Pale Moon (64-bit) 歷史版本列表
更新時間:2018-02-02
更新細節:
What's new in this version:
Changes/fixes:
- Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons
- Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre
- This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context
- Improved the debug-only startup cache wrapper to prevent a rare crash
- Fixed a crash in the XML parser
- Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
- Fixed a potential race condition in the browser cache
- Fixed a crash in HTML media elements (CVE-2018-5102)
- Fixed a crash in XHR using workers
- Fixed a crash with some uncommon FTP operations
- Fixed a potential race condition in the JAR library
更新時間:2018-01-18
更新細節:
What's new in this version:
Changes/fixes:
- Added support for Array.prototype[@@unscopables]
- Unfortunately, the addition of Javascript's ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature
- Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows
更新時間:2018-01-15
更新細節:
What's new in this version:
Changes/fixes:
- Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from "Options" to "Preferences" on Windows)
- Renamed "Restart with add-ons disabled" to "Restart in Safe Mode" to better reflect what it does
- Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update
- Fixed an issue on Mac builds not properly populating the application menu
- Added "My home page" as an option for new tabs
- Added an option to disable the 4th and 5th mouse buttons (Windows)
- (mouse.button4.enabled and mouse.button5.enabled, respectively)
- Improved the resetting of non-default profiles
- Fixed an issue with details/summary having the incorrect height if floated, breaking layouts
- Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs
- Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers
- (this should fix layout issues with Twitch's new web interface)
- Fixed an issue where CSS clone operations would draw a border
- Changed the way fractional border widths are rounded to provide more natural behavior
- Fixed an issue where number inputs would incorrectly be flagged as read-only
- Added assets for tile display in the Windows start panel
- Finished sync infra swapover by adding a one-time pref migration for server used
- Improved WebAudio API: Return the connected audio node from AudioNode.connect()
- Added support for a default playback start position in media elements
- Fixed an assert in cubeb-alsa code (Linux).
- Added support for media cue-change events (e.g. subtitles)
- Updated SQLite to 3.21.0
- Fixed a crash when trying to use the platform embedded
- Fixed devtools (gcli) screenshots on vertical-text pages
- Fixed devtools copy as cURL for POST requests
- Improved the HTML editor component (several bugfixes)
- Added support for ES7's exponentiation a ** b operator
- Fixed an issue with arrow functions incorrectly creating an 'arguments' binding
- Added Javascript's ES6 "unscopables"
Security/privacy fixes:
- Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen
- Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data
- Removed the sending of referrers when opening a link in a new private window
- Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not
- Removed the "ask every time" policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis
- Added support for X-Content-Type-Options: nosniff (for scripts)
- Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD (DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered)
更新時間:2017-12-15
更新細節:
What's new in this version:
Hotfix (v272+):
- Fixed instance variables which override defaults not overriding if you also have instance creation code
- Fixed editing the variable list for an object at the same time as editing variables for an instance of that object caused the instance's variables to override incorrectly
- Fixed the object window to allow using macros and enums without this resulting in a compiler error
- Fixed the manual saying that variables added via the new object variables system used 32bit doubles instead of the normal 64bit
- Fixed base64_decode() affecting chr() and causing HTML5 games to fail to load if you used this function
Object Variables:
- The object editor now has a new 'Variables' section
- This editor allows you to define variables and their default values, and these will be automatically set upon creation
- These default values can then be overridden for specific instances by opening the same variables window when in the room editor
Inherited Parent Events:
- The object editor's Events list now shows "ghosted" events inherited from a parent object
- This makes it easy to view all events available to an object in one place
- You can quickly open, inherit or override a parent event via its right-click context menu
Amazon Fire:
- Fixed an issue where some users got "Unable to obtain permission to execute" when running projects
- Fixed Device Manager's Test Connection button appeared to do nothing if you had the above issue
iOS:
- Added support for required new iOS icons, fixes game submission fails
- NOTE: You will be prompted (once) on opening an out-of-date project to update its iOS images
- Fixed an issue which meant Push Notification support was always being included in builds
Ubuntu and Mac 64bit games:
- Ubuntu support has now shifted to 64bit, rather than 32bit
- NOTE: You need to clean your project cache for Ubuntu if you get an error about already being connected when trying to build
- Mac now includes 64bit and 32bit binaries in its packages in order to comply with submission requirements, so builds will take a little longer now
Misc IDE Changes:
- Code Editor: Now uses "standard" text editor behaviour for home/end keys
- Debugger: Graph now shows more accurate fps_real values rather than a mean of a few frames
- Preferences: Android/Amazon keystore Import, Generate, and Show Hash buttons will show the output Window so you can see messages
- Resource Tree: Optimisations to speed up the IDE when large projects are open
- Target Manager: Currently-selected target is saved per-project when you close your projects
Fixed Bugs:
- Extension Editor: Removing proxy files with matching name can cause extension files to be deleted
- Code Editor: Multi select gets removed if you backspace more than once
- Code Editor: display_set_gui_maximise() should allow support for the US equivalent display_set_gui_maximize()
- Code Editor: Reopening projects with open code editors, not all of the code is coloured correctly until editor is focused
- Code Editor: Autocomplete suggests previously used incomplete variable
- Code Editor: Unstable error if you do a replace whilst selection only is enabled, delete some text then type in the search field
- Sound Editor: Short sounds are not played completely in preview
- DnD Editor: Missing a context menu entry for Expand All
- DnD Editor: Live Preview doesn't get focused if already open and contents have changed
- DnD Editor: Context menu is missing the entries for Go To Object and Add/Open Event
- DnD Editor: Context menu is missing keyboard shortcuts
- DnD Editor: Can't Cut/Copy/Paste using keyboard shortcuts using macOS IDE
- Image Editor: Shift selecting frames can cause Shift key to become locked
- Image Editor: Blend Mode 'Multiply' will not use destination alpha
- Image Editor: Dropping any non-image file on top of an open Image Editor gives incorrect prompt
- Tile Set Editor: Changing 'Auto tile background colour' appears to change nothing
- Sprite Editor: Texture Settings -> Edge Filtering will cause GameMaker Studio 2 to close when using a 4K sprite size (3840x2160)
- Physics shape fixture not generated unless Modify Collision Shape has been opened
- Importing Projects: Dragging gmez onto start page occasionally orders rooms incorrectly
- General: "GMS2 has become unstable" when dismissing Ctrl+T via spamming Escape
- Source Control: 'Import Project to Repo' creates local repo if the import fails, preventing further imports
- Preferences: Android keystore import / generate / show hash buttons should force showing their output
- Preferences: Android keystore alias should check for spaces and block with a description of how to fix
- Debugger: DS_Map key output in instances tab does not show bitshifted integers
- Debugger: Always uses the IP for the last Mac in device manager, which might not be the targeted Mac
- Debugger: GMS2 Runner.exe creates new inbound rule each time you debug
- Resource Tree: Pressing Enter after searching for a resource does not open the resource
- My Library: DPI scaling removes refresh button and squashes Search
- Search + Replace: Can't resize window
- Game Options: Mac is missing 'Enable Retina' option
- Game Options: UWP Publisher Name is missing from the UWP Game Options
- Tutorials: Crash when clicking 'Get More Tutorials'
- Licensing: Buying GMS2 products will require log out/in to properly update your licence
- Build Android: Cannot build for Android VM if the path to the NDK has not been set
- Build UWP: Certificate install not prompted / isn't performed as part of pfx install, causes builds to fail to install on phone
Known Issues:
- If you have cached Ubuntu build output for projects you will need to clean these to avoid a "already connected" error (just need to do this once)
- Explorer file dialogs can sometimes fail to open. This is a Windows 10 Creators Update issue and has been seen failing in other applications
- Welcome Page is still disabled during start-up - it can still be accessed via the Help menu, so new users can still get to these videos and links
- Runtime download/activation has been seen to crash the IDE occasionally during subsequent startup
- Closing and reopening the Marketplace tab can cause issues downloading some assets thereafter, need to restart GMS2 to fix
- Dead instances of Window's RuntimeBroker application can block attempts to use the manual in the IDE - just get a white page
- UWP requires you to have the older SDK tools installed as well as the current ones, not just the current ones
更新時間:2017-11-29
更新細節:
What's new in this version:
- Implemented the concept of so-called "cookie-averse document objects" which is a security&privacy measure that blocks certain web content from setting cookiesThis mitigates cookie-injection, which might help against "hidden" cookie tracking
- Mitigated some domain name spoofing through IDN by using dotless-i and dotless-j with accents
- Pale Moon will display these kinds of spoofed domains in punycode now in the actual address bar
- Please note that the identity panel will always be able to help you on secure sites when IDNs are in use to notice potential spoofing, as opposed to relying on detection algorithms in the URL itselfAs such
- Fixed an issue with mixed-content blocking
- Added an extra check for the correct signature data type on certificates
- Added missing sanitization in exporting bookmarks to HTML
- Fixed several crashes and memory safety hazards
更新時間:2017-11-15
更新細節:
What's new in this version:
- This is a minor bugfix release to address some pressing issues people have reported
Changes/fixes:
- Fixed a regression with new windows (opening two windows from the command-line or file association, focus issues on new windows, not loading the home page in a new window, etc.)
- Aligned XHR with the currect spec to allow withCredentials
- Fixed an input element focus issue within handlers
- Fixed the processing of all-padding HTTP/2 frames to prevent rare HTTP/2 hangups
- Updated CitiBank override to work around their login issues
- Updated Netflix override to a community-supplied one that seems to satisfy their arbitrary restrictions better
更新時間:2017-11-08
更新細節:
What's new in this version:
Changes/fixes:
- Dropped support for Direct2D 1.0 to avoid font rendering issues. Windows installations not capable of using Direct2D 1.1 will now fall back to software rendering. As a result, fonts may look different from this version onwards if you are on Windows Vista or Windows 7. Users on Windows 7 affected by this should install the Platform Update to re-enable Direct2D
- Updated the Brotli decoder library, and enabled support for Brotli HTTP content-encoding by default
- Added notifications to inform users about WebExtensions not being supported if they try to install them (as opposed to "extension is corrupt")
- Added a number of DOM childNode convenience functions. This should fix some lazy-loading frameworks
- (enjoy your LOLcats again!)
- Changed automatic updates over to the new infrastructure
- Added extra proxy settings in Options, covering DNS lookups through SOCKS v5 and automatic proxy authentication with known credentials
- Added a selectable fallback character encoding of UTF-8 and fallback to UTF-8 as a last effort. (Issue #1423)
- Improved timing of canplay and canplaythrough firing to work around a potential race condition locking up queued video playback
- Improved upmixing of mono sound for multi-channel setups
- Fixed a parallelization issue with the KISS-FFT library causing CPU-deadlocked threads (Issue #1425)
- Fixed "Remove from history" function from the downloads panel
- Forced focus on the address bar in new windows if the content is a blank/empty document
- Fixed the dropmarker in the address bar to allow the suggestions to be closed with a click
- Further cleaned up the status bar code
- Disabled window.showModalDialog; it's been removed from the spec 2 years ago and has potential abuse issues (modal dialogs block the UI)
- Fixed image decoder calls to make sure the image load event doesn't fire prematurely
- Updated LibPNG to 1.6.28, and enabled faster SSE2 decoding
- Updated WOFF2 code from upstream
- Updated the zlib compression library
- Made general improvements to internal code structure and spec adherence
- Fixed an issue with certain command-line parameters being used
- Updated the default theme to improve consistency and contrast of toolbar and download buttons
- Increased the default duration of notification pop-ups and made them configurable
- Improved handling of audio-visual media (ongoing)
- Fixed an issue in CSS where elements would sometimes reflow to the next line even with sufficient visual space
- Aligned the implementation of for(let x=y;;) loops with the final ES6 specification
- Fixed the selection system inside of a nested contenteditable element being broken
- Fixed Windows 10 detection for blocklisting graphics drivers
- Enabled pasting of clipboard data in documents without an editor element to improve web compatibility
- Fixed the uninstallation routine of restartless add-ons
- Fixed the handling of unimplemented functions in the console API
- Updated the Facebook user-agent to enable otherwise vendor-restricted functionality
- Updated the SVG scaling cache limit to be more lenient for larger SVG images at a small performance trade-off, working around some sites' design issues
Security/privacy fixes:
- Added an option to clear Site Connectivity Data (delete history)
- Removed stale entries from the HSTS preload list, and improved generation/processing of it
- Removed undesired certificate issuer organization to common name fallback (if issuer org is empty)
- Added pretty-printing for ECDSA-SHA224, 256, 384 and 512 hashed certificate signatures
- Worked around some more issues with broken Apple fonts
更新時間:2017-10-11
更新細節:
What's new in this version:
Changes/fixes:
- Changed the default Windows 10 styling when no accent color is aplied to black-on-white
- Changed the theme styling on Windows 10 when the system window frame is used (menu bar enabled) to use the window manager background directly, preventing visual lag updating the window color when it changes
- Updated user agent overrides for DropBox, YouTube and Yahoo to work around user agent sniffing issues
- Fixed a crash in the media subsystem
- Fixed a regression where video playback hardware acceleration was disabled incorrectly on some systems
Security fixes:
- Updated libhyphen to the latest upstream code to fix a security issue
- Updated NSPR to 4.16-RTM with a patch to un-bust building on win64
- Updated NSS to 3.32.1-RTM
- Worked around some more issues with Mac fonts (CVE-2017-7825)
- Fixed a potential rooting hazard in NPAPI plugin code. DiD
- Fixed a potential reference issue in JavaScript arrays. DiD
更新時間:2017-09-26
更新細節:
What's new in this version:
Changes/fixes:
User interface:
- Added a menu option to restart the browser
- Added Windows-specific CSS parameters and queries for the use of the system accent color. Added are parameters -moz-win-accentcolor and -moz-win-accentcolortext, and the media query -moz-win-accentcolor-applies to know if Windows is actively using an accent color
- Changed Windows' browser CSS sheet ot use variables instead of hard-coding colors, simplifying its style and making it more flexible. Further cleaned up the Windows 10 specific browser style
- Changed the theme on Windows 10 to use the new accent colors and improve O.S. consistency
- Fixed some general inconsistencies in the Windows theme on all Windows operating systems
- Updated Windows widgets to be able to pick up Windows 10 accent colors dynamically and have the browser 's look and feel respond accordingly, even with automatic color changes based on desktop wallpaper
- Removed the experimental FF4 prerelease status-in-addressbar feature because the already-crowded address bar needs a break. This should solve some extension interop issues, theme issues and domain highlighting issues people have reported
- Cleaned up some dead code for the plugin updater that no longer exists
- Fixed a text direction issue in preferences
- Fixed an issue with disabled context menu entries after using Customize...
- Reorganized and cleaned up the status preferences
Media:
- MSE Media updates (ongoing). We are focusing on improving MP4 handling
- Improved MP3 metadata parsing (e.g. incorrect duration with embedded album cover)
- Fixed a number of searching issues in MP3 files
- Fixed a few crashes
- Fixed an issue with automatically exporting bookmarks to HTML on shutdown
- Fixed a regression re: domains allowed to/blocked from installing add-ons
- Fixed several internal errors thrown in the front-end
- Fixed several minor issues in the devtools
- Fixed a number of minor issues in the devtools
- Added a fix to prevent the home page from being loaded (and subsequently overridden) when restoring a session
- Added an option to control add-on blocklist behavior (Options -> Security)
- Added DOM function isSameNode()
- Added DOM onvisibilitychange event
- Added document.scrollingelement (CSSOM)
- Added a basic implementation of Object.values and Object.entries enumerator functions (ECMA2017 draft)
- Added "Open in new private window" to bookmarks, feeds and history entries
- Added HTTP request method OPTIONS
- Added an option to exit to a no-content page after encountering a network or security error
- This is controlled with the preference browser.escape_to_blank -- when set to true, "Get me out of here" buttons will load a blank page instead of the browser's home page
- Added experimental Brotli accept-encoding (alternative to gzip/deflate compressed http data transfer). Disabled by default for now because it causes issues
- Improved the handling of several CSS selectors
- Changed session storage to remember form data for https sites by default
- Added (yet another) trap prevention method to onbeforeunload events
- Fixed privacy preferences not correctly resetting all options when choosing "Remember History"
- Fixed not being able to deselect loading bookmarks in the sidebar
- Limited the display of user names and hosts in the http auth dialog to sane lengths, preventing over-sizing issues
- Fixed a number of potential crash points
- Improved the security of the Windows dll loader module
- Reinstated "Open all in tabs" option on folders of live bookmarks (feeds)
- Made URL matching more liberal in selected text to make it easier to open stated addresses
- Fixed an issue with Graphite font rendering where automatic font collision fixing didn't always work
- Color Management for images is now disabled by default on Linux, due to many distributions not having a streamlined setup with sane default ICC profiles, which makes images look worse when color management is enabled
- Tightened the update security check to prevent acceptance of update manifests that have been intercepted/replaced through https MitM attacks
- Please be aware that https-filtering antivirus may interfere with future application updates as a result
- Updated the ANGLE library to broaden WebGL support and reduce the potential of crashes (due to junk being sent to the video driver)
- Added content-sniffing for WebP images (working around CloudFront's incorrect content-type headers)
- Fixed a problem with some H.264 media not playing (SPS NAL)
- Improved timer efficiency (switch back to lower precision when high precision is no longer needed, reducing CPU/power consumption)
- Improved context search on selected text/links
- Updated address bar handling with Alt or Shift modifiers, so that "switch to tab" with a modifier can open copies of already-opened sites
- Added a fix on Linux for starting the browser from Enlightenment
- Privacy fix: Pale Moon will now clear QuotaManager storage (asm.js cache/IndexedDB data) as part of clearing Offline Website Data
更新時間:2017-08-22
更新細節:
What's new in this version:
Changes/fixes:
- Fixed a number of crashes
- Enabled the opt-in debugging feature to log SSL keys to a file in all builds
- Added a fix for TLS 1.3 handshakes causing a browser hangup
- Handshakes should be considerably faster now and no longer stall in the wrong circumstances
Security fixes:
- Updated NSPR to 4.15.
- Updated NSS to 3.31.1.
- Fixed a DoS issue using overly long Username in URL scheme (CVE-2017-7783)
- Fixed an issue where (cross domain) iframes could break scope (CVE-2017-7787)
- Fixed an issue in WindowsDllDetourPatcher (CVE-2017-7804)
- Fixed an issue with elliptic curve addition in mixed Jacobian-affine coordinates (CVE-2017-7781)
- Fixed a UAF in nsImageLoadingContent (CVE-2017-7784)
- Fixed a UAF in WebSockets (CVE-2017-7800)
- Fixed a heap-UAF in RelocateARIAOwnedIfNeeded (CVE-2017-7809) DiD (accessibility is disabled)
- DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem