- Changed the X-Content-Type-Options: nosniff behavior to only check "success" class server responses, for web compatibility reasons.
- Changed the performance timer resolution once more to a granularity of 1 ms, after evaluating more potential ways of abusing Spectre. DiD
This takes the most cautious approach possible lacking more information (because apparently NDAs have been signed over this between mainstream players), follows Safari's lead, and should make it not just infeasible but downright impossible to use these timers for nefarious purposes in this context.
- Improved the debug-only startup cache wrapper to prevent a rare crash.
- Fixed a crash in the XML parser.
- Added a check for integer overflow in AesTask::DoCrypto() (CVE-2018-5122) DiD
- Fixed a potential race condition in the browser cache.
- Fixed a crash in HTML media elements (CVE-2018-5102)
- Fixed a crash in XHR using workers.
- Fixed a crash with some uncommon FTP operations.
- Fixed a potential race condition in the JAR library.