Updates 10/8/24 - Pale Moon

PaleMoon v33.4.0 (2024-10-08).

https://www.palemoon.org/releasenotes.shtml

This is a development, bugfix and security release.

Changes/fixes:

• Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes.
• Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
• Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
• Improved buildability on NetBSD and Altivec architectures.
• Fixed building issues on Apple Silicon Mac with XCode 16.
• Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
• Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
• Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
• Dev: Implemented ES2023 Hashbang grammar proposal.
• Fixed an issue with JavaScript's StructuredClone.
• Security issues addressed: CVE-2024-9396.
• Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed)

Implementation notes:

When very complex "modern" websites get closed by the user, it is possible that the browser is unable to properly release all the resources attached to it, especially those resources, modules and scripts that were part of Shadow DOM or complex interlinked module scripts. This can then result in "detached" web content and scripts that continue to use memory, have active event listeners and loaded scripts. Mainstream browsers are less affected by this as their multi-process setups will effectively "throw the baby out with the bath water" by simply killing the relevant content process. Since we don't have that luxury of a lazy solution to an architectural problem, we need to handle these so-called "ghost windows" resulting from this problem internally without restarting the browser process. This version of Pale Moon introduces the "ghostbuster" concept to try and address this: an automated, internal mechanism that periodically checks for the existence of ghost windows and severs links of them, so that garbage/cycle collection can come in afterwards and release the resources, hopefully preventing browser slowdowns and inflated memory usage over time. If this, for some reason, causes issues for you, you can disable the ghostbuster by setting the preference browser.ghostbuster.enabled to false. Also please report (in detail) on the forum about the issue you're having if flipping this preference to false resolves it, so we can look into improving this new feature.

• By user request, primarily for advanced power users who need this for their local setups, 2 new preferences were introduced to control how the browser deals with same-origin and CORS.
  
  • security.same_origin_policy.enabled, when set to false, will completely disable checking if scripts are allowed to be loaded based on the same-origin policy. Security warning: this is a really bad idea on the open web and you should never blanket disable the Same-Origin Policy check in a web browser for normal use.
  • content.cors.bypass_preflight_request, when set to true, will no longer send CORS preflight requests or check preflight responses and always allow cross-origin requests. Note that this kind of request is normally only made if sending a request to a server might result in data changes server-side (e.g. POST). This preference only does something when CORS is already disabled; provided primarily for specific corner cases where CORS is disabled and preflight checks (providing an extra safety net for server data) need to be shut off too.
  There are dragons hiding in these two preferences. Please handle them responsibly.

----------------------------

Available via the internal updater:   Help / Check for Updates

or Full downloads:   Pale Moon for Windows downloads