Updates 4/28/17 - Pale Moon

Pale Moon 27.3.0 (2017-04-28) http://www.palemoon.org/releasenotes.shtml

A major development update. Many things have changed in the media back-end, but please understand that some things are still a work in progress, and you may still encounter some html5 video playback issues with MSE.

Changes/fixes:

• Fixed up, checked and enabled vertical text writing modes!
  Pale Moon will now be able to display vertical, right-to-left script.
• Added the option to reset non-default profiles.
• Fixed various issues in the WebP image decoder.
• Added internally-supported document types to allowed <embed> types.
• Fixed locale selection in ICU after update to ICU58.
  (Note: Pale Moon uses the system locale for date formatting, not the browser locale)
• Re-implemented the previous spellchecker dictionary logic (allow user override of document/element language, improve logic and make it unambiguous).
• Ongoing fixes for the MP4 parser and MSE.
• Made HTML Media Elements' preload attribute MSE-spec compliant.
  The preload attribute on HTML media elements is now ignored in the case of an MSE source. This prevents an issue with sourceopen not firing when preload="none".
• Fixed some issues with Windows WMF media playback.
• Fixed an issue with Synced preferences sometimes overwriting stored individual preferences.
• Fixed display of RSS folder icons.
• Fixed issues with custom context menus.
• Fixed an issue importing bookmarks with separators losing their extra data.
• Changed the way numeric addresses are handled in the address bar so it doesn't perform a search when it shouldn't.
• Added an option (browser.sessionstore.cache_behavior) to control from which source restored tabs pull their page content:
  0 = load restored tab data from cache (current behavior, default)
  1 = refresh restored tab data from the network
  2 = refresh stored tab data from the network and bypass any cached data.
• Improved upon a v27 performance regression with SVG scaling.
• Improved performance by being more selective which CSS animations to process.
  As a side-effect, elements changing their display from "none" to something visible now also animate.
• Increased memory allocation for the use of very large PAC files.
• Added menu entries for the permissions manager and improvements to its function and display.
• Added preferences to control "highlight all" behavior of the find bar:
  accessibility.typeaheadfind.highlightallbydefault = true/false highlight all found words by default.
  accessibility.typeaheadfind.highlightallremember = true/false remember the last-used state of Highlight All.
• Added devtools command-line options.
• Added remote IP and protocol to Devtools->Network entry details.
• Added support for <details> and <summary> HTML tags.
• Fixed a regression in the MSIE profile migrator.
• Removed migration of browser-specific settings when migrating data from IE/Safari.
• Implemented optional parameters for permessage-deflate in preparation for RFC7692 errata making acceptance of them mandatory (and to prevent web compat issues doe to the current conflicting text of it).
• Made the image document favicon skinnable.
• Aligned DOM selection addRange with the spec.
• Exposed mozAnon constructor js binding to system scopes for XHR.
• Enhanced form data handling from JavaScript.

Security/privacy changes:

• Updated NSS to 3.28.4-RTM to address a number of issues.
• Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
• Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
• Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
• Added an option to display punycode domain for IDN websites to combat phishing.
  This is enabled by default for domain-validated https sites.
  Preference: browser.identity.display_punycode
  0 = Display IDN name in identity panel (previous behavior)
  1 = Display punycode name for DV SSL domains (default)
  2 = Also display punycode for HTTP sites if IDN name used
• Fixed an issue to prevent contacting remote servers when a connection might get blocked.
• Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
• Fixed several memory- and thread-safety hazards.
• Fixed an address bar spoofing issue. (CVE-2017-5451)
• Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
• Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
• Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
• Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
• Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
• Fixed a potentially exploitable issue in graphite font shaping.
• Fixed a potentially exploitable crash with credential-authentication.
• Fixed out-of-bounds access with text selection in rare cases.
• Fixed a security hazard in the ANGLE library.

-------------------------------------------------------------------------------------------------------

Update via the internal Updater:   Help / About Pale Moon ; or full downloads:

32-bit version https://www.palemoon.org/palemoon-win32.shtml

x64-bit version https://www.palemoon.org/palemoon-win64.shtml