v27.4 [Jul 13, 2017]
- Fixed a number of crashes.
- Enabled the opt-in debugging feature to log SSL keys to a file in all builds.
- Added a fix for TLS 1.3 handshakes causing a browser hangup.
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783).
- Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787).
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804).
- Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates(CVE-2017-7781).
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784).
- Fixed a UAF in WebSockets(CVE-2017-7800).
v27.3 [Apr 28, 2017]
27.3.0 (2017-04-28)
A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.
v27.2 [Mar 18, 2017]
Reworked the media back-end completely (thanks Travis!) to use FFmpeg (including support for FFmpeg v3 and MP3 playback) and our own MP4 parser, and no longer relying on gstreamer on Linux, as well as adding some improvements on Windows for media parsing and playing.
On Linux, Apple .mov files of the correct type will also be played through FFmpeg now, for those rare occasions where they are still in use, considering there is no Quicktime plug-in available on that operating system.
Restored the classic about:config styling.
Added a fallback to US-ASCII if the autoconfig UTF-8 conversion fails.
Improved cross-compartment wrapper handling when managing a large number of tabs (fixes a performance regression with v27).
Changed the way audio and video synchronization is calculated to account for (slow) device latency, preventing things from getting out of sync on e.g. BlueTooth-connected speakers.
Changed the way scripts are handled when they are stopped from the "unresponsive script" dialog, to prevent browser lockup. We will now stop all scripts in the affected compartment in one go.
Fixed several errors in the devtools.
Fixed a nasty crash caused by cross-origin referrers.
Fixed the installer to allow 64-bit versions of the browser to be installed on Vista again.
Added HTML5-spec clipboard handling for content (cut© only -- paste is not allowed for security reasons).
Made multiple changes to the toolkit jetpack modules to cater to PMkit extensions.
This should make running SDK-based modules as PMkit extensions fairly simple for extension developers. See the introductory text to these release notes.
Fixed a css layout issue: make max-width affect contributions to intrinsic min-width.
Implemented several updates to the permissions manager. Among others, Improved the permissions manager (about:permissions) with a more complete set of permissions for pages.
Removed otherwise unused Metro browser platform/widget code.
Removed support for non-standard/deprecated let blocks and expressions.
Made the use of let as a keyword versionless and ES6 compliant.
Made the privacy category in preferences a tabbed setup to better fit the current options.
Fixed a regression preventing certain MP4 video files from playing.
Fixed a regression where seeking in media files would halt playback/jump to the end of the stream.
Fixed a crash caused by certain downloadable fonts with DirectWrite in use.
Improved downloads-button indicator legibility on some combinations of Windows versions and system theme colors.
Changed the Facebook user-agent override to be our native one, based on reports from users that it is (finally) working acceptably.
Fixed site-specific useragents being ignored if a global override is defined.
Security/privacy changes:
Changed CORS handling to allow data: sources, assuming they are same-origin. This should fix the infamous "Facebook endless reload" issue and may make some other sites that assume this particular (unspecified) CORS behavior happy with Pale Moon.
Reinstated the network.stricttransportsecurity.enabled preference so people who choose privacy over HSTS can do so again.
Added, In HSTS "off" state, prevention of HSTS site status from being written to disk.
Updated the IDN blacklist with more extended unicode characters that "look very similar to" normal ASCII characters, to prevent spoofing of well-known domains. If blacklisted characters are found, the IDN domain name will be displayed in its punycode form. (CVE-2017-5383 and similar)
Fixed an exploitable crash when using MP4 video. (CVE-2017-5396)
Fixed an exploitable crash in XSL parsing. (CVE-2017-5376)
Fixed a potential security issue when exporting certificates with specially-crafted credentials. (CVE-2017-5381)
Fixed a potential use-after-free situation in frame selection. (CVE-2017-5380) DiD
Fixed a leak of window details through the Ion compiler in certain situations.
Fixed the potential for an exploitable crash involving Javascript GC. DiD
Fixed a potential overflow situation in (non-released) WebRTC code. DiD
Fixed a potentially unsafe situation in websockets. DiD
Fixed several memory and other safety hazards (BMO bugs 1318766, 1325877, 1328834 DiD, 1288561 DiD, 1322420 DiD, 1293327 DiD, 1322315, 1325344, 1285960).
DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
v27.0 [Nov 10, 2016]
New and updated features:
Support for DirectX 11 and Direct2d 1.1 on Windows. This will bring Pale Moon more in line with the capabilities for current-day operating systems and graphics hardware.
Update of the Goanna engine to 3.0 - with many changes to layout and rendering for the modern web.
Pale Moon now fully supports HTTP/2.
Ruby Annotations are now an integral part of the HTML parser, controllable with CSS.
Media Source Extensions have been implemented to solve many video playback issues.
This can be enabled/disabled and configured in Options. It's recommended at this time to not enable MSE for WebM since there are a few issues with it on services like YouTube (e.g. losing audio when looping/skipping).
Support for reading and playing so-called "fragmented" MP4 files has been added, further solving media playback issues.
Support for SSL/TLS connections to proxy servers.
Support for the WOFF2 font format for downloadable fonts.
The JavaScript engine has been updated with support for many landmark ECMAScript6 features (chief among them promises and generators). This will solve many of the web compatibility issues that people have started to run into in the past few months (e.g. webmail interfaces, some sites coming up blank because they are script-generated).
The way web content is cached has been changed to be more efficient. If you want to immediately take advantage of this, clear your cache.
Removed support/features:
Removed support for Windows XP. If you are still running Windows XP, then your only option is to continue using Pale Moon 26.
Removed the internal PDF (pre)viewer. This module was not maintained, was unable to display even half of the PDF documents correctly, and could not reasonably remain included in the browser. Please use a separate reader and/or install a PDF reader plugin.
Disabled building of the devtools. They will not be included in release versions of Pale Moon from this point forward. If you are a web developer or otherwise need those tools, fear not! They are available as a browser extension.
Removed the active XSS filter. This feature, although effective, was prone to some instability and needs to be rewritten for the update of our platform. It may or may not return in the future, depending on whether the original author has time to rewrite parts of this filter implementation.
Removed support for Add-on SDK extensions (JetPack extensions), considering the Mozilla/Gecko SDK is no longer compatible with our combination of application and platform code.
Security highlights:
All relevant security fixes up to and including Firefox 50 have been ported across from Mozilla to continue to provide an as secure as possible browser.
Several libraries have been updated to their latest versions to pick up any important vulnerability fixes.
There's a new option and control to determine whether to save zone information (marking files as "downloaded from the Internet") on downloaded files (Windows NTFS). You can find this in Options.
v26.4 [Aug 17, 2016]
Changes/fixes:
Fixed a crash in the XSS filter.
Slightly changed the address bar shading on secure sites to be more subtle and easily-blended.
Fixed the occurrence of "null" titles in bookmarks dragged from special folders.
Fixed an error initializing the browser due to trying to restore scratchpad data from a stored session when having switched from a version with devtools to a version without devtools, and the previous version had scratchpad data saved.
Fixed some minor issues in scratchpad and gcli devtools.
Security fixes:
Updated the HSTS preload list to a much more updated source list, and performing our own checks on validity from now on to have the list be as accurate as possible.
Disabled Triple-DES cipher suites by default (mitigating SWEET32).
v26.3 [Jun 21, 2016]
Fixed an additional issue found that could cause menu text on Windows 10 to be white-on-white (and therefore unreadable).
Fixed an issue with news feeds not showing up when embedded in web pages.
Removed recently-added parsing of the child-src content security policy directive, after some web compatibility issues with it came to light, as well as it becoming clear that the CSP spec will see it removed in favor of the previous directive for embedded content. This should fix some intermittent issues people have reported on e.g. the main google.com page and phpMyAdmin installations.
v26.2 [Apr 5, 2016]
A small update to fix a problem with keyboard navigation of the user interface.
v26.1 [Feb 16, 2016]
- Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions.
- Changed memory handling to (hopefully) address the memory inflation issues some people have experienced with 26.1.0.
- Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube.
v26.0 [Sep 5, 2015]
Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility.
Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior.
Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported.
v25.7 [Aug 26, 2015]
This is a usability update needed due to the fact that Mozilla has shut down they key exchange (J-PAKE) server along with the old Sync servers. This was unexpected and required us to set up our own key server (testing indicates this works as-expected, but please do report any issues on the forum) - which also required reconfiguration of the browser. Please note that older versions of the browser will no longer be able to link devices to a sync account using the 12-character code since it requires a Mozilla server no longer present. If you need this functionality, you must update to this version or later.
v25.6 [Jul 27, 2015]
Canvas anti-fingerprinting option.
Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts.
Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video.
Reinstated the packaging of pre-compiled scripts in the browser.
Added a count for the number of matches in the find bar. it will now list the total number of matches found, and which match is the currently highlighted one.
Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
v25.4 [May 8, 2015]
25.4.1 (2015-05-10)
This is a small but important update to the previous major release to address some critical issues:
Fixed loss of the browser's disk cache on startup due to incorrect corruption detection logic
Fixed a browser crash on some HTML5 games
25.4.0 (2015-05-08)
IMPORTANT: If you use a language pack, make sure to update it to the latest version! We do have automatic updates enabled for language packs but please double-check that the version matches. If you are using an older language pack with this version of the browser, some dialog boxes may come up blank.
This is a major update - too much has changed for this little blurb to do it justice so please see below for the most important changes/fixes in this release:
Fixes/changes:
Updated SQLite from 3.7.17 to v3.8.8.3, improving history/bookmark/etc. performance by up to 50% depending on operation
Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading at all by default).
Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as executable
Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds before plugins are unloaded
Fixed version strings for e.g. flash on Linux being displayed with commas instead of periods - this should also fix the incorrect "your plugin is vulnerable" message while being on the latest version
Windows: Set the double-click/Ctrl arrow word selection to not eat the space (only select the actual word)
Android: DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for certain VPN providers on mobile
Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions
Android: updated the random number generator handling on later versions of Android
Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!)
Optimized the NSS callback for secure connections
Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of addons.palemoon.org
Added personas support to titlebar text (adopt the lightweight theme's coloring/shading) in custom titlebar mode (Pale Moon appmenu/button)
Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if manually enabled, see previous version notes) as weak.
Dev: Added availability of the full ciphersuite string for use in extensions to the nsISSLStatus interface (nsISSLStatus.cipherSuite)
Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android
Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall application size significantly and avoiding a number of quirks of both the build process and the operation of the browser
Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
Removed most telemetry code, reducing code complexity and wasted CPU
Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches
Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
Dev: Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on Linux, so please use GCC for that operating system.
Linux: removed GnomeVFS that's no longer in use
Fixed the "double padlock while loading a secure site" niggle in the UI
Dev: added allowance of using -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom styling of the control)
Added some more ES6 math/number functions:
Implemented Math.fround(x)
Implemented Number.isSafeInteger(x)
Implemented Math.clz32(x)
v25.2 [Jan 15, 2015]
Pale Moon: Release notes
25.2.0 (2015-01-15)
This is an important update after rapid development on the back-end to extend browser capabilities and implement some ES6 draft functions for web programmers, as well as provide some important crashfixes, bugfixes and security updates.
Fixes/changes:
ES6: Added the following functions:
Array.prototype.find and Array.prototype.findIndex
IsConstructor(arg)
Array.of(items...)
Number.parseInt and Number.parseFloat
Advanced math functions: hyperbolic sin/cos/tan/asin/acos/atan, hypotenuse, cube root, expm1, log1p, log10, log2, sign and trunc
Map.prototype.forEach and Set.prototype.forEach
ES6: Added the following number constants: EPSILON, MIN_SAFE_INTEGER and MAX_SAFE_INTEGER
ES6: Added the use of binary and octal numeric literals (&b... and &o...)
ES6: Updated behavior of accessing indexed values in accordance with the spec.
CSS: Added overflow-clip-box:content-box|padding-box
DOM: Added table.createTBody() function
Added a clearer alltabs button for dark personas.
Added a development tools toggle hotkey (F12)
Added a preference prompts.tab_modal.focusSwitch to enable or disable tab switching when a modal dialog (e.g. javascript confirmation) is presented in a page.
IonMonkey on Android: fixed the implementation of AbsI.
IonMonkey: fixed a bug where actively used objects were discarded.
Fixed register initialization to prevent incorrect detection of SIMD instructions on some CPUs.
Optimized some loops in the spell checker to increase performance.
Simplified cache handling, updated cache parameters to better reflect current web use, and enabled automatic cache sizing by default.
Adjusted memory cache sizing to better reflect capacities of current hardware.
Updated UserAgent override workarounds for Netflix and FaceBook to fix some site issues.
Aligned programmatic access to geolocation with the spec.
Fixed a crash when being fed a data file (XML) with too deeply nested tags.
Fixed a crash in HTML5/WebAudio that affected some games.
Fixed a crash when programmatically collapsing elements.
Fixed a few non-breaking bugs related to e10s code.
Fixed text input/padding issues.
Updated surround downmixing code for Vorbis.
Improved tolerance in WebAudio for loading multichannel audio files.
Android: Fixed an issue with Flash, it should now run on more devices.
Updated the DDG search plugin to make the actual query be the last parameter in the address bar for easy editing after a search has been performed.
Removed some unused update channel code.
Updated branding to more clearly indicate Pale Moon's trademark.
Updated some licensing texts in-browser to properly reflect used code and rights.
v24.7 [Jul 29, 2014]
24.7.1 (2014-08-06)
This is a bugfix release for some outstanding issues in 24.7.0.
Fixes/changes:
- Fixed a text rendering issue with the new back-end on overdraw layers when hardware acceleration is in use on Windows. This may also solve some additional small issues in the user interface that weren't present before 24.7.0.
- Fixed the use of Google Maps.
If you previously used the workaround in 24.7, then please remove the user-set preference (right-click -> reset).
v24.5 [Apr 25, 2014]
24.5.0 (2014-04-25)
This is a security and bugfix release, to address outstanding known issues and streamline browser identity.
Fixes/changes:
Fix plugin doorhanger code for removed-node confusion.
Remove Mozilla Corp specific details from search plugins, to clearly indicate the client is Pale Moon and to make sure searches are never counted towards other browser's searches by mistake by search providers.
Make sure to set both "warnOnClose" and "warnOnCloseOther" prefs to false when users choose to disable this check in the popup prompt.
Update branding: Remove nightly branding altogether - only have unofficial official, and fix the broken About dialog branding.
Bugfix: Clamp level of WebGL TexImage operations to 32-bits to avoid issues on x64 architectures.
Update Linux theme: feed icon
Bugfix: Add Firefox Compatibility flag to unofficial branding.
Workaround for several prominent websites complaining about an "outdated browser".
Security fixes:
bug #987003 - Be more careful sandboxing javascript: URLs.
bug #952022 - Add missing detachAsmJSModule.
bug #986843 - Replace AutoHoldZone with AutoCompartmentRooter.
bug #989183 - Check for nsXBLJSClass.
bug #980537 - Only store FakeBackstagePass instances in mThisObjects.
bug #986678 - Fix type check in TryAddTypeBarrierForWrite.
bug #966006 - Fix security issue in DNS resolver.
bug #944353 - Avoid spurious decoding of corrupt images.
bug #969226 - Avoid buffer overflow in corrupt ICC profiles.
bug #991471 - Fix offset when setting host on URL.
bug #993546 - Don't try to malloc-free 0-size memory chunks.
bug #992968 - Avoid OOM problems with JIT code caching
v20.3 [Jul 27, 2013]
Changes:
- A change to how tab histories are cached to improve the overall memory footprint and make browsing smoother, especially when using a large number of tabs with extensive active use.
- A change to the networking pipelining back-end to use a more aggressive fallback if there are issues with pipelining requests, to minimize delays when loading pages and prevent time-outs.
- Update of the compiler to Visual Studio 2012 Update 3, to fix a few compiler issues.
- Removed the double entry for smooth scrolling selection in preferences (leaving just the one in the scrolling tab)
Fixes:
- ASAN heap-use-after-free in nsINode::GetParentNode
- Non-null crash at nsCString::CharAt
- Code injection through internal updater
- InstallTrigger can use the wrong principal when validating URI loads
- Cross Domain Policy override using webworkers
- Fix for Updater crash
- Fix for XSS vulnerability/URI spoofing
- Fix for newly allocated WebGL array buffers (prevent the use of uninitialized memory)
- Several fixes for the SSL crypto library (CVE-2013-1705 and others)
- Fix for do_QueryFrame support
- x64: Fix for Yarr error
- Update to the installer's 7zsfx module to prevent dll hijacking
v20.2 [Jul 1, 2013]
- Changes:
- Implementation of some conservative additional multi-core support (mainly in graphics/media) using OpenMP. I'm taking baby steps here and will remain conservative in the use of multiple cores so stability of the browser isn't needlessly endangered.
- Update of the navigation button icons (again). Users have clearly indicated that the inverted color icons on glass and dark themes were less desirable. I've listened, and changed the icons for glass back to the pre-20 style but with added contrast, and made a distinction for dark personas (themes) where the icons are now simply inverted white (like in Firefox).
- Change for the color management system (CMS) so that Pale Moon now supports more types of embedded ICC profiles (including the already decade-old version 4 spec) and in the process fixing potential color issues on screens with images that embed such profiles.
- Update of the browser padlock code. You can now choose both a "modern" look (as introduced in version 19) and a "classic" look (as introduced in version 15, when this padlock feature was first added). It also removes some phantom spacing in locations where the padlock isn't used.
- Fixes:
- (CVE-2013-1692) Fix for the inclusion of body data in an XMLHttpRequest HEAD request, making cross-site request forgery (CSRF) attacks via a crafted web site more difficult.
- (CVE-2013-1697) Fix to restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges.
- (CVE-2013-1694) Fix to properly handle the lack of a wrapper, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.
- Fix to prevent arbitrary code execution from the profiler developer tool.
- Fix for a crash when rapidly reloading pages.
- Fix for cross-document selections.
- Fixes for several crashes in JavaScript.
- Fixes for several memory safety hazards and uncommon memory leaks.
v20.1 [May 23, 2013]
- Update of the libpixman graphics library to improve performance for SSE2 CPUs.
- Change to the "Clear download history" setting for use with the panel-based download manager (classic UI unaffected).
- Fix for UAF with video and onresize event (crash fix).
- Fix for parameters being used uninitialized.
- Fix for out-of-bounds read in SelectionIterator::GetNextSegment.
- Fix for heap use-after-free in mozilla::plugins::child::_geturlnotify.
- Fix for heap-use-after-free in nsFrameList::FirstChild (crash fix).
- Fix for heap-use-after-free in nsContentUtils::RemoveScriptBlocker (crash fix).
- Fix for out-of-bounds read crash in PropertyProvider::GetSpacingInternal (crash fix).
- Fix for out-of-bounds read in gfxSkipCharsIterator::SetOffsets.
- Fix for assertion failure in nsUnicharStreamLoader::WriteSegmentFun with ISO-2022-JP.
- Fix for crash with inline script in an XML doc (crash fix).
- Fix for "ASSERTION: Out of flow frame doesn't have the expected parent" and crash (crash fix).
- Fix for nsScriptSecurityManager::CheckLoadURIWithPrincipal being broken.
- Fix for a problem where the IPC Channel could overwrite the stack.
- Fix for Crash in MediaDecoder::UpdatePlaybackOffset (crash fix).
- Fix for Crash [@ nsTextFrame::HasTerminalNewline()] with splitText (crash fix).
- Fix for FTP use-after-free crash.
v19.0 [Feb 22, 2013]
Fix for bookmarks giving an "XML parsing error" when set to "load in the sidebar"
Fix for a double padlock display if a secure site would not supply a favicon
Redone the mixed content https padlock image in 32bpp to prevent potential UI rendering issues
Fixed a setting so no unnecessary code walking is done for the otherwise disabled accessibility features
Fix (inherent) for add-ons and themes being marked as incompatible in Pale Moon x64 when they have a minimum version of 19.0
Fixes a critical security vulnerability in the browser (MFSA 2013-29)
Slightly improves HTTP pipelining
Update to the integrated status bar feature (German localization updated)
v15.4 [Jan 16, 2013]
Deal with bogus Turktrust certs MFSA 2013-20
Several memory security hazards fixed MFSA 2013-01
Updated OTS library to r95 to fix potential font-related exploits
Security fix for libpixman stack buffer overflow
Fix for certain types of input lag on Twitter/Facebook & other sites with unnecessary DOM invalidations
Fix for HTTP pipelining re-use (improve pipelining logic)
Performance&stability updates to cairo and direct2d back-end
Improved performance for repeat gradients
v15.2 [Oct 8, 2012]
Pale Moon 15.2 is an update to address a number of security issues, addresses current performance, and redesigns the way secure sites are displayed, among other things.
Changes in this version:
The identity panel has been redesigned, both for potential abuse of the new logic implemented in version 15.1 and because people clearly indicated that they would want to see the padlock permanently present on secure sites, while still seeing the favicon.
The padlock has been made a separate indicator now, and will be shown on SSL (HTTPS) sites, to the right of the domain name (domain verified) or company name (extended verification) information in the identity panel, by default. A few options have been implemented for style, including "old school" display of the padlock in the status bar of the browser. For more information about how to change the location of the padlock, see the Pale Moon Tweak Guide (PMTG)
The padlock will indicate whether a site is secure (gold padlock), has extended verification (green padlock) or if there is a problem with security (low-grade encryption or mixed content). A click on the padlock will open a details window with security information.
The address bar now has either a blue or green slight shading (border) for SSL sites, further clarifying that you are on a secure site. This can be disabled if desired via about:config. See the Pale Moon Tweak Guide (PMTG) for instructions.
Address bar auto-completion is now on by default.
After re-evaluating the auto-fill algorithm, autocompletion of domains on the address bar has now been enabled by default. This may interfere with searching from the address bar for some people, but:
- You have a search box on the right, you can use that, which has the intended functionality
- You can press space or another key to remove the auto-filled portion before pressing enter
- You can disable autocompletion from the Pale Moon status bar options:
Status -> tab Address Bar -> Firefox compatibility
Partial Japanese implementation for status bar options (preferences only)
Important performance regression fix.
Both JavaScript and the layout engine should now have the speed and stability that is to be expected from an optimized browser. In previous, recent versions, some concessions had to be made in terms of performance to provide proper stability for Pale Moon. Working around bugs in the Microsoft compiler is tricky, but with some fine-tuning, Pale Moon now gets the benefits of maximum performance again like in the past.
Fix for the "tabs on top" menu entry not showing when tabs are already set on top, making it very difficult to switch them back to bottom.
Firefox 15 removed the context menu entry for "tabs on top" when tabs were set on top, making it impossible without going into about:config to set them to being on the bottom once you had changed it. This is considered a serious UI bug for Pale Moon, because it destroys intuitiveness for this option (you cannot use the same method you used to set them on top (context menu in the UI), to switch them back to being on bottom (having to manually change a parameter in about:config)). To make matters worse, this problem would only occur after a browser restart, meaning the UI would change simply because you closed and restarted the browser, removing this menu option.
Crash fix: Fix for a browser crash with certain types of invalid gradients. (bug #792903)
Security fix: Prevent private browsing data leakage through popup windows (bug #795015)
Security fix: Detect IC purging (bug #794025)
Security fix: Prevent mRules from dying in DoInsertHTMLWithContext (bug #788950)
Security fix: Drain the parent frame's overflow list before insert/append (bug #765621)
v9.0 [Jan 9, 2012]
- Under the hood changes and improvements to the way memory is handled by the Javascript engine.
- WebGL has been changed to use ANGLE by default instead of using native OpenGL to give better performance on a number of systems that would otherwise suffer from high CPU usage and lower frame rates.
- Change in compiler: from this point on, Visual Studio 2010 will be used for all "next gen" builds.
- Build environment changed to cater to the ever-growing XUL dll size without having to compromize on what modules to optimize. (Prevent running into the 3GB address space limit)
- DNS prefetching disabled by default to prevent router hangups
- Changes to timings for UI script execution and content script execution to prevent unnecessary dialog popups about unresponsive scripts.
- Some image decoding tweaks.
- Eye candy: animated preferences dialog (resize when switching category).
v8.0 [Nov 14, 2011]
A major update building on the Firefox 8.0 code base, with improvements that were planned for the (unreleased) version 7.0.2.
This version sees the following improvements in addition to those inherent to Firefox 8:
- Improved cache handling: this will make the browser handle system resources more efficiently on most systems.
- Improved networking: communication with web servers should be noticeably faster and smoother
- Fix for a rare image decoding bug (garbage, possible crashes)
It should be noted that the shift in focus of development has been towards the back-end of the browser (background resource handling and background networking), considering the rendering and scripting speed is not the bottleneck for current versions of the browser. Inherently, this may result in less of a clear difference in benchmark scores when comparing to its vulpine sibling or previous versions of Pale Moon because of rebalancing of code priority when building. Maximum benchmark scores are nice, of course, but the main goal of Pale Moon remains to be as efficient as possible when taken as a whole, including those parts that aren't measured in limited benchmark tests
v6.0 [Aug 23, 2011]
The new version of Pale Moon is based on based on Firefox 6.0 and has added ak, ast, br, bs, en-ZA, gd, lg, mai, nso, and son language packs, Add-ons will no longer automatically update by default the moment they are checked and found to have a newer release, giving the user the choice to accept or reject the update, read release notes,update of the status bar add-on to v2.2, fixing compatibility issues and extending some configurability, Link right-click menu has "Open in new tab" on top now,performance issues fixed on some systems, instability problems fixed on some systems,updated artwork for the new about box, cosmetic changes and Zulu language added for the language packs
v4.0 [Apr 21, 2011]
A number of fixes and a cosmetic update:
Performance fix: Javascript performance improved.
Crash fix: Prevent crashes in optimized builds of JS due to 20110410-CCBug.
Updater fix: Internal updater should function again from this version onward.
Add-ons window shows the proper add-ons page when loading it.
Shell integration fixed for Vista and 7: The browser should no longer complain that it's not the default program when it, in fact, is. See bug 20110408-SHBug.
Main Pale Moon program icon updated with a higher-res version of the logo image.
