Basilisk is a free and Open Source XUL-based web browser, featuring the well-known Firefox-style interface and operation. It is based on the Goanna layout and rendering engine (a fork of Gecko) and builds on the Unified XUL Platform (UXP), which in turn is a fork of the Mozilla code base without Servo or Rust.
Basilisk as an application is primarily a vessel for development of the XUL platform it builds upon, and additionally a potential replacement for Firefox to retain the use of Firefox Extensions.
Basilisk is development software. This means that it should be considered more or less “beta” at all times; it may have some bugs and is provided as-is, with potential defects. Like any other Free Software community project, it comes without any warranty or promise of fitness for any particular purpose. That being said: of course we will do our best to provide an as stable and secure browser as possible with every official release of Basilisk.
It should be noted that because of this focus on platform development, the browser itself (the application code) will be released and maintained mostly as-it-is, with very little change or development on the user interface or browser front-end features.
Basilisk is a modern, full-featured web browser and as such requires a reasonably modern system to properly run.
Windows requirements
Windows 7 or later. Windows XP or Windows Vista are not supported.
1GB of RAM (2GB or more recommended for heavy use).
Dedicated GPU strongly recommended.
A modern processor (must have SSE2 support as the absolute minimum)
Important differences with Mozilla Firefox:
Uses Goanna as a layout and rendering engine. Goanna behaves slightly differently than Gecko in certain respects and may result in different display of web pages. e.g.: Goanna renders gradients in a more accurate color space (non-premultiplied).
Builds on UXP, our XUL platform in development. As such XUL is alive and well in this browser and will not be deprecated.
Has some long-standing known issues with the Mozilla code-base fixed (e.g. CVE-2009-1232).
Does not use Rust or the Photon user interface. You can expect a familiar interface as-carried by Firefox between v29 and v56.
Does not use Electrolysis (e10s, multi-process browsing).
Does not require walled-garden extension signing.
These release notes are summaries of the most important changes for public releases.
v2025.07.04
Published 2025-07-04
This is a major development, bugfix and security release.
Basilisk now includes all non-ubiquitous image and media types in the navigation Accept: header, as discussed in the relevant whatwg fetch spec issue.
Implemented .toJSON() for DOMRect, DOMPoint and DOMMatrix.
Added a base implementation of the SVGGeometryElement API. This is currently limited to .pathLength, getTotalLength() and getPointAtLength(distance)for SVG paths.
Added a base-64/character validity grammar check for CSP nonces.
Enabled JPEG-XL support unconditionally.
Improved desktop ARM media capabilities.
Improved our handling of CSP checks (multiple improvements surrounding loading principal checks).
Added several Mac-specific file types to be treated as executables.
Updated the emoji font to Unicode 16.0.0.
Updated SQLite library to 3.50.1.
Updated NSS to 3.90.7.1 to fix some issues with some sites due to prior root certificate updates.
Updated code dealing with internal URL rewrites for Youtube.
Changed the Firefox compatibility mode version to 128.
Changed how .click() on elements is handled. See implementation notes.
Changed DOMMatrix’s rotate() and rotateSelf() functions to accept 3D rotation instead of 2D, per spec.
Changed CSS parameter animation to round values instead of truncating them, per spec.
This affects all integer properties (e.g. z-order) and font-stretching.
Changed HTML element attribute parsing to additionally escape < and > characters, per spec.
Fixed a regression in XUL
Fixed a minor issue in DOMSVGPoint finity checks.
Fixed some minor platform issues and updated Mac SDK checks.
Fixed an issue when device contrast values would be unset in Mac or Windows+DirectWrite.
Fixed an issue in the “Copy as curl” feature which could potentially mangle URLs.
Fixed an issue with FontFaceSet loading.
Removed support for very old libavcodec versions (before v58).
Removed the CSP referrer directive as it’s no longer in the spec.
Removed preloading of a number of media libraries on Windows. See implementation notes.
Removed the allowance of in image maps. Only
Removed several obsolete and unused preferences from about:config.
Removed obsolete NPN preferences and calls. NPN has long since been replaced by ALPN.
Removed obsolete SVGZoomEvent interface and handlers.
Built on UXP commit: e52eaa961c
Security issues addressed: CVE-2025-6429, CVE-2025-6424 (DiD) and CVE-2025-6426.
Implementation notes
Normally, when a script issues a simulated click on an element, that click is issued on the document the element is in. Unfortunately there has been a perceived bug in mainstream browsers where this didn’t happen on anchors (, hyperlinks) and the browser would navigate even if that anchor was not actually in a web page document (i.e. just created as a reference in scripting). This was eventually made an accepted behaviour in the specification as an exception, describing this bug as expected behavior. Basilisk has now changed how it handles .click() events on anchors to follow this behavior. This primarily impacts some select “download button” behavior on the web where this behavior quirk for anchors is relied on.
Previously, Basilisk would preload a number of media .dll files into the browser, causing resource use even if there was no media to be decoded or played back in the browsing session yet. This was primarily done in inherited Mozilla code for EME to work. Since we don’t support in-browser DRM, this preloading is wholly unnecessary and has been removed.
Responses to “Basilisk 2025.07.04”
Back Top
Leave a Reply