Pale Moon: Release notes 

27.8.3 (2018-03-28)
This is a small update to address a pervasive crashing issue.

Changes/fixes:

    - Backed out some responsive layout code that caused intermittent but not uncommon crashes in the browser depending on window sizes and page content.

27.8.2 (2018-03-22)
This is a security update.

Changes/fixes:

    - Privacy fix: prevented update checks for the default theme.
    - Added a user-agent override for Dropbox to improve compatibility with their service.
    - Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
    - Disabled the Mac OSX Nano allocator. DiD
    - Fixed (CVE-2018-5129) OOB Write.
    - Updated the lz4 library to 1.8.0 to solve potential issues. DiD
    - Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
    - Fixed several memory safety and synchronicity hazards.

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) 
actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code,
e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered. 


27.8.1 (2018-03-06)
This is a small update to address some breaking issues.

Changes/fixes:

    - Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
    - Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.

27.8.0 (2018-03-02)
This is a development update with new and improved features and bugfixes.

Changes/fixes:

    - Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
    - Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
    - Added Eyedropper menu entry to the AppMenu.
    - Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
    - Added URL fix-ups for schemes (mis-typed "ttp://" etc.).
    - Added support for ES6 "Symbol species".
    - Updated our TLS 1.3 support to the latest (probably final) draft.
    - Fixed gap inconsistency in the tabstrip.
    - Fixed a number of browser crashes.
    - Fixed a crash with the exponentiation operator "**"
    - Set the performance timer granularity to 1 ms.
    - Updated the kiss-fft library to our forked 1.4.0 version.
    - Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
    - Removed the notification bar when in full screen to prevent unwanted visible screen elements.
    - Removed unmaintained and insecure WebRTC code - building with WebRTC enabled is no longer an option.
    - Removed redundant checks for "Vista or later" since that is all we support.
    - Added display of the http status to raw request displays.
    - Added a workaround for cloned videos not retaining their muted state.
    - Added a temporary workaround to avoid crashes on trackless media.
    - Removed some superfluous ellipses from menu labels.
    - Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
    - Fixed some issues with setting the new tab preference (regression).

27.7.2 (2018-02-01)
This is a security and stability update.

Changes/fixes:

    - Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
    - Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre.
      This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between
      mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious
      purposes in this context.
    - Improved the debug-only startup cache wrapper to prevent a rare crash.
    - Fixed a crash in the XML parser.
    - Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
    - Fixed a potential race condition in the browser cache.
    - Fixed a crash in HTML media elements (CVE-2018-5102)
    - Fixed a crash in XHR using workers.
    - Fixed a crash with some uncommon FTP operations.
    - Fixed a potential race condition in the JAR library.

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but
prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are
discovered. 

27.7.1 (2018-01-18)
This is a minor emergency update to address website breakage and a theme issue.

Changes/fixes:

    - Added support for Array.prototype[@@unscopables].
    - Unfortunately, the addition of JavaScript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank pages or not finish loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
    - Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.

27.7.0 (2018-01-15)
This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.

Changes/fixes:

    - Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows).
    - Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does.
    - Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
    - Fixed an issue on Mac builds not properly populating the application menu.
    - Added "My home page" as an option for new tabs.
    - Added an option to disable the 4th and 5th mouse buttons (Windows).
      (mouse.button4.enabled and mouse.button5.enabled, respectively)
    - Improved the resetting of non-default profiles.
    - Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
    - Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
    - Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
      (this should fix layout issues with Twitch's new web interface)
    - Fixed an issue where CSS clone operations would draw a border.
    - Changed the way fractional border widths are rounded to provide more natural behavior.
    - Fixed an issue where number inputs would incorrectly be flagged as read-only.
    - Added assets for tile display in the Windows start panel.
    - Finished sync infra swapover by adding a one-time pref migration for server used.
    - Improved WebAudio API: Return the connected audio node from AudioNode.connect()
    - Added support for a default playback start position in media elements.
    - Fixed an assert in cubeb-alsa code (Linux).
    - Added support for media cue-change events (e.g. subtitles).
    - Updated SQLite to 3.21.0.
    - Fixed a crash when trying to use the platform embedded.
    - Fixed devtools (gcli) screenshots on vertical-text pages.
    - Fixed devtools copy as cURL for POST requests.
    - Improved the HTML editor component (several bugfixes).
    - Added support for ES7's exponentiation a ** b operator.
    - Fixed an issue with arrow functions incorrectly creating an 'arguments' binding.
    - Added JavaScript's ES6 "unscopables".

Security/privacy fixes:

    - Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
    - Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
    - Removed the sending of referrers when opening a link in a new private window.
    - Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
    - Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
    - Added support for X-Content-Type-Options: nosniff (for scripts).
    - Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD


27.6.2 (2017-11-28)

This is a security and minor bugfix update to the browser.
This will most likely be the last update for 2017, with the holidays not far away.

Changes/fixes:

    - Implemented the concept of so-called "cookie-averse document objects", which is a security and privacy measure that blocks certain web content from setting cookies. This mitigates cookie-injection, which might help against "hidden" cookie tracking.
    - Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents. (CVE-2017-7832)
      Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar.
      Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itself. 
      As such, some other issues like CVE-2017-7833 are already mitigated by us.
    - Fixed an issue with mixed-content blocking. (CVE-2017-7835)
    - Added an extra check for the correct signature data type on certificates.
    - Added missing sanitization in exporting bookmarks to HTML. (CVE-2017-7840)
    - Fixed several crashes and memory safety hazards.
    - Fixed the Linux load throbber image to be properly encoded, to prevent flickering.
    - Removed the shortcut key combination for restarting the browser to avoid issues with people using certain keyboard layouts hitting the combination and unintentionally triggering a browser restart.
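
The dotless-i/dotless-j mitigation in the 27.6.2 notes above (CVE-2017-7832), sketched as an added example that is not Pale Moon's own code: a label where U+0131 or U+0237 is directly followed by a combining mark is shown in punycode instead of Unicode. The function names, the use of \p{M} for "accent", the lowercase-input assumption and the sample hostnames are all assumptions made for this illustration.

```javascript
// Added example, not Pale Moon source. Simplifying assumption: any combining
// mark (\p{M}) directly after dotless i (U+0131) or dotless j (U+0237) makes
// the label visually confusable with an ordinary accented i or j.
const DOTLESS_WITH_MARK = /[\u0131\u0237]\p{M}/u;

function isSpoofableLabel(label) {
  // Normalize first so canonically equivalent inputs are judged identically.
  return DOTLESS_WITH_MARK.test(label.normalize('NFC'));
}

// Punycode (RFC 3492) parameters and encoder, used to build the "xn--" form.
const BASE = 36, T_MIN = 1, T_MAX = 26, SKEW = 38, DAMP = 700;

function adaptBias(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > Math.floor(((BASE - T_MIN) * T_MAX) / 2)) {
    delta = Math.floor(delta / (BASE - T_MIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - T_MIN + 1) * delta) / (delta + SKEW));
}

function punycodeEncode(input) {
  const cps = Array.from(input, (ch) => ch.codePointAt(0));
  const digit = (d) => String.fromCharCode(d < 26 ? 97 + d : 22 + d); // a-z, 0-9
  let out = cps.filter((c) => c < 128).map((c) => String.fromCharCode(c)).join('');
  const basicCount = out.length;
  if (basicCount > 0) out += '-';
  let n = 128, delta = 0, bias = 72, handled = basicCount;
  while (handled < cps.length) {
    // Next smallest code point that has not been encoded yet.
    const m = Math.min(...cps.filter((c) => c >= n));
    delta += (m - n) * (handled + 1);
    n = m;
    for (const c of cps) {
      if (c < n) delta++;
      if (c === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? T_MIN : k >= bias + T_MAX ? T_MAX : k - bias;
          if (q < t) break;
          out += digit(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digit(q);
        bias = adaptBias(delta, handled + 1, handled === basicCount);
        delta = 0;
        handled++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

// Decide what the address bar shows. Only the dotless-i/j rule is modelled;
// a real browser applies further IDN display rules that are not shown here.
// Assumes the hostname is already lowercase.
function addressBarForm(hostname) {
  return hostname
    .split('.')
    .map((label) => {
      const nfc = label.normalize('NFC');
      return isSpoofableLabel(nfc) ? 'xn--' + punycodeEncode(nfc) : label;
    })
    .join('.');
}

// Constructed sample hostnames (not taken from any real incident).
const SAMPLES = [
  'www.example.com',            // plain ASCII, unchanged
  'b\u00fccher.example',        // ordinary IDN, stays Unicode under this rule
  'f\u0131\u0301x.example',     // dotless i + combining acute, shown as punycode
  'ma\u0237\u0308or.example',   // dotless j + combining diaeresis, shown as punycode
];
for (const host of SAMPLES) {
  console.log(JSON.stringify(host), '->', addressBarForm(host));
}
```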

27.6.1 (2017-11-15)
This is a minor bugfix release to address some pressing issues people have reported.

Changes/fixes:

    - Fixed a regression with new windows (opening two windows from the command-line or file association, focus issues on new windows, not loading the home page in a new window, etc.)
    - Aligned XHR with the current spec to allow withCredentials.
    - Fixed an input element focus issue within handlers.
    - Fixed the processing of all-padding HTTP/2 frames to prevent rare HTTP/2 hangups.
    - Updated CitiBank override to work around their login issues.
    - Updated Netflix override to a community-supplied one that seems to satisfy their arbitrary restrictions better.

27.6.0 (2017-11-07)
This is a major development update.

Changes/fixes:

    - Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering.
     As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D.
    - Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default.
    - Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
    - Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks.
    (enjoy your LOLcats again!)
    - Changed automatic updates over to the new infrastructure.
    - Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials.
    - Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
    - Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback.
    - Improved upmixing of mono sound for multi-channel setups.
    - Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
    - Fixed "Remove from history" function from the downloads panel.
    - Forced focus on the address bar in new windows if the content is a blank/empty document.
    - Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click.
    - Further cleaned up the status bar code.
    - Disabled window.showModalDialog; it was removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
    - Fixed image decoder calls to make sure the image load event doesn't fire prematurely.
    - Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding.
    - Updated WOFF2 code from upstream.
    - Updated the zlib compression library.
    - Made general improvements to internal code structure and spec adherence.
    - Fixed an issue with certain command-line parameters being used.
    - Updated the default theme to improve consistency and contrast of toolbar and download buttons.
    - Increased the default duration of notification pop-ups and made them configurable.
    - Improved handling of audio-visual media (ongoing).
    - Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space.
    - Aligned the implementation of for(let x=y;;) loops with the final ES6 specification.
    - Fixed the selection system inside of a nested contenteditable element being broken.
    - Fixed Windows 10 detection for blocklisting graphics drivers.
    - Enabled pasting of clipboard data in documents without an editor element to improve web compatibility.
    - Fixed the uninstallation routine of restartless add-ons.
    - Fixed the handling of unimplemented functions in the console API.
    - Updated the Facebook user-agent to enable otherwise vendor-restricted functionality.
    - Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues.

Security/privacy fixes:

    - Added an option to clear Site Connectivity Data (delete history).
    - Removed stale entries from the HSTS preload list, and improved generation/processing of it.
    - Removed undesired certificate issuer organization to common name fallback (if issuer org is empty).
    - Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures.
    - Worked around some more issues with broken Apple fonts.

27.5.1 (2017-10-10)
This is a security and stability update to the browser, as well as fixing some issues users have indicated.

Changes/fixes:

    - Changed the default Windows 10 styling when no accent color is applied to black-on-white.
    - Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes.
    - Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues.
    - Fixed a crash in the media subsystem.
    - Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems.

Security fixes:

    - Updated the hyphenation library to the latest upstream code to fix a security issue.
    - Updated NSPR to 4.16-RTM with a patch to un-bust building on win64.
    - Updated NSS to 3.32.1-RTM.
    - Worked around some more issues with Mac fonts (CVE-2017-7825).
    - Fixed a potential rooting hazard in NPAPI plugin code. DiD
    - Fixed a potential reference issue in JavaScript arrays. DiD

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem. 

27.5.0 (2017-09-26)
This is a major update furthering general development of the browser.

Changes/fixes:

    - User interface:
        - Added a menu option to restart the browser.
        - Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color.
        - Changed Windows' browser CSS sheet to use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style.
        - Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency.
        - Fixed some general inconsistencies in the Windows theme on all Windows operating systems.
        - Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper.
        - Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported.
        - Cleaned up some dead code for the plugin updater that no longer exists.
        - Fixed a text direction issue in preferences.
        - Fixed an issue with disabled context menu entries after using Customize...
        - Reorganized and cleaned up the status preferences.
    - Media:
        - MSE Media updates (ongoing). We are focusing on improving MP4 handling.
        - Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
        - Fixed a number of searching issues in MP3 files
        - Fixed a few crashes.
    - Fixed an issue with automatically exporting bookmarks to HTML on shutdown.
    - Fixed a regression re: domains allowed to/blocked from installing add-ons.
    - Fixed several internal errors thrown in the front-end.
    - Fixed several minor issues in the devtools.
    - Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session.
    - Added an option to control add-on blocklist behavior (Options -> Security)
    - Added DOM function isSameNode().
    - Added DOM onvisibilitychange event.
    - Added document.scrollingelement (CSSOM).
    - Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft).
    - Added "Open in new private window" to bookmarks, feeds and history entries.
    - Added HTTP request method OPTIONS.
    - Added an option to exit to a no-content page after encountering a network or security error.
      This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page.
    - Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data
      transfer). Disabled by default for now because it causes issues.
    - Improved the handling of several CSS selectors.
    - Changed session storage to remember form data for https sites by default.
    - Added (yet another) trap prevention method to onbeforeunload events.
    - Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
    - Fixed not being able to deselect loading bookmarks in the sidebar.
    - Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues.
    - Fixed a number of potential crash points.
    - Improved the security of the Windows dll loader module.
    - Reinstated "Open all in tabs" option on folders of live bookmarks (feeds).
    - Made URL matching more liberal in selected text to make it easier to open stated addresses.
    - Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work.
    - Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled.
    - Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks.
    Please be aware that https-filtering antivirus may interfere with future application updates as a result.
    - Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver).
    - Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers).
    - Fixed a problem with some H.264 media not playing (SPS NAL).
    - Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption).
    - Improved context search on selected text/links.
    - Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a
     modifier can open copies of already-opened sites.
    - Added a fix on Linux for starting the browser from Enlightenment.
    - Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data.

27.4.2.1 (2017-08-28)
This is an out-of-band update for the portable version of the browser only (Windows).
This fixes a few issues in the portable shell regarding backups and settings.

To update, please follow the recommended update procedure listed on the Pale Moon Portable page.

27.4.2 (2017-08-22)
This is a small update to address some security and stability issues.

Changes/fixes:

    - Fixed a number of crashes.
    - Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
    - Added a fix for TLS 1.3 handshakes causing a browser hangup.
    - Handshakes should be considerably faster now and no longer stall in the wrong circumstances.

Security fixes:

    - Updated NSPR to 4.15.
    - Updated NSS to 3.31.1.
    - Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
    - Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
    - Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
    - Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates
      (CVE-2017-7781)
    - Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
    - Fixed a UAF in WebSockets (CVE-2017-7800)
    - Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is 
      disabled)

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem. 

27.4.1 (2017-08-03)
This is a small update to address some media and web compatibility issues.

Changes/fixes:

    - Fixed an issue where media playback would not use hardware acceleration properly when using MSE.
      This would cause high CPU usage and/or choppy playback for HD video on e.g. YouTube.
    - Fixed ES6 iterator chains to be spec-compliant.
    - Fixed ES6 vector append calls and some related memory leaks.
    - Added a workaround to reduce the likelihood of a potential rare (timing-critical) crash.

27.4.0 (2017-07-12)
This is a major update to straighten out most of the media streaming issues, as well as adding the necessary enhancements, bugfixes and security fixes to the browser.

Changes/fixes:

    - Completely re-worked the Media Source Extensions code to make it spec compliant, and asynchronous as per specification for MSE with MP4. This should fix playback problems on YouTube, Twitch, Vimeo and other sites that previously had some issues. A massive thank you to Travis for his tireless work on making this happen!
    Please note that MSE+WebM (disabled by default) is not using this new code yet (planned for the next release), and as such there is a temporary set of things to keep in mind if you don't use default settings:
        - If you have previously enabled MSE+WebM, this setting will be reset when you update to avoid conflicting settings with the updated MSE code.
        - We've added an extra setting in Options to disable the updated MSE code (asynchronous use) in case you need to use WebM or are otherwise having issues with the updated code (please let us know in that case).
        - Once again, the MSE+WebM and Asynchronous MSE use are currently mutually exclusive. You can have one or the other, not both, until we sort out the code for WebM. To enable MSE+WebM you will first have to disable Asynchronous MSE in settings (otherwise the WebM setting will be greyed out and disabled).
    - Added a control in options/preferences for HSTS and HPKP usage.
    - Changed HTML bookmark exports to write CRLF line endings to the file on Windows.
    - Leveraged multi-core rendering for libVPX (VP8/VP9 WebM decoding).
    - Fixed some issues accessing DeviantArt (useragent-sniffing).
    - Aligned CSS text-align with the spec.
    - Added a recovery module for browser initialization issues (e.g. when using a wrong language pack).
    - Fixed spurious console errors for XHR requests with certain http response codes.
    - Enabled v-sync aligned refresh for a smoother scrolling experience.
    - Removed support for CSS XP-theme media queries.
    - Improved console error reporting.
    - Fixed resetting toolbars and controls from the safe mode dialog.
    - Fixed bookmark recovery option from the safe mode dialog.
    - Fixed innerText getters for display:none elements.
    - Fixed a GL buffer crash that might occur with certain combinations of drivers and hardware.
    - Added some more details to about:support.
    - Fixed a potential crash when the last audio device is removed during playback.
    - Fixed a crash on about:support when windowless browsers are created.
    - Updated <select> elements to blank if the actively set value doesn't match any of the options.
    - Updated the interpretation of 2-digit years in date formats to match other browsers:
    0-49 = 2000-2049, 50-99 = 1950-1999.
    - Added "q" units to CSS (quarter of a millimeter).
    - Added .origin property to blobs.
    - Fixed several minor layout issues.
    - Fixed disabled HTML elements not producing the proper JS events.
    - Implemented web content handler blacklist according to the spec, allowing more than feeds to be registered.
    - Fixed a spec compliance issue with execCommand() on HTML elements.
    - Fixed a problem with table borders being drawn unevenly or being omitted when zooming the page.
    - Added devtools "filter URLs" option in the network panel.
    - Added visual sorting options to the Network inspector.
    - Added importing of login data from Chrome profiles on Windows (Chrome has to be closed first).
    - Added importing of tags from bookmark export files (HTML format).
    - Updated usage of SourceMap headers with the updated spec (SourceMap header, keeping X-SourceMap as a fallback).
    - Fixed several cases of wrongly-used negations in JS modules.
    - Added the auxclick mouse event.
    - Added a control to not autoplay video unless it is in view (media.block-play-until-visible).
    - Updated the Graphite font library to 1.3.10.
    - Updated how image and media elements respond to window size changes (responsive design).
    - Added parsing and use of rotation meta data in video.
    - Fixed several crashes in a number of modules.
    - Fixed performance regression for scaling large vector images (e.g. MSIE Chalkboard test) \o/
    - Fixed some issues with notification icons.
    - Fixed some internal errors with live bookmarks.
    - Updated SQLite to 3.19.3.
    - Fixed several reported issues with devtools (cli-cookies, cli help, copying cURL, inspecting SVGs, element size calculations, etc.)
    - Fixed an issue where a server response was allowed to override add-ons' specified version ranges even for add-ons that have strict compatibility (e.g. themes, language packs).

Security fixes:

    - Removed preloading of HPKP hosts and enabled HPKP header enforcement.
    - Added support for TLS 1.3, the up-next secure connection protocol.
    - Fixed an issue with TLS 1.3 not supporting renegotiation by design.
    - Relaxed some restrictions for CSP to temporarily work around web compatibility issues with the CSP-3 deprecated `child-src` directive.
    - Updated NSS to 3.28.5.1-PM to address some security issues.
    - Updated the installer selfextractor module to address unsafe loading of libraries.
    - Changed the way certain resources are included to reduce effectiveness of some common fingerprinting techniques. (e.g. browserleaks.org)
    - Fixed a regression in the display of security information in the page info dialog for insecure content.
    - Fixed two potential issues with allocating memory for video. DiD
    - Fixed a potential issue with the network prediction algorithm. DiD
    - Restricted the use of Aspirational scripts in IDNs to prevent domain spoofing, in anticipation of the UAX#31 update making this official.
    - Prevented a Mac font specific issue that could be abused for domain spoofing (CVE-2017-7763)
    - Fixed several potentially exploitable crashes. (CVE-2017-7751) (CVE-2017-7757) and some that do not have a CVE designation.


27.3.0 (2017-04-28)
A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.

Changes/fixes:

    - Fixed up, checked and enabled vertical text writing modes!
      Pale Moon will now be able to display vertical, right-to-left script.
    - Added the option to reset non-default profiles.
    - Fixed various issues in the WebP image decoder.
    - Added internally-supported document types to allowed <embed> types.
    - Fixed locale selection in ICU after update to ICU58.
      (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
    - Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
    - Ongoing fixes for the MP4 parser and MSE.
    - Made HTML Media Elements' preload attribute MSE-spec compliant.
      The preload attribute on HTML media elements is now ignored in the case of an MSE source. 
      This prevents an issue with sourceopen not firing when preload="none".
    - Fixed some issues with Windows WMF media playback.
    - Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
    - Fixed display of RSS folder icons.
    - Fixed issues with custom context menus.
    - Fixed an issue importing bookmarks with separators losing their extra data.
    - Changed the way numeric addresses are handled in the address bar so it doesn't perform a 
      search when it shouldn't.
    - Added an option (browser.sessionstore.cache_behavior) to control from which source 
      restored tabs pull their page content:
      0 = load restored tab data from cache (current behavior, default)
      1 = refresh restored tab data from the network
      2 = refresh stored tab data from the network and bypass any cached data.
    - Improved upon a v27 performance regression with SVG scaling.
    - Improved performance by being more selective which CSS animations to process.
      As a side-effect, elements changing their display from "none" to something visible now also 
      animate.
    - Increased memory allocation for the use of very large PAC files.
    - Added menu entries for the permissions manager and improvements to its function and 
      display.
    - Added preferences to control "highlight all" behavior of the find bar:
      accessibility.typeaheadfind.highlightallbydefault = true/false: highlight all found words by default.
      accessibility.typeaheadfind.highlightallremember = true/false: remember the last-used state of Highlight All.
    - Added devtools command-line options.
    - Added remote IP and protocol to Devtools->Network entry details.
    - Added support for <details> and <summary> HTML tags.
    - Fixed a regression in the MSIE profile migrator.
    - Removed migration of browser-specific settings when migrating data from IE/Safari.
    - Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata 
      making acceptance of them mandatory (and to prevent web compat issues due to the 
      current conflicting text of it).
    - Made the image document favicon skinnable.
    - Aligned DOM selection addRange with the spec.
    - Exposed mozAnon constructor js binding to system scopes for XHR.
    - Enhanced form data handling from JavaScript.

  Security/privacy changes:

    - Updated NSS to 3.28.4-RTM to address a number of issues.
    - Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
    - Reconfigured networking security: disabled static DHE suites by default, enabled all 
      RSA-AES(-GCM)-SHA256/384 suites in their stead.
    - Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
    - Added an option to display punycode domain for IDN websites to combat phishing.
      This is enabled by default for domain-validated https sites.
      Preference: browser.identity.display_punycode
      0 = Display IDN name in identity panel (previous behavior)
      1 = Display punycode name for DV SSL domains (default)
      2 = Also display punycode for HTTP sites if IDN name used
    - Fixed an issue to prevent contacting remote servers when a connection might get blocked.
    - Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
    - Fixed several memory- and thread-safety hazards.
    - Fixed an address bar spoofing issue. (CVE-2017-5451)
    - Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
    - Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) 
      (CVE-2017-5440)
    - Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
    - Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
    - Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
    - Fixed a potentially exploitable issue in graphite font shaping.
    - Fixed a potentially exploitable crash with credential-authentication.
    - Fixed out-of-bounds access with text selection in rare cases.
    - Fixed a security hazard in the ANGLE library.
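
The three values of browser.identity.display_punycode listed above, modelled as an added JavaScript example (this is not Pale Moon's code). The function names, the connection labels ('http', 'dv', 'other') and the sample hosts are constructed for illustration; any connection type the release note does not mention is assumed to keep the IDN name.

```javascript
// Added example, not Pale Moon source: which name the identity panel shows
// for each value of browser.identity.display_punycode, per the release note.
const DISPLAY_IDN = 0;              // previous behavior
const PUNYCODE_FOR_DV = 1;          // default
const PUNYCODE_FOR_DV_AND_HTTP = 2; // also covers plain HTTP

// ASCII (punycode) form of a hostname, using the WHATWG URL parser that is
// built into browsers and Node.js.
function toAscii(host) {
  return new URL('http://' + host).hostname;
}

// A hostname is an IDN if any label needs the "xn--" ACE prefix.
function isIdn(host) {
  return toAscii(host).split('.').some((label) => label.startsWith('xn--'));
}

// connection: 'http', 'dv' (domain-validated HTTPS) or 'other'.
// Assumption: 'other' (anything the release note does not mention) keeps
// the IDN name.
function identityLabel(host, connection, pref) {
  if (![DISPLAY_IDN, PUNYCODE_FOR_DV, PUNYCODE_FOR_DV_AND_HTTP].includes(pref)) {
    throw new RangeError('display_punycode must be 0, 1 or 2');
  }
  if (!isIdn(host)) return toAscii(host); // plain ASCII names never change
  const usePunycode =
    (pref >= PUNYCODE_FOR_DV && connection === 'dv') ||
    (pref === PUNYCODE_FOR_DV_AND_HTTP && connection === 'http');
  return usePunycode ? toAscii(host) : host.toLowerCase();
}

// Constructed sample sites. The last host starts with CYRILLIC SMALL LETTER A
// (U+0430), which renders like a Latin "a".
const SAMPLE_SITES = [
  { host: 'b\u00fccher.example', connection: 'dv' },
  { host: 'b\u00fccher.example', connection: 'http' },
  { host: 'example.com', connection: 'dv' },
  { host: '\u0430pple.example', connection: 'dv' },
];

// Rows whose label differs from what the old behavior (pref 0) would show.
function changedLabels(sites, pref) {
  return sites
    .map((s) => ({
      ...s,
      before: identityLabel(s.host, s.connection, DISPLAY_IDN),
      after: identityLabel(s.host, s.connection, pref),
    }))
    .filter((row) => row.before !== row.after);
}

for (const pref of [DISPLAY_IDN, PUNYCODE_FOR_DV, PUNYCODE_FOR_DV_AND_HTTP]) {
  console.log('pref =', pref);
  for (const row of changedLabels(SAMPLE_SITES, pref)) {
    console.log(`  ${row.connection}: ${row.before} -> ${row.after}`);
  }
}
```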


27.2.1 (2017-03-24)
This is a small update to fix some stability and usability issues.

Changes/fixes:

    - Fixed an issue with planar alpha handling (transparency) when drawing JXR images.
    - Fixed a crash related to a change in JavaScript array handling introduced in 27.2.0.
      This became apparent with the pentadactyl extension, but could happen in other situations as well.
    - Fixed a crash when opening ridiculously large images with HQ scaling enabled (default).
      Pale Moon will now only apply HQ scaling for images within reasonable limits (64 Mpix or smaller). Images larger than that may
      not display properly when zooming in, or may not display at all, even scaled down (e.g. >256 Mpix large) and show a "broken
      image" placeholder instead; please use dedicated image viewer applications for those kinds of images; it is outside the scope
      of a web browser to handle such large images.
    - Changed the way URL hashes are handled: Pale Moon will no longer %-decode anchor hash identifiers by default.
      Note that this is against RFC 3986, which states that any part of the URL scheme that isn't data should be decoded.
      This is required for web compatibility because several sites use hash links to pass actual data to web applications
      (Please don't do this! Hashes are part of the URL address, should only consist of "safe" characters, and aren't suited to pass
      arbitrary data) and the most common browsers no longer follow the RFC in that respect.
      If you want RFC compliance, switch dom.url.getters_decode_hash to true.
    - Restored 2 RSA Camellia cipher suites that were missing: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA and TLS_RSA_WITH_CAMELLIA_256_CBC_SHA.
    - Fixed an issue with custom toolbars getting deleted during upgrade from 27.0/27.1 to 27.2.


27.2.0 (2017-03-18)
This is a major update to the browser with a focus on back-end improvements and security.

Changes/Fixes:

    Updated the ICU lib to 58.2 to fix a number of issues.
    Added proper user control over offline storage for web applications.
    Added a check to prevent auto-filled URLs from copying the auto-filled selection to clipboard/primary.
    Added the feature to pass a URL to open in a private window from the command-line.
    Improved the display of the downloads indicator on the button in bright-text situations.
    DOM storage now honors the "3rd party cookie" setting in that it will not allow 3rd party data to be stored if 3rd party cookies are disallowed.
    Allowed toolbar button badges to be properly styled.
    Updated the hunspell spellchecking library to 1.6.0 to fix a number of issues.
    Fixed desktop notifications being off-screen if fired in rapid succession.
    Added Element.insertAdjacentElement and Element.insertAdjacentText DOM functions.
    Added support for JPEG-XR images.
    This makes Pale Moon have the broadest support for image formats of all web browsers.
    (enabled by default; you can disable this with media.jxr.enabled).
    Completely removed the use of GStreamer on Linux.
    Added support for element.innerText.
    Custom toolbars should now properly remember their state.
    Fixed some more playback issues with MP4/MSE videos.
    Please be aware that we are still working on further improving MSE video handling.
    Changed media processing to reduce dangerous processing asynchronicity.
    This should also make media elements and playback more responsive.
    Fixed a useragent string regression always displaying the minor Goanna version as .0
    Updated NSPR to 4.13.1.
    Updated NSS to 3.28.3-RTM.
    Fixed unrestricted icon sizes in PMkit buttons.
    Fixed unresponsive buttons on support page when not building the updater.
    Fixed the use of "View image" and "Save image as" on extremely large images.
    Changed the way "View Image" and "Save image as" work on canvas elements.
    Made checking for dangerously large resolution PNG images smarter.
    It will now accept larger "strip"-aspect ratio images while reducing unsupported large image resolutions.
    This will e.g. fix Gmail's "emoji" window that uses a ridiculously long but very narrow single image to store all the emoticon pictures.
    Converted several hard-coded URLs to preferences.
    Updated the google.com override so it would not cripple services based on UA sniffing.
    Added Inner and Outer Window ID administration.
    Fixed the add-on discovery pane detection.
    Added support for canvas ellipse.
    Improved drawing of certain MathML elements at problematic zoom levels.
    No longer building gamepad support.
    Updated Harfbuzz font shaper to 1.4.3 to fix a number of issues.
    Fixed a number of crashes (layout, plugins, uncommon navigation, bad URLs).
    Aligned SVG specular filters with the spec.

Security/privacy changes:

    Added support for 256-bit AES-GCM encryption.
    Added support for ChaCha20-Poly1305 encryption.
    Removed support for Camellia-GCM since nobody seems interested in it.
    (Camellia in 128/256-bit CBC block mode is still fully supported).
    Added support for SHA-224, SHA-256, SHA-384 and SHA-512 to Crypto utils.
    Improved status handling of secure sites to be less sensitive to "insecure" items that are local.
    Fixed print preview hijacking. (CVE-2017-5421)
    Fixed a potentially exploitable crash in OnStartRequest. (CVE-2017-5416)
    Fixed potential cross-origin content-stealing through a timing attack. (CVE-2017-5407) DiD
    Fixed a denial-of-service problem with view-source. (CVE-2017-5422)
    Fixed crash in directional controls. (CVE-2017-5413)
    Fixed a perceived problem with chrome manifests. (CVE-2017-5427)
    Fixed the use of an uninitialized value. (CVE-2017-5405)
    Fixed a buffer overflow. (CVE-2017-5412)
    Fixed a UAF situation. (CVE-2017-5403)
    Fixed a potential spoofing issue with the address bar. (CVE-2017-5417)
    Fixed a potential issue in libvpx. (CVE-2017-5402) DiD
    Fixed a potential issue with HTTP auth. (CVE-2017-5418)
    Fixed several memory safety hazards and potentially exploitable crashes. DiD

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem. 


27.1.2 (2017-03-03)
This is a small update adding a workaround for potential deadlocks happening in media elements.

27.1.1 (2017-02-21)
This is a stability and bugfix update to the browser.

Changes/Fixes:

    Implemented a fix in media handling to prevent crashes with concurrent videos and/or rapidly starting/stopping video playback in the browser.
    Fixed the way the Adobe Flash plugin is detected to prevent confusion with other plugins that identify themselves as "Flash" (e.g. VLC).
    Windows: Solved stability issues caused by the release build process, resulting in unexpected behavior (e.g. hangups).

27.1.0 (2017-02-09)
This is a major update with lots of development and bugfixes. It also introduces the so-called "PMkit" modules, our effort to restore compatibility with Jetpack/SDK extensions and making it possible for extension developers to convert their SDK extensions with little effort to a Pale Moon compatible format. For more details please check the PMkit documentation on the developer wiki.

Changes/Fixes:

    Reworked the media back-end completely (thanks Travis!) to use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer relying on gstreamer on Linux, as well as adding some improvements on Windows for media parsing and playing.
    On Linux, Apple .mov files of the correct type will also be played through FFmpeg now, for those rare occasions where they are still in use, considering there is no Quicktime plug-in available on that operating system.
    Restored the classic about:config styling.
    Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
    Improved cross-compartment wrapper handling when managing a large number of tabs (fixes a performance regression with v27).
    Changed the way audio and video synchronization is calculated to account for (slow) device latency, preventing things from getting out of sync on e.g. Bluetooth-connected speakers.
    Changed the way scripts are handled when they are stopped from the "unresponsive script" dialog, to prevent browser lockup. We will now stop all scripts in the affected compartment in one go.
    Fixed several errors in the devtools.
    Fixed a nasty crash caused by cross-origin referrers.
    Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again.
    Added HTML5-spec clipboard handling for content (cut&copy only -- paste is not allowed for security reasons).
    Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions.
    This should make running SDK-based modules as PMkit extensions fairly simple for extension developers. See the introductory text to these release notes.
    Fixed a CSS layout issue: make max-width affect contributions to intrinsic min-width.
    Implemented several updates to the permissions manager. Among others, improved the permissions manager (about:permissions) with a more complete set of permissions for pages.
    Removed otherwise unused Metro browser platform/widget code.
    Removed support for non-standard/deprecated let blocks and expressions.
    Made the use of let as a keyword versionless and ES6 compliant.
    Made the privacy category in preferences a tabbed setup to better fit the current options.
    Fixed a regression preventing certain MP4 video files from playing.
    Fixed a regression where seeking in media files would halt playback/jump to the end of the stream.
    Fixed a crash caused by certain downloadable fonts with DirectWrite in use.
    Improved downloads-button indicator legibility on some combinations of Windows versions and system theme colors.
    Changed the Facebook user-agent override to be our native one, based on reports from users that it is (finally) working acceptably.
    Fixed site-specific useragents being ignored if a global override is defined.

Security/privacy changes:

    Changed CORS handling to allow data: sources, assuming they are same-origin. This should fix the infamous "Facebook endless reload" issue and may make some other sites that assume this particular (unspecified) CORS behavior happy with Pale Moon.
    Reinstated the network.stricttransportsecurity.enabled preference so people who choose privacy over HSTS can do so again.
    In the HSTS "off" state, the HSTS site status is now prevented from being written to disk.
    Updated the IDN blacklist with more extended Unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar)
    Fixed an exploitable crash when using MP4 video. (CVE-2017-5396)
    Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
    Fixed a potential security issue when exporting certificates with specially-crafted credentials. (CVE-2017-5381)
    Fixed a potential use-after-free situation in frame selection. (CVE-2017-5380) DiD
    Fixed a leak of window details through the Ion compiler in certain situations.
    Fixed the potential for an exploitable crash involving JavaScript GC. DiD
    Fixed a potential overflow situation in (non-released) WebRTC code. DiD
    Fixed a potentially unsafe situation in websockets. DiD
    Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877, 1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344, 1285960).


27.0.3 (2016-12-16)
This is a bugfix and security update.

Changes/fixes:

    Fixed certain network errors not displaying.
    Fixed network error page styling.
    Fixed the writing of DOM storage data to tabs (should solve the "tabs not loading their contents" issue when migrating a profile and some other situations).
    Disabled downloadable font unicode-ranges on non-Windows platforms.
    Added a Google Fonts user-agent override for non-Windows platforms so they don't send unicode-ranged composite fonts (Feature detection? Google apparently still doesn't know what that is).
    Re-enabled the reporting of CSS errors to the console by default to prevent issues with some extensions that rely on this (e.g. Stylish).
    Fixed and updated preferences for location bar suggestions.
    Fixed several x64-specific issues in memory allocation code (regression fix).
    Fixed timer issues when resuming a computer from stand-by (regression fix).
    Fixed a number of branding and textual issues in the browser.
    Fixed prompting for the saving of off-line data (previously always allowed without prompting).
    Fixed a layout regression that would cause block elements following left floats to not wrap to the next line if there wasn't enough clearance.
    Fixed a mismatch in Firefox extension compatibility-mode installation where Firefox extensions served by addons.mozilla.org would be marked incompatible when trying to install.

Security-related and crash fixes:

    Fixed use-after-free while manipulating DOM events and removing audio elements (CVE-2016-9899).
    Fixed CSP bypass using the marquee tag (CVE-2016-9895).
    Fixed a vulnerability in the internal Jetpack modules (CVE-2016-9903). DiD
    Fixed use-after-free in Editor while manipulating DOM subtrees (CVE-2016-9898).
    Fixed an error in the buffer logic in http-chunked decoder.
    Fixed a crash in generational GC code (not in use by default). DiD
    Fixed a compartment mismatch bug in plug-in code.
    Fixed a crash trying to get a nonexistent property.
    Improved MediaRecorder's observer safety.
    Fixed a crash related to document history.



27.0.2 (2016-12-02)
This is a minor update to address usability and security issues:

    Enabled Firefox Compatibility mode by default for the useragent string.
    Unfortunately too many websites (and especially the big players who should know better like Google, Apple and Microsoft) still require the "we must pretend to be Firefox if we want this site to work" status quo to be maintained, because people still insist on using useragent sniffing to determine "browser features", or even worse, discriminate against free choice of browser by flat-out refusing service (I'm looking at you, banking industry and cloud services!) when visiting websites just because companies don't want to provide assistance to any but users on the main 3.
    HTML offers plenty of ways to do proper feature detection; site owners should use them.
    Seriously people, it was a bad idea 20 years ago, and it's a worse idea in 2016.
    The built-in devtools are back, and with a facelift!
    Thanks to some consistent community help, the built-in devtools, sorely missed by a number of our users, are back. They've received a code and style update and should be fully functional on the new platform. This was originally planned for 27.1, but it was decided to include this as soon as possible, not in the least to assist extension developers in their efforts to adapt to Pale Moon 27.
    Security fix:
    Fixed a crash in SVG, related to CVE-2016-9079, as a defense-in-depth measure.

27.0.1 (2016-11-28)
This is a bugfix release for some of the issues that popped up with the new milestone.

Changes/fixes:

    Fixed removal of distribution/bundles/ copies of status bar code and ruby annotations code.
    This should clean up everything on install/upgrade that currently causes double code to create intermittent/odd behavior.
    Backed out some media back-end changes to fix MSE playback on Twitch.tv and other similar sites.
    Disabled pop-up network status in full screen by default (since video detection is rather iffy at the moment).
    Fixed a regression causing the "reset profile" button to not appear in about:support on the default profile.
    Worked around bad Netflix interface changes - it will now use a more compatible web UI.
    Please note that these Netflix changes were unrelated to the actual release of Pale Moon (26.5 is also affected).
    Aligned base status bar colors with default prefs.
    Fixed status bar options not being remembered.
    Added an override for Amazon Prime videos so they won't stop us at the front door any longer when not using the Firefox Compatibility user agent mode.
    Re-applied proper branding text to in-app licensing.

27.0.0 (2016-11-22)
After about 8 months of development, we now have a new milestone release with literally too many changes to list even concisely. These release notes will therefore only highlight the most important parts of this release.
In this release we've done a full upgrade of our back-end platform, meaning many things work differently "under the hood" and you may run into a number of extension compatibility issues as a result.

New and updated features:

    Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
    Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
    Pale Moon now fully supports HTTP/2.
    Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
    Media Source Extensions have been implemented to solve many video playback issues.
    This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
    Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
    Support for SSL/TLS connections to proxy servers.
    Support for the WOFF2 font format for downloadable fonts.
    The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
    The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.

Removed support/features:

    Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
    Removed the internal PDF (pre)viewer. This module was not maintained, was unable to display even half of the PDF documents correctly, and could not reasonably remain included in the browser. Please use a separate reader and/or install a PDF reader plugin.
    Disabled building of the devtools. They will not be included in release versions of Pale Moon from this point forward. If you are a web developer or otherwise need those tools, fear not! They are available as a browser extension.
    Removed the active XSS filter. This feature, although effective, was prone to some instability and needs to be rewritten for the update of our platform. It may or may not return in the future, depending on whether the original author has time to rewrite parts of this filter implementation.
    Removed support for Add-on SDK extensions (JetPack extensions), considering the Mozilla/Gecko SDK is no longer compatible with our combination of application and platform code.

Security highlights:

    All relevant security fixes up to and including Firefox 50 have been ported across from Mozilla to continue to provide a browser that is as secure as possible.
    Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
    There's a new option and control to determine whether to save zone information (marking files as "downloaded from the Internet") on downloaded files (Windows+NTFS). You can find this in Options.

Other important notes:

    Pale Moon 27 will initially only be available in English. We are working on getting localization done to have language packs available over time.
    Important: You cannot use the previous language packs since many strings have changed. Trying to do so will likely prevent the browser from starting or functioning. Pale Moon will automatically disable language packs for the previous version, but if you have explicitly disabled add-on compatibility checking you may run into trouble.
    We will continue to fully support the following:
        NPAPI plugins
        Extensions with binary/XPCOM components
        XUL/Overlay and bootstrapped extensions
        Complete themes
        Unsigned and author-signed extensions
        The Camellia encryption cipher (also in GCM mode)
        Graphite font shaping
        Sync 1.1 (albeit without support for syncing add-ons)
        Full customization of the UI as before

26.5.0 (2016-09-28)
Fixes/Changes:

    Implemented a breaking CSP (content security policy) spec change; when a page with CSP is loaded over http, Pale Moon now interprets CSP directives to also include https versions of the hosts listed in CSP if a scheme (http/https) isn't explicitly listed. This breaks with CSP 1.0 which is more restrictive and doesn't allow this cross-protocol access, but is in line with CSP 2 where this is allowed.
    Fixed an issue with the XML parser where it would sometimes end up in an unknown state and throw an error (e.g. when specific networking errors would occur).
    Improved the performance of canvas poisoning by explicitly parallelizing it.
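
The scheme rule from the CSP change above, as an added JavaScript example (not Pale Moon's code) that evaluates the same source expression under the CSP 1.0 rule and under the CSP 2 rule. It handles only host-sources (host, optional "*." wildcard, optional port) and ignores paths; the function names and all URLs are constructed for illustration.

```javascript
// Added example, not Pale Moon source: does a CSP host-source allow a
// resource, given the URL of the page that carries the policy?
// level 1 = CSP 1.0 scheme rule, level 2 = CSP 2 scheme rule.

// Split "[scheme://][*.]host[:port]" into its parts.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ':' : null,
    wildcard: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
  };
}

function schemeMatches(src, page, resource, level) {
  // An explicitly listed scheme must match exactly at both levels.
  if (src.scheme) return resource.protocol === src.scheme;
  // CSP 2: a scheme-less source on an http page also covers https.
  if (level >= 2 && page.protocol === 'http:') {
    return resource.protocol === 'http:' || resource.protocol === 'https:';
  }
  // Otherwise the resource must use the page's own scheme, so an https page
  // never gains access to http resources.
  return resource.protocol === page.protocol;
}

function hostMatches(src, resource) {
  const host = resource.hostname.toLowerCase();
  return src.wildcard ? host.endsWith('.' + src.host) : host === src.host;
}

function portMatches(src, resource) {
  if (src.port === '*') return true;
  // URL.port is '' when the URL uses the default port of its scheme.
  if (src.port === null) return resource.port === '';
  const defaults = { 'http:': '80', 'https:': '443' };
  return (resource.port || defaults[resource.protocol]) === src.port;
}

function hostSourceAllows(expr, pageUrl, resourceUrl, level) {
  const src = parseHostSource(expr);
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  return schemeMatches(src, page, resource, level) &&
         hostMatches(src, resource) &&
         portMatches(src, resource);
}

// Constructed cases: [source expression, page URL, resource URL].
const CASES = [
  ['cdn.example.com', 'http://shop.example/', 'https://cdn.example.com/app.js'],
  ['cdn.example.com', 'http://shop.example/', 'http://cdn.example.com/app.js'],
  ['cdn.example.com', 'https://shop.example/', 'http://cdn.example.com/app.js'],
  ['http://cdn.example.com', 'http://shop.example/', 'https://cdn.example.com/app.js'],
  ['*.example.com', 'http://shop.example/', 'https://img.example.com/logo.png'],
];

for (const [expr, page, resource] of CASES) {
  const v1 = hostSourceAllows(expr, page, resource, 1) ? 'allow' : 'block';
  const v2 = hostSourceAllows(expr, page, resource, 2) ? 'allow' : 'block';
  console.log(`${expr} | page ${page} | ${resource} | CSP1: ${v1} | CSP2: ${v2}`);
}
```

Only the first and last cases change between the two levels: a scheme-less source on an http page starts to allow the https resource, while an explicit scheme and the https-page case behave as before.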

Security fixes:

    Fixed a potentially exploitable crash related to text writing direction. (CVE-2016-5280)
    Made checking for invalid PNG files more strict. Pale Moon will now reject more PNG files that have corrupted/invalid data that could otherwise lead to potential security issues.
    Changed the way paletted image frames are allocated so the space is cleared before it's used. DiD
    Fixed a crash in nsNodeUtils::CloneAndAdopt() due to a typo. DiD
    Fixed several memory safety issues and crashes.

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.


26.4.1 (2016-09-12)
This is a minor bugfix and security release.

Changes/fixes:

    Fixed a crash in the XSS filter.
    Slightly changed the address bar shading on secure sites to be more subtle and easily-blended.
    Fixed the occurrence of "null" titles in bookmarks dragged from special folders.
    Fixed an error initializing the browser due to trying to restore scratchpad data from a stored session when having switched from a version with devtools to a version without devtools, and the previous version had scratchpad data saved.
    Fixed some minor issues in scratchpad and gcli devtools.

Security fixes:

    Updated the HSTS preload list from a much more up-to-date source list; from now on we perform our own validity checks so the list is as accurate as possible.
    Disabled Triple-DES cipher suites by default (mitigating SWEET32).

Portable-only: Changed the behavior to, by default, allow it to start a new copy or multiple copies without checking if Pale Moon is already running on the system. You will need separate profiles to run multiple browsers concurrently.

 

26.4.0.1 (2016-08-23) - Linux only
This Linux-only release is once again using GStreamer 0.10 for video support, which should prevent Pale Moon from crashing when playing some HTML5 videos.

Additional changes/fixes:

    A blacklist for GStreamer has been implemented and enabled by default (can be disabled with the media.gstreamer.enable-blacklist about:config pref).
    The flump3dec GStreamer plugin (known to be crashy) & h264parser element (a potential security risk) have been blacklisted.
    Fixed a couple other GStreamer related crashes.
    No longer force Link Time Optimization with GCC 6.

26.4.0 (2016-08-17)
Changes/fixes:

    Removed Google Search as a bundled search provider. If desired, you can manually install it (or other search engines) after the update by following the steps in the Manage Search Engines topic.
    Fixed the URL API to allow "stringification" of the object per specification. This should make a number of websites happy.
    Added the ES6 string .includes() function in addition to the pre-existing .contains() function for checking if a string contains another string. The .contains() function is retained for compatibility with web and extension scripts that adhere to the ES6 pre-release specification up to and including RC3.
    Fixed the calculation of standalone SVG embeds width and height, which should solve some reported issues with HTML5 graphs being displayed incorrectly.
    Linux: improved memory allocation.
    Updated the graphite font library to 1.3.9.
    Added a blocking rule for F-Secure's 64-bit deepguard library to prevent crashes.
    Updated the SQLite library to 3.13.0.
    Download= properties of links are now honored from the context menu "Save" option.
    Fixed a crash in the XSS filter.
    Fixed a crash in the DOM error module.
    Worked around a crash on Linux.
    Linux: Improved optimization and GCC6 compatibility (Note: compiling with GCC 6 is still not recommended and it may or may not work, depending on your environment)

Security fixes:

    (CVE-2016-5251) Potential URL spoofing in the address bar.
    (CVE-2016-0718) Context-dependent crash in expat 2.1.0.
    (CVE-2016-5266) Outgoing dataTransfer items are not properly filtered.
    Fixed potentially exploitable crash in the array splice implementation.
    Fixed potentially exploitable crash caused by badly formatted ICO files.
    (CVE-2016-5254) Heap-use-after-free in nsXULPopupManager::KeyDown


26.3.0 (2016-06-21)
Changes/fixes:

    Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity.
    HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume.
    Default HTML5 media volume preference added as media.default_volume -- fractional, default 1.0 (=100%).
    String.prototype.match() and .replace() are now fully spec compliant.
    NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code.
    Worked around crashes in the XSS filter when navigating back in history due to document fragments.
    Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines.
    Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL.

Security fixes:

    Fixed a number of memory safety hazards and potentially exploitable crashes.
    Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class
    Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
    Fixed a memory overrun error in the VP8 encoder. DiD
    Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD
    Fixed CVE-2016-2825 Partial Same Origin Policy violation


26.2.2 (2016-05-10) & Android 25.9.2
This is mainly a security update.

Changes/fixes:

    Added a detection routine for dark window colors on Windows 8 and later (system themes using dark window frames) to better adapt to dark system colors. Theme developers can take advantage of this by checking for darkwindowframe="true" on #main-window in CSS selectors.
    CSS classes prefixed with "--" no longer stop parsing of the selectors.
    Several crash fixes.

Security fixes:

    Made GC suppression more aggressive to prevent issues when actually out of memory.
    Fixed a memory safety hazard in jpeg decoding.
    Fixed a potentially exploitable crash when using bi-directional text.
    Updated NSS to 3.19.4.2-PM, fixing CVE-2016-1938 among other things.

26.2.1 (2016-04-08)
This is a small update to fix a problem with keyboard navigation of the user interface.

26.2.0 (2016-04-05)
This is a major update and bugfix release.

Changes:

    Implemented the URL API that's needed for a number of websites.
    Changed internal keystroke handling within the spec to better align with generally expected behavior.
    This should fix the infamous "backspace" issue on Facebook.
    Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing.
    Linux: gstreamer 1.0 support has been implemented and enabled by default (hats off to Travis!)
    From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported).
    Re-styled about:sessionrestore to use more available screen real estate for tab info.
    Added an option to use the mousewheel for horizontal scrolling (mouse action value 4).
    (e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally)
    Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons.
    Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages.
    Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us.
    Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly)
    Fixed several issues with the default theme causing problems with behavior due to styling (thanks, Antonius32) (Issue #384 and friends)
    Fixed some miscellaneous issues in the internal jemalloc implementation.
    Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now)
    Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings.
    Fixed layout of reflowed comboboxes without enough space.
    Fixed a crash related to flexboxes overflowing themselves. (Issue #396)
    Added a simple implementation for Weak Messagelisteners. (Issue #399)
    Fixed a crash for losing our cache entry while finishing up compression.
    (re-apply after unintentional back-out switching to Goanna)
    Linux: Worked around driver bugs with Intel drivers that falsely report what they can support in max texture size.
    Portable only: Removed compression of the browser components library after some reports that in certain configurations and environments it was causing issues with the browser.

Security fixes:

    Updated the graphite font library to 1.3.7+ to solve CVE-2016-2796 and no less than 14 of its friends.
    Updated NSS to 3.19.4.2-PM to address several vulnerabilities (UAF, heap overflow).
    Updated libvorbis to a much more recent version to fix multiple issues.
    Crash fix and DiD fixes by holding strong references to objects in suspect places in the HTML parser. (CVE-2016-1961) (ZDI-CAN-3574)
    Fixed several out-of-bounds issues in the VP8 decoder.
    Fixed a potentially exploitable crash in XML/XSLT handling.
    Applied some Kung Fu to HTML animations and transitions to prevent memory hazards.
    Fixed applicable Mozilla code vulnerabilities CVE-2016-1965, CVE-2016-1960 (ZDI-CAN-3545), CVE-2016-1966, and CVE-2016-1963.


26.1.1 (2016-02-24)
This is a bugfix release to improve stability and extension compatibility.

Changes/fixes:

    Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions.
    Changed memory handling to (hopefully) address the memory inflation issues some people have experienced with 26.1.0.
    Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.

26.1.0 (2016-02-16)
This is a web compatibility, stability and bugfix release.

Changes/fixes:

    Disabled our ES6 Promise implementation introduced in 26.0 since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward.
    Improved website compatibility with many sites and web applications by making our cookie gate less strict.
    Fixed web compatibility with Google Hangouts and Yahoo Calendar.
    Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media.
    Fixed a few rare crashing issues on Windows due to the build process.
    Reduced so-called "jank" on inner frame scrolling reflows.
    Extension compatibility: partial implementation of Firefox 26 download js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box. (Thanks, Chaoskagami!)
    Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
    Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation (Thanks, Trava90!)
    Updated the default theme to tweak/improve it some more (Thanks, Antonius32!)

Security fixes:

    Updated the Graphite2 font library to 1.3.5+ to fix a number of vulnerabilities (and some font bugs).

26.0.3 (2016-02-05)
This is a small bugfix release:

    Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility.
    Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior.
    Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported.

26.0.2 (2016-02-03)
This is a bugfix, security and web compatibility release.

Changes/fixes:

    Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request.
    Please see the forum for information on which operating systems we can reasonably support.
    Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
    Made sure that dom.disable_beforeunload is predefined in about:config.
    Fixed web compatibility issues with YouTube, YouTube Gaming, Yuku fora and Netflix.
    Fixed web compatibility with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
    Reinstated the about:config warning by default.
    Fixed 2 potential browser crashes.

Security fixes:

    Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
    Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
    Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) DiD
    Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) DiD
    Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting with this version, binaries will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.


26.0.1 (unreleased)
Internal development/test version.

26.0.0 (2016-01-26)
This is a new milestone release! It's been in the works for a good number of months, and has many hundreds of notable changes, fixes, and improvements that can't possibly all be listed here.

These release notes for this version are a concise summary, lifting out the most prominent and important changes. You may find slightly more detailed release notes on the forum.

General release notes:

    Pale Moon is now building on the new Goanna engine instead of Gecko. Although close relatives in terms of web technology, they are not the same under the hood and any reports of bugs with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the bugs and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum.
    We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should more than cover the common languages spoken around the globe. You will need to update your language packs!
    Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway.

Fixes/changes:

    The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas.
    The browser user interface has received updates, making it more compatible with Windows 10 in many respects and more in line with the general styles of the operating system version it is run on in terms of the shapes of controls and color setting.
    Updated graphics/media support: Pale Moon now supports the WebP image format, properly scales EXIF rotated JPEGs, has updated support for different WebGL texture formats, improved scaling of vector images, updated libpng, libjpeg-turbo, libvpx, and misc other upstream libraries/modules, and more!
    Library changes:
        The library now has a scope bar (pops up when searching) with the option to select what you want to search in (either bookmarks or history) and the option to save your searches.
        By default, there will be a history menu drop-down in the browser's user interface next to the bookmarks one.
        Added "Containing folder" and "Containing folder path" columns so you can see exactly where a bookmark is located at a glance when searching (after enabling the columns).
    Added support for Ruby annotations. If you need this functionality, set the about:config preference browser.ruby.enabled to true, and restart the browser.
    Added conservative image decoding: it will now only decode images that are (almost) in view, greatly improving overall memory use and initial loading of graphics-heavy pages.
    Aligned 3D CSS transforms and perspective with the spec.
    JavaScript improvements: added basic support for ES6 Promises, added element.matches(), updated property assignments, added Bin/Oct literals in Number(), improved performance of TypeOf calls, improved GC memory shrinking, improved memory allocations, improved RegEx performance and compatibility, and more!
    Added CSS media queries to determine the OS the browser is running on, allowing theme designers to make specific changes based on OS at run-time.
    Added a control preference for onunload= events as dom.disable_beforeunload. This allows you to completely disable events fired when leaving a page.
    Changed the memory allocator to the (faster) system allocator on modern operating systems.
    Improved the handling of very large numbers of tabs.
    Added Ecosia as a "green" search engine alternative for the environmentally aware surfer.
    Autoplay of media now has a separate control preference for scripted content as media.autoplay.allowscripted, to block script-initiated autoplay of media.

Security updates:

    Added support for 128-bit Camellia-GCM ciphers in addition to the existing CBC ciphers to offer a more internationally diverse choice of secure encryption ciphers than just AES.
    Added an advanced, active XSS (cross-site scripting) filter. Pale Moon will now check for XSS attacks and block XSS content in the resulting pages. This is brand-new technology and feedback on this filter specifically (e.g. bugs, false positives, etc.) should be posted in the dedicated thread on the forum for this feature. Please also see that thread for details on how to use and control this filter.
    Distrusted several root certificates in accordance with security best practice.
    Aligned cookie acceptance with RFC 6265 §4.1.1. We still make an exception for allowing spaces and double quotes in cookie values, but this will be made more strict in the future for full spec compliance. If you are a web designer and use cookies, please verify that you are RFC compliant in terms of both cookie names and cookie values, or the browser may reject them.
    Removed several hazardous modules like the maintenance service and the identity module.
    Ported all security updates from Mozilla that are applicable/relevant to our code base (up to and including all security issues made known to us until now). Considering v26 has been kept updated over its long development until release, the list of fixes/CVEs would be too exhaustive to list in these release notes individually.
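
The cookie notes for 26.0.0 (RFC 6265 §4.1.1 alignment) and 26.0.3 (spaces in cookie names) ask site authors to verify their cookies. The following is an added example, not Pale Moon code, that checks the name/value pair of a Set-Cookie header value against the RFC grammar. The function names, the three verdict labels and the sample headers are constructed for illustration; the "grey-area" verdict only models the exceptions these notes describe.

```javascript
// Added example: audit Set-Cookie name/value pairs against RFC 6265 section 4.1.1.
// Not the browser's cookie gate; names and verdict labels are hypothetical.

// cookie-name = token (RFC 2616): visible US-ASCII minus the separators
// ( ) < > @ , ; : \ " / [ ] ? = { } and minus space/tab.
const isTokenChar = (ch) => /^[!#$%&'*+\-.^_`|~0-9A-Za-z]$/.test(ch);

// cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// (no controls, whitespace, double quote, comma, semicolon or backslash).
const isCookieOctet = (ch) =>
  /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]$/.test(ch);

// Return the distinct characters of str that the predicate rejects.
function offendingChars(str, isAllowed) {
  const bad = new Set();
  for (const ch of str) {
    if (!isAllowed(ch)) bad.add(ch);
  }
  return [...bad];
}

function checkCookiePair(name, value) {
  // cookie-value = *cookie-octet / ( DQUOTE *cookie-octet DQUOTE )
  const quoted =
    value.length >= 2 && value.startsWith('"') && value.endsWith('"');
  const inner = quoted ? value.slice(1, -1) : value;

  const badName =
    name.length === 0 ? ['<empty>'] : offendingChars(name, isTokenChar);
  const badValue = offendingChars(inner, isCookieOctet);

  let verdict;
  if (badName.length === 0 && badValue.length === 0) {
    verdict = 'compliant';
  } else {
    // Assumption taken from the release notes: spaces in names (26.0.3) and
    // spaces or double quotes in values (26.0.0) are tolerated for now.
    const greyName = badName.every((ch) => ch === ' ');
    const greyValue = badValue.every((ch) => ch === ' ' || ch === '"');
    verdict = greyName && greyValue ? 'grey-area' : 'non-compliant';
  }
  return { verdict, badName, badValue };
}

// Takes the header value only (the part after "Set-Cookie:").
// The pair ends at the first ';', so a semicolon can never be part of a value.
function auditSetCookie(headerValue) {
  const pair = headerValue.split(';', 1)[0];
  const eq = pair.indexOf('=');
  if (eq < 0) {
    return { verdict: 'non-compliant', badName: ['<no "=">'], badValue: [] };
  }
  return checkCookiePair(pair.slice(0, eq), pair.slice(eq + 1));
}

// Constructed sample headers, not taken from any real site.
const SAMPLES = [
  'SID=31d4d96e407aad42; Path=/; Secure; HttpOnly',
  'lang="en-US"; Path=/',
  'user name=alice',
  'note=say "hi"',
  'prefs=a,b',
  'user@host=1',
];

for (const header of SAMPLES) {
  const { verdict, badName, badValue } = auditSetCookie(header);
  console.log(
    `${verdict.padEnd(13)} ${header}` +
      (badName.length ? `  name: ${JSON.stringify(badName)}` : '') +
      (badValue.length ? `  value: ${JSON.stringify(badValue)}` : '')
  );
}
```

Anything reported as "grey-area" is accepted only through the exceptions these notes describe and should be renamed or re-encoded before the stricter handling announced above arrives.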


25.8.1 (2015-11-28)
A small update to address two important issues:

    Fix for a crash that could occur at random since the update to 25.8.0.
    Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.

25.8.0 (2015-11-17)
This is a security, stability and usability update.

Fixes/changes:

    Updated LibVPX to 1.4.x to be able to play more kinds of VP9-encoded videos.
    Updated the JPEG decoder library to 1.4.0.
    Fixed and cleaned up XPCOM timer thread code to avoid intermittent issues with events not firing (especially after stand-by).
    Updated overrides to work around issues with Facebook and Netflix.
    Fixed an issue where too-old system-supplied NSPR and/or NSS libraries would be accepted for use.

Security fixes:

    Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126
    Updated the NSPR library to 4.10.10 to address several security issues.
    Updated the NSS library to 3.19.4 to address several security issues.
    Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
    Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
    Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
    Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
    Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
    Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
    Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
    Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
    Fixed several JavaScript-based memory safety hazards. DiD


25.7.3.1 (Android only!) (2015-10-15)
A small update to the Android version only to fix an issue with the Sync setup still not working properly on Android clients.

25.7.3 (2015-10-14)
This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser.
Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.

25.7.2 (2015-10-02)
This is a stability update, addressing 2 critical hangs:

    Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.
    Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.

25.7.1 (2015-09-28)
This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.

Fixes/changes:

    Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.
    Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface).
    Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).
    Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).
    Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.
    Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)
    Updated libnestegg to the most current version.
    Fixed an issue where setting the location to an empty string could cause a reload loop.

Security fixes:

    Changed the jemalloc poison address to something that is not a NOP-slide. DiD
    Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)
    Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)
    Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)
    Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)
    Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)
    Fixed a potentially exploitable crash in nsXBLService::GetBinding
    Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)
    Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)
    Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)


25.7.0 (2015-08-26)
This is a bugfix and maintenance release.

Fixes/changes:

    Code cleanup: Removed the (otherwise unused) visual event tracer code.
    Code cleanup: Removed reflow performance tracing code (telemetry).
    Fixed a key JavaScript bug where defining properties on an object would wipe the object.
    This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expect the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped.
    This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function.
    Updated the SQLite library to 3.8.11.1.
    Added support for the element.matches() Web API function.
    Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag.
    Fixed an issue with running timers after the computer would have been put to sleep with the browser opened.

Security fixes:

    Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD
    Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)
    Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-4488)
    Fixed crash or memory corruption in nsTArray (CVE-2015-4489)
    Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)
    Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)
    Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)

25.6.0 (2015-07-27)
This release addresses some security issues and includes a range of usability improvements to the browser.

Fixes/changes:

    Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
    Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
    Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
    The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
    Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
    Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
    Added a count for the number of matches in the find bar. It will now list the total number of matches found, and which match is the currently highlighted one.
    Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
    Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
    Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
    Added -moz-os-version selectors for @media CSS queries to simplify theming on different operating systems (esp. Windows).
    Updated and improved several languages for the Status Bar code, and added Slovenian.
    Fixed an issue in the internal updater window not showing proper language strings.
    Fixed an issue where the unexpected use of "backface-visibility" on non-3D transformed elements (like the body) would break positioned elements on web pages.
    Fixed text positioning in the combobox display area when a non-default height is set for the combobox.
    Fixed a crash caused by bad Opus audio encoding in media files.
    Fixed a crash when trying to measure memory in about:memory while playing video.
    Fixed a rare crash in sLayersAccelerationPrefsInitialized
    Fixed miscellaneous other crashes.
    Fixed a DNS prefetching issue for the people using this feature.
    Fixed an issue with single-word searches from the address bar when a proxy is in use.
    Fixed a number of build issues on Linux when using system libs.
    Added support for link-time optimization on newer Linux compilers.
    Removed more telemetry code (ongoing project!).

Security fixes:

    Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
    Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
    Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
    Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
    Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
    Fixed an issue where an IPDL message was sent off the main thread.
    Fixed a potentially exploitable TCPSocket crash due to a race condition.

25.5.0 (2015-06-10)
This is an important maintenance update with mostly under-the-hood changes.

Fixes/changes:

    Logjam fix: Refuse DHE keys with less than 1024 key bits
    Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
    Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
    Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
    HSTS preload list updates (Squarefractal)
    Status bar locale addition: cs
    Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
    Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
    Disabled the Sync promo box in doorhangers.
    Updated libpng to version 1.5.22
    Fixed support for builds using newer freetype on Linux. (Axiomatic)
    Fixed --with-system-pixman builds. (Isaac Dunham)
    Updated SQLite to version 3.8.10.1
    Changed the after-upgrade page loaded to the release notes instead of the home page.
    (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
    Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
    Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
    Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
    Reorganized how pushed floats are handled in layout flow
    Implemented a change to run the updater from the install directory instead of copying it.
    Fixed transparency of the Pale Moon document icon for 256x256
    Updated padlock code:
    - Added mixed-mode shading, and reorganized shading pref values more logically
    (0=off, 1=secure only, 2=secure+mixed, 3=all)
    - Cleaned up CSS
    - Cleaned up padlock logic a little
    Hard-coded internal UA sniffing values for the extension legacy of devtools
    Updated NSPR to 4.10.8
    Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
    Bumped the built-in site-specific UA compat mode overrides to v38
    Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
    Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
    Added the option to load modules into a named scope (see issue #88)
    Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
    Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
    Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
    Added a preference for always preferring a certain dictionary language.
    To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.

More information about changes in this version that would be important for extension developers and web programmers can be found here.

Security fixes:

    Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
    DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
    Fix for updater hijacking (CVE-2015-2720)
    Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
    Fix for a buffer overflow in the XML parser (CVE-2015-2716)
    Fix for a potentially exploitable crash in DNS handling
