Pale Moon full changelog

New features:
Re-landed Xoroshiro128++ JavaScript PRNG to make it more robust while keeping high performance.
This was previously backed out due to intermittent issues and crashes.
Implemented JavaScript SubmitEvent support for HTML forms.
Implemented JavaScript requestSubmit() for HTML forms.
Implemented JavaScript toSorted().
Implemented JavaScript toReversed().
Implemented top-level await support for JavaScript modules. See implementation notes.
Implemented pointer and hover CSS media queries.
Enabled hardware-accelerated decoding for VP9 videos (where possible).
Changes/fixes:
Re-landed our expat library update, with fixes for large attribute parsing.
Updated the JPEG-XL library to 0.11.2 to pick up security and performance fixes, and applied a spot-fix for big-endian hardware.
Updated libtheora to 1.2.0.
Updated libvpx to 1.16.0 with various fixes to retain compatibility with older MacOS and PowerPC platforms.
Pale Moon, from this version forward, allows unencrypted websocket connections to localhost addresses even when the calling document was served encrypted.
Fixed an issue in the new Cascade Layers implementation causing problems with UI elements and extensions.
Fixed several issues with the new ICU library implementation in UXP:
Fixed an issue where it was returning unexpected Unicode spaces in date strings instead of standard space characters, causing problems with web scripting.
Fixed an issue with plural forms for Shuar, Welsh and several Slavic languages.
Fixed an issue with letter dots in Lithuanian.
Fixed an issue with word-wrapping in Tibetan.
Fixed an intermittent browser crash related to removing cached image data, and improved image data cache handling as a whole.
Further improved compatibility with Mac on PowerPC hardware.
Restored support for building on 32-bit MacOS 10.6.
Applied miscellaneous fixes for building on MacOS 10.5 (Leopard) and 10.6 (Snow Leopard).
Fixed run-time issues on FreeBSD 15.*.
Fixed an issue with applying image filters on

This is a minor release to address some critical issues in the new milestone.
Changes/fixes:
Backed out the expat library update for causing memory inflation and browser hang issues on XUL/XML and SVG files with particularly large attributes.
Backed out the change of the Javascript PRNG for causing intermittent issues and crashes on 32-bit platforms.
Both of these issues are being investigated and can hopefully re-land with the next development release.

This is a new milestone release! There are many changes in this milestone; the most important ones are highlighted here.
New features:
Our default theme on Windows received a refresh and update. It should integrate better with Windows 11 now, and be more responsive to dark accent colors, among other things.
Implemented WeakRef. See implementation notes.
Implemented URL.canParse().
Implemented the inset-block and inset-inline CSS shorthands.
Added a preference (privacy.forgetaboutsite.clearPasswords) to control clearing of passwords when using "forget about this site" in the permissions manager, and disabled clearing of passwords by default, since it was considered unexpected behavior by the community.
Changed our JavaScript PRNG to Xoroshiro128++ to make it more robust while keeping high performance.
Important updates and fixes:
Re-landed CSS Cascade Layers support after the previous back-out.
Re-landed CSS color-mix support after the previous back-out. RGB and HSL color spaces only, like previous.
Implemented viewport overflow propagation logic. See implementation notes.
Unprefixed CSS -moz-appearance; Pale Moon now accepts the unprefixed CSS appearance keyword. For compatibility, -moz-appearance and -webkit-appearance (if enabled) have been retained, although the long-term plan is to eventually remove the -moz prefixed one, so if you are an extension or theme developer, please consider switching your CSS to use appearance without a prefix.
Fixed an intermittent but fairly prominent crash-to-desktop due to JavaScript garbage collection on certain modern sites.
Fixed a crash on sites with certain types of CSP handling.
Fixed a crash in WASM.
Updated NSS to 3.90.9 (custom) to pick up several security and stability fixes.
Updated ICU to v78.1. This is a major uplift for our internationalization subsystem, allowing further future developments for the Internationalization API.
Updated Emoji support to Unicode 17.
Updated our expat parser code to a more recent

Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
Added a few other small fixes that are tangentially related to the code changes made.

Changes/fixes:
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
Unprefixed the :modal CSS pseudo-class and exposed it to content.
Improved efficiency and performance of the Cycle Collector.
Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
Updated the root certificates in the internal trust store.
Updated the Public Suffix List (eTLD) in the browser.
Removed no longer specced URL Constructor(DOMString url, URL base).
Restored unofficial branding to what it was before ("New Moon" instead of "Browser").
Changed the default Firefox Compatibility user-agent version to 115.0.
Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
Fixed a number of bugs and spec compliance issues in WebCrypto.
Fixed installer application naming issue causing failure to detect running application.
Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
Fixed a crash in the XSLT stylesheet importing code.
Updated NSS to 3.90.6 (custom) to pick up several security fixes.
Security issues addressed: CVE-2025-1009.

Changes/fixes:
Implemented Regular Expression "match indices" (/d) feature.
Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking.
Updated handling of referrer policies to adhere to the updated spec.
CSS font variations keywords no longer throw an error. See implementation notes.
CSS border-radius will now also apply to element outlines.
Improved the display of amount of cached web content in preferences when cache is being cleared.
Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it).
Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
Refreshed the built-in list of effective top-level domains.
Fixed several application crashes.
Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese.
Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).
Implementation notes:
The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Pale Moon throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse th

Changes/fixes:
Added a processor check to the 64-bit installer for Windows to check for AVX.
Note: this check does not work on Window 7/8/8.1 and will allow installations on non-AVX processors there.
Note: if you are running Windows 10 before build 2004 (before 20H1), this check may fail on AVX-capable CPUs and prevent installation.
Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
Addressed CVE-2024-10463.

Changes/fixes:
Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes.
Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
Improved buildability on NetBSD and Altivec architectures.
Fixed building issues on Apple Silicon Mac with XCode 16.
Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
Dev: Implemented ES2023 Hashbang grammar proposal.
Fixed an issue with JavaScript's StructuredClone.
Security issues addressed: CVE-2024-9396.
Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed)

Changes/fixes:
Implemented the bulk of the CSS "cascade layers" spec (@layer{}). This implementation is not 100% complete yet, but should satisfy common use of CSS cascade layers on the web.
Implemented support for Sec-Fetch-* headers, implementing another mechanism to deal with site security. See this part of the spec for a primer on what this does.
Added support for FFmpeg 7.0 / libavcodec 61 (Linux).
Pale Moon will now look up hosts in DNS ahead of time to make page navigation smoother. See implementation notes.
Pale Moon will now block access to the reserved address 0.0.0.0 on non-Windows operating systems. See implementation notes.
Dev: Aligned rounding behavior and precision ranges of toFixed and related functions with the spec. See implementation notes.
Dev: Aligned isTrusted for PostMessage and BroadcastChannel with expected values on the web. See implementation notes.
Dev: Added the navigator.webdriver attribute for web compatibility (always false in Pale Moon as we do not support browser automation APIs).
Re-implemented the Durstenfeld shuffle for plugin enumeration that was unfortunately dropped with one of our past rebases, to strengthen fingerprinting resistance.
Fixed an issue with character clusters (e.g. for text selection) resulting from a regression surrounding our improvements for emoji handling.
Fixed an issue with setting DOM color values. DiD
Slightly improved password form handling, detecting previously unsupported field orders.
Updated NSS to 3.90.4.
Updated our emoji font to 15.1.2 (Unicode 15.1 with some additional extras/updates).
Code cleanup:
Removed unused code related to the (incomplete) FoxEye experiment.
Removed support code for LibAV and (very) old versions of FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this version forward (Linux).
Removed click event dispatching code that is no longer relevant.
Cleaned up internal macro use in CSS code (this does not impact any exposed APIs or code).
Removed the hidden n