Header Gradient Blobs

This Month in Ladybird
June 2025

Hello friends! June is over, and while many took time off for summer, we still merged 241 PRs from 52 contributors.

Web Platform Tests (WPT)

This month we have 3,455 new passing WPT subtests for a new total of 1,818,766.

As expected, things are slowing down in this area, since we’ve exhausted the low-hanging fruit and are now left with many small things that often require more effort to fix. Of course we still carry on grinding upwards!

CSS logical aliases

Some CSS properties are “logical aliases” for others, for example margin-inline-start. This means that the side or direction they apply to depends on the text direction: for top-down text the “inline start side” is the top; for left-to-right it’s the left; and for right-to-left it’s the right. Ladybird has long understood these properties, but hard-coded them to left-to-right text. We’ve now replaced that with proper checks for the writing-mode and direction properties.

CSS counters on pseudo-elements

CSS counters let authors create automatic numberings similar to those in HTML numbered lists. We’ve improved our implementation by supporting counter properties on pseudo-elements as well.

For example, this is used by terminal.shop to display line numbers:

Before

After

tech() in CSS @font-face sources

We implemented the tech() function in the @font-face src descriptor. Similar to format(), this lets authors declare that the linked font file uses a particular font feature, and that browsers should ignore it if they do not support that. This saves time and bandwidth by avoiding downloading files that we cannot make use of, such as variable fonts or those using incremental transfer. (PR #4983)

Local Storage Persistence

Local storage is now persisted to disk within a sqlite database. Previously, data stored in local storage would be lost when the WebContent process exited, making it work similarly to session storage. This is particularly useful for websites that store access tokens in local storage, such as Discord. (PR #5052)

Offscreen Canvas

We’ve added an initial implementation of OffscreenCanvas. This allows authors to perform potentially complex rendering tasks off the main thread, which can significantly improve the performance of canvas-heavy websites. (PR #3788)

Geolocation

The Geolocation API allows websites to request and monitor the user’s physical location, speed and heading. We have added preliminary support for this API in Ladybird, only returning a single emulated position for now. In the future we will hook this up to the system’s location services together with the necessary permissions and privacy settings. (PR #5169)

Progress on Windows support

One of the most common questions we get: “When will Ladybird support Windows?”

To clarify, the upcoming alpha and beta releases will target Linux and macOS only. That said, community contributors have been making steady progress on a Windows port!

Our JavaScript tests already run on Windows, and the LibWeb engine library builds cleanly. The headless browser and WebContent process don’t run yet, but we’re getting closer.

CI: macOS and Windows

In May, we started using Blacksmith’s action runners, which significantly reduced CI times and sped up pull request iteration.

In June, we brought up a self-hosted macOS runner, removing one of the last remaining bottlenecks in our CI pipeline.
We also added Windows CI support on pull requests, making it easier to review Windows-specific changes.

Security Advisory update

We’ve received a few security reports via GitHub’s private vulnerability disclosure feature and are currently triaging them.

The first report to be fixed came from @intrigus-lgtm, and was featured in a CTF at GPN CTF 2025. One CTF participant shared a writeup on how they exploited the bug here.

Since we haven’t released any alpha or beta builds yet, we’re not publishing formal advisories. That said, these early reports have already shown us how much we need to improve our processes before a stable release.

As we receive more reports and move closer to shipping, we’ll share more about our vulnerability handling approach, in line with our Security Policy.

Credits

We’d like to thank everyone who contributed code this month:

Ali Mohammad Pur, Aliaksandr Kalenik, AmusedNetwork, Andreas Kling, Andrew Kaster, aplefull, ayeteadoe, Bastiaan van der Plaat, Ben Eidson, Callum Law, Carter Snook, Chase Knowlden, circl, Colin Reeder, Daniel Bertalan, devgianlu, Gingeh, Glenn Skrzypczak, InvalidUsernameException, Jelle Raaijmakers, Lucas CHOLLET, Lucien Fiorini, Luiz, Luke Wilde, Manuel Zahariev, mikiubo, Nicolas Danelon, Philipp Dreher, Prajjwal, Psychpsyo, R-Goc, rmg-x, Rocco Corsi, Ruben, Saksham Mittal, Sam Atkins, Semyon Danilov, Shannon Booth, stasoid, stelar7, Tete17, Tim Ledbetter, Timothy Flynn, Tom Lynch, Tomasz Strejczek, Totto16, Veeti Paananen, Viktor Szépe, wesinator