Camel1965

Very active
Distinguished
Joined
8 September 2010
Posts
37715
Reactions/Likes
33902

Basilisk 2023.05.17

May 17, 2023
  • This updates the UXP/Goanna platform version to 6.2.
  • Implemented dynamic module imports. See implementation notes.
  • Implemented exporting of async functions in modules.
  • Implemented JavaScript class fields. See implementation notes.
  • Implemented logical assignment operators ||=, &&= and ??=.
  • Implemented a solution for websites using the officially deprecated ambiguous window.event. This is disabled by default but can be enabled through about:config's dom.window.event.enabled preference. See implementation notes.
  • Implemented self.structuredClone()
  • Implemented Element.replaceChildren. Once again primarily a web developer note.
  • Improved Shadow DOM :host matching.
  • Implemented WebComponents' CSS ::slotted() and related functionality.
  • Improved page caching in our memory allocator.
  • Added support for FFmpeg 6.0, especially important for bleeding-edge Linux distros.
  • Fixed a potential drawing deadlock for images, specifically SVG. This solves a number of hang-on-shutdown scenarios.
  • Fixed various crashes related to WebComponents and our recent JavaScript work.
  • Fixed various build-from-source issues on secondary target platforms.
  • Fixed handling of async (arrow) functions declared inside constructors.
  • Fixed various small JavaScript conformance issues.
  • Fixed an issue where JavaScript (only in modules) would not properly create async wrappers.
  • Updated the DOM Performance API to the current spec (User Timing L3). See implementation notes, especially if you intend to use this in web content for critical functionality.
  • Updated keypress event handling to send keypress events on Ctrl+Enter.
  • Updated internal JavaScript structures to make future porting easier, as well as improve JavaScript performance.
  • Updated window handling and styling on Mac.
  • Updated the Freetype lib to 2.13.0.
  • Updated the Harfbuzz lib to 7.1.0.
  • Updated our DNS lookup calls to use inet_ntop() instead of the deprecated inet_ntoa().
  • Updated the Fetch API to use the global's base URL instead of the entry document's base URL for spec compliance.
  • We no longer support the outmoded fontconfig on GTK systems.
  • We no longer parse or return the body of known-empty responses from servers (content-length of 0, or in case of HEAD or CONNECT methods).
  • Implemented scaled font caching on GTK, improving performance.
  • Fixed a build issue when building for Linux on ARM64 on later distros.
  • Split out more parts of the browser into separate .dll files on Windows to reduce compiler strain and an oversized xul.dll
  • Removed mozilla::AlignedStorage (code cleanup).
  • Builds for FreeBSD now use xz for packaging instead of bzip2.
  • Merged the preference dom.getRootNode.enabled into the dom.webcomponents.enabled pref. See implementation notes.
  • Fixed a potential DoS issue with JPEG decoding.
  • Fixed a potential issue in Windows widget code that could lead to crashes.
  • Disabled potentially hazardous external protocols on Windows.
  • Added known-problematic .dlls to the internal blocklist.
  • Security issues addressed: CVE-2023-32209, CVE-2023-32214 and several others that do not have a CVE designation.
  • UXP Mozilla security patch summary: 4 fixed, 1 rejected, 27 not applicable.
  • Implementation notes:
      • JavaScript modules have various methods of being loaded into web page content. One of the later introduced methods is a function-style import() declaration, so-called "dynamic module imports" that has been used by various web frameworks, causing issues for Basilisk resulting in blank pages in most cases (since the websites would not actually use document structure HTML, but rather JavaScript to create content, all from imported modules). This has been a major web compatibility issue lately and we're pleased to announce that this complex bit of machinery has been implemented.
      • JavaScript's language specification is continuing to be watered down from a prototyping language towards a more "C-like" hybrid. As part of that effort, JavaScript classes were introduced in ECMAScript 6, and now further expanded in ES2022 with class fields and private class fields/methods, as well as statics. We should have a complete implementation of this now, which constitutes the more important parts of the ES2022 language update.
      • The use of the outdated Microsoft Internet Explorer global window.event has been a pervasive web compatibility issue for us, especially since it was officially deprecated and we never implemented this ambiguous and unreliable property that is highly-context sensitive. Websites should use the event as passed into the event handler to get the event source instead. However, since neither Chrome nor Firefox have dropped this and seem to be playing a game of "chicken", it remains in use on the web. To deal with this conflict, we have now implemented the equivalent behind a preference to enable users to (temporarily) use the global window.event while webmasters update their websites. We hope the Google camp will finally drop this one soon so we can be done with this legacy quirk.
      • The DOM Performance API was updated to the User Timing level 3 spec. It should be critically noted that the DOM Performance API was never designed to be used as a matter of course on published content, and was designed only for page performance analysis use by web designers. Of course, as part of making dev tools available to the web, a lot of abuse ensued because of the accurate navigation and timing measurements that this API can provide (looking at you, Google!). Because of tight integration with web content analysis, the older spec implementation we had was causing issues and actually breaking some services, so we updated it, but with a few important key differences:
          • In Basilisk, we keep navigation timing disabled because it's a notable privacy issue for the data it can gather (exact navigational events and timings). If you're a web dev and need these timing measurements, you can enable them with dom.enable_performance_navigation_timing.
          • Our implementation, contrary to the spec, does not allow unlimited recording of performance events (effectively logging every page event!) which can also rapidly eat up memory. Instead we enforce a sane default quota that should be roomy enough for all legitimate use, but prevents runaway resource use or extensive logging of user actions.
          • If the set quota is reached, a warning will be printed in the console and the recorded performance events will be thrown away. If you (foolishly) rely on Performance API events for your web application to function, be aware this may cause compatibility issues as the API was, again, not designed to be used in such a fashion. For event handling, there are much better alternatives available which do not involve extensive recording of user data or relying on a developer tool API.
      • We've historically implemented the DOM getRootNode function as it was being used in the wild as a standalone function, however its main intent has always been to be a helper function part of Shadow DOM/WebComponents. As such we have now merged the preference into the WebComponents preference, enabling and disabling it along with the rest of our WebComponents implementation.
 

Camel1965

Basilisk 2023.07.18

July 19, 2023
  • This is a major development update, further improving web compatibility.
  • Added the (hidden) preference browser.history.menuMaxResults to allow users to control how many history entries are listed in the menu. Setting this to 0 will hide history menu entries altogether, and any positive number configures how many entries the entries are limited to. The default if not defined is 15.
  • Switched C++ language level used to C++14 on all platforms.
  • Web compatibility and scripting improvements:
  • Implemented geometry .from* static constructors for web compatibility.
  • Implemented partial support for CSS calc() in color keywords.
  • Implemented Array "find from last" feature (findLast and findLastIndex).
  • Implemented Object.hasOwn(object,property).
  • Implemented several additional Intl API methods and functions. This improves web compatibility with sites making use of things like hourCycle, advanced DateTimeFormat, Intl.Locale, and Intl as a constructor.
  • Cleaned up some unused code.
  • Removed support for Mozilla "experiment" type extensions.
  • Improved the JavaScript garbage collector's sweeping. This should fix a few intermittent crashes and improve performance.
  • Implemented some structural changes to the source to make future porting easier, and preparing for switching to C++17.
  • Removed handling of symlinks for directory listings to prevent potential security issues by walking symlinks when uploading. This effectively reverts a change made in Firefox 50 where this functionality was introduced. A case of "Not such a good idea after all" ;-)
  • Updated the list of extensions on Windows treated as "executable".
  • Security issues addressed: CVE-2023-37208.
  • Made preparations for requiring Authorization in CORS ACAH preflight. Since no browser honors this part of the spec at the moment this is left disabled until there is consensus among browsers.
  • Fixed intermittent crashes related to the performance API.
  • Fixed intermittent issues with JavaScript malfunctioning in chrome scripts (causing faults in the UI and extensions).
  • Added ability to specify build version in mozconfig when compiling Basilisk.
  • UXP Mozilla security patch summary: 2 fixed, 2 rejected, 20 not applicable.
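
The symlink change in the 2023.07.18 notes above, shown as an added Python example that is not part of the original post and is not Basilisk/UXP code: a directory picked for upload is enumerated without following or including symbolic links. The function names and the sample tree are hypothetical, constructed for illustration.

```python
import os
import tempfile


def list_upload_candidates(root):
    """Return (files, skipped) for a directory picked for upload.

    Symlinks are never followed or included: a link inside the picked
    folder could point at a file or directory outside it.
    """
    files, skipped = [], []
    stack = [root]
    while stack:
        current = stack.pop()
        with os.scandir(current) as entries:
            for entry in entries:
                rel = os.path.relpath(entry.path, root)
                if entry.is_symlink():
                    skipped.append(rel)  # do not resolve, do not descend
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                elif entry.is_file(follow_symlinks=False):
                    files.append(rel)
    return sorted(files), sorted(skipped)


def demo():
    """Constructed sample tree: two real files and two symlinks."""
    with tempfile.TemporaryDirectory() as base:
        secret = os.path.join(base, "outside", "secret.txt")
        picked = os.path.join(base, "picked")
        os.makedirs(os.path.dirname(secret))
        os.makedirs(os.path.join(picked, "sub"))
        for path in (secret, os.path.join(picked, "a.txt"),
                     os.path.join(picked, "sub", "b.txt")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # Links that would pull outside content into the upload if followed.
        os.symlink(secret, os.path.join(picked, "link_to_file"))
        os.symlink(os.path.dirname(secret), os.path.join(picked, "link_to_dir"))
        return list_upload_candidates(picked)


if __name__ == "__main__":
    print(demo())
```

The skipped list is returned rather than silently dropped so that a caller can log which entries were refused.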
 

Camel1965

Basilisk 2023.10.03

October 3, 2023
  • This is a bugfix and a critical security update:
  • Added WASM sign extension opcodes.
  • Added GTK version to "Help->About" on GTK builds.
  • Removed some unused Android/b2g/iOS code from Basilisk.
  • Removed some obsolete Crash Reporter and Error Reporting code from Basilisk.
  • Remove some unused code related to Mozilla telemetry from Basilisk.
  • Remove some unused stub functions from Basilisk.
  • Remove obsolete prefs related to the previously mentioned code removals from Basilisk.
  • Rewrite some code in Basilisk to use the text preprocessor at build time instead of AppConstants at run time.
  • Set Basilisk to always ask where to save files by default.
  • Fixed an issue in BigInt typedArray constructors.
  • Added some safety checks for Performance Observers.
  • Fixed JSON BigInt regressions.
  • Upgraded usrsctp library to a version over 5 years newer, fixing various security issues and potential bugs in sites using WebRTC DataChannels.
  • Fixed an issue with libvpx encoding (CVE-2023-5217)
  • Fixed an issue with dead Promise wrappers in JavaScript DiD
  • Fixed an issue with Alternative Services DiD
 

Camel1965

Basilisk 2024.02.03

February 4, 2024
  • Implemented a restricted version of the asynchronous clipboard API (navigator.clipboard). This API is restricted to writing only for obvious security considerations. It supports both plaintext and the standard DataTransfer methods. We did not implement the reinvented wheel concept of ClipboardItem objects.
  • Implemented support for SHA-2 (SHA-256/SHA-512/etc.) signatures for OCSP stapled responses.
  • Implemented PromiseRejectionEvent. Although this is rarely actually used, some common JS libraries (you know who you are!) use it as a feature level canary and start loading (broken!) Promise shims if it is not found, causing compatibility issues and broken websites due to the shims.
  • Aligned microtasks and Promises scheduling with the current spec and expected behavior.
  • We now no longer send click events to top levels of the document hierarchy when using non-primary buttons (use auxclick, instead, to capture these events).
  • Greatly improved the performance of box shadows.
  • Greatly improved the performance of file/data uploads over HTTP/2 (most of the secure websites out there).
  • Fixed several issues related to focus and content selection.
  • Fixed issues with the use of focus-within caused by unexpected processing of DOM events.
  • Fixed an issue with CSP not behaving as-expected when using importScripts(), and fixed a number of additional CSP-related issues.
  • Fixed a web compatibility issue with CORS preflights not sending the original request's referrer policy or referrer header.
  • Fixed a spec compliance issue with StructuredClone.
  • Fixed a crash due to clamping code introduced for SetInterval and SetTimeout timers.
  • Fixed crashes when dynamic imports are canceled (e.g. by navigation).
  • Changed <input type=file> to now have its .files property be writable following a spec change and recommendation.
  • We are now requiring and building against the C++17 language standard.
  • Updated the in-tree ffvpx lib to 6.0.
  • Added a preference to allow users to completely disable reporting of CSP errors to webmasters. Using this is strongly discouraged as it will provide essential troubleshooting information to webmasters setting up CSP, and does not pose a privacy issue, but for those who really want it, it can now be fully disabled. The preference is security.csp.reporting.enabled.
  • Updated the IntersectionObserver interface to now also accept documents for the observer root instead of only HTML elements.
  • Cleaned up various bits of code surrounding GMP, memory allocation, system libraries, vestigial Android code, freetype2 and developer tools.
  • Improved efficiency of handling D3D textures.
  • Added initial and experimental Mac PowerPC and Big Endian support.
  • Added preferences for the user to control whether or not the tab page title should be included in the window title or not. In Private Browsing mode, the default is now to not show the title in the window. This was done to avoid potential leakage to system logs (e.g. GNOME shell logs or Windows event logs) of websites visited through the recorded window title. The new preferences are privacy.exposeContentTitleInWindow and privacy.exposeContentTitleInWindow.pbm for normal mode and Private Browsing mode, respectively.
  • Fixed several crashes in DOM and relating to dynamic JavaScript module imports.
  • Removed a restriction on Fetch preflight redirects, following a spec update.
  • Improved the handling of web workers if they get aborted mid-action.
  • Linux releases on both x86_64 and aarch64 are now built with GCC 11 and Oracle Linux 8.
  • Linux aarch64 releases are no longer considered to be in beta. Autoupdates will now work for Linux aarch64 builds moving forward.
  • Linux aarch64 builds are now available with both GTK2 and GTK3.
  • Refactored easy build shell script to use Oracle Linux 8 and GCC 11.
  • Refactored easy build shell script to work on both x86_64 and aarch64.
  • Changed some default Basilisk networking preferences to better respect privacy and security out of the box.
  • Fixed broken security section in the Page Info window.
  • Security issues addressed: CVE-2023-6863, CVE-2023-6858, CVE-2024-0746, CVE-2024-0741, CVE-2024-0743 DiD, CVE-2024-0750 DiD, and CVE-2024-0753.
  • UXP Mozilla security patch summary: 7 fixed, 4 DiD, 1 rejected (which was DiD at best), 34 not applicable.