Security:
* CVE-2018-10895: Fix CSRF issue on the qute://settings page,
leading to possible arbitrary code execution.
See the related GitHub issue for details:
https://github.com/qutebrowser/qutebrowser/issues/4060
Fixed:
* Rare crash when an error occurs in downloads.
* Newlines are now stripped from the :version pastebin URL.
* Worked around a Qt issue which redirects to a
chrome-error:// page when trying to use U2F.
* The link_pyqt.py script now works correctly with PyQt 5.11.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=47
- Update to version 1.4.0:
Added:
* Support for the bundled sip module in PyQt 5.11 and other
changes in Qt/PyQt 5.11.x.
* New --debug-flag log-requests to log requests to the debug
log for debugging.
* New --first flag for :hint (bound to gi for inputs) which
automatically selects the first hint.
* New input.escape_quits_reporter setting which can be used to
avoid accidentally quitting the crash reporter when pressing
escape.
* New qute-lastpass userscript which uses the LastPass CLI to
fill passwords.
* The Makefile now installs a
/usr/share/metainfo/qutebrowser.appdata.xml file.
* QtWebEngine: Support for printing from webpages via
window.print.
* QtWebEngine: Support for muting tabs:
+ New {audio} field for window.title_format and
tabs.title.format which displays [M]/[A] for
muted/recently audible tabs.
+ New :tab-mute command (bound to <Alt-m>) to mute/unmute a
tab.
* QtWebEngine: Support for content.cookies.accept with
third-party cookies blocked by default (requires Qt 5.11).
* QtWebEngine: New settings:
+ Support for requesting persistent storage via
navigator.webkitPersistentStorage.requestQuota with a new
content.persistent_storage setting (requires Qt 5.11).
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=45
Security:
* An XSS vulnerability on the qute://history page allowed
websites to inject HTML into the page via a crafted title
tag. This could allow them to steal your browsing history.
If you're currently unable to upgrade, avoid using :history.
A CVE request for this issue is pending.
Fixed:
* Crash in a workaround for a Qt 5.11 bug in rare
circumstances.
* Workaround for a Qt bug which preserves searches between page
loads.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=42
* QtWebEngine: Improved workaround for a bug in Qt 5.11 where
only the top/bottom half of the window is used.
* QtWebEngine: Work around a bug in Qt 5.11 where an endless
loading-loop is triggered when clicking a link with an unknown
scheme.
* QtWebEngine: When switching between pages with changed
settings, less unnecessary reloads are done now.
* QtWebEngine: It's now possible to open external links such as
magnet:// or mailto: via hints.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=39
* Work around a bug in Qt 5.11 where only the top/bottom half of
the window is used. This workaround is incomplete, but fixes
the majority of the cases where this happens.
* Work around keyboard focus issues with Qt 5.11.
* Work around an issue in Qt 5.11 where e.g. activating
JavaScript per-domain needed a manual reload in some cases.
* Don't crash when a ² key is pressed (e.g. on AZERTY keyboards).
* Don't crash when a tab is opened and quickly closed again.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=37
Added:
* New :scroll-to-anchor command to scroll to an anchor in the
document.
* New url.open_base_url option to open the base URL of a
searchengine when no search term is given.
* New tabs.min_width setting to configure the minimal width
for tabs.
* New userscripts:
+ getbib to download bibtex information for DOIs on a page.
+ qute-keepass to get passwords from KeePassX.
Changed:
* QtWebEngine: Support for JavaScript Shared Web Workers have
been disabled on Qt versions older than 5.11 because of
security issues in in Chromium. You can get the same effect
in earlier versions via
":set qt.args ['disable-shared-workers']". An equivalent
workaround is also contained in Qt 5.9.5 and 5.10.1.
* The file dialog for downloads now has basic tab completion
based on the entered text.
* :version now shows OS information for POSIX OS other than
Linux/macOS.
* When there's an error inserting the text from an external
editor, a backup file is now saved.
* The window.hide_wayland_decoration setting got renamed to
window.hide_decoration and now also works outside of wayland.
* The tabs.favicons.show setting now can take three values:
'always' (was True), 'never' (was False) and 'pinned'
(to only show favicons for pinned tabs).
* Hover tooltips on tabs now always show the webpage's title.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=34
Fixed:
* qutebrowser now starts properly when the PyQt5
QOpenGLFunctions package wasn't found.
* The keybinding cheatsheet on the quickstart page is now
loaded from a local qute:// URL again.
* Unbinding keys which were bound in older qutebrowser versions
now doesn't crash anymore.
* Fixed a crash when reloading a page which wasn't fully
loaded with v1.2.0
* Keys on the numeric keypad now fall back to the same bindings
without Num+ if no Num+ binding was found.
* Fixed hinting on some pages with Qt < 5.10.
* Titles are now displayed correctly again for tabs which are
cloned or loaded from sessions.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=32
Added:
* Initial implementation of per-domain settings:
+ :set and :config-cycle now have a -u/--pattern argument
taking a URL match pattern for supported settings.
+ config.set in config.py now takes a third argument which is
the pattern.
+ New with config.pattern('...') as p: context manager for
config.py to use the shorthand syntax with a pattern.
+ New tsh keybinding to toggle scripts for the current host.
With a capital S, the toggle is saved. With a capital H,
subdomains are included. With u instead of h, the exact
current URL is used.
+ New tph keybinding to toggle plugins, with the same
additional binding described above.
* New QtWebEngine features:
+ Caret/visual mode
+ Authentication via ~/.netrc
+ Retrying downloads with Qt 5.10 or newer
+ Hinting and other features inside same-origin frames
* New flags for existing commands:
+ :session-load has a new --delete flag which deletes the
session after loading it.
+ New --no-last flag for :tab-focus to not focus the last tab
when focusing the currently focused one.
+ New --edit flag for :view-source to open the source in an
external editor.
+ New --select flag for :follow-hint which acts like the
given string was entered but doesn't necessary follow the
hint.
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=29
- Update to version 1.1.0:
Added:
* Initial support for Greasemonkey scripts. There are still
some rough edges, but many scripts should already work.
* New fields for window.title_format and tabs.title.format:
+ {current_url}
+ {protocol}
* New settings:
+ colors.statusbar.passthrough.fg/.bg
+ completion.delay and completion.min_chars to update the
completion less often.
+ completion.use_best_match to automatically use the
best-matching command in the completion.
+ keyhint.radius to configure the edge rounding for the key
hint widget.
+ qt.highdpi to turn on Qt's High-DPI scaling.
+ tabs.pinned.shrink (true by default) to make it possible
for pinned tabs and normal tabs to have the same size.
+ content.windowed_fullscreen to show e.g. a fullscreened
video in the window without fullscreening that window.
+ tabs.persist_mode_on_change to keep the current mode when
switching tabs.
+ session.lazy_restore which allows to not load pages
immediately when restoring a session.
* New commands:
+ :tab-give and :tab-take, to give tabs to another window,
or take them from another window.
+ :completion-item-yank (bound to <Ctrl-C>) to yank the
current completion item text.
+ :edit-command to edit the commandline in an editor.
+ search.incremental for incremental text search.
* New flags for existing commands:
+ -o flag for :spawn to show stdout/stderr in a new tab.
+ --rapid flag for :command-accept (bound to Ctrl-Enter by
default), which allows executing a command in the
completion without closing it.
+ --private and --related flags for :edit-url, which have the
same effect they have with :open.
+ --history for :completion-item-focus which causes it to go
through the command history when no text was entered.
The default bindings for cursor keys in the completion
changed to use that, so that they can be used again to
navigate through completion items when a text was entered.
+ --file for :debug-pyeval which makes it take a filename
instead of a line of code.
* New config.source(...) method for config.py to source another
file.
* New {line} and {column} replacements for editor.command to
position the cursor correctly.
* New qute-pass userscript as alternative to password_fill
which allows selecting accounts via rofi or any other
dmenu-compatile application.
* New hist_importer.py script to import history from
Firefox/Chromium.
Changed:
* Some settings got renamed:
* tabs.width.bar -> tabs.width
* tabs.width.indicator -> tabs.indicator.width
* tabs.indicator_padding -> tabs.indicator.padding
* session_default_name -> session.default_name
* ignore_case -> search.ignore_case
* Much improved user stylesheet handling for QtWebEngine which
reduces flickering and updates immediately after setting a
stylesheet.
* High-DPI favicons are now used when available.
* The asciidoc2html.py script now uses Pygments (which is
already a dependency of qutebrowser) instead of
source-highlight for syntax highlighting.
* The :buffer command now doesn't require quoting anymore,
similar to :open.
* The importer.py script was largely rewritten and now also
supports importing from Firefox' places.sqlite file and
Chrome/Chromium profiles.
* Various internal refactorings to use Python 3.5 and
ECMAscript 6 features.
* If the window.hide_wayland_decoration setting is False, but
QT_WAYLAND_DISABLE_WINDOWDECORATION is set in the
environment, the decorations are still hidden.
* The install_dict.py script for QtWebEngine was renamed to
dictcli.py and can now also upgrade dictionaries correctly.
* :undo now can re-open multiple tabs after :tab-only was used.
* :config-write-py with a relative path now puts the file into
the config directory.
* The qute://version page now also shows the uptime of
qutebrowser.
* qutebrowser now prompts to create a non-existing directory
when starting a download.
* :jseval --file now searches relative paths in a js/ subdir in
qutebrowser's data dir, e.g. ~/.local/share/qutebrowser/js.
* The current/default bindings are now shown in the ``:bind`
completion.
* Empty categories are now hidden in the :open completion.
* Search terms for URLs and titles can now be mixed when
filtering the completion.
* The default font size for the UI got bumped up from 8pt to
10pt.
* Improved matching in the completion: The words entered are
now matched in any order, and mixed matches on URL/tite are
possible.
* The system's default encoding (rather than UTF-8) is now used
to decode subprocess output.
* qutebrowser now ensures it's focused again after an external
editor is closed.
* The colors.completion.fg setting can now be a list, allowing
to specify different colors for the three completion columns.
Fixed:
* More consistent sizing for favicons with vertical tabs.
* Using :home on pinned tabs is now prevented.
* Fix crash with unknown file types loaded via qute://help.
* Scrolling performance improvements.
* Sites like qute://help now redirect to qute://help/ to make
sure links work properly.
* Fixes for the size calculation of pinned tabs in the tab bar.
* Worked around a crash with PyQt 5.9.1 compiled against
Qt < 5.9.1 when using :yank or qute:// URLs.
* Fixed crash when opening qute://help/img.
* Fixed gU (:navigate up) on qute://help and webservers not
handling .. in a URL.
* Using e.g. -s backend webkit to set the backend now works
correctly.
* Fixed crash when closing the tab an external editor was
opened in.
* When using :search-next before a search is finished, no
warning about no results being found is shown anymore.
* Fix :click-element with an ID containing non-alphanumeric
characters.
* Fix crash when a subprocess outputs data which is not
decodable as UTF-8.
* Fix crash when closing a tab immediately after hinting.
* Worked around issues in Qt 5.10 with loading progress never
being finished.
* Fixed a crash when writing a flag before a command
(e.g. :-w open).
* Fixed a crash when clicking certain form elements with
QtWebEngine.
Deprecated:
* :tab-detach has been deprecated, as :tab-give without
argument can be used instead.
Removed:
* The long-deprecated :prompt-yes, :prompt-no, :paste-primary
and :paste commands have been removed.
* The invocation :download <url> <dest> which was deprecated
in v0.5.0
was removed, use :download --dest <dest> <url> instead.
* The messages.unfocused option which wasn't used anymore was
removed.
* The x[xtb] default bindings got removed again as many users
accidentally triggered them.
OBS-URL: https://build.opensuse.org/request/show/565833
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=23
- Update to version 1.0.4:
* The qute://gpl page now works correctly again.
* Trying to bind an empty command now doesn't crash anymore.
* Fixed crash when :config-write-py fails to write to the given
path.
* Fixed crash for some users when selecting a file with Qt 5.9.3
* Improved handling for various SQL errors
* Fix crash when setting content.cache.size to a big value
(> 2 GB)
OBS-URL: https://build.opensuse.org/request/show/546189
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=21
- Update to version 1.0.3:
* Changed
+ Performance improvements for tab rendering.
+ The :open-editor command is not hidden anymore and also usable
in normal mode.
+ Security enhancements for macos and windows builds
* Fixed
+ Handle accessing a locked sqlite database gracefully
+ Abort pinned tab dialogs properly when a tab is closed e.g.
by closing a window.
+ Unbinding a default keybinding twice no longer binds it again
+ Completions are now sorted correctly again when filtered
OBS-URL: https://build.opensuse.org/request/show/538969
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=19
- Update to version 1.0.2:
* Fixed
+ Fix workaround for black screens or crashes with Nvidia cards
+ Handle a filesystem going read-only gracefully
+ Fix crash when setting fonts.monospace
+ Fix list options not being modifyable via .append() in
config.py
+ Mark the content.notifications setting as QtWebKit only
correctly
+ Fix wrong rendering of keys like <back> in the completion
* Changed
+ Nicer error messages and other minor improvements
* Includes fixes from 1.0.1:
+ Fixed starting after customizing fonts.tabs or
fonts.debug_console.
+ Fixed starting with old PyQt versions compiled against newer
Qt versions.
+ Fixed check for PyQt version to correctly enforce 5.7
(not 5.2).
OBS-URL: https://build.opensuse.org/request/show/534464
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=15
- Update to version 1.0.0
* Dependency changes:
+ Support for legacy QtWebKit (before 5.212 which is
distributed independently from Qt) is dropped.
+ Support for Python 3.4 is dropped.
+ Support for Qt before 5.7.1 and PyQt before 5.7 is dropped.
+ New dependency on the QtSql module and Qt sqlite support.
+ New dependency on the attrs project (packaged as
python-attr in some distributions).
+ The depedency on PyOpenGL (when using QtWebEngine) got
removed. Note that PyQt5.QtOpenGL is still a dependency.
+ PyQt5.QtOpenGL is now always required, even with QtWebKit.
* The QtWebEngine backend is now used by default. Note this
means that QtWebEngine now should be a required dependency, and
QtWebKit (if new enough) should be changed to an optional
dependency.
* Completely rewritten configuration system which ignores the
old config file. See link:qute://help/configuring.html[] for
details.
* Various documentation files got moved to the doc/ subfolder;
qutebrowser.desktop got moved to misc/.
* :set now doesn't support toggling/cycling values anymore, that
functionality got moved to :config-cycle.
* New completion engine based on sqlite, which allows to
complete the entire browsing history. The default for
completion.web_history_max_items got changed to -1 (unlimited).
If the completion is too slow on your machine, try setting it to
a few 1000 items.
Added:
* QtWebEngine: Spell checking support, see the
spellcheck.languages setting.
* New qt.args setting to pass additional arguments to
Qt/Chromium.
* New backend setting to select the backend to use. Together
with the previous setting, this should make most wrapper
scripts unnecessary.
* qutebrowser can now be set as the default browser on macOS.
* New config commands:
+ :config-cycle to cycle an option between multiple values.
+ :config-unset to remove a configured option.
+ :config-clear to remove all configured options.
+ :config-source to (re-)read a config.py file.
+ :config-edit to open the config.py file in an editor.
+ :config-write-py to write a config.py template file.
* New :version command which opens qute://version.
* New back/forward indicator in the statusbar.
* New bindings.key_mappings setting to map keys to other keys.
* QtWebEngine: Support for proxy authentication.
Changed:
* Using :download now uses the page's title as filename.
* Using :back or :forward with a count now skips intermediate
pages.
* When there are multiple messages shown, the timeout is
increased.
* :search now only clears the search if one was displayed
before, so pressing <Escape> doesn't un-focus inputs anymore.
* Pinned tabs now adjust to their text's width, so the
tabs.width.pinned setting got removed.
* :set-cmd-text now has a --run-on-count argument to run the
underlying command directly if a count was given.
* :scroll-perc got renamed to :scroll-to-perc.
Removed:
* Migrating QtWebEngine data written by versions before
2016-11-15 (before v0.9.0) is now not supported anymore.
* Upgrading qutebrowser with a version older than v0.4.0 still
running now won't work properly anymore.
* The --harfbuzz and --relaxed-config commandline arguments got
dropped.
Fixes:
* Exiting fullscreen via :fullscreen or buttons on a page now
restores the correct previous window state
(maximized/fullscreen).
* When input.insert_mode.auto_load is set, background tabs now
don't enter insert mode anymore.
* The keybinding help widget now works correctly when using
keybindings with a count.
* The window.hide_wayland_decoration setting now works correctly
again.
OBS-URL: https://build.opensuse.org/request/show/533709
OBS-URL: https://build.opensuse.org/package/show/network/qutebrowser?expand=0&rev=13