Change Log =========== // https://keepachangelog.com/ All notable changes to this project will be documented in this file. This project adheres to https://semver.org/[Semantic Versioning], though minor breaking changes (such as renamed commands) can happen in minor releases. // tags: // `Added` for new features. // `Changed` for changes in existing functionality. // `Deprecated` for once-stable features removed in upcoming releases. // `Removed` for deprecated features removed in this release. // `Fixed` for any bug fixes. // `Security` to invite users to upgrade in case of vulnerabilities. [[v3.2.0]] v3.2.0 (unreleased) ------------------- Added ~~~~~ - When qutebrowser receives a SIGHUP it will now reload any config.py file in use (same as the `:config-source` command does). (#8108) - The Chromium security patch version is now shown in the backend string in --version and :version. This reflects the latest Chromium version that security fixes have been backported to the base QtWebEngine version from. (#7187) Changed ~~~~~~~ - A few more completions will now match search terms in any order: `:quickmark-*`, `:bookmark-*`, `:tab-take` and `:tab-select` (for the quick and bookmark categories). (#7955) - Elements with an ARIA `role="switch"` now get hints (toggle switches like e.g. on cookie banners). - The `tor_identity` userscript now validates that the -c|--control-port argument value is an int. (#8162) Fixed ~~~~~ - `input.insert_mode.auto_load` sometimes not triggering due to a race condition. - Worked around qutebrowser quitting when closing a KDE file dialog due to a Qt bug. [[v3.1.1]] v3.1.1 (unreleased) ------------------- [[v3.1.0]] v3.1.0 (2023-12-08) ------------------- Removed ~~~~~~~ - The darkmode settings `grayscale.all`, `grayscale.images` and `increase_text_contrast` got removed, following removals in Chromium. Added ~~~~~ - New `smart-simple` value for `colors.webpage.darkmode.policy.images`, which on QtWebEngine 6.6+ uses a simpler classification algorithm to decide whether to invert images. - New `content.javascript.legacy_touch_events` setting, with those now being disabled by default, following a Chromium change. Changed ~~~~~~~ - Upgraded the bundled Qt version to 6.6.1, based on Chromium 112. Note this is only relevant for the macOS/Windows releases, on Linux those will be upgraded via your distribution packages. - Upgraded the bundled Python version for macOS/Windows to 3.12 - The `colors.webpage.darkmode.threshold.text` setting got renamed to `colors.webpage.darkmode.threshold.foreground`, following a rename in Chromium. - With Qt 6.6, the `content.canvas_reading` setting now works without a restart and supports URL patterns. Fixed ~~~~~ - Some web pages jumping to the top when the statusbar is hidden or (with v3.0.x) when a prompt is hidden. - Compatibility with PDF.js v4 - Added an elaborate workaround for a bug in QtWebEngine 6.6.0 causing crashes on Google Mail/Meet/Chat, and a bug in QtWebEngine 6.5.0/.1/.2 causing crashes there with dark mode. - Made a rare crash in QtWebEngine when starting/retrying a download less likely to happen. - Graphical glitches in Google sheets and PDF.js, again. Removed the version restriction for the default application of `qt.workarounds.disable_accelerated_2d_canvas` as the issue was still evident on Qt 6.6.0. (#7489) - The `colors.webpage.darkmode.threshold.foreground` setting (`.text` in older versions) now works correctly with Qt 6.4+. [[v3.0.2]] v3.0.2 (2023-10-19) ------------------- Fixed ~~~~~ - Upgraded the bundled Qt version to 6.5.3. Note this is only relevant for the macOS/Windows releases, on Linux those will be upgraded via your distribution packages. This Qt patch release comes with https://code.qt.io/cgit/qt/qtreleasenotes.git/tree/qt/6.5.3/release-note.md[various important fixes], among them: * Fix for crashes on Google Meet / GMail with dark mode enabled * Fix for right-click in devtools not working properly * Fix for drag & drop not working on Wayland * Fix for some XKB key remappings not working * Security fixes up to Chromium 116.0.5845.187, including https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html[CVE-2023-4863], a critical heap buffer overflow in WebP, for which "Google is aware that an exploit [...] exists in the wild." [[v3.0.1]] v3.0.1 (2023-10-19) ------------------- Fixed ~~~~~ - The "restore video" functionality of the `view_in_mpv` script works again on webengine. - Setting `url.auto_search` to `dns` works correctly now with Qt 6. - Counts passed via keypresses now have a digit limit (4300) to avoid exceptions due to cats sleeping on numpads. (#7834) - Navigating via hints to a remote URL from a file:// one works again. (#7847) - The timers related to the tab audible indicator and the auto follow timeout no longer accumulate connections over time. (#7888) - The workaround for crashes when using drag & drop on Wayland with Qt 6.5.2 now also works correctly when using `wayland-egl` rather than `wayland` as Qt platform. - Worked around a weird `TypeError` with `QProxyStyle` / `TabBarStyle` on certain platforms with Python 3.12. - Removed 1px border for the downloads view, mostly noticeable when it's transparent. - Due to a Qt bug, cloning/undoing a tab which was not fully loaded caused qutebrowser to crash. This is now fixed via a workaround. - Graphical glitches in Google sheets and PDF.js via a new setting `qt.workarounds.disable_accelerated_2d_canvas` to disable the accelerated 2D canvas feature which defaults to enabled on affected Qt versions. (#7489) - The download dialog should no longer freeze when browsing to directories with many files. (#7925) - The app.slack.com User-Agent quirk now targets chromium 112 on Qt versions lower than 6.6.0 (previously it always targets chromium 99) (#7951) - Workaround a Qt issue causing jpeg files to not show up in the upload file picker when it was filtering for image filetypes (#7866) [[v3.0.0]] v3.0.0 (2023-08-18) ------------------- Major changes ~~~~~~~~~~~~~ - qutebrowser now supports Qt 6 and uses it by default. Qt 5.15 is used as a fallback if Qt 6 is unavailable. This behavior can be customized in three ways (in order of precedence): * Via `--qt-wrapper PyQt5` or `--qt-wrapper PyQt6` command-line arguments. * Via the `QUTE_QT_WRAPPER` environment variable, set to `PyQt6` or `PyQt5`. * For packagers wanting to provide packages specific to a Qt version, patch `qutebrowser/qt/machinery.py` and set `_WRAPPER_OVERRIDE`. - Various commands were renamed to better group related commands: * `set-cmd-text` -> `cmd-set-text` * `repeat` -> `cmd-repeat` * `repeat-command` -> `cmd-repeat-last` * `later` -> `cmd-later` * `edit-command` -> `cmd-edit` * `run-with-count` -> `cmd-run-with-count` The old names continue to work for the time being, but are deprecated and show a warning. - Releases are now automated on CI, and GPG signed by `qutebrowser bot `, fingerprint `27F3 BB4F C217 EECB 8585 78AE EF7E E4D0 3969 0B7B`. The key is available as follows: * On https://qutebrowser.org/pubkey.gpg * Via keys.openpgp.org * Via WKD for bot@qutebrowser.org - Support for old Qt versions (< 5.15), old Python versions (< 3.8) and old macOS (< 11)/Windows (< 10) versions were dropped. See the "Removed" section below for details. Added ~~~~~ - On invalid commands/settings with a similarly spelled match, qutebrowser now suggests the correct name in its error messages. - New `:prompt-fileselect-external` command which can be used to spawn an external file selector (`fileselect.folder.command`) from download filename prompts (bound to `` by default). - New `qute://start` built-in start page (not set as the default start page yet). - New `content.javascript.log_message.levels` setting, allowing to surface JS log messages as qutebrowser messages (rather than only logging them). By default, errors in internal `qute:` pages and userscripts are shown to the user. - New `content.javascript.log_message.excludes` setting, which allows to exclude certain messages from the `content.javascript.log_message.levels` setting described above. - New `tabs.title.elide` setting to configure where text should be elided (replaced by `…`) in tab titles when space runs out. - New `--quiet` switch for `:back` and `:forward`, to suppress the error message about already being at beginning/end of history. - New `qute-1pass` userscript using the 1password commandline to fill passwords. - On macOS when running with Qt < 6.3, `pyobjc-core` and `pyobjc-framework-Cocoa` are now required dependencies. They are *not* required on other systems or when running with Qt 6.3+, but still listed in the `requirements.txt` because it's impossible to tell the two cases apart there. - New features in userscripts: * `qutedmenu` gained new `window` and `private` options. * `qute-keepassxc` now supports unlock-on-demand, multiple account selection via rofi, and inserting TOTP-codes (experimental). * `qute-pass` will now try looking up candidate pass entries based on the calling tab's verbatim netloc (hostname including port and username) if it can't find a match with an earlier candidate (FQDN, IPv4 etc). - New `qt.chromium.experimental_web_platform_features` setting, which is enabled on Qt 5 by default, to maximize compatibility with websites despite an aging Chromium backend. - New `colors.webpage.darkmode.increase_text_contrast` setting for Qt 6.3+ - New `fonts.tooltip`, `colors.tooltip.bg` and `colors.tooltip.fg` settings. - New `log-qt-events` debug flag for `-D` - New `--all` flags for `:bookmark-del` and `:quickmark-del` to delete all quickmarks/bookmarks. Removed ~~~~~~~ - Python 3.8.0 or newer is now required. - Support for Python 3.6 and 3.7 is dropped, as they both reached their https://endoflife.date/python[end of life] in December 2021 and June 2023, respectively. - Support for Qt/PyQt before 5.15.0 and QtWebEngine before 5.15.2 are now dropped, as older Qt versions are https://endoflife.date/qt[end-of-life upstream] since mid/late 2020 (5.13/5.14) and late 2021 (5.12 LTS). - The `--enable-webengine-inspector` flag is now dropped. It used to be ignored but still accepted, to allow doing a `:restart` from versions older than v2.0.0. Thus, switching from v1.x.x directly to v3.0.0 via `:restart` will not be possible. - Support for macOS 10.14 and 10.15 is now dropped, raising the minimum required macOS version to macOS 11 Big Sur. * Qt 6.4 was the latest version to support macOS 10.14 and 10.15. * It should be possible to build a custom .dmg with Qt 6.4, but this is unsupported and not recommended. - Support for Windows 8 and for Windows 10 before 1607 is now dropped. * Support for older Windows 10 versions might still be present in Qt 6.0/6.1/6.2 * Support for Windows 8.1 is still present in Qt 5.15 * It should be possible to build a custom .exe with those versions, but this is unsupported and not recommended. - Support for 32-bit Windows is now dropped. Changed ~~~~~~~ - The qutebrowser icons got moved from `icons/` to `qutebrowser/icons` in the repository, so that it's possible for qutebrowser to load them using Python's resource system (rather than compiling them into a Qt resource file). Packagers are advised to use `misc/Makefile` if possible, which has been updated with the new paths. - The `content.javascript.can_access_clipboard` setting got renamed to `content.javascript.clipboard` and now understands three different values rather than being a boolean: `none` (formerly `false`), `access` (formerly `true`) and `access-paste` (additionally allows pasting content, needed for websites like Photopea or GitHub Codespaces). - The default `hints.selectors` now also match the `treeitem` ARIA roles. - The `:click-element` command now can also click elements based on its ID (`id`), a CSS selector (`css`), a position (`position`), or click the currently focused element (`focused`). - The `:click-element` command now can select the first found element via `--select-first`. - New `search.wrap_messages` setting, making it possible to disable search wrapping messages. - The `:session-save` command now has a new `--no-history` flag, to exclude tab history. - New widgets for `statusbar.widgets`: * `clock`, showing the current time * `search_match`, showing the current match and total count when finding text on a page - Messages shown by qutebrowser now don't automatically get interpreted as rich text anymore. Thus, e.g. `:message-info

test` now shows the given text. To show rich text with `:message-*` commands, use their new `--rich` flag. Note this is NOT a security issue, as only a small subset of HTML is interpreted as rich text by Qt, independently from the website. - Improved output when loading Greasemonkey scripts. - The macOS `.app` now is registered as a handler for `.mhtml` files, such as the ones produced by `:download --mhtml`. - The "... called unimplemented GM_..." messages are now logged as info JS messages instead of errors. - For QtNetwork downloads (e.g. `:adblock-update`), various changes were done for how redirects work: - Insecure redirects (HTTPS -> HTTP) now fail the download. - 20 redirects are now allowed before the download fails rather than only 10. - A redirect to the same URL will now fail the download with too many redirects instead of being ignored. - When a download fails in a way it'd leave an empty file around, the empty file is now deleted. - With Qt 6, setting `content.headers.referer` to `always` will act as if it was set to `same-domain`. The documentation is now updated to point that out. - With QtWebEngine 5.15.5+, the load finished workaround was dropped, which should make certain operations happen when the page has started loading rather when it fully finished. - `mkvenv.py` has a new `--pyqt-snapshot` flag, allowing to install certain packages from the https://www.riverbankcomputing.com/pypi/[Riverbank development snapshots server]. - When `QUTE_QTWEBENGINE_VERSION_OVERRIDE` is set, it now always wins, no matter how the version would otherwise have been determined. Note setting this value can break things (if set to a wrong value), and usually isn't needed. - When qutebrowser is run with an older QtWebEngine version as on the previous launch, it now prints an error before starting (which causes the underlying Chromium to remove all browsing data such as cookies). - The keys "" and "" are now named "" and "", respectively. - The `tox.ini` now requires at least tox 3.20 (was tox 3.15 previously). - `:config-diff` now has an `--include-hidden` flag, which also shows internally-set settings. - Improved error messages when `:spawn` can't find an executable. - When a process fails, the error message now suggests using `:process PID` with the correct PID (rather than always showing the latest process, which might not be the failing one) - When a process got killed with `SIGTERM`, no error message is now displayed anymore (unless started with `:spawn --verbose`). - When a process got killed by a signal, the signal name is now displayed in the message. - The `js-string-replaceall` quirk is now removed from the default `content.site_specific_quirks.skip`, so that `String.replaceAll` is now polyfilled on QtWebEngine < 5.15.3, hopefully improving website compaitibility. - Hints are now displayed for elements setting an `aria-haspopup` attribute. - qutebrowser now uses SPDX license identifiers in its files. Full support for the https://reuse.software/[REUSE specification] (license provided in a machine-readable way for every single file) is not done yet, but planned for a future release. Fixed ~~~~~ - When the devtools are clicked but `input.insert_mode.auto_enter` is set to `false`, insert mode now isn't entered anymore. - The search wrapping messages are now correctly displayed in (hopefully) all cases with QtWebEngine. - When a message with the same text as a currently already displayed one gets shown, qutebrowser used to only show one message. This is now only done when the two messages are completely equivalent (text, level, etc.) instead of doing so when only the text matches. - The `progress` and `backforward` statusbar widgets now stay removed if you choose to remove them. Previously they would appear again on navigation. - Rare crash when running userscripts with crashed renderer processes. - Multiple rare crashes when quitting qutebrowser. - The `asciidoc2html.py` script now correctly uses the virtualenv-installed asciidoc rather than requiring a system-wide installation. - "Package would be ignored" deprecation warnings when running `setup.py`. - ResourceWarning when using `:restart`. - Crash when shutting down before fully initialized. - Crash with some notification servers when the server is quitting. - Crash when using QtWebKit with PAC and the file has an invalid encoding. - Crash with the "tiramisu" notification server. - Crash when the "herbe" notification presenter doesn't start correctly. - Crash when no notification server is installed/available. - Warning with recent versions of the "deadd" (aka "linux notification center") notification server. - Crash when using `:print --pdf` with a directory where its parent directory did not exist. - The `PyQt{5,6}.sip` version is now shown correctly in the `:version`/`--version` output. Previously that showed the version from the standalone `sip` module which was only set for PyQt5. (#7805) - When a `config.py` calls `.redirect()` via a request interceptor (which is unsupported) and supplies an invalid redirect target URL, an exception is now raised for the `.redirect()` call instead of later inside qutebrowser. - Crash when loading invalid history items from a session file. [[v2.5.4]] v2.5.4 (2023-03-13) ------------------- Fixed ~~~~~ - Support SQLite with DQS (double quoted string) compile time option turned off. [[v2.5.3]] v2.5.3 (2023-02-17) ------------------- Added ~~~~~ - New `array_at` quirk, polyfilling the https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/at[`Array.at` method], which is needed by various websites, but only natively available with Qt 6.2. Fixed ~~~~~ - Crash when the adblock filter file can't be read. - Inconsistent behavior when using `:config-{dict,list}-*` commands with an invalid value. Before the fix, using the same command again would complain that the value was already present, despite the error and the value not being actually changed. - Incomplete error handling when mutating a dict/list in `config.py` and setting an invalid value. Before the fix, this would result in either a message in the terminal rather than GUI (startup), or in a crash (`:config-source`). - Wrong type handling when using `:config-{dict,list}-*` commands with a config option with non-string values. The only affected option is `bindings.commands`, which is probably rarely used with those commands. - The `readability` userscript now correctly passes the source URL to Breadability, to make relative links work. - Update `dictcli.py` to use the `main` branch, fixing a 404 error. - Crash with some notification servers when the server did quit. - Minor documentation fixes [[v2.5.2]] v2.5.2 (2022-06-22) ------------------- Fixed ~~~~~ - Packaging-related fixes: * The `install` and `stacktrace` help pages are now included in the docs shipped with qutebrowser when using the recommended packaging workflow. * The Windows installer now more consistently uses the configured Windows colors. * The Windows installer now bases the desktop/start menu icon choices on the existing install, if upgrading. * The macOS release hopefully doesn't cause macOS to (falsely) claim that it "is damaged and can't be opened" anymore. - The notification fixes in v2.5.1 caused new notification crashes (probably more common than the ones being fixed...). Those are now fixed, along with a (rather involved) test case to prevent similar issues in the future. - When a text was not found on a page, the associated message would be shown as rich text (e.g. after `/

`). With this release, this is fixed for search messages, while the 3.0.0 release will change the default for all messages to be plain-text. Note this is NOT a security issue, as only a small subset of HTML is interpreted as rich text by Qt, independently from the website. - When a Greasemonkey script couldn't be loaded (e.g. due to an unreadable file), qutebrowser would crash. It now shows an error instead. - Ever since the v1.2.0 release in 2018, the `content.default_encoding` setting was not applied on start properly (only when it was changed afterwards). This is now fixed. [[v2.5.1]] v2.5.1 (2022-05-26) ------------------- Fixed ~~~~~ - The `qute-pass` userscript is marked as executable again. - PDF.js now works properly again with the macOS and Windows releases. - The MathML workaround for darkmode (e.g. black on black Wikipedia formula) now also works for display (rather than inline) math. - The `content.proxy` setting can now correctly be set to arbitrary values via the `qute://settings` page again. - Fixed issues with Chromium version detection on Archlinux with qt5-webengine 5.15.9-3. - Fixed a rare possible crash with invalid `Content-Disposition` headers. - Fixes for various notification-related crashes: * With the `tiramisu` notification server (due to invalid behavior of the server, now a non-fatal error) * With the `budgie` notification server when closing a notification (due to invalid behavior of the server, now worked around) * When a server exits with an unsuccessful exit status (now a non-fatal error) * When a server couldn't be started successfully (now a non-fatal error) * With the `herbe` notification presenter, when the website tries to close the notification after the user accepting (right-clicking) it. - Fixes in userscripts: * The `qute-bitwarden` userscript now correctly searches for entries for sites on a subdomain of an unrecognized TLD. subdomain names. Previously `my.site.local` would have searched in bitwarden for `my.sitelocal`, losing the rightmost dot. [[v2.5.0]] v2.5.0 (2022-04-01) ------------------- Deprecated ~~~~~~~~~~ - v2.5.x will be the last release of qutebrowser 2. **For the upcoming 3.0.0 release**, it's planned to drop support for various legacy platforms and libraries which are unsupported upstream, such as: * Qt before 5.15 LTS (plus adding support for Qt 6.2+) * Python 3.6 * The QtWebKit backend * macOS 10.14 (via Homebrew) * 32-bit Windows (via Qt) * Windows 8 (via Qt) * Windows 10 before 1809 (via Qt) * Possibly other more minor dependency changes - The `:rl-unix-word-rubout` command (`` in command/prompt modes) has been deprecated. Use `:rl-rubout " "` instead. - The `:rl-unix-filename-rubout` command has been deprecated. Use either `:rl-rubout "/ "` (classic readline behavior) or `:rl-filename-rubout` (using OS path separator and ignoring spaces) instead. Changed ~~~~~~~ - Improved message if a spawned process wasn't found and a Flatpak container is in use. - The `:tab-move` command now takes `start` and `end` as `index` to move a tab to the first/last position. - Tests now automatically pick the backend (QtWebKit/QtWebEngine) based on what's available. The `QUTE_BDD_WEBENGINE` environment variable and `--qute-bdd-webengine` argument got replaced by `QUTE_TESTS_BACKEND` and `--qute-backend` respectively, which can be set to either `webengine` or `webkit`. - Using `:tab-give` or `:tab-take` on the last tab in a window now always closes that window, no matter what `tabs.last_close` is set to. - Redesigned `qute://settings` (`:set`) page with buttons for options with fixed values. - The default `hint.selectors` now match more ARIA roles (`tab`, `checkbox`, `menuitem`, `menuitemcheckbox` and `menuitemradio`). - Using e.g. `:bind --mode=passthrough` now scrolls to the passthrough section on the `qute://bindings` page. - Clicking on a notification now tries to focus the tab where the notification is coming from. Note this might not work properly if there is more than one tab from the same host open. - Improvements to userscripts: * `qute-bitwarden` understands a new `--password-prompt-invocation`, which can be used to specify a tool other than `rofi` to ask for a password. * `cast` now uses `yt-dlp` if available (falling back to `youtube-dl` if not). It also lets users override the tool to use via a `QUTE_CAST_YTDL_PROGRAM` environment variable. * `qute-pass` now understands a new `--prefix` argument if used in gopass mode, which gets passed as subfolder prefix to `gopass`. * `open_download` now supports Flatpak by using its XDG Desktop Portal. * `open_download` now waits for the exit status of `xdg-open`, causing qutebrowser to report any issues with it. - The `content.headers.custom` setting now accepts empty strings as values, resulting in an empty header being sent. - Renamed settings: * `qt.low_end_device_mode` -> `qt.chromium.low_end_device_mode` * `qt.process_model` -> `qt.chromium.process_model` - System-wide userscripts are now discovered from the correct location when running via Flatpak (`/app/share` rather than `/usr/share`). - Filename prompts now don't display a `..` entry in the list of files anymore. To get back to the parent directory, either type `../` manually, or use the new `:rl-filename-rubout` command, bound to `` by default. Added ~~~~~ - New `input.match_counts` option which allows to turn off count matching for more emacs-like bindings. - New `{relative_index}` field for `tabs.title.format` (and `.pinned_format`) which shows relative tab numbers. - New `input.mode_override` option which allows overriding the current mode based on the new URL when navigating or switching tabs. - New `qt.chromium.sandboxing` setting which allows to disable Chromium's sandboxing (mainly intended for development and testing). - New `QUTE_TAB_INDEX` variable for userscripts, containing the index of the current tab. - New `editor.remove_file` setting which can be set to `False` to keep all temporary editor files after closing the external editor. - New `:rl-rubout` command replacing `:rl-unix-word-rubout` (and optionally `:rl-unix-filename-rubout`), taking a delimiter as argument. - New `:rl-filename-rubout` command, using the OS path separator and ignoring spaces. The command also gets shown in the suggested commands for a download filename prompt now. Fixed ~~~~~ - When `search.incremental` is disabled, searching using `/text` followed by a backwards search via `?text` (or vice-versa) now correctly changes the search direction. - Elements getting a hint due to a `tabindex` now are skipped if it's set to `-1`, reducing some false-positives. - The audible indicator (`[A]`) now uses a 2s cooldown when the audio goes silent, equivalent with the behavior of older QtWebEngine versions. - With `confirm_quit` set to `downloads`, the confirmation dialog is now only shown when closing the last window (rather than closing any window, which would continue running that window's downloads). Unfortunately, more issues with `confirm_quit` and multiple windows remain. - Crash when a previous crash-log file contains non-ASCII characters (which should never happen unless it was edited manually) - Due to changes in Debian, an old workaround (for broken QtWebEngine patching on Debian) caused the inferior qutebrowser error page to be displayed, when Chromium's would have worked fine. The workaround was now dropped. - Crash when using `` (`:completion-item-del`) in the `:tab-focus` list, rather than `:tab-select`. - Work around a Qt issue causing `:spawn` to run executables from the current directory if no system-wide executable was found. The underlying Qt bug is tracked as https://lists.qt-project.org/pipermail/announce/2022-February/000333.html[CVE-2022-25255], though the impact with typical qutebrowser usage is low: Normally, qutebrowser is run from a fixed location (usually the users home directory), and `:spawn` is not typically used with executables that don't exist. The main security impact of this bug is in tools like text editors, which are often executed in untrusted directories and might attempt to run auxiliary tools automatically. - When `:rl-rubout` or `:rl-filename-rubout` (formerly `:rl-unix-word-rubout` and `:rl-unix-filename-rubout`) were used on a string not starting with the given delimiter, they failed to delete the first character, which is now fixed. - Fixes in userscripts: * `ripbang` now works again (it got blocked due to a missing user agent and used outdated qutebrowser commands before) * `keepassxc` now has a properly working `--insecure` flag - Speculative fix for an immediate crash at start with the macOS/Windows binaries (in certain rare environments). - Speculative fix for a qutebrowser crash when the notification daemon crashes while showing the notification. - Fix crash when using `:screenshot` with an invalid `--rect` argument. - Added a site-specific quirk to make cookie dialogs on StackExchange pages (such as Stack Overflow) work on Qt 5.12. [[v2.4.0]] v2.4.0 (2021-10-21) ------------------- Security ~~~~~~~~ - **CVE-2021-41146**: Fix arbitrary command execution on Windows via URL handler argument injection. See the https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm[security advisory] for details. Added ~~~~~ - New `content.blocking.hosts.block_subdomains` setting which can be used to disable the subdomain blocking for the hosts-based adblocker introduced in v2.3.0. - New `downloads.prevent_mixed_content` setting to prevent insecure mixed-content downloads (true by default). - New `--private` flag for `:tab-clone`, which clones a tab into a new private window, mirroring the same flags for `:open` and `:tab-give`. Fixed ~~~~~ - Switching tabs via mouse wheel scrolling now works properly on macOS. Set `tabs.mousewheel_switching` to false if you prefer the previous behavior. - Speculative fix for a crash when closing qutebrowser while a systray notification is shown. Changed ~~~~~~~ - Typing in the filename prompt now filters matching directories. - When opening a file qutebrowser can't handle from a `file:///` directory listing, qutebrowser now opens it with the default application rather than displaying a download prompt. - In Greasemonkey scripts, using "overrideMimeType" with GM_xmlhttpRequest is now supported. - `:hint --rapid` is now supported for the `tab` hinting target no matter what `tabs.background` is set to, as there are various scenarios where tabs can open in the background. - New flags for the `qute-pass` userscript: * `--unfiltered` to show all secrets, not just the one matching the current URL. * `--always-show-selection` to confirm the password to be entered even if there's only a single match. - In insert mode, `` is now bound to `fake-key ` by default, i.e., sends an Escape keypress to the website. - Using `GM_setClipboard` in Greasemonkey scripts is now supported. [[v2.3.1]] v2.3.1 (2021-07-28) ------------------- Fixed ~~~~~ - Updated the workaround for Google Account log in claiming that this browser isn't secure. For an equivalent workaround on older versions, run: `:set -u https://accounts.google.com/* content.headers.user_agent "Mozilla/5.0 ({os_info}; rv:90.0) Gecko/20100101 Firefox/90.0"` - Corrupt cache file exceptions with `adblock` 0.5.0+ are now handled properly. - Crash when entering unicode surrogates into the filename prompt. - `UnboundLocalError` in `qute-keepass` when the database couldn't be opened. [[v2.3.0]] v2.3.0 (2021-06-28) ------------------- Added ~~~~~ - New `content.prefers_reduced_motion` setting to request websites to reduce non-essential motion/animations. - New `colors.prompts.selected.fg` setting to customize the text color for selected items in filename prompts. Changed ~~~~~~~ - The hosts-based adblocker (using `content.blocking.hosts.lists`) now also blocks all requests to any subdomains of blocked hosts. - The `fonts.web.*` settings now support URL patterns. - The `:greasemonkey-reload` command now shows a list of loaded scripts and has a new `--quiet` switch to suppress that message. - When launching a userscript via hints, a new `QUTE_CURRENT_URL` environment variable now points to the current page (rather than the URL of the selected element, where `QUTE_URL` points to). Fixed ~~~~~ - Crash on macOS 10.14+ when logging into Google accounts -- the previous fix was incomplete due wrong information in Apple's documentation. - Crash when two Greasemonkey scripts have the same name (usually happening because the same file is in both the data and the config directory). - Deprecation warnings when using the `link_pyqt.py` script on Python 3.10 (e.g. via `tox` or `mkvenv.py`). [[v2.2.3]] v2.2.3 (2021-06-01) ------------------- Fixed ~~~~~ - Logging into Google accounts or sharing the camera on macOS 10.14+ crashed, which is now fixed. - The Windows installer now correctly aborts the installation on Windows 7 (rather than attempting an install which won't work, since Windows 7 is unsupported since the v2.0.0 release). - Using `--json-logging` without `--debug` caused qutebrowser to crash since the v1.13.0 release. It now works correctly again. - Mixing Qt 5.14+ with QtWebEngine 5.12 caused a crash related to qutebrowser's notification support, which is now fixed. - The documentation now points to the new IRC channels on irc.libera.chat instead of the defunct Freenode channels (due to a hostile takeover by Freenode staff). - Setting `content.headers.user_agent` or `.accept_language` to a value containing non-ascii characters was permitted by qutebrowser, but resulted in a crash when loading a page. Such values are now rejected properly. - When quitting qutebrowser on the `qute://settings` page, a crash could happen, which is now fixed. - When `:edit-text` is used, but the existing text in the input isn't representable in the configured encoding (`editor.encoding`), qutebrowser would crash. It now shows a proper error instead. - The testsuite should now work properly on aarch64. - When QtWebEngine is in a "stuck" state while `:selection-follow` was used, this could cause a crash in qutebrowser. This is now fixed (speculatively, due to lack of a reproducer). - When the brave adblock data (`adblock-cache.dat`) got corrupted, qutebrowser would crash when trying to load it. It now displays an error instead. - Combining `/S` (silent) and `/allusers` when uninstalling via the Windows installer now works properly. [[v2.2.2]] v2.2.2 (2021-05-20) ------------------- Fixed ~~~~~ - When awesomewm's "naughty" notification daemon was used with a development version of AwesomeWM and an unknown version number, qutebrowser would crash when trying to parse the version string. This is now fixed. - Due to a bug with QtWebEngine 5.15.4, old Service Worker data could cause renderer process crashes. This is now worked around by qutebrowser. - When an (broken) binding to `set-cmd-text` without any argument existed, using `:` would crash, which is now fixed. - New site-specific quirk (again) working around not being able to type accented/composed characters on Google Docs. - When running with `python -OO` (which is not recommended), a notification being shown would result in a crash, which is now fixed. [[v2.2.1]] v2.2.1 (2021-04-29) ------------------- Changed ~~~~~~~ - When an error occurs in a notification presenter, qutebrowser now shows that error in the statusbar instead of just logging it. - New site-specific-quirk for Discord logging users out when using vertical tabs (yes, really) Fixed ~~~~~ - Certain errors from notification daemons are now displayed as non-fatal errors instead of qutebrowser crashing: * With the legacy GNOME Flashback notification daemon (not GNOME Shell), when more than 20 notifications are currently shown. * With the KDE Plasma notification daemon, when the same notification is shown twice (with <1s delay). - The `mkvenv.py` script now works when `ldconfig -p` is failing. - Running `:spawn -u -o` broke in v2.2.0 and now works properly again. - Fixes in userscripts: * The `qute-bitwarden` userscript now still consumes returned data if the Bitwarden CLI showed a warning but exited with a 0 (successful) exit code. * The `qute-pass` userscript now doesn't try to match a username with `--password-only`, and error messages with invalid patterns are improved. * The `qute-pass` userscript now avoids running `pass` twice when `--otp-only` is used. [[v2.2.0]] v2.2.0 (2021-04-13) ------------------- Deprecated ~~~~~~~~~~ - Running qutebrowser with Qt 5.12.0 is now unsupported and logs a warning. It should still work - however, a workaround for issues with the Nvidia graphic driver was dropped. Newer Qt 5.12.x versions are still fully supported. - The `--force` argument for `:tab-only` is deprecated, use `--pinned close` instead. - Using `:tab-focus` without an argument or count is now deprecated, use `:tab-next` instead. Added ~~~~~ - New dependency on the `QtDBus` module. If this requirement is an issue for you or your distribution, please open an issue! Note that a DBus connection at runtime is still optional. - New `input.media_keys` setting which can be used to disable Chromium's handling of media keys. - New `:process` command (and associated `qute://process` pages) which can be used to view and terminate/kill external processes spawned by qutebrowser. - New `content.site_specific_quirks.skip` setting which can be used to disable individual site-specific quirks. - New `--pinned` argument for `:tab-only`, which replaces `--force` (with `--pinned close`), but also can take `--pinned keep` to keep pinned tabs without prompting. - New `fileselect.folder.command` which can be used with `fileselect.handler = external` to customize the command to use to upload directories (`` elements, which are non-standard but in wide use). - New `content.notifications.presenter` setting with various new ways to show web notifications: * `auto` (default): Automatically detect the best available option * `qt`: Use Qt's built-in mechanism (like before this release) * `libnotify`: Use a libnotify-compatible notification server (i.e. native notifications on Linux) * `systray`: Use a systray icon (very similar to `qt` but without some of its drawbacks) * `messages`: Use qutebrowser messages * `herbe`: Use https://github.com/dudik/herbe[herbe] - New `content.notifications.show_origin` setting, which can be used to decide for which notifications to show the origin (the URL the notification was sent from). Changed ~~~~~~~ - The `content.ssl_strict` setting got renamed to `content.tls.certificate_errors`, with new values: * `ask`: Prompt on overridable certificate errors (`ssl_strict = 'ask'`) * `ask-block-thirdparty`: See below * `block`: Block the page load (`ssl_strict = True`) * `load-insecurely`: Load the page despite the error (`ssl_strict = False`) - The new `content.tls.certificate_errors` setting now also understands the value `ask-block-thirdparty`, which asks for page loads but automatically blocks resource loads on TLS errors. This behavior is consistent with what other browsers do. - The prompt text shown on certificate errors has been improved to make it clearer what kind of error occurred exactly. - The `content.site_specific_quirks` setting got renamed to `content.site_specific_quirks.enabled`. - The `content.notifications` option got renamed to `content.notifications.enabled`. - The completion now also shows bindings starting with `set-cmd-text` in its third column, such as `o` for `:open`. - When `:spawn` is used with the `-m` / `--output-messages` flag, the output now appears live, while the process is running. - When a shown message replaces an existing related one (e.g. for zoom levels), the replacing now also works even if a different message was shown in between. - The `.redirect(...)` method on interceptors now supports an `ignore_unsupported=True` argument which suppresses exceptions if a request could not be redirected. Note, however, that it is still not public API. - When the `--config-py` argument is used, no warning about a missing `config.load_autoconfig` is shown anymore, as the argument is typically used for temporarily testing a config. - The internal `_autosave` session used for crash recovery is now only saved once per minute, since saving it for every page load is a noticeable performance issue. - The `readability-js` userscript now displays a small header with page information. - When an external file selector is used, some additional validation is done on the picked files now, so that errors are shown if e.g. a directory is selected when a file was expected. - The default binding for `T` (`:tab-focus`) got changed so that it fills the command line with `:tab-focus` if used without a count (instead of being equivalent to `:tab-next` in that case). - The `:config-unset` command now understands the `--pattern` (`-u`) flag to unset options customized for a given URL pattern (such as after answering a prompt with "always"/"never"). - The `:config-unset` command now shows an error when used on an option which is valid, but was never customized. - The `statusbar.widgets` setting now understands `text:...` entries which allows adding a hard-coded text to the statusbar. - The polyfill for `String.replaceAll` (required for Nextcloud Calendar < 2.2.0 with QtWebEngine < 5.15.3) is now disabled by default, as it's not fully compliant to the ECMAScript spec and might cause issues on other websites. If you still need it (e.g. if you're still on an old Nextcloud Calendar version), remove `js-string-replaceall` from `content.site_specific_quirks.skip`. Fixed ~~~~~ - When an editor exits with a != 0 exit status, the temporary editor file is now persisted. This already was the case when the editor crashed. - When a nonexistent file gets passed to `--config-py`, qutebrowser now complains instead of silently not loading it. - With some (rare) setups, opening the report dialog or using a PAC proxy with QtWebKit could result in qutebrowser hanging due to a PyQt bug. There's now a workaround which prevents the hang. - QtWebEngine version detection (influencing things like dark mode settings or certain workarounds) now works correctly on OpenBSD. - Certain version number formats in `/etc/os-release` caused qutebrowser to crash. Those are now handled correctly. - The macOS releases now properly support Dark Mode for UI elements by setting `NSRequiresAquaSystemAppearance` to false. Removed ~~~~~~~ - The `qute://spawn-output` page used by `:spawn -o` is now removed, as it's replaced by the new `qute://process` pages. [[v2.1.1]] v2.1.1 (2021-04-01) ------------------- Added ~~~~~ - Site-specific quirk for krunker.io, which shows a "Socket Error" with qutebrowser's default Accept-Language header. The workaround is equivalent to doing `:set -u matchmaker.krunker.io content.headers.accept_language ""`. Changed ~~~~~~~ - Clicking the 'x' in the devtools window to hide it now also leaves insert mode. Fixed ~~~~~ - The workaround for black on (almost) black formula images in dark mode now also works with Qt 5.12 and 5.13. - When running in Flatpak or with the Windows/macOS releases, the QtWebEngine version is now detected properly. Before, a wrong version was assumed, breaking dark mode and certain workarounds (resulting in crashes on websites like LinkedIn or TradingView). - When the metainfo in the completion database doesn't have the expected structure, qutebrowser now tries to gracefully recover from the situation instead of crashing. - When qutebrowser displays an error during initialization, opening a second instance would lead to a crash. Instead, qutebrowser now ignores the attempt to open a new page as long as it's not fully initialized yet. - When the Brave adblock cache folder was unreadable, qutebrowser crashed. It now displays an error instead. - Fixes in the `qute-pass` userscript for `gopass`: * Generating OTP tokens now works correctly. * Storing the username as part of the secret broke in v2.0.0 and now works again. - When using `bindings.key_mappings` to map a key to multiple other keys, qutebrowser would crash. This is now handled correctly - however, note that it's usually better to map keys to commands instead. - When a minimized window is selected via `:tab-select`, it's now un-minimized properly. - When a format string in the config (e.g. `tabs.title_format`) used a value like `{current_url.host}` (instead of `{current_url:host}`), qutebrowser would crash. It now correctly reports an invalid config value instead. - In rare circumstances, sending URLs/commands to existing instances would result in a crash, which is now fixed. - Running the testsuite should now fully work without internet access again. - The `--asciidoc` script for `mkvenv.py` broke with v1.14.0. It now works correctly again. - Various other fixes for running in Flatpak (backported in the Flatpak release even before this qutebrowser release). - We are the Knights Who Say... ':Ni!' [[v2.1.0]] v2.1.0 (2021-03-12) ------------------- Removed ~~~~~~~ - The following command aliases were deprecated in v2.0.0 and are now removed: * `run-macro` -> `macro-run` * `record-macro` -> `macro-record` * `buffer` -> `tab-select` * `open-editor` -> `edit-text` * `toggle-selection` -> `selection-toggle` * `drop-selection` -> `selection-drop` * `reverse-selection` -> `selection-reverse` * `follow-selected` -> `selection-follow` * `follow-hint` -> `hint-follow` * `enter-mode` -> `mode-enter` * `leave-mode` -> `mode-leave` Added ~~~~~ - New `:screenshot` command which can be used to screenshot the visible part of the page. - New optional dependency on the `importlib_metadata` project on Python 3.7 and below. This is only relevant when PyQtWebEngine is installed via pip - thus, this dependency usually isn't relevant for packagers. - New `qute-keepassxc` userscript integrating with the KeePassXC browser API. Changed ~~~~~~~ - Initial support for QtWebEngine 5.15.3 and PyQt 5.15.3/.4 - The `colors.webpage.prefers_color_scheme_dark` setting got renamed to `colors.webpage.preferred_color_scheme` and now takes the values `auto`, `light` and `dark` (instead of being `True` for dark and `False` for auto). Note that the `light` value is only supported with Qt 5.15.2+, falling back to the same behavior as `auto` on older versions. - On Linux, qutebrowser now tries harder to find details about the installed QtWebEngine version by inspecting the QtWebEngine binary. This should reduce issues with dark mode (and some workarounds) not working when using differing versions of QtWebEngine/PyQtWebEngine/Qt. This change also prepares qutebrowser for QtWebEngine 5.15.3, which will get released without an updated Qt. - When PyQtWebEngine >= 5.15.3 is installed via `pip` (as is e.g. the case with `mkvenv.py`), qutebrowser now queries the associated metadata to find out the QtWebEngine version. - When doing `:hint links yank --rapid`, the messages shown now replace each other, thus being less noisy. - Newlines in JavaScript messages (`confirm`, `prompt` and `alert`) are now preserved. - Messages in prompts are now word-wrapped rather than displaying them in one long line. - If a command stats with space (e.g. `: open ...`, it's now not saved to command history anymore (similar to how some shells work). - When a tab is pinned, running `:open` will now open a new tab instead of displaying an error. - The `fileselect.*.command` settings now support file selectors writing the selected paths to stdout, which is used if no `{}` placeholder is contained in the configured command. - The `--debug-flag` argument now understands a new `log-sensitive-keys` value which logs all keypresses (including those in insert/passthrough/prompt/... mode) for debugging. - The `readability` and `readability-js` userscripts now add a `qute-readability` CSS class to the page, so that it can be styled easily via a user stylesheet. Fixed ~~~~~ - With QtWebEngine 5.15.3 and some locales, Chromium can't start its subprocesses. As a result, qutebrowser only shows a blank page and logs "Network service crashed, restarting service.". This release adds a `qt.workarounds.locale` setting working around the issue. It is disabled by default since distributions shipping 5.15.3 will probably have a proper patch for it backported very soon. - The `colors.webpage.preferred_color_scheme` and `colors.webpage.darkmode.*` settings now work correctly with QtWebEngine 5.15.3 (and Gentoo, which at the time of writing packages 5.15.3 disguised as 5.15.2). - When dark mode settings were set, existing `blink-features` arguments in `qt.args` (or `--qt-flag`) were overridden. They are now combined properly. - On QtWebEngine 5.15.2, auto detection for the `prefers-color-scheme` media query is broken and always returns `no-preference`, which was removed from the CSS WG Specification. This release contains a workaround to always return `light` instead (as per the spec). - When an external file selector deletes the temporary file (like `nnn` does when quitting the terminal), qutebrowser would crash. It now displays an error instead. The same applies if the temporary file is unreadable for any other reason. - On macOS, a change in v2.0.x caused certain shortcuts to not work with Cmd anymore, using Ctrl instead. They now work correctly using Cmd (like usual on macOS) again. - On macOS, using `F` (`hint all tab`) sometimes would open a context menu instead of following a link. This is now fixed. - The quirk added for a missing `String.replaceAll` did not handle special regexp characters correctly, thus breaking some sites. It now handles them properly. - The "try again" button on error pages now works correctly with JavaScript disabled. - If a GreaseMonkey script doesn't have a "@run-at" comment, qutebrowser accidentally treated that as "@run-at document-idle". However, other GreaseMonkey implementations default to "@run-at document-end" instead, which is what qutebrowser now does, too. - The `hist_importer.py` script didn't work correctly after qutebrowser v2.0.0 and resulted in a history database qutebrowser couldn't read properly. It now works properly again. - With certain QtWebEngine versions (5.15.0 based on Chromium 80 and 5.15.3 based on Chromium 87), Chromium's dark mode doesn't invert certain SVG images, even with `colors.wegpage.darkmode.policy.images` set to `smart`. Most notably, this causes formulae on Wikipedia to display black on (almost) black. If `content.site_specific_quirks` is enabled, qutebrowser now injects some CSS as a workaround, which inverts all math formula images on Wikipedia (and potentially other sites, if they use the same CSS class). - When a hint label text started with an apostrophe, it would show an escaped text until the hints first character has been pressed. It now shows up correctly. [[v2.0.2]] v2.0.2 (2021-02-04) ------------------- Fixed ~~~~~ - When right-clicking an empty part of the downloads bar, qutebrowser v2.0.x would crash. This is now fixed. - Setting `content.cookies.store` to `false` only worked properly when this was done after qutebrowser was already started due to a regression in v2.0.0. It now works as expected again. - If qutebrowser was installed as a Python egg with Python 3.8 or 3.9, requesting unavailable resource files (such as PDF.js not being bundled, or a missing changelog file) caused in a crash due to an inconsistent behavior in those versions of Python. This is now handled properly by qutebrowser. - In v2.0.0, support for importing the `sip` dependency as `sip` rather than `PyQt5.sip` was dropped, since upstream claims it should be used as `PyQt5.sip` ever since PyQt 5.11. However, some distributions still package sip as a global `sip` package. Thus, support for a global `sip` package is now reintroduced. - The changelog for v2.0.0 claimed that `hints.leave_on_load` was set to `true` by default. However, the `input.insert_mode.leave_on_load` setting was instead set to `true` accidentally. This is now fixed by actually setting `hints.leave_on_load` to `true`, and reversing the change to `input.insert_mode.leave_on_load` so it is set to `false` by default again. - When the `importlib_resources` package is required but was missing, users would get a Python stacktrace rather than a proper error message. This is now fixed. - Site-specific quirk JavaScript files were loaded lazily rather than preloaded at the start of qutebrowser, causing a crash when e.g. switching between versions while qutebrowser is open. Now they are preloaded at the start of qutebrowser again. - The link to the keybinding cheatsheet on the internal `:help` page wasn't displayed correctly. This is now fixed. - When the completion rebuilding process was interrupted, qutebrowser did not detect this condition on the next start, thus resulting in a completion with inconsistent data. This is now fixed, with another rebuild being forced with this update, to ensure the data is consistent for all users. - In certain scenarios, qutebrowser v2.0.x warned about `config.load_autoconfig(...)` being missing when loading a secondary config (e.g. via `config.source(...)`). It now only shows those warnings for the main `config.py` file. - The `--enable-webengine-inspector` flag is now accepted again, however it's unused and undocumented. It purely exists to make it possible to use `:restart` between pre-v2.0.x and v2.0.2+ versions. - When `hints.dictionary` pointed to a file not encoded as UTF-8, this resulted in a crash (also in versions before v2.0.0). It now properly displays an error instead. - When running qutebrowser with a single empty commandline argument, such as done by `open_url_in_instance.sh`, this would result in a partially initialized window. Interacting with that window results in a crash (also in versions before v2.0.0). Instead, the startpage is now shown properly. [[v2.0.1]] v2.0.1 (2021-01-28) ------------------- Fixed ~~~~~ - If qutebrowser was installed as a Python egg (similar to a .zip file, via `setup.py install` under certain conditions), a change in v2.0.0 caused it to not start properly. This is now fixed. - If qutebrowser was set up (or packaged) in an unclean environment, this could result in a stale `qutebrowser/components/adblock.py` file being picked up. That file is not part of the release anymore, but if an old version is still around, causes qutebrowser to crash. It's now explicitly blocked inside qutebrowser so it gets ignored even if it still exists. - When the adblocking method was switched using `:set`, and the `adblock` dependency was unavailable when qutebrowser started (but was installed while qutebrowser was open), this resulted in a crash. Now a warning prompting for a restart of qutebrowser is shown instead. Changed ~~~~~~~ - The `format_json` userscript now uses sh instead of bash again. - The `add-nextcloud-bookmarks`, `add-nextcloud-cookbook`, `readability` and `ripbang` userscripts now use a `python3` rather than plain `python` shebang. - When `QTWEBENGINE_CHROMIUM_FLAGS` is set in the environment, this causes flag handling (including workarounds for QtWebEngine crashes) inside qutebrowser to break. This will be handled properly in a future version, but this release now shows a warning on standard output if this is the case. - The config completion for `fileselect.*.command` now also includes the "nnn" terminal file manager. [[v2.0.0]] v2.0.0 (2021-01-28) ------------------- Major changes ~~~~~~~~~~~~~ - If the Python `adblock` library is available, it is now used to integrate Brave's Rust adblocker library for improved adblocking based on ABP-like filter lists (such as EasyList). If it is unavailable, qutebrowser falls back to host-blocking, i.e. the same blocking technique it used before this release. As part of this, various settings got renamed, see "Changed" below. **Note: If the `adblock` dependency is available, qutebrowser will ignore custom host blocking** via the `blocked-hosts` config file or `file:///` URLs supplied as host blocking lists. You will need to either migrate those to ABP-like lists, or set `content.blocking.method` to `both`. - Various dependency upgrades - a quick checklist for packagers (see "Changed" below for details): * Ensure you're providing at least Python 3.6.1. * Ensure you're providing at least Qt 5.12 and PyQt 5.12. * Add a new optional dependency on the Python `adblock` library (if packaged - if not, consider packaging it, albeit optional it's very useful for users). * Remove the `cssutils` optional dependency (if present). * Remove the `attrs` (`attr`) dependency. * Remove the `pypeg2` dependency (and perhaps consider dropping the package if not used elsewhere - it's https://fdik.org/pyPEG2/[inactive upstream] and the repository was removed by Bitbucket). * Move the `pygments` dependency from required to optional. * Move the `setuptools` dependency from runtime (for `pkg_resources`) to build-time. * For Python 3.6, 3.7 or 3.8, add a dependency on the `importlib_resources` backport. * For Python 3.6 only, add a dependency on the `dataclasses` backport. - Dropped support for old OS versions in binary releases: * Support for Windows 7 is dropped in the Windows binaries, the minimum required Windows version is now Windows 8.1. * Support for macOS 10.13 High Sierra is dropped in the macOS binaries, the minimum required macOS version is now macOS 10.14 Mojave. - Various renamed settings and commands, see "Deprecated" and "Changed" below. Removed ~~~~~~~ - The `--enable-webengine-inspector` flag (which was only needed for Qt 5.10 and below) is now dropped. With Qt 5.11 and newer, the inspector/devtools are enabled unconditionally. - Support for moving qutebrowser data from versions before v1.0.0 has been removed. - The `--old` flag for `:config-diff` has been removed. It used to show customized options for the old pre-v1.0 config files (in order to aid migration to v1.0). - The `:inspector` command which was deprecated in v1.13.0 (in favor of `:devtools`) is now removed. Deprecated ~~~~~~~~~~ - Several commands have been renamed for consistency and/or easier grouping of related commands. Their old names are still available, but deprecated and will be removed in qutebrowser v2.1.0. * `run-macro` -> `macro-run` * `record-macro` -> `macro-record` * `buffer` -> `tab-select` * `open-editor` -> `edit-text` * `toggle-selection` -> `selection-toggle` * `drop-selection` -> `selection-drop` * `reverse-selection` -> `selection-reverse` * `follow-selected` -> `selection-follow` * `follow-hint` -> `hint-follow` * `enter-mode` -> `mode-enter` * `leave-mode` -> `mode-leave` Added ~~~~~ - New settings for the ABP-based adblocker: * `content.blocking.method` to decide which blocker(s) should be used. * `content.blocking.adblock.lists` to configure ABP-like lists to use. - New `qt.environ` setting which makes it easier to set/unset environment variables for qutebrowser. - New settings to use an external file picker (such as ranger or vifm): * `fileselect.handler` (`default` or `external`) * `fileselect.multiple_files.command` * `fileselect.single_file.command` - When QtWebEngine has been updated but PyQtWebEngine hasn't yet, the dark mode settings might stop working. As a (currently undocumented) escape hatch, this version adds a `QUTE_DARKMODE_VARIANT=qt_515_2` environment variable which can be set to get the correct behavior in (transitive) situations like this. - New `--desktop-file-name` commandline argument, which can be used to customize the desktop filename passed to Qt (which is used to set the `app_id` on Wayland). - The `:open` completion now also completes local file paths and `file://` URLs, via a new `filesystem` entry in `completion.open_categories`. Also, a new `completion.favorite_paths` setting was added which can be used to add paths to show when `:open` is used without any input. - New `QUTE_VERSION` variable for userscripts, which can be used to read qutebrowser's version. - New "Copy URL" entry in the context menu for downloads. - New `:bookmark-list` command which lists all bookmarks/quickmarks. The corresponding `qute://bookmarks` URL already existed since v0.8.0, but it was never exposed as a command. - New `qt.workarounds.remove_service_workers` setting which can be used to remove the "Service Workers" directory on every start. Usage of this option is generally discouraged, except in situations where the underlying QtWebEngine bug is a known cause for crashes. - Changelogs are now shown after qutebrowser was upgraded. By default, the changelog is only shown after minor upgrades (feature releases) but not patch releases. This can be adjusted (or disabled entirely) via a new `changelog_after_upgrade` setting. - New userscripts: * `kodi` to play videos in Kodi * `qr` to generate a QR code of the current URL * `add-nextcloud-bookmarks` to create bookmarks in Nextcloud's Bookmarks app * `add-nextcloud-cookbook` to add recipes to Nextcloud's Cookbook app Changed ~~~~~~~ - `config.py` files now are required to have either `config.load_autoconfig(False)` (don't load `autoconfig.yml`) or `config.load_autoconfig()` (do load `autoconfig.yml`) in them. - Various host-blocking settings have been renamed to accommodate the new ABP-like adblocker: * `content.host_blocking.enabled` -> `content.blocking.enabled` (controlling both blockers) * `content.host_blocking.whitelist` -> `content.blocking.whitelist` (controlling both blockers) * `content.host_blocking.lists` -> `content.blocking.hosts.lists` - Changes to default settings: * `tabs.background` is now `true` by default, so that new tabs get opened in the background. * `input.partial_timeout` is now set to 0 by default, so that partially typed key strings are never cleared. * `hints.leave_on_load` is now `false` by default, so that hint mode doesn't get left when a page finishes loading. This can lead to stale hints persisting in rare circumstances, but is better than leaving hint mode when the user entered it before loading was completed. * The default for `tabs.width` (tab bar width if vertical) is now 15% of the window width rather than 20%. * The default bindings for moving tabs (`tab-move -` and `tab-move +`) were changed from `gl` and `gr` to `gK` and `gJ`, to be consistent with the tab switching bindings. * The text color for warning messages is now black instead of white, for increased contrast and thus readability. * The default timeout for messages is now raised from 2s to 3s. - On the first start, the history completion database is regenerated to remove a few problematic entries (such as long `qute://pdfjs` URLs). This might take a couple of minutes, but is a one-time operation. This should result in a performance improvement for the completion for affected users. - qutebrowser now shows an error if its history database version is newer than expected. This currently should never happen, but allows for potentially backwards-incompatible changes in future versions. - At least Python 3.6.1 is now required to run qutebrowser, support for Python 3.5 (and 3.6.0) is dropped. Note that Python 3.5 is https://www.python.org/downloads/release/python-3510/[no longer supported upstream] since September 2020. - At least Qt/PyQt 5.12 is now required to run qutebrowser, support for 5.7 to 5.11 (inclusive) is dropped. While Debian Buster ships Qt 5.11, it's based on a Chromium version from 2018 with https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#browser-security[no Debian security support] and unsupported upstream since May 2019. It also has compatibility issues with various websites (GitHub, Twitch, Android Developer documentation, YouTube, ...). Since no newer Debian Stable is released at the time of writing, it's recommended to https://github.com/qutebrowser/qutebrowser/blob/main/doc/install.asciidoc#installing-qutebrowser-with-virtualenv[install qutebrowser in a virtualenv] with a newer version of Qt/PyQt. - New optional dependency on the Python `adblock` library (see above for details). - The (formerly optional) `cssutils` dependency is now removed. It was only needed for improved behavior in corner cases when using `:download --mhtml` with the (non-default) QtWebKit backend, and as such it's unlikely anyone is still relying on it. The `cssutils` project is also dead upstream, with its repository being gone after Bitbucket https://bitbucket.org/blog/sunsetting-mercurial-support-in-bitbucket[removed Mercurial support]. - The (formerly required) `pygments` dependency is now optional. It is only used when using `:view-source` with QtWebKit, or when forcing it via `:view-source --pygments` on QtWebEngine. If it is unavailable, an unhighlighted fallback version of the page's source is shown. - The former runtime dependency on the `pkg_resources` module (part of the `setuptools` project) got dropped. Note that `setuptools` is still required to run `setup.py`. - A new dependency on the `importlib_resources` module got introduced for Python versions up to and including 3.8. Note that the stdlib `importlib.resources` module for Python 3.7 and 3.8 is missing the needed APIs, thus requiring the backports for those versions as well. - The former dependency on the `attrs`/`attr` package is now dropped in favour of `dataclasses` in the Python standard library. On Python 3.6, a new dependency on the `dataclasses` backport is now required. - The former dependency on the `pypeg2` package is now dropped. This might cause some changes for certain corner-cases for suggested filenames when downloading files with the QtWebKit backend. - Windows and macOS releases now ship Python 3.9 rather than 3.7. - The `colors.webpage.darkmode.*` settings are now also supported with older Qt versions (Qt 5.12 and 5.13) rather than just with Qt 5.14 and above. - For regexes in the config (`hints.{prev,next}_regexes`), certain patterns which will change meanings in future Python versions are now disallowed. This is the case for character sets starting with a literal `[` or containing literal character sequences `--`, `&&`, `~~`, or `||`. To avoid a warning, remove the duplicate characters or escape them with a backslash. - If `prompt(..., "default")` is used via JS, the default text is now pre-selected in the prompt shown by qutebrowser. - URLs such as `::1/foo` are now handled as a search term or local file rather than IPv6. Use `[::1]/foo` to force parsing as IPv6 instead. - The `mkvenv.py` script now runs a "smoke test" after setting up the virtual environment to ensure it's working as expected. If necessary, the test can be skipped via a new `--skip-smoke-test` flag. - Both qutebrowser userscripts and Greasemonkey scripts are now additionally picked up from qutebrowser's config directory (the `userscripts` and `greasemonkey` subdirectories of e.g. `~/.config/qutebrowser/`) rather than only the data directory (the same subdirectories of e.g. `~/.local/share/qutebrowser/`). - The `:later` command now understands a time specification like `5m` or `1h5m2s`, rather than just taking milliseconds. - The `importer.py` script doesn't use a browser argument anymore; instead its `--input-format` switch can be used to configure the input format. The help also was expanded to explain how to use it properly. - If `tabs.tabs_are_windows` is set, the `tabs.last_close` setting is now ignored and the window is always closed when using `:close` (`d`). - With the (default) QtWebEngine backend, if a custom `accept` header is set via `content.headers.custom`, the custom value is now ignored for XHR (`XMLHttpRequest`) requests. Instead, the sent value is now `*/*` or the header set from JavaScript, as it would be if `content.headers.custom` wasn't set. - The `:tab-select` completion now shows the underlying renderer process PID if doing so is supported (on QtWebEngine 5.15). - If `tabs.favicons.show` is set to `never`, favicons aren't unnecessarily downloaded anymore. Thus, disabling favicons can help with a possible https://www.ghacks.net/2021/01/22/favicons-may-be-used-to-track-users/[fingerprinting vector]. - "Super" is now understood as a modifier (i.e. as alias to "Meta"). - Initial support for Python 3.10 (currently in Alpha stage). - Various performance improvements, including for the startup time. Fixed ~~~~~ - With interpolated color settings (`colors.tabs.indicator.*` and `colors.downloads.*`), the alpha channel is now handled correctly. - Fixes to userscripts: * `format_json` now uses `env` in its shebang, making it work correctly on systems where `bash` isn't located in `/bin`. * `qute-pass` now handles the MIME output format introduced in gopass 1.10.0. * `qute-lastpass` now types multiple `<` or `>` characters correctly. - The `:undo` completion now sorts its entries correctly (by the numerical index rather than lexicographically). - The `completion.web_history.ignore` setting now works properly when set in `config.py` (rather than via `:set`). Additionally, a `:config-source` will not result in a history rebuild if the value wasn't actually changed. - When downloading a `data:` URL, the suggested filename is now improved and contains a proper extension. Before this fix, qutebrowser would use the URL's data contents as filename with QtWebEngine; or "binary blob" with the Qt network stack. - When `:tab-only` is run before a tab is available, an error is now shown instead of crashing. - A couple of long URLs (such as `qute://pdfjs` URLs) are now not added to the history database anymore. - A bug in QtWebEngine 5.15.2 causes "renderer process killed" errors on websites like LinkedIn and TradingView. There is now a workaround in qutebrowser to prevent this from happening. - Nextcloud Calendars started using `String.replaceAll` which was only added to Chromium recently (Chrome 85), so won't work with current QtWebEngine versions. This release includes a workaround (a polyfill as a site-specific-quirk). [[v1.14.1]] v1.14.1 (2020-12-04) -------------------- Added ~~~~~ - With v1.14.0, qutebrowser configures the main window to be transparent, so that it's possible to configure a translucent tab- or statusbar. However, that change introduced various issues, such as performance degradation on some systems or breaking dmenu window embedding with its `-w` option. To avoid those issues for people who are not using transparency, the default behavior is reverted to versions before v1.14.0 in this release. A new `window.transparent` setting can be set to `true` to restore the behavior of v1.14.0. Changed ~~~~~~~ - Windows and macOS releases now ship Qt 5.15.2, which is based on Chromium 83.0.4103.122 with security fixes up to 86.0.4240.183. This includes CVE-2020-15999 in the bundled freetype library, which is known to be exploited in the wild. It also includes various other bugfixes/features compared to Qt 5.15.0 included in qutebrowser v1.14.0, such as: * Correct handling of AltGr on Windows * Fix for `content.cookies.accept` not working properly * Fixes for screen sharing (some websites are still broken until an upcoming Qt 5.15.3) * Support for FIDO U2F / WebAuth * Fix for the unwanted creation of directories such as `databases-incognito` in the home directory * Proper autocompletion in the devtools console * Proper signalisation of a tab's audible status (`[A]`) * Fix for a hang when opening the context menu on macOS Big Sur (11.0) * Hardware accelerated graphics on macOS Fixed ~~~~~ - Setting the `content.headers.referer` setting to `same-domain` (the default) was supposed to truncate referrers to only the host with QtWebEngine. Unfortunately, this functionality broke in Qt 5.14. It works properly again with this release, including a test so this won't happen again. - With QtWebEngine 5.15, setting the `content.headers.referer` setting to `never` did still send referrers. This is now fixed as well. - In v1.14.0, a regression was introduced, causing a crash when qutebrowser was closed after opening a download with PDF.js. This is now fixed. - With Qt 5.12, the `Object.fromEntries` JavaScript API is unavailable (it was introduced in Chromium 73, while Qt 5.12 is based on 69). This caused https://www.vr.fi/en and possibly other websites to break when accessed with Qt 5.12. A suitable polyfill is now included with qutebrowser if `content.site_specific_quirks` is enabled (which is the default). - While XDG startup notifications (e.g. launch feedback via the bouncy cursor in KDE Plasma) were supported ever since Qt 5.1, qutebrowser's desktop file accidentally declared that it wasn't supported. This is now fixed. - The `dmenu_qutebrowser` and `qutedmenu` userscripts now correctly read the qutebrowser sqlite history which has been in use since v1.0.0. - With Python 3.8+ and vertical tabs, a deprecation warning for an implicit int conversion was shown. This is now fixed. - Ever since Qt 5.11, fetching more completion data when that data is loaded lazily (such as with history) and the last visible item is selected was broken. The exact reason is currently unknown, but this release adds a tentative fix. - When PgUp/PgDown were used to go beyond the last visible item, the above issue caused a crash, which is now also fixed. - As a workaround for an overzealous Microsoft Defender false-positive detecting a "trojan" in the (unprocessed) adblock list, `:adblock-update` now doesn't cache the HTTP response anymore. - With the QtWebKit backend and `content.headers` set to `same-domain` (the default), origins with the same domain but different schemes or ports were treated as the same domain. They now are correctly treated as different domains. - When a URL path uses percent escapes (such as `https://example.com/embedded%2Fpath`), using `:navigate up` would treat the `%2F` as a path separator and replace any remaining percent escapes by their unescaped equivalents. Those are now handled correctly. - On macOS 11.0 (Big Sur), the default monospace font name caused a parsing error, thus resulting in broken styling for the completion, hints, and other UI components. They now look properly again. - Due to a Qt bug, installing Qt/PyQt from prebuilt binaries on systems with a very old `libxcb-utils` version (notably, Debian Stable, but not Ubuntu since 16.04 LTS) results in a setup which fails to start. This also affects the `mkvenv.py` script, which now includes a workaround for this case. - The `open_url_instance.sh` userscript now complains when `socat` is not installed, rather than silencing the error. - The example AppArmor profile in `misc/` was outdated and written for the older QtWebKit backend. It is now updated to serve as an useful starting point with QtWebEngine. - When running `:devtools` on Fedora without the needed (optional) dependency installed, it was suggested to install `qt5-webengine-devtools`, which does not, in fact, exist. It's now correctly suggested to install `qt5-qtwebengine-devtools` instead. - With Qt 5.15.2, lines/borders coming from the `readability-js` userscript were invisible. This is now fixed by changing the border color to grey (with all Qt versions). - Due to changes in the underlying Chromium, the `colors.webpage.prefers_color_scheme_dark` setting broke with Qt 5.15.2. It now works properly again. - A bug in the `pkg_resources` module used by qutebrowser caused deprecation warnings to appear on start with Python 3.9 on some setups. Those are now hidden. - Minor performance improvements. - Fix for various functionality breaking in private windows with v1.14.0, after the last private window is closed. This includes: * Ad blocking * Downloads * Site-specific quirks (e.g. for Google login) * Certain settings such as `content.javascript.enabled` [[v1.14.0]] v1.14.0 (2020-10-15) -------------------- Note: The QtWebEngine version bundled with the Windows/macOS releases is still based on Qt 5.15.0 (like with qutebrowser v1.12.0 and v1.13.0) rather than Qt 5.15.1 because of a https://bugreports.qt.io/browse/QTBUG-86752[Qt bug] causing frequent renderer process crashes. When Qt 5.15.2 is released (planned for November 3rd, 2020), a qutebrowser v1.14.x patch release with an updated QtWebEngine will be released. Furthermore, this release still only contains partial session support for QtWebEngine 5.15. It's still recommended to run against Qt 5.15 due to the security patches contained in it -- for most users, the added workarounds seem to work out fine. A rewritten session support will be part of qutebrowser v2.0.0, tentatively planned for the end of the year or early 2021. Changed ~~~~~~~ - The `content.media_capture` setting got split up into three more fine-grained settings, `content.media.audio_capture`, `.video_capture` and `.audio_video_capture`. Before this change, answering "always" to a prompt about e.g. audio capturing would set the `content.media_capture` setting, which would also allow the same website to capture video on a future visit. Now every prompt will set the appropriate setting, though existing `content.media_capture` settings in `autoconfig.yml` will be migrated to set all three settings. To review/change previously granted permissions, use `:config-diff` and e.g. `:config-unset -u example.org content.media.video_capture`. - The main window's (invisible) background color is now set to transparent. This allows using the alpha channel in statusbar/tabbar colors to get a partially transparent qutebrowser window on a setup which supports doing so. - If QtWebEngine is compiled with PipeWire support and libpipewire is installed, qutebrowser will now support screen sharing on Wayland. Note that QtWebEngine 5.15.1 is needed. - When `:undo` is used with a count, it now reopens the count-th to last tab instead of the last one. The depth can instead be passed as an argument, which is also completed. - The default `completion.timestamp_format` now also shows the time. - `:back` and `:forward` now take an optional index which is completed using the current tab's history. - The time a website in a tab was visited is now saved/restored in sessions. - When attempting to download a file to a location for which there's already a still-running download, a confirmation prompt is now displayed. - `:completion-item-focus` now understands `next-page` and `prev-page` with corresponding `` / `` default bindings. - When the last private window is closed, all private browsing data is now cleared. - When `config.source(...)` is used with a `--config-py` argument given, qutebrowser used to search relative files in the config basedir, leading to them not being found when using a shared `config.py` for different basedirs. Instead, they are now searched relative to the given `config.py` file. - `navigate prev` (`[[`) and `navigate next` (`]]`) now recognize links with `nav-prev` and `nav-next` classes, such as those used by the Hugo static site generator. - When `tabs.favicons` is disabled but `tabs.tabs_are_windows` is set, the window icon is still set to the page's favicon now. - The `--asciidoc` argument to `src2asciidoc.py` and `build_release.py` now only takes the path to `asciidoc.py`, using the current Python interpreter by default. To configure the Python interpreter as well, use `--asciidoc-python path/to/python --asciidoc path/to/asciidoc.py` instead of the former `--asciidoc path/to/python path/to/asciidoc.py`. - Dark mode (`colors.webpage.darkmode.*`) is now supported with Qt 5.15.2 (which is not released yet). - The default for the darkmode `policy.images` setting is now set to `smart` which fixes issues with e.g. formulas on Wikipedia. - The `readability-js` userscript now adds some CSS to improve the reader mode styling in various scenarios: * Images are now shrunk to the page width, similarly to what Firefox' reader mode does. * Some images are now displayed as block (rather than inline) which is what Firefox' reader mode does as well. * Blockquotes are now styled more distinctively, again based on the Firefox reader mode. * Code blocks are now easier to distinguish from text and tables have visible cell margins. - The `readability-js` userscript now supports hint userscript mode. Added ~~~~~ - New argument `strip` for `:navigate` which removes queries and fragments from the current URL. - `:undo` now has a new `-w` / `--window` argument, which can be used to restore closed windows (rather than tabs). This is bound to `U` by default. - `:jseval` can now take `javascript:...` URLs via a new `--url` flag. - New replacement `{aligned_index}` for `tabs.title.format` and `format_pinned` which behaves like `{index}`, but space-pads the index based on the total numbers of tabs. This can be used to get aligned tab texts with vertical tabs. - New command `:devtools-focus` (bound to `wIf`) to toggle keyboard focus between the devtools and web page. - The `--target` argument to qutebrowser now understands a new `private-window` value, which can be used to open a private window in an existing instance from the commandline. - The `:download-open` command now has a new `--dir` flag, which can be used to open the directory containing the downloaded file. An entry to do the same was also added to the context menu. - Messages are now wrapped when they are too long to be displayed on a single line. - New possible `--debug-flag` values: * `wait-renderer-process` waits for a `SIGUSR1` in the renderer process so a debugger can be attached. * `avoid-chromium-init` allows using `--version` without needing a working QtWebEngine/Chromium. Fixed ~~~~~ - A URL pattern with a `*.` host was considered valid and matched all hosts. Due to keybindings like `tsH` toggling scripts for `*://*.{url:host}/*`, invoking them on pages without a host (e.g. `about:blank`) could result in accidentally allowing/blocking JavaScript for all pages. Such patterns are now considered invalid, with existing patterns being automatically removed from `autoconfig.yml`. - When `scrolling.bar` was set to `overlay` (the default), qutebrowser would internally override any `enable-features=...` flags passed via `qt.args` or `--qt-flag`. It now correctly combines existing `enable-feature` flags with internal ones. - Elements with an inherited `contenteditable` attribute now trigger insert mode and get hints assigned correctly. - When checkmarks, radio buttons and some other elements are styled via the Bootstrap CSS framework, they now get hints correctly. - When the session file isn't writable when qutebrowser exits, an error is now logged instead of crashing. - When using `-m` with the `qute-lastpass` userscript, it accidentally matched URLs containing the match as substring. This is now fixed. - When a filename is derived from a page's title, it's now shortened to the maximum filename length permitted by the filesystem. - `:enter-mode register` crashed since v1.13.0, it now displays an error instead. - With the QtWebKit backend, webpage resources loading certain invalid URLs could cause a crash, which is now fixed. - When `:config-edit` is used but no `config.py` exists yet, the file is now created (and watched for changes properly) before spawning the external editor. - When hint mode was entered from outside normal mode, the status bar was empty instead of displaying the proper text. This is now fixed. - When entering different modes too quickly (e.g. pressing `fV`), the statusbar could end up in a confusing state. This is now fixed. - When qutebrowser quits, running downloads are now cancelled properly. - The site-specific quirk for `web.whatsapp.com` has been updated to work after recent changes in WhatsApp. - Highlighting in the completion now works properly when UTF-16 surrogate pairs (such as emoji) are involved. - When a windowed inspector is clicked, insert mode now isn't entered anymore. - When `:undo` is used to re-open a tab, but `tabs.tabs_are_windows` was set between closing and undoing the close, qutebrowser crashed. This is now fixed. - With QtWebEngine 5.15.0, setting the darkmode image policy to `smart` leads to renderer process crashes. The offending setting value is now ignored with a warning. - Fixes for the `qute-pass` userscript: * With newer `gopass` versions, a deprecation notice was copied as password due to `qute-pass` using it in a deprecated way. * The `--password-store` argument didn't actually set `PASSWORD_STORE_DIR` for `pass`, resulting in `qute-pass` finding matches but the underlying `pass` not finding matching passwords. [[v1.13.1]] v1.13.1 (2020-07-17) -------------------- Fixed ~~~~~ - With Qt 5.14, shared workers are now disabled. This works around a crash in QtWebEngine on certain sites (like the Epic Games Store or the Unreal Engine page). On older versions, you can get the same effect by doing `:set qt.args "['disable-shared-workers']"` and `:restart` (or set the setting in your `config.py`). - When a window is closed, the tab it contains are now correctly shut down (closing e.g. any dialogs which are still open for those tabs). - The Qt 5.15 session workaround now loads the correct (rather than the last) page when `:back` was used before saving a session. - In certain situations on Windows, qutebrowser fails to find the username of the user launching qutebrowser (most likely due to a bug in the application launching it). When this happens, an error is now displayed instead of crashing. - Certain `autoconfig.yml` with an invalid structure could lead to crashes, which are now fixed. - Generating docs with `asciidoc2html.py` (e.g. via `mkvenv.py`) now works correctly without Pygments being installed system-wide. - Ever since Qt 5.9, when `input.mouse.rocker_gestures` was enabled, the context menu still was shown when clicking the right mouse button, thus preventing the rocker gestures. This is now fixed. - Clicking the inspector switched from existing modes (such as passthrough) to normal mode since v1.13.0. Now insert mode is only entered when the inspector is clicked in normal mode. - Pulseaudio now shows qutebrowser's audio streams as qutebrowser correctly, rather than showing them as Chromium with some Qt versions. - If `:help` was called with a deprecated command (e.g. `:help :inspector`), the help page would show despite deprecated commands not being documented. This now shows an error instead. - The `qute-lastpass` userscript now filters out duplicate entries with `--merge-candidates`. [[v1.13.0]] v1.13.0 (2020-06-26) -------------------- Deprecated ~~~~~~~~~~ - The `:inspector` command is deprecated and has been replaced by a new `:devtools` command (see below). Removed ~~~~~~~ - The `:debug-log-level` command was removed as it's replaced by the new `logging.level.console` setting. - The `qute://plainlog` special page got replaced by `qute://log?plain` - the names of those pages is considered an implementation detail, and `:messages --plain` should be used instead. Changed ~~~~~~~ - Changes to commands: * `:config-write-py` now adds a note about `config.py` files being targeted at advanced users. * `:report` now takes two optional arguments for bug/contact information, so that it can be used without the report window popping up. * `:message` now takes a `--logfilter` / `-f` argument, which is a list of logging categories to show. * `:debug-log-filter` now understands the full logfilter syntax. - Changes to settings: * `fonts.tabs` has been split into `fonts.tabs.{selected,unselected}` (see below). * `statusbar.hide` has been renamed to `statusbar.show` with the possible values being `always` (`hide = False`), `never` (`hide = True`) or `in-mode` (new, only show statusbar outside of normal mode. * The `QtFont` config type formerly used for `fonts.tabs` and `fonts.debug_console` is now removed and entirely replaced by `Font`. The former distinction was mainly an implementation detail, and the accepted values shouldn't have changed. * `input.rocker_gestures` has been renamed to `input.mouse.rocker_gestures`. * `content.dns_prefetch` is now enabled by default again, since the crashes it caused are now fixed (Qt 5.15) or worked around. * `scrolling.bar` supports a new `overlay` value to show an overlay scrollbar, which is now the default. On unsupported configurations (on Qt < 5.11, with QtWebKit or on macOS), the value falls back to `when-searching` or `never` (QtWebKit). * `url.auto_search` supports a new `schemeless` value which always opens a search unless the given URL includes an explicit scheme. - New handling of bindings in hint mode which fixes various bugs and allows for single-letter keybindings in hint mode. - The statusbar now shows partial keychains in all modes (e.g. while hinting). - New `t[Cc][Hh]` default bindings which work similarly to the `t[Ss][Hh]` bindings for JavaScript but toggle cookie permissions. - The `tor_identity` userscript now takes the password via a `-p` flag and has a new `-c` flag to customize the Tor control port. - Small performance improvements. Added ~~~~~ - New settings: * `logging.level.ram` and `logging.level.console` to configure the default logging levels via the config. * `fonts.tabs.selected` and `fonts.tabs.unselected` to set the font of the selected tab independently from unselected tabs (e.g. to make it bold). * `input.mouse.back_forward_buttons` which can be set to `false` to disable back/forward mouse buttons. - New `:devtools` command (replacing `:inspector`) with various improved functionality: * The devtools can now be docked to the main window, by running `:devtools left` (`wIh`), `bottom` (`wIj`), `top` (`wIk`) or `right` (`wIl`). To show them in a new window, use `:devtools window` (`wIw`). Using `:devtools` (`wi`) will open them at the last used position. * The devtool window now has a "qutebrowser developer tools" window title. * When a resource is opened from the devtools, it now opens in a proper qutebrowser tab. * On Fedora, when the `qt5-webengine-devtools` package is missing, an error is now shown instead of a blank inspector window. * If opened as a window, the devtools are now closed properly when the associated tab is closed. * When the devtools are clicked, insert mode is entered automatically. Fixed ~~~~~ - Crash when `tabs.focus_stack_size` is set to -1. - Crash when a `pdf.js` file for PDF.js exists, but `viewer.html` does not. - Crash when `:completion-item-yank --sel` is used on a platform without primary selection support (e.g. Windows/macOS). - Crash when there's a feature permission request from Qt with an invalid URL (which happens due to a Qt bug with Qt 5.15 in private browsing mode). - Crash in rare cases where QtWebKit/QtWebEngine imports fail in unexpected ways. - Crash when something removed qutebrowser's IPC socket file and it's been running for 6 hours. - `:config-write-py` now works with paths starting with `~/...` again. - New site-specific quirk for a missing `globalThis` in Qt <= 5.12 on Reddit and Spotify. - When `;` is added to `hints.chars`, using hint labels containing `;;` now works properly. - Hint letters outside of ASCII should now work. - When `bindings.key_mappings` is used with hints, it now works properly with letters outside of ASCII as well. - With Qt 5.15, the audible/muted indicators are not updated properly due to a Qt bug. This release adds a workaround so that at least the muted indicator is shown properly. - As a workaround for crashes with QtWebEngine versions between 5.12 and 5.14 (inclusive), changing the user agent (`content.headers.user_agent`) exposed to JS now requires a restart. The corresponding HTTP header is not affected. [[v1.12.0]] v1.12.0 (2020-06-01) -------------------- Removed ~~~~~~~ - `tox -e mkvenv` which was deprecated in qutebrowser v1.10.0 is now removed. Use the `mkvenv.py` script instead. - Support for using `config.bind(key, None)` in `config.py` to unbind a key was deprecated in v1.8.2 and is now removed. Use `config.unbind(key)` instead. - `:yank markdown` was deprecated in v1.7.0 and is now removed. Use `:yank inline [{title}]({url})` instead. Added ~~~~~ - New `:debug-keytester` command, which shows a "key tester" widget. Previously, that was only available as a separate application via `python3 -m scripts.keytester`. - New `:config-diff` command which opens the `qute://configdiff` page. - New `--debug-flag log-cookies` to log cookies to the debug log. - New `colors.contextmenu.disabled.{fg,bg}` settings to customize colors for disabled items in the context menu. - New line selection mode (`:toggle-selection --line`), bound to `Shift-V` in caret mode. - New `colors.webpage.darkmode.*` settings to control Chromium's dark mode. Note that those settings only work with QtWebEngine on Qt >= 5.14 and require a restart of qutebrowser. Changed ~~~~~~~ - Windows and macOS releases now ship Qt 5.15, which is based on Chromium 80.0.3987.163 with security fixes up to 81.0.4044.138. - The `content.cookies.accept` setting now accepts URL patterns. - Tests are now included in release tarballs. Note that only running them with the exact dependencies listed in `misc/requirements/requirements-tests.txt{,-raw}` is supported. - The `:tab-focus` command now has completion for tabs in the current window. - The `bindings.key_mappings` setting now maps `` to the tab key by default. - `:tab-give --private` now detaches a tab into a new private window. Fixed ~~~~~ - Using `:open -s` now only rewrites `http://` in URLs to `https://`, not other schemes like `qute://`. - When an unhandled exception happens in certain parts of the code (outside of the main thread), qutebrowser did crash or freeze when trying to show its exception handler. This is now fixed. - `:inspector` now works correctly when cookies are disabled globally. - Added workaround for a (Gentoo?) PyQt/packaging issue related to the `QWebEngineFindTextResult` handling added in v1.11.0. - When entering caret selection mode (`v, v`) very early before a page is loaded, an error is now shown instead of a crash happening. - The workaround for session loading with Qt 5.15 now handles `sessions.lazy_restore` so that the saved page is loaded instead of the "stub" page with no possibility to get to the web page. - A site specific quirk to allow typing accented characters on Google Docs was active for docs.google.com, but not drive.google.com. It is now applied for both subdomains. - With older graphics hardware (OpenGL < 4.3) with Qt 5.14 on Wayland, WebGL causes segfaults. Now qutebrowser detects that combination and suggests to disable WebGL or use XWayland. [[v1.11.1]] v1.11.1 (2020-05-07) -------------------- Security ~~~~~~~~ - CVE-2020-11054: After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (`colors.statusbar.url.warn.fg`). However, when the affected website was subsequently loaded again, the URL was mistakenly displayed as green (`colors.statusbar.url.success_https`). While the user already has seen a certificate error prompt at this point (or set `content.ssl_strict` to `false` which is not recommended), this could still provide a false sense of security. This is now fixed. [[v1.11.0]] v1.11.0 (2020-04-27) -------------------- Added ~~~~~ - New settings: * `search.wrap` which can be set to false to prevent wrapping around the page when searching. With QtWebEngine, Qt 5.14 or newer is required. * `content.unknown_url_scheme_policy` which allows controlling when an external application is opened for external links (never, from user interaction, always). * `content.fullscreen.overlay_timeout` to configure how long the fullscreen overlay should be displayed. If set to `0`, no overlay is displayed. * `hints.padding` to add additional padding for hints. * `hints.radius` to set a border radius for hints (set to `3` by default). - New placeholders for `url.searchengines` values: * `{unquoted}` inserts the search term without any quoting. * `{semiquoted}` (same as `{}`) quotes most special characters, but slashes remain unquoted. * `{quoted}` (same as `{}` in earlier releases) also quotes slashes. Changed ~~~~~~~ - First adaptions to Qt 5.15, including a stop-gap measure for session loading not working properly with it. - Searching now wraps around the page by default with QtWebKit (where it didn't before). Set `search.wrap` to `false` to restore the old behavior. - The `{}` placeholder for search engines (the `url.searchengines` setting) now does not quote slashes anymore, but other characters typically encoded in URLs still get encoded. This matches the behavior of search engines in Chromium. To revert to the old behavior, use `{quoted}` instead. - The `content.windowed_fullscreen` setting got renamed to `content.fullscreen.window`. - Mouse-wheel scrolling is now prevented while hints are active. - Changes to userscripts: * `qute-bitwarden` now has an optional `--totp` flag which can be used to copy TOTP codes to clipboard (requires the `pyperclip` module). * `readability-js` now opens readability tabs next to the original tab (using the `:open --related` flag). * `readability-js` now displays a favicon for readability tabs. * `password_fill` now triggers a `change` JavaScript event after filling the data. - The `dictcli.py` script now shows better error messages. - Various improvements to the `mkvenv.py` script (mainly useful for development). - Minor performance improvements. Deprecated ~~~~~~~~~~ - A warning about old Qt versions is now also shown with Qt 5.9 and 5.10, as support for Qt < 5.11 will be dropped in qutebrowser v2.0. Fixed ~~~~~ - `unsafeWindow` is now defined for Greasemonkey scripts with QtWebKit. - The proxied `window` global is now shared between different Greasemonkey scripts (but still separate from the page's `window`), to match the original Greasemonkey implementation. - The `--output-messages` (`-m`) flag added in v1.9.0 now also works correctly when using `:spawn --userscript`. - `:version` and `--version` now don't crash if there's an (invalid) `/etc/os-release` file which has non-comment lines without a `=` character. - Scripts in `scripts/` now report errors to `stderr` correctly, instead of using `stdout`. [[v1.10.2]] v1.10.2 (2020-04-17) -------------------- Changed ~~~~~~~ - Windows and macOS releases now bundle Qt 5.14.2, including security fixes up to Chromium 80.0.3987.132. Fixed ~~~~~ - The WhatsApp workaround now also works when using WhatsApp in languages other than English. - The `mkvenv.py` script now also works properly on Windows. [[v1.10.1]] v1.10.1 (2020-02-15) -------------------- Fixed ~~~~~ - Crash when saving data fails during shutdown (which was a regression introduced in v1.9.0). - Error while reading config.py when `fonts.tabs` or `fonts.debug_console` is set to a value including `default_size`. - When a `state` file contains invalid UTF-8 data, a proper error is now displayed. Changed ~~~~~~~ - When the Qt version changes (and also on the first start of v1.10.1 on Qt 5.14), service workers registered by websites are now deleted. This is done as a workaround for QtWebEngine issues causing crashes when visiting pages using service workers (such as Google Mail/Drive). No persistent data should be affected as websites can re-register their service workers, but a (single) backup is kept at `webengine/Service Worker-bak` in qutebrowser's data directory. - Better output on stdout when config errors occur. - The `mkvenv.py` now ensures the latest versions of `setuptools` and `wheel` are installed in the virtual environment, which should speed up installation and fix install issues. - The default for `colors.statusbar.command.private.bg` has been changed to a slightly different gray, as a workaround for a Qt issue where the cursor was invisible in that case. [[v1.10.0]] v1.10.0 (2020-02-02) -------------------- Added ~~~~~ - New `colors.webpage.prefers_color_scheme_dark` setting which allows forcing `prefers-color-scheme: dark` colors for websites (QtWebEngine with Qt 5.14 or newer). - New `fonts.default_size` setting which can be used to set a bigger font size for all UI fonts. Changed ~~~~~~~ - The `fonts.monospace` setting has been removed and replaced by `fonts.default_family`. The new `default_family` setting is improved in various ways: * It accepts a list of font families (or a single font family) rather than a comma-separated string. As an example, instead of `fonts.monospace = "Courier, Monaco"`, use `fonts.default_family = ["Courier", "Monaco"]`. * Since a list is now accepted as value, no quoting of font names with spaces is required anymore. As an example, instead of `fonts.monospace = '"xos4 Terminus"'`, use `fonts.default_family = 'xos4 Terminus'`. * It is now empty by default rather than having a long list of font names in the default config. When the value is empty, the system's default monospaced font is used. - If `monospace` is now used in a font value, it's used literally and not replaced anymore. Instead, `default_family` is replaced as explained above. - The default `content.headers.accept_language` value now adds a `;q=0.9` classifier which should make the value sent more in-line with what other browsers do. - The `qute-pass` userscript now has a new `--mode gopass` switch which uses gopass rather than pass. - The `tox -e mkvenv` (or `mkvenv-pypi`) way of installing qutebrowser is now replaced by a `mkvenv.py` script. See the updated link:install{outfilesuffix}#tox[install instructions] for details. - macOS and Windows releases now ship with Qt/QtWebEngine 5.14.1 * Based on Chromium 77.0.3865.129 with security fixes up to Chromium 79.0.3945.117. * Sandboxing is now enabled on Windows. * Monospace fonts are now used when a website requests them on macOS 10.15. * Web notifications are now supported. Fixed ~~~~~ - When quitting qutebrowser, components are now cleaned up differently. This should fix certain (rare) segmentation faults and exceptions when quitting, especially with the new exit scheme introduced in in PyQt5 5.13.1. - Added a workaround for per-domain settings (e.g. a JavaScript whitelist) not being applied in some scenarios with Qt 5.13 and above. - Added additional site-specific quirk for WhatsApp Web. - The `qute-pass` userscript now works correctly when a `PASSWORD_STORE_DIR` ending with a trailing slash is given. [[v1.9.0]] v1.9.0 (2020-01-08) ------------------- Added ~~~~~ - Initial support for Qt 5.14. - New `content.site_specific_quirks` setting which enables workarounds for websites with broken user agent parsing (enabled by default, see the "Fixed" section for fixed websites). - New `qt.force_platformtheme` setting to force Qt to use a given platform theme. - New `tabs.tooltips` setting which can be used to disable hover tooltips for tabs. - New settings to configure the appearance of context menus: * `fonts.contextmenu` * `colors.contextmenu.menu.bg` * `colors.contextmenu.menu.fg` * `colors.contextmenu.selected.bg` * `colors.contextmenu.selected.fg` Changed ~~~~~~~ - The macOS binaries now require macOS 10.13 High Sierra or newer. Support for macOS 10.12 Sierra has been dropped. - The `content.headers.user_agent` setting now is a format string with the default value resembling the behavior of it being set to null before. This slightly changes the sent user agent for QtWebKit: Instead of mentioning qutebrowser and its version it now mentions the Qt version. - The `qute-pass` userscript now has a new `--extra-url-suffixes` (`-s`) argument which passes extra URL suffixes to the tldextract library. - A stack is now used for `:tab-focus last` rather than just saving one tab. Additionally, `:tab-focus` now understands `stack-prev` and `stack-next` arguments to traverse that stack. - `:hint` now has a new `right-click` target which allows right-clicking elements via hints. - The Terminus font has been removed from the default monospace fonts since it caused trouble with HighDPI setups. To get it back, add either `"xos4 Terminus"` or `Terminus` (depending on fontconfig version) to the beginning of the `fonts.monospace` setting. - As a workaround for a Qt bug causing a segfault, desktop sharing is now automatically rejected on Qt versions before 5.13.2. Note that screen sharing still won't work on Linux before Qt 5.14. - Comment lines in quickmarks/bookmarks files are now ignored. However, note that qutebrowser will overwrite those files if bookmark/quickmark commands are used. - Reopening PDF.js pages from e.g. a session file will now re-download and display those PDFs. - Improved behavior when using `:open-download` in a sandboxed environment (KDE Flatpak). - qutebrowser now enables the new PyQt exit scheme, which should result in things being cleaned up more properly (e.g. cookies being saved even without a timeout) on PyQt 5.13.1 and newer. - The `:spawn` command has a new `-m` / `--output-messages` argument which shows qutebrowser messages based on a command's standard output/error. - Improved insert mode detection for some CodeMirror usages (e.g. in JupyterLab and Jupyter Notebook). - If JavaScript is disabled globally, `file://*` now doesn't automatically have it enabled anymore. Run `:set -u file://* content.javascript.enabled true` to restore the previous behavior. - Settings with URL patterns can now be used to affect the behavior of the QtWebEngine inspector. Note that the underlying URL is `chrome-devtools://*` from Qt 5.11 to Qt 5.13, but `devtools://*` with Qt 5.14. - Improvements when `tabs.tabs_are_windows` is set: * Using `:tab-take` and `:tab-give` now shows an error, as the effect of doing so would be equal to `:tab-clone`. * The `:buffer` completion doesn't show any window sections anymore, only a flat list of tabs. - Improved parsing in some corner cases for the `QtFont` type (used for `fonts.tabs` and `fonts.debug_console`). - Performance improvements for the following areas: * Adding settings with URL patterns * Matching of settings using URL patterns Fixed ~~~~~ - Downloads (e.g. via `:download`) now see the same user agent header as webpages, which fixes cases where overly restrictive servers/WAFs closed the connection before. - `dictcli.py` now works correctly on Windows again. - The logic for `:restart` has been revisited, which should fix issues with relative basedirs. - Remaining issues related to Python 3.8 are now fixed (mostly warnings, especially on QtWebKit). - Workaround for a Qt bug where a page never finishes loading with a non-overridable TLS error (e.g. due to HSTS). - The `qute://configdiff` page now doesn't show built-in settings (e.g. javascript being enabled for `qute://` and `chrome://` pages) anymore. - The `qute-lastpass` userscript now stops prompting for passwords when cancelling the password input. - The tab hover text now shows ampersands (&) correctly. - With QtWebEngine and Qt >= 5.11, the inspector now shows its icons correctly even if loading of images is disabled via the `content.images` setting. - Entering a very long string (over 50k characters) in the completion used to crash, now it shows an error message instead. - Various improvements for URL/searchengine detection: * Strings with a dot but with characters not allowed in a URL (e.g. an underscore) are now not treated as URL anymore. * Strings like "5/8" are now not treated as IP anymore. * URLs with an explicit scheme and a space (%20) are correctly treated as URLs. * Mail addresses are now treated as search terms. * With `url.open_base_url` set, searching for a search engine name now works. * `url.open_base_url = True` together with `url.auto_search = 'never'` is now handled correctly. * Fixed crash when a search engine URL turns out to be invalid. - New "site specific quirks", which work around some broken websites: * WhatsApp Web * Google Accounts * Slack (with older QtWebEngine versions) * Dell.com support pages (with Qt 5.7) * Google Docs (fixes broken IME/compose key) [[v1.8.3]] v1.8.3 (2019-12-05) ------------------- Fixed ~~~~~ - Segmentation fault introduced in v1.8.2 when a tab gets closed immediately after it has finished loading (e.g. with certain login flows). [[v1.8.2]] v1.8.2 (2019-11-22) ------------------- Changed ~~~~~~~ - Windows/macOS releases now ship with Qt 5.12.6. This includes security fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78. Fixed ~~~~~ - Unbinding keys via `config.bind(key, None)` accidentally worked in v1.7.0 but raises an exception in v1.8.0. It now works again, but is deprecated and shows an error. Note that `:config-py-write` did write such invalid lines before v1.8.0, so existing config files might need adjustments. - The `readability-js` userscript now handles encodings correctly (which it didn't before for some websites). - can now be used to paste text starting with a hyphen. - Following hints via the number keypad now works properly again. - Errors while reading the state file are now displayed instead of causing a crash. - Crash when using `:debug-log-level` without a console attached. - Downloads are now hidden properly when the browser is in fullscreen mode. - Crash when setting `colors.webpage.bg` to an empty value with QtWebKit. - Crash when the history database file is not a proper sqlite database. - Workaround for missing/broken error pages on Debian. - A deprecation warning (caused by pywin32) about the imp module on Windows is now hidden. [[v1.8.1]] v1.8.1 (2019-09-27) ------------------- Changed ~~~~~~~ - No code changes - this release only repackages the Windows/macOS releases due to issues with the v1.8.0 release. - Updated dependencies for Windows/macOS releases: * macOS and Windows releases now ship with Qt/QtWebEngine 5.12.5. Those are based on Chromium 69.0.3497.128 with security fixes up to Chromium 76.0.3809.87. * Qt 5.13 couldn't be used yet due to various bugs in Qt 5.13.0 and .1. [[v1.8.0]] v1.8.0 (2019-09-25) ------------------- Added ~~~~~ - New userscripts: * `readability-js` which uses Mozilla's node.js readability library. * `qute-bitwarden` which integrates the Bitwarden CLI. Changed ~~~~~~~ - The statusbar text for passthrough mode now shows all configured bindings to leave the mode, not only one. - When `:config-source` is used with a relative filename, the file is now searched in the config directory instead of the current working directory. - HTML5 inputs with date/time types now enter insert mode when selected. - `dictcli.py` now shows where dictionaries are installed to and complains when running it as root if doing so would result in a wrong installation path. - The Makefile now can also run `setup.py build` when invoked without a target. - Changes to userscripts: * qute-pass: Don't run `pass` if only a username is requested. * qute-pass: Support private domains like `myrouter.local`. * readability: Improved CSS styling. - Performance improvements in various areas: * Loading config files * Typing without any completion matches * General keyboard handling * Scrolling - `:version` now shows details about the loaded autoconfig.yml/config.py. - Hosts are now additionally looked up including their ports in netrc files. - With Qt 5.10 or newer, qutebrowser now doesn't force software rendering with Nouveau drivers anymore. However, QtWebEngine/Chromium still do so. - The XSS Auditor is now disabled by default (`content.xss_auditing` = `false`). This reflects a similar change in Chromium, see their https://www.chromium.org/developers/design-documents/xss-auditor[XSS Auditor Design Document] for details. Fixed ~~~~~ - `:config-write-py` now correctly writes `config.unbind(...)` lines (instead of `config.bind(..., None)`) when unbinding a default keybinding. - Prevent repeat keyup events for JavaScript when a key is held down. - The Makefile now rebuilds the manpage correctly. - `~/.config/qutebrowser/blocked-hosts` can now also contain /etc/hosts-like lines, not just simple hostnames. - Restored compatibility with Jinja2 2.8 (e.g. used on Debian Stretch or Ubuntu 16.04 LTS). - Fixed implicit type conversion warning with Python 3.8. - The desktop file now sets `StartupWMClass` correctly, so the qutebrowser icon is no longer shown twice in the Gnome dock when pinned. - Bindings involving keys which need the AltGr key now work properly. - Fixed crash (caused by a Qt bug) when typing characters above the Unicode BMP (such as certain emoji or CJK characters). - `dictcli.py` now works properly again. - Shift can now be used while typing hint keystrings, which e.g. allows typing number hints on French keyboards. - With rapid hinting in number mode, backspace now edits the filter text after following a hint. - A certain type of error ("locking protocol") while initializing sqlite now isn't handled as crash anymore. - Crash when showing a permission request in certain scenarios. Removed ~~~~~~~ - At least Python 3.5.2 is now required to run qutebrowser, support for 3.5.0 and 3.5.1 was dropped. [[v1.7.0]] v1.7.0 (2019-07-18) ------------------- Added ~~~~~ - New settings: * `colors.tabs.pinned.*` to control colors of pinned tabs. * `hints.leave_on_load` which allows disabling leaving of hint mode when a new page is loaded. * `colors.completion.item.selected.match.fg` which allows configuring the text color for the matching text in the currently selected completion item. * `tabs.undo_stack_size` to limit how many undo entries are kept for closed tabs. - New commands: * `:reverse-selection` (`o` in caret mode) to swap the stationary/moving ends of a selection. - New commandline replacements: * `{url:domain}`, `{url:auth}`, `{url:scheme}`, `{url:username}`, `{url:password}`, `{url:host}`, `{url:port}`, `{url:path}`, `{url:query}` for the respective parts of the current URL. * `{title}` for the current page title. - The `{title}` field in `tabs.title.format`, `tabs.title.format_pinned` and `window.title_format` got renamed to `{current_title}` (mirroring `{current_url}`) in order to not conflict with the new `{title}` commandline replacement. - New `delete` target for `:hint` which removes the hinted element from the DOM. - New `--config-py` commandline argument to use a custom `config.py` file. - Qt 5.13: Support for notifications (shown via system tray). Changed ~~~~~~~ - Updated dependencies for Windows/macOS releases: - PyQt5 5.12.3 / PyQtWebEngine 5.12.1 - Qt 5.12.4, which includes security fixes up to Chromium 74.0.3729.157 - Python 3.7.4 - OpenSSL 1.1.1 - Note: This release includes Qt 5.12.4 instead of Qt 5.13.0 due to https://bugreports.qt.io/browse/QTBUG-76913[QTBUG-76913] causing frequent segfaults with Qt 5.13. After Qt 5.13.1 is released, qutebrowser v1.8.0 will be released with an updated Qt. - Completely revamped Windows installer which allows installing without admin permissions and allows setting qutebrowser as default browser. - The desktop file `qutebrowser.desktop` is now renamed to `org.qutebrowser.qutebrowser.desktop`. - Pinned tabs now always show a favicon (even if the site doesn't provide one) when shrinking. - Setting `downloads.location.directory` now changes the directory displayed in the download prompt even if `downloads.location.remember` is set. - The `yank` command gained a new `inline` argument, which allows to e.g. use `:yank inline [{title}]({url})`. - Duplicate consecutive history entries with the same URL are now ignored. - More detailed error messages when spawning a process failed. - The `content.pdfjs` setting now supports domain patterns. - Improved process status output with `:spawn -o`. - The `colors.tabs.bar.bg` setting is now of type `QssColor` and thus supports gradients. - The `:fullscreen` command now understands a new `--enter` flag which causes it to always enter fullscreen instead of toggling the current state. - `--debug-flag stack` is now needed to show stack traces on renderer process crashes. - `--debug-flag chromium` can be used to easily turn on verbose Chromium logging. - For runtime data (such as the IPC socket), a proper runtime path is now used on BSD; only macOS/Windows continue to use the temporary directory. - PDF.js is now also searched in `/app/share/pdf.js/` (for Flatpak) - Permission prompts can now be answered with `Y` (`:prompt-accept --save yes`) and `N` (`:prompt-accept --save no`) to save the answer as a per-domain setting. - `content.dns_prefetch` is now turned off by default, as it causes crashes inside QtWebEngine. - The (still unofficial) interceptor plugin API now contains `resource_type` for a request and allows redirecting requests. - `:bookmark-remove` now shows a message for consistency with `:bookmark-add`. - Very early segfaults are now also caught by the crash handler. - The appdata XML now contains proper release information and an (empty) OARS content rating. - Improved Linux distribution detection. - Qt 5.13: Request filtering now happens in the UI rather than IO thread. - Qt 5.13: Support for PDFium (Chromium's PDF viewer) is disabled for now so that PDFs can still be downloaded (or shown with PDF.js) properly. - Various performance improvements (e.g. for showing hints or the :open completion). Deprecated ~~~~~~~~~~ - `:yank markdown` got deprecated, as `:yank inline [{title}]({url})` can now be used instead. Fixed ~~~~~ - Various QtWebEngine load signals are now handled differently, which should fix issues with insert mode being left while typing on sites like Google Translate. - Race condition causing a colored statusbar in normal mode when entering/exiting caret mode quickly. - Using `100%` for a hue in a `hsv(...)` config value now corresponds to 359 (rather than 255), matching the fixed behavior in Qt 5.13. - Chaining commands with `;;` used to abort with some failing commands. It now runs the second command no matter whether the first one succeeded or not. - Handling of profiles and private windows (and resulting crashes with Qt 5.12.2). - Fixes for corner-cases when using `:navigate increment/decrement`. - The type for the `colors.hints.match.fg` setting was changed to `QtColor`. Gradients were never supported for this setting, and with this change, values like `rgb(0, 0, 0)` now work as well. - Permission prompts now show a properly normalized URL with QtWebKit. - Crash on start when PyQt was built without SSL support with Qt >= 5.12. - Minor memory leaks. [[v1.6.3]] v1.6.3 (2019-06-18) ------------------- Fixed ~~~~~ - Crash when hinting and changing/closing the tab before hints are displayed. - Crash on redirects with Qt 5.13. - Hide bogus `AA_ShareOpenGLContexts` warning with Qt 5.12.4. - Workaround for renderer process crashes with Qt 5.12.4. If you're unable to update, you can remove `~/.cache/qutebrowser` for the same result. [[v1.6.2]] v1.6.2 (2019-05-06) ------------------- Changed ~~~~~~~ - Windows/macOS releases now ship with Qt 5.12.3, which includes security fixes up to Chromium 73.0.3683.75. Fixed ~~~~~ - Crash when SQL errors occur while using the completion. - Crash when cancelling a download prompt started in an already closed window. - Crash when many prompts are opened at the same time. - Running without Qt installed now displays a proper error again. - High CPU usage when using the keyhint widget with a low delay. - Crash with Qt >= 5.14 on redirects. [[v1.6.1]] v1.6.1 (2019-03-20) ------------------- Changed ~~~~~~~ - Windows/macOS releases now ship with Qt 5.12.2, which includes security fixes up to Chromium 72.0.3626.121 (including CVE-2019-5786 which is known to be exploited in the wild). Fixed ~~~~~ - Crash when using `:config-{dict,list}-{add,remove}` with an invalid setting. - Functionality like hinting on pages with an element with ID `_qutebrowser` (such as qutebrowser.org) on Qt 5.12. - The .desktop file in v1.6.0 was missing the "Actions" key, which is now fixed. - The SVG icon now has a size of 256x256px set to comply with freedesktop standards. - Setting `colors.statusbar.*.bg` to a gradient now has the expected effect of the gradient spanning the entire statusbar. [[v1.6.0]] v1.6.0 (2019-02-25) ------------------- Added ~~~~~ - New settings: * `tabs.new_position.stacking` which controls whether new tabs opened from a page should stack on each other or not. * `completion.open_categories` which allows to configure which categories are shown in the `:open` completion, and how they are ordered. * `tabs.pinned.frozen` to allow/deny navigating in pinned tabs. * `hints.selectors` which allows to configure what CSS selectors are used for hints, and also allows adding custom hint groups. * `input.insert_mode.leave_on_load` to turn off leaving insert mode when a new page is loaded. - New config manipulation commands: * `:config-dict-add` and `:config-list-add` to a new element to a dict/list setting. * `:config-dict-remove` and `:config-list-remove` to remove an element from a dict/list setting. - New `:yank markdown` feature which yanks the current URL and title in markdown format. - Support for new QtWebEngine features in Qt 5.12: * Basic support for client certificates. Selecting the certificate to use when there are multiple matching certificates isn't implemented yet. * Support for DNS prefetching (plus new `content.dns_prefetch` setting). Changed ~~~~~~~ - Various changes to the Windows and macOS builds: * Bundling Qt 5.12.1, based on Chromium 69.0.3497.128 with security fixes up to 71.0.3578.94. * Windows: A 32-bit build is available again. * Windows: The builds now bundle the Universal CRT DLLs, causing them to work on earlier versions of Windows 10. * macOS: Support for OS X 10.11 El Capitan was dropped, requiring macOS 10.12 Sierra or newer. * macOS: The IPC socket path used to communicate with existing instances changed due to changes in Qt 5.12. Please make sure to quit qutebrowser before upgrading. - `:q` now closes the current window instead of quitting qutebrowser completely (`:close`), while `:qa` quits (`:quit`). The behavior of `:wq` remains unchanged (`:quit --save`), as closing a window while saving the session doesn't make sense. - Completion highlighting is now done differently (using `QSyntaxHighlighter`), which should fix some highlighting corner-cases. - The `QtColor` config type now also understands colors like `rgb(...)`. - `:yank` now has a `--quiet` option which causes it to not display a message. - The `:open` completion now also shows search engines by default. - The `content.host_blocking.enabled` setting now supports URL patterns, so the adblocker can be disabled on a given page. - Elements with a `tabindex` attribute now also get hints by default. - Various small performance improvements for hints and the completion. - The Wayland check for QtWebEngine is now disabled on Qt >= 5.11.2, as those versions should work without any issues. - The JavaScript `console` object is now available in PAC files. - PAC proxies currently don't work properly on QtWebEngine (and never did), so an error is now shown when trying to configure a PAC proxy. - The metainfo file `qutebrowser.appdata.xml` is now renamed to `org.qutebrowser.qutebrowser.appdata.xml`. - The `qute-pass` userscript now understands domains in gpg filenames in addition to directory names. - The autocompletion for `content.headers.user_agent` got updated to only include the default and Chrome, as setting the UA to Firefox has various bad side-effects. - Combining Qt 5.12 with an older PyQt can lead to issues, so a warning is now shown when starting qutebrowser with that combination. Fixed ~~~~~ - Invalid world IDs now get rejected for `:jseval` and GreaseMonkey scripts. - When websites suggest download filenames with invalid characters, those are now correctly replaced. - Invalid hint length calculation in certain rare cases. - Dragging tabs in the tab bar (which was broken in v1.5.0) - Using Shift-Home in command mode now works properly. - Workaround for a Qt bug which prevented `content.cookies.accept = no-3rdparty` from working properly on some pages like GMail. However, the default for `content.cookies.accept` is still `all` to be in line with what other browsers do. - `:navigate` not incrementing in anchors or queries. - Crash when trying to use a proxy requiring authentication with QtWebKit. - Slashes in search terms are now percent-escaped. - When `scrolling.bar = True` was set in versions before v1.5.0, this now correctly gets migrated to `always` instead of `when-searching`. - Completion highlighting now works again on Qt 5.11.3 and 5.12.1. - The non-standard header `X-Do-Not-Track` is no longer sent. - PAC proxies were never correctly supported with QtWebEngine, but are now explicitly disallowed. - macOS: Context menus for download items now show in the correct macOS style. - Issues with fullscreen handling when exiting a video player. - Various fixes for Qt 5.12 issues: * A javascript error on page load was fixed. * `window.print()` works with Qt 5.12 now. * Fixed handling of duplicate download filenames. * Fixed broken `qute://history` page. * Fixed PDF.js not working properly. * The download button in PDF.js now works (it's not possible to make it work with earlier Qt versions). * Since Greasemonkey scripts modifying the DOM fail when being run at document-start, some known-broken scripts (Iridium, userstyles.org) are now forced to run at document-end. [[v1.5.2]] v1.5.2 (2018-10-26) ------------------- Changed ~~~~~~~ - The `content.cookies.accept` setting is now set to `all` instead of `no-3rdparty` by default, as `no-3rdparty` breaks various pages such as GMail. [[v1.5.1]] v1.5.1 (2018-10-10) ------------------- Fixed ~~~~~ - Flickering when opening/closing tabs (as soon as more than 10 are open) on some pages. - PDF.js is now bundled again with the macOS/Windows release. - PDF.js is now searched in the correct path (if not installed system-wide) instead of hardcoding `~/.local/share/qutebrowser`. - Improved logging for PDF.js resources which fail to load. - Crash when closing a tab after doing a search. - Tabs appearing when hidden after e.g. closing tabs. [[v1.5.0]] v1.5.0 (2018-10-03) ------------------- Added ~~~~~ - Rewritten PDF.js support: * PDF.js support and the `content.pdfjs` setting are now also available with QtWebEngine. * Opening a PDF file now doesn't start a second request anymore. * Opening PDFs on https:// sites now works properly. * New `--pdfjs` flag for `prompt-open-download`, so PDFs can be opened in PDF.js with `` in the download prompt. - New settings: * `content.mouse_lock` to handle HTML5 pointer locking. * `completion.web_history.exclude` which hides a list of URL patterns from the completion. * `qt.process_model` which can be used to change Chromium's process model. * `qt.low_end_device_mode` which turns on Chromium's low-end device mode. This mode uses less RAM, but the expense of performance. * `content.webrtc_ip_handling_policy`, which allows more fine-grained/restrictive control about which IPs are exposed via WebRTC. * `tabs.max_width` which allows to have a more "normal" look for tabs. * `content.mute` which allows to mute pages (or all tabs) by default. - Running qutebrowser with QtWebKit or Qt < 5.9 now shows a warning (only once), as support for those is going to be removed in a future release. - New t[iI][hHu] default bindings (similar to `tsh` etc.) to toggle images. - The qute-pass userscript now has optional OTP support. - When `:spawn --userscript` is called with a count, that count is now passed to userscripts as `$QUTE_COUNT`. Changed ~~~~~~~ - Windows and macOS releases now bundle Python 3.7, PyQt 5.11.3 and Qt 5.11.2. QtWebEngine includes security fixes up to Chromium 68.0.3440.75 and https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.11.2/?h=v5.11.2[various other fixes]. - Various performance improvements when many tabs are opened. - The `content.headers.referer` setting now works on QtWebEngine. - The `:repeat` command now takes a count which is multiplied with the given "times" argument. - The default keybinding to leave passthrough mode was changed from `` to ``, which makes pasting from the clipboard easier in passthrough mode and is also unlikely to conflict with webpage bindings. - The `app_id` is now set to `qutebrowser` for Wayland. - `Command` or `Cmd` can now be used (instead of `Meta`) to map the Command key on macOS. - Using `:set option` now shows the value of the setting (like `:set option?` already did). - The `completion.web_history_max_items` setting got renamed to `completion.web_history.max_items`. - The Makefile shipped with qutebrowser now supports overriding variables `DATADIR` and `MANDIR`. - Regenerating completion history now shows a progress dialog. - The `content.autoplay` setting now supports URL patterns on Qt >= 5.11. - The `content.host_blocking.whitelist` setting now takes a list of URL patterns instead of globs. - In passthrough mode, Ctrl + Mousewheel now also gets passed through to the page instead of zooming. - Editing text in an external editor now simulates a JS "input" event, which improves compatibility with websites reacting via JS to input. - The `qute://settings` page is now properly sorted on Python 3.5. - `:zoom`, `:zoom-in` and `:zoom-out` now have a `--quiet` switch which causes them to not display a message. - The `scrolling.bar` setting now takes three values instead of being a boolean: `always`, `never`, and `when-searching` (which only displays it while a search is active). - '@@' now repeats the last run macro. - The `content.host_blocking.lists` setting now accepts a `file://` URL to a directory, and reads all files in that directory. - The `:tab-give` and `:tab-take` command now have a new flag `--keep` which causes them to keep the old tab around. - `:navigate` now clears the URL query. Fixed ~~~~~ - `qute://` pages now work properly on Qt 5.11.2 - Error when passing a substring with spaces to `:tab-take`. - Greasemonkey scripts which start with a UTF-8 BOM are now handled correctly. - When no documentation has been generated, the plaintext documentation now can be shown for more files such as `qute://help/userscripts.html`. - Crash when doing initial run on Wayland without XWayland. - Crash when trying to load an empty session file. - `:hint` with an invalid `--mode=` value now shows a proper error. - Rare crash on Qt 5.11.2 when clicking on `