May 17th, 2013· Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
· Improved placeholder management for full-document plugin content, e.g. makes Youtube embeddings more usable on Facebook
May 17th, 2013· Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
May 7th, 2013· Improved placeholder management for full-document plugin content, e.g. makes Youtube embeddings more usable on Facebook
April 30th, 2013· Fixed backward compatibility issue with recent channel cloning changes
· [XSS] Compatibility with certain redirector URL patterns
· [ABE] Fixed latest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
· [Locale] Updated Esperanto
· [Locale] Updated Upper Serbian
April 24th, 2013· [ABE] Fixed latest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
· [Locale] Updated Esperanto (thanks Michael Wolf)
· [Locale] Updated Upper Serbian
April 4th, 2013· Added per-window private browsing support to some background requests
· Improved channel cloning for internal redirections
· Added further Microsoft mail services dependencies to the default whitelist
· [XSS] Fixed character class bug
· [XSS] Fixed potential jQuery-based injection
· Improved handling of some moz-null principal instances in ABE requests
· New 360Haven surrogate lets the site work with 1st party scripts allowed and ads/tracker scripts forbidden
March 12th, 2013· Fixed outlook.com UI broken in Nightly by work-around for bug 677050
· Removed STS support for Gecko >= 4, which provides built-in HSTS
· Work around for multiple object creation causing UI inconsistencies
· [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource()
February 26th, 2013· Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
· "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
· "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
· Inclusion type checks exception for yandex.st
· [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments (thanks RAJAH235 for reporting)
February 21st, 2013· Fixed Google Analytics cross-site checks breaking GMail composition window
February 21st, 2013· Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
· "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
· "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
· Inclusion type checks exception for yandex.st
February 20th, 2013· [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments
February 19th, 2013· Made "Yes, remove all protections" the default button in the removal warning dialog
· [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
· [XSS] Removed host redirection chance on XSS-vulnerable pages
February 11th, 2013· [XSS] Smarter syntax check optimization, removes harmful side effect
February 11th, 2013· [XSS] Fixed bug in broken string literals balancing
February 11th, 2013· [XSS] Obfuscated string literals detection
February 9th, 2013· [XSS] Improved parsing while decoding mixed-charset encoded URLs
· [XSS] Better decoding of maliciously mixed-charset encoded strings
February 8th, 2013· [XSS] Work-around for a Gecko race condition allowing some script-enabled attackers to make the charset-mismatch checks abort prematurely
February 6th, 2013· [XSS] Forced unicode conversions more resilient to invalid input
February 6th, 2013· [XSS] More exotic charset awareness added to script injection checks
· [XSS] Removed limited injection chance allowing redirection of XSS vulnerable pages to an integral IP
· "Security Downgrade Warning" suggests blacklist mode as a better option than uninstalling, to retain scripting-unrelated protections
· Removed legacy uninstall hooks and related localized strings
January 29th, 2013· Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
· [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method
· Allow/Forbid button on the site info page
January 28th, 2013· Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
January 23rd, 2013· [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method
January 18th, 2013· Allow/Forbid button on the site info page
January 15th, 2013· [Surrogate] Less aggressive but more compatible adf.ly surrogate (it automatically skips ad but requires scripts enabled on adf.ly)
· Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent Firefox versions
· [Surrogate] dimtus.com scriptless automatic image revelation
· [Surrogate] imageteam.org scriptless automatic image revelation
· [External Filters] Fixed cache API compatibility issue
December 27th, 2012· [ClearClick] Fixed miscalculations in screenshot comparison
· Fixed wrong placeholder position for standalone HTML 5 video content
· "Appearance" option to hide the "About NoScript" menu item
· Deny loading of any empty Flash object
· Fixed HSB locale (thanks Michael Wolf)
· Fixed forced HTTPS breaks redirects on Firefox >= 18
· Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes
· Fixed broken early HTTP observer on Firefox >= 18
· Fixed anti-popunder surrogate breaking BFCache
December 27th, 2012· Fixed wrong placeholder position for standalone HTML 5 video content
December 22nd, 2012· "Appearance" option to hide the "About NoScript" menu item
· Deny loading of any empty Flash object
· Fixed HSB locale
December 21st, 2012· Fixed forced HTTPS breaks redirects on Firefox >= 18
· Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes
December 19th, 2012· Fixed broken early HTTP observer on Firefox >= 18
December 18th, 2012· Fixed anti-popunder surrogate breaking BFCache
December 18th, 2012· Fixed new placeholder close button being hidden on some Youtube pages
December 17th, 2012· [XSS] Improved compatibility with Twitter's cross-site requests
· Close button on embedding placeholder (like using shift+click on the placeholder itself). Shift clicking the close button bypasses it.
· Fixed placeholders intercepting clicks from overlaid elements
· Fixed unbound embed enablement confirmation dialog size
December 4th, 2012· [XSS] Further tweaks to reduce false positives
· [XSS] The "maybe JS" step now removes leading parens, reducing false positives e.g. on Picasa
· [Surrogate] Work-around for anti-popunder surrogate causing Ebay to recreate phantom cookies on page unload
· Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus) breaking bookmarklets and URL bar Javascript support after being updated for Firefox 17
· Removed some console noise
· [Surrogate] Updated adf.ly surrogate to work with new links
November 22nd, 2012· Fixed Google links anonymizer surrogate interfering with the "Search tools" button
· Fixed impossible to copy lines from Console² if opened by NoScript
· [XSS] Exception for wpcomwidgets.com safe inclusions
· Slightly reduced About box width
November 13th, 2012· [XSS] Better compatibility with Ebay's saved searches
· [Surrogate] Imagebax.com scriptless ads skipping redirection
· Fixed first non-cached page load in a session from about:newtab failing
· Removed legacy XUL script blocking code
· Added optional diagnostic to centralized channel aborting
· Fixed bug in Java URLs resolution
November 2nd, 2012· Improved long URL wrapping for more manageable plugin placeholder tooltips
· Fixed ABE notifications bleeding out of the viewport when very long URLs are involved
· [Surrogate] More efficient deferred script loading and syntax check, saves memory and startup time from unused surrogates
· [Surrogate] Picbucks.com scriptless ads skipping redirection
· [Surrogate] Imagebunk.com scriptless image revealing
· [Surrogate] Picsee.net scriptless image revealing
· Added navigator.doNotTrack property support
October 26th, 2012· Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content allowed) to the default whitelist (required by MS mail services)
· [XSS] Removed false positive on some Google Gadgets; the work-around can be disabled by setting the noscript.filterXExceptions.ggadgets about:config preference to false
· Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference
· Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with FRAMEs and IFRAMEs as well
· Fixed redirections involving sites marked as untrusted causing inconsistencies in page permissions, with JavaScript being blocked even if the site is whitelisted
· Fixed regression on older Gecko versions causing NoScript to believe the browser is proxied when it's not
October 18th, 2012· Work-around for unique origins being assigned to URL bar loads by Gecko 16 and above interfering with some ABE rules
· Work-around for bug 797684 patch causing ABE's Sandbox action to fail
· Work-around for regression from Mozilla bug 797684 fix causing frames not to be blocked correctly in recent >= 18 builds
· Slightly revised About box to make more room for contributors
October 6th, 2012· Fixed synchronous timeout emulation ordering bug in bookmarklet execution on scriptless pages
· [XSS] Fixed comment preprocessing optimization affecting free JavaScript detection
· [XSS] Fixed second order data: URLs sanitization issue
· Fixed meta refresh blocker notification bar broken on Gecko < 4
· Fixed iframe placeholder positioning issue
· Fixed regression in placeholder positioning
· [ClearClick] Fixed false positive on cross-site SVG document embeddings
September 26th, 2012· [XSS] Fixed slow regular expression causing some base64 request payloads to trigger false positives
· Force placeholders to frontmost position e.g. on HTML 5 Youtube content
· New icon for blocked embeddings on globally allowed pages
September 13th, 2012· More reliable Java applet origin identification
· Cross-browser work-around for bug 789773 - nsIWebProgressListener implementations referencing the load's window in onStateChange() (like NoScript or Roboform) cause popup loads to be aborted and the browser to hang on exit
September 5th, 2012· Fixed HTTP checks not being skipped anymore for some chrome-generated XMLHttpRequest requests because of a Gecko 15 change
· Work-around for cloned DOM nodes not retaining additional chrome-attached information anymore, thus breaking placeholders in some cases
· Fixed placeholder post-enablement event channeling broken by Sandbox changes
· Fixed placeholder sizes messed up by changes in Gecko 17
· Work-around for broken content policy call for Java plugin on Gecko 17 and above
August 28th, 2012· [XSS] Fixed false positives on URLs containing an ASP.NET cookieless session identifier
· noscript.eraseFloatingElements about:config preference to switch the mousedown + del key floating popup erasing feature off and on
· Limited the mousedown + del key floating popup erasing feature to pages where scripts are forbidden and to absolute or fixed position elements
· Fixed JavaScript URL non-void expression evaluation in the URL bar causing scripts to get globally allowed
· [XSS] Work-around for a Gecko URL parsing quirk
August 22nd, 2012· [ClearClick] Improved protection against clickjacking timing attacks
· Fine tuned floating div (in-page popup) removal by locking it to the nearest positioned ancestor and swallowing the mouseup event if the DEL key has been hit after last mousedown
August 13th, 2012· Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it (useful to forcibly kill in-page popups when scripts are disabled)
· Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking protection implementation detail
· Disabled LiveConnect interception on Gecko 16 or better, since Java globals have been removed from the DOM
· [XSS] Work-around for Mozilla TBPL DOS
· Fixed Silverlight and Flash scripted initialization patches being broken by recent JavaScript interpreter changes
August 2nd, 2012· Work-around for hp-ww.com misconfiguration (JavaScript files served with bogus content-type header)
July 30th, 2012· [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
· Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height
· [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
· Fixed placeholders for absolutely positioned elements may cause layout glitches
· Fixed interaction with built-in
July 30th, 2012· [XSS] Further reduction in false positives triggered by XML payloads
July 30th, 2012· Further hack to remove the height attribute automatically set on the notification stack by browser tools
July 30th, 2012· Hack to automatically restore the notification bar position as the last of its sibling DOM nodes, as a better work-around for browser tools messing with its height
· Removed ineffective CSS-based work-around for the browser tools splitter messing with NoScript notification's height
July 28th, 2012· [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
· [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
July 24th, 2012· Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height
· Fixed placeholders for absolutely positioned elements may cause layout glitches
July 23rd, 2012· Fixed interaction with built-in Firefox's click-to-play causing infinite object activation loop
July 21st, 2012· Added ability to replace obsolete default whitelist entries
· Replaced browserid.org with persona.org in the default whitelist
· Improved anti-DOS protection
· Better usability with some HTML5 Youtube videos
· Reverted to the ctrl+shift+S main keyboard shortcut
· [XSS] Fixed XML preprocessing breaking detection of some E4X constructs
· [XSS] Protection against error-based SQLI with a XSS payload
July 11th, 2012· Work-around for Mozilla bug 771655 (broken debugger)
· Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is taken by the debugger
· Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks Alex Inführ for reporting)
· Removed assumptions of a body element from some code paths which may handle generic XML documents
June 29th, 2012· [ClearClick] Fixed Tumblr widgets false positive
· [XSS] Fixed false positive with some Base64-encoded Yahoo News subrequests
· Fixed regression, noscript.allowedMimeRegExp not working anymore for plugins other than Java, Flash and Silverlight
· Auto-anchored multi-valued regexp preferences can now be separated by regular spaces rather than just newlines (this behavior was documented but not actually implemented for noscript.allowedMimeRegExp)
June 13th, 2012· [XSS] Updated execution sink checks
· [XSS] Fixed newline parsing bug
· [XSS] Fixed document.cookie minimal assignment false negative
· [XSS] Fixed dotted query parameter names false positives, affecting OpenID, Hotmail and other services
· Fixed some messages being dumped to the console even if logging is turned off
June 12th, 2012· [XSS] Improved E4X handling
· [XSS] Fixed regression allowing some alert-only PoCs
· [XSS] Improved unconventional assignments detection
· [Locale] Corrected he-IL merge
· [XSS] Improved data: URIs detection
· [XSS] More regular expression objects caching as a speed optimization
· [XSS] Removed optimization shortcut causing false negatives on some kind of concatenated assignments
· [XSS] Improved "Maybe JS" heuristic
· [XSS] More aggressive obsolete charsets filtering
June 5th, 2012· [Locale] Updated he-IL
· Fixed early synthetic DNS notification causing blank stripe on the bottom of the first browser window if started maximized or fullscreen
· Removed Firefox 2.x compatibility code
· Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked
May 30th, 2012· Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked
May 28th, 2012· Fixed JS links detection not resolving JS string escapes
· Fixed HTML 5 parser detection in META refresh processing being broken by a removed browser preference
· Fixed exception raised by inclusion type checks when parent document's URI has no host
· [XSS] Better detection of free inline script injections (without string literal evasion) inside function calls
· The noscript.allowedMimeRegExp preference now applies also to Java, Flash and Silverlight mime types
May 21st, 2012· [ABE] IPv6 link-local addresses (fe80::/10) are not considered belonging to the LAN anymore for the purpose of cross-zone request forgery checks in order to safely work-around DNS misconfiguration issues in the wild
· [ABE] Fixed router WEB UI fingerprinting failing on some devices because of redirection loops
· [XSS] Protection against HPP attacks exploiting URL parsing quirks specific to ASP Classic
· Fixed first application updates check failing on Nightly
· [XSS] Fixed false positive regression on some file hosting sites
May 14th, 2012· Fixed first application updates check failing on Nightly (bug 754393)
May 14th, 2012· [XSS] Fixed false positive regression on some file hosting sites
May 11th, 2012· [XSS] Protection against exploitation of classic MS ASP's coalescing of same-name query parameters
· [XSS] Protection against URL injections in window.name
· [XSS] Fixed case-sensitivity bug in detection of unicode escape sequences
· [Surrogate] adagionet.com inclusion surrogate
· Fixed "Allow sites open through bookmarks" regression
· [XSS] Fixed bug in the InjectionChecker tokenization
· Added inclusion type check exception to the lesscss Google Code file repository, often used as a CDN
April 19th, 2012· Smart integration with the new browser-native click to play: if a plugin object is manually allowed from NoScript's UI, it gets also natively activated (noscript.smartClickToPlay about:config preference)
· Improved active content identity tracking, to avoid redundant blocking steps across reloads
· Fixed redirections in legacy frames not being blocked
· [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site
April 9th, 2012· [ClearClick] Work-around for "rapid fire" protection interfering with some add-ons, such as 1Password and FloatNotes
· [ClearClick] Compatibility with Bitdefender TrafficLight
· [XSS] Enhanced InjectionChecker tolerance to certain URL patterns containing domain-names as parameter values
March 27th, 2012· Restored Nightly compatibility, broken by bug 719154
· [ClearClick] improved compatibility with Disqus widgets
· [AddressMatcher] Optimized trailing "*" in glob expressions
· Fixed origin URL detection flawed when certain wrapped URIs are loaded
· [XSS] Fixed false positive with query string patterns mimicking array access
March 17th, 2012· Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail
· [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes
· [ClearClick] Better special-casing for same-site embedded objects
· [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs
· [XSS] Better window.name protection
· [XSS] Improved detection of javascript: URL injections
March 12th, 2012· [ClearClick] Fixed subtle bug which may lead to infinite loops in some cases
March 12th, 2012· Improved InjectionChecker logging
· Reduced false positive rate on HTML injection checks
· [ClearClick] Fixed clicking on some plugin content causing elements of the parent page to become white
· [ClearClick] Fixed minor bugs triggered by ABP placeholders
· [ClearClick] Protection against partial obscuration via Flash objects with OS-native wmode values
· [XSS] Further sensitivity tweaks
· [XSS] Better compatibility with some 3rd party ads on Ebay
· [XSS] Fixed false positive on dotted name-value assignments chained with semicolons (e.g. on some Yahoo-served ads)
February 27th, 2012· [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
· [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks Masato Kinugawa for reporting)
· [XSS] Added event injection checks for scriptless pages too, in order to prevent edge-case execution on permissions change
· [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato Kinugawa for reporting)
· [XSS] Improved HTML detection accuracy
· Better tagging of surrogate sandboxes for about:memory debugging
· Improved glinks surrogate
February 13th, 2012· Fixed about:newtab not considered as a local origin by ABE
· Added blob:, about:memory and about:support to the automatic whitelist
· Added reflected script inclusion check exception for intensedebate.com
· Fixed CSS issues on Gecko 1.8
February 13th, 2012· [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested documents
January 19th, 2012· [ClearClick] Protection against two steps interaction attack based on HTML5 DnD
January 13th, 2012· [XSS] Fixed sanitization reporting bug
January 4th, 2012· [ClearClick] Better compatibility with recent Disqus widget versions
December 20th, 2011· Fixed some localizations having newlines replaced with 'n' characters
December 18th, 2011· Fixed regression in SWFObject emulation for plugin placeholders
· Fixed top-level surrogates broken by ECMAv5 version specification
December 6th, 2011· [Surrogate] Wrapped in lexical scoped blocks scripts also when debug mode is on
· [Surrogate] Early one-time syntax checks on setup
· [ClearClick] Better compatibility with some GMail embeddings
· [XSS] Better compatibility with Visual Studio in-browser documentation
· [ClearClick] Fixed Adblock Plus causing false positives on Fx 3.6
· Improved HTML 5 DnD XSS protection
· [Locale] Lithuanian
December 6th, 2011· Configuration import/export directory is persisted across sessions
December 2nd, 2011· [Surrogate] DOMContentLoad listeners on windows
November 28th, 2011· Protection against a new XSS technique based on HTML 5 DnD
November 19th, 2011· [Locale] Updated he-il
· [ClearClick] Fixed incompatibility with the FoxTab add-on
November 19th, 2011· [XSS] Deeper decoding on sanitization
November 19th, 2011· [XSS] More accurate recursive decoding
November 16th, 2011· [ClearClick] Improved protection against Clickjacking on nested windowed Flash targets
November 10th, 2011· [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec used instead of "1.8"
November 7th, 2011· [Surrogate] JavaScript 1.8 support (thanks al_9x for RFE)
· Better heuristic for XSSI detection
· Removed previous work-around XSSI exceptions
· Fixed some DOM traversal bugs
· Refined Google search meta refresh blocking exception
· Added meta refresh blocking exception for t.co (Twitter URL shortener)
November 7th, 2011· Work-around for XSSI checks breaking some Yahoo! Mail features
November 7th, 2011· New noscript.forbidMetaRefresh.exceptions url pattern preference
· Meta refresh blocking exception for Google Search (blank page shown otherwise if meta refresh blocking is enabled, cookies are disabled for Google and Google Search scripting is forbidden)
October 29th, 2011· Improved anti-popunder built-in surrogate
· Fixed object autowiring upon placeholder activation regressed by recent surrogate sandboxing changes
October 27th, 2011· noscript.xss.checkInclusions about:config preference (default true) controls whether the new protection against reflected cross-site script inclusion (XSSI) is enabled or not
· noscript.xss.checkInclusions.exceptions about:config preference to disable XSSI checks for certain script sources
October 24th, 2011· Protection against reflected script inclusion
· Fixed logged error message on permissions change
October 22nd, 2011· [ABE] Fixed subrequests matching an Anon action rule not being shown in the logs if already anonymized by the browser
October 22nd, 2011· Fixed error console noise regression from menu fixes
October 21st, 2011· noscript.keys.tempAllowPage about:config preference to configure a keyboard shortcut for "Temporarily allow all this page"
· noscript.keys.revokeTemp about:config preference to configure a keyboard shortcut for "Revoke temporary permissions"
· noscript.menuAccelerators about:config preference to switch keyboard accelerators for "(Temporary) allow all this page" menu items on/off
· Fixed notifications get all shown on the top in a tab where one notification has already been shown on the top
· Fixed quasi-leak (zombie compartment) after using the NoScript menu on a page where embedded content is present, until the menu is opened on another page
· [ABE] Fixed Anonymize actions logged twice
October 17th, 2011· [Surrogate] Fixed sandboxed surrogates unable to set global variables
October 17th, 2011· Improved object wiring emulation on placeholder activation
October 12th, 2011· Improved object wiring emulation on placeholder activation
October 10th, 2011· [Surrogate] noscript.surrogate.sandbox preference to control the execution method for inclusion surrogates
October 10th, 2011· Work-around for CORS incompatibility with internal redirects
· Removed legacy threading management support
October 8th, 2011· [Surrogate] Surrogates triggered by content policy calls get executed in a sandbox
· Moved SWFObject and Silverlight patching to early scripts
· Replaced every reference to XHR's "on..." event handler properties with their addEventListener() counterparts, to cope with bug 687332 fallouts
September 29th, 2011· Fixed speculative parsing causing inclusion surrogates to be executed twice
September 23rd, 2011· Fixed missing placeholder for plugin documents when collapsing blocked object preference is set (thanks Mc for reporting)
· Removed problematic "(Temporarily) Allow all on this page" access keys
· Even better heuristic to match id-less replaced embeddings on reload
September 21st, 2011· Better heuristic to match id-less replaced embeddings on reload
September 21st, 2011· [XSS] Better compatibility with Facebook Connect apps
September 21st, 2011· Fixed unblocking HTML 5 media clips from placeholder causes the throbber to spin indefinitely
· Fixed "..txt" (rather than ".txt") being appended as the default file extension when exporting NoScript's configuration / whitelist
· Fixed initial directory incorrectly initialized by the configuration export dialog on some platforms
September 19th, 2011· Facebook Connect surrogate
· Removed outdated anti-anti-adblocker surrogate
September 19th, 2011· Fixed placeholders hard to activate on HTML 5 Youtube videos
September 7th, 2011· [XSS] Improved out-of-the-box compatibility with some Facebook games
· Fixed plugin blocking not working sometimes on file:// pages loaded before any network activity
September 1st, 2011· Google Plus One surrogate
· Removed t.co surrogate, since Twitter implemented a NOSCRIPT fallback
September 1st, 2011· Better load progress feedback for hosts which are not DNS-cached yet
August 24th, 2011· Improved Google Analytics surrogate
· More intuitive handling of the "live" behavior of the ABE ruleset editor when syntax errors are introduced
August 19th, 2011· Fixed OBJECT document inclusions failing under some circumstances
August 17th, 2011· Prevent any website from embedding view-source URIs inside frames
· Firefox 9.0a1 compatibility
August 17th, 2011· Temporarily disabled anti-anti-adblocker surrogate on any site except those explicitly added to noscript.surrogate.ab.sources preference, as a work-around for bug 677652
· Lazy initialization is deferred also when a file:// URL is loaded as the home page
August 13th, 2011· Temporarily disabled anti-anti-adblocker surrogate on any site except those explicitly added to noscript.surrogate.ab.sources preference, as a work-around for bug 677652
· Lazy initialization is deferred also when a file:// URL is loaded as the home page
August 11th, 2011· More accurate work around for bug 677050
August 11th, 2011· Work around for Nightly bug 677050
August 11th, 2011· Fixed rapid-fire cross-site interaction protection interfering with some keyboard-based UI patterns
August 11th, 2011· Fixed Firefox's built-in feed renderer broken unless about:feeds is whitelisted
August 11th, 2011· Plugin origin checks now account for multiple extra-codebase archives
· Work around for HTTPS script inclusions on JavaScript-disabled pages being loaded, albeit not executed
· [ClearClick] Tentative work-around for ABP's "Block..." tab causing false positives on nested documents
August 3rd, 2011· Work-around for content policy inconsistencies in Java applet origins handling
August 3rd, 2011· Surrogate for the t.co Twitter URL shortener, which would otherwise require JavaScript
· USER ruleset conveniently pre-selected when ABE options are opened
· Improved invisible links detection approach
August 3rd, 2011· Fixed bookmarklets from sidebars not working on JS-disabled pages
· Improved Twitter surrogate for Fx 3.x
July 16th, 2011· [ClearClick] Restored compatibility with bit.ly (now bitly.com)
July 16th, 2011· [ClearClick] Refactoring and isolation of the rapid fire protection
July 16th, 2011· [ClearClick] Further refinement of rapid fire detection on tab switching
July 16th, 2011· [ClearClick] Fixed delay on first event response after some kinds of tab switching
July 16th, 2011· [ClearClick] Fixed false positives due to backwards incompatibilities with Fx 3.5 and below
· [Nightly compat] Fixed import/export broken by nsIJSON interface changes in recent nightly builds
July 9th, 2011· ClearClick protection against rapid fire cross-site interaction AKA "double-clickjacking",
July 9th, 2011· ClearClick protection against view-source content extraction attacks
· Current version number shown directly in all the "About NoScript" menu items
· Fixed NoScript icon status not updated when a tab is moved to a new window
July 9th, 2011· Fixed work around for Bug 668690 breaking feed viewer
July 1st, 2011· Disabled NoScript's X-Frame-Options support on Firefox 3.6.10 and above, where it is built-in
· Work around for Bug 668690 affecting Gecko 2.0 and above
July 1st, 2011· Fixed startup error in Nightly due to the merge of event target interfaces in bug 658714
June 30th, 2011· Fixed conflict with Firebug console
· Removed legacy code in content policy and ClearClick
June 25th, 2011· Fixed surrogates causing duplicate history entries for some sites on Firefox 5
· Work around for bug 666371 breaking popunder surrogate and legitimate popups on some sites
June 25th, 2011· Work-around for Nightly bug breaking the "View image" command
· Improved Google Analytics surrogate
June 25th, 2011· HTML 5 media blocking extended to Mozilla's audio API extension
· Improved handling of resource prefetching through object elements
· Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the default whitelist and to the whitelists of Hotmail users, after Microsoft explained that this is the future-proof permission needed to ensure compatibility with the Live webmail
June 25th, 2011· Full page reload is not triggered anymore when invisible plugin objects are activated if the parent page has been loaded by a POST HTTP request
· Full page reload is not triggered anymore on invisible frame activation
· Fixed "Blocked Objects" menu missing on Hotmail inbox
· Object elements used to prefetch JavaScript and CSS content are not blocked anymore, provided that the parent is whitelisted. This behavior can be disabled through the noscript.allowCachingObjects about:config preference
June 25th, 2011· Added msc.wlxrs.com to the default whitelist as requested by the Hotmail team (new domain required for Hotmail to work)
· One-time merge of the default whitelist to integrate services already whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
· Work-around for scripts served from amazonaws.com having wrong media type sometimes
June 13th, 2011· Work-around for an unfixable (JavaScript fragments get actually uploaded cross-site) false positive on Verizon login
June 11th, 2011· Work-around for an unfixable (JavaScript fragments get actually uploaded cross-site) false positive on Verizon
June 11th, 2011· Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing noise on trunk after bug 311007 landed
June 11th, 2011· Improved embedded object activation on Javascript-enabled pages via dynamic method proxies
June 1st, 2011· Reduced request garbage collection frequency
June 1st, 2011· Fixed toolbar button hidden in popup windows
May 28th, 2011· Fixed placeholders broken on trunk after fix for Gecko's bug 308590
May 28th, 2011· Added paypal.com and paypalobjects.com to the default whitelist, to cope with the new in-page contribution setup at AMO and reduce XSS risks
· Improved toStaticHTML() emulation
May 28th, 2011· Fixed broken toolbar button on first window opened during first run ever on Firefox 4.x
May 28th, 2011· Tentative fix for double HTTP requests sent sometimes upon DNS refresh
· Fixed XSS false positive on Google's Talk Gadget loading
May 28th, 2011· Improved bookmarklet execution handling (thanks @nomaded for reporting)
· Compatibility bump for Fx 7.0a1
May 28th, 2011· Further and less likely ASP-related tricks in InjectionChecker
· Fixed bookmarklets and JavaScript URLs broken in about:blank unless imports are allowed
· JavaScript URL bar shortcuts are now treated as bookmarklet and executed by default
May 28th, 2011· More ASP idiosyncrasies taken into account by InjectionChecker
May 28th, 2011· Fixed false positive in anti-exfiltration HTML injection checks
May 21st, 2011· Fixed rc2 frame blocking regression
May 21st, 2011· Per-site WebGL blocking support (WebGL is implicitly disabled wherever JavaScript is not allowed; it can be blocked on any other site by checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site by clicking on a placeholder of the blocked canvas or by using the "Blocked objects..." menu if no canvas had been inserted in the page)
May 21st, 2011· Work-around for Cocoon add-on being broken by NoScript's early usage of the IO Service
May 21st, 2011· Fixed plugin documents can't be opened in NewsFox if embedding restrictions are in place
May 21st, 2011· Fixed broken anti image exfiltration rules in HTML injection checks on noscripted pages
May 21st, 2011· Fixed recent memory optimizations breaking compatibility with some extensions
April 30th, 2011· [L10n] Updated ro
· Restored some locales gone missing in previous dev build
April 11th, 2011· Improved XML prescreening
April 11th, 2011· Halved startup time
April 6th, 2011· More robust surrogate execution
April 6th, 2011· Label automatically hidden when NoScript's toolbar buttons are added to the add-ons bar
April 1st, 2011· Fixed AddressMatcher broken by RegExp changes in latest Minefield
March 28th, 2011· Fixed ABE options panel regressions due to the changed storage
March 28th, 2011· Removed googlesyndication.com from the default whitelist
· Added securecode.com ("Verified by VISA") to the default whitelist, in order to prevent surprise transaction failures
· [XSS] Exception for POST requests coming from a secure albeit not whitelisted Verified by Visa (securecode.com) origin
· [ABE] Fixed bug causing excessive console noise from permissive rules
· Updated locales
March 28th, 2011· Fixed various Script Surrogate inconsistencies
March 28th, 2011· [ABE] Rulesets now are stored as preferences rather than files for faster startup (less I/O) and more consistent settings management
· [ABE/Sync] Rulesets are integrated into Firefox Sync for preferences too
· On first Firefox 4 run toolbar icon now gets added to the add-on bar instead of the navigation bar if the latter is invisible, even if the former is invisible as well (many users seem to expect it there)
· Fixed additional toolbar buttons too wide when labels are shown
· Fixed some Script Surrogate regressions
· Work around for alert on new windows due to Mozilla's bug 608628
· Fixed placeholder not shown for embed elements placed inside invalid object elements
March 28th, 2011· Firefox Sync integration can be switched off through the noscript.sync.enabled about:config preference
· Fixed false positive regression from recent Firefox 4 optimizations
March 28th, 2011· Further version-specific Script Surrogate optimizations
March 23rd, 2011· First shot at Firefox Sync native integration, synchronizes everything except custom ABE rules
· [ABE] Optimized origin tracing
· [ABE] INC(MEDIA) subtype matching HTML5 video and audio requests
· [ABE] INC(FONT) subtype matching font embedding requests
· Huge refactoring in regular expression usage to optimize for Fx 4
· Script Surrogate optimization
March 21st, 2011· [ABE] Work-around for some Java plugin requests bypassing HTTP observers
· [ABE] Media HTML elements and plugin sub-requests are matched by the OBJ inclusion subtype
· [ABE] Font requests are matched by the OTHER inclusion subtype
March 14th, 2011· Fixed iframe content being sometimes opened in new tabs on Fx 4 when ABE is enabled and DNS cache is missed
March 8th, 2011· Fixed spaces in ipecho response breaking WAN IP detection with one of the mirrors
· Experimental built-in profiler for debugging purposes
March 4th, 2011· Fixed spaces in ipecho response breaking WAN IP detection
· Experimental built-in profiler for debugging purposes
March 4th, 2011· Compatibility with Fire.fm
· [XSS] Compatibility with latest Readability
· Tentative work-around for a WAN IP detection issue after sleep/wakeup
March 4th, 2011· Forced text-plain on documents which miss a content-type header but send "X-Content-Type-Options: nosniff"
· Increased compatibility of the X-Content-Options implementation
March 4th, 2011· Work-around for surrogates not being executed on latest Fx 4 builds
· X-Content-Options implementation more compatible with Browserscope
February 28th, 2011· Fixed AJAX fallback last-minute breakage
February 28th, 2011· Improved XSS filter to protect against potential risks from new HTML 5 features
· AJAX fallback support via Google's _escaped_fragment_ recommendation, can be disabled by toggling the noscript.ajaxFallback.enabled preference
· New noscript.placeholderLongTip about:config preference to control whether embedding placeholder tooltips should include query strings and hash fragments or not (true by default)
February 15th, 2011· Fixed empty tooltip for embedded placeholder on some RTL pages
· Truncate URLs in placeholder tooltips at the query string or hash, to increase readability
· Increased WAN IP checks interval to 1 hour reducing log spam on routers
· Removed some obsolete code
February 15th, 2011· Fixed all IPv6 addresses in fc80::/24 subnet being erroneously treated like link-local addresses
· Fixed "Unsafe Reload" not working for sanitized POST requests from untrusted to trusted sites
· Better compatibility with Paypal button hosted on non-whitelisted sites
February 7th, 2011· [UI] Fixed toolbar button being added on the right of the window resizer when Fx 4 is run for the first time with NoScript and the add-on bar is visible
· [UI] Hitting the "show UI" shortcut (ctrl+shift+S) a second time dismisses NoScript's popup menu (thanks jso for RFE)
· Restored header reordering after DNT header is added, in order to match Firefox 4's header fingerprint
January 31st, 2011· Fixed status label menu popping up in a wrong position
· Updated locales
January 31st, 2011· Fixed external filters submenu not removed when external filters are disabled
· Blocked objects menus show IFRAME/FRAME rather than mime type info for blocked frames
· Restored legacy status label by popular request
· Sticky menu can be triggered by left clicking on status label now
January 29th, 2011· Work-around for menu icons hidden with some Linux distros and themes
· Changed the X-Do-Not-Track header name to DNT in anticipation of an IETF Internet-Draft, per Jonathan Mayer
· noscript.doNotTrack.forced gets honored for local addresses now
· Fixed partial external filter definition could not be saved
· Fixed empty external filter whitelist could not be validated
January 29th, 2011· Fixed exception on cross-site POST requests from URIs not supporting the host component
· Fixed JS redirection detection being activated also on whitelisted pages sometimes
January 29th, 2011· 64x64 icon for Fx 4's add-ons manager
· Fixed bookmarklet execution machinery active even when JavaScript is disabled by Firefox's content options
· Tentative work-around for toolbar button being oriented vertically in some themes, disrupting toolbar's layout
· More updated locales
January 29th, 2011· Fixed a ClearClick bypass possible to whitelisted attackers who can run JavaScript
· Updated locales
· Improved K-Meleon portability (thanks jk- for RFE)
January 19th, 2011· Fixed X-Do-Not-Track after a DNS cache miss causing some embedded content requests to fail
January 19th, 2011· Fixed NoScript toolbar buttons having wrong orientation in "icon and text" mode
January 19th, 2011· Fixed toolbar button does not open the menu (unless you click the little arrow) if you disable hovering and toggling
· Removed dynamic localization fallback at runtime
· Added static localization fallback to the build system
· Localization layout cleanup
· Legacy files cleanup
January 19th, 2011· Removed toolbarbutton-specific stylings
· Better web compatibility for X-Content-Options
· Better home router compatibility for X-Do-Not-Track
January 19th, 2011· Fixed DoNotTrack exceptions/forced patterns not being enforced
· Tentative work-around for basic HTTP authentication failing with some servers when X-Do-Not-Track is sent
January 5th, 2011· Fixed some cross-site requests containing JSON-like fragments broken
December 29th, 2010· Fixed forbid META refresh inside NOSCRIPT elements regression
December 29th, 2010· Fixed partial options dialog breakage (ClearClick and Import/Export)
December 29th, 2010· Removed JAR blocking (obsolete in supported browser versions)
· Removed emulated TLD service
· Hidden status bar icon option on applications which have no status bar
· Fixed noscript.doNotTrack.* preferences not being honored
December 29th, 2010· Fixed wrong popup position on status bar icon (Fx 3.6.x and below only)
December 29th, 2010· X-Do-Not-Track and X-Behavioral-Ad-Opt-Out (tracking opt-out) support, controlled by the noscript.doNotTrack.* about:config preferences
· Restored "left+click on NoScript icon reopens the menu in legacy mode even if it's already opened in hover mode" feature
· Fixed bug preventing channel replacement when the HTTP method changes
· Embedded permissions are now bound to the embedding site
· Fixed permissions keys for Flash embeddings include FlashVars PARAMETER elements, rather than just attributes
· Fixed embedding permission changes not honoring disabled autoreload preferences
December 29th, 2010· Middle clicking toolbar button temporarily allows all on current page
· Removed forced embedding opacization legacy feature
· Removed tooltips from icons spawning hover UI
· Disabled permission toggling on left+click for hover UI toolbar buttons (can be reenabled by setting noscript.hoverUI.excludeToggling to true)
· Fixed notification regression
December 29th, 2010· No extra spacer added on addon-bar during first customization
· Long menus automatically scroll to the bottom when opened from the bottom of the browser
· Fixed legacy status bar icon switching permissions on left+click like the toolbar button
· Fixed legacy status bar icon always getting "after_start" popup position
December 29th, 2010· Improved anti-popunder surrogate
· Check for UI accessibility of Firefox 4 with hidden addon-bar and automatic installation of toolbar button on fail
· Fixed whitelisted iframe blocking getting in the way of web content embedded by privileged tabs (e.g. Firefox 4's add-on manager)
· [ClearClick] slightly shorter viewport to accommodate Facebook's "Like" mini buttons
· Fixed tooltips getting in the way of hover UI
· Removed status bar label
· Fixed regression: permissions changes on sites with non-standard ports failed to trigger page reload
· Fixed layout issue triggered by JS redirect detection
December 15th, 2010· Fixed new IFRAME-based Youtube embedding method broken on non whitelisted pages with embedding restrictions
December 15th, 2010· Fixed toolbar buttons icon size on Firefox 4 Windows theme
· XSS check on permissions changes, suppressing events and forcing filtered reload if an injection is found
· Fixed graphic glitches on menu showing with accelerated graphics
· Fixed permission changes causing unrelated tabs to be reloaded when automatic permissions had been previously granted
December 15th, 2010· Fixed unhandled exception caused by LiveConnect interception logging
· Optimized QueryInterface generation
· [ABE] 6to4 IP addresses support
· Fixed LiveConnect interception firing a dummy JVM sometimes on Gecko 2.0
December 15th, 2010· LiveConnect interception time reduced by 10 on Firefox 3.6 and by 100 on Firefox 4 (about 1ms each)
· Restored LiveConnect interception logging (LOG_CONTENT_INTERCEPT mask)
· Fixed bug in fake redirections code, causing it not to honor the redirection limit settings
· [XSS] Improved SQLXSSI detection accuracy
· Updated revsci surrogate
November 26th, 2010· [XSS] Detection and filtering of hexadecimal and binary encoded reflected XSS through MySQL injection, partially found and disclosed (raw hexadecimal variant only)
November 26th, 2010· Bug fixes and improvements in LiveConnect interception
· Fixed random "win is null" error message (thanks timeless for report)
November 26th, 2010· Java packages exposed by LiveConnect on the window object are made inaccessible wherever Java is blocked by embedding restrictions
November 26th, 2010· [ABE] Work-around for Flash video playback and other HTTP subrequests from plugins sometimes failing on latest Minefield builds
November 26th, 2010· [ABE] Fixed 2.0.6rc1 regression: broken internal redirections
November 26th, 2010· "Security and privacy info" pages shown also by middle-clicking items in NoScript Options|Whitelist (thanks dhown for RFE)
· [XSS] Better compatibility with 4shared embedded movies
· [ABE] Fixed regression: Anon action interfering with IFrame blocking when DNS record for current request is cached (thanks al_9x for report)
November 12th, 2010· Improved LoadGroup integration of the new internal redirection machinery for better loading progress feedback.
November 12th, 2010· Fixed stability issue when forcing HTTPS on images
November 12th, 2010· Faster and more "correct" hack for internal redirections
November 12th, 2010· Experimental asynchronous channel replacement for ABE and HTTPS enforcement, should prevent issues with image caching
· Work-around for Google/Youtube bug, sending "Content-Type: text/plain" header for script files even with "X-Content-Type-Options: nosniff" (see http://forums.informaction.com/viewtopic.php?f=7&t=5304)
November 12th, 2010· Fixed automatic allowing for XMLHttpRequest of sites with explicit port numbers whose domain is allowed (thanks evanpelt for reporting)
October 29th, 2010· Better logging for the "X-Content-Type-Options: nosniff" activity
· noscript.nosniff about:config preference to control whether "X-Content-Type-Options: nosniff" is enforced (true, default) or not (false)
October 29th, 2010· "X-Content-Type-Options: nosniff" support
· Fixed using bookmarklets with noscript.allowBookmarkletImports set to false erroneously adding current website to the JavaScript whitelist
October 18th, 2010· Fixed right-click on the toolbar button switching permissions
October 18th, 2010· Bold "Recently blocked" menu and items which have been attempted to load from the currently displayed web site (thanks therube for RFE)
· Removed legacy (pre Fx 3) notification code
October 6th, 2010· Changed noscript.forbidIFramesContext about:config preference default to 3 (same base domain) to ensure better usability on complex sites (e.g. new Twitter) for people who are blocking iframes on trusted sites
· Optimal sensitivity calibration for Hover UI trigger events
September 29th, 2010· Improved Hover UI usability with the noscript.hoverUI.delayStop about:config preference, dictating how many milliseconds the mouse must stand still on NoScript's icon before NoScript's menu is displayed
September 29th, 2010· Surrogate scripts are no longer wrapped inside anonymous functions, in order to allow top-level variables to be forced read-only by using the const keyword; built-in surrogates have been retrofitted to prevent scope clashes, by adding anonymous function wrappers as needed
September 29th, 2010· Configurable enter and exit delays for the hover UI behavior, via noscript.hoverUI.delay* about:config preferences
· Improved compatibility with very short frames (like the top bar on www.blogger.com)
· Removed legacy code specializing TYPE_OTHER
September 21st, 2010· Work-around for first script element in body of a framed document not being executed unless password manager is enabled on Minefield
· Work-around for surrogates not being executed in frames on Minefield
September 11th, 2010· Improved compatibility of the popunder surrogate
· Fixed broken meebo.com detached windows
· Updated it-IT
September 4th, 2010· Further FBML compatibility improvements
August 31st, 2010· [HSTS] Fixed SSL certificate error pages not being patched (removing the expert interface) when a broken HSTS site is open for the first time
August 21st, 2010· Fixed optimization bug which may lead to slower checks on specific source patterns
August 21st, 2010· Huge InjectionChecker speed optimization, prevents most DOS false positives caused by checks timeout (thanks Sylvia Oberstein for report)
August 18th, 2010· [Surrogate] Fixed fallback regression
August 7th, 2010· [ABE] noscript.abe.localExtras about:config preference can specify net resources (space separated IPs and/or subnets) to be considered as LOCAL by ABE, in addition to the "regular" private subnetworks and the auto-detected WAN IP
· [ClearClick] Better compatibility with iframes containing very tiny pages (e.g. horizontal Flattr buttons)
· Fixed page-level surrogates not always being executed inside iframes
· [XSS] Fixed XML tags with no attributes which are homonymous with "sensitive" HTML tags triggering XSS false positives
August 7th, 2010· Forced NOSCRIPT element activation is not triggered for sources marked as untrusted
· Update for Firefox 4.0b4pre compatibility (bug 546606)
August 7th, 2010· Improved interaction between surrogates and NOSCRIPT element activation
· Fixed potential recursion issue during DNS resolution on SeaMonkey trunk
· Fixed https://bugzilla.mozilla.org/show_bug.cgi?id=584334
· Fixed using IPv6 URL syntax causes confusion to some proxies
· Compatibility checks updates
August 7th, 2010· [ABE] "X-ABE-Fingerprint: Off" header can be sent by web servers which don't want / need to be fingerprinted by ABE's WAN IP protection
· [ABE] User agent header "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" is sent to help administrators finding info about ABE's fingerprinting
· [ABE] Fingerprint checks are performed every 15 minutes, rather than 5
· Fixed early access to document.documentElement breaking XBL bindings on SeaMonkey trunk
August 7th, 2010· Fixed meta redirections being broken sometimes when a NOSCRIPT element activation is forced on a JavaScript-enabled page
July 28th, 2010· [Surrogate] Fixed Google thumbs surrogate broken by recent Gecko changes
· [ClearClick] Work-around for client(Height|Width) miscalculation
July 28th, 2010· Full hand-over to InjectionChecker for untrusted origin requests as well
· More efficient UI synchronization system
· Fixed status icon not being correctly updated when a new script source gets added after page is loaded
July 28th, 2010· More web-compatible NOSCRIPT element handling on mixed permissions pages
July 28th, 2010· WAN IP checks logged on Error Console (thanks al_9x for RFE)
July 28th, 2010· Experimental cross-zone CSRF protection for flawed routers which expose their WAN IP on their LAN interface (thanks al_9x for report)
July 28th, 2010· Anti-anti-adblocker generic page-level surrogate
· Minimal surrogates for several ad/tracking sources
· Revsci surrogate (thanks al_9x)
· Work-around for medicare.gov "benign" XSS
July 28th, 2010· Fixed X-Frame-Options being checked for plugin embeddings as well (thanks Richard Johnson for reporting)
July 28th, 2010· External filters now receive the object URL as their 4th argument
July 15th, 2010· ABE built-in ruleset editor
· Button to reset ABE's defaults
· Fixed setting noscript.cp.last to false causing embeddings not to be blocked
· Fixed 2nd order InjectionChecker bypass (thanks Sirdarckcat for report)
· External filters now receive the object referrer as their 3rd argument
July 7th, 2010· Emergency fix for a page reload bug on Mac OS X causing high CPU consumption after permission changes (thanks "D A" for reporting)
July 7th, 2010· Improved ClearClick clipping accuracy on framesets
· Improved ClearClick clipping accuracy on nested scrolling elements
July 7th, 2010· Fixed work-around for Mozilla's bug 576492 breaking NoScript on browser restart
July 7th, 2010· Support for the latest Gecko 2 XPCOM changes
· Work-around for Mozilla's bug 576492
July 7th, 2010· noscript.surrogates.debug preference enables console logging of uncaught exceptions happening in surrogates (thanks al_9x for suggestion)
· Better error handling in surrogates, prevents a failing script from aborting the others
· Improved AMO surrogates, allows right-click menu to work on install buttons (thanks Mc for reporting)
July 7th, 2010· Fixed bug on edge case minimum placeholder size computation when object to be replaced is out of the current viewport
· Version compatibility bump for Firefox 4.0b2pre
· Fixed regression: untrusted icon not being shown when all the sources of a page are untrusted (thanks al_9x for reporting)
July 7th, 2010· window.toStaticHTML implementation
· Improved placeholders for embeds nested in ActiveX OBJECT elements
July 7th, 2010· Surrogate for Google Search thumbnails when Google is not whitelisted
· Automatic reload on permission change setting now affects pages containing embeddings which change status too, whose reload can be also forced through the noscript.autoReload.embedders preference:
· never reload
· inherit the noscript.autoReload setting
· force reload
· Prevent reload on pages where a 3rd party script changed its permissions status but the top-level is forbidden and unchanged
· Surrogate to use InstallTrigger on AMO even if addons.mozilla.org is not whitelisted
June 25th, 2010· Fixed ClearClick false positives on Fx 3.5 and below
· Compatibility version bump for SeaMonkey trunk
June 25th, 2010· Fixed '@' surrogates being run on scriptless pages
· Recentering on the parent form for ClearClick checks over a form widget reduces false positives over obstructed frames
June 24th, 2010· Fixed Script Surrogates activation glitches
June 24th, 2010· Fixed wrongly sized placeholders on Youtube (regression from rc1)
June 24th, 2010· More accurate feedback on nested object blocking
· External filters command line template updated with request origin as the 3rd argument
June 24th, 2010· imagebam surrogate kills popups over images and popunders on click
· imagehaven surrogate kills popups over images and popunders on click
· inserstitialBox surrogate kills interstitial on imagevenue.com
· "!@" prefixed surrogates run no matter whether scripts are enabled or disabled for the page (in a DOMContentLoaded event handler)
· Fixed JS redirect handling causing duplicate object placeholders on scriptless pages containing embeddings only
· Fixed ABE's SELF checks fail on redirects which contain a browser URL
June 24th, 2010· Fixed bookmarklets support on non-whitelisted pages broken in non-Places browsers like SeaMonkey
· Better icon feedback on page where there's no script element but some plugin content has been blocked
June 24th, 2010· Fixed ClearClick false positives when RTL content or browser settings put the vertical scrollbar on the left
· Fixed setting noscript.checkInjectionType to false did not disable the feature
· More accurate embedded object replacement
June 24th, 2010· Fixed Places-related bug on Minefield (thanks mpz for reporting)
· noscript.forbidIFrameContext=3 (allow same base domain) falls back to 2 (allow same domain) if either the parent or the frame is marked as untrusted
June 24th, 2010· More compatible docShell reaching, works around some buggy extensions which wrap browser.webNavigation just partially
· InjectionChecker's XML reduction more compatible with SAML
June 18th, 2010· Optimal timing for page-level surrogates in frames
· ClearClick exceptions are considered independently from the JavaScript whitelist as they should
· More consistent web bugs blocking with forced NOSCRIPT elements, take 2
June 18th, 2010· Inclusion type checks try to infer file type from directory-like URLs
· More consistent web bugs blocking with forced NOSCRIPT elements
· Fixed object placeholder regressions in Gecko < 1.9
June 18th, 2010· Improved URL parsing in META refresh interception
· Optimized * universal pattern in AddressMatcher
· Better error reporting during the execution of location bar scriptlets
June 18th, 2010· Better timing for page-level script surrogates inside frames
· mime/type@http://site.com syntax support for noscript.allowedMimeRegExp preference
· Improved XSS checks accuracy (less false positives) and performance
· Enhanced management of recent Silverlight versions
June 18th, 2010· More accurate checks for META inside NOSCRIPT with HTML 5 parser
· Fixed possible DOS condition on some kinds of very long URLs
June 18th, 2010· Improved heuristic for background refresh automatic blocking and reenablement
· Fixed regressed "Follow" button on META refresh inside NOSCRIPT element
June 18th, 2010· Fixed some sites refreshing themselves even if another load has been initiated
June 18th, 2010· More discreet and automated anti-tabnabbing protection (refreshes are blocked on unfocused tabs and get automatically executed only when tab gets in focus again)
· Slight optimization of AddressMatcher tests on .site.com clauses
· Fixed noscript.forbidBGRefresh.exceptions not being honored
· Better handling of error conditions happening during ABE's channel replacement internal redirections
· Fixed minor feedback icon glitches
May 28th, 2010· Experimental blocking of page refreshes happening inside untrusted unfocused tabs, should provide protection against Aviv Raff's scriptless "tabnabbing" variant. Enabled by default, can be controlled through the noscript.forbidBGRefresh about:config integer preference
· 0 - no blocking
· 1 - block refreshes on untrusted unfocused tabs
· 2 - block refreshes on trusted unfocused tabs
· 3 - block refreshes on both trusted and untrusted unfocused tabs
· Address patterns matching pages which shouldn't be affected can be listed in the noscript.forbidBGRefresh.exceptions preference
· Fixed XSS false positive in new 3.7 add-ons
· Fixed meta-refresh URL parsing mismatch
· Fixed import script surrogates being broken by a 1.9.9.79 regression
May 28th, 2010· Fixed "Partially allowed scripts" icon shown instead of the "Scripts allowed but some objects blocked" one when the blocked objects' domains are not whitelisted for scripting
· Fixed "Scripts allowed but some objects blocked" icon not being used for blocked web fonts
· (ABE) Deny on INCLUSION doesn't trigger a notification even if the blocked request is for a subdocument (the blocking is logged in the Console, use SUB if user-facing notification is needed)
· Fixed privileged XMLHttpRequests for untrusted resources being blocked if HTTP redirections occurred
· Better compatibility with IronPort web-based tools
May 22nd, 2010· Script surrogates whose source starts with '!' get executed on pages where scripts are disabled (on document DOM completion, rather than before HTML parsing starts like regular surrogates)
May 22nd, 2010· Redirect cache for scripts and XBL only
· Fixed cross-site CSS being blocked under some circumstances (e.g. on Flickr and Yahoo)
May 22nd, 2010· ABE INCLUSION(type1, type2, type3...) pseudo-method allows rules to take request type (e.g. SCRIPT vs CSS) into account
· ABE SELF+ (same domain) and SELF++ (same base domain) pseudo-origins
· Fixed iconic feedback inconsistencies when untrusted blocked objects are mixed with full-trusted content
· Fixed Injection Checker false positives on some kinds of complex nested URLs
· Tweaked ClearClick for Disqus compatibility
May 22nd, 2010· Fixed broken menu on Minefield when External Filters are enabled
· Fixed about: URL not being shown in NoScript menu
· Removed minor strict warnings on Minefield
May 22nd, 2010· Redirected site caching now skips plugin content
· Removed __parent__ usages for Minefield compatibility
· Removed some strict warnings
May 3rd, 2010· Fixed false positive issue with empty cross-site POST requests (thanks Bahamut for reporting)
May 3rd, 2010· Fixed potential double-firing command issue on Firefox Mobile
· Added about:addons and about:home to the mandatory whitelist
· Improved responsiveness and usability on Firefox Mobile
May 3rd, 2010· Fixed configuration import/export/synchronization bug introduced by "configuration presets" for Firefox Mobile
· Finger-friendlier UI on Firefox Mobile
April 30th, 2010· Added "Allowed with untrusted sources and blocked objects" icon
· Fixed minor inconsistencies in new partial allowance feedback icons
April 30th, 2010· Compatibility and better integration with latest Firefox Mobile
· Experimental external filters for plugin content (e.g. Blitzableiter for Adobe Flash), see NoScript Options|Advanced|External Filters (Fx >=3.5)
· New specific partial status icon for pages where all scripts are allowed but some objects are blocked
· "about:blank" won't be shown as a secondary source in NoScript's UI. Old behavior can be restored by setting the noscript.showBlankSources preference to true
· googleapis.com in the default whitelist
· Fixed 2nd order indirect InjectionChecker bypass (thanks Sirdarckcat for reporting)
April 21st, 2010· Further compatibility improvements in complex bookmarklets handling
April 21st, 2010· Better asynchronous bookmarklets handling, should not crash on Readability anymore
· Ultimate (maybe!) fix for trunk bug 556739 breakage
April 21st, 2010· Better fix for trunk bug 556739 breakage
April 19th, 2010· Further embed-only sites in menu fixes (thanks al_9x for reporting)
April 18th, 2010· Fixed bookmarklet support broken on trunk by bug 556739 (thanks dhouwn for reporting)
April 18th, 2010· Better untrusted menu behavior on embedding only sources (thanks al_9x for reporting)
· Improved InjectionChecker compatibility with OpenID and other complex requests (thanks Jamie Cox for reporting)
· Fixed accurate Base64 injection checks breaking some encrypted Paypal buttons
April 15th, 2010· Removed ":0" wildcards from NoScript menu in ignorePorts=false mode to prevent confusing behaviors (thanks al_9x for suggestion)
· Embedding-only sites are shown in the Untrusted menu if placeholders are set to be hidden for untrusted embeddings (thanks al_9x for suggestion)
April 15th, 2010· Improved XSS filter sensitivity for Base64-encoded payloads (thanks Stefano Di Paola for suggestion)
· Improved Facebook connect compatibility (thanks Peter Alexander for reporting)
· Removed __count__ usage in DNS cache management (SpiderMonkey compat)
· Fixed "Attempt to fix Javascript links" not working when the javascript: scheme is mixed-case (thanks al_9x for reporting)
April 6th, 2010· Fixed InjectionChecker infinite recursion bug on certain requests (thanks dhouwn for reporting)
· Fixed plugin activation patches not being applied under some circumstances
April 6th, 2010· Pluggable site info page can be opened by middle-click or shift+click on any site entry in NoScript's menus, and can be configured by editing the noscript.siteInfoProvider about:config preference
· More user-friendly management of non-standard TCP ports
· Fixed release notes page sometimes breaking session restore
· Locale files maintenance
· Object sources won't appear in main menu when embedding restrictions apply to whitelist; previous behavior can be restored by setting the noscript.alwaysShowObjectSources preference to false (thanks al_9x for RFE)
April 6th, 2010· Better management of cached requests
· Fixed allowing objects from "Blocked objects" reloading only the first of each URL/mime pair group (thanks al_9x for reporting)
· Improved Facebook widgets compatibility (thanks Peter Alexander and Chuck Mullen for reporting)
· Fixed "Allow scripts globally" setting being ignored by the bulk configuration import feature (thanks Mike Perry for reporting)
· Fixed "Mark as untrusted" menu items being shown in "Allow scripts globally" mode even if both "Untrusted" and "Mark as untrusted" are unchecked in the Appearance options tab (thanks Mike Perry for reporting)
· Improved bookmarklets support
· Minor bug fixes in jolly port matching
· Improved Anti-Popunder surrogate (thanks justaguest for reporting)
April 6th, 2010· Fixed HTMLObjectElement plugin content being blocked by X-Frame-Options checks
March 18th, 2010· Fixed feed subscription broken on sites implementing X-Frame-Policy (regression from 1.9.9.56)
· Included js.wlxrs.com in default whitelist in order to make Hotmail login work out-of-the-box for new users
March 18th, 2010· More reload-friendly and permission-friendly X-Frame-Policy error page
· Fixed bug in method surrogation for replaced/blocked plugin objects
March 18th, 2010· Method surrogation for replaced and blocked plugin objects
· Regression fix: documents loaded in object elements not being checked for X-Frame-Policy anymore
· Performance and accuracy improvements in plugin placeholder handling
March 18th, 2010· Improved Flash version detection emulation
March 18th, 2010· Remote whitelist and blacklist subscription, controlled by the noscript.subscription.trustedURL and noscript.subscription.untrustedURL about:config preferences
· Fixed: lists export feature shouldn't include temporary and mandatory entries
March 18th, 2010· Version bump for latest trunk apps compatibility
March 18th, 2010· Better bookmarklet imports management, more compatible with not cached 3rd party scripts
· Fixed: manually allowing a domain should always imply addresses with ports if noscript.ignorePorts is true
February 27th, 2010· Updated ABE grammar to use new AddressMatcher syntactic sugar
· Alert about ABE syntax errors when option dialog gets focused after a ruleset editing
February 27th, 2010· .x.y AddressMatcher syntactic sugar, matching both x.y and *.x.y
· InjectionChecker speed and accuracy improvements
· Fixed top-level site not being correctly positioned and highlighted in permissions menu sometimes
· Fixed post-XSS "Unsafe reload" not working properly sometimes
February 27th, 2010· Fixed a second level InjectionChecker bypass, requiring an open redirect which accepts and uses unfiltered data: URIs. Responsible disclosure by the SecuriTeam Secure Disclosure (SSD) project
· Fixed reload on permission change being triggered on the nearest 10 tabs only
· Fixed permanent address entry being added to the whitelist if domain is already allowed upon bookmarklet execution
· Better UI behavior for URLs with non-standard ports
· Updated nb-NO localization
February 13th, 2010· Fixed XSS checks skipped on some reloads
· Improved content placeholder management
· Mobile version bump
February 13th, 2010· Fixed unneeded tab reload issue related to untrusted subdomains
· Optimized reload checks for the "hundreds of tabs" case, in order to prevent UI locking
· Improved XSS checks on file uploads, should not hang even on gigabytes
· Trunk compatibility version bump
February 5th, 2010· Enhanced compatibility with Paypal encrypted buttons
· Fixed some anti-popunder surrogate incompatibilities
February 5th, 2010· Fixed allowing a Flash object causing a page reload sometimes
· Script Surrogate to work around Facebook's "noscript" cookie
· Fixed minor incompatibilities caused by the anti-popunder surrogate
February 5th, 2010· Fixed broken popup issue on some sites
· Fixed ghost sites in context menus on about:blank after a complex frame structure with redirects has been shown in the same tab
· Fixed XSS false positive on certain nested URL patterns
January 28th, 2010· ClearClick: more efficient code paths specific to Fx 3.6 and above
· Fixed zoom-related ClearClick false positives on Fx 3.6 and above
· Fixed fonts being reported as "unknown" type in Blocked Objects menu
January 28th, 2010· Fix for newline-based double-reflection InjectionChecker bypass
· Surrogate scripts from local files: surrogate's replacement is treated as a file:// URL and resolved against current browser profile if it starts with "file://", "./" or "../"
January 28th, 2010· Improved bookmarklet compatibility
January 20th, 2010· Fixed quirks mode triggered by surrogate execution on Gecko < 1.9.1
January 20th, 2010· Fix for some popups broken by 1.9.9.37
January 20th, 2010· Fixed potential infinite loop occurring when window.open is called in a recursive context, e.g. on Google Reader
· Fixed mishandling of non-default 1 value for the proxiedDNS preference
January 18th, 2010· Anti-Popunder surrogate now applies to all HTTP pages by default
· DNS activity logging facility (disabled by default)
· Slight optimization of DNS lookups
· Tentative fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501446 crasher
January 7th, 2010· Updated Firefox Mobile (Fennec) compatibility
· Improved and generalized Anti-Popunder surrogate
January 7th, 2010· Anti-Popunder surrogate extended to AWEmpire popunders (on empornium.us by default, customizable in noscript.surrogates.popunder.sources)
· Fixed bug in bookmarklet support on about:blank
· Improved InjectionChecker compatibility with letitbit.net uploads
· Improved InjectionChecker compatibility with Rapidshare uploads
January 7th, 2010· Better HTTPS/HTTP redirection support
January 7th, 2010· Further InjectionChecker optimizations, providing a dramatic speed boost on nested URLs (e.g. on iGoogle and many ad networks)
January 7th, 2010· InjectionChecker accuracy optimization, preventing false positives in some edge cases with nested URLs
December 30th, 2009· Injection Checker compatibility with Livejournal comment posting
· Improved ClearClick compatibility with Facebook applications
December 30th, 2009· Tentative work-around for hard to reproduce content policy DOS false positive on comcast.net
December 30th, 2009· Work-around for a Flash player double-instantiation bug in Gecko 1.9.0 preventing some movies from playing
· Removed placeholder enhancements for Gecko 1.8.x, due to unwanted side effects on some sites
December 19th, 2009· Placeholder enhancements backported to Gecko 1.8.x
· Fixed missing placeholders on Gecko 1.8.x
December 18th, 2009· Reduced reflow chances on placeholder activation
· Improved InjectionChecker compatibility with Facebook Connect
December 18th, 2009· Fixed Flash swallowed clicks regression on Gecko 1.8.x
December 18th, 2009· Fixed "Temporarily allow" regression
December 18th, 2009· Specific scriptless partial permissions icon for partially allowed framesets
· Reduced disk activity on permission change
· Work-around for a Java initialization failure
December 15th, 2009· Fixed "no partial icon when frameset and frame are scriptless" issue
December 15th, 2009· Better bounding checks for Gecko 1.9.2-compatible ClearClick
· Fixed residual bfcache-related issues
December 15th, 2009· ClearClick made compatible with Gecko 1.9.2
· ClearClick optimization for plugin content
· Improved opacity management in ClearClick
· Added ability for page-level script surrogates to run before page load even on untrusted sites
· New "imdb" script surrogate to watch IMDB trailers without allowing doubleclick.com
· Improved Google Analytics surrogate
· Turned the "fap" surrogate into a generic "popunder" one
· Fixed blocked embeddings info being wiped during bfcache lifecycle
December 15th, 2009· Optimized matching for HTML 5 event handlers injection
· "Allow sites opened through bookmarks" won't allow sites previously marked as untrusted
· Turned the noscript.canonicalFQDN to false by default
· Improved embedded objects identity checks upon reloads
November 28th, 2009· Removed residual compound attribute-based injection chance
November 28th, 2009· Fixed residual crash issue when favicons need to be redirected to HTTPS
· Enhanced ClearClick compatibility with Photobucket
November 28th, 2009· Better object unblocking behavior, triggering a page reload if allowed object has no layout (i.e. was meant to be scripted only), increasing usability of trusted restrictions e.g. in VMWare Server's console
· Work-around for a Firefox image caching crashing bug triggered by HTTPS enforcement on mixed content
· Improved compatibility with Ebay
November 17th, 2009· Fixed HTTPS enforcement for embedded images breaking HTTP authentication
· Fixed XHR breakage when called from a Worker
· Skip link fixing on right click
· Improved bookmarklet execution mechanism
· Improved compatibility of InjectionChecker with Facebook Connect
· Improved compatibility of InjectionChecker with Lycos Mail
October 28th, 2009· Fixed page loading issues (hard to reproduce but reported by many)
October 28th, 2009· Fixed page loading regression from "Hijack checks skip error pages" optimization in 1.9.9.12 (hard to reproduce but reported by many)
· Fixed attribution of Romanian translation
October 27th, 2009· Allowing a plugin object whose size is not set causes a page reload, assuming that scripts would be used to size it
· Google Translate XSS exception
· abine:* ClearClick subexception
· Updated localizations
· Removed current URL leaking into RegExp properties if invisible link detection is enabled
· Hijack checks must skip error pages
· Fixed XSS false positive at travelocity.com
October 14th, 2009· Reorganization of the "Embeddings" (FKA "Plugins") options panel
· "Forbid / " option in the "Embeddings" panel
· "Forbid @font-face" option in the "Embeddings" panel
· ClearClick report id made selectable
October 14th, 2009· Webfonts blocking from untrusted sources and on untrusted pages, controlled by the noscript.forbidFonts about:config preference (UI planned for later)
· noscript.forbidMedia about:config preference controlling HTML 5 media blocking independently from the "Forbid other plugins" setting (UI planned for later)
· Improved live object allowing/forbidding
· Fixed potential false positives generated by Spidermonkey's decompiler artifacts
October 14th, 2009· Fixed noscript.forbidData not being honored
· Fixed Trillian to Yahoo Mail! XSS false positive
October 14th, 2009· Fixed potential cache issues caused by header cloning on internal redirects
October 5th, 2009· Improved Google Analytics surrogate, handling form submissions
October 5th, 2009· Added https://mail.google.com/* to X-Frame-Options parent whitelist, in order to allow GMail/Calendar mashups via extensions and GreaseMonkey
· Fixed noscript.forbidIFrameContext set to 0 blocking top-level web pages loading
· Fixed Yahoo! Mail login persistence issue
October 2nd, 2009· Improved emulation of complex bookmarklet import sequences
· Fixed potential issue in new InjectionChecker C++ style comments code
October 2nd, 2009· Fixed header cloning bug in internal redirections
· Better management of C++ style comments in InjectionChecker
· Fixed legacy frames retargeting bug
October 2nd, 2009· noscript.frameOptions.enabled about:config preference to control if the X-Frame-Options header must be honored
· noscript.frameOptions.parentWhitelist preference to exclude some parent window from X-Frame-Options checks on their embedded frames
· Enhanced internal redirection mechanism
· Fixed Weave 0.7pre log window incompatibility
October 2nd, 2009· Improved InjectionChecker's heuristic
September 24th, 2009· Fixed InjectionChecker micro-injection scanning bug
September 24th, 2009· First public Strict Transport Security implementation
· Fixed Javascript disabled in about:neterror pages if the broken destination page is marked as untrusted
· Improved HTTPS enforcement, honoring original referer
· Fixed a potential "unresponsive script" InjectionChecker condition
· Fixed help links not opening from NoScript's UI on Minefield
· Fixed ABE LOCAL symbol matching 172.16.0.0/16 rather than the whole 172.16.0.0/12
September 24th, 2009· InjectionChecker optimization on long Base64 sequences
September 24th, 2009· X-Frame-Options applied only to ultimate load, after redirection (compatibility with IE8's and Chrome's implementation)
· Fixed Flash activation bug on Gecko
September 24th, 2009· Quantserve surrogate script
· Added en-GB locale to legacy Seamonkey install script
September 14th, 2009· Fixed kongregate.com incompatibility
September 14th, 2009· Updated MK locale
· QA for release
September 14th, 2009· Flash object emulation to fool SWFObject 2.2 version detection without instantiating a real Flash object
September 14th, 2009· Fixed bug in the new Flash early instantiation management
September 14th, 2009· Upper limit to bookmarklet setTimeout() emulation, in order to prevent infinite pseudo-loops
· Improved InjectionChecker algorithms
· Early URL-less Flash objects are instantiated only if Flash permissions have been already granted to the origin site
September 14th, 2009· Fixed issue with early manipulation of Flash objects whose source URL has not been set yet
September 3rd, 2009· Improved bookmarklet setTimeout() emulation (delay ordering is honored and pseudo-recursion is supported)
· Update locales
August 25th, 2009· Fixed minor bugs in "Recent blocked sites" implementation
· Updated Romanian
· Fixed encoding issue with configuration import / export / sync (thanks m_c for reporting)
August 25th, 2009· Optimization of multiple regexp preferences
· Fixed XSS filter exceptions not being honored if URL contains percent-encoded characters which are invalid UTF-8 code points (thanks Bueller007 for reporting)
· Fixed UTF8 overdecoding checks interfering with some Japanese sites (thanks Bueller007 for reporting)
August 25th, 2009· Reset command in "Recently blocked sites" menu (thanks Fred for suggestion)
· For privacy reasons "Recently blocked sites" are erased every time the user purges history
· Temporary permissions are revoked and "Recently blocked sites" are erased every time the user exits the "Private Browsing" mode
· Fixed DNS-sensitive frame blocking bug
August 25th, 2009· New "Recently blocked sites" menu to allow active content origins which have been recently blocked but are unrelated to the current page (e.g. loaded in custom frames provided by extensions)
· Fixed some glitches in temporary permissions handling (thanks computerfreaker for reporting)
· Simplified bookmarklet permissions granting
· Simplified ABERequest lifecycle management
· Prevented potential memory leak
August 20th, 2009· Fixed ABE internal redirection on DNS cache miss interfering with injection checks under some circumstances
August 20th, 2009· Full HTML 5 event attributes InjectionChecker support
· Fixed DNS resolution notification causing event loop spinning and perceived slowness of "Open all in tabs" command
· Removed InjectionChecker bypass (thanks Sirdarckcat for reporting)
· Updated locales
August 20th, 2009· Improved protection against DOS attacks (thanks Gareth Heyes for testbed)
August 20th, 2009· Fixed Mac OS X specific hang bug triggered by STATUS_RESOLVING DNS notifications for some sub-requests
August 10th, 2009· ABE's caching DNS requests now send STATUS_RESOLVING notifications
· Improved injection checks
· Fixed invalid chars in host names causing loads to fail without any visible error feedback
· Work around for breakages caused by the .NET Framework Assistant,
· ABE grammar source (ABE.g) included in the distributed XPI
August 4th, 2009· Improved XSS filter compatibility with some decimal coordinates patterns
· Fixed JavaScript IFrame manipulation causing documents to be loaded in a new window sometimes
August 4th, 2009· Improved XSS filter compatibility with MySpace modules
August 4th, 2009· Improved permission change speed for very long lists / very slow CPUs
August 4th, 2009· Fixed HTTPS-forced subrequests being cancelled sometimes
August 4th, 2009· Fixed URL classifier not being called for hosts whose DNS record is not cached yet by ABE
August 4th, 2009· Fixed domain name resolution delayed for cached failed responses after a network reconnection
August 4th, 2009· Fixed invisible links detection turning some links into absolutely positioned if they have no layout on load
· Improved specificity of data: URL injection detection
July 31st, 2009· Fixed DNS cache status interfering with HTTPS redirections
July 31st, 2009· Fixed HTTPS-bound active content restrictions preferences not being honored sometimes
July 31st, 2009· HTML 5 video and audio are blocked also when loaded as documents in a frame or in a top-level window
July 30th, 2009· Decoupled legacy frame blocking from "Forbid IFrames"
July 30th, 2009· Fixed IFrame blocking being delayed to DNS resolution when ABE is active
· Fixed Frame blocking leading to extra history entries on unblocking
July 30th, 2009· Content served with the "Content-disposition: attachment" header (forced downloads) should not be subject to plugin blocking policies
· ABE checks should be skipped for XHR requests made from chrome
July 30th, 2009· Inclusion type checks accommodating hosting errors in AOL gadgets, outbrain.com widgets and E-junkie libraries
· Fixed es-CL locale metadata
July 22nd, 2009· Fixed default whitelist not being installed on first run anymore since 1.9.6's fix for multibyte temporary allow / mark as untrusted
July 22nd, 2009· Inclusion content type checking now graces default file extensions
· Improved XSS filter pre-screening efficiency
· Prefixed content type based inclusion blocking message
July 22nd, 2009· Fixed inclusion content type checks blocking Twitter JSON feeds loaded via SCRIPT elements (thanks Mel Reyes for reporting)
July 21st, 2009· Inclusion content type checks made more tolerant to dynamically generated scripts and stylesheets (thanks therube for reporting)
July 21st, 2009· New layer of inclusion protection, checks whether 3rd party scripts and CSSs are served with proper content type (it can be disabled via noscript.checkInclusionType preference; exception patterns can be listed in the noscript.checkInclusionType.exceptions preference)
· Fixed subdomain matching glitch with 1 char subdomain prefixes
July 20th, 2009· "Block JAR remote resources being loaded as documents" now also blocks script and CSS cross-site inclusions
July 20th, 2009· Fixed XSS false positives when asynchronous activity must be performed in ABE
July 20th, 2009· Fixed missing plugin placeholder when IFrames are forbidden
July 20th, 2009· Fixed session restore broken by some 1.9.6 ABE optimizations
· Fixed XMarks compatibility issue
July 20th, 2009· Support for raw IP and subnets with address prefix/mask syntax in ABE rulesets
· Improved UTF-8 XSS protection
· Fixed ABE resource lists parsing glitches
· Improved "Anonymous" (formerly "Logout") ABE action behavior
· Fixed IP display in Allow/Forbid menu items on Gecko >= 1.9
· Added ABE local rulesets to configuration import/export dataset
· Fixed multibyte domain names couldn't be temporarily allowed nor marked as untrusted
July 20th, 2009· Fixed "live" plugin unblocking broken on some sites (thanks therube for reporting)
July 20th, 2009· Fixed CSS bug preventing placeholders from being hidden with Shift+click
July 20th, 2009· Fixed Seamonkey 1.x breakage from 1.9.5.7
July 20th, 2009· ABE Logout action strips query strings from potential authorization and session-related parameters and neutralizes non-idempotent requests by switching their method to GET and removing uploads
· Fixed DNS optimizations causing ABE's "Logout" action to abort the request sometimes (Gecko
July 20th, 2009· Work around for Tab Mix Plus beta breaking bookmarklets and URL bar JavaScript one liners on untrusted sites (Fx 3.5)
July 20th, 2009· New Notifications|ABE option to disable ABE notifications
· External requests on default ports to domain names different than "localhost" resolving to 127.0.0.1 don't generate notifications, in order to reduce spam from misconfigured hosts files (activity still gets logged to the Error Console and notifications can be restored by toggling the noscript.ABE.notify.namedLoopback preference)
July 20th, 2009· Fixed incompatibility with back-forward gestures in Mouse Gesture Redux
· Fixed "Open all tabs" glitches
July 20th, 2009· Fixed Google Analytics surrogates causing some sites to open "undefined" URLs
July 20th, 2009· Fixed ABE RFC 3330 support bug
July 20th, 2009· Work around for NewTabUrl incompatibility
· Fixed a not yet disclosed parsing bug (credits will be given where due in a later release)
June 29th, 2009· Fixed forbidden objects in allowed documents not causing partially allowed icon on first load in Gecko < 1.9 (thanks al9_x for report)
· Fixed forbidden objects in mixed trusted/blacklisted pages not causing partially allowed icon (thanks al9_x for report)
June 29th, 2009· Fixed late request cancelation of scripts preventing page from complete loading
· Fixed refreshing ABE rulesets enabling back disabled local rulesets
June 29th, 2009· Fixed DNS cache purging bug (thanks therube for reporting)
June 29th, 2009· Parallelization of DNS activity bringing huge ABE performance gain
· Minor fixes in LOCAL policies enforcing
June 29th, 2009· Fixed possible deadlock introduced in 1.9.4.6
· Fixed DNS cache purging bug
June 29th, 2009· Refactoring of content policy related code
· Another memory optimization iteration
· Restored automatic Seamonkey profile install cleaner
June 29th, 2009· Further memory footprint and performance ABE optimizations
June 29th, 2009· Origin tracing speed and accuracy improvements + Enhanced frame busting emulation
June 29th, 2009· Optimized garbage collection in DNS 2nd level cache
June 29th, 2009· Fixed mixed content SSL false positives when ABE enabled
· Fixed file:// entry added to whitelist every time a 2nd level domain gets allowed on Gecko >= 1.9 (thanks GµårÐïåñ for reporting)
June 29th, 2009· Implemented 2nd level DNS cache fixing some artifacts/crashes on Google Maps and some latency issues in Gecko < 1.9 (thanks therube and Alan Baxter for reporting)
June 29th, 2009· Fixed page content getting randomly scrambled during heavily concurrent loads when ABE's asynchronous networking is enabled
· Fixed password manager autofill failing sometimes (thanks Tommy Coe for reporting)
June 29th, 2009· First stable ABE (Application Boundaries Enforcer) release
· Improved JavaScript form submission emulation (thanks aladin235 for reporting about Twitter logout button)
· Asynchronous networking in Gecko >= 1.9 for ABE preflight requests and DNS checks (can be turned off by noscript.asyncNetworking about:config preference)
· noscript.ABE.legacySupport about:config preference to enable ABE on older, less supported platforms (Gecko < 1.9)
· Modularized SeaMonkey uninstaller
· Bookmarklet emulation made compatible with latest Fx 3.5 builds
· Better UI feedback about CAPS parsing artifacts
June 29th, 2009· Fixed missing site rules being repeatedly fetched after 12 hours timeout
June 29th, 2009· Added gstatic.com (Google Maps and other services) to the default whitelist
· Fixed broken embeddings from file:// URLs (thanks Endor for report)
June 29th, 2009· Fixed import/export buttons for whitelist and full configuration overriding each other (thanks Alan Baxter for reporting)
June 29th, 2009· Precise reporting of ABE DNS failures
· Automatically include browser origins in Accept predicates
· Lighter XSS checks, relying on ABE for pre-screening when possible (preventing some timeout-related false positives and random hangs)
June 29th, 2009· More accurate NOSCRIPT web-bugs blocking, skipping same origin images and scripted pages (thanks Jorgo for suggestion)
· Working link to ABE documentation in NoScript Options|Advanced|ABE
· Fixed ABE external editor failing to open on Mac OS X (thanks David Bass for reporting)
June 29th, 2009· Improved Google Analytics script surrogates
· New Imagefap anti-popup script surrogates
· Seamonkey 1.x streamlined installation process (profile local installations are not supported anymore, but switching to browser-wide is automatic on update)
· Seamonkey 1.x automatic uninstall procedure (button provided in NoScript Options)
June 29th, 2009· First public Application Boundaries Enforcer (ABE) prototype, see NoScript Options|Advanced|ABE
· SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
May 24th, 2009· Fixed fatal exception on JSON XSS checks (thanks HeikoAdams for report)
May 22nd, 2009· Fixed whitelist import/export broken by new global import/export (thanks Tim Johnson for report)
May 21st, 2009· Fixed automatic secure cookie management being enabled by default (thanks therube for report)
May 20th, 2009· Redirect loops caused by HTTPS enforcement now trigger the standard redirect loop error page (thanks Matt McCutchen for RFE)
· Fixed https-forced embedded objects not being loaded unless already cached (thanks Matt McCutchen for report)
May 13th, 2009· 100x speedup of bookmark-based configuration persistence
· NoScript tries to synchronize its configuration with foreign bookmarks when the "Backup configuration in bookmarks" gets enabled in order to ease adding new "slaves"
· Excluded temporary permissions from bookmark-based synchronization
· Fixed XMark synchronization failing because of XMark's 4KB limit on bookmark URIs
· Fixed opening the [NoScript] configuration bookmark hanging the AutoPager extension
· Disqus ClearClick exception
· Feedly ClearClick exception
May 2nd, 2009· NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.
May 2nd, 2009· One-time startup prompt to ask users if they want to install/keep the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
· Fixed filterset bug: it could be disabled but not removed.
· Fixed "Attempt to fix JS links" not working for drop-down lists on Gecko < 1.9 (thanks therube for report)
· Updated zh-CN translation
· Updated el-GR translation
April 30th, 2009· Improved Gecko >= 1.9.1 support
· Updated nl-NL translation
· Fixed notification icons broken on Minefield (Fx 3.6a1pre)
· Fixed blocked objects in "restrictions on trusted sites" mode not being counted for "partially allowed" reporting
April 24th, 2009· Experimental "Backup NoScript configuration in a bookmark for easy synchronization" feature (enable it in "NoScript Options|General")
· Fixed potential DNS leak in some proxied setups when opening URLs with FQDNs as their hostnames (thanks Rolf Wendolsky for report).
April 15th, 2009· Fixed notifications reporting "Forbidden" on some partially allowed pages
April 13th, 2009· Fixed notifications reporting "Partially allowed" on fully allowed pages
· Fixed source code (view-source: originated) POST requests being turned into GET requests
April 11th, 2009· New "partially allowed subcontent" icon to indicate that the top site is blocked but some active sub-content (e.g. plugin objects or frames) is enabled
· New script sources inventory behavior reporting "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed unless their hosting document is allowed too
· New "noscript.clearClick.subexceptions" preference to list sources of embedded content which don't need to be protected by ClearClick
· ClearClick compatibility with the "ShareThis" extension
April 2nd, 2009· Improved ClearClick specificity on zoomed pages (fixes a false positive on GMail's Flash-based attach link when zoom is active)
· Temporarily disabled ClearClick on 3.6a1pre because of bug 486200
March 26th, 2009· Fixed placeholder size miscalculation for hidden blocked objects (thanks al9_x for report)
· Fixed HTTPS enforcing on documents causing an initial aborted HTTP documents request on Gecko < 1.9 (thanks al_9x for report)
March 19th, 2009· HTTPS forced on background requests (images, stylesheets, scripts, embeddings, AJAX...) as well (thanks mattmccutchen's RFE)
· Fennec 1.0b1 compatibility
March 11th, 2009· ClearClick performance boost on crowded documents
· Updated French translation
· Reduced log spam on content blocking
March 4th, 2009· Work around for Mozilla bug 453825
March 4th, 2009· Work around for SimpleViewer and other Flash movies replaced with innerHTML breaking on nsIContentPolicy presence (thanks Steffen Zahn for reporting).
February 23rd, 2009· Fixed page-level surrogates in subframes being executed too early to be effective (thanks GossamerGremlin for report)
· Work-around for bug 4066046 (thanks Alice0755)
· Fixed incompatibility with the wfx_Versions extension (thanks Archaeopteryx for report)
· Fixed double activation for nested OBJECT elements, e.g. apple.com QuickTime movies (thanks al_9 for report)
· Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20 (thanks al_9x for report)
February 16th, 2009· Upper limits for JS link detection loop
· about:certerror added to the intrinsic whitelist
· ClearClick compatibility with the Link Alert extension
· 3rd party script blocking improvements
· Updated Slovak translation
February 7th, 2009· Fixed XHTML namespacing issues (thanks dhouwn for report)
February 2nd, 2009· Fixed X-FRAME-OPTIONS not working inside OBJECT elements
· Restored broken compatibility with Seamonkey 1.0.x (thanks James Andrewartha for report)
February 1st, 2009· Improved ClearClick sensitivity (thanks Eric Lawrence for report)
January 27th, 2009· Support for page-level surrogate scripts, executed before pages whose URL matches sources patterns starting with "@" start loading
· Enhanced "catch all" Google Analytics surrogate (thanks Jesse Andrew for reporting)
· Refactored the Silverlight IsVersionSupported() patch to use ScriptSurrogate.execute()
· Streamlined Silverlight support
· Instant placeholders, being shown before page finishes loading
January 25th, 2009· Improved script surrogation reliability
· Fixed URIValidator preferences not being updated at runtime
· Updated Sweden locale
January 24th, 2009· Stricter checks for the "Attempt to fix JavaScript link" feature and emulation of form submission links (thanks Jah for report)
January 21st, 2009· Fixed minimum sized placeholder potentially exceeding smaller frames (thanks greenhatch for report about BetFair's menu)
· Fixed ClearClick form bounds miscalculation with negative coords (thanks Zjakki Willems for report about BlogSpot's search feature)
· Fixed document loaded in a nested iframe when enabling a blocked legacy frame
January 18th, 2009· Fixed page loading stalled sometimes when the final destination of a redirected script inclusion gets blocked by NoScript
January 16th, 2009· New noscript.clearclick.exceptions preference to specify URL patterns of pages where clickjacking shouldn't be checked
· *.ebay.com ClearClick exception to temporarily work around a false positive on one-click bids too difficult to reproduce
· Performance optimization of the JSON and E4X hijacking protection
· Compatibility with Amazon one-click
· Removed __count__ usage triggering a deprecated warning in Fx 3.0.x
· Relaxed XSS checks from same-domain HTTPS->HTTP requests
· Improved E4X hijacking detection, skips leading XML comments in scripts (http://forums.mozillazine.org/viewtopic.php?p=5488645)
· Updated Japanese translation
January 12th, 2009· Removed a potential document leak
January 8th, 2009· Kazakh translation (thanks Baurzhan Muftakhidinov)
· ClearClick optimization by canvas recycling
· Work-around for bug 472495
January 5th, 2009· Further optimization of Base64 injection checks
· More accurate clipping of scrolling frames in ClearClick
December 29th, 2008· Performance optimization of Base64 checks (thanks Dave Griffiths for reporting an Ebay chatroom issue)
December 28th, 2008· Fixed rare ClearClick false positives on the bottom edge of scrolling frames
· Fixed ClearClick false positive on some cnbc.com videos
December 18th, 2008· Improved specificity for "location=code" injection checks
· Compatibility with Facebook Connect JSON patterns
December 8th, 2008· Contextual disablement with visual feedback for "Revoke temporary permissions" and "Temporarily allow all on this page" toolbar buttons (thanks WAPCE for suggestion)
· Improved early detection of event attribute XSS
· Updated Arabic translation by Khaled Hosny
December 2nd, 2008· Updated zh-CN locale
· Enhanced interaction with AdBlock Plus tabs appearing over NoScript placeholders
· Flash-specific placeholder icon
· Java-specific placeholder icon
· Silverlight-specific placeholder icon
· Improved ClearClick compatibility with Google Street View (thanks natron for report)
· Finer grained object reload algorithm for mass permission changes from the "Blocked objects" menu
November 25th, 2008· Greatly increased sticky menu / Fennec UI responsiveness
· Refactoring of ClearClick's document patching code
· Removed translucency transition from sticky menu
· Extra QA for release
· Updated localizations
November 17th, 2008· ClearClick enablement options on the ClearClick warning dialog
· ClearClick session whitelist
· Forced non-sticky behavior when there's just one site to allow and noscript.sticky.liveReload is unset
· Fixed placeholders not working on Fx 3.1
November 11th, 2008· Fixed clicking on icon not hiding menu on Fx 2
· Fixed Entrecard ClearClick false positive
· Fixed AntiXSS filter false positive on some forum ads
November 8th, 2008· Fixed incompatibility causing Tor Button to endlessly reload the page when disabled.
October 27th, 2008· Malay translation (thanks Joshua Issac)
· Croatian translation (thanks Stiepan A. Kovac)
October 20th, 2008· Fixed redirection issue (thanks pumaro for report)
October 19th, 2008· Fixed problem with tab navigation on forms inside frames
October 13th, 2008· Improved viewport bounds matching
· Fixed incompatibility with iMacros (thanks OneMen)
· Fixed redirected frames 404 issue (thanks pumaro)
October 10th, 2008· Fixed mailto: protocol not working outside frames (thanks Robert Janc for reporting)
October 10th, 2008· Fixed late breaking POST injection checker regression, causing problems on some forms
October 10th, 2008· Adapted Frame Break Emulation to alternate framebusting idioms
· Several localization updates
· Added a separate "Forbid FRAME" option for legacy FRAME elements (thanks OfficeAngel for request)
· Legacy FRAMEs nested inside IFRAMEs are forbidden by default if IFRAME blocking is on (about:config noscript.forbidMixedFrames)
· Fixed some ClearClick false positives when enabled for trusted sites or with some extensions mixing content and chrome
· Fixed mailto: URIs not working inside frames
· Fixed various typos in English localization of new features
· Restored compatibility with Fx 1.5.0.x (thanks Kevin for help)
October 8th, 2008· ClearClick technology backported to Gecko 1.8.1 based browsers such as Firefox 2.0.x and SeaMonkey 1.1.x
October 7th, 2008· New "ClearClick" protection, specifically addressing Clickjacking, Clickjacket and other UI-redressing vulnerabilities: UI interaction with embedded objects is disabled if they're obstructed or not clearly visible (thanks Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for inspiration and discussion)
· "ClearClick protection" and "Opacize embedded objects" controls in "NoScript Options|Plugins", to enable/disable them on untrusted and/or trusted pages
· Frame breaker emulation for frames where JS is disabled, controlled by the noscript.emulateFrameBreak about:config preference
· Fixed recursion problem with new legacy frame management
· Changed noscript.forbidIFrameContext default to 3 (allow same domain) unless "forbid non-HTTPS active content" is enforced: if this is the case, scheme must be the same as well.
September 18th, 2008· Version 1.8.3
Brand new suite of features enhancing HTTPS effectiveness:
· Force HTTPS on most sensitive sites
· Option to disable active content on whitelisted sites which are not served through HTTPS, either always or when connecting through a proxy ("Tor mode"), to mitigate domain spoofing risks in hostile environments
· Automatic and customizable Secure Cookie Management, to protect against HTTPS cookie hijacking. Important: if you have trouble logging in on some sites with this feature on, please get the latest development build and, if that does not help, follow the easy advice given in this FAQ
· Better bookmarklet compatibility on untrusted sites.
· Temporarily allow all this page toolbar button.
· Revoke temporary permissions toolbar button.
· Several improvements in blacklisting mode: even if whitelisting is still the recommended safest mode, you can use Allow scripts globally and still block sites you mark as untrusted. More important, you can still enjoy full Anti-XSS protection even while you're keeping JavaScript allowed everywhere.
September 17th, 2008· Switched "HTTPS|Automatic Secure Cookie Management" off by default: even if all the reported login issues (especially the ebay.com one) have been fixed, it probably deserves more testing from opt-in volunteers before a general "default-on" release
· Unsafe cookies can be handled either globally (default), or per tab (noscript.secureCookies.perTab)
· Fixed "force HTTPS" not working across some redirection patterns
September 16th, 2008· Fixed minor bugs in automatic fall-back for insecure cookies
· Updated localizations
September 3rd, 2008· "Make page permissions permanent" command
· Meaningful tooltip for "Allow all in this page" and "Temporarily allow all in this page", listing affected sites
· More meaningful tooltip for Revoke Temporary Permission, listing affected sites and counting affected objects (Gecko >= 1.9)
· Rationalized keyboard accelerators for English menu items
August 21st, 2008· Fixed JS button auto-navigation problem with relative URLs
· JavaScript redirections detected also in the onload attribute of the body element (thanks timeless)
July 6th, 2008· QA for release
June 27th, 2008· Fixed issue where changing permissions on one tab reloaded all tabs (thanks redhat71 for reporting)
June 16th, 2008· Fixed Injection Checker false positive regression on URIs which contain encoded newline characters (thanks Kostas)
June 16th, 2008· Improved XSS JavaScript unicode escape handling
· Recursive JSON reduction, dramatically cutting analysis time on complex JSON URLs, e.g. for some Orkut widgets
December 15th, 2007· Object placeholder rendering optimization
· Extra QA for release
December 6th, 2007· Extra QA for release
· Menu rendering speed optimizations
· Emulated TLD Effective service up to 100x speedup
· InjectionChecker performance up to 50x speedup
· Fixed leak regression from 1.1.8.3 redirection handling refinements
· Fixed Firefox notifications not shown if NoScript notifications were suppressed (thanks gecco)
November 12th, 2007· Version bump for Firefox 3
· Temporarily allow sites matching the regular expression(s) in the noscript.whitelistRegExp about:config preference
· Further QA for release
· Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
· Fixed shorthands broken when XSS protection was off
November 5th, 2007· Fixed installation problems with addons.mozilla.org automatic update
September 17th, 2007· Object placeholders' minimum size set to 32x32 for visibility
· Object placeholder override for Microsoft Silverlight
· Fixed "Forbid IFRAME" blocking also Flash (thanks niko322)
· Fixed "Forbid IFRAME" blocking also regular frames (thanks ievans)
· Fixed IFRAME in place activation shouldn't reload parent page
September 11th, 2007· Further QA for release
· Improvements in script redirection management
September 4th, 2007· Work-around for Daily Dilbert extension's CSS bug hijacking statusbar icons (thanks gumble and Archaepterix for reporting)
· Fixed toolbar icon breaking when "Scripts Globally Allowed" and no script found in page (thanks Claus Valca and Gecco for reporting)
· Fixed infobar icon not always properly updated upon tab-switching (regression from 1.1.6.20 feedback fix)
September 3rd, 2007· Fixed inconsistent status icon feedback
August 20th, 2007· Support for keyword-driven bookmarklets on untrusted pages (thanks Mike Rocker and therube for report/request)
· noscript.forbidChromeScripts preference (true by default), prevents script tags in content (non chrome:/resource:/file:) documents from referencing chrome
· Fix for fast reload not working on Minefield
· Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from working: browser packages are whitelisted by default, extensions and other chrome packages can be optionally whitelisted by adding a noscript.forbidChromeExceptions.packageName preference set to true, and the noscript.forbidChromeScripts preference defaults to false now, since Bug 292789 couldn't do any harm unless some extension does very stupid things.
August 2nd, 2007· Fixed configuration conflict preventing javascript: links from opening in some circumstances (thanks england and haklin)
· Optional blocking of tracking images (also known as "Web Bugs") embedded inside NOSCRIPT tags: it can be enabled through the noscript.blockNSWB about:config property
· URI Validator facility for on-demand protection against URI-based exploits. You can add your uri-validator anchored regular expressions as an about:config preference named like "noscript.urivalid.protocolname" to validate the URI substring immediately following scheme colon (see the noscript.urivalid.aim pre-configured example entry)
· Minor change in query string parser: it no longer drops "="-split chunks beyond the first two
July 26th, 2007· Fix for popup content loaded in the opener window regression (from mail/news exploitation protection)
July 24th, 2007· Early protection against URL protocol handling exploitation (see http://tinyurl.com/37o23j and Mozilla bug 389106)
· Fix to ampersand being sometimes escaped by anti-XSS filters
June 28th, 2007· Removed about:neterror from the permanent non-deletable whitelist (for the super-paranoids, thanks Aerik)
· Minor bug fix: anti-XSS notification bar skipped when a URL nested in a query string gets sanitized
· Extra QA for public release
June 20th, 2007· noscript.injectionCheck about:config option adds first-line detection for XSS injections in GET requests originated by whitelisted sites and landing on top level windows. Value can be: 0 - never check / 1 - check cross-site requests from temporary allowed sites / 2 - check every cross-site request (default) / 3 - check every request
· noscript.jsredirectIgnore about:config option enables/disables the new "Detect and show JavaScript redirections" feature
· noscript.jsredirectFollow about:config option enables/disables auto-following if a single redirect is detected on a textless page
· "Allow top level sites by default" won't affect sites that have been manually forbidden during the current session (to make this exception permanent, mark the site as untrusted)
May 28th, 2007· Improved notification consistency with back-forward navigation
· Better compatibility with Google Desktop Search and Paypal email
May 22nd, 2007· Fixed regression from bug 53901 work-around, "Mark as untrusted" menu not working anymore
April 24th, 2007· Lithuanian (thanks to Mindaugas Jakutis)
· Additional localization updates and minor fixes
April 21st, 2007· Minor improvements in XSS exceptions regular expression parsing
· Fixed last-minute Seamonkey breakage (many thanks therube!!!)
· 1.1.4.8RC3 (1.1.4.7.070420.1)