Pale Moon 歷史版本列表
Pale Moon (32-bit)Pale Moon (64-bit)
更新時間:2015-07-27
更新細節:
What's new in this version:
Fixes/changes:
- Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
- Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
- Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
- The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
- Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
- Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
- Added a count for the number of matches in the find bar. it will now list the total number of matches found, and which match is the currently highlighted one.
- Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
- Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
- Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
- Added -moz-os-version selectors for @media CSS queries to simplify theming on different operating systems (esp. Windows).
- Updated and improved several languages for the Status Bar code, and added Slovenian.
- Fixed an issue in the internal updater window not showing proper language strings.
- Fixed an issue where the unexpected use of "backface-visibility" on non-3D transformed elements (like the body) would break positioned elements on web pages.
- Fixed text positioning in the combobox display area when a non-default height is set for the combobox.
- Fixed a crash caused by bad Opus audio encoding in media files.
- Fixed a crash when trying to measure memory in about:memory while playing video.
- Fixed a rare crash in sLayersAccelerationPrefsInitialized
- Fixed miscellaneous other crashes.
- Fixed a DNS prefetching issue for the people using this feature.
- Fixed an issue with single-word searches from the address bar when a proxy is in use.
- Fixed a number of build issues on Linux when using system libs.
- Added support for link-time optimization on newer Linux compilers.
- Removed more telemetry code (ongoing project!).
Security fixes:
- Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
- Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
- Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
- Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
- Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
- Fixed an issue where an IPDL message was sent off the main thread.
- Fixed a potentially exploitable TCPSocket crash due to a race condition.
更新時間:2015-07-27
更新細節:
What's new in this version:
Fixes/changes:
- Canvas anti-fingerprinting option: Pale Moon now includes the option to make canvas fingerprinting much more difficult. By setting the about:config preference canvas.poisondata to true, any data read back from canvas surfaces will be "poisoned" with humanly-imperceptible data changes. By default this is off, because it has a large performance impact on the routines reading this data.
- Added a feature to allow icon fonts to be used even when users disallow the use of document-specified fonts. This should retain full navigation for icon-font heavy websites (no more dreaded "boxes" with hex codes) when custom text fonts are disabled.
- Added a feature to prevent screen savers from kicking in when playing full-screen HTML5 video. This is currently not yet operational on Linux because of stability issues we've run into on that OS, but Windows should properly benefit from this change.
- The "autocomplete=off" parameter for signon forms is now completely ignored by default, to keep the user in control of their browser's behavior and allowing credentials to be saved if wished. If you prefer the previous behavior, allowing a website to determine whether autocomplete should be allowed or not, then change the about:config preference signon.ignoreAutocomplete to false.
- Reinstated the packaging of pre-compiled scripts in the browser. Hopefully this will fix the reports by some users who found that initial start-up after installation/upgrade of the browser was unacceptably slow. Unfortunately this means a slightly larger download/install size as a trade-off.
- Added the option to use Chrome://../skin/ overrides, in effect allowing the use of "Icon themes"; toolbar icon replacements to customize your browser icons without the need for any CSS or full-blown theming.
- Added a count for the number of matches in the find bar. it will now list the total number of matches found, and which match is the currently highlighted one.
- Fixed the issue where highlighted words after finding and highlighting them all in a page would remain highlighted when closing the find bar.
- Added support for CSP 'nonce' keywords (CSP 1.1/2.0). Please note that this is still experimental and may not work 100% as-expected. Please report any bugs you may find.
- Aligned CSP more with the spec in terms of reporting and case-sensitivity of matches, and made it more app-friendly.
- Added -moz-os-version selectors for @media CSS queries to simplify theming on different operating systems (esp. Windows).
- Updated and improved several languages for the Status Bar code, and added Slovenian.
- Fixed an issue in the internal updater window not showing proper language strings.
- Fixed an issue where the unexpected use of "backface-visibility" on non-3D transformed elements (like the body) would break positioned elements on web pages.
- Fixed text positioning in the combobox display area when a non-default height is set for the combobox.
- Fixed a crash caused by bad Opus audio encoding in media files.
- Fixed a crash when trying to measure memory in about:memory while playing video.
- Fixed a rare crash in sLayersAccelerationPrefsInitialized
- Fixed miscellaneous other crashes.
- Fixed a DNS prefetching issue for the people using this feature.
- Fixed an issue with single-word searches from the address bar when a proxy is in use.
- Fixed a number of build issues on Linux when using system libs.
- Added support for link-time optimization on newer Linux compilers.
- Removed more telemetry code (ongoing project!).
Security fixes:
- Fixed a memory safety bug due to a bad test in nsZipArchive.cpp (CVE-2015-2735).
- Fixed a memory safety bug in nsZipArchive::BuildFileList (CVE-2015-2736).
- Fixed a memory safety bug caused by an overflow in nsXMLHttpRequest::AppendToResponseText (CVE-2015-2740).
- Fixed a Use After Free in CanonicalizeXPCOMParticipant (CVE-2015-2722).
- Fixed off-main-thread nsIPrincipal use of various consumers in the tree (only grab the principal when needed).
- Fixed an issue where an IPDL message was sent off the main thread.
- Fixed a potentially exploitable TCPSocket crash due to a race condition.
更新時間:2015-06-10
更新細節:
What's new in this version:
Fixes/changes:
- Logjam fix: Refuse DHE keys with less than 1024 key bits
- Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
- Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
- Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
- HSTS preload list updates (Squarefractal)
- Status bar locale addition: cs
- Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
- Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
- Disabled the Sync promo box in doorhangers.
- Updated libpng to version 1.5.22
- Fixed support for builds using newer freetype on Linux. (Axiomatic)
- Fixed --with-system-pixman builds. (Isaac Dunham)
- Updated SQLite to version 3.8.10.1
- Changed the after-upgrade page loaded to the release notes instead of the home page.
- (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
- Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
- Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
- Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
- Reorganized how pushed floats are handled in layout flow
- Implemented a change to run the updater from the install directory instead of copying it.
- Fixed transparency of the Pale Moon document icon for 256x256
Updated padlock code:
- Added mixed-mode shading, and reorganized shading pref values more logically (0=off, 1=secure only, 2=secure+mixed, 3=all)
- Cleaned up CSS
- Cleaned up padlock logic a little
- Hard-coded internal UA sniffing values for the extension legacy of devtools
- Updated NSPR to 4.10.8
- Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
- Bumped the built-in site-specific UA compat mode overrides to v38
- Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
- Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
- Added the option to load modules into a named scope (see issue #88)
- Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
- Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
- Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
- Added a preference for always preferring a certain dictionary language.
- To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
- More information about changes in this version that would be important for extension developers and web programmers can be found here.
Security fixes:
- Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
- DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
- Fix for updater hijacking (CVE-2015-2720)
- Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
- Fix for a buffer overflow in the XML parser (CVE-2015-2716)
- Fix for a potentially exploitable crash in DNS handling
更新時間:2015-06-10
更新細節:
What's new in this version:
Fixes/changes:
- Logjam fix: Refuse DHE keys with less than 1024 key bits
- Search plugin updates to re-enable Google suggestions and reduce tracking (Squarefractal)
- Allow plugin-specific (.dll based) OOPP overrides also for npswf. This will not be used for the "master switch" for OOPP and Flash will still be in the plugin container, unless a specific dom.ipc.plugins.enabled.npswf*.dll boolean is set to override.
- Fixed a crash during WebGL Conformance Tests for undefined indices (Toady)
- HSTS preload list updates (Squarefractal)
- Status bar locale addition: cs
- Implemented a fix for the toolkit update service so that the same version as the current application will not be offered as a valid update (Tobin)
- Reorganized the AppMenu (give equal ease for windowed and tabbed browsing, deprioritize Sync)
- Disabled the Sync promo box in doorhangers.
- Updated libpng to version 1.5.22
- Fixed support for builds using newer freetype on Linux. (Axiomatic)
- Fixed --with-system-pixman builds. (Isaac Dunham)
- Updated SQLite to version 3.8.10.1
- Changed the after-upgrade page loaded to the release notes instead of the home page.
- (and hoping people actually do take a moment to read them, preventing unnecessary support requests)
- Fixed navigator.geolocation - should never be null, to properly adhere to the specification (Travis)
- Moved paintlock event delay to greprefs, and adjusted it for 2015's heavier sites
- Fixed the about dialog scripting for pre-release builds (includes build date now as-intended and no longer errors the script)
- Reorganized how pushed floats are handled in layout flow
- Implemented a change to run the updater from the install directory instead of copying it.
- Fixed transparency of the Pale Moon document icon for 256x256
Updated padlock code:
- Added mixed-mode shading, and reorganized shading pref values more logically (0=off, 1=secure only, 2=secure+mixed, 3=all)
- Cleaned up CSS
- Cleaned up padlock logic a little
- Hard-coded internal UA sniffing values for the extension legacy of devtools
- Updated NSPR to 4.10.8
- Updated the NSS security lib to 3.19-RTM + re-worked Pale Moon changes
- Bumped the built-in site-specific UA compat mode overrides to v38
- Fixed a compressed-cache crash due to losing our cache entry while finishing up compression.
- Updated and patched libcubeb, the main media sound library, to fix a number of audio issues (e.g. when switching output device) and audio-related crashes
- Added the option to load modules into a named scope (see issue #88)
- Removed quick access keys for buttons on the updater window (since it may pop up unannounced when people are typing, causing them to make unintended choices)
- Updated jemalloc and mozjemalloc memory allocator libraries to improve performance
- Removed implicit access to a whole range of internally-used interfaces and classes that page content has no business calling anyway
- Added a preference for always preferring a certain dictionary language.
- To use this, create a new preference spellchecker.dictionary.override (string) and set it to your language code.
- More information about changes in this version that would be important for extension developers and web programmers can be found here.
Security fixes:
- Fixes for miscellaneous memory safety hazards (relevant and applicable fixes from CVE-2015-2708 and CVE-2015-2709)
- DiD (defense-in-depth) fix to prevent potential overflows in CSS restyling
- Fix for updater hijacking (CVE-2015-2720)
- Fix to prevent potential disclosure of sensitive information in Android logs (CVE-2015-2714)
- Fix for a buffer overflow in the XML parser (CVE-2015-2716)
- Fix for a potentially exploitable crash in DNS handling
更新時間:2015-05-11
更新細節:
What's new in this version:
- Fixed loss of the browser's disk cache on startup due to incorrect corruption detection logic
- Fixed a browser crash on some HTML5 games
更新時間:2015-05-11
更新細節:
What's new in this version:
- Fixed loss of the browser's disk cache on startup due to incorrect corruption detection logic
- Fixed a browser crash on some HTML5 games
更新時間:2015-05-09
更新細節:
What's new in this version:
Fixes/changes:
- Updated SQLite from 3.7.17 to v3.8.8.3, improving history/bookmark/etc. performance by up to 50% depending on operation
- Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
- Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading at all by default).
- Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as executable
- Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
- Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds before plugins are unloaded
- Fixed version strings for e.g. flash on Linux being displayed with commas instead of periods - this should also fix the incorrect "your plugin is vulnerable" message while being on the latest version
- Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word)
- Android: DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for certain VPN providers on mobile
- Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
- Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions
- Android: updated the random number generator handling on later versions of Android
- Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
- Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!)
- Optimized the NSS callback for secure connections
- Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of addons.palemoon.org
- Added personas support to titlebar text (adopt the lightweight theme's coloring/shading) in custom titlebar mode (Pale Moon appmenu/button)
- Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
- Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
- Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if manually enabled, see previous version notes) as weak.
- Dev: Added availability of the full ciphersuite string for use in extensions to the nsISSLStatus interface (nsISSLStatus.cipherSuite)
- Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android
- Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall application size significantly and avoiding a number of quirks of both the build process and the operation of the browser
- Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
- Removed most telemetry code, reducing code complexity and wasted CPU
- Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
- Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
- Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches
- Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
- Dev: Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on Linux, so please use GCC for that operating system.
- Linux: removed GnomeVFS that's no longer in use
- Fixed the "double padlock while loading a secure site" niggle in the UI
- Dev: added allowance of using -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom styling of the control) Added some more ES6 math/number functions:
- Implemented Math.fround(x)
- Implemented Number.isSafeInteger(x)
- Implemented Math.clz32(x) Security fixes:
- Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0815 and CVE-2015-0815
- Fixed CVE-2015-0811 [qcms] heap info leak
- Fixed CVE-2015-0810 clickjacking attacks via a Flash object in conjunction with DIV elements
- Fixed CVE-2015-0801 a variant of CVE-2015-0818
- Fixed CVE-2015-0800 improve randomness of DNS resolver queries on Android
- Fixed CVE-2015-0798 access to privileged URLs through about: redirector
更新時間:2015-05-09
更新細節:
What's new in this version:
Fixes/changes:
- Updated SQLite from 3.7.17 to v3.8.8.3, improving history/bookmark/etc. performance by up to 50% depending on operation
- Added a new "mixed-mode" state for HTTPS connections. Clarified mixed-mode connections with a mixed-mode padlock and better tooltips.
- Added a conditional partial shading to the URL bar and made it default (shading only on secure sites, no red shading at all by default).
- Dev: Fixed file system mode flags for *nix systems, to make executable files like scripts actually flagged as executable
- Added native IPv6 lookups to NSPR to solve IPv6-only and dual-stack setups in some situations
- Added a pref to control the unloading of idle plugins from memory and lowered the default "idle" time to 60 seconds before plugins are unloaded
- Fixed version strings for e.g. flash on Linux being displayed with commas instead of periods - this should also fix the incorrect "your plugin is vulnerable" message while being on the latest version
- Windows: Set the double-click/Ctrl+arrow word selection to not eat the space (only select the actual word)
- Android: DNS fix for VPN connections, preventing the "server not found" issues people have been reporting for certain VPN providers on mobile
- Updated a number of trusted root certificates, and distrusted the CNNIC root certificate by popular demand
- Linux: Worked around the slice memory allocator not being properly disabled on later GLib versions
- Android: updated the random number generator handling on later versions of Android
- Added fix to prevent spurious re-paints with plugins (performance/UX improvement)
- Removed the plugin check link from the Addons Manager, since it's no longer reliable and not officially available for browsers except Mozilla Firefox. (Bonus: no user profiling/tracking through optimizely!)
- Optimized the NSS callback for secure connections
- Updated the domains that are whitelisted for installation of extensions/themes/personas, streamlining the use of addons.palemoon.org
- Added personas support to titlebar text (adopt the lightweight theme's coloring/shading) in custom titlebar mode (Pale Moon appmenu/button)
- Added display of HTTPS protocol (SSL/TLS) to the page info window (thanks Travis!)
- Improved certificate display: Removed MD5 and added SHA256 fingerprint, and made them selectable/copyable
- Updated classification of secure connections: Classify any encryption with less than 128 bits or including RC4 (if manually enabled, see previous version notes) as weak.
- Dev: Added availability of the full ciphersuite string for use in extensions to the nsISSLStatus interface (nsISSLStatus.cipherSuite)
- Added MAKE_UNLINKABLE to the about: page redirector and added that as default for the reader mode on Android
- Removed the compilation and inclusion of a one-time-use pre-compiled startup cache in omni.ja, reducing overall application size significantly and avoiding a number of quirks of both the build process and the operation of the browser
- Fixed an NVIDIA specific GLX server vendor bug for pixmap depth and fbConfig depth
- Removed most telemetry code, reducing code complexity and wasted CPU
- Linux: Added OSS support (mutually exclusive with ALSA): configure with --enable-oss
- Made DNS caching a lot less aggressive to align the browser's behavior with the dynamic nature of the modern web.
- Removed Mozilla-specific parameters for searches. Search suggestions should now work again for Google searches
- Added the option to allow users to use a fixed (JSON) file-based geolocation response in favor of a GeoIP service.
- Dev: Improvements to Clang builds (thanks Axiomatic/BitVapor!). Clang is not currently producing stable builds on Linux, so please use GCC for that operating system.
- Linux: removed GnomeVFS that's no longer in use
- Fixed the "double padlock while loading a secure site" niggle in the UI
- Dev: added allowance of using -moz-appearance:none on drop-down lists to hide the arrow button (catering to custom styling of the control) Added some more ES6 math/number functions:
- Implemented Math.fround(x)
- Implemented Number.isSafeInteger(x)
- Implemented Math.clz32(x) Security fixes:
- Fixed several memory safety hazards (UAF/DF/UU); applicable bugs covered by CVE-2015-0815 and CVE-2015-0815
- Fixed CVE-2015-0811 [qcms] heap info leak
- Fixed CVE-2015-0810 clickjacking attacks via a Flash object in conjunction with DIV elements
- Fixed CVE-2015-0801 a variant of CVE-2015-0818
- Fixed CVE-2015-0800 improve randomness of DNS resolver queries on Android
- Fixed CVE-2015-0798 access to privileged URLs through about: redirector
更新時間:2015-04-26
更新細節:
What's new in this version:
- This release is an emergency update to fix crashes that started occurring because of Mozilla improperly signing the extensions and extension updates as offered through the Firefox Add-ons site addons.mozilla.org. Any improperly signed extension would not be able to be installed, and would immediately crash the browser.
更新時間:2015-04-26
更新細節:
What's new in this version:
- This release is an emergency update to fix crashes that started occurring because of Mozilla improperly signing the extensions and extension updates as offered through the Firefox Add-ons site addons.mozilla.org. Any improperly signed extension would not be able to be installed, and would immediately crash the browser.