Basilisk 2025.04.23

This is a development, bugfix, stability, and security release.

• Implemented CSS two-location color stop logic. This allows for two-location color stops (`color x% y%`) in gradients, which is shorthand for `color x%, color y%` where both colors are equal.
• Our minimum GCC version requirement to build is now 9.1.
• Improved channel handling when CSP blocks network redirects.
• Implemented several fixes for CORS preflight requests.
• Added explicit whitelisting from CSP content loading of javascript: scheme URLs.
• Updated the ffvpx library to 6.0.1, this time preventing video color range regressions. An update to 6.0 was previously backed out in v2025.01.04.
• Updated the JPEG-XL library to 0.11.1 to pick up several fixes and improve decoding compatibility of jxl files.
• Updated the SQLite library to 3.49.1.
• Fixed a spec compliance issue with DOMRect and DOMQuad returning 0 if NaN was present. We now return NaN in that case, per spec.
• Fixed a spec compliance issue with NTLM authentication. We now compute Channel Binding Hashes using the certificate signature's hash algorithm, per spec.
  Note that particularly weak algorithms are not used and SHA256 will be used as a minimum, instead, in those cases.
• Fixed a buildability issue on Mac with XCode 16.3.
• Added some additional safety checking to SharedArrayBuffers.
• Added some additional safety checking to XSLT compilation and transformation.
• Windows only: Added a preference widget.windows.follow_shortcuts_on_file_open to control how Windows File Open dialogs handle shortcut links. See implementation notes.
• Simplified some WASM code generation in the Ion JIT compiler.
• Fixed a crash in loading external resource maps.
• Disabled potentially unsafe attempts at recovering JIT operations.
• Fixed some minor linking issues in about:rights.
• Updated the embedded emoji font to fix incorrect display of some of the wheelchair emoji.
• Built on UXP commit: d892468fd0
• Security issues addressed: CVE-2025-1934 (DiD), CVE-2025-3028 (DiD), and and CVE-2025-3033 (see implementation notes)..

Implementation notes

• Windows only: This version introduces a new (numeric) preference to control how the "Open File" dialogs handle shortcut links in the file system.
  A low-severity security issue (CVE-2025-3033) was found that in some specific circumstances could allow a malicious actor to convince a user to upload an unintended file from their file system with a specially-crafted shortcut file. To mitigate this, a special flag can be passed to File Open dialogs which prevent the dialogs from parsing shortcut links and navigating to target files and folders based on the shortcut file contents. This can be controlled with the newly-added preference. Since this flag, when set, also prevents users from navigating "through" shortcuts to folders (from e.g. the desktop) and would instead open/attach/upload the shortcut file itself, this would be disruptive to many users' workflows. Considering the major usability drawback and the low-severity nature of the security issue (which would require considerable social engineering to pull off), Basilisk, at least for the time being or until a better solution is found, will continue allowing the following of shortcuts and navigating through them to target folders and files in File Open dialogs. If you are overly cautious, you may want to set this preference to the value 0 which always prevents shortcut parsing and following. For everyone else, just a warning to please stay safe and never follow strange sequences of instructions from strangers that you don't exactly know what they do (and never take their explanations at face value).