Pale Moon full changelog

Disabled CSP reporting temporarily to work around memory issues caused by CloudFlare's scripting. While CSP reporting is important to inform webmasters of issues with their content security policies, not having the browser eat up all memory is more critical. We do intend to re-enable this when the issue is resolved on CloudFlare's side.
Improved CSS grid performance to avoid exponential calculations and reflows caused by CloudFlare's scripting. This wasn't a bug, per se, but could easily lock up with bad scripting if called recursively.
Added a few other small fixes that are tangentially related to the code changes made.

Changes/fixes:
Implemented a content sniffer for ADTS and raw AAC audio.
Implemented AbortSignal.abort() and stub AbortSignal.timeout().
Unprefixed the :modal CSS pseudo-class and exposed it to content.
Improved efficiency and performance of the Cycle Collector.
Added a check for explicit expectance of a percentage value in CSS HSL for the S and L components.
Updated the cookie storage database to no longer use BaseDomain. See implementation notes.
Updated CSS grid handling to no longer apply auto min-sizing when flex max-sizing (browser parity).
Updated the root certificates in the internal trust store.
Updated the Public Suffix List (eTLD) in the browser.
Removed no longer specced URL Constructor(DOMString url, URL base).
Restored unofficial branding to what it was before ("New Moon" instead of "Browser").
Changed the default Firefox Compatibility user-agent version to 115.0.
Fixed an issue where cloned <audio> or <video> elements would not respect the original element's muted state.
Fixed a number of bugs and spec compliance issues in WebCrypto.
Fixed installer application naming issue causing failure to detect running application.
Fixed a crash when Interval handlers are present in scripts that are automatically terminated due to excessive runtime.
Fixed a crash in JS Structured Cloning when the input would be bogus (CloudFlare-triggered crash).
Fixed a crash in the XSLT stylesheet importing code.
Updated NSS to 3.90.6 (custom) to pick up several security fixes.
Security issues addressed: CVE-2025-1009.

Changes/fixes:
Implemented Regular Expression "match indices" (/d) feature.
Added a way to programmatically clear the DNS cache in the browser, and added a button to the UI for it in about:networking.
Updated handling of referrer policies to adhere to the updated spec.
CSS font variations keywords no longer throw an error. See implementation notes.
CSS border-radius will now also apply to element outlines.
Improved the display of amount of cached web content in preferences when cache is being cleared.
Improved the installer AVX check to skip on early versions of Windows 10 (which don't support it).
Updated NSS to 3.90.5 (unofficial) to pick up some security fixes.
Refreshed the built-in list of effective top-level domains.
Fixed several application crashes.
Reduced unnecessary debug/informative messages in release builds (WebGL and CSP).
Backed out building against ffmpeg 6.0 and ffvpx 6.0 for causing a video playback regression on full-range videos (levels 0-255).
Cleaned up a large amount of leftover Boot2Gecko code, simplifying code paths throughout the code base.
From this version forward we also publish language packs for Persian (Farsi), Hindi, Kannada and Vietnamese.
Security issues addressed: CVE-2024-11693 and CVE-2024-11704 (DiD).
Implementation notes:
The CSS font variations keywords (woff2-variations, truetype-variations, etc.) allow webmasters to indicate format hints for @font-face font resources so authors can provide alternative resources for browsers that don't support tech(variations). The intent of these hints is to provide an alternate font with variations in addition to regular fonts without. Unfortunately, some webmasters don't indicate a base font the variation font face would be an alternate for, which resulted in Pale Moon throwing an error on the only @font-face src entry provided, in turn having the web font not being loaded at all (because no valid entry was found), breaking website layout. From this version onwards, we parse th

Changes/fixes:
Added a processor check to the 64-bit installer for Windows to check for AVX.
Note: this check does not work on Window 7/8/8.1 and will allow installations on non-AVX processors there.
Note: if you are running Windows 10 before build 2004 (before 20H1), this check may fail on AVX-capable CPUs and prevent installation.
Improved handling of multipart/mixed documents. (CVE-2024-10461 and CVE-2016-2816) DiD
Addressed CVE-2024-10463.

Changes/fixes:
Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes.
Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
Improved buildability on NetBSD and Altivec architectures.
Fixed building issues on Apple Silicon Mac with XCode 16.
Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
Dev: Implemented ES2023 Hashbang grammar proposal.
Fixed an issue with JavaScript's StructuredClone.
Security issues addressed: CVE-2024-9396.
Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed)

Changes/fixes:
Implemented the bulk of the CSS "cascade layers" spec (@layer{}). This implementation is not 100% complete yet, but should satisfy common use of CSS cascade layers on the web.
Implemented support for Sec-Fetch-* headers, implementing another mechanism to deal with site security. See this part of the spec for a primer on what this does.
Added support for FFmpeg 7.0 / libavcodec 61 (Linux).
Pale Moon will now look up hosts in DNS ahead of time to make page navigation smoother. See implementation notes.
Pale Moon will now block access to the reserved address 0.0.0.0 on non-Windows operating systems. See implementation notes.
Dev: Aligned rounding behavior and precision ranges of toFixed and related functions with the spec. See implementation notes.
Dev: Aligned isTrusted for PostMessage and BroadcastChannel with expected values on the web. See implementation notes.
Dev: Added the navigator.webdriver attribute for web compatibility (always false in Pale Moon as we do not support browser automation APIs).
Re-implemented the Durstenfeld shuffle for plugin enumeration that was unfortunately dropped with one of our past rebases, to strengthen fingerprinting resistance.
Fixed an issue with character clusters (e.g. for text selection) resulting from a regression surrounding our improvements for emoji handling.
Fixed an issue with setting DOM color values. DiD
Slightly improved password form handling, detecting previously unsupported field orders.
Updated NSS to 3.90.4.
Updated our emoji font to 15.1.2 (Unicode 15.1 with some additional extras/updates).
Code cleanup:
Removed unused code related to the (incomplete) FoxEye experiment.
Removed support code for LibAV and (very) old versions of FFmpeg. We require libavcodec 58 or later (FFmpeg 4.0+) from this version forward (Linux).
Removed click event dispatching code that is no longer relevant.
Cleaned up internal macro use in CSS code (this does not impact any exposed APIs or code).
Removed the hidden n