Basilisk is a free and Open Source XUL-based web browser, featuring the well-known Firefox-style interface and operation. It is based on the Goanna layout and rendering engine (a fork of Gecko) and builds on the Unified XUL Platform (UXP), which in turn is a fork of the Mozilla code base without Servo or Rust.
Basilisk as an application is primarily a vessel for development of the XUL platform it builds upon, and additionally a potential replacement for Firefox to retain the use of Firefox Extensions.
Basilisk is development software. This means that it should be considered more or less “beta” at all times; it may have some bugs and is provided as-is, with potential defects. Like any other Free Software community project, it comes without any warranty or promise of fitness for any particular purpose. That being said: of course we will do our best to provide a browser that is as stable and secure as possible with every official release of Basilisk.
It should be noted that because of this focus on platform development, the browser itself (the application code) will be released and maintained mostly as-it-is, with very little change or development on the user interface or browser front-end features.
Basilisk is a modern, full-featured web browser and as such requires a reasonably modern system to properly run.
Windows 7 or later. Windows XP or Windows Vista are not supported.
1GB of RAM (2GB or more recommended for heavy use).
Dedicated GPU strongly recommended.
A modern processor (must have SSE2 support as the absolute minimum).
Important differences with Mozilla Firefox:
Uses Goanna as a layout and rendering engine. Goanna behaves slightly differently than Gecko in certain respects and may result in different display of web pages. e.g.: Goanna renders gradients in a more accurate color space (non-premultiplied).
Builds on UXP, our XUL platform in development. As such XUL is alive and well in this browser and will not be deprecated.
Has some long-standing known issues with the Mozilla code-base fixed (e.g. CVE-2009-1232).
Does not use Rust or the Photon user interface. You can expect a familiar interface as carried by Firefox between v29 and v56.
Does not use Electrolysis (e10s, multi-process browsing).
Does not require walled-garden extension signing.
This is a major development, bugfix and security release.
Added support for the JPEG-XL image format.
Implemented regular expressions lookaround/lookbehind.
Aligned CORS header parsing with the updated spec. See implementation notes.
We no longer fire keypress events for non-printable keys. See implementation notes.
Added support for MacOS 13 “Ventura” in the platform, primarily benefitting White Star.
Fixed potentially problematic thread locking code on *nix platforms.
Fixed some small issues in the display and operation of the Web Developer tools.
Removed unused but performance-impacting panning and tab animation measuring code. (telemetry leftovers)
Improved code for SunOS builds.
Updated Internationalization data for time zones.
Fixed a buffer overflow for Mac builds.
Fixed an issue with plugins not receiving keypress events properly.
Added some extra sanity checks to our zip/jar/xpi reader to avoid issues with corrupt archives.
Aligned cookie checks with RFC 6265 bis. See implementation notes.
Removed obsolete code in Windows widgets that could cause potential issues with long paths and file names on supported versions.
Fixed several crashes.
Security issues addressed: CVE-2022-45411, CVE-2022-46876, CVE-2022-46874 and several others that do not have a CVE number.
UXP Mozilla security patch summary: 6 fixed, 1 DiD, 1 deferred, 45 not applicable.
RFC 6265 is being revised in draft “bis” versions that describe how cookies are actually being handled in the real world. While these changes have not yet been finalized, browsers in general do adhere to the latest available bis version of this RFC. Specifically, the long-standing exceptions for cookie names and values have been formalized, e.g. having quoted values. Our behavior has changed in that we now once again accept Tab characters (0x09), which is the one control character excluded from the otherwise forbidden range. We also no longer apply these checks exclusively to cookies set in HTTP headers; any way of setting cookies must now adhere to the valid range. Cookies that fail these range checks for valid characters will be ignored.
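The range check described above, written out as an added example (not Basilisk or UXP source code). It applies the forbidden control-character range to the cookie name and value only; the function names and the sample cookie strings are constructed for illustration.

```javascript
// Added illustration, not Basilisk/UXP source. Function names are hypothetical.

// True if s contains a control character from the forbidden range:
// 0x00-0x08, 0x0A-0x1F or 0x7F. Tab (0x09) is the one exception.
function hasForbiddenControlChar(s) {
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c <= 0x08 || (c >= 0x0a && c <= 0x1f) || c === 0x7f) return true;
  }
  return false;
}

// Trim only space and tab; String.prototype.trim() would also strip CR/LF
// and so hide characters the range check is supposed to see.
function trimWsp(s) {
  return s.replace(/^[ \t]+|[ \t]+$/g, "");
}

// Takes a cookie string as passed in a Set-Cookie header or to
// document.cookie and reports whether its name/value pair passes the check.
function checkCookiePair(cookieString) {
  const pair = cookieString.split(";")[0]; // attributes are not examined here
  const eq = pair.indexOf("=");
  const name = trimWsp(eq === -1 ? "" : pair.slice(0, eq));
  const value = trimWsp(eq === -1 ? pair : pair.slice(eq + 1));
  const accepted =
    !hasForbiddenControlChar(name) && !hasForbiddenControlChar(value);
  return { name, value, accepted };
}

// Constructed sample inputs.
const samples = [
  "sid=abc123; Path=/",
  'theme="dark mode"',   // quoted value
  "pref=a\tb",           // Tab is allowed
  "sid=abc\x00def",      // NUL in value
  "na\x1bme=v",          // ESC in name
  "x=a\x7fb",            // DEL in value
  "note=line1\nline2",   // LF in value
];
for (const s of samples) {
  const r = checkCookiePair(s);
  console.log(JSON.stringify(s), r.accepted ? "accepted" : "ignored");
}
```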
CORS support has been updated to the current spec. Most importantly, Basilisk now accepts wildcard entries (“*”) for the CORS headers Access-Control-Expose-Headers, Access-Control-Allow-Headers and Access-Control-Allow-Methods. Note that wildcards are ignored (according to the spec) when credentials are passed.
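An added example (not Basilisk or UXP source code) of how the wildcard rule plays out when a preflight response is matched against a request. It models only the list matching for Access-Control-Allow-Methods and Access-Control-Allow-Headers, not the spec's safelisted methods and headers; the function names, header values and request objects are constructed for illustration.

```javascript
// Added illustration, not Basilisk/UXP source. Function names are hypothetical.

// Split a comma-separated CORS header value into trimmed entries.
function parseList(value) {
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Does the header value cover `item`? An explicit entry always matches.
// "*" acts as a wildcard only when the request carries no credentials;
// with credentials it is just the literal name "*".
function listPermits(headerValue, item, credentialed, caseInsensitive) {
  const norm = (s) => (caseInsensitive ? s.toLowerCase() : s);
  const entries = parseList(headerValue);
  if (entries.some((e) => norm(e) === norm(item))) return true;
  return !credentialed && entries.includes("*");
}

// Evaluate a preflight response (lower-cased header map) against a request.
function preflightAllows(response, request) {
  const methods = response["access-control-allow-methods"] || "";
  const headers = response["access-control-allow-headers"] || "";
  const methodOk = listPermits(methods, request.method, request.credentialed, false);
  const blockedHeaders = request.headers.filter(
    (h) => !listPermits(headers, h, request.credentialed, true)
  );
  return { allowed: methodOk && blockedHeaders.length === 0, methodOk, blockedHeaders };
}

// Constructed sample: a server that answers every preflight with wildcards.
const wildcardResponse = {
  "access-control-allow-methods": "*",
  "access-control-allow-headers": "*",
};
// Constructed sample: a server that lists what it permits.
const explicitResponse = {
  "access-control-allow-methods": "DELETE, PUT",
  "access-control-allow-headers": "x-request-id",
};
const anonymous = { method: "DELETE", headers: ["X-Request-Id"], credentialed: false };
const withCookies = { method: "DELETE", headers: ["X-Request-Id"], credentialed: true };

console.log(preflightAllows(wildcardResponse, anonymous));   // wildcard honoured
console.log(preflightAllows(wildcardResponse, withCookies)); // wildcard ignored
console.log(preflightAllows(explicitResponse, withCookies)); // explicit entries match
```

A server that needs credentialed cross-origin requests therefore has to list methods and headers explicitly, as in the second constructed response.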
Basilisk will no longer fire keypress events in content when the key pressed is a non-printable key. This is in response to issues where webmasters would use rudimentary and naïve input-restricting scripts in onkeypress handlers that would not take into account editing keys or navigation keys, causing issues for users trying to enter data into forms (and e.g. finding they could no longer use backspace, cursor keys or tab). This aligns our behavior with other browsers for web compatibility, although a website that does not expect all key presses to be intercepted in keypress events should be considered to be in error.
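An added example (not code from Basilisk or from any real site) of the kind of input-restricting handler described above, next to a version that leaves editing and navigation keys alone. The event objects are constructed stand-ins for DOM keypress events as they were delivered when non-printable keys still fired keypress; a return value of false means the handler would cancel the key.

```javascript
// Added illustration; function names and event objects are constructed.

// Naive digits-only filter: anything that does not map to 0-9 is cancelled.
// Non-printable keys arrive with charCode 0, so Backspace, Tab and cursor
// keys are judged by their keyCode and rejected as "not a digit".
function naiveDigitsOnly(e) {
  const ch = String.fromCharCode(e.charCode || e.keyCode);
  return /[0-9]/.test(ch);
}

// Tolerant filter: only judge keys that actually produce a character, and
// leave non-printable keys and modifier shortcuts to the browser.
function tolerantDigitsOnly(e) {
  if (e.charCode === 0 || e.ctrlKey || e.metaKey || e.altKey) return true;
  return /[0-9]/.test(String.fromCharCode(e.charCode));
}

// Constructed keypress events.
const events = [
  { label: "7", charCode: 55, keyCode: 0 },
  { label: "a", charCode: 97, keyCode: 0 },
  { label: "Backspace", charCode: 0, keyCode: 8 },
  { label: "ArrowLeft", charCode: 0, keyCode: 37 },
  { label: "Tab", charCode: 0, keyCode: 9 },
];

// Labels of the keys a given filter lets through.
function allowedKeys(filter) {
  return events.filter((e) => filter(e)).map((e) => e.label);
}

console.log("naive:   ", allowedKeys(naiveDigitsOnly));
console.log("tolerant:", allowedKeys(tolerantDigitsOnly));
```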