to
indicate format hints for @font-face font resources so
authors can provide alternative resources for browsers that don't
support tech(variations) . The intent of these hints is to
provide an alternate font with variations in addition to regular fonts
without. Unfortunately, some webmasters don't indicate a base font the
variation font face would be an alternate for, which resulted in Pale
Moon throwing an error on the only @font-face src
entry provided, in turn having the web font not being loaded at all
(because no valid entry was found), breaking website layout. From this
version onwards, we parse the -variations keywords
allowing variation alternative font-faces to be loaded, even if no base
font was specified. To webmasters only supplying @font-face entries
with variations keywords: please understand the intent of this CSS 4
spec and always provide a base font entry (graceful fallback).
v33.4.1 (2024-11-05)
This is a small bugfix and security release.
Changes/fixes:
- Added a processor check to the 64-bit installer for Windows
to check for AVX.
Note: this check does not work on Window 7/8/8.1 and will allow
installations on non-AVX processors there.
Note: if you are running Windows 10 before build 2004 (before 20H1),
this check may fail on AVX-capable CPUs and prevent installation.
- Improved handling of multipart/mixed documents.
(CVE-2024-10461 and CVE-2016-2816) DiD
- Addressed CVE-2024-10463.
v33.4.0.1 (2024-10-09)
This is a small update to address two important issues:
- Extension compatibility issues with the ghostbuster
(leading to tab handling problems).
- Windows 7 compatibility issues in 32-bit builds on some
systems (leading to application UI paint failures/black window).
v33.4.0 (2024-10-08)
This is a development, bugfix and security release.
Changes/fixes:
- Introduced the "ghostbuster" concept; this is an automated
internal mechanism to attempt cleanup of particularly problematic web
content after a tab or window is closed. See implementation notes.
- Added support for the PROT_MPROTECT security feature on
targets that use it (notably PaX and NetBSD).
- Implemented preferences to give the user control over the
Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
- Improved buildability on NetBSD and Altivec architectures.
- Fixed building issues on Apple Silicon Mac with XCode 16.
- Added workarounds for non-standard MSE/WebM/VPx encoding on
YouTube that could cause video buffering and halting issues.
- Dev: Changed the default credentials mode for module
scripts from 'omit' to 'same-origin', aligning with mainstream.
- Dev: Implemented
getTransform and setTransform
with DOMMatrix arguments.
- Dev: Implemented ES2023 Hashbang grammar proposal.
- Fixed an issue with JavaScript's
StructuredClone .
- Security issues addressed: CVE-2024-9396.
- Rejected:
CVE-2024-9398 (properly informing the user about attempts to use
unhandled protocols by web pages is considered more important than
potential determination whether a handler for such a protocol is
installed)
Implementation notes:
- When very complex "modern" websites get closed by the user,
it is possible that the browser is unable to properly release all the
resources attached to it, especially those resources, modules and
scripts that were part of Shadow DOM or complex interlinked module
scripts. This can then result in "detached" web content and scripts
that continue to use memory, have active event listeners and loaded
scripts. Mainstream browsers are less affected by this as their
multi-process setups will effectively "throw the baby out with the bath
water" by simply killing the relevant content process. Since we don't
have that luxury of a lazy solution to an architectural problem, we
need to handle these so-called "ghost windows" resulting from this
problem internally without restarting the browser process. This version
of Pale Moon introduces the "ghostbuster" concept to try and address
this: an automated, internal mechanism that periodically checks for the
existence of ghost windows and severs links of them, so that
garbage/cycle collection can come in afterwards and release the
resources, hopefully preventing browser slowdowns and inflated memory
usage over time. If this, for some reason, causes issues for you, you
can disable the ghostbuster by setting the preference
browser.ghostbuster.enabled
to false . Also please report (in detail) on the forum
about the issue you're having if flipping this preference to false
resolves it, so we can look into improving this new feature.
- By user request, primarily for advanced power users who
need this for their local setups, 2 new preferences were introduced to
control how the browser deals with same-origin and CORS.
security.same_origin_policy.enabled , when
set to false , will completely disable checking if scripts
are allowed to be loaded based on the same-origin policy. Security warning: this is a really
bad idea on the open web and you should never blanket disable the
Same-Origin Policy check in a web browser for normal use.
content.cors.bypass_preflight_request ,
when set to true , will no longer send CORS preflight
requests or check preflight responses and always allow cross-origin
requests. Note that this kind of request is normally only made if
sending a request to a server might result in data changes server-side
(e.g. POST). This preference only does something when CORS is already
disabled; provided primarily for specific corner cases where CORS is
disabled and preflight checks (providing an extra safety net for server
data) need to be shut off too.
There are dragons hiding in
these two preferences. Please handle them responsibly.
v33.3.1 (2024-09-10)
This is a minor security and bugfix update.
Changes/fixes:
- Backed out support for FFmpeg 7.0/libavcodec 61 (Linux) due
to it causing a major regression in WebAudio (broken on all platforms).
This is being worked on to re-land at a later date.
- Restricted the
NotifyPaintEvent interface to
chrome code only; there is no reason (other than potential
tracking/fingerprinting) to have this accessible from content.
- Fixed a potentially exploitable issue in JavaScript (
FetchName ).
- Fixed a code correctness issue in XPConnect when creating
sandboxes. DiD
- Added a warning for using externally handled usenet
protocols.
- Security issues addressed: CVE-2024-8383 and CVE-2024-8381.
v33.3.0 (2024-08-13)
This is a major development update.
Important
notes with this version:
- From this version forward, all 64-bit releases require a
processor with AVX capabilities! Please keep an eye on the forum for
announcements of 64-bit SSE builds by the community if you are on
particularly old or otherwise limited hardware that does not support
AVX.
- For Linux users: Starting with this version, our binaries
are built with gcc 11 on a still conservative but more modern build
platform (Oracle Linux 8). As a result, there may be some lib
incompatibilities if you are still running on a particularly old distro
for some reason. While we try to serve as broad of a Linux base as
possible with our binaries, our lowest common denominator will
occasionally shift to newer distros as a result of O.S. life cycles,
compiler capabilities and available libraries.
Changes/fixes:
- Implemented the bulk of the CSS "cascade layers" spec (
@layer{} ).
This implementation is not 100% complete yet, but should satisfy common
use of CSS cascade layers on the web.
- Implemented support for
Sec-Fetch-* headers,
implementing another mechanism to deal with site security. See this
part of the spec for a primer on what this does.
- Added support for FFmpeg 7.0 / libavcodec 61 (Linux).
- Pale Moon will now look up hosts in DNS ahead of time to
make page navigation smoother. See implementation notes.
- Pale Moon will now block access to the reserved address
0.0.0.0 on non-Windows operating systems. See implementation notes.
- Dev: Aligned rounding behavior and precision ranges of
toFixed
and related functions with the spec. See implementation notes.
- Dev: Aligned isTrusted for
PostMessage and BroadcastChannel
with expected values on the web. See implementation notes.
- Dev: Added the
navigator.webdriver attribute
for web compatibility (always false in Pale Moon as we do not support
browser automation APIs).
- Re-implemented the Durstenfeld shuffle for plugin
enumeration that was unfortunately dropped with one of our past
rebases, to strengthen fingerprinting resistance.
- Fixed an issue with character clusters (e.g. for text
selection) resulting from a regression surrounding our improvements for
emoji handling.
- Fixed an issue with setting DOM color values. DiD
- Slightly improved password form handling, detecting
previously unsupported field orders.
- Updated NSS to 3.90.4.
- Updated our emoji font to 15.1.2 (Unicode 15.1 with some
additional extras/updates).
- Code cleanup:
- Removed unused code related to the (incomplete) FoxEye
experiment.
- Removed support code for LibAV and (very) old versions of
FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this
version forward (Linux).
- Removed click event dispatching code that is no longer
relevant.
- Cleaned up internal macro use in CSS code (this does not
impact any exposed APIs or code).
- Removed the hidden
network.dns.disablePrefetchFromHTTPS
pref. DNS prefetching should not be treated differently for http and
https.
- Security issues addressed: CVE-2024-7531.
Implementation notes:
- Pale Moon will now pre-emptively look up the internet
addresses in DNS for website navigation (e.g. from links). This speeds
up navigation as there will be no delay for DNS lookups when users
navigate to a new host or domain from the visited page. Please note
that this only deals with DNS (i.e.: looking up the addresses of
websites in the domain name system) and Pale Moon will not pre-emptively connect to the
servers in question; it will just have the addresses for them ready in
case the user decides to navigate to them.
For some people, this may still be seen as a privacy issue (e.g. when
the DNS server operated within an organization is tightly monitored for
"unwanted traffic") as it will regularly fire DNS lookups for hosts or
domains the user doesn't actually visit, so if this is a concern for
you and you wish to revert to our previous behavior, go to Preferences
-> Advanced -> tab "Network", and uncheck "Prefetch DNS lookups".
- Pale Moon will no longer allow connecting to the "this
machine" special reserved address 0.0.0.0 (and IPv6 equivalents
[::]/[::0.0.0.0]) on operating systems other than Windows. This is to
mitigate potentially unrestricted access to local resources on
UNIX-like operating systems due to the way the network stack operates
there. If needed for your use case, you can control this behavior
through the preference
network.dns.blockQuad0 -- if set
to true , any attempt to connect to the reserved addresses
will result in an error.
- We aligned behavior of number conversions with what is
generally expected on the web by mainstream browser engines and/or
updated specs. Specifically,
toFixed no longer accepts
negative precision ranges, and toExponential will now
round up at the midpoint in the decimal significand.
- Initially, the mechanisms
BroadcastChannel
and MessagePort implicitly called for dispatched events
to not be trusted, but since browsers marked them as trusted, this was
in conflict with the spec. Eventually, the spec for this was changed to
make them trusted in this case. Pale Moon now follows this behavior as
well.
v33.2.1 (2024-07-15)
This is a bugfix and security update.
Changes/fixes:
- Fixed a crash in CSS grid layout.
- Set hidden HTML elements to actually always be hidden.
- Updated NSS to 3.90.3.
- Updated SQLite to 3.46.0.
- Fixed an issue with setting of cookies.
- Fixed an issue in Linux IPC code.
- Fixed an issue with DNS prefetching (disabled by default).
- Security issues addressed: CVE-2024-6611, CVE-2024-6612 DiD and several others
(mostly DiD) that do not
have a CVE number assigned.
v33.2.0 (2024-06-18)
This is a development, stability and security release.
Note: Mac builds have
switched to Xcode 15 and are now cross-compiled from Apple silicon for
Intel targets. While the resulting builds have been tested on a few
Intel Mac systems, this is a big build change, so please get in touch
through our forum
if you experience any issues with these builds on Mac.
New features:
- Implemented the missing parts of the html5
<dialog>
element, including modal handling and custom backdrops.
- Implemented coarser, user-configurable granularity for the
canvas poisoning anti-fingerprinting measure. See implementation notes.
- Implemented new CSS viewport units
svw , svh ,
svmin , svmax , lvw , lvh ,
lvmin , lvmax , dvw , dvh ,
dvmin and dvmax .
- Implemented new CSS logical viewport units
vb ,
vi , svb , svi , lvb ,
lvi , dvb and dvi .
Changes/fixes:
- Removed the archaic and wholly outdated FIPS security
module code.
- Removed the archaic DBM support code for storing of
passwords in DBM format files.
- Removed the
-moz prefix from -moz-fit-content ,
aligning with the current CSS standard fit-content value.
- Updated our build system by adopting parts of the old
autoconf 2.13 as maintained code. autoconf 2.13 is no longer a build
requirement. If you build from source, you may want to review your
dependencies with this change.
- Fixed issues when building with GCC 14.* and Clang 16.*.
- Fixed issues with emoji sequence clusters causing incorrect
rendering of emoji glyphs in some cases.
- Made some arguments to the legacy
XPathEvaluator/XPathExpression interfaces optional for web
compatibility.
- Fixed a crash when reporting JavaScript module exporting
errors.
- Updated checking of special cookie prefixes to be
case-insensitive in accordance with the current RFC 6265 (bis-11+).
- Fixed issues with external protocol handlers.
- Fixed an issue where autocomplete pop-ups would stay open
in some circumstances.
- Fixed an issue with potentially bad file names being
entered by the user to "Save As...".
- Fixed several crashes and race conditions.
- Security issues addressed: CVE-2024-5699, CVE-2024-5702 DiD, CVE-2024-5690,
CVE-2024-5698 DiD,
CVE-2024-5688 DiD,
CVE-2024-5692 and several other security issues (some more DiD) that do not have CVE
numbers assigned to them.
Implementation notes:
- While we have had canvas data poisoning as an option for a
very long time (we introduced it as a concept), it was pointed out that
having a fast rotation on the poisoning leading to new and unique
canvas hashes every time a user would navigate was a red flag to
trackers that poisoning is being employed, mitigating its intent. A
different implementation of canvas poisoning was created that will
still provide human-imperceptible data manipulation of canvases leading
to bogus hashes for trackers, but now in such a way that this hash will
not change for a courser, but variable time frame. This time frame
defaults to 5 minutes in this release, which may be tweaked in the
future if necessary, but is also entirely user-configurable between 1
second and 8 hours with the preference
canvas.poisondata.interval
(indicated in seconds).
v33.1.1 (2024-05-28)
This is a minor security and stability update.
Changes/fixes:
- Made the nonce length for http digest auth configurable.
- Fixed various potential issues with font loading, parsing
and handling.
- Cleaned up error reporting for workers and normalized error
messages.
- Security issues addressed: CVE-2024-4772 DiD, CVE-2024-4771,
CVE-2024-4769 and CVE-2024-4770.
- We've switched back to an older toolchain (17.3) for
compiling 32-bit Windows binaries (again) to hopefully address some of
the intermittent stability issues people continued to have on later
Microsoft compiler versions when running on older hardware.
v33.1.0 (2024-04-23)
This is a development, stability and security release.
New features:
- Implemented support for single-use
<link
rel=preload> meta tag. This implementation allows use of it
without specifying a second <link rel={type}> meta
tag to actually load the linked document which was originally intended
for this tag (to hint to a browser it should pre-load the document for
fast painting).
- Implemented CSP v3 keywords
script-src-elem , script-src-attr ,
style-src-elem and style-src-attr .
- Enabled the use of html5's
<dialog> by
default. While this is not yet a complete implementation, use of it in
the wild dictated we enable this early. The implementation should
functionally suffice for usage seen so far.
- Added support for Emoji 15.1.
- Implemented
webkitURL legacy window alias for
URL for web compatibility.
- Implemented CSS shorthands
margin-block , margin-inline ,
padding-block and padding-inline .
- Added support for querying CPU capabilities (SSE2/AVX/AVX2)
to the Navigator interface. For privacy reasons this is not exposed to
the web, but can be used by extensions.
Changes/fixes:
- Fixed broken mousewheel scrolling if building with
--disable-npapi .
- Fixed a minor issue with XUL tree display in some
circumstances.
- Dev: Aligned canvas
Path2D.addPath with the
updated spec. It now supports DOMMatrix as opposed to SVGMatrix .
- Removed Stylo (Gecko Rust style system) leftovers from the
source tree.
- Fixed a few potential emoji display issues.
- Fixed some issues with workers.
- Fixed an issue with ctrl+c copying in devtools.
- Fixed crashes when run under WINE because of its lack of
support for
IDXGIKeyedMutex .
- Fixed a crash when dealing with a specific (unmaintained)
extension.
- Added
.xrm-ms files to the executable warning
list on Windows.
- Added sanity checks on http/2 header sizes.
- Fixed a potential issue in the JavaScript JIT compiler.
- Pulled a few fixes from upstream for the OpenType Sanitizer.
- Added a fix to avoid a potential issue when assigning a
media data buffer.
- Security issues addressed: CVE-2024-3863, CVE-2024-3302,
CVE-2024-3857 DiD,
CVE-2024-3859 and CVE-2024-3861 DiD.
v33.0.2 (2024-03-26)
This is a minor security and stability release.
Changes/fixes:
- Fixed an issue with attributes on duplicate html tags.
- Aligned the behavior of internal pointer structures to be
more
uniform. DiD
- Security issue addressed: CVE-2024-2610
v33.0.1 (2024-02-27)
This is a bugfix and security update.
Changes/fixes:
- Removed site-specific override for Amazon.com due to
breakage.
- Fixed script timeout values that were inadvertently
overridden in branding.
- Fixed an issue where empty MIME type registrations would
break some parts of the UI.
- (Linux only) Pasting URLs to content now by default does
not navigate to that URL.
- If content-paste-navigation is enabled (via
middlemouse.contentLoadURL ),
navigation is now restricted to pasting to active body type elements
(to prevent unwanted navigation when pasting URLs to input boxes, for
example).
- Fixed a problem with JS modules preventing
ExportEntries
from working.
- (Linux only) Fixed a build issue when building with a
system-supplied cairo library (unsupported).
- Fixed an issue where workers could lock up the browser with
SetInterval
with an out-of-bounds (too small)
value. This is now clamped to 4ms matching the HTML spec.
- Fixed a few usability issues with the built-in developer
tools.
- Fixed a potential crash in web workers.
- Fixed a potential overflow issue in image maps.
- Fixed a potential security issue with multi-part/mixed
content (CVE-2024-1551).
(from this point forward we will no longer list UXP Mozilla security
patch summaries as they are mostly irrelevant)
v33.0.0 (2024-01-30)
This is a new milestone release. It involves over 250 commits, of which
the most important ones are highlighted here.
New features:
- Implemented a restricted version of the asynchronous
clipboard API (navigator.clipboard). This API is restricted to writing
only for obvious security considerations. It supports both plaintext
and the standard DataTransfer methods. We did not implement the
reinvented wheel concept of ClipboardItem objects.
- Implemented support for SHA-2 (SHA-256/SHA-512/etc.)
signatures for OCSP stapled responses.
- Implemented an option (Found in Preferences -> Content
-> Media tab (new this version)) to restrict DOM full-screen mode to
the existing browser window.
- Implemented several options in a new preferences tab
(Preference -> Privacy -> Tracking) to allow users to more easily
control several privacy-impacting features, namely poisoning of canvas
data (to prevent fingerprinting), and enabling of Performance observers
(a developer feature) that some websites rely on for their operation.
- Implemented
PromiseRejectionEvent . Although
this is rarely actually used, some common JS libraries (you know who
you are!) use it as a feature level canary and start loading (broken!) Promise
shims if it is not found, causing compatibility issues and broken
websites due to the shims.
Fixes:
- Aligned microtasks and Promises scheduling with the current
spec and expected behavior.
- We now no longer send
click events to top
levels of the document hierarchy when using non-primary buttons (use auxclick ,
instead, to capture these events).
- Greatly improved the performance of box shadows.
- Greatly improved the performance of file/data uploads over
HTTP/2 (most of the secure websites out there).
- Fixed several issues related to focus and content selection.
- Fixed issues with the use of
focus-within
caused by unexpected processing of DOM events.
- Fixed an issue with CSP not behaving as-expected when using
importScripts() ,
and fixed a number of
additional CSP-related issues.
- Fixed a web compatibility issue with CORS preflights not
sending the original request's referrer policy or referrer header.
- Fixed a spec compliance issue with
StructuredClone .
- Fixed a crash due to clamping code introduced for
SetInterval
and SetTimeout timers.
- Fixed crashes when dynamic imports are canceled (e.g. by
navigation).
Other changes:
- Changed
<input type=file> to now have
its .files property be writable following a spec change
and recommendation.
- We are now requiring and building against the C++17
language standard.
- Updated the in-tree ffvpx lib to 6.0.
- Added a preference to allow users to completely disable
reporting of CSP errors to webmasters. Using this is strongly
discouraged as it will provide essential troubleshooting information to
webmasters setting up CSP, and does not pose a privacy issue, but for
those who really want it, it can now be fully disabled. The preference
is
security.csp.reporting.enabled .
- Updated the IntersectionObserver interface to now also
accept documents for the observer root instead of only HTML elements.
- Cleaned up various bits of code surrounding GMP, memory
allocation, system libraries, vestigial Android code, freetype2 and
developer tools.
- Improved efficiency of handling D3D textures.
- Added initial and experimental Mac PowerPC and Big Endian
support.
- Changed the behavior of hung scripts. We now automatically
terminate them instead of presenting the user with a dialog box (which
may or may not show in a reasonable time if the browser is too busy
trying to process the hung script). If you prefer the old behavior,
uncheck the box "Automatically stop non-responsive scripts" in
Preferences -> Content -> General
- Security issues addressed: CVE-2024-0746, CVE-2024-0741,
CVE-2024-0743 DiD,
CVE-2024-0750 DiD, and
CVE-2024-0753.
- UXP Mozilla security patch summary: 3 fixed, 2 DiD, 12 not
applicable.
v32.5.2 (2023-12-22)
This is a bugfix and security update.
Merry Christmas and Happy Holidays to all!
Changes/fixes:
- Removed the standard Twitter/X user-agent override because
they decided to block us on it.
- Added preferences for the user to control whether or not
the tab page title should be included in the window title or not. In
Private Browsing mode, the default is now to not show the title in the
window. This was done to avoid potential leakage to system logs (e.g.
GNOME shell logs or Windows event logs) of websites visited through the
recorded window title. The new preferences are
privacy.exposeContentTitleInWindow
and privacy.exposeContentTitleInWindow.pbm for normal
mode and Private Browsing mode, respectively.
- Fixed several crashes in DOM and relating to dynamic
JavaScript module imports.
- Removed a restriction on Fetch preflight redirects,
following a spec update.
- Improved the handling of web workers if they get aborted
mid-action.
- Security issues addressed: CVE-2023-6863, CVE-2023-6858 and
several others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 2 DiD, 1
rejected (which was DiD at best), 1 postponed (low risk), 22
not
applicable.
v32.5.1 (2023-11-28)
This is a minor development and security update.
Important: as of this
version, our beta FreeBSD binaries require at least FreeBSD 13.
Changes/fixes:
- Restricted protocol fallback for TLS. Pale Moon no longer
(by default) allows TLS 1.3 to fall back to earlier protocol versions
during the initial handshake.
- Reverted the addition of
browser.bookmarks.openInTabClosesMenu
due to behavioral issues with menus.
If you desire the intended behavior, please use an extension instead.
- We no longer support the data: protocol inside SVG's
<use> statements.
- Enabled more validation/error checking for WebGL on Windows
to prevent potential crashes.
- Improved secure context checking for iframes.
- Fixed the handling of relative paths in URLs starting with
multiple forward slashes.
- Security issues addressed: CVE-2023-6204, CVE-2023-6210,
CVE-2023-6209 and CVE-2023-6205 DiD
- UXP Mozilla security patch summary: 3 fixed, 1 DiD, 14
not
applicable.
v32.5.0 (2023-10-31)
This is a major development and security update. And a Happy Halloween
to everyone who celebrates! 🎃👻🦇
Changes/fixes:
- Added an initial implementation of the ReadableStreams API,
improving web compatibility with sites that apparently use this API in
utilitarian fashion.
- Added support for transparency in WebM videos for the edge
case of using
<video> elements for transparent
animated images. Major caveat: this will massively impact performance
of video playback if an alpha channel is present in the video.
- Added support for
crypto.randomUUID to allow
website scripting to generate random UUIDs (universally unique
identifiers) through the WebCrypto interface.
- By user request, added a preference
browser.bookmarks.openInTabClosesMenu
(default true ) to allow users to configure if they want
to keep the bookmarks menu open if they open bookmarks from it in a new
tab (by middle-clicking or Ctrl-clicking). The default behavior is to
close the bookmarks menu like any other menu when an option in it is
clicked.
- Removed the user-agent override for Netflix, since they
have stopped supporting the Silverlight browser plugin. Pale Moon no
longer has a way to provide Netflix DRM-controlled playback with them
dropping it, so there is no longer a reason to try and force
compatibility.
- Updated the user-agent override for Spotify. While it is
possible to use the website with this, it suffers from the same DRM
issue and not all media will be playable (only non-encumbered media can
be played in Pale Moon like podcasts). Your mileage may vary.
- Implemented timer nesting and clamping for workers,
preventing timer hangs on bad website code.
- Improved handling of drawing SVG images on canvases without
explicit width or height attributes. We now follow the css-sizing-3
Intrinsic Sizes spec.
- Improved performance of our memory allocator.
- Updated libvpx to 1.6.1.
- Cleaned up and updated some media playback code.
- Removed the inclusion of GMP (Gecko Media Plugin) support
from Pale Moon, as it was only in use for EME/DRM and WebRTC, neither
of which we support.
- Removed the last vestiges of EME/DRM code from UXP, since
this will never be supported in any application building on it due to
the media industry's draconic policies around FOSS.
- Removed simd.js,
moving actually used SIMD handling to C++.
- Removed the use of libav in our source, replacing its
supply of FFT with the equivalent from FFMpeg.
- Fixed potential type confusion in IonMonkey due to 3-byte
opcodes.
- Fixed an issue with tooltips persisting even if the browser
window would have lost focus.
- Fixed
PerformanceObserver navigation and
resource timing (default
disabled for privacy); our implementation now fully passes conformance
tests.
- Fixed an issue where top-level SVG images would not be
correctly
clipped by positioned elements, giving the impression of wrong
z-ordering as the SVG would overlap other elements.
- Dev: Updated
setInterval to fall back to 0 if
no duration is supplied.
- Dev: Updated
ResizeObserver to a recent spec
change, now returning
an array of results for borderBoxSize and contentBoxSize
instead of an
object.
- Dev: Updated
Intl.NumberFormat and DefaultNumberOption()
to follow spec updates. Most importantly for web compatibility, we now
allow the "maximumFractionDigits" option in Intl.NumberFormat
to be less than the default minimum fraction digits for the chosen
locale, following the general consensus in TC39 around this issue.
- Increased leniency (removed upper limit) of GLSL versions
as they tend to be fully backwards compatible.
- Fixed various crashes.
- Added a safeguard to the sec-gpc
header (Global Privacy Control) so it cannot be inadvertently
overwritten.
- Security fixes: addressed CVE-2023-5722, CVE-2023-5723,
CVE-2023-5724, CVE-2023-5727 and several other issues without a CVE
number assigned to them.
- UXP Mozilla security patch summary: 6 fixed, 2 DiD, 19
not
applicable.
v32.4.1 (2023-10-03)
This is a bugfix and security update.
Changes/fixes:
- Fixed an issue in BigInt typedArray costructors.
- Added some safety checks for Performance Observers.
- Fixed JSON BigInt regressions.
- Fixed missing BigInt increment/decrement operations.
- Added WASM sign extension opcodes.
- Fixed an issue with dead Promise wrappers in JavaScript DiD
- Fixed an issue with Alternative Services DiD
- Fixed an issue with libvpx (address CVE-2023-5217) DiD
v32.4.0.1 (2023-09-14)
This is a point release update to address a critical security
vulnerability.
Changes/fixes:
- Fixed a WebP decoder issue (CVE 2023-4863)
v32.4.0 (2023-09-05)
This is a major development update, further improving web compatibility
and fixing bugs.
Changes/fixes:
- Implemented the
BigInt primitive type for
JavaScript. See implementation notes.
- Implemented Big(U)Int64 array support.
- Implemented ergonomic brand checks for JavaScript class
fields.
- Aligned the Performance API with the Timeline v2 spec.
- Aligned the handling of flex/grid percentages resolving
against the parent with other browsers. See implementation notes.
- Added or updated several user-agent overrides for
problematic websites.
- Added 2 preferences to allow users to disable CSS
animations and transitions. See implementation notes.
- Improved compatibility with MacOS 14.
- Fixed an important, intermittent JavaScript crash related
to garbage collection.
- Fixed several crashes.
- Fixed several debug build related issues.
- Fixed an issue building on SunOS related to the spelling
library.
- Developer: Added ASan support for building with MSVC.
- Added the
.xll file extension to the
executable extensions list.
- Security issues addressed: several potential security
issues that do not have a CVE number. DiD
- UXP Mozilla security patch summary: 1 fixed, 3 DiD, 17
not
applicable.
Implementation notes:
- The
BigInt primitive (base number format) in
JavaScript allows JavaScript to handle excessively large integers
(whole numbers). This primitive is especially useful for specialized
scientific applications that need very large yet accurate numbers, but
has seen widespread adoption for an as of yet unknown reason as part of
web frameworks, causing general web compatibility issues for Pale Moon
when scripts expect BigInt support and instead have an error thrown. We
have now implemented this primitive for use so we no longer have
compatibility issues with these frameworks. It is still unknown why
BigInt is in use there and for what. Critical
note: BigInt might be tempting to consider for
JS-backed cryptography but this is very ill-advised, as BigInt
operations are, by their nature, not
constant-time and allow timing and side-channel attacks.
- Flex and grid item sizes in percentages would previously be
resolved against the parent like other elements, according to a very
long-standing practice that stems from the Internet Explorer days.
Mainstream browsers have, however, made an exception for flex items and
grid items to no longer do this. We have now made the same exception
for these types of elements which should solve layout issues on some
websites (notably reserving too much space for items, often resulting
in very large areas of whitespace or items being pushed out of view).
- Two preferences were added (
layout.css.animation.enabled
and layout.css.transition.enabled ) to allow users to
completely disable CSS-based animations and transition effects. This
was a request by users as both a performance and accessibility
consideration. Please note that in some cases, disabling animations and
transitions may have an impact on final web page layout, so you may run
into some issues when disabling these animations and transitions as the
web pages were designed to use them.
v32.3.1 (2023-07-18)
This is a small but important bugfix release to address important
regressions in 32.3.0.
Changes/fixes:
- Fixed intermittent crashes related to the performance API.
- Fixed intermittent issues with JavaScript malfunctioning in
chrome scripts (causing faults in the UI and extensions).
v32.3.0 (2023-07-11)
This is a major development update, further improving web compatibility.
Changes/fixes:
- Added the (hidden) preference
browser.history.menuMaxResults
to allow users to control how many history entries are listed in the
menu. Setting this to 0 will hide history menu entries
altogether, and any positive number configures how many entries the
entries are limited to. The default if not defined is 15 .
- Switched C++ language level used to C++14 on all platforms.
- Web compatibility and scripting improvements:
- Implemented geometry
.from* static
constructors for web compatibility.
- Implemented partial support for CSS
calc()
in color keywords.
- Implemented Array "find from last" feature (
findLast
and findLastIndex ).
- Implemented Object.hasOwn(object,property).
- Implemented several additional Intl API methods and
functions. This improves web compatibility with sites making use of
things like
hourCycle , advanced DateTimeFormat ,
Intl.Locale , and Intl as a
constructor.
- Cleaned up some unused code.
- Removed support for Mozilla "experiment" type extensions.
- Improved the JavaScript garbage collector's sweeping. This
should fix a few intermittent crashes and improve performance.
- Implemented some structural changes to the source to make
future porting easier, and preparing for switching to C++17.
- Removed handling of symlinks for directory listings to
prevent potential security issues by walking symlinks when uploading.
This effectively reverts a change made in Firefox 50 where this
functionality was introduced. A case of "Not such a good idea after
all" ;-)
- Updated the list of extensions on Windows treated as
"executable".
- Security issues addressed: CVE-2023-37208.
- Made preparations for requiring Authorization in CORS
ACAH preflight.
Since no browser honors this part of the spec at the moment this is
left disabled until there is consensus among browsers.
- UXP Mozilla security patch summary: 2 fixed, 2 rejected, 20
not
applicable.
v32.2.1 (2023-06-19)
This is a small bugfix and stability update.
There were no applicable Mozilla security bugs this time around.
Changes/fixes:
- Fixed a crash in devtools in some OOM situations.
- Fixed crashes when internal script execution was blocked by
extensions.
- Fixed crashes with WebComponents'
::slotted
selector.
- Disabled incremental cycle collector by default to avoid
performance regressions.
- Updated the default override for chase.com to work around
issues.
v32.2.0 (2023-05-16)
This is another important, major development update, continuing our
rapid development efforts in the v32 milestone.
With this version we should have restored web compatibility with the
majority of reported problematic websites. If you were previously
running into websites being problematic in Pale Moon, it may be a good
idea to try them again with this release.
Special thanks to Job Bautista, martok, dbsoft, FranklinDM and Travis
for continuing their hard work making this a reality!
This updates our UXP/Goanna platform version to 6.2.
Changes/fixes:
- Implemented dynamic module imports. See implementation
notes.
- Implemented exporting of async functions in modules.
- Implemented JavaScript class fields. See implementation
notes.
- Implemented logical assignment operators
||= ,
&&=
and ??= .
- Implemented a solution for websites using the officially
deprecated ambiguous
window.event . This is disabled by
default but can be enabled through about:config's dom.window.event.enabled
preference. See implementation notes.
- Implemented
self.structuredClone() (this may
be very obscure to anyone except web developers. Apologies ;-) )
- Implemented
Element.replaceChildren . Once
again primarily a web developer note.
- Improved Shadow DOM
:host matching.
- Implemented WebComponents' CSS
::slotted()
and related functionality.
- Improved page caching in our memory allocator.
- Added support for FFmpeg 6.0, especially important for
bleeding-edge Linux distros.
- Fixed a potential drawing deadlock for images, specifically
SVG. This solves a number of hang-on-shutdown scenarios.
- Fixed various crashes related to WebComponents and our
recent JavaScript work.
- Fixed various build-from-source issues on secondary target
platforms.
- Fixed various small browser front-end scripting issues that
could lead to errors or broken functionality.
- Fixed handling of async (arrow) functions declared inside
constructors.
- Fixed various small JavaScript conformance issues.
- Fixed an issue where JavaScript (only in modules) would not
properly create async wrappers.
- Updated the DOM Performance API to the current spec (User
Timing L3).
See implementation notes, especially if you intend to use this in web
content for critical functionality.
- Updated keypress event handling to send keypress events on
Ctrl+Enter.
- Updated internal JavaScript structures to make future
porting easier, as well as improve JavaScript performance.
- Updated window handling and styling on Mac.
- Updated the Freetype lib to 2.13.0.
- Updated the Harfbuzz lib to 7.1.0.
- Updated our DNS lookup calls to use
inet_ntop()
instead of the deprecated inet_ntoa() .
- Updated the Fetch API to use the global's base URL instead
of the entry document's base URL for spec compliance.
- We no longer support the outmoded
fontconfig
on GTK systems.
- We no longer parse or return the body of known-empty
responses from servers (content-length of 0, or in case of HEAD or
CONNECT methods).
- Implemented scaled font caching on GTK, improving
performance.
- Fixed a build issue when building for Linux on ARM64 on
later distros.
- Split out more parts of the browser into separate .dll
files on Windows to reduce compiler strain and an oversized xul.dll
- Removed mozilla::AlignedStorage (code cleanup).
- Builds for FreeBSD now use xz for packaging instead of
bzip2. By request, we now also offer GTK2 builds for FreeBSD.
- Merged the preference
dom.getRootNode.enabled
into the dom.webcomponents.enabled pref. See
implementation notes.
- Fixed a potential DoS issue with JPEG decoding.
- Fixed a potential issue in Windows widget code that could
lead to crashes.
- Disabled potentially hazardous external protocols on
Windows.
- Added known-problematic .dlls to the internal blocklist.
- Security issues addressed: CVE-2023-32209, CVE-2023-32214
and several others that do not have a CVE designation.
- UXP Mozilla security patch summary: 4 fixed, 1 rejected, 27
not
applicable.
Implementation notes:
- JavaScript modules have various methods of being loaded
into web page content. One of the later introduced methods is a
function-style import() declaration, so-called "dynamic module imports"
that has been used by various web frameworks, causing issues for Pale
Moon resulting in blank pages in most cases (since the websites would
not actually use document structure HTML, but rather JavaScript to
create content, all from imported modules). This has been a major web
compatibility issue lately and we're pleased to announce that this
complex bit of machinery has been implemented.
- JavaScript's language specification is continuing to be
watered down from a prototyping language towards a more "C-like"
hybrid. As part of that effort, JavaScript classes were introduced in
ECMAScript 6, and now further expanded in ES2022 with class fields and
private class fields/methods, as well as statics. We should have a
complete implementation of this now, which constitutes the more
important parts of the ES2022 language update.
- The use of the outdated Microsoft Internet Explorer global
window.event
has been a pervasive web compatibility issue for us, especially since
it was officially deprecated and we never implemented this ambiguous
and unreliable property that is highly-context sensitive. Websites
should use the event as passed into the event handler to get the event
source instead. However, since neither Chrome nor Firefox have dropped
this and seem to be playing a game of "chicken", it remains in use on
the web. To deal with this conflict, we have now implemented the
equivalent behind a preference to enable users to (temporarily) use the
global window.event while webmasters update their
websites. We hope the Google camp will finally drop this one soon so we
can be done with this legacy quirk.
- The DOM Performance API was updated to the User Timing
level 3 spec. It should be critically noted that the DOM Performance
API was never designed to be used as a matter of course on published
content, and was designed only for page performance analysis use by web
designers. Of course, as part of making dev tools available to the web,
a lot of abuse ensued because of the accurate navigation and timing
measurements that this API can provide (looking at you, Google!).
Because of tight integration with web content analysis, the older spec
implementation we had was causing issues and actually breaking some
services, so we updated it, but with a few important key differences:
- In Pale Moon, we keep navigation timing disabled because
it's a notable privacy issue for the data it can gather (exact
navigational events and timings). If you're a web dev and need these
timing measurements, you can enable them with
dom.enable_performance_navigation_timing .
- Our implementation, contrary to the spec, does not allow
unlimited recording of performance events (effectively logging every
page event!) which can also rapidly eat up memory. Instead we enforce a
sane default quota that should be roomy enough for all legitimate use,
but prevents runaway resource use or extensive logging of user actions.
- If the set quota is reached, a warning will be printed in
the console and the recorded performance events will be thrown away. If
you (foolishly) rely on Performance API events for your web application
to function, be aware this may cause compatibility issues as the API
was, again, not designed to be used in such a fashion. For event
handling, there are much better alternatives available which do not
involve extensive recording of user data or relying on a developer tool
API.
- We've historically implemented the DOM
getRootNode
function
as it was being used in the wild as a standalone function, however its
main intent has always been to be a helper function part of Shadow
DOM/WebComponents. As such we have now merged the preference into the
WebComponents preference, enabling and disabling it along with the rest
of our WebComponents implementation.
v32.1.1 (2023-04-18)
This is a bugfix and security release.
Changes/fixes:
- Fixed a crash in CompareDocumentPosition with Shadow DOM.
- Fixed a crash with display:contents styling.
- Added a preference to disable the TLS 1.3 protocol
downgrade sentinel (see implementation notes).
- Changed the way large clipboard copy/paste operations are
handled, improving privacy (see implementation notes).
- Improved filename safety when saving files to prevent
potential environment leaks (bis).
- Improved sanity checks of MIME type headers.
- Security issues addressed: CVE-2023-29545 and
CVE-2023-29539.
- UXP Mozilla security patch summary: 2 fixed, 1 rejected, 49
not
applicable.
Implementation notes:
- Some proxies and middleware boxes improperly handle the TLS
1.3 protocol handshake causing an insecure downgrade to TLS 1.2. With
our recent update of NSS, Pale Moon no longer allows this kind of
protocol downgrade when trying to establish a TLS 1.3 connection to a
server. The resulting error is ssl_error_rx_malformed_server_hello with
an inability to connect to the server. To enable users to still connect
to the servers or devices in question, we've added an option to switch
off the downgrade sentinel. To switch it off as a temporary workaround,
set security.tls.hello_downgrade_check to false.
- If copy and paste operations to/from the browser are
performed, Pale Moon writes clipboard contents to disk in a temporary
cache file if the copy/paste amount is particularly large, to avoid
using large amounts of memory to hold this data. The average
paste/clipboard size doesn't tend to hit this limit in which case it is
just held in memory.
Previously, these cache files, while in the O.S. temporary file
location (%TEMP% or /tmp), would not be consistently cleaned up,
potentially causing privacy issues if persisted. This was changed to
using auto-cleaning anonymous temp files, improving user privacy and
relying less on the O.S. or user performing cleanup of temporary file
storage. Thanks to Sandra for pointing this out and providing the patch.
v32.1.0 (2023-03-21)
This is another major update with important compatibility improvements
for the web. Most notably, our implementation of Google WebComponents
is now at a state where we enabled them by default.
Additionally, our Mac builds (for both Intel and ARM Macs) are no
longer in beta and considered stable. Signed/notarized builds with the
regular branding are available from the download page!
Huge thanks to FranklinDM for his work this cycle getting us to this
point. Of course major thanks to everyone who has contributed to this
complex and difficult WebComponents task over a long time!
Thanks also to Martok and Job Bautista for continuing to work on and
improve the JavaScript engine as well as u3shit for working on video
playback improvements.
Changes/fixes:
- Shadow DOM and CustomElements, collectively making up
WebComponents, have been enabled by default which should bring much
broader web compatibility to the browser for many a site that uses web
2.0+ frameworks. See implementation notes.
- Tab titles in the browser now fade if they are too long
instead of using ellipses, to provide a little more readable space to
page titles. Note that this may require some updates to tab extensions
or themes.
- A number of site-specific overrides have been updated or
removed because they are no longer necessary or current with the
platform developments in terms of web compatibility. We could use your
help evaluating the ones that are still there; see the issue
on our repo.
- Updated our promises and async function implementation to
the current spec.
- Implemented
Promise.any()
- Fixed several crashes related to regular expression code.
- Improved regular expression object handling so it can be
properly garbage collected.
- Fixed some VP8 video playback.
- Fixed an issue where the caret (text cursor) would
sometimes not be properly visible.
- Updated the embedded emoji font.
- Implemented the
:is() and :where()
CSS pseudo-classes.
- Implemented complex selectors for the
:not()
CSS pseudo-class.
- Implemented the
inset CSS shorthand property.
- Implemented the
env() environment variable
CSS function. See implementation notes.
- Implemented handling for RGB encoded video playback
(instead of just YUV).
- Implemented handling for full-range videos (0-255 luminance
levels) giving better video playback quality.
- Removed the WebP image decoder pref. See implementation
notes.
- Enabled the Web text-to-speech API by default (only
supported on some operating systems).
- Updated NSPR to 4.35 and NSS to 3.79.4
- Cleaned up unused "tracking protection" plumbing. See
implementation notes.
- Cleaned up URI Classifier plumbing (Google SafeBrowsing
leftover).
- Fixed several intermittent and difficult-to-trace crashes.
- Improved content type security of
jar:
channels. DiD
- Improved JavaScript JIT code generation safety. DiD
- Fixed potential crash scenarios in the graphics subsystem. DiD
- Improved filename safety when saving files to prevent
potential environment leaks.
- Security issues addressed: CVE-2023-25751, CVE-2023-28163
and several others that do not have a CVE.
- UXP Mozilla security patch summary: 1 fixed, 4 DiD, 14 not
applicable.
Implementation notes:
- Google WebComponents has been long-running major feature
work in UXP. We're finally at a level with this (after several setbacks
and brick-walling) that it can be enabled by default. Please note that
while this greatly improves web compatibility with many Chrome-focused
websites using these controversial technologies, our implementation is
not yet complete and more work is necessary. As a result, this change
to enable it by default may actually break some previously-working
websites as well, but it's expected the majority will work at our
current state of implementation. Please visit the forum if you need
help with web compatibility issues.
- The
env() CSS function was implemented for
compatibility with websites that rely on this without fallback. Note
that this function actually has no real use for desktops as it is
primarily used to indicate environmental restrictions of mobile
screens, e.g. extra space needed to avoid a camera notch or folding
screen margin. However, due to the way certain sites implement their
styling in a mobile-first approach, it is assumed that this function is
available on all systems and in all browsers by these sites. Note that
Pale Moon simply hard-codes queried values here.
- WebP images have had a stable and complete implementation
in Pale Moon for a long time now, so the preference to disable support
for it has been removed, as it's considered by now to be one of the
"staple" image formats supported by web browsers. This was done to
reduce complexity for content negotiation, especially since we're
adding more support for JPEG-XL that still isn't as-complete. From here
on out, we simply always support WebP decoding.
- While we've had a preference for "tracking protection" in
our browser implementation (in about:config), this marketed feature of
Firefox was never adopted by us, because it is for the most part a
service-based feature, and the non-service parts were undesirable as
they were crippling useful APIs. Our effective protection against
tracking has not changed, we have simply removed the preference
and plumbing for a non-functional service feature that would
potentially give the false impression it would do anything.
As a reminder, if you are concerned about tracking, use a competent
adblocker extension, and enable "Tell sites not to share or sell my
data" in Preferences -> Privacy under "Data Privacy". You may also
want to enable "canvas poisoning" by setting canvas.poisondata
to true in about:config to reduce the risk of
fingerprinting through canvases.
v32.0.1 (2023-02-21)
This is a bugfix and security update.
Changes/fixes:
- Fixed a crash in the new regular expression code.
- Added
{Extended_Pictographic} unicode
property escape to regular expressions.
- Fixed a regression in regular expressions for literal
parsing of invalid ranges.
- Updated NSS to pick up fixes.
- Security issues addressed: CVE-2023-25733 DiD, CVE-2023-25739 DiD and CVE-2023-0767.
- UXP Mozilla security patch summary: 1 fixed, 2 DiD, 14 not
applicable.
v32.0.0 (2023-01-24)
This is a new milestone release.
Primary focus for this milestone is web compatibility, in particular
Regular Expression extensions, standards compliance issues and further
JPEG-XL support.
This milestone now offers full coverage of the ECMAScript 2016-2020
JavaScript specifications, with the exception of BigInt
primitives.
Special thanks to Martok, Job Bautista and FranklinDM without whom this
milestone would not have been possible, and to dbsoft for putting in
the effort to work on Mac and FreeBSD builds.
Most important changes:
- Implemented Regular Expression named capture groups.
- Implemented Regular Expression unicode property escapes.
- Re-implemented Regular Expression lookaround/lookbehind
(without crashing this time ;) ).
- Implemented progressive decoding for JPEG-XL.
- Implemented animation for JPEG-XL.
- Implemented a compatibility mode for
<button>
elements. See implementation notes.
- Renamed CSS
offset-* properties to inset-*
to align with the latest spec and the web.
- Fixed CSS inheritance and padding issues in some cases.
- Aligned parsing of incorrectly duplicated HSTS headers with
expected behavior (discard all but the first one).
- Implemented a method to avoid memory exhaustion in case of
(very) large resolution animated images.
- Updated the JPEG-XL and Highway libraries to a recent,
stable version.
- Cleaned up some unused CSS prefixing code.
- Improved the ability to link on *nix operating systems with
other linkers than gcc's default.
- Stability improvements (potential crash fixes).
- Security issues addressed: CVE-2023-23598, CVE-2023-23599
and several others that do not have a CVE number.
- UXP Mozilla security patch summary: 4 fixed, 2 DiD, 19 not
applicable.
Platform support:
- We're working on finalizing official builds for Mac OS and
FreeBSD. These are currently in beta and can be downloaded from the Contributed Builds page. Please
note that you may run into some system compatibility issues with these
builds. If you do, please go to the forum and
report it in the appropriate board!
Implementation notes:
- To provide users with a temporary work-around for
non-compliant websites, a compatibility mode for
<button>
elements was implemented, which will treat <button>
elements as generic containers instead of actual form button elements.
This has been necessary because Chrome is not standards compliant in
this respect and website developers regularly make the mistake of
trying to use active content on button faces and expecting pointer
events to end up being sent to the active content and not the button
(which is not
what the standard prescribes! See "content model" on the standards
page stating there "must be no interactive content descendant").
Webmasters should be alerted to this compliance issue, but it can
(temporarily) be worked around in the browser from this point for
forward by setting the preference dom.forms.button.standards_compliant
to false and restarting the browser. Note that this is a
workaround and the only actual solution is advocacy for the standard
and more browsers becoming standards compliant.
You can find the release notes for previous
releases of Pale Moon on
the Archived Release
Notes page.
|