Basilisk 2024.08.16
v2024.11.23 Published 2024-11-23
This is a minor security and bugfix update.
- Cleaned up some old unused code for pre-Windows 7 versions in the Windows installer.
- Built on UXP commit: df16df5693
- Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
- Addressed CVE-2024-10463.
- This is a bugfix and security release:
- Fixed an issue where the Basilisk preferences would fail to open if the browser is compiled with --disable-webrtc.
- Fixed a crash dealing with BigInt in JavaScript compilation.
- Updated NSS to 3.90.7 to pick up a security fix.
- Updated devtools to escape some more characters in "Copy as cURL" on POSIX operating systems. DiD
- Addressed PWN2OWN-2025-1 (out of bounds read or write in promise) DiD
- Addressed PWN2OWN-2025-2 (out of bounds read or write when using the ExtractLinearSum optimization) DiD
- Fixed potential unexpected behavior in embedded protobuf code. DiD
- Fixed an issue with potentially uninitialized contrast values when enhanced device contrast values can not be read from the OS. DiD
- Fixed potential sanitization issues with devtools' "Copy as curl" feature. DiD
- Built on UXP commit: 15335ce39d
v2025.07.04 Published 2025-07-04
This is a major development, bugfix and security release.
Implementation notes
- Basilisk now includes all non-ubiquitous image and media types in the navigation Accept: header, as discussed in the
- Implemented .toJSON() for DOMRect, DOMPoint and DOMMatrix.
- Added a base implementation of the SVGGeometryElement API. This is currently limited to .pathLength, getTotalLength() and getPointAtLength(distance) for SVG paths.
- Added a base-64/character validity grammar check for CSP nonces.
- Enabled JPEG-XL support unconditionally.
- Improved desktop ARM media capabilities.
- Improved our handling of CSP checks (multiple improvements surrounding loading principal checks).
- Added several Mac-specific file types to be treated as executables.
- Updated the emoji font to Unicode 16.0.0.
- Updated SQLite library to 3.50.1.
- Updated NSS to 3.90.7.1 to fix some issues with some sites due to prior root certificate updates.
- Updated code dealing with internal URL rewrites for YouTube.
- Changed the Firefox compatibility mode version to 128.
- Changed how .click() on <A> elements is handled. See implementation notes.
- Changed DOMMatrix's rotate() and rotateSelf() functions to accept 3D rotation instead of 2D, per spec.
- Changed CSS parameter animation to round values instead of truncating them, per spec.
This affects all integer properties (e.g. z-order) and font-stretching.
- Changed HTML element attribute parsing to additionally escape < and > characters, per spec.
- Fixed a regression in XUL <tree> elements where column selection would omit the first-defined column.
- Fixed a minor issue in DOMSVGPoint finity checks.
- Fixed some minor platform issues and updated Mac SDK checks.
- Fixed an issue when device contrast values would be unset in Mac or Windows+DirectWrite.
- Fixed an issue in the "Copy as curl" feature which could potentially mangle URLs.
- Fixed an issue with FontFaceSet loading.
- Removed support for very old libavcodec versions (before v58).
- Removed the CSP referrer directive as it's no longer in the spec.
- Removed preloading of a number of media libraries on Windows. See implementation notes.
- Removed the allowance of <A> in image maps. Only <area> is now supported.
- Removed several obsolete and unused preferences from about:config.
- Removed obsolete NPN preferences and calls. NPN has long since been replaced by ALPN.
- Removed obsolete SVGZoomEvent interface and handlers.
- Built on UXP commit: e52eaa961c
- Security issues addressed: CVE-2025-6429, CVE-2025-6424 (DiD) and CVE-2025-6426.
- Normally, when a script issues a simulated click on an element, that click is issued on the document the element is in. Unfortunately there has been a perceived bug in mainstream browsers where this didn't happen on anchors (<A>, hyperlinks) and the browser would navigate even if that anchor was not actually in a web page document (i.e. just created as a reference in scripting). This was eventually made an accepted behaviour in the specification as an exception, describing this bug as expected behavior. Basilisk has now changed how it handles .click() events on anchors to follow this behavior. This primarily impacts some select "download button" behavior on the web where this behavior quirk for anchors is relied on.
- Previously, Basilisk would preload a number of media .dll files into the browser, causing resource use even if there was no media to be decoded or played back in the browsing session yet. This was primarily done in inherited Mozilla code for EME to work. Since we don't support in-browser DRM, this preloading is wholly unnecessary and has been removed.
v2026.01.23 Published 2026-01-23
UXP Changes:
- Allow themes to detect Windows 11 usage.
- Implemented WeakRef.
- Implemented URL.canParse().
- Implemented the inset-block and inset-inline CSS shorthands.
- Added a preference (privacy.forgetaboutsite.clearPasswords) to control clearing of passwords when using "forget about this site" in the permissions manager, and disabled clearing of passwords by default, since it was considered unexpected behavior by the community.
- Re-landed CSS Cascade Layers support after the previous back-out.
- Re-landed CSS color-mix support after the previous back-out. RGB and HSL color spaces only, like previous.
- Implemented viewport overflow propagation logic. See implementation notes.
- Unprefixed CSS -moz-appearance; Basilisk now accepts the unprefixed CSS appearance keyword. For compatibility, -moz-appearance and -webkit-appearance (if enabled) have been retained.
- Fixed an intermittent but fairly prominent crash-to-desktop due to JavaScript garbage collection on certain modern sites.
- Fixed a crash on sites with certain types of CSP handling.
- Fixed a crash in WASM.
- Updated NSS to 3.90.9 (custom).
- Updated ICU to v78.1.
- Added support for building on Sparc64 hardware.
- Added support for building for NetBSD on DEC Alpha.
- Added basic support for building on Mac PowerPC (still a work in progress).
- Added basic support for building on LoongArch64 hardware (龍芯 CPUs).
- Added support for running on FreeBSD 15.
- Removed automatic coloring of auto-filled login fields.
- Restored support for in-process NPAPI plugins.
- Improved JavaScript IonMonkey stability on ARM and Mac SoC hardware.
- Built on UXP commit: f272382a9c
- Security issues addressed: CVE-2025-13015, CVE-2026-0879 (DiD), CVE-2026-0880 (DiD), CVE-2026-0889 (DiD), CVE-2026-0883, CVE-2026-0886 (DiD), and several others without a CVE designation.
Basilisk Changes:
- Change dom.always_stop_slow_scripts pref to true by default
- Implement internal polyfill loader based on Greasemonkey to help with compatibility when UXP does not support specific JS features.
- Update PDF.js to v3.11.174.
- Restore official branding files back to Basilisk repo.
- Make List All Tabs button removable and always visible.
- Implement Firefox's "Container Tabs" functionality.
- Introduced LoongArch64 builds. These are built on Slackwareloong64.
Included Polyfills:
- This release includes the following polyfills:
- image.decode
- Intl.DisplayNames
- TextEncoderStream
- ReadableStream pipeTo
- ReadableStream pipeThrough
- FinalizationRegistry
Basilisk Update Notes:
- There may be situations in which the "restore session" functionality does not correctly assign restored tabs to the container in which they were used. If this happens to you please report the exact steps to reproduce.
- PDF.js v3.11.174 was chosen because it is the last version not to use JS Modules.
- PDF.js has the following changes applied:
- Fix for CVE-2024-4367 (isEvalSupported set to false by default).
- Disabled XFA by default.
- Disabled execution of arbitrary JavaScript in all PDF files by default. I was just as horrified as you are to learn that this exists and is an actual spec.
- CSS and JS fixes as needed to make it render and work correctly in UXP-based browsers.
- Releases on all platforms other than Windows are now built with Clang + Thin LTO for improved performance.
UXP Implementation Notes:
- The WeakRef spec only allows code to hint/coerce and does not guarantee if or when dereferencing happens.
- A number of sites have started using overflow-x: clip without overflow-y on full-document elements. While this makes little sense, our strict implementation previously resulted in unscrollable pages. There is special viewport overflow propagation logic in the relevant drafts which we have now implemented to avoid this behavior.
v2026.03.09 Published 2026-03-09
UXP Changes:
- Re-landed Xoroshiro128++ JavaScript PRNG to make it more robust while keeping high performance.
This was previously backed out due to intermittent issues and crashes.
- Implemented JavaScript SubmitEvent support for HTML forms.
- Implemented JavaScript requestSubmit() for HTML forms.
- Implemented JavaScript toSorted().
- Implemented JavaScript toReversed().
- Implemented top-level await support for JavaScript modules. See implementation notes.
- Implemented pointer and hover CSS media queries.
- Enabled hardware-accelerated decoding for VP9 videos (where possible).
- Re-landed our expat library update, with fixes for large attribute parsing.
- Updated the JPEG-XL library to 0.11.2 to pick up security and performance fixes, and applied a spot-fix for big-endian hardware.
- Updated libtheora to 1.2.0.
- Updated libvpx to 1.16.0 with various fixes to retain compatibility with older MacOS and PowerPC platforms.
- Basilisk, from this version forward, allows unencrypted websocket connections to localhost addresses even when the calling document was served encrypted.
- Fixed an issue in the new Cascade Layers implementation causing problems with UI elements and extensions.
- Fixed several issues with the new ICU library implementation in UXP:
- Fixed an issue where it was returning unexpected Unicode spaces in date strings instead of standard space characters, causing problems with web scripting.
- Fixed an issue with plural forms for Shuar, Welsh and several Slavic languages.
- Fixed an issue with letter dots in Lithuanian.
- Fixed an issue with word-wrapping in Tibetan.
- Fixed an intermittent browser crash related to removing cached image data, and improved image data cache handling as a whole.
- Further improved compatibility with Mac on PowerPC hardware.
- Restored support for building on 32-bit MacOS 10.6.
- Applied miscellaneous fixes for building on MacOS 10.5 (Leopard) and 10.6 (Snow Leopard).
- Fixed run-time issues on FreeBSD 15.*.
- Fixed an issue with applying image filters on big-endian hardware.
- Fixed an issue preventing bundled fonts from working properly on targets other than Windows or Linux-GTK.
- Fixed crashes on long browsing sessions on sites making heavy use of WeakRef.
- Built on UXP commit: a268e57967
- Security issues addressed: CVE-2026-2806 (DiD), CVE-2026-2758, CVE-2026-2804, CVE-2026-2787 (DiD), CVE-2026-2757, CVE-2026-2773, CVE-2026-2779 (DiD), CVE-2026-2775, and several others that do not have a CVE designation.
Basilisk Changes:
- LoongArch64 builds are now built on Loongnix Server 23.
- Introduced Mac OS X 10.5 PowerPC builds.
- We no longer differentiate between beta/alpha/etc. for builds. All builds are welcome here <3
Included Polyfills:
- This release includes the following polyfills:
- image.decode
- Intl.DisplayNames
- Intl.Segmenter
- en-US only Intl.ListFormat
- Microsoft-specific (Outlook, Azure, etc) webauthn shim
- TextEncoderStream
- ReadableStream pipeTo
- ReadableStream pipeThrough
- FinalizationRegistry
Basilisk Update Notes:
UXP Implementation Notes:
- Added logging to the console when polyfills are loaded.
- Improved spec compliance in ReadableStream polyfill.
- Enabled getAnimations by default.
- Top-level await for JavaScript modules has been implemented. This allows the use of the await keyword at the top level without a wrapper to force pseudo-synchronous processing in async modules. This completes the last landmark issue of our ES2022 compatibility. Most notably, the lack of this would result in websites using certain