Pale Moon (32-bit) 歷史版本列表 Page7

更新時間：2016-06-21
更新細節：

What's new in this version:

- Added detection for dark system themes on Windows 10 and re-worked Windows 10 specific theming to better integrate into the OS and provide more clarity.
- HTML5 media controls have been reworked to a horizontal volume control on all media, including HTML5 audio that was previously without an element-control for volume.
- Default HTML5 media volume preference added as media.default_volume --fractional, default 1.0 (=100%).
- String.prototype.match() and .replace() are now fully spec compliant.
- NSPR and NSS now correctly no longer enforce IA32 architecture compatibility, getting the advantage of SSE2 like the rest of the code.
- Worked around crashes in the XSS filter when navigating back in history due to document fragments.
- Instated a hard minimum of 10,000 places entries regardless of free disk space and total memory to prevent undesired expiration of history. That is around 16MB for an average entry size, which should be sane enough even on low-memory machines.
- Fixed a typo in networking code introduced in 26.2.2 that would cause issues on some sites due to adding extra forward slashes to the URL.

Security fixes:
- Fixed a number of memory safety hazards and potentially exploitable crashes.
- Fixed CVE-2016-2821 Use-after-free in the mozilla::dom::Element class
- Fixed netaddr deserialization for AF_UNSPEC and AF_LOCAL.
- Fixed a memory overrun error in the VP8 encoder. DiD
- Fixed non-threadsafe re-use of pixman images to prevent potential race conditions. DiD
- Fixed CVE-2016-2825 Partial Same Origin Policy violation

更新時間：2016-05-10
更新細節：

What's new in this version:

Changes/fixes:
- Added a detection routine for dark window colors on Windows 8 and later (system themes using dark window frames) to better adapt to dark system colors. Theme developers can take advantage of this by checking for darkwindowframe="true" on #main-window in CSS selectors.
- CSS classes prefixed with "--" no longer stop parsing of the selectors.
- Several crash fixes.

Security fixes:
- Made GC suppression more aggressive to prevent issues when actually out of memory.
- Fixed a memory safety hazard in jpeg decoding.
- Fixed a potentially exploitable crash when using bi-directional text.
- Updated NSS to 3.19.4.2-PM, fixing CVE-2016-1938 among other things.

更新時間：2016-04-08
更新細節：

What's new in this version:

- This is a small update to fix a problem with keyboard navigation of the user interface.

更新時間：2016-04-06
更新細節：

What's new in this version:

Changes:
- Implemented the URL API that's needed for a number of websites
- Changed internal keystroke handling within the spec to better align with generally expected behavior
- This should fix the infamous "backspace" issue on Facebook
- Web developers please note: calling preventDefault() in a "keydown" event handler will now prevent most keypress events from firing
- Linux: gstreamer 1.0 support has been implemented and enabled by default (hats off to Travis!)
- From this version forward you will need to have gstreamer 1.0 libraries for video playback (0.10 is no longer supported)
- Re-styled about:sessionrestore to use more available screen real estate for tab info
- Added an option to use the mousewheel for horizontal scrolling (mouse action value 4)
- (e.g. setting mousewheel.with_shift.action to 4 makes Shift+wheel scroll horizontally)
- Bumped max icon size for search engine icons to 32 KB to cater to more common use of HiDPI icons
- Fixed some hard-coded branding strings in Sync still reading "Firefox", and similarly changed sync information URLs to point to our relevant pages
- Removed default profile bookmarks pointing to Firefox/Mozilla since the information there no longer applies to us
- Updated UA overrides and XSS configuration to deal with some problematic sites (e.g.: Google, Embedly)
- Fixed several issues with the default theme causing problems with behavior due to styling (thanks, Antonius32) (Issue #384 and friends)
- Fixed some miscellaneous issues in the internal jemalloc implementation
- Added a configure option to use the full jemalloc lib (jemalloc v3) if the builder so wishes (used for Linux, sys mallocs are not happy there either, so for our generic binaries we switched to this lib now)
- Worked around a crash caused by the XSS filter on some fora by bailing on too short and empty strings
- Fixed layout of reflowed comboboxes without enough space
- Fixed a crash related to flexboxes overflowing themselves. (Issue #396)
- Added a simple implementation for Weak Messagelisteners. (Issue #399)
- Fixed a crash for losing our cache entry while finishing up compression
- (re-apply after unintentional back-out switching to Goanna)
- Linux: Worked around driver bugs with Intel drivers that falsely report what they can support in max texture size
- Portable only: Removed compression of the browser components library after some reports that in certain configurations and environments it was causing issues with the browser

Security fixes:
- Updated the graphite font library to 1.3.7+ to solve CVE-2016-2796 and no less than 14 of its friends
- Updated NSS to 3.19.4.2-PM to address several vulnerabilities (UAF, heap overflow)
- Updated libvorbis to a much more recent version to fix multiple issues
- Crash fix and DiD fixes by holding strong references to objects in suspect places in the HTML parser. (CVE-2016-1961) (ZDI-CAN-3574)
- Fixed several out-of-bounds issues in the VP8 decoder
- Fixed a potentially exploitable crash in XML/XSLT handling
- Applied some Kung Fu to HTML animations and transitions to prevent memory hazards
- Fixed applicable Mozilla code vulnerabilities CVE-2016-1965, CVE-2016-1960 (ZDI-CAN-3545), CVE-2016-1966, and CVE-2016-1963

更新時間：2016-02-26
更新細節：

What's new in this version:

- This is a bugfix release to improve stability and extension compatibility

Changes/fixes:
- Fixed a few oversights in the Firefox extension compatibility changes in 26.1.0 that should improve compatibility with a number of Firefox extensions
- Changed memory handling to (hopefully) address the memory inflation issues some people have experienced with 26.1.0
- Updated YouTube compatibility, which should once again allow users to choose between Flash and HTML5 players on YouTube

更新時間：2016-02-16
更新細節：

What's new in this version:

Changes/fixes:
- Disabled our ES6 Promise implementation introduced in 26.0 since there were some severe issues with its implementation that caused a lot of inexplicable failures on websites. This means that some sites that insist on using Promises without checking availability and that do not provide sufficient web client compatibility by way of server-side libraries or polyfills will currently not work as-intended. Apologies for any inconvenience this may cause; providing a perfectly-working implementation will be our top priority going forward
- Improved website compatibility with many sites and web applications by making our cookie gate less strict
- Fixed web compatibility with Google Hangouts and Yahoo Calendar
- Changed the memory allocator on Windows platforms to a much more modern full-library implementation of jemalloc, with miscellaneous additional fixes. This should give comparable speed to the system one and will allocate free memory more dynamically. This should fix issues like "huge animated gif choking" and inexplicable pauses when using many tabs, scrolling (extremely) long pages, or viewing media
- Fixed a few rare crashing issues on Windows due to the build process
- Reduced so-called "jank" on inner frame scrolling reflows
- Extension compatibility: partial implementation of Firefox 26 download js modules as shims; this should make more Firefox extensions compatible with us out-of-the-box.
- Added a "superstop" key combination (Shift+Esc) that will stop all (foreground and background) network activity, stop animated gifs, etc. even after the page itself has fully loaded (and the stop button not being available) - some web applications may not like this if you use it since it will also cancel XHR requests, etc.
- Updated NTLM authentication, deprecating v1 and adding a proper v2 implementation
- Updated the default theme to tweak/improve it some more

Security fixes:
- Updated the Graphite2 font library to 1.3.5+ to fix a number of vulnerabilities (and some font bugs

更新時間：2016-02-07
更新細節：

What's new in this version:

- Changed our cookie gate to allow cookie names with spaces in them, to improve web compatibility
- Critical note: if your site uses cookie names with spaces in them, please consider moving away from doing that so you are no longer in the "grey" area of cookie behavior
- Changed the configuration of our XSS filter to address some known, harmless filter hits that have been reported

更新時間：2016-02-03
更新細節：

What's new in this version:

Changes/fixes:
- Removed the sanity check for unsupported point-of-sale XP-based operating systems by user request.
- Please see the forum for information on which operating systems we can reasonably support.
- Changed the way "transparent" is handled in Goanna to improve transparent gradients using this keyword.
- Made sure that dom.disable_beforeunload is predefined in about:config.
- Fixed web compatibility issues with Youtube, Youtube Gaming, Yuku fora and Netflix.
- Fixed web compatibility with Comcast/XFinity webmail and other sites or web applications that expect older JavaScript versions as default.
- Reinstated the about:config warning by default.
- Fixed 2 potential browser crashes.

Security fixes:
- Updated NSS to 3.19.4.1-PM to fix a potential UAF and CVE-2015-7575.
- Crash fix: Prevented queueing multiple media sources that could lead to unsafe memory access.
- Prevented unsafe memory manipulations in zip archives. (CVE-2016-1945) DiD
- Prevented a potential buffer overflow in WebGL. (x64 only) (CVE-2016-1935) DiD
- Updated the way binaries are code-signed. Not only does v26.0 use a new SHA256-signed digital certificate, but starting this version will also be signed with both SHA1 and SHA256 digest algorithms to satisfy later Windows' code-signing requirements.

更新時間：2016-01-27
更新細節：

What's new in this version:

- This is a new milestone release! It's been in the works for a good number of months, and has many hundreds of notable changes, fixes, and improvements that can't possibly all be listed here.
- These release notes for this version are a concise summary, lifting out the most prominent and important changes. You may find slightly more detailed release notes on the forum.

General:
- Goanna logoPale Moon is now building on the new Goanna engine instead of Gecko. Although close relatives in terms of web technology, they are not the same under the hood and any reports of bugs with the layout/rendering engine should be as detailed as possible to allow us to pinpoint the cause of the bugs and fix them (just stating "it works in Firefox" really doesn't help us!). If you wish to report issues, please either use the issue tracker on GitHub or report a detailed description and steps to reproduce on the forum
- We've had to reduce the number of supported languages for our language packs. With the need to move to our own full localization and lacking translators to support and maintain less common languages in use around the world, we've reduced our number of offered languages to a little over 30. The languages still supported should royally cover all commonly-spoken languages around the globe. You will need to update your language packs!
- Although we've given this release extensive testing, it is still possible you run into some website compatibility issues (usually because of websites doing useragent sniffing) and e.g. some sites displaying a mobile version if they do not recognize or incorrectly recognize the new browser engine. Please always try contacting the webmasters first before posting support requests at our address, since this is usually not something we can provide solutions for, ourselves, and we end up having to redirect you anyway

Fixes / Changes:
- The layout parser/renderer has received many updates with this change over to Goanna, improving web compatibility and standards compliance in many areas
- The browser user interface has received updates, making it more compatible with Windows 10 in many respects and more in line with the general styles of the operating system version it is run on in terms of the shapes of controls and color setting
- Updated graphics/media support: Pale Moon now supports the WebP image format, properly scales EXIF rotated JPEGs, has updated support for different WebGL texture formats, improved scaling of vector images, updated libpng, libjpeg-turbo, libvpx, and misc other upstream libraries/modules, and more!

Library changes:
- The library now has a scope bar (pops up when searching) with the option to select what you want to search in (either bookmarks or history) and the option to save your searches
- By default, there will be a history menu drop-down in the browser's user interface next to the bookmarks one
- Added "Containing folder" and "Containing folder path" columns so you can see exactly where a bookmark is located at a glance when searching (after enabling the columns)
- Added support for Ruby annotations. If you need this functionality, set the about:config preference browser.ruby.enabled to true, and restart the browser
- Added conservative image decoding: it will now only decode images that are (almost) in view, greatly improving overall memory use and initial loading of graphics-heavy pages
- Aligned 3D CSS transforms and perspective with the spec
- JavaScript improvements: added basic support for ES6 Promises, added lement.matches(), updated property assignments, added Bin/Oct literals in Number(), improved performance of TypeOf calls, improved GC memory shrinking, improved memory allocations, improved RegEx performance and compatibility, and more!
- Added CSS media queries to determine the OS the browser is running on, allowing theme designers to make specific changes based on OS at run-time
- Added a control preference for onunload= events as dom.disable_beforeunload. This allows you to completely disable events fired when leaving a page
- Changed the memory allocator to the (faster) system allocator on modern operating systems
- Improved the handling of very large numbers of tabs
- Added Ecosia as a "green" search engine alternative for the environmentally aware surfer
- Autoplay of media now has a separate control preference for scripted content as media.autoplay.allowscripted, to block script-initiated autoplay of media

Security updates:
- Added support for 128-bit Camellia-GCM ciphers in addition to the existing CBC ciphers to offer a more internationally diverse choice of secure encryption ciphers than just AES
- Added an advanced, active XSS (cross-site scripting) filter. Pale Moon will now check for XSS attacks and block XSS content in the resulting pages. This is brand-new technology and feedback on this filter specifically (e.g. bugs, false positives, etc.) should be posted in the dedicated thread on the forum for this feature. Please also see that thread for details on how to use and control this filter
- Distrusted several root certificates in accordance with security best practice
- Aligned cookie acceptance with RFC 6265 §4.1.1. We still make an exception for allowing spaces and double quotes in cookie values, but this will be made more strict in the future for full spec compliance. If you are a web designer and use cookies, please verify that you are RFC compliant in terms of both cookie names and cookie values, or the browser may reject them
- Removed several hazardous modules like the maintenance service and the identity module
- Ported all security updates from Mozilla that are applicable/relevant to our code base (up to and including all security issues made known to us until now). Considering v26 has been kept updated over its long development until release, the list of fixes/CVEs would be too exhaustive to list in these release notes individually

更新時間：2015-11-29
更新細節：

What's new in this version:

- Fix for a crash that could occur at random since the update to 25.8.0.
- Fix for CSP (Content Security Policy) to be more lenient towards the incorrect passing of full URLs with all sorts of parameters in the CSP header, leading to misinterpretation of the header and incorrectly blocking the loading of content.