@The-Compiler The-Compiler released this Sep 2, 2018 · 407 commits to master since this release

Assets 7

Changed

  • The content.xss_auditing setting is now enabled by default, to mirror
    Chromium's rather than Qt's default behavior.
  • Long URLs in the statusbar are now elided at the end rather than in the
    middle, to make sure the hostname is completely visible whenever possible.

Fixed

  • Crash in Qt 5.7.1 when a website uses window.print().
  • The workaround for Nouveau graphic drivers now works properly again.
  • Crash when using :follow-selected with a link which is outside of the view.
  • Workaround for windows not showing as urgent with some window managers
    (like i3).
  • Crash when opening URLs with some unicode characters (IDNA 2008). Those URLs
    still won't open though, due to missing support in Qt.
  • Crash when a download directory which can't be created is configured.
  • Crash in the importer.py script when importing Chrome bookmarks from newer Chrome versions.
  • The content.webrtc_public_interfaces_only option didn't work on Qt 5.11 previously (it now does).
    Note it still does not work on Qt 5.10 (due to a Qt bug) and Qt < 5.9.2.
  • Repeated escaping of entries in qute://log when refreshing page.
  • The host blocker doesn't block 0.0.0.0 anymore.
  • Crash when using :// as URL pattern.
  • The :buffer completion now sorts tabs with indices >= 10 correctly again.

@The-Compiler The-Compiler released this Jul 11, 2018 · 407 commits to master since this release

Assets 7

Security

  • CVE-2018-10895: Fix CSRF issue on the qute://settings page, leading to
    possible arbitrary code execution. See the related GitHub issue for details:
    #4060

Fixed

  • Rare crash when an error occurs in downloads.
  • Newlines are now stripped from the :version pastebin URL.
  • There's a new mkvenv-pypi-old environment in tox.ini which installs an
    older Qt, which is needed on Ubuntu 16.04.
  • Worked around a Qt issue which redirects to a chrome-error:// page when
    trying to use U2F.
  • The link_pyqt.py script now works correctly with PyQt 5.11.
  • The Windows installer now uninstalls the old version before installing the
    new one, fixing issues with qutebrowser not starting after installing v1.4.0
    over v1.3.3.

@The-Compiler The-Compiler released this Jul 3, 2018 · 407 commits to master since this release

Assets 7

Added

  • Support for the bundled sip module in PyQt 5.11 and other changes in
    Qt/PyQt 5.11.x.
  • New --debug-flag log-requests to log requests to the debug log for
    debugging.
  • New --first flag for :hint (bound to gi for inputs) which automatically
    selects the first hint.
  • New input.escape_quits_reporter setting which can be used to avoid
    accidentally quitting the crash reporter when pressing escape.
  • New qute-lastpass userscript which uses the LastPass CLI to fill passwords.
  • The Makefile now installs a /usr/share/metainfo/qutebrowser.appdata.xml file.
  • QtWebEngine: Support for printing from webpages via window.print.
  • QtWebEngine: Support for muting tabs:
    • New {audio} field for window.title_format and tabs.title.format which
      displays [M]/[A] for muted/recently audible tabs.
    • New :tab-mute command (bound to <Alt-m>) to mute/unmute a tab.
  • QtWebEngine: Support for content.cookies.accept with third-party cookies
    blocked by default (requires Qt 5.11).
  • QtWebEngine: New settings:
    • Support for requesting persistent storage via
      navigator.webkitPersistentStorage.requestQuota with a new
      content.persistent_storage setting (requires Qt 5.11).
      This setting also supports URL patterns.
    • Support for registering custom protocol handlers via
      navigator.registerProtocolHandler with a new
      content.register_protocol_handler setting (requires Qt 5.11).
      This setting also supports URL patterns.
    • Support for WebRTC screen sharing with a new content.desktop_capture
      setting (requires Qt 5.10).
      This setting also supports URL patterns.
    • New content.autoplay setting to enable/disable automatic video playback
      (requires Qt 5.10).
    • New content.webrtc_public_interfaces_only setting to only expose public
      interfaces over WebRTC (requires Qt 5.9.2 or 5.11).
    • New content.canvas_reading setting to disable reading from canvas
      elements.

Changed

  • The following settings now support URL patterns:
    • content.headers.do_not_track
    • content.headers.custom
    • content.headers.accept_language
    • content.headers.user_agent
    • content.ssl_strict
    • content.geolocation
    • content.notifications
    • content.media_capture
  • The Windows/macOS releases now bundle Qt 5.11.1 which is based on
    Chromium 65.0.3325.151 with security fixes up to Chromium 67.0.3396.87.
  • New short flags for commandline arguments: -B and -T for --basedir and
    --temp-basedir; -d and -D for --debug and --debug-flag.
  • Deleting history items via :history-clear or :completion-item-del now
    also removes that URL from QtWebEngine's visited links.
  • There's now completion for commands taking a variable count of arguments
    (like :config-cycle).
  • QtWebEngine: On Qt 5.11.1, no reloads are needed anymore when switching
    between pages with changed settings (e.g. content.javascript.enabled).
  • The qt.force_software_rendering setting changed from a boolean to taking
    different values (software-opengl, qt-quick and chromium) for different
    kinds of software rendering workarounds.
  • On Qt 5.11, using wayland with QtWebEngine is now possible when using
    software rendering.
  • GreaseMonkey scripts now get their own global scope (based on the page's
    one), which allows scripts like OneeChan to work.
  • Rapid hinting is now supported with the yank and yank-primary targets,
    copying newline-separated links.
  • QtWebEngine: On Qt 5.11, the developer tools (inspector) can now be used
    securely and without requiring the --enable-webengine-inspector option.
  • The <Enter> key (:follow-selected) now follows the currently focused
    element if there's no selection.
  • The --logfilter argument now can be prepended with an exclamation mark
    (e.g. --logfilter '!init,destroy') to invert the filter.
  • :view-source now has a --pygments flag which uses the "old" way of
    rendering sources even with QtWebEngine.
  • Improved error messages when a setting needs a newer Qt version.
  • QtWebEngine: Various improvements to make the cursor more visible in caret
    browsing.
  • When a prompt is opened in insert/passthrough mode, the mode is restored
    after closing the prompt.
  • On Qt 5.10 or newer, dictionaries are now read from the qutebrowser data
    directory (e.g. ~/.local/share/qutebrowser) instead of /usr/share/qt.
    Existing dictionaries are copied over.
  • If an error while parsing ~/.netrc occurs, the cause of the error is now
    logged.
  • On Qt 5.9 or newer, certificate errors now show Chromium's detailed error
    page.
  • Greasemonkey scripts now support a "@qute-js-world" tag to run them in a
    different JavaScript context.

Fixed

  • Various subtle keyboard focus issues.
  • The security fix in v1.3.3 caused URLs with ampersands
    (www.example.com?one=1&two=2) to send the wrong arguments when clicked on
    the qute://history page.
  • Crash when opening a PDF page with PDF.js enabled (on QtWebKit), but no
    PDF.js installed.
  • Crash when closing a tab shortly after opening it.

Removed

  • No prebuilt binaries for 32-bit Windows are supplied anymore. This is due to
    Qt removing QtWebEngine support for those upstream. It might be possible to
    distribute 32-bit binaries again with Qt 5.12 in December, but that will only
    happen if it turns out enough people actually need 32-bit support.
  • :tab-detach which has been deprecated in v1.1.0 has been removed.
  • The content.developer_extras setting got removed. On QtWebKit, developer
    extras are now automatically enabled when opening the inspector.

@The-Compiler The-Compiler released this Jun 21, 2018 · 837 commits to master since this release

Assets 9

Security

  • An XSS vulnerability on the qute://history page allowed websites to inject
    HTML into the page via a crafted title tag. This could allow them to steal
    your browsing history. If you're currently unable to upgrade, avoid using
    :history. A CVE request for this issue is pending, see #4011 for updates.

Fixed

  • Crash in a workaround for a Qt 5.11 bug in rare circumstances.
  • Workaround for a Qt bug which preserves searches between page loads.
  • In v1.3.2 a dependency on the PyQt5.QtQuickWidgets module was accidentally
    introduced. Since that module isn't packaged everywhere, it's been removed
    again.

@The-Compiler The-Compiler released this Jun 10, 2018 · 837 commits to master since this release

Assets 9

Fixed

  • QtWebEngine: Improved workaround for a bug in Qt 5.11 where only the
    top/bottom half of the window is used.
  • QtWebEngine: Work around a bug in Qt 5.11 where an endless loading-loop is
    triggered when clicking a link with an unknown scheme.
  • QtWebEngine: When switching between pages with changed settings, less
    unnecessary reloads are done now.
  • QtWebEngine: It's now possible to open external links such as magnet:// or
    mailto: via hints.

@The-Compiler The-Compiler released this May 29, 2018 · 837 commits to master since this release

Assets 9

Fixed

  • Work around a bug in Qt 5.11 where only the top/bottom half of the window is used.
    This workaround is incomplete, but fixes the majority of the cases where this happens.
  • Work around keyboard focus issues with Qt 5.11.
  • Work around an issue in Qt 5.11 where e.g. activating JavaScript per-domain
    needed a manual reload in some cases.
  • Don't crash when a ² key is pressed (e.g. on AZERTY keyboards).
  • Don't crash when a tab is opened and quickly closed again.

@The-Compiler The-Compiler released this May 4, 2018 · 837 commits to master since this release

Assets 9

Added

  • New :scroll-to-anchor command to scroll to an anchor in the document.
  • New url.open_base_url option to open the base URL of a searchengine when no
    search term is given.
  • New tabs.min_width setting to configure the minimal width for tabs.
  • New userscripts:
    • getbib to download bibtex information for DOIs on a page.
    • qute-keepass to get passwords from KeePassX.

Changed

  • QtWebEngine: Support for JavaScript Shared Web Workers have been disabled on
    Qt versions older than 5.11 because of security issues in in Chromium.
    You can get the same effect in earlier versions via
    :set qt.args ['disable-shared-workers']. An equivalent workaround is also
    contained in Qt 5.9.5 and 5.10.1.
  • The file dialog for downloads now has basic tab completion based on the
    entered text.
  • :version now shows OS information for POSIX OS other than Linux/macOS.
  • When there's an error inserting the text from an external editor, a backup
    file is now saved.
  • The window.hide_wayland_decoration setting got renamed to
    window.hide_decoration and now also works outside of wayland.
  • The tabs.favicons.show setting now can take three values: 'always' (was
    True), 'never' (was False) and 'pinned' (to only show favicons for
    pinned tabs).
  • Hover tooltips on tabs now always show the webpage's title.
  • The default value for content.host_blocking.lists was changed to only
    include https://github.com/StevenBlack/hosts[Steven Black's hosts-list] which
    combines various sources.
  • Error messages when trying to wrap when tabs.wrap is False are now logged
    to debug instead of messages.

Fixed

  • Using hints before a page is fully loaded is now possible again.
  • Selecting hints with the number keypad now works again.
  • Tab titles for tabs loaded from sessions should now really be correct instead
    of showing the URL.
  • Loading URLs with customized settings from a session now avoids an additional
    reload.
  • The window icon and title now get set correctly again.
  • The tabs.switching_delay setting now has a correct maximum value limit set.
  • The taskadd script now works properly when there's multi-line output.
  • QtWebEngine: Worked around issues with GreaseMonkey/stylesheets not being
    loaded correctly in some situations.
  • The statusbar now more closely reflects the caret mode state.
  • The icon on Windows should now be displayed in a higher resolution.
  • The QtWebEngine development tools (inspector) now also work when JavaScript is
    disabled globally.
  • Building .exe files now works when upx is installed on the system.
  • The keyhint widget now shows the correct text for chained modifiers.
  • Loading GreaseMonkey scripts now also works with Jinja2 2.8 (e.g. on Debian
    Stable).
  • Adding styles with GreaseMonkey on fast sites now works properly.
  • Window ID 0 is now excluded properly from :tab-take completion.
  • A rare crash when cancelling a download has been fixed.
  • The Makefile (intended for packagers) now supports PREFIX properly.
  • The workaround for a black window with Nvidia graphics is now enabled on
    non-Linux systems (like FreeBSD) as well.
  • Initial support for Qt 5.11.
  • Checking for a new version after sending a crash report now works properly
    again.
  • @match in Greasemonkey scripts now more closely matches the proper pattern
    syntax.
  • Searching via / or ? now doesn't handle any characters in a special way.
  • Fixed crash when trying to retry some failed downloads on QtWebEngine.
  • An invalid spellcheck dictionary filename now doesn't crash anymore.
  • When no spellcheck dictionaries are configured, it's now disabled internally.
    This works around an issue with entering special characters on Facebook
    messenger.
  • The macOS release now should work again on macOS 10.11 and newer.

@The-Compiler The-Compiler released this Mar 14, 2018 · 1178 commits to master since this release

Assets 9

Fixed

  • qutebrowser now starts properly when the PyQt5 QOpenGLFunctions package wasn't
    found.
  • The keybinding cheatsheet on the quickstart page is now loaded from a local
    qute:// URL again.
  • With "tox -e mkvenv-pypi", PyQt 5.10.0 is used again instead of Qt 5.10.1,
    because of an issue with Qt 5.10.1 which causes qutebrowser to fail to start
    ("Could not find QtWebEngineProcess").
  • Unbinding keys which were bound in older qutebrowser versions now doesn't
    crash anymore.
  • Fixed a crash when reloading a page which wasn't fully loaded with v1.2.0
  • Keys on the numeric keypad now fall back to the same bindings without Num+
    if no Num+ binding was found.
  • Fixed hinting on some pages with Qt < 5.10.
  • Titles are now displayed correctly again for tabs which are cloned or loaded
    from sessions.
  • Shortcuts now correctly use Ctrl instead of Command on macOS again.

@The-Compiler The-Compiler released this Mar 9, 2018 · 1178 commits to master since this release

Assets 9

Added

  • Initial implementation of per-domain settings:
    • :set and :config-cycle now have a -u/--pattern argument taking a
      URL match pattern
      for supported settings.
    • config.set in config.py now takes a third argument which is the pattern.
    • New with config.pattern('...') as p: context manager for config.py to
      use the shorthand syntax with a pattern.
    • New tsh keybinding to toggle scripts for the current host. With a capital
      S, the toggle is saved. With a capital H, subdomains are included. With
      u instead of h, the exact current URL is used.
    • New tph keybinding to toggle plugins, with the same additional binding
      described above.
  • New QtWebEngine features:
    • Caret/visual mode
    • Authentication via ~/.netrc
    • Retrying downloads with Qt 5.10 or newer
    • Hinting and other features inside same-origin frames
  • New flags for existing commands:
    • :session-load has a new --delete flag which deletes the
      session after loading it.
    • New --no-last flag for :tab-focus to not focus the last tab when focusing
      the currently focused one.
    • New --edit flag for :view-source to open the source in an external editor.
    • New --select flag for :follow-hint which acts like the given string was entered but doesn't necessary follow the hint.
  • New special pages:
    • qute://bindings (opened via :bind) which shows all keybindings.
    • qute://tabs (opened via :buffer) which lists all tabs.
  • New settings:
    • statusbar.widgets to configure which widgets should be shown in which
      order in the statusbar.
    • tabs.mode_on_change which replaces tabs.persist_mode_on_change. It can
      now be set to restore which remembers input modes (input/passthrough)
      per tab.
    • input.insert_mode.auto_enter which makes it possible to disable entering
      insert mode automatically when an editable element was clicked. Together
      with input.forward_unbound_keys, this should allow for emacs-like
      "modeless" keybindings.
  • New :prompt-yank command (bound to Alt-y by default) to yank URLs
    referenced in prompts.
  • The hostblock_blame script which was removed in v1.0 was updated for the new
    config and re-added.
  • New cycle-inputs.js script in scripts/ which can be used with :jseval -f
    to cycle through inputs.

Changed

  • Complete refactoring of key input handling, with various effects:
    • emacs-like keychains such as <Ctrl-X><Ctrl-C> can now be bound.
    • Key chains can now be bound in any mode (this allows binding unused keys in
      hint mode).
    • Yes/no prompts don't use keybindings from the prompt section anymore, they
      have their own yesno section instead.
    • Trying to bind invalid keys now shows an error.
    • The bindings.default setting can now only be set in a config.py, and
      existing values in autoconfig.yml are ignored.
  • Improvements for GreaseMonkey support:
    • @include and @exclude now support regex matches. With QtWebEngine and Qt
      5.8 and newer, Qt handles the matching, but similar functionality will be
      added in Qt 5.11.
    • Support for @requires
    • Support for the GreaseMonkey 4.0 API
  • The sqlite history now uses write-ahead logging which should be
    a performance and stability improvement.
  • When an editor is spawned with :open-editor and :config-edit, the changes
    are now applied as soon as the file is saved in the editor.
  • The hist_importer.py script now only imports URL schemes qutebrowser can
    handle.
  • Deleting a prefix (:, / or ?) via backspace now leaves command mode.
  • Angular 1 elements and <summary>/<details> now get hints assigned.
  • :tab-only with pinned tabs now still closes unpinned tabs.
  • The url.incdec_segments option now also can take port as possible segment.
  • QtWebEngine: :view-source now uses Chromium's view-source: scheme.
  • Tabs now show their full title as tooltip.
  • When there are multiple unknown keys in a autoconfig.yml, they now all get
    reported in one error.
  • More performance improvements when opening/closing many tabs.
  • The :version page now has a button to pastebin the information.
  • Replacements like {url} can now be escaped as {{url}}.

Fixed

  • QtWebEngine bugfixes:
    • Improved fullscreen handling with Qt 5.10.
    • Hinting and scrolling now works properly on special view-source: pages.
    • Scroll positions are now restored correctly from sessions.
    • :follow-selected should now work in more cases with Qt > 5.10.
    • Incremental search now flickers less and doesn't move to the second result
      when pressing Enter.
    • Keys like Ctrl-V or Shift-Insert are now correctly handled/filtered with
      Qt 5.10.
    • Fixed hangs/segfaults on exit with Qt 5.10.1.
    • Fixed favicons sometimes getting cleared with Qt 5.10.
    • Qt download objects are now cleaned up properly when a download is removed.
    • JavaScript messages are now not double-HTML escaped anymore on Qt < 5.11
  • QtWebKit bugfixes:
    • Fixed GreaseMonkey-related crashes.
    • :view-source now displays a valid URL.
  • URLs containing ampersands and other special chars are now shown correctly
    when filtering them in the completion.
  • :bookmark-add "" foo can now be used to save the current URL with a custom
    title.
  • :spawn -o now waits until the process has finished before trying to show the
    output. Previously, it incorrectly showed the previous output immediately.
  • Suspended pages now should always load the correct page when being un-suspended.
  • Exception types are now shown properly with :config-source and :config-edit.
  • When using :bookmark-add --toggle, bookmarks are now saved properly.
  • Crash when opening an invalid URL from an application on macOS.
  • Crash with an empty completion.timestamp_format.
  • Crash when completion.min_chars is set in some cases.
  • HTML/JS resource files are now read into RAM on start to avoid crashes when
    changing qutebrowser versions while it's open.
  • Setting bindings.key_mappings to an empty value is now allowed.
  • Bindings to an empty commands are now ignored rather than crashing.

Removed

  • QUTE_SELECTED_HTML is now not set for userscripts anymore except when called
    via hints.
  • The qutebrowser_viewsource userscript has been removed as
    :view-source --edit can now be used.
  • The tabs.persist_mode_on_change setting has been removed and replaced by
    tabs.mode_on_change.

@The-Compiler The-Compiler released this Mar 1, 2018 · 2057 commits to master since this release

Assets 8

Changed

  • Windows/macOS releases now bundle Qt 5.10.1 which includes security fixes from
    Chromium up to version 64.0.3282.140.

Fixed

  • QtWebEngine: Crash with Qt 5.10.1 when using :undo on some tabs.
  • Compatibility with Python 3.7