What's new in NoScript for Firefox 11.4.29 RC 5
Dec 8, 2023
- [nscl] Improved reliability of TLD updater
New in NoScript for Firefox 11.4.29 RC 4 (Dec 7, 2023)
- [nscl] Updated TLDs
- Removed theme.js console noise
New in NoScript for Firefox 11.4.29 RC 3 (Dec 6, 2023)
- Fix beta channel updates breakage due to browser_specific_settings override
New in NoScript for Firefox 11.4.29 RC 1 (Oct 20, 2023)
- [nscl] Updated TLDs
- [L10n] Updated de, mk, nl, pl, ru, sq, tr, uk, zh_CN, zh_TW
- Explicit Android compatibility declaration
New in NoScript for Firefox 11.4.28 (Oct 10, 2023)
- Prevent URL leaks from media placeholders (thanks NDevTK
- for report)
- [nscl] Support for in-tree TLDs updates
New in NoScript for Firefox 11.4.28 RC 2 (Oct 9, 2023)
- Remove replaceAsync() dependency on
- String.prototype.matchAll()
New in NoScript for Firefox 11.4.28 RC 1 (Oct 8, 2023)
- Prevent URL leaks from media placeholders (thanks NDevTK for report)
- [nscl] Support for in-tree TLDs updates
New in NoScript for Firefox 11.4.27 (Sep 13, 2023)
- [XSS] Better specificity of HTML elements preliminary checks
- [XSS] Better specificity of potential fragmented injection through framework syntax detection
- [nscl] RegExp.combo(): RegExp creation by combination for better readability and comments
- [nscl] Replaced lib/sha256.js with web platform native implementation (thanks Martin for suggested patch)
- [nscl] Fixed property/function mismatch
- Fixed operators precedence issue
- [nscl] Prevent dead object access on BF cache
New in NoScript for Firefox 11.4.27 RC 3 (Sep 8, 2023)
- Better specificity of HTML elements preliminary checks.
New in NoScript for Firefox 11.4.27 RC 2 (Sep 2, 2023)
- [XSS] Better specificity of potential fragmented injection through framework syntax detection (thanks Rom623, barbaz et al)
- [nscl] RegExp.combo(): RegExp creation by combination for better readability and comments
New in NoScript for Firefox 11.4.27 RC 1 (Aug 9, 2023)
- [nscl] Replaced lib/sha256.js with web platform native implementation (thanks Martin for suggested patch)
- [nscl] Fixed property/function mismatch (thanks Alex)
- Fixed operators precedence issue #312 (thanks Alex)
- [nscl] Prevent dead object access on BF cache (thanks jamhubub and mriehm)
New in NoScript for Firefox 11.4.26 RC 2 (Jul 20, 2023)
- [Android] Fixed regression preventing NoScript prompts from being shown
New in NoScript for Firefox 11.4.25 (Jul 12, 2023)
- Reload extension on fatal failures
- [Android] Fixed UI styling regression
- Fixed UI inconsistencies when finer-grained contextual policies are created/imported by other means (thanks barbaz for reporting)
New in NoScript for Firefox 11.4.25 RC 2 (Jul 10, 2023)
- Reload extension on fatal failures
- [Android] Fixed UI styling regression
New in NoScript for Firefox 11.4.25 RC 1 (Jul 2, 2023)
- Fixed UI inconsistencies when finer-grained contextual policies are created/imported by other means (thans barbaz for reporting)
New in NoScript for Firefox 11.4.24 (Jun 29, 2023)
- [XSS] Fix Base64 hash checks interfering with query string checks (thanks barbaz for reporting)
- [TabGuard] Stop exempting domains bidirectionally by default
- [TabGuard] Fix destination domain being reported as the trigger of a warning prompt when all the other tab-tied domains have been exempted (thanks barbaz for report)
New in NoScript for Firefox 11.4.24 RC 2 (Jun 29, 2023)
- [XSS] Fix Base64 hash checks interfering with query string
- checks (thanks barbaz for reporting)
New in NoScript for Firefox 11.4.23 (Jun 29, 2023)
- [TabGuard] Eclude non-scriptable content types from suspects
- [TabGuard] Check for chains of about:blank puppet tabs
- Mirror NoScript's badge content in the contet menu to provide more info (e.g. on SS or TG status) whenever the toolbar icon is hidden
- [TabGuard] Short circuit requests in non-anonymized tabs
- [TabGuard] Decouple tab ties cutting from one-shot authorized loads cases for same-site navigation
- [TabGuard] Load with credentials when reloading from NoScript's UI
- [TabGuard] "TG" badge on the NoScript icon when the selected tab is anonymized
- [TabGuard] Cut ties and restore authorization info on manual reloads
- [TabGuard] Remove Set-Cookie headers from anonymized requests to prevent unreversible authorization loss
- [TabGuard] Keep track of anonymized requests
- [TabGuard] Keep track of anonymized tabs
- [TabGuard] Fi "never prompt" option's label not being clickable
- [TabGuard] Introduce prompt granularity options (default: prompt only on POST requests)
- Removed invalid CSS
- Avoid unnecessary prompt resizing
- Prevent focus-related console warning when opening prompts
New in NoScript for Firefox 11.4.24 RC 1 (Jun 28, 2023)
- [TabGuard] Stop exempting domains bidirectionally by
- default
- [TabGuard] Fix destination domain being reported as the
- trigger of a warning prompt when all the other tab-tied
- domains have been exempted (thanks barbaz for report)
New in NoScript for Firefox 11.4.23 RC 5 (Jun 27, 2023)
- [TabGuard] Exclude non-scriptable content types from suspects
- [TabGuard] Check for chains of about:blank puppet tabs
New in NoScript for Firefox 11.4.23 RC 4 (Jun 16, 2023)
- Mirror NoScript's badge copntent in the context menu to provide more info (e.g. on XSS or TG status) whenever the toolbar icon is hidden
New in NoScript for Firefox 11.4.23 RC 3 (Jun 16, 2023)
- [TabGuard] Short circuit requests in non-anonymized tabs
- [TabGuard] Decouple tab ties cutting from one-shot authorized loads cases for same-site navigation
New in NoScript for Firefox 11.4.23 RC 2 (Jun 15, 2023)
- [TabGuard] Load with credentials when reloading from NoScript's UI
- [TabGuard] "TG" badge on the NoScript icon when the selected tab is anonymized
- [TabGuard] Cut ties and restore authorization info on manual reloads
- [TabGuard] Remove Set-Cookie headers from anonymized requests to prevent unreversible authorization loss
- [TabGuard] Keep track of anonymized requests
- [TabGuard] Keep track of anonymized tabs
- [TabGuard] Fi"never prompt" option's label not being clickable
New in NoScript for Firefox 11.4.23 RC1 (May 21, 2023)
- [TabGuard] Introduce prompt granularity options (default: prompt only on POST requests)
- Removed invalid CSS
- Avoid unnecessary prompt resizing
- Prevent focus-related console warning when opening prompts
New in NoScript for Firefox 11.4.22 (May 18, 2023)
- [L10n] Updated uk
- Consistently apply DEFAULT policy to top-level data: URLs
New in NoScript for Firefox 11.4.22 RC 1 (May 10, 2023)
- [L10n] Updated uk
- Consistently apply DEFAULT policy to top-level data: URLs
New in NoScript for Firefox 11.4.21 (Apr 4, 2023)
- Fixed mislabeled Tor Browser settings override option
- [L10n] Updated mk
New in NoScript for Firefox 11.4.21 RC 2 (Mar 30, 2023)
- Better label formatting for Tor Browser overriding options
New in NoScript for Firefox 11.4.20 (Mar 21, 2023)
- Generalized prompt safety hooks
- Better blob: URL support
- [nscl] Improved cross-window patch cascading
- [nscl] Avoid unneeded side effects when checking for zombie patched objects
- [nscl] Prompt safety hooks
- [L10n] Updated fr, fi
- Fi font family typo (!283, thanks ale-kinokon)
New in NoScript for Firefox 11.4.19 RC 3 (Mar 20, 2023)
- [nscl] Improved cross-window patch cascading
New in NoScript for Firefox 11.4.19 RC 1 (Mar 18, 2023)
- [nscl] Prompt safety hooks
- [L10n] Updated fi
- [L10n] Updated fr
- Fix font family typo (!283, thanks alex-kinokon)
New in NoScript for Firefox 11.4.18 RC 1 (Mar 1, 2023)
- [Firefox on Linux] Fixed detached window UI gets closed when its decoration is clicked (thanks richard for reporting)
New in NoScript for Firefox 11.4.17 RC 2 (Feb 23, 2023)
- [nscl] Fixed rc1 regression erasing big policies from sync storage (thanks Dwedit and mkupper for reporting)
New in NoScript for Firefox 11.4.17 RC 1 (Feb 23, 2023)
- [Windows] Changed the tab enforcement toggling shortcut to "Alt+Shift+Comma" (still "Alt+Shift+Space" on desktop OSes other than Windows) - issue #281
- Updated copyright year
- Settings persistence made more reliable and resilient against sync storage unavailability
- Removed unused files from the source tree
- Fixed "Firefox" being shown instead of "Tor Browser" in the Security Level override option label
- [L10n] Updated pl, tr
New in NoScript for Firefox 11.4.16 (Feb 9, 2023)
- [L10n] Updated de, nl, pl, ru, sq, zh_CN
- Always open the windowed standalone UI when invoked from
- The Alt+Shift+N shortcut
- Alt+Shift+Space shortcut to toggle restrictions
- Enforcement for current tab (issue #129, thanks PF4Public
- For RFE)
New in NoScript for Firefox 11.4.16 RC 1 (Feb 5, 2023)
- Always open the windowed standalone UI when invoked from the Alt+Shift+N shortcut
- Alt+Shift+Space shortcut to toggle restrictions enforcement for current tab (issue #129, thanks PF4Public for RFE)
New in NoScript for Firefox 11.4.15 (Jan 31, 2023)
- Use the actual browser's brand name for Tor Browser derivatives
- Always open the windowed standalone UI when invoked from the contextual menu
New in NoScript for Firefox 11.4.15 RC 2 (Jan 26, 2023)
- Use the actual browser's brand name for Tor Browser derivatives
New in NoScript for Firefox 11.4.15 RC 1 (Jan 17, 2023)
- Always open the windowed standalone UI when invoked from the contextual menu (thanks ZeroUnderscoreOu for reporting)
New in NoScript for Firefox 11.4.14 (Jan 3, 2023)
- Updated HTML event attributes list
- Uniformed indexed directory Firefox UI emulation to prevent a script blocking bypass on file:// resources (thanks RyotaK for reporting)
- Fixed error being logged in the console on scriptless pages when hitting [Delete] or [Backspace] (thanks barbaz for reporting)
- Work-around for background page misteriously being unloaded sometimes by Firefox
- [L10n] Updated Transifex configuration
New in NoScript for Firefox 11.4.14 RC 2 (Dec 31, 2022)
- Updated HTML event attributes list
- Uniformed indexed directory Firefox UI emulation to prevent a script blocking bypass on file:// resources (thanks RyotaK for reporting)
- Fixed error being logged in the console on scriptless pages when hitting [Delete] or [Backspace] (thanks barbaz for reporting)
New in NoScript for Firefox 11.4.14 RC 1 (Dec 4, 2022)
- Work-around for background page misteriously being unloaded sometimes by Firefox
- [L10n] Updated Transifex configuration
New in NoScript for Firefox 11.4.13 (Nov 22, 2022)
- Ensure theme changes are synchronized across windows,
- including private ones (thanks barbaz for reporting)
- [UI] Ensure prompts are always centered relative to the
- parent window in multi-monitors setups
- Switch to "Modern Red Evil" icon contributed by fatboy
- Work-around for Chromium unable to load the placeholder icon
- Themed placeholders
- [nscl] Fixed placeholder fallback styles on Gecko
- embedding documents
- [L10n] New Romanian (ro) locale (thanks Simona Iacob and Inpresentia I.)
New in NoScript for Firefox 11.4.13 RC 1 (Nov 18, 2022)
- Switch to "Modern Red Evil" icon contributed by fatboy
- Work-around for Chromium unable to load the placeholder icon
- Themed placeholders
- [nscl] Fixed placeholder fallback styles on Gecko embedding documents
- [L10n] New Romanian (ro) locale (thanks Simona Iacob and Inpresentia I.)
New in NoScript for Firefox 11.4.12 RC 1 (Nov 15, 2022)
- Updated is, mk
- New Finnish (fi) locale (thanks RJuho, olavinto and ricky.tigg)
- New Ukrainian (uk) locale (thanks Kataphan, MuS and uniss)
- New Persian (fa) locale (thanks voxp and magnific
New in NoScript for Firefox 11.4.11 (Sep 14, 2022)
- Fix broken NoScript dialogs when browser.privatebrowsing.autostart = true (issue#259, thanks foenix for reporting)
- Avoid using fallback origins for main_frame loads
New in NoScript for Firefox 1.4.11 RC 2 (Sep 11, 2022)
- Fix broken NoScript dialogs when browser.privatebrowsing.autostart = true (issue#259, thanks foenix for reporting)
New in NoScript for Firefox 1.4.11 RC 1 (Sep 9, 2022)
- Avoid using fallback origins for main_frame loads
New in NoScript for Firefox 11.4.10 (Sep 1, 2022)
- [TabTies] Cascade and merge ties in a shared pool, to prevent them from being cut by closing a middle tab (thanks NDevTK for reporting)
- Extended origin normalization to top-level documents (thanks NDevTK for reporting)
- [TabGuard] Fixed regression in about:blank handling (thanks NDevTK for reporting)
- Better origin guess for requests from sandboxed iframes (thanks NDevTK for reporting)
- More precise tracking of implicit origins in tab URLs
- [nscl] Stricter criteria for cutting tab relations (thanks NDevTK for reporting)
- Use window.origin when fetching policies for inheriting special URLs (thanks NDevTK for reporting)
- Better build script compatibility
New in NoScript for Firefox 11.4.10 RC 3 (Aug 31, 2022)
- [TabTies] Cascade and merge ties in a shared pool, to prevent them from being cut by closing a middle tab (thanks NDevTK for reporting)
New in NoScript for Firefox 11.4.10 RC 2 (Aug 30, 2022)
- Extended origin normalization to top-level documents (thanks NDevTK for reporting)
- [TabGuard] Fixed regression in about:blank handling (thanks NDevTK for reporting)
New in NoScript for Firefox 11.4.10 RC 1 (Aug 30, 2022)
- Better origin guess for requests from sandboxed iframes
- More precise tracking of implicit origins in tab URLs
- [nscl] Stricter criteria for cutting tab relations
- Use window.origin when fetching policies for inheriting special URLs
- Better build script compatibility
New in NoScript for Firefox 11.4.9 (Aug 15, 2022)
- [L10n] Updated pl, tr, zh_CN
- [TabGuard] Abort the load when the warning dialog is closed by any mean except the OK button
- [TabGuard] Stricter criteria for cutting tab relations(thanks fatboy for reporting)
New in NoScript for Firefox 11.4.9 RC 1 (Aug 13, 2022)
- [L10n] Updated pl, tr, zh_CN
- [TabGuard] Abort the load when the warning dialog is closed by any mean except the OK button
- [TabGuard] Stricter criteria for cutting tab relations (thanks fatboy for reporting)
New in NoScript for Firefox 11.4.8 (Aug 11, 2022)
- Cross-tab identity leak protection
- [TabGuard] Better request lifecycle management
- [L10n] Updated de, it, nl, ru, sq
- [l10n] Automatic pull for 100% completed translations only
New in NoScript for Firefox 11.4.8 RC 5 (Aug 11, 2022)
- [TabGuard] Avoid infinite redirection loops
New in NoScript for Firefox 11.4.8 RC 2 (Aug 10, 2022)
- [TabGuard] Better management of subrequests in undecided
- tabs
New in NoScript for Firefox 11.4.8 RC 1 (Aug 10, 2022)
- Cross-tab identity leak protection (tor-browser#41071)
New in NoScript for Firefox 11.4.7 (Aug 8, 2022)
- [XSS] Fixed regression in invalid characters optimization causing false negatives (thanks Tsubasa for reporting)
- Minor build script enhancement
New in NoScript for Firefox 11.4.7 RC 1 (Aug 7, 2022)
- [XSS] Fixed regression in invalid characters optimization causing false negatives (thanks Tsubasa for reporting)
- Minor build script enhancement
New in NoScript for Firefox 11.4.6 (May 30, 2022)
- [nscl] Copy NOSCRIPT elements' attribute in emulated replacements (issue #238)
- [SS] Correct for concurrency in timeout checks
- [UI] Flatter preset appearance
- [UI] Focus visual feedback adjustments
- Inclusion-time TLD updates
- Updated HTML events
- [L10n] Updated pl
- Opaque white for vintage lock icons
- [L10n] Updated is
New in NoScript for Firefox 11.4.6 RC 2 (May 28, 2022)
- [nscl] Copy NOSCRIPT elements' attribute in emulated replacements (issue #238)
New in NoScript for Firefox 11.4.6 RC 1 (May 25, 2022)
- [XSS] Correct for concurrency in timeout checks
- [UI] Flatter preset appearance
- [UI] Focus visual feedback adjustments
- Inclusion-time TLD updates
- Updated HTML events
- [L10n] Updated pl
- Opaque white for vintage lock icons
- [L10n] Updated is
New in NoScript for Firefox 11.4.5 (Apr 18, 2022)
- Improved preset sizing
- Reduce toolbar bottom shaded line tickness
- [L10n] Updated he
- Various user-driven visual tweaks
- Fixed vintage icon brightness in automatic light mode
- Minor icon tweaks
New in NoScript for Firefox 11.4.5 RC 2 (Apr 16, 2022)
- Improved preset sizing
- Updated NSCL reference
- Reduce toolbar bottom shaded line tickness
- Fixed typos
- Cut down description with link to the website and security reporting information
New in NoScript for Firefox 11.4.5 RC 1 (Apr 5, 2022)
- [L10n] Updated he
- Various user-driven visual tweaks
- Fixed vintage icon brightness in automatic light mode
- Minor icon tweaks
New in NoScript for Firefox 11.4.4 (Apr 1, 2022)
- [L10n] Updated mk
- Removed "clearclick" item from default settings
- Better layout for mixed status icons
New in NoScript for Firefox 11.4.4 RC 1 (Apr 1, 2022)
- [L10n] Updated mk
- Removed "clearclick" item from default settings
- Better layout for mixed status icons
New in NoScript for Firefox 11.4.3 (Mar 28, 2022)
- Reversed colors in Modern Red permissive icons for better
- contrast
- Fixed regression causing only signed builds to complete
New in NoScript for Firefox 11.4.3 RC 1 (Mar 28, 2022)
- Reversed colors in Modern Red permissive icons for better contrast
- Fixed regression causing only signed builds to complete
New in NoScript for Firefox 11.4.2 RC 8 (Mar 28, 2022)
- Slight color tweakings
- Auto-deploy after Chromium package is ready
New in NoScript for Firefox 11.4.2 RC 7 (Mar 28, 2022)
- Dark scheme for high contrast toolbar buttons (issue #142)
- [Android] Preset size tweakings
- Reduce toolbar unused space
- Better contrast for "unsafe" URL labels
- [L10n] Updated es, fr
- Cleaner and more definite checked preset layout
- Less blurry focus halo
New in NoScript for Firefox 11.4.2 RC 6 (Mar 27, 2022)
- [L10n] Updated de
- [l10n] Updated pt_BR (thanks @DavidBrazSan)
- Removed eyes from default disabled and unrestricted small icons
- Improved preset label positioning
New in NoScript for Firefox 11.4.2 RC 5 (Mar 27, 2022)
- [L10n] Updated ru, tr, zh_CN
- Improved visual cues for selected presets
- [Android] Fixed regression: preset labels not correctly sized in landscape mode
- Fixed regression removing hover effect from toolbar buttons
New in NoScript for Firefox 11.4.2 RC 4 (Mar 26, 2022)
- Improved layout
- More balanced Modern Red icon set
- [L10n] Updated de, nl, ru, sq, tr
New in NoScript for Firefox 11.4.2 RC 3 (Mar 25, 2022)
- Move XSS options down one line
- New "Enable restrictions on browser restart" option
- [L10n] Updated de, nl, zh_CN
New in NoScript for Firefox 11.4.2 RC 2 (Mar 25, 2022)
- Localizable Modern Red / Vintage Blue switch.
- [L10n] Updated de, is.
New in NoScript for Firefox 11.4.2 RC 1 (Mar 24, 2022)
- Minor cross-theme visual tweakings
- Override dark vintage theme brightness filter on images for important UX cues
- Fix too wide CSS scope bleeding into page style (issue #232, thanks SuperPat45 for report)
New in NoScript for Firefox 11.4.1 (Mar 23, 2022)
- Support for reverting to the "Vintage Blue" style (NoScript Options/Appearance)
- Various tweaks to the "Moder Red" dark and light themes
New in NoScript for Firefox 11.4.1 RC 4 (Mar 23, 2022)
- Open the appearance page for users to configure their preferred visual theme on upgrade from 11.4.1rc3 and below
- Support for focusing and/or highlighting elements when opening the options page
- Fixed confusing theme application until a choice is made
- Dynamic size adjustments on theme changes
- Focus indicator for on/off switches
- Icon sizes adjustments (thanks barbaz)
- Fixed UI in private windows always inheriting the fallback browser color scheme until explicitly set
- More explanatory text for the Modern Red / Vintage Blue switch
New in NoScript for Firefox 11.4.1 RC 3 (Mar 22, 2022)
- Cross-theme visual tweaks
- More robust fallback for private windows
New in NoScript for Firefox 11.4.1 RC 2 (Mar 22, 2022)
- Fix status icon not always synchronized with vintage/modern setting
New in NoScript for Firefox 11.4.1 RC 1 (Mar 22, 2022)
- Support for reverting to the "Vintage Blue" style (NoScript Options/Appearance)
New in NoScript for Firefox 11.4 (Mar 21, 2022)
- Visual refresh based on Simply Secure concept artwork
- Full Dark/Light color schemes support
- [l10n] Many languages updates
- Include ServiceWorker-initiated fetch requests in UI
- Reporting (thanks 0_o for report)
- Remove redundant style patching
- Prompts can be closed by keyboard: Enter emulates the
- Default button click, Escape the cancel action
- Ensure better visibility for in-popup message box
- Sticky toolbar and scrollable fixed-height content in
- BrowserAction popups
- [XSS] Automatically reload page when clearing XSS choice
- From popup
- [XSS] Enable "Clear XSS Choices" button only if some item
- Is selected
- Remember last active tab when opening the option window
- Avoid useless reload if no actual change has happened in
- Enforcement status
- Fix for regression: request and execution attempts not
- Being reported anymore in the UI if restrictions are
- Disabled (thanks Stefan Mey for report)
- Dark mode support
- Improved high contrast layout
- Fixed automatic reload not always triggered for CUSTOM
- Tweakings
- More consistent cross-browser widgets
- Partial status indicator on the left of the icon, to
- Accommodate Chromium's badge position
- Make focus hint less elusive for needed capability widgets
- More accurate blocking stats
New in NoScript for Firefox 11.4 RC 5 (Mar 18, 2022)
- Fix breakage when dom.storage.enabled is set to false (thanks DJ-Leith for report)
- [l10n] Many languages updates
New in NoScript for Firefox 11.4 RC 3 (Mar 15, 2022)
- Include ServiceWorker-initiated fetch requests in UI reporting (thanks 0_o for report)
- Remove redundant style patching
New in NoScript for Firefox 11.4 RC 2 (Mar 14, 2022)
- Prompts can be closed by keyboard: Enter emulates the default button click, Escape the cancel action
- Improved light/dark schemes support
New in NoScript for Firefox 11.4 RC 1 (Mar 14, 2022)
- Dark/Light/Auto theme switcher in Appearance options panel
- Ensure better visibility for in-popup message box
New in NoScript for Firefox 11.3.8 RC 6 (Mar 14, 2022)
- Sticky toolbar and scrollable fixed-height content in browserAction popups
- Remove debug statements
- Use currentWindow instead of lastFocusedWindow to initialize browserAction and its surrogate windows
- [XSS] Automatically reload page when clearing XSS choice from popup
- [XSS] Enable "Clear XSS Choices" button only if some item is selected
- More visual tweaks
New in NoScript for Firefox 11.3.8 RC 5 (Mar 13, 2022)
- Remember last active tab when opening the option window
- More visual/theming tweaks
- Avoid useless reload if no actual change has happened in enforcement status
New in NoScript for Firefox 11.3.8 RC 4 (Mar 12, 2022)
- Apply preferred theme to media placeholders
- Fix for regression: request and execution attempts not being reported anymore in the UI if restrictions are disabled (thanks Stefan Mey for report)
- Dark and light themes refinements
New in NoScript for Firefox 11.3.8 RC 3 (Mar 11, 2022)
- Dark mode support
- Improved high contrast layout
- Fixed undefined lastInput on tab key
- Fixed automatic reload not always triggered for CUSTOM
- tweakings
New in NoScript for Firefox 11.3.8 RC 2 (Mar 10, 2022)
- [L10n] Updated zh_TW
- More consistent cross-browser widgets
- Fix placeholder close button shadow
- Fix blurry icons on Chromium
- Partial status indicator on the left of the icon, to accommodate Chromium's badge position
New in NoScript for Firefox 11.3.8 RC 1 (Mar 7, 2022)
- Make focus hint less elusive for needed capability widgets
- Align capabilities on the vertical center
- Improve buttons and tabs appearance
- Visual refresh based on Simply Secure concept artwork
- More accurate blocking stats
New in NoScript for Firefox 11.3.7 (Mar 2, 2022)
- Always avoid DNS resolution when a HTTP(S) proxy is used.
New in NoScript for Firefox 11.3.7 RC 1 (Mar 2, 2022)
- Always avoid DNS resolution when a HTTP(S) proxy is used (thanks nojake for reporting)
New in NoScript for Firefox 11.3.6 (Feb 28, 2022)
- Make high contrast and draggable toolbar items mutually
- Exclusive
- [Chromium] Fix high contrast option not working
- Avoid flashing empty graveyard on popup opening
- More deterministic DnD placeholder creation
- [L10n] Updated fr, es, nl, zh_CN
- Make disabled buttons draggable and hidden enabled buttons
- Interactive when the "graveyard" is open
- Close UI and reload immediately when enabling global/tab
- Restrictions or disabling them for the tab only
New in NoScript for Firefox 11.3.6 RC 4 (Feb 28, 2022)
- Avoid flashing empty graveyard on popup opening
New in NoScript for Firefox 11.3.5 (Feb 28, 2022)
- [L10n] Updated de, mk, ru, sq, tr
- Fix regressions in draggable toolbar buttons
New in NoScript for Firefox 11.3.6 RC 3 (Feb 28, 2022)
- More deterministic DnD placeholder creation
- [L10n] Updated fr
New in NoScript for Firefox 11.3.6 RC 2 (Feb 27, 2022)
- [L10n] Updated es
- Make disabled buttons draggable and hidden enabled buttons interactive when the "graveyard" is open
New in NoScript for Firefox 11.3.6 RC 1 (Feb 27, 2022)
- Close UI and reload immediately when enabling global/tab restrictions or disabling them for the tab only
- [L10n] Updated nl, zh_CN
New in NoScript for Firefox 11.3.5 RC 2 (Feb 26, 2022)
- Updated de, mk, ru, sq, tr
New in NoScript for Firefox 11.3.4 (Feb 25, 2022)
- Avoid closing the customizer on arrow up key context selection change (thanks barbaz for reporting)
- Prominently warn user whenever restrictions are disabled
- Better accessibility and styling for popup global buttons
- [L10n] Updated de
- Fix for contextual permissions display inconsistencies in options panel (thanks barbaz for reporting)
New in NoScript for Firefox 11.3.4 RC 2 (Feb 25, 2022)
- Avoid closing the customizer on arrow up key context
- selection change (thanks barbaz for reporting)
- Prominently warn user whenever restrictions are disabled
- Support icon buttons elsewhere in the UI (e.g. in the
- messagebox)
- Support for selectively hiding messages
- Support for extra UI in the popup's message box
- Prevent popup closure and automatic reload when
- restrictions are disabled for the tab or globally
- Use a 5 seconds timeout to remotely fetch HTML events
- source
- Better accessibility and styling for popup global buttons
New in NoScript for Firefox 11.3.4 RC 1 (Feb 23, 2022)
- [L10n] Updated de
- Fix for contextual permissions display inconsistencies in options panel (thanks barbaz for reporting)
New in NoScript for Firefox 11.3.3 (Feb 21, 2022)
- Play nice with the Viewhance extension
- Avoid synchronous fetching for remote embedding documents
- Fixed typo in UI context dropdown initial selection
- Fixed wrong label for http: sites in contextual policy UI
- Fix for first party context policy ignored on first load in new tabs
- Consolidate best effort policy fetching
- Use correct context for all subresources checks
- Queries on Firefox
- [L10n] Updated de, es, he
New in NoScript for Firefox 11.3.3 RC 6 (Feb 21, 2022)
- [Android] Improved CUSTOM panel portrait layout
- [L10n] Updated de, he
New in NoScript for Firefox 11.3.3 RC 4 (Feb 20, 2022)
- Fixed wrong label for http: sites in contextual policy UI (thanks barbaz for reporting)
- Fix for first party context policy ignored on first load in new tabs (thanks ayi for reporting)
New in NoScript for Firefox 11.3.3 RC 3 (Feb 19, 2022)
- Consolidate best effort policy fetching
New in NoScript for Firefox 11.3.3 RC 2 (Feb 19, 2022)
- Use correct context for all subresources checks (thanks user72 for reporting)
New in NoScript for Firefox 11.3.3 RC 1 (Feb 19, 2022)
- Prevent LAN protection from performing unnecessary DNS queries on Firefox (thanks vexity for reporting)
- [L10n] Updated de, es
New in NoScript for Firefox 11.3.2 (Feb 18, 2022)
- Prevent LAN protection from breaking webRequest blockin on the Tor Browser (thanks TorBrowserUser for reporting)
New in NoScript for Firefox 11.3.2 RC 1 (Feb 17, 2022)
- Prevent LAN protection from breaking webRequest blocking on the Tor Browser (thanks TorBrowserUser for reporting
New in NoScript for Firefox 11.3.1 RC 2 (Feb 17, 2022)
- Fix regression: CUSTOM UI broken on Gecko 77 and below
New in NoScript for Firefox 11.3.1 RC 1 (Feb 17, 2022)
- Localized reset button
- [nscl] Fix for null origin URL objects breaking Sites parser (thanks kinet1k for reporting)
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
New in NoScript for Firefox 11.3 (Feb 16, 2022)
- LAN capability to check for cross-zone WAN to LAN requests
- Contextual policies (different capabilities for the same origin, depending on the top-level domain) configurable in the CUSTOM panel
New in NoScript for Firefox 11.3 RC 4 (Feb 16, 2022)
- Automatically persist contextual policy on creation and use animation to convey it being a new instance
- Updated RU
New in NoScript for Firefox 11.3 RC 3 (Feb 15, 2022)
- [LAN] check origin for all the DNS records to be local in order to mitigate DNS rebinding attacks
- [nscl] SyncMessage, fix for about:blank being reported as the tab URL sometimes on Chromium
- [L10n] Updated it, nl, sq, tr, zh_CN
New in NoScript for Firefox 11.3 RC 2 (Feb 15, 2022)
- LAN capability to check for cross-zone WAN to LAN requests
- Support contextual policies in permission updates
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
New in NoScript for Firefox 11.3 RC 1 (Feb 14, 2022)
- Contextual policies (different capabilities for the same origin, depending on the top-level domain) configurable in the CUSTOM panel (thanks NLnet for financial support)
New in NoScript for Firefox 11.2.25 (Feb 14, 2022)
- More robust policy fetching
- [Firefox] Fix regression causing file:// policy not to be correctly enforced sometimes
New in NoScript for Firefox 11.2.25 RC 2 (Feb 13, 2022)
- More robust policy fetching
New in NoScript for Firefox 11.2.25 RC 1 (Feb 13, 2022)
- Fix regression causing file:// policy not to be correctly enforced sometimes.
New in NoScript for Firefox 11.2.24 (Feb 11, 2022)
- Avoid unnecessary window patching
New in NoScript for Firefox 11.2.24 RC 1 (Feb 11, 2022)
- Avoid unnecessary window patching
New in NoScript for Firefox 11.2.23 (Feb 10, 2022)
- Fix rare breakages due to xray cloning
New in NoScript for Firefox 11.2.23 RC 1 (Feb 10, 2022)
- [nscl] Fix rare breakages due to xray cloning
New in NoScript for Firefox 11.2.21 / 5.1.9 (Feb 9, 2022)
- Better fallback for failing syncMessage
- [XSS] Simplified preemptive name sanitization
New in NoScript for Firefox 11.2.20 (Feb 9, 2022)
- [L10n] Updated de
- [XSS] Fix false positive warning when "name" is in the query string.
New in NoScript for Firefox 11.2.21 RC 1 (Feb 8, 2022)
- Better fallback for failing syncMessage
- [XSS] Simplified preemptive name sanitization
New in NoScript for Firefox 11.2.20 RC 1 (Feb 7, 2022)
- [XSS] Fix false positive warning when "name" is in the query string (thanks John Shield / DuckDuckGo for reporting)
New in NoScript for Firefox 11.2.19 (Feb 5, 2022)
- [XSS] Faster invalidCharsRx initialization on Gecko 78 and above
- [XSS] More resilient name handling
- [nscl] Use HTTPS SyncMessage endpoint for Chromium too (works around lack of file access by default on packed extensions breaking NoScript)
New in NoScript for Firefox 11.2.19 RC 1 (Feb 4, 2022)
- Faster invalidCharsRx initialization on Gecko 78 and above
- [XSS] More resilient name handling
New in NoScript for Firefox 11.2.16 RC 5 (Jan 31, 2022)
- Fallback to synchronous policy fetching if the document is already loaded (e.g. on updates)
- [XSS] Interactive testing made a bit easier
New in NoScript for Firefox 11.2.16 RC 4 (Jan 31, 2022)
- Mitigate side effects of dead objects on patched windows during extension updates
New in NoScript for Firefox 11.2.16 RC 3 (Jan 30, 2022)
- Fix false positive on Microsoft authentication (thanks GrK and Hanna_Payne for reporting)
New in NoScript for Firefox 11.2.16 RC 2 (Jan 23, 2022)
- [nscl] Work-around for object element initialization inconsistencies on Firefox (thanks skriptimaahinen for reporting)
New in NoScript for Firefox 11.2.16 RC 1 (Jan 20, 2022)
- [L10n] Updated fr
- Better support for service workers in unrestricted modes
New in NoScript for Firefox 11.2.15 (Jan 19, 2022)
- [Android] Work-around for Firefox "forgetting" tabs
- [nscl] Improved cross-frame auto-patching
New in NoScript for Firefox 11.2.15 RC 1 (Jan 15, 2022)
- [Android] Work-around for Firefox "forgetting" tabs
- [nscl] Improved cross-frame auto-patching
New in NoScript for Firefox 11.2.14 (Dec 30, 2021)
- X [nscl] Updated SyncMessage fixes conflict with other
- Content blockers (thanks gwarser, barbaz and Baraoic)
New in NoScript for Firefox 11.2.14 RC 1 (Dec 29, 2021)
- [nscl] Updated SyncMessage fixes conflict with other content blockers (thanks gwarser, barbaz and Baraoic)
New in NoScript for Firefox 11.2.13 (Dec 29, 2021)
- [XSS] Tweaked risky operator check prevents false positive
- on outbound Twitter navigation (thanks @muchtypo for
- reporting)
- [XSS] Better logging for JS fragment detection
- [XSS] Fixed performance regression in invalid character
- ranges generation causing random XSS "DOS" false positives
- Fetch policy for baseURI if document.domain is empty
- [L10n] Updated ja, lt, pl, ru, zh_CN
- Always fetch policy synchronously, if missing
- Fixed undetermined status icon on BF cache page loads
- [nscl] Fix webgl blocking regression due to xray wrappers
- confusion (thanks skriptimaahinen)
- [nscl] Prevent unnecessary breakages on pages inspecting
- canvas.getContext when webgl is disabled
- [nscl] Reduce the risk to interfere with scripts messing
- with the media attribute (issue #207)
New in NoScript for Firefox 11.2.13 RC 1 (Dec 28, 2021)
- [XSS] Restored compatibility with Gecko 77 and below
New in NoScript for Firefox 11.2.12 RC6 (Dec 27, 2021)
- [XSS] Fixed regression causing "too much recursion" false positives (thanks barbaz for report)
- [XSS] Precomputed invalid identifier chars regular expression
New in NoScript for Firefox 11.2.12 RC5 (Dec 26, 2021)
- [XSS] Tweaked risky operator check prevents false positive on outbound Twitter navigation (thanks @muchtypo for reporting)
- [XSS] Better logging for JS fragment detection
- [XSS] Fixed performance regression in invalid character ranges generation causing random XSS "DOS" false positives
- Fetch policy for baseURI document.domain is empty
New in NoScript for Firefox 11.2.12 RC4 (Dec 5, 2021)
- [L10n] Updated ja, lt, pl, ru, zh_CN
- Always fetch policy synchronously, if missing
- Fixed undetermined status icon on BF cache page loads
New in NoScript for Firefox 11.2.12 RC3 (Aug 26, 2021)
- [nscl] Fix webgl blocking regression due to xray wrappers confusion (thanks skriptimaahinen)
New in NoScript for Firefox 11.2.12 RC2 (Aug 21, 2021)
- [nscl] Prevent unnecessary breakages on pages inspecting canvas.getContext when webgl is disabled
New in NoScript for Firefox 11.2.12 RC1 (Jul 30, 2021)
- [nscl] Reduce the risk to interfere with scripts messing with the media attribute (issue #207)
New in NoScript for Firefox 11.2.11 (Jul 29, 2021)
- [nscl] Fixed JavaScript access to CSS rules broken on Chromium when unrestricted CSS is disabled - issue #204
- Prevent Chromium builds from being sent to AMO for signing
- [nscl] Fixed CPU/RAM overload on some pages with unrestricted CSS disabled but scripting enabled (not recommended setting) - issue #194, issue #199
- [nscl] Fixed CPU spikes on Chromium triggered by automatic file downloads (thanks ptheborg for report)
New in NoScript for Firefox 11.2.11 RC4 (Jul 28, 2021)
- Fixed JavaScript access to CSS rules broken on Chromium when unrestricted CSS is disabled - issue #204
New in NoScript for Firefox 11.2.10 (Jul 23, 2021)
- Cross-browser file naming consistency, in spite of version numbering incompatibilities
- [nscl] Fix for potential race conditions on certain page transitions (issue #205)
- Handle exception when accessing navigator.serviceWorker on sandboxed frames
- MS Edge support
New in NoScript for Firefox 11.2.10 RC1 (Jul 23, 2021)
- Cross-browser file naming consistency, in spite of versionnumbering incompatibilities
- [nscl] Fi for potential race conditions on certain page transitions (issue #205)
- Handle eception when accessing navigator.serviceWorker on sandboed frames
- MS Edge support
New in NoScript for Firefox 11.2.9 (Jun 24, 2021)
- [L10n] Updated de, mk
- Replace deprecated extension.getURL() with runtime.getURL()
- REUSE-compliant licensing boilerplate
- Remove unused/refactored-out files
- Relicensing as GPL3+
- [nscl] Fixed infinite recursion issue on window.open wrappers
- Avoid treating JavaScript files as embeddings when opened as top-level documents
New in NoScript for Firefox 11.2.9 RC3 (Jun 23, 2021)
New in NoScript for Firefox 11.2.9 RC2 (Jun 19, 2021)
- Replace deprecated extension.getURL() with runtime.getURL()
- REUSE-compliant licensing boilerplate
- Remove unused/refactored-out files
- Relicensing as GPL3+
- [nscl] Fixed infinite recursion issue on window.open wrappers
New in NoScript for Firefox 11.2.9 RC1 (Jun 4, 2021)
- Avoid treating JavaScript files as embeddings when opened as top-level documents
- [L10n] Updated de
New in NoScript for Firefox 11.2.8 (May 20, 2021)
- Quiet down unnecessary debug logging (issue #191)
- [L10n] Updated he, de
- Fix meta refresh sometimes ignored on Firefox 78 ESR
- Chromium-specific build-time customizations
New in NoScript for Firefox 11.2.8 RC 2 (May 20, 2021)
- Quiet down unnecessary debug logging (issue #191)
- [L10n] Updated he
New in NoScript for Firefox 11.2.8 RC 1 (May 19, 2021)
- Fix meta refresh sometimes ignored on Firefox 78 ESR (issue #192, thanks hackerncoder for report)
- [l10n] Updated de
- Chromium-specific build-time customizations
New in NoScript for Firefox 11.2.7 (May 6, 2021)
- Better prompt layout (no accidental scrollbar)
- [nscl] Fix regression causing media patches to break some pages (thanks l0drex for report, issue #189)
New in NoScript for Firefox 11.2.7 RC 1 (May 6, 2021)
- Better prompt layout (no accidental scrollbar)
- [nscl] Fix regression causing media patches to break some pages (thanks l0drex for report, issue #189)
New in NoScript for Firefox 11.2.6 (May 5, 2021)
- [nscl] Various webgl blocking enhancements
- Remove also sticky-positioned elements with click+DEL on scriptless pages (thanks skriptimaahinen for RFE)
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fied race condition causing eternal CSS not to be rendered sometimes when unrestricted CSS is disabled
- Avoid document rewriting for noscript meta refresh emulation in most cases
- [nscl] Fied HTML pages broken when served with application/ml MIME type and no "object" capability
- [nscl] Switch early content script configuration to use /nscl/service/DocStartInjection.js
- Configurable "unrestricted CSS" capability to for sites where the CSS PP0 mitigation should be disabled (e.g TRUSTED)
- [nscl] Fi CSS PP0 mitigation still interfering with some WebEtensions (thanks barbaz for report)
- [SS] Increased sensitivity and specificity of risky operator pre-checks
New in NoScript for Firefox 11.2.6 RC 1 (May 4, 2021)
- [nscl] Various webgl blocking enhancements
- Remove also sticky-positioned elements with click+DEL on scriptless pages (thanks skriptimaahinen for RFE)
New in NoScript for Firefox 11.2.6 (May 4, 2021)
- [nscl] Various webgl blocking enhancements
- Remove also sticky-positioned elements with click+DEL on scriptless pages (thanks skriptimaahinen for RFE)
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fixed race condition causing external CSS not to be rendered sometimes when unrestricted CSS is disabled
- Avoid document rewriting for noscript meta refresh emulation in most cases
- [nscl] Fixed XHTML pages broken when served with application/xml MIME type and no "object" capability
- [nscl] Switch early content script configuration to use /nscl/service/DocStartInjection.js
- Configurable "unrestricted CSS" capability to for sites where the CSS PP0 mitigation should be disabled (e.g TRUSTED)
- [nscl] Fix CSS PP0 mitigation still interfering with some WebExtensions (thanks barbaz for report)
- [XSS] Increased sensitivity and specificity of risky operator pre-checks
New in NoScript for Firefox 11.2.5 RC 6 (May 4, 2021)
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Policy retrieval origin fine tuning
New in NoScript for Firefox 11.2.5 RC 5 (May 3, 2021)
- Fixed hook not taking in account experimental webgl contexts (issue #187, thanks roman567e45 for report)
New in NoScript for Firefox 11.2.5 RC 3 (Apr 28, 2021)
- Fixed race condition causing external CSS not to be rendered sometimes when unrestricted CSS is disabled
- Rename "unchecked CSS" capability to "unrestricted CSS"
- Avoid document rewriting for noscript meta refresh emulation in most cases
New in NoScript for Firefox 11.2.5 RC 2 (Apr 27, 2021)
- Minor fixes from the library [nscl] Fixed XHTML pages broken when served with application/xml MIME type and no "object" capability
- [nscl] Switch early content script configuration to use/nscl/service/DocStartInjection.js
- [nscl] Refactored ContentScriptOnce.js to the library
- Rename the "csspp0" capability to "unchecked_css"
New in NoScript for Firefox 11.2.5 RC 1 (Apr 2, 2021)
- Configurable "csspp0" capability to for sites where the CSS PP0 mitigation should be disabled (e.g TRUSTED)
- [nscl] Fix CSS PP0 mitigation still interfering with some WebExtensions (thanks barbaz for report)
- [XSS] Increased sensitivity and specificity of risky operator pre-checks
New in NoScript for Firefox 11.2.4 (Mar 29, 2021)
- CSS resources prefetching as a mitigation against CSS PP0 (https://github.com/Yossioren/pp0)
- [L10n] Updated br, de, el, es, fr, he, is, nl, pl, pt_BR, Ru, sq, tr, zh_CN
- [nscl] Inteception of webgl context creation in OffscreenCanvas too
- Fixed configuration upgrades not applied on manual updates (thanks Nan for reporting)
- Mitigation for misbehaving pages repeating failed requests in a tight loop
- [UI] More understandable label for the cascading Restrictions option
- [nscl] More refactoring out in NoScript Commons Library
- [nscl] patchWindow improvements
New in NoScript for Firefox 11.2.4 RC 5 (Mar 27, 2021)
- [nscl] Inteception of webgl context creation in OffscreenCanvas too
- Fixed regression: Site Info broken by NSCL refactoring
New in NoScript for Firefox 11.2.4 RC 4 (Mar 26, 2021)
- [nscl] Fixed unmerged NetCSP "extra" headers always undefined
- HTML event atoms reorder in Mozilla sources
New in NoScript for Firefox 11.2.4 RC 3 (Mar 25, 2021)
- Avoid stack trace generation for debugging purposes on release builds
- More selective CSS PP0 protection, ecluded on the Tor Browser where it's unneeded and easier to test/debug on dev builds
- Make isTorBrowser information available in child policy
- Prevent console noise on startup with privileged tabs
- [nscl] More refactoring out in NoScript Commons Library
New in NoScript for Firefox 11.2.4 RC 2 (Mar 16, 2021)
- [nscl] Switch to NSCL for messaging
- [nscl] Rollback unneded window.opener patching (thanks musonius for insight)
- CSS PP0 mitigation: cross-site stylesheets on scriptless pages, one resource per host
- Limit CSS PP0 mitigation to scriptless pages and prefetch only cross-site resources
New in NoScript for Firefox 11.2.4 RC 1 (Mar 13, 2021)
- CSS resources prefetching as a mitigation against CSS PP0 (https://github.com/Yossioren/pp0)
- [L10n] Updated br, de, el, es, fr, he, is, nl, pl, pt_BR, ru, sq, tr, zh_CN
- Fixed configuration upgrades not applied on manual updates (thanks Nan for reporting)
- Mitigation for misbehaving pages repeating failed requests in a tight loop
- [UI] More understandable label for the cascading restrictions option
- [nscl] patchWindow improvements
- [nscl] Switch to NSCL's generic inclusion shell script
New in NoScript for Firefox 11.2.3 (Feb 18, 2021)
- Purged non-inclusive terms from obsolete messages
- Added red halo feedback in CUSTOM preset for noscript
- Element capability
- Fixed missing red halo feedback in CUSTOM preset for
- Inline scripts and other capabilities sometimes
- Fixed race condition causing noscript elements not to be
- Rendered sometimes
New in NoScript for Firefox 11.2.2 (Feb 17, 2021)
- Fixed typo in version checked on noscript capability update.
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl,
- pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW.
New in NoScript for Firefox 11.2.1 RC 4 (Feb 15, 2021)
- [UI] Minor CSS Chromium compatibility fix
- Configurable capability to show noscript elements on script-disabled pages
- [L10n] Updated de
New in NoScript for Firefox 11.2.1 RC 3 (Feb 14, 2021)
- [nscl] Improved integration of the NoScript CommonsLibrary
- Moved nscl submodule into src
- [nscl] Update (restructured tree)
- Removed nscl cache directory from src
- [nscl] Refactoring to use Policy and its dependencies from the NoScript Commons Library
New in NoScript for Firefox 11.2.1 RC 2 (Feb 13, 2021)
- Remove ||= operator which makes AMO's validator eplode
- Switch to faster and easier to maintain tld.js from nscl
- [nscl] Updated with TLD_CACHE removal after usage
- [nscl] Updated NoScript Common Library inclusions
- Added the NoScript Commons Library (nscl) as a submodule
- [UI] Fi punycode inconsistencies
- [UI] improve preset and site controls alignment
- Updated TLDs
- Provide feedback in the CUSTOM tab for WebGL usage attempts even if the canvas element is not attached to the DOM
- [L10n] Updated de, ja
- Updated HTML events
New in NoScript for Firefox 11.2.1 RC 1 (Feb 7, 2021)
- Prevent double script on trusted file:// pages in some edge cases
- Updated events archive
- Prevent detection of wrapped functions (e.g. in WebGL interception) on Chromium
- Updated TLDs
- Merge German language update
New in NoScript for Firefox 11.2 (Jan 29, 2021)
- [XSS] New UI to reveal and selectively remove permanent user choices
- [L10n] Updated de
- Webgl hook refactored on nscl/content/patchWindow.js and made Chromium-compatibile
- Updated TLDs
New in NoScript for Firefox 11.2 RC3 (Jan 26, 2021)
- Fixed choice manager UI bug.
New in NoScript for Firefox 11.2 RC2 (Jan 25, 2021)
- Updated TLDs
- [XSS] New UI to reveal and selectively remove permanent user choices
New in NoScript for Firefox 11.2 RC1 (Jan 25, 2021)
- [L10n] Updated de
- Webgl hook refactored on nscl/content/patchWindow.js and made Chromium-compatibile
- Updated TLDs
New in NoScript for Firefox 11.1.9 (Jan 21, 2021)
- Return null when webgl is not allowed (thanks Matthew Finkel for patch)
- [SS] Fied memoization bug resulting in performance degradation on some payloads
- [SS] Include call stack in debugging log output
- [SS] Skip naps when InjectionChecker runs in its own worker
- Shortcut for easier SS filter testing
- More lenient filter to add a new entry to per-sitepermissions
- [L10n] Updated de
- Replace script-embedded bitmap with css-embedded SVG as the placeholder logo
- Updated TLDs
- Remove source map reference causing console noise
- Fi per-site permissions UI glitches when base domain is added to eisting subdomain (thanks barbaz for reporting)
New in NoScript for Firefox 11.1.9 RC5 (Jan 18, 2021)
- Return null when webgl is not allowed
New in NoScript for Firefox 11.1.9 RC4 (Jan 15, 2021)
- Updated TLDs
- [XSS] Fixed memoization bug resulting in performance
- Degradation on some payloads
- [XSS] Include call stack in debugging log output
- [XSS] Skip naps when InjectionChecker runs in its own
- Worker
- Shortcut for easier XSS filter testing
New in NoScript for Firefox 11.1.9 RC3 (Jan 14, 2021)
- More lenient filter to add a new entry to per-site permissions
New in NoScript for Firefox 11.1.9 RC2 (Jan 11, 2021)
- [L10n] Updated de
- Better fix for per-site permissions UI glitches
New in NoScript for Firefox 11.1.8 (Jan 8, 2021)
- [XSS] Fix for old pre-screening optimization exploitable
- To bypass the filter in recent browsers - thanks Tsubasa
- FUJII (@reinforchu) for reporting
- Replace DOM-based entity decoding with the he.js pure JS
- Library
- Updated copyright statement
- Updated browser-polyfill.js
- Removed obsolete fastclick.js dependency
- [l10n] Updated de (thanks ib and Musonius)
- Updated TLDs
New in NoScript for Firefox 11.1.8 RC 1 (Jan 7, 2021)
- [XSS] Fix for old pre-screening optimization exploitable to bypass the filter in recent browsers (thanks Tsubasa FUJII for reporting)
- Replace DOM-based entity decoding with the he.js pure JS library
- Updated copyright statement
- Updated browser-polyfill.js
- Removed obsolete fastclick.js dependency
- [l10n] Updated de (thanks ib)
- Updated TLDs
New in NoScript for Firefox 11.1.7 (Dec 22, 2020)
- Optimize serviceWorker tracking for heavy tabs usage
- Force placeholder visibility on Youtube embeddings
- Fixed popup opening being slowed down if options UI is
- Opened (thanks Sirus for report)
- Explicit failure for wrong settings importation formats
- Updated TLDs
New in NoScript for Firefox 11.1.7 RC 3 (Dec 18, 2020)
- Updated TLDs
- Optimize serviceWorker tracking for heavy tabs usage
- (thanks vadimm and barbaz for investigation)
- Force placeholder visibility on Youtube embeddings
New in NoScript for Firefox 11.1.6 (Dec 10, 2020)
- Better handling of concurrent prompts issues (thanks
- Billarbor for reporting)
- Remove z-index boosting from ancestors when placeholder is
- Collapsed or replaced (issue #162)
- Fixed permission keyboard shortcuts being triggered with
- Modifiers like CTRL (thanks barbaz for report)
- More accurate blockage reporting, with better filtering of
- Page's own CSP effects
- [UI] Fixed bug in CUSTOM sites filtering (thanks barbaz
- For reporting)
- Fixed bug in automatic HTML events build-time updates
- Updated HTML events
- Updated TLDs
- [L10n] Updated sv_SE
- Better handling 0 width / 0 height media placeholders
New in NoScript for Firefox 11.1.6 RC 6 (Dec 8, 2020)
- Better handling of concurrent prompts issues (thanks billarbor for reporting)
New in NoScript for Firefox 11.1.6 RC 5 (Dec 8, 2020)
- Remove z-index boosting from ancestors when placeholder is collapsed or replaced (issue #162)
New in NoScript for Firefox 11.1.6 RC 3 (Dec 5, 2020)
- More accurate blockage reporting, with better filtering of page's own CSP effects
New in NoScript for Firefox 11.1.6 RC 1 (Nov 19, 2020)
- Updated TLDs
- [L10n] Updated sv_SE
- Better handling 0 width / 0 height media placeholders
New in NoScript for Firefox 11.1.5 (Nov 6, 2020)
- Updated TLD
- Fixed potential infinite loop via DOMContentLoaded
- Work-around for Firefox 82 media redirection bug
- Updated TLDs
New in NoScript for Firefox 11.1.5 RC 2 (Nov 5, 2020)
- Updated TLD
- Fixed potential infinite loop via DOMContentLoaded
New in NoScript for Firefox 11.1.5 RC 1 (Nov 4, 2020)
- Work-around for Firefox 82 media redirection bug (thanks ppxxbu and skriptimaahinen)
- Updated TLDs
New in NoScript for Firefox 11.1.4 (Oct 26, 2020)
- Fixed sloppy CSP media blocker detection breaking MSE blob: media placeholders on Chromium
- Fixed race condition causing temporary settings not to
- Survive updates sometimes
- Updated TLDs
- [Mobile] Improved prompts appearance on Android
New in NoScript for Firefox 11.1.4 RC 3 (Oct 26, 2020)
- Fixed sloppy CSP media blocker detection breaking MSE
- Blob: media placeholders on Chromium
New in NoScript for Firefox 11.1.4 RC 2 (Oct 25, 2020)
- Fixed race condition causing temporary settings not to survive updates sometimes
New in NoScript for Firefox 11.1.4 RC 1 (Oct 24, 2020)
New in NoScript for Firefox 11.1.3 (Oct 12, 2020)
- Fixed regression: document media and font restrictions always cascaded (thanks BrainDedd for report)
- Remove domPolicy logging when debugging is off
- Trivial reordering from Mozilla source
- Updated TLDs
New in NoScript for Firefox 11.1.2 RC1 (Oct 9, 2020)
- Fied regression: document media and font restrictions always cascaded (thanks BrainDedd for report)
- Remove domPolicy logging when debugging is off
- Trivial reordering from Mozilla source
- Updated TLDs
New in NoScript for Firefox 11.1.1 (Oct 8, 2020)
- Updated TLDs
- Better heuristic to figure out missing data while computing contetual policies
- Fied regression breaking per-tab restrictions disablement (thanks Horsefly for report)
New in NoScript for Firefox 11.1.1 RC1 (Oct 6, 2020)
- Updated TLDs
- Better heuristic to figure out missing data while computing contextual policies
- Fixed regression breaking per-tab restrictions disablement (thanks Horsefly for report)
New in NoScript for Firefox 11.1.0 RC2 (Oct 5, 2020)
- Improved blocking of media documents unaffected by webRequest
- Automatically init tag message with last changelog
New in NoScript for Firefox 11.1.0 RC1 (Oct 4, 2020)
- Improved NOSCRIPT element emulation compatibility with XML documents.
New in NoScript for Firefox 11.0.47 RC6 (Oct 3, 2020)
- WebNavigation.onCommitted + tabs.executeScript to deliver
- DOM policies earlier whenever possible
- Fixed typo causing CSP-based media blocking to skip
- Requests with no content-type header
New in NoScript for Firefox 11.0.47 RC5 (Oct 2, 2020)
- Partial work-around for Fx 80 file:// documents parsing inconsistencies (further fix for issue #156)
New in NoScript for Firefox 11.0.47 RC4 (Oct 2, 2020)
- Cache policy on top document for file:// subdocuments (fixes issue #156)
- Updated TLDs
- Enforce more restrictive CSP on media/object documents
New in NoScript for Firefox 11.0.47 RC3 (Sep 28, 2020)
- Better cross-browser media handling
- Improved file: directory path normalization
New in NoScript for Firefox 11.0.47 RC2 (Sep 27, 2020)
- [Mobile] Use tabs as prompts if the browser.windows API is missing
New in NoScript for Firefox 11.0.46 (Sep 21, 2020)
- Updated TLDs
- [L10n] Updated is
- Fixed file:// and ftp:// specific content scripts not runnning in subdocuments
- Fixed deferred scripts in file:// pages may run twice (issue #155)
- Fixed rendering bug with scrolled file:// pages on soft reload (thanks Iouri for report)
- Fixed 11.0.44 regression: ghost media item reported on every page
- Better emulation of SVG events
New in NoScript for Firefox 11.0.45 RC4 (Sep 17, 2020)
- Fixed deferred scripts in file:// pages may run twice (issue #155)
New in NoScript for Firefox 11.0.45 RC2 (Sep 16, 2020)
- Fixed 11.0.44 regression: ghost media item reported on every page
New in NoScript for Firefox 11.0.45 (Sep 16, 2020)
- Better emulation of SVG events
New in NoScript for Firefox 11.0.44 (Sep 15, 2020)
- Dispatch synthetic SVGLoad event in soft load when needed
- [L10n] Updated da, es
- Fixed namespacing issues with script replacements
- Fixed media placeholder not shown when blocking Youtube
- Movies
- Work around for unpredictable content script execution
- Order
- Ensure content of NoScript prompts is always visible
- Fixed soft reload messing with non UTF-8 encodings (thanks
- "Quest" for reporting)
- Updated TLDs
- [XSS] Fixed escape detection bug causing strage false
- Positives (thanks Dave Howorth for report)
New in NoScript for Firefox 11.0.44 RC 7 (Sep 14, 2020)
- Better reflect event firing order in soft reload emulation
New in NoScript for Firefox 11.0.44 RC 5 (Sep 14, 2020)
New in NoScript for Firefox 11.0.44 RC 4 (Sep 14, 2020)
- Fixed namespacing issues with script replacements
- Fixed typo in content script ordering work-around
New in NoScript for Firefox 11.0.44 RC 3 (Sep 13, 2020)
- Fixed media placeholder not shown when blocking Youtube movies
- Work around for unpredictable content script execution order
- Ensure content of NoScript prompts is always visible
New in NoScript for Firefox 11.0.44 RC 2 (Sep 11, 2020)
- Fixed soft reload messing with non UTF-8 encodings (thanks "Quest" for reporting)
New in NoScript for Firefox 11.0.44 RC 1 (Sep 10, 2020)
- Updated TLDs
- [L10n] Updated es
- [XSS] Fixed escape detection bug causing strage false positives (thanks Dave Howorth for report)
- Fixed markup typo
New in NoScript for Firefox 11.0.43 (Sep 9, 2020)
- Fix for some race conditions causing corruptions in non-HTML non-XML documents
New in NoScript for Firefox 11.0.43 RC 1 (Sep 8, 2020)
- Should fix some race conditions causing corruptions in non-HTML non-XML documents
New in NoScript for Firefox 11.0.42 (Sep 8, 2020)
- Avoid useless "seen" reports from onBeforeRequest()
- Catch broadcast messaging errors
- Make build.sh tag push even already created tags
- Updated TLDs
- Work-around for applying DOM CSP to non-HTML XML documents (thanks skriptimaahinen)
- Document freezing to handle SVG and other XML documentsas a fallback before CSP insertion
- Refactored and improved syncFetchPolicy fallback for file:
- and ftp: special cases
New in NoScript for Firefox 11.0.43 RC 1 (Sep 8, 2020)
- Should fix some race conditions causing corruptions in non-HTML non-XML documents
New in NoScript for Firefox 11.0.42 RC 8 (Sep 5, 2020)
- Avoid useless "seen" reports from onBeforeRequest()
- Catch broadcast messaging errors
- Make build.sh tag push even already created tags
New in NoScript for Firefox 11.0.42 RC 7 (Sep 4, 2020)
- Updated TLDs
- Let injected CSP prevent onload events from firing on unfrozen embedded elements
- Work-around for applying DOM CSP to non-HTML XML documents
New in NoScript for Firefox 11.0.42 RC 6 (Sep 3, 2020)
- Document freezing to handle SVG and other XML documents impervious to CSP on Mozilla
New in NoScript for Firefox 11.0.42 RC 5 (Sep 1, 2020)
- Skip soft reload if not needed
New in NoScript for Firefox 11.0.42 RC 4 (Aug 31, 2020)
- XML-compatible soft reload
New in NoScript for Firefox 11.0.42 RC 3 (Aug 30, 2020)
- "Soft reload" approach to fix file: and ftp: issues
New in NoScript for Firefox 11.0.42 RC 2 (Aug 29, 2020)
- SyncMessage suspending on DOMContentLoaded
- Updated TLDs
New in NoScript for Firefox 11.0.42 RC 1 (Aug 29, 2020)
- Refactored and improved syncFetchPolicy fallback for file: and ftp: special cases
New in NoScript for Firefox 11.0.41 (Aug 25, 2020)
- More precise event suppression mechanism
- Fixed regression: events suppressed on file:// pages
- Unless scripts are allowed
- Updated TLDs
New in NoScript for Firefox 11.0.41 RC 2 (Aug 25, 2020)
- More precise event suppression mechanism
New in NoScript for Firefox 11.0.40 (Aug 24, 2020)
- Avoid synchronous policy fetching whenever possible (fixes multiple issues)
New in NoScript for Firefox 11.0.40 RC 2 (Aug 24, 2020)
- Avoid synchronous policy fetching whenever possible
New in NoScript for Firefox 11.0.40 RC 1 (Aug 22, 2020)
- Handle edge case in file:// pages: policy change and reload before DOMContentLoaded
New in NoScript for Firefox 11.0.39 (Aug 21, 2020)
- Fix reload loops on broken file: HTML documents
- [XSS] Updated HTML event attributes
- Local policy fallback for file: and ftp: URLs using window.name rather than sessionStorage
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Added "Revoke temporary permissions on NoScript updates, even if the browser is not restarted" advanced option
- Let temporary permissions survive NoScript updates (shameless hack)
- Fixed some traps around Messages abstraction
- Ignore search / hash on policy matching of domain-less URLs (e.g. file:///...)
- Updated TLDs
- Fixed automatic scrolling hampers usability on long sites lists in popup
- Better timing for event attributes removal/restore
- Work-arounds for edge cases in synchronous page loads bypassing webRequest (thanks skriptimaahinen)
New in NoScript for Firefox 11.0.39 RC 8 (Aug 21, 2020)
- Several hacks to make non-distruptive updates compatible with Chromium
- Tighten localPolicy persistence mechanism during reloads
New in NoScript for Firefox 11.0.39 RC 7 (Aug 20, 2020)
- Temporary settings survival more resilient and compatible with Fenix
- [L10n] Updated es
New in NoScript for Firefox 11.0.39 RC 6 (Aug 20, 2020)
- Fix reload loops on broken file: HTML documents (thanks bernie for report)
- [XSS] Updated HTML event attributes
New in NoScript for Firefox 11.0.39 RC 5 (Aug 19, 2020)
- Local policy fallback for file: and ftp: URLs using window.name rather than sessionStorage
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Renamed option to "Revoke temporary permissions on NoScript updates, even if the browser is not restarted"
New in NoScript for Firefox 11.0.39 RC 4 (Aug 18, 2020)
- Added option to forget temporary settings immediately
- whenever NoScript gets updated
- Fixed regression: file:/// URLs reloaded whenever NoScript
- gets reinstalled / enabled / reloaded
- More resilient and easy to debug survival data retrieving
New in NoScript for Firefox 11.0.39 RC 3 (Aug 18, 2020)
- Fixed regression causing manual NoScript downgrades to be delayed until manual restart
New in NoScript for Firefox 11.0.39 RC 2 (Aug 18, 2020)
- Let temporary permissions survive NoScript updates (shameless hack)
- Fixed some traps around Messages abstraction
- Ignore search / hash on policy matching of domain-less URLs (e.g. file:///...)
- Removed useless CSS property
- Updated TLDs
New in NoScript for Firefox 11.0.38 (Aug 17, 2020)
- Better timing for event attributes removal/restore
- Work-arounds for edge cases in synchronous page loads
- Bypassing webRequest (thanks skriptimaahinen)
- [L10n] Updated bn
New in NoScript for Firefox 11.0.39 RC 1 (Aug 15, 2020)
- Updated TLDs
- Fixed automatic scrolling hampers usability on long sites lists in popup
- Fixed typo in vendor-prefixed CSS
New in NoScript for Firefox 11.0.38 RC 2 (Aug 13, 2020)
- Better timing for event attributes removal/restore
New in NoScript for Firefox 11.0.38 RC 1 (Aug 13, 2020)
- Work-arounds for edge cases in synchronous page loads bypassing webRequest (thanks skriptimaahinen)
- [L10n] Updated bn
New in NoScript for Firefox 11.0.37 (Aug 11, 2020)
- Simpler and more reliable sendSyncMessage implementation and usage
- sendSyncMessage support for multiple suspension requests (should fix extension script injection issues)
- Updated TLDs
New in NoScript for Firefox 11.0.37 RC3 (Aug 11, 2020)
- Simpler and more reliable sendSyncMessage implementation and usage
- Updated TLDs
New in NoScript for Firefox 11.0.37 RC2 (Aug 10, 2020)
- SyncMessage suspending on DOM modification as well
- Updated TLDs
New in NoScript for Firefox 11.0.37 RC1 (Aug 8, 2020)
- Updated TLDs
- sendSyncMessage support for multiple suspension requests (should fix extension script injection issues)
New in NoScript for Firefox 11.0.36 (Aug 7, 2020)
- Fixed regression: temporary permissions revocation not working anymore on privileged pages
- SendSyncMessage script execution safety net more compatible with other extensions (e.g. BlockTube)
New in NoScript for Firefox 11.0.36 RC 1 (Aug 6, 2020)
- Fixed regression: temporary permissions revocation not working anymore on privileged pages
- SendSyncMessage script execution safety net more compatible with other extensions (e.g. BlockTube)
New in NoScript for Firefox 11.0.35 (Aug 6, 2020)
- Avoid unnecessary reloads on temporary permissions revocation
- [UI] Removed accidental cyan background for site labels
- [L10n] Updated es
- Work-around for conflict with extensions inserting elements into content pages' DOM early
- [XSS] Updated HTML events
- Updated TLDs
- Fixed buggy policy references in the Options dialog
- More accurate NOSCRIPT element emulation
- Anticipate onScriptDisabled surrogates to first script-src none' CSP violation
- isTrusted checks for all the content events
- Improved look in mobile portrait mode
- Let SyncMessage prevent undesired script execution scheduled during suspension
New in NoScript for Firefox 11.0.35 RC 4 (Aug 3, 2020)
- Avoid unnecessary reloads on temporary permissions
- Revocation
- Fixed potentially infinite loop in SyncMessage Firefox
- Implementation
- [UI] Removed accidental cyan background for site labels
- [L10n] Updated es
New in NoScript for Firefox 11.0.35 RC 3 (Aug 3, 2020)
- Work-around for conflict with extensions inserting elements into content pages' DOM early
- [XSS] Updated HTML events
New in NoScript for Firefox 11.0.35 RC 2 (Jul 30, 2020)
- Updated TLDs
- Fixed buggy policy references in the Options dialog
- More accurate NOSCRIPT element emulation
- Anticipate onScriptDisabled surrogates to first script-src 'none' CSP violation
- isTrusted checks for all the content events
- Improved look in mobile portrait mode
New in NoScript for Firefox 11.0.35 RC 1 (Jul 30, 2020)
- Let SyncMessage prevent undesired script execution scheduled during suspension
New in NoScript for Firefox 11.0.34 (Jul 11, 2020)
- Fixed regression breaking network-based CSP injection
New in NoScript for Firefox 11.0.34 RC 1 (Jul 10, 2020)
- Fixed regression breaking network-based CSP injection
New in NoScript for Firefox 11.0.33 (Jul 10, 2020)
- Switch from HTTP to DOM event based CSP reporting in Compatible browsers
- [XSS] Updated HTML event attributes
- Updated TLDs
New in NoScript for Firefox 11.0.32 (Jun 22, 2020)
- [L10n] Updated it, mk, sv_SE
- Fixed setting CUSTOM permissions in private mode may cause
- The TRUSTED preset to become temporary
- Updated TLDs
- [XSS] Updated HTML 5 events support
- More compact high contrast appearance
New in NoScript for Firefox 11.0.32 RC1 (Jun 21, 2020)
- [L10n] Updated it, mk, sv_SE
- Fixed setting CUSTM permissins in private mde may cause the TRUSTED preset t becme temprary
- Updated TLDs
- [XSS] Updated HTML 5 events supprt
- Mre cmpact high cntrast appearance
New in NoScript for Firefox 11.0.31 (Jun 9, 2020)
- Focus "OK" button on dialog-mode UI
- Fixed various toolbar buttons DnD issues
- Updated TLDs
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fixed very low contrast HTTPS-only label in High Contrast mode
New in NoScript for Firefox 11.0.31 RC2 (Jun 7, 2020)
- Focus "OK" button on dialog-mode UI
- [L10n] Updated da
- Fixed various toolbar buttons DnD graphic issues
- Updated TLDs
New in NoScript for Firefox 11.0.31 RC1 (Jun 6, 2020)
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fixed very low contrast HTTPS-only label in High Contrast mode
- More precise DnD of toolbar buttons + work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=568313
New in NoScript for Firefox 11.0.30 (Jun 4, 2020)
- Discoverable option to force site-leaking UI in PBM/Incognito
- [L10n] Updated he
- Easier keyboard navigation of preset configuration
- Yellow-less UI palette
New in NoScript for Firefox 11.0.30 RC 1 (Jun 4, 2020)
- Discoverable option to force site-leaking UI in PBM/Incognito
- [L10n] Updated he
- Easier keyboard navigation of preset configuration
- Yellow-less UI palette
New in NoScript for Firefox 11.0.29 (Jun 2, 2020)
- Consistent focus appearance across desktop and mobile
- Fixed regression on Firefox 68 for Android: UI cannot be closed
New in NoScript for Firefox 11.0.28 (Jun 2, 2020)
- Don't enforce Incognito UI restrictions if the "Override
- Tor Browser Security Level preset" option is checked
- Incognito-aware permissions persistence and UI (https://trac.torproject.org/projects/tor/ticket/29957)
- Removed inline preset options relics
- Reset non-secure site matches to DEFAULT unless setting UNTRUSTED to avoid confusion on preset changes
- [A11y] Keyboard-based UI navigation
- Updated TLDs
- Work-around Gecko 77 cached CSP issues (thanks acat for https://trac.torproject.org/projects/tor/ticket/34305)
New in NoScript for Firefox 11.0.27 RC 6 (Jun 1, 2020)
- Don't enforce Incognito UI restrictions if the "Override
- Tor Browser Security Level preset" option is checked
- Enter key closes the popup also while editing the CUSTOM preset
- Incognito-aware permissions persistence and UI
- Removed inline preset options relics
New in NoScript for Firefox 11.0.27 RC 4 (May 31, 2020)
- Fixed first capability checkbox accidentally "clicked" when opening CUSTOM by space bar
- [A11y] Keyboard accelerators for toolbar buttons
New in NoScript for Firefox 11.0.27 RC 3 (May 31, 2020)
- Further keyboard UI accelerators
- Reset non-secure site matches to DEFAULT unless setting UNTRUSTED to avoid confusion on preset changes
New in NoScript for Firefox 11.0.27 RC 2 (May 31, 2020)
- [A11y] Keyboard-based UI navigation
- Updated TLDs
- Unspoofable browser version detection
New in NoScript for Firefox 11.0.27 RC 1 (May 28, 2020)
- Updated TLDs
- Work-around Gecko 77 cached CSP issues (thanks acat for reporting)
- Remove active preset hilight at least until keyboard navigation is fixed
New in NoScript for Firefox 11.0.26 (May 18, 2020)
- UI adjustments for better mobile experience (thanks BramPitoyo for suggestions)
- Updated HTML 5 events archive
- Updated TLDs
- Fixed hard reload needed after releasing restrictions (regression on FirefoBeta)
- Fixed 3rd party scripts blocking regression on FirefoTrunk due to XBL removal (thanks guardao for reporting)
- Fixed typo in unused yet code
New in NoScript for Firefox 11.0.26 RC2 (May 17, 2020)
- UI adjustments for better mobile experience
New in NoScript for Firefox 11.0.26 RC1 (May 16, 2020)
- Updated HTML 5 events archive
- Updated TLDs
- Fixed hard reload needed after releasing restrictions (regression on Firefox Beta)
- Fixed 3rd party scripts blocking regression on Firefox Trunk due to XBL removal (thanks guardao for reporting)
- Fixed typo in unused yet code
New in NoScript for Firefox 11.0.25 (Apr 21, 2020)
- [XSS] Fixed false positives and timeouts (thanks riaggren for report)
New in NoScript for Firefox 11.0.24 (Apr 16, 2020)
- Fixed SoundCloud login broken by NoScript being enabled
- [XSS] Updated HTML5 events
- Updated TLDs
New in NoScript for Firefox 11.0.23 (Mar 25, 2020)
- Updated TLDs
- Further refresh syntax parsing leniency (thanks insertscript)
New in NoScript for Firefox 11.0.22 (Mar 23, 2020)
- Updated TLDs
- [L10n] Updated he
- Uniform refresh url matching across HTTP and DOM checks
New in NoScript for Firefox 11.0.21 (Mar 21, 2020)
- Fixed URL matching regexp (thanks insertscript)
New in NoScript for Firefox 11.0.21 RC1 (Mar 21, 2020)
- Fixed URL matching regexp (thanks insertscript)
New in NoScript for Firefox 11.0.20 (Mar 21, 2020)
- More aggressive blocking for data: refresh attempts (thanks insertscript)
New in NoScript for Firefox 11.0.19 (Mar 19, 2020)
- Prevent ANY redirection to data: URIs in documents
New in NoScript for Firefox 11.0.19 RC1 (Mar 19, 2020)
- Prevent ANY redirection to data: URIs in documents
New in NoScript for Firefox 11.0.18 (Mar 17, 2020)
- Automated "Updated TLDs" commit
- Updated TLDs
- Apply "font-family: Inter" to the mobile stylesheet only
- Support synonims for "release"
New in NoScript for Firefox 11.0.18 RC 1 (Mar 16, 2020)
- Automated "Updated TLDs" commit
- Updated TLDs
- Apply "font-family: Inter" to the mobile stylesheet only
- Support synonyms for "release"
New in NoScript for Firefox 11.0.17 (Mar 14, 2020)
- Updated TLDs
- Force CSP inheritance for redirections to data: URIs on
- Gecko pre-69
- Added CSS reference to Inter font to improve UI look on
- Fenix
New in NoScript for Firefox 11.0.16 RC1 (Mar 14, 2020)
- Updated TLDs
- Force CSP inheritance for redirections to data: URIs on Gecko pre-69
- Added CSS reference to Inter font to improve UI look on Fenix
New in NoScript for Firefox 11.0.15 (Mar 3, 2020)
- Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen)
- [XSS] Prevent DOS detection from being triggered for already aborted requests (thanks barbaz)
- [L10n] Updated es and added bn
- [XSS] More accurate base64 checks on hash
- Updated TLDs
- Minor adjustments for Firefox Preview (Fenix) compatibility
- Refactored XSS filter into an asynchronous worker to better handle DOS attempts
- [XSS] Abort on InjectionChecker timeouts
- [XSS] Updated recognized HTML events
- Fixed autoreload after popup closing broken on Vivaldi
New in NoScript for Firefox 11.0.15 RC1 (Mar 2, 2020)
- Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen)
- [XSS] Prevent DOS detection from being triggered for already aborted requests (thanks barbaz)
New in NoScript for Firefox 11.0.14 RC1 (Mar 1, 2020)
- [L10n] Updated es and added bn
- [SS] More accurate base64 checks on hash
- Updated TLDs
- Minor adjustments for Firefo Preview (Feni)
- compatibility
- Refactored SS filter into an asynchronous worker to
- better handle DOS attempts
- [SS] Abort on InjectionChecker timeouts
- [SS] Updated recognized HTML events
- Fied autoreload after popup closing broken on Vivaldi
New in NoScript for Firefox 11.0.13 (Jan 29, 2020)
- [Chromium] Fix SyncMessage broken by feature-policyheaders
- Remove "application" manifest.json key from Chromium packages
New in NoScript for Firefox 11.0.13 RC1 (Jan 13, 2020)
- [Chromium] Fix SyncMessage broken by feature-policy headers
- Remove "application" manifest.json key from Chromiumpackages
New in NoScript for Firefox 11.0.12 (Jan 10, 2020)
- [L10n] Updated ru
- Unrestricted tab support for service workers and their
- Included 3rd party scripts
- Record document origins in TabStatus
- Support for reporting service workers and their imported
- Scripts in UI
- Cross-browser request properties normalization
- Updated TLDs
- Fixed initial requst URL lost across redirections
- Updated copyright statement
- Fixed settings export button broken on Vivaldi (issue
- #124)
- Fixed UNTRUSTED domains accidentally set in "match HTTPS
- Only" mode (issue #126)
New in NoScript for Firefox 11.0.12 RC2 (Jan 8, 2020)
- [L10n] Updated ru
- Unrestricted tab support for service workers and their included 3rd party scripts
- Record document origins in TabStatus
- Support for reporting service workers and their imported scripts in UI
- Cross-browser request properties normalization
- Updated TLDs
- Fixed initial requst URL lost across redirections
- Updated copyright statement
- Fixed settings export button broken on Vivaldi (issue #124)
New in NoScript for Firefox 11.0.12 RC1 (Dec 30, 2019)
- Fixed UNTRUSTED domains accidentally set in "match HTTPS only" mode (issue #126)
New in NoScript for Firefox 11.0.11 (Dec 30, 2019)
- [L10n] Updated da, de, fr, he, it, mk, nl, ru, sq, tr,
- Zh_TW
- Fixed UI not working on pages were sessionStorage is disabled
- Updated TLDs
- Added "ping" (beacon/ping) capability control
New in NoScript for Firefox 11.0.11 RC2 (Dec 29, 2019)
- [L10n] Updated da, de, fr, he, it, mk, nl, ru, sq, tr, zh_TW
- Fixed UI not working on pages were sessionStorage is disabled
New in NoScript for Firefox 11.0.11 RC1 (Dec 26, 2019)
- Updated TLDs
- Added "ping" (beacon/ping) capability control
New in NoScript for Firefox 11.0.10 (Dec 24, 2019)
- Order change in html5 events source
- Updated TLDs
- Removed unused "privacy" permission
- Fixed shortcut and context menu doing nothing unless BrowserAction icon is visible on Firefox (issue 58)
- [L10n] Updated de, fr, he, nl, tr
- Updated TLDs
- Fix minor typo regarding appearance redundancy (issue 61)
- Fixed scripts could not be enabled on file: SVG documents
New in NoScript for Firefox 11.0.10 RC1 (Nov 26, 2019)
- Updated TLDs
- Fixed scripts could not be enabled on file: SVG documents
New in NoScript for Firefox 11.0.9 (Nov 19, 2019)
- [Chromium] Prevent duplicated MSE placeholders (e.g. on Youtube)
- Fixed external scripts included in HEAD of file:// pages failing (issue #115)
- [XSS] Updated HTML 5 events inventory
- Best effort to make media placeholders visible and clickable
- Placeholders for MSE on Chromium too
- Use invalid IP rather than domain name to prevent offline status from breaking sync messaging in Chromium
- Removed empty exportFunction() Chromium shim
- Updated TLDs
New in NoScript for Firefox 11.0.8 / 5.1.9 (Nov 11, 2019)
- [L10n] Updated da, ja, lt, mk, nl
- Fixed onionSecure setting persistence issue (Tor ticket32362)
- Fixed CSP DOM injection breaking XML documents rendering
New in NoScript for Firefox 11.0.8 RC1 (Nov 7, 2019)
- [L10n] Updated da, ja, lt, mk, nl
- Fixed onionSecure setting persistence issue (Tor ticket 32362)
- Fixed CSP DOM injection breaking XML documents rendering
New in NoScript for Firefox 11.0.7 (Nov 5, 2019)
- Use fragments to reinsert and run previously blocked scripts
- Fetch policies asynchronously for about: and javascript: URLs
- Remove loop around XHR
New in NoScript for Firefox 11.0.6 (Nov 1, 2019)
- Compute the correct origin for the policy to be fetched from about:blank and javascript: URLs
- Work-around for Youtube video elements positioned off-display at replacement time
- Version numbers for Chromium dev builds compatible with Chromestore requirements
- Script blocking before policy is fetched only for synchronous loads
- Make tests not to run automatically on dev mode startup anymore
New in NoScript for Firefox 11.0.6 RC 2 (Nov 1, 2019)
- Script blocking before policy is fetched only for synchronous loads
New in NoScript for Firefox 11.0.4 RC 15 (Oct 28, 2019)
- [Tor] Treat .onion sites whose protocol is HTTP as if it was HTTPS
New in NoScript for Firefox 11.0.4 RC 14 (Oct 26, 2019)
- More precise and verbose fallbacks for policy retrieval timing issues
- Mobile] Blocked scripts count displayed in the browser action menu item
- Consolidated missing endpoint error detection in Messages
- Cleaner and tighter usage of SyncMessage to fetch policies
- Fixed bug in chunked storage causing shrunk items not to be retrieved correctly
- Use asyncrhonous messages to deliver SyncMessage payloads on Firefox
- More compatible Messages abstraction
- Progressive count of debug messages to better trace asynchronous execution
- [XSS] Fixed false positive (property assignment)
New in NoScript for Firefox 11.0.4 RC 13 (Oct 19, 2019)
- More robust SyncMessage implementation coping with XHR
- Suspension inconsistencies on Firefox
New in NoScript for Firefox 11.0.4 RC 12 (Oct 19, 2019)
- [L10n] Updated nl
- Policy fetching asynchronous only before initialization
- Support for safe asynchronous page loading without fallback reloads
- Fixed asynchronous onSyncMessage listeners support, on Chromium too
- Fixed typo causing initializing promise not being cached
- Avoid unnecessary page reloads on extension updates
- Fixed undefined variable error when in debugging mode
New in NoScript for Firefox 11.0.4 RC 11 (Oct 9, 2019)
- [Tor] Display .onion sites as "secure" in the UI (tickets #27313 and #27307)
- Fixed typo causing Chromium builds not to be created in the XPI directory
New in NoScript for Firefox 11.0.4 RC 10 (Oct 8, 2019)
- Support for splitting sync storage items into chunks, to allow synchronization of big policies across devices
- [L10n] Updated ca, nl
- Overwrite Chromium zip on reiterated builds
New in NoScript for Firefox 11.0.4 RC 9 (Oct 6, 2019)
- IPv4 subnet shortcut matching
New in NoScript for Firefox 11.0.4 RC 8 (Oct 5, 2019)
- Fallback to local storage for any item exceeding limits (fixes persistence problems on Chromium)
- Alternate version numbering for Chromium pre-releases
- [L10n] Updated nl
New in NoScript for Firefox 11.0.4 RC 7 (Oct 2, 2019)
- Prevent startup tabs from remaining stuck with about:blank
New in NoScript for Firefox 11.0.4 RC 3 (Oct 1, 2019)
- Make policy fetching resilient to missing tab information
- More verbose error logging while processing syncMessage listeners
- Fix CSP violation reporting management of "fake" blocked-uri like "eval"
- Leaner and faster SyncMessage shim tab id tracking hack for Firefox
New in NoScript for Firefox 11.0.4 RC 2 (Sep 29, 2019)
- Recursive webgl context monkeypatching across same origin windows (thanks skriptimaahinen for concept and patch)
- Replaced cookie-based hacks with synchronous messaging currently shimmed) to retrieve fallback and per-tab restriction policies
- Work-around for Chromium not supporting frameAncestors in webRequest
- Block CSP violation reports requests synchronously, before they fail on .invalid DNS resolution, on Chromium
New in NoScript for Firefox 11.0.4 RC 1 (Sep 27, 2019)
- [L10n] Updated Transifex-managed da, it, nl, ru, sv_SE
- [XSS] Updated HTML5 events
- Updated TLDs
- Fixed "Cascade top document restrictions" option not always applied to embedded elements (thanks barbaz for reporting)
- Removed XSS prompt for timeouts
New in NoScript for Firefox 11.0.3 (Aug 20, 2019)
- [Tor] Work-around for prompts being huge when resistFingerprinting is enabled
- [XSS] Fixed false positives due to overzealous HTML attribute checking
- [XSS] Enabled InjectionChecker logging when debugging mode is on
- Work-around for browser.i18n.getMessage() API in content scripts giving away browser's real locale (Tor issue #31287)
- Updated TLDs
- [L10n] Updated Transifex-managed he, is, nb, ru, sq, zh_TW
New in NoScript for Firefox 11.0.2 (Jul 26, 2019)
- Restored "classic" pasted HTML sanitization feature, Now triggered by drag'n'drop too (thanks barbaz for patch)
- Fixed bug in browser type detection by content scripts (thanks barbaz)
- Added "Collapse blocked objects" option in Blocked Objects prompt
- Fixed corner case when application/* content types should match "media" rather than "object" (thanks skriptimaahinen for reporting)
- Replacement clicks are now intercepted even if a conten placeholder is obstructed by an overlay
- More graceful handling of chrome: origins (thanks skriptimaahinen for reporting)
- CSP building optimizations
- Updated TLDs.
- [L10n] Updated Transifex-managed locales br, de, it, ms, nl, ru, tr, nb, sv_SE and zh_CN
New in NoScript for Firefox 11.0.2 RC 2 (Jul 25, 2019)
- Pdated TLDs.
- [L10n] Updated Transifex-managed locales br, de, it, ms, nl, ru, tr
- Fixed bug in browser type detection by content scripts (thanks barbaz)
- Fixed paste sanitization bugs and make it work on drag and drop too (thanks barbaz)
New in NoScript for Firefox 11.0 (Jul 10, 2019)
- [XSS] Fixed false positives with parameters named "src"
- Static click-to-play placeholders
- [L10n] New da, is, pl, sq, zh_TW Transifex-managed locales
- [L10n] Updated sv_SE Transifex-managed locale
New in NoScript for Firefox 11.0 RC (Jun 25, 2019)
- [SS] Fied false positives with parameters named "src"
- Static click-to-play placeholders
- [L10n] New da, is, pl, sq, zh_TW Transife-managed locales
- [L10n] Updated sv_SE Transife-managed locale
New in NoScript for Firefox 10.6.3 (Jun 17, 2019)
- Multiple fixes in embeddings replacement (thanks barbaz for reporting)
- Fixed [Import] settings button on Android
- [XSS] JSON reduction optimizations
- [XSS] XSS checks performance improvements play nicer with
- resistFingerprinting
- [XSS] Fully asynchronous InjectionChecker, prevents freezes on heavy payloads
- Skip page autoreloads on transitions between temporary and permanent presets of the same kind
- Updated TLDs
New in NoScript for Firefox 10.6.3 RC8 (Jun 16, 2019)
- Multiple fixes in embeddings replacement (thanks barbaz for reporting)
- Updated TLDs
New in NoScript for Firefox 10.6.3 RC7 (May 30, 2019)
New in NoScript for Firefox 10.6.3 RC6 (May 29, 2019)
- Fixed [Import] settings button on Android
New in NoScript for Firefox 10.6.3 RC5 (May 28, 2019)
- [XSS] JSON reduction optimizations
New in NoScript for Firefox 10.6.3 RC4 (May 28, 2019)
- [XSS] XSS checks performance improvements play nicer with resistFingerprinting
New in NoScript for Firefox 10.6.3 RC3 (May 27, 2019)
- Fully asynchronous InjectionChecker, prevents freeze on heavy payloads
New in NoScript for Firefox 10.6.2 (May 22, 2019)
- Removed work-around for https://bugzil.la/1532530 (now
- fixed and backported to the Tor Browser too)
- Fixed media.mediasource.enabled breakage (thanks
- skriptimaahinen for patch)
- Reference internal pages as absolute URLs for Chromium
- compatibility
- Updated TLDs
- [Locale] Updated Transifex-managed locales (es, ms, tr)
New in NoScript for Firefox 10.6.2 RC 1 (May 1, 2019)
- Fixed media.mediasource.enabled breakage (thanks skriptimaahinen for patch)
- Reference internal pages as absolute URLs for Chromium compatibility
- Updated TLDs
- [Locale] Updated Transifex-managed locales (es, ms, tr)
New in NoScript for Firefox 10.6.1 (Apr 11, 2019)
- Make RequestGuard's header processing synchronous as needed
- Fied inconsistencies handling browser-internal URLs
- Fied resetting options works just once per session
- (defaults reference current settings) - issue #69
- [Locale] Updated Transife-managed locales (de, fr, it, tr, nl)
New in NoScript for Firefox 10.6.1 RC1 (Apr 9, 2019)
- Make RequestGuard's header processing synchronous as needed
- Fied inconsistencies handling browser-internal URLs
- Fied resetting options works just once per session
- (defaults reference current settings) - issue #69
- [Locale] Updated Transife-managed locales (de, fr, it, tr, nl)
New in NoScript for Firefox 10.6 (Apr 8, 2019)
- Limit wrappedJSObject usages to compatible browsers
- [Chromium] Merged chromium branch (unified code base)
- [Locale] Updated Transifex-managed locales
- Updated TLDs
New in NoScript for Firefox 10.2.5 (Mar 25, 2019)
- x [XSS] Improved detection of privileged origins (fixes an
- about:tor to DuckDuckGo false positive)
New in NoScript for Firefox 10.2.4 (Mar 20, 2019)
- Improved prompts layout (thanks Ton for suggestion)
- Improved unscanned POST blocking
New in NoScript for Firefox 10.2.3 (Mar 20, 2019)
- Fixed POST searches from the url bar causing XSS warnings
- Fixed popup top buttons not visible in high contrast appearance mode (thanks pjaworski for reporting)
- Optimized popup layout initialization
New in NoScript for Firefox 10.2.3 RC3 (Mar 20, 2019)
- Updated Transifex-managed locales
New in NoScript for Firefox 10.2.2 (Mar 18, 2019)
- Cascading top document's restrictions to subdocuments is now
- An option in the General section and defaults to true on
- The Tor Browser only
- "Scan uploads for potential cross-site attacks" and "Ask
- Confirmation for cross-site POST requests which could not
- Be scanned" options: in Tor Browser default false and true,
- Respectively, as a work-around for mozbug 1532530
- [Tor] "Override Tor Browser Security Level preset" option
- [Tor] Selective handling of Tor Browser specific settings
- Updated TLDs
- [XSS] Updated event names
- Safer cookie-less check for unrestricted tabs from subdocs
- [Build] Easier version bumps to next rc (build.sh bump rcX)
- Fixed unrestricted tabs not affecting about:blank subframes
- (issue #48, thanks musonius for reporting)
- [XSS] Updated known HTML events lists
- [Locale] Added sv_SE (by Jonatan Nyberg)
New in NoScript for Firefox 10.2.2 RC4 (Mar 16, 2019)
- Cascading top document's restrictions to subdocuments is now an option in the General section and defaults to true on the Tor Browser only
New in NoScript for Firefox 10.2.2 RC3 (Mar 14, 2019)
- "Scan uploads for potential cross-site attacks" and "Ask confirmation for cross-site POST requests which could not be scanned" options: in Tor Browser default false and true respectively, as a work-around for mozbug 1532530
- [Tor] "Override Tor Browser Security Level preset" option
- [Tor] Selective handling of Tor Browser specific settings
- Updated TLDs
- [XSS] Updated event names
New in NoScript for Firefox 10.2.2 RC2 (Dec 27, 2018)
- Safer cookie-less check for unrestricted tabs from subdocs
- [Build] Easier version bumps to next rc (build.sh bump rcX)
New in NoScript for Firefox 10.2.2 RC1 (Dec 27, 2018)
- Cascade top document's restrictions to subframes (Tor issue #28873)
- Fixed restored media element from placeholder not loading previously blocked content automatically
- Fixed placeholders missing for some blocked embeddings (Tor ticket #28720)
New in NoScript for Firefox 10.2.1 (Dec 24, 2018)
- Cascade top document's restrictions to subframes (Tor Issue #28873)
- Fixed restored media element from placeholder not loading previously blocked content automatically
- Fixed placeholders missing for some blocked embeddings (Tor ticket #28720)
New in NoScript for Firefox 10.2.1 RC 3 (Dec 18, 2018)
- Cascade top document's restrictions to subframes (Tor issue #28873)
New in NoScript for Firefox 10.2.1 RC 2 (Dec 8, 2018)
- Fixed restored media element from placeholder not loading previously blocked content automatically
New in NoScript for Firefox 5.1.9 (Nov 26, 2018)
- Fixed automatic reload bug (thanks ThomasW and barbaz for reporting)
New in NoScript for Firefox 10.2.0 (Nov 26, 2018)
- [L10n] Updated fr, he
- Allow origin-less fetch for extensions (issue #41)
- Fixed meta refresh inside NOSCRIPT emulation breaking
- Firefox's built-in refresh blocking
- Fixed issue #35 "tabId is not defined" on startup
- Darker red badge background to ensure text is kept white
- across browsers
- </pre>
New in NoScript for Firefox 10.1.9.9 (Oct 16, 2018)
- Prevention of potential race condition in the new per-tab
- configuration cookie-based hack
- Better cross-platfrom build script compatibility
- Per-tab configuration cookie-based hack, leaves window.name alone
- Various build scripts fixes
New in NoScript for Firefox 10.1.9.9 RC2 (Oct 15, 2018)
- Prevention of potential race condition in the new per-tab configuration cookie-based hack
- Better cross-platfrom build script compatibility
New in NoScript for Firefox 10.1.9.8 (Oct 7, 2018)
- Fixed preset customization UI showing inherited DEFAULT
- permissions if a protocol-level preset exists
- Simplified CSP HTTP header injection, avoiding report-to
- until actually supported by browsers
- [L10n] Updated ru (thanks fatboy)
- [Tor] Better UX for overriding protocol-level permissions
- [Build] Option to force TLD updates
- [L10n] Updated (es, ru) and new (el, he, ms, nb) locales
- from OTF's Localization Lab Transifex project
- [L10n] no_BO translation by comradekingu
- FTP directory UI emulation on script-disabled domains
- Include ftp:// URLs in non-secure domain matching (thanks
- Rassilon for RFE)
New in NoScript for Firefox 10.1.9.7 RC2 (Oct 6, 2018)
- [Tor] Better UX for overriding protocol-level permissions
- [Build] Option to force TLD updates[L10n] Updated (es, ru) and new (el, he, ms, nb) locales from OTF's Localization Lab Transifex project[L10n] no_BO translation by comradekingu
New in NoScript for Firefox 5.1.9 RC1 (Oct 5, 2018)
- Fixed automatic reload bug (thanks ThomasW and barbaz for reporting)
New in NoScript for Firefox 10.1.9.7 RC1 (Sep 27, 2018)
- FTP directory UI emulation on script-disabled domains
- Include ftp:// URLs in non-secure domain matching (thanks Rassilon for RFE)
New in NoScript for Firefox 10.1.9.6 (Sep 14, 2018)
- [TB] Gracefully handle legacy external message recipients
- [XSS] Updated known HTML5 events
- Better IPV6 support
- UI support for protocol-only entries
New in NoScript for Firefox 10.1.9.6 RC2 (Sep 11, 2018)
New in NoScript for Firefox 5.1.8.7 (Sep 10, 2018)
- Security] Fixed script blocking bypass zero-day (thanksZerodium forunresponsible disclosure,
- [Surrogate] Fixed typo in 2mdn replacement (thansk barbaz)
- [XSS] Fixed InjectionChecker choking at some big JSON payloads sents as POST form data
- [XSS] In-depth protection against native ES6 modules abuse
- Fixed classic beta channel users being accidentally migrated to stable (thanks barbaz)
New in NoScript for Firefox 5.1.8.7 RC4 (Sep 10, 2018)
- Security] Fixed script blocking bypass zero-day (thanksZerodium forunresponsible disclosure,
- [Surrogate] Fixed typo in 2mdn replacement (thansk barbaz)
New in NoScript for Firefox 10.1.9.6 RC1 (Sep 10, 2018)
- [Surrogate] Fixed 2mdn surrogate compatibility issues (thanks barbaz)
New in NoScript for Firefox 10.1.9.5 (Sep 10, 2018)
- Fix for various content script timing related issues (thanks therube for reporting)
New in NoScript for Firefox 10.1.9.2 (Sep 9, 2018)
- More efficient window.name-based tab-scoped permissions
- persistence
- Fixed URL parsing bugs
- Fixed bug in requestKey generation
- [Build] Enhanced TLD data update subsystem
- [UI] CUSTOM presets gets initialized with currently applied
- preset, including temporary/permanent status
- Improved internal message dispatching, avoiding potential
- race conditions
- [L10n] Transifex integration
- Work-around for DOM-injected CSP not being honored when
- appended to the root element, rather than HEAD
- Transparent support for FQDNs
- Better file: protocol support
- Full-page placeholders for media/plugin documents
New in NoScript for Firefox 10.1.9.2 RC2 (Sep 5, 2018)
- [L10n] Transifex integration
- Work-around for DOM-injected CSP not being honored when appended to the root element, rather than HEAD
- Transparent support for FQDNs
- Better UI support for file:// URLs
New in NoScript for Firefox 10.1.9.2 RC1 (Sep 4, 2018)
- Better file: protocol support
- Full-page placeholders for media/plugin documents
New in NoScript for Firefox 10.1.9.1 (Aug 31, 2018)
- Fixed NOSCRIPT emulation not running in contexts where service workers are disabled, such as private windows (thanks Peter Wu for patch)
- [Build] Fixed TLD regexp generation broken by CRLF characters in input public suffix list
New in NoScript for Firefox 10.1.9 (Aug 30, 2018)
- Completely revamped CSP backend, enforcing policies both in webRequest and in the DOM
- Reload-less service worker busting
- Removed obsoleted failsafes, including forced reloads
- Better timing for popup UI feedback on permissions changes
- [Tor] Reordered startup sequence to better cooperate with embedders like the Tor Browser
- Send out a "started" message after initialization to help embedders (like the Tor browser) interact with NoScript
- [Build] Better support for versions bumps
- Updated TLDs
- [Build] Improved TLD auto-updater
New in NoScript for Firefox 10.1.9 RC6 (Aug 29, 2018)
- Fixed typo in restricted.js inclusion
New in NoScript for Firefox 10.1.9 RC2 (Aug 28, 2018)
- Send out a "started" message after initialization to help embedders (like the Tor browser) interact with NoScript
New in NoScript for Firefox 10.1.8.23 (Aug 27, 2018)
- Hotfix for reload loops before CSP management refactoring
New in NoScript for Firefox 10.1.8.20 (Aug 24, 2018)
- Fixed Sites.domainImplies() misplaced optimization.
- build.sh support for quick stable release
- [L10n] Added Catalan (ca)
New in NoScript for Firefox 10.1.8.17 RC7 (Aug 22, 2018)
- Fixed inconsistencies affecting ChildPolicies content script auto-generated matching rules.
- Fixed potential issues with cross-process messages
New in NoScript for Firefox 10.1.8.17 RC6 (Aug 21, 2018)
- Simpler and more reliable safety net to ensure CSP headers are injected last among WebExtensions
New in NoScript for Firefox 10.1.8.17 RC5 (Aug 19, 2018)
- Fixed regression causing refresh loops on pages which use type="object" requests to load images, css and other types
New in NoScript for Firefox 10.1.8.17 RC2 (Aug 6, 2018)
- Best effort to have webRequest.onHeaderReceived listener run last (issue #6, thanks kkapsner)
- [L10n] Localized "NoScript Options" title (thanks Diklabyte)
New in NoScript for Firefox 10.1.8.17 RC1 (Aug 5, 2018)
- Fixed inline scripts not being reported to UI (thanks skriptimaahinen for patch)
- Skip non-content windows when deferring startup page loads (thanks Rob Wu for reporting)
- Broader detection of UTF-8 encoding in responses (thanks Rob Wu for reporting)
- Improved support for debugging code removal in releases
- Fixed startup race condition with pending request tracking
- Fixed updating NoScript reloads tabs with revoked temporary permissions.
New in NoScript for Firefox 10.1.8.16 (Aug 2, 2018)
- Fixed random stallings on page transitions (thanks sage11, Brush and pbelleisle for reporting)
New in NoScript for Firefox 10.1.8.16 RC1 (Jul 30, 2018)
- Fixed random stallings on page transitions (thanks sage11, Brush and pbelleisle for reporting)
New in NoScript for Firefox 10.1.8.15 RC1 (Jul 30, 2018)
- Fixed browser action icon not bein updated on BF cache navigation (thanks therube for reporting)
New in NoScript for Firefox 10.1.8.13 RC1 (Jul 30, 2018)
- Fixed regression in NOSCRIPT elements emulation
New in NoScript for Firefox 10.1.8.11 RC1 (Jul 30, 2018)
- Fixed some video streams not playing anymore
New in NoScript for Firefox 10.1.8.10 RC1 (Jul 30, 2018)
- Fixed window.stop() being called on empty frames, causing WYSIWYG editors to break (thanks Dave Allen for reporting)
New in NoScript for Firefox 10.1.8.12 (Jul 28, 2018)
- Fixed some video streams not playing anymore.
New in NoScript for Firefox 10.1.8.10 (Jul 28, 2018)
- Fixed window.stop() being called on empty frames, causing WYSIWYG editors to break (thanks Dave Allen for reporting)
New in NoScript for Firefox 10.1.8.9 (Jul 27, 2018)
- Fixed externally handled resources opened in popups broken by dynamic script injection (thanks rpr and paulmcg for reporting)
- More edge case covered in dynamic script injection (thanks skriptimaahinen for reporting)
- Fixed some resource loading feedback glitches
- [XSS] Updated HTML event attributes matching
- Updated TLDs
- Fixed stalling embedded objects load on dynamic script injection (thanks therube for reporting)
- [L10n] Updated it (thanks Sebastiano Pistore)
- Work-around for serviceWorker loads bypassing webRequest(thanks therube for reporting)
- More flexible CSS layout for preset buttons (thanks fatboy)
- Improved edge case script disablement detection
- More reliable handling of edge cases on startup (thanks therube for reporting)
- Fixed dynamic script injection failing sometimes with "No matching message handler" error (thanks skriptimaahinen for reporting)
- [Tor Browser, Linux] Replaced unicode glyphs not being rendered on some browsers / platforms
- Prevent multiple canScript content messages during the same page load
- [Tor/ESR60] Removed useless work-around suggested in moz bug
- 1410755, which caused Tor Browser content process crashes
New in NoScript for Firefox 10.1.8.9 RC9 (Jul 27, 2018)
- Simpler and more solid handling of webgl inside documents embedded through object elements
New in NoScript for Firefox 10.1.8.9 RC7 (Jul 26, 2018)
- Fixed some resource loading feedback glitches
- [XSS] Updated HTML event attributes matching
- Updated TLDs
New in NoScript for Firefox 10.1.8.9 RC5 (Jul 25, 2018)
- Fixed infinite reload loops on scripting permissions mismatches.
New in NoScript for Firefox 10.1.8.9 RC4 (Jul 25, 2018)
- Work-around for serviceWorker loads bypassing webRequest (thanks therube for reporting)
- More flexible CSS layout for preset buttons (thanks fatboy)
- Improved edge case script disablement detection
New in NoScript for Firefox 10.1.8.9 RC3 (Jul 23, 2018)
- More reliable handling of edge cases on startup
- x Fixed dynamic script injection failing sometimes with
- "No matching message handler" error
New in NoScript for Firefox 10.1.8.9 RC2 (Jul 21, 2018)
- Fixed externally handled resources opened in popups broken by dynamic script injection (thanks rpr and paulmcg for reporting)
- [Tor Browser, Linux] Replaced unicode glyphs not being rendered on some browsers / platforms
- Prevent multiple canScript content messages during the same page load
New in NoScript for Firefox 10.1.8.9 RC1 (Jul 19, 2018)
- [TB64] Removed useless work-around suggested in moz bug 1410755, which caused Tor Browser content process crashes
New in NoScript for Firefox 10.1.8.8. RC1 (Jul 17, 2018)
- Prevent script injection from messing with content-disposition=attachment responses.
New in NoScript for Firefox 10.1.8.7 (Jul 17, 2018)
- Fixed regression breaking meta refresh with relative URLs
New in NoScript for Firefox 10.1.8.3 (Jul 16, 2018)
- [SS] Fied InjectionChecker choking at some big JSON payloads sents as POST form data
- Fixed meta-refresh emulation confused by quoted URLs [
- ESR60] Fied dynamic script injection issues with ML feeds (thanks skriptimaahinen for report)
- [ESR60] Work-around for Moz Bug 1410755
- Autosize preset buttons to accomodater bigger localized labels
- [L10n] Shortened de labels (thanks musonius)
- More graceful handling of internal and restricted URLs (thanks skriptimaahinen for report)
- [L10n] Added de, es, fr, it, nl, pt_BR and zh_CN locales (courtesy of Mozilla's localization campaign)
- Switch to inline elements as "NOSCRIPT" HTML replacements
- Fixed subframe content changes producing ambiguous NoScript icon feedback
- More meaningful/useful popup on (semi)privileged documents
- [Tor Browser] Work-around for crypto-based uiid function failing on startup
- [Tor Browser] Backported new dynamic script injection to ESR60
- Included license files in the PI
- [XSS] In-depth protection against native ES6 modules abuse
- Fied dynamic script injection issues (thanks skriptimaahinen for help)
- MSE media reporting and blocking (e.g. on Youtube)
New in NoScript for Firefox 5.1.8.7 RC3 (Jul 13, 2018)
- [XSS] Fixed InjectionChecker choking at some big JSON payloads sents as POST form data
New in NoScript for Firefox 10.1.8.3 RC11 (Jul 13, 2018)
- [XSS] Fixed InjectionChecker choking at some big JSON payloads sents as POST form data
- Fixed meta-refresh emulation confused by quoted URLs
- Fixed regression - popup first row not showing the active preset initially
- [ESR60] Fixed some edge cases still breaking feeds
New in NoScript for Firefox 5.1.8.7 RC2 (Jul 12, 2018)
- [XSS] In-depth protection against native ES6 modules abuse
New in NoScript for Firefox 5.1.8.6 (Jul 12, 2018)
- Fixed 2mdn surrogate compatibility issues (thanks barbaz)
New in NoScript for Firefox 10.1.8.3 RC10 (Jul 12, 2018)
- Fixed dynamic script injection issues with XML feeds (thanks skriptimaahinen for report)
- [ESR60] Work-around for Moz Bug 1410755
- Autosize preset buttons to accomodater bigger localized labels
- [L10n] Shortened de labels (thanks musonius)
New in NoScript for Firefox 10.1.8.3 RC9 (Jul 10, 2018)
- More specific exceptions for dynamic script injection (thanks skriptimaahinen for report)
- Shortened de labels (thanks musonius)
New in NoScript for Firefox 10.1.8.3 RC8 (Jul 9, 2018)
- More specific exceptions for dynamic script injection (thanks skriptimaahinen for report)
- More graceful handling of internal and restricted URLs (thanks skriptimaahinen for report)
- [L10n] Added de, es, fr, it, nl, pt_BR and zh_CN locales (courtesy of Mozilla's localization campaign)
- Custom "no-script" element as "NOSCRIPT" HTML replacement
- Fixed console.log breakage in content pages (thanks skriptimaahinen for report)
New in NoScript for Firefox 10.1.8.3 RC7 (Jul 7, 2018)
- Fixed various issues with dynamic script injection
- Fixed subframe content changes producing ambiguous NoScript icon feedback
- More meaningful/useful popup on (semi)privileged documents
New in NoScript for Firefox 10.1.8.3 RC6 (Jul 3, 2018)
- [Tor Browser] Work-around for crypto-based uiid function failing on startup
- [Tor Browser] Backported new dynamic script injection to ESR60
New in NoScript for Firefox 10.1.8.3 RC5 (Jul 3, 2018)
- Fixed dynamic script injection regression breaking images loaded as frame content (thanks Quest for report)
- Included license files in the XPI
New in NoScript for Firefox 10.1.8.3 RC4 (Jul 2, 2018)
- Tentative fix for content scripts asynchronous registration issues, take 3 (thanks skriptimaahinen for report)
New in NoScript for Firefox 10.1.8.3 RC2 (Jun 20, 2018)
- Tentative fix for content scripts asynchronous registration issues (thanks skriptimaahinen for report)
New in NoScript for Firefox 10.1.8.3 RC1 (Jun 19, 2018)
- MSE media reporting and blocking (e.g. on Youtube)
New in NoScript for Firefox 10.1.8.2 (May 30, 2018)
- Popup toolbar buttons fully configurable via Drag'n'Drop
- Removed redundant leading "NoScript" in window titles
- Work-around for Firefox 60 bug breaking about:blank pages
- When a WebExtension declares a "document_start" CSS (thanks
- Skriptimaahinen for report and fix)
- Fixed buttons in the "hide area" still responsive to clicks
New in NoScript for Firefox 10.1.8.2 RC3 (May 23, 2018)
- Work-around for Firefox 60 bug breaking about:blank pages when a WebExtension declares a "document_start" CSS
New in NoScript for Firefox 10.1.8.2 RC2 (May 5, 2018)
- More discoverable toolbar customization UI
- Fixed hidden buttons being persisted in reversed order
- Fixed buttons in the "hide area" still responsive to clicks
New in NoScript for Firefox 10.1.8.2 RC1 (May 4, 2018)
- Popup toolbar buttons fully configurable via Drag'n'Drop
New in NoScript for Firefox 10.1.81 (Apr 28, 2018)
- + [UI] "Disable restrictions for this tab" button in popup
- + [UI] "Disable restrictions globally" button in popup
- X Fixed some content blocking stats collection bugs (Thanks
- Rob Wu and skriptimaahinen for reports)
- X Fixed data: and blob: URIs could be loaded as object and
- Media sources independently from the parent page's
- Permissions (thanks skriptimaahinen for report)
- X Several performance improvement in inter-process content
- Blocking stats synchronization (thanks Rob Wu for report)
- X [UI] Improved in-popup messages
- X [UI] Simplified URL management in "Allow object" prompt
- X Fixed dynamic scripts URL matching inconsistencies
New in NoScript for Firefox 10.1.8.1 RC 4 (Apr 27, 2018)
- Fixed some content blocking stats collection bugs (Thanks Rob Wu and skriptimaahinen for reports)
New in NoScript for Firefox 10.1.8.1 RC 2 (Mar 27, 2018)
- [UI] Improved in-popup messages
- [UI] More consistent interactions between the bulk restrictions disablement features
New in NoScript for Firefox 10.1.8.1 RC 1 (Mar 26, 2018)
- [UI] "Disable restrictions for this tab" button in popup
- [UI] "Disable restrictions globally" button in popup
- [UI] Simplified URL management in "Allow object" prompt
- Fixed dynamic scripts URL matching inconsistencies
New in NoScript for Firefox 10.1.7.5 RC1 (Mar 23, 2018)
- Fixed edge case CSP injection bug
- Optimized dynamic script injection
- Fixed potential leak on dynamic script injection
- Now NoScript's UI on privileged pages explains permissions cannot be configured there, rather than bluntly opening the Options page
New in NoScript for Firefox 10.1.7.4 (Mar 22, 2018)
- Fixed script enablement status not correctly detected on some pages rolling their own CSP (causing NOSCRIPT element and META refresh emulation not to be triggered)
- Fixed "Appearance" NoScript Options tab missing on Android
- [XSS] Fixed semicolon-separated JSON payloads DDOSing the JSON-optimizer, e.g. with syndication.twitter.com subframes
- (thanks KonomiKitten and pal1000 for reports)
- [UI] Renamed "Scripts globally allowed (dangerous)" option to "No permissions enforcement (dangerous)" to better reflect its actual effect
- [UI] Better feedback about "No permission enforcement" by disabling the "Preset customization" section and and the "Per-site Permissions" tab
- [UI] Moved XSS-related options to the "Advanced" tab
- Fixed disabled webgl breaking feeds on script-enabled sites (thanks pal1000 for reporting)
- Enhanced dynamic script injection if browser.contentScripts API is available
- Expanded support for webgl canvas placeholders
New in NoScript for Firefox 10.1.7.4 RC3 (Mar 22, 2018)
- Fixed script enablement status not correctly detected on some pages rolling their own CSP (causing NOSCRIPT element and META refresh emulation not to be triggered)
New in NoScript for Firefox 10.1.7.4 RC2 (Mar 21, 2018)
- Fixed "Appearance" NoScript Options tab missing on Android
- [XSS] Fixed semicolon-separated JSON payloads DDOSing the JSON-optimizer, e.g. with syndication.twitter.com subframes
- [UI] Renamed "Scripts globally allowed (dangerous)" option to "No permissions enforcement (dangerous)" to better reflect its actual effect
- [UI] Better feedback about "No permission enforcement" by disabling the "Preset customization" section and and the "Per-site Permissions" tab
- [UI] Moved XSS-related options to the "Advanced" tab
New in NoScript for Firefox 10.1.7.4 RC1 (Mar 18, 2018)
- Fixed disabled webgl breaking feeds on script-enabled sites (thanks pal1000 for reporting)
- Enhanced dynamic script injection if browser.contentScripts API is available
- Expanded support for webgl canvas placeholders
New in NoScript for Firefox 10.1.7.3 (Mar 17, 2018)
- Fixed infinite script count report loops on some sites
- (thanks AuntyJack, @ALoss2 and others for reporting)
- Fixed localhost not being recognized as a domain (thanks
- Skriptimaahinen for patch)
- Fixed regression causing NOSCRIPT element and META refreshes
- Not to be emulated anymore on script-disabled pages (thanks
- Barbaz and fatboy for reporting)
New in NoScript for Firefox 10.1.7.2 (Mar 16, 2018)
- Fixed bug causing some pages and RSS feeds to fail without
- access to NoScript UI
New in NoScript for Firefox 10.1.7 (Mar 14, 2018)
- x "Needed type" feedback in Custom preset for data: and blob: fonts (thanks skriptimaahinen for report)
- Pressing DEL while left-mousing down on a fixed/absolutely positioned element of a script-disabled page removes it, allowing users to dismiss in-content popup "windows" and blocking overlays
- Fixed changing sites permission resets local preferences regression from 10.1.7rc1 (thanks pal1000 for report)
- Fixed data: and blob: fonts not blocked even if the "font"permission is not given to the main document (thanks skriptimaahinen for report and preliminary patch)
- "Appearance|List full addresses in the permissions popup" option, off by default, to simplify the popup UI
- "webgl" requirement feedback in CUSTOM permissions
- "webgl" placeholder wherever possible
- Activated beta channel updates from secure.informaction.com
- WebGL blocking now honored on scripted pages
- Quantum RC versions are hosted on secure.informaction.com from now on due to beta channel deprecation on AMO
New in NoScript for Firefox 10.1.7 RC 3 (Mar 13, 2018)
- Pressing DEL while on a fixed/absolutely positioned element of a script-disabled page removes it, allowing users to dismiss in-content popup "windows" and blocking overlays
- Fixed changing sites permission resets local preferences regression from 10.1.7rc1 (thanks pal1000 for report)
- Fixed data: and blob: fonts not blocked even if the "font" permission is not given to the main document (thanks skriptimaahinen for report and preliminary patch)
New in NoScript for Firefox 10.1.7 RC 2 (Mar 9, 2018)
- "Appearance>List full addresses in the permissions popup"
- option, off by default, to simplify the popup UI
- "webgl" requirement feedback in CUSTOM permissions
- "webgl" placeholder wherever possible
- Activated beta channel updates from secure.informaction.com
New in NoScript for Firefox 10.1.7 RC 1 (Mar 6, 2018)
- WebGL blocking now honored on scripted pages
- Quantum RC versions are hosted on secure.informaction.com from now on due to beta channel deprecation on AMO
New in NoScript for Firefox 10.1.6.6 RC 2 (Feb 17, 2018)
- Tab selection persistence on Options Page reloads
- Automatically close Options Page on popup UI permissions changes to avoid inconsistencies / unresponsiveness
- Fixed regression: per-sites permissions list not updated after addition (thanks bo elam for report)
New in NoScript for Firefox 10.1.6.6 RC 1 (Feb 16, 2018)
- Tabbed options sections
- Appearance option to turn off script count badge
- Appearance option to hide context menu item
- Fixed legacy import bug creating too permissive DEFAULT presets (thanks Grumpy Old Lady for reporting)
- Fixed 10.1.6.2 regression: enabling object placeholders affected DEFAULT permissions (thanks Pansa for reporting)
New in NoScript for Firefox 10.1.6.5 (Feb 9, 2018)
- Context menu on web pages to access main UI
- Fixed UI regression showing only the two rightmost
- components of IPv4 addresses
- [XSS] More specific and unobtrusive handling of window.name
- sanitization
- Fixed "XSS User Choices" not being included in Export files
New in NoScript for Firefox 10.1.6.5 RC 4 (Feb 7, 2018)
- Fixed race condition on XSS filter first load
- Fixed duplicate entries in UI on page reloads (thanks 8-bit for reporting)
- Spinner for long sites lists in Options page
- Removed obsolete work-around for accidental TRUSTED preset wiping
- [UI] Fixed clicking on capability's label doesn't toggle the related checkbox (thanks dhouwn and olf for reporting)
- [XSS] Fixed false positives on badly encoded URLs (thanks sage11 for reporting)
New in NoScript for Firefox 10.1.6.5 RC 3 (Feb 6, 2018)
- [XSS] Better ordering of window.name sanitization
New in NoScript for Firefox 10.1.6.5 RC 1 (Feb 5, 2018)
- Fixed "XSS User Choices" not being included in Export files
New in NoScript for Firefox 10.1.6.4 (Jan 29, 2018)
- Fixed race condition on XSS filter first load
- Fixed duplicate entries in UI on page reloads (thanks 8-bit for reporting)
- Spinner for long sites lists in Options page
- Removed obsolete work-around for accidental TRUSTED preset wiping
- [UI] Fixed clicking on capability's label doesn't toggle the related checkbox (thanks dhouwn and olf for reporting)
- [XSS] Fixed false positives on badly encoded URLs (thanks sage11 for reporting)
New in NoScript for Firefox 10.1.6.4 RC 4 (Jan 20, 2018)
- Fixed duplicate entries in UI on page reloads (thanks 8-bit for reporting)
- Spinner for long sites lists in Options page
New in NoScript for Firefox 10.1.6.4 RC 3 (Jan 18, 2018)
- Removed obsolete work-around for accidental TRUSTED preset wiping
New in NoScript for Firefox 10.1.6.4 RC 2 (Jan 15, 2018)
- Fixed clicking on capability's label doesn't toggle the related checkbox (thanks dhouwn and olf for reporting)
New in NoScript for Firefox 10.1.6.4 RC 1 (Jan 15, 2018)
- [XSS] Fixed false positives on badly encoded URLs
New in NoScript for Firefox 10.1.6.3 (Jan 10, 2018)
- Improved tooltip clarity
- Added version number to the browser action tooltip (thanks therube for RFE)
- More restrictive domain matching in the main UI for "fake"
- TLDs, showing pseudo 2nd level domains containing one dot
- Domain matching now treats unknown no-dot domains (not in the public suffixes list) as TLDs everywhere (fix finally not overwritten by auto-generated tld.js)
- Fixed rc4 regression causing synchronized changes not to be persisted
- Smarter XSS popup behavior when reporting concurrent events from/to the same origins
- Fixed full breakage when sync storage is disabled
- Improved layout on small screens (less than 10cm wide)
- Moved preset customization into its own (more discoverable) global Options section, rather than embedded in assignment
- Improved validation of manual entries
- Needed capabilities highlighted also on short-hand domain matched entries inside the CUSTOM preset
- Domain matching now works also for manually entered TLDs and pseudo-TLDs, such as "gov.us" or "cloudflare.net"
New in NoScript for Firefox 10.1.6.3 RC 6 (Jan 9, 2018)
- More restrictive domain matching in the main UI for "fake" TLDs, showing pseudo 2nd level domains containing one dot
New in NoScript for Firefox 10.1.6.3 RC 5 (Jan 9, 2018)
- Domain matching now treats unknown no-dot domains (not in the public suffixes list) as TLDs everywhere (fix finally not overwritten by auto-generated tld.js)
- Fixed rc4 regression causing synchronized changes not to be persisted
- Smarter XSS popup behavior when reporting concurrent events from/to the same origins
New in NoScript for Firefox 10.1.6.3 RC 4 (Jan 7, 2018)
- x Fixed full breakage when sync storage is disabled
New in NoScript for Firefox 10.1.6.3 RC 2 (Jan 5, 2018)
- Moved preset customization into its own (more discoverable) global Options section, rather than embedded in assignment
- Improved validation of manual entries
- Needed capabilities highlighted also on short-hand domain matched entries inside the CUSTOM preset
New in NoScript for Firefox 10.1.6.3 RC 1 (Jan 3, 2018)
- Domain matching now works also for manually entered TLDs and pseudo-TLDs, such as "gov.us" or "cloudflare.net"
New in NoScript for Firefox 10.1.6.2 (Dec 30, 2017)
- Individual temporary / permanent TRUSTED preset buttons
- Removed customizability of DEFAULT, TRUSTED and UNTRUSTED
- preset from the popup (reported as a major source of
- confusion) while keeping it in the Options tab
- Better display on mobile devices in portrait mode
- Fixed focus bug on mobile devices
- Fixed confirmation prompt when loading Site Info for the
- first time being ignored
- Fixed import feature failing on some full JSON "Classic"
- export files (thanks Floe for reporting)
- Fixed policy serialization bug causing temporary TRUSTED
- sites to be listed in the UNTRUSTED array as well (thanks
- pal1000 for reporting)
- Fixed action icon being disabled on Options tabs and not
- re-enabled when navigating away in the same tab (thanks
- geek99 for reporting)
New in NoScript for Firefox 10.1.6.2 RC2 (Dec 30, 2017)
- Better display on mobile devices in portrait mode
- Fixed focus bug on mobile devices
- Fixed confirmation prompt when loading Site Info for the
- first time being ignored
- Fixed import feature failing on some full JSON "Classic"
- export files (thanks Floe for reporting)
New in NoScript for Firefox 10.1.6.2 RC1 (Dec 29, 2017)
- Individual temporary / permanent TRUSTED preset buttons
- Removed customizability of DEFAULT, TRUSTED and UNTRUSTED preset from the popup (reported as a major source of confusion) while keeping it in the Options tab
- Fixed policy serialization bug causing temporary TRUSTED sites to be listed in the UNTRUSTED array as well (thanks pal1000 for reporting)
- Fixed action icon being disabled on Options tabs and not re-enabled when navigating way in the same tab (thanks geek99 for reporting)
New in NoScript for Firefox 10.1.6.1 (Dec 24, 2017)
- Reduced UI sizes in desktop version
- Work-around for Firefox bug preventing the Export button from working on non-Windows platforms
New in NoScript for Firefox 10.1.6.1 RC1 (Dec 21, 2017)
- Reduced UI sizes in desktop version
- Work-around for Firefox bug preventing the Export button from working on non-Windows platforms
New in NoScript for Firefox 10.1.6 (Dec 18, 2017)
- [XSS] Improved sensitivity of JSON whitelisting
- [XSS] Improved specificity of nested URL checks
- New configuration export implementation, more convoluted but not requiring the "downloads" permission
New in NoScript for Firefox 10.1.5.9 (Dec 17, 2017)
- Fixed some XSS false positives
- Fixed out of scale rendering regression on high DPI screens
New in NoScript for Firefox 10.1.5.8 (Dec 16, 2017)
- Fix for linux rendering performance issues
- First "Quantum" release candidate with Android support
- Inverted order of domains vs full sites in popup
New in NoScript for Firefox 10.1.5.8 RC 2 (Dec 15, 2017)
- First "Quantum" release candidate with Android support
New in NoScript for Firefox 10.1.5.8 RC 1 (Dec 12, 2017)
- Tentative fix for rendering and performance issues on Linux
- Inverted order of domains vs full sites in popup
New in NoScript for Firefox 10.1.5.7 (Dec 10, 2017)
- Settings import functionality, backward compatible with NoScript 5 formats
- Settings export functionality
- [XSS] The filter now automatically skips embedded documents which would normally be blocked
- Base domain matching now uses a single dot rule for unknown, private or "fake" TLDs (e.g. www.acme.corp → acme.corp)
- [XSS] Fixed regression from 10.1.5.6rc2
- Better feedback for errors in the policy's debug JSON view
New in NoScript for Firefox 10.1.5.7 RC 1 (Dec 9, 2017)
- x Better feedback for errors in the policy's debug JSON view
New in NoScript for Firefox 10.1.5.6 (Dec 9, 2017)
- removed yandex.st from default whitelist
- [XSS] Streamlined multiple unescaping standards handling
- [XSS] Generalized work-around for browser's URL parsing oddities (thanks Masato Kinugava for reporting)
- "Temporarily set top-level sites to TRUSTED" option
- [XSS] Fixed user choices forgot across browser sessions
New in NoScript for Firefox 10.1.5.6 RC5 (Dec 8, 2017)
- Removed work-around for http://bugzil.la/1387340 (causing misrenderings on zoomed pages)
- [XSS] Streamlined multiple unescaping standards handling
New in NoScript for Firefox 10.1.5.6 RC4 (Dec 8, 2017)
- [XSS] Generalized work-around for browser's URL parsing oddities (thanks Masato Kinugava for reporting)
New in NoScript for Firefox 10.1.5.6 RC3 (Dec 8, 2017)
- [XSS]Work-around for excessive leniency in URL attribute HTML parsing(thanks Masato Kinugava for reporting)
New in NoScript for Firefox 10.1.5.6 RC2 (Dec 7, 2017)
- "Temporarily set top-level sites to TRUSTED" option
- [XSS] Fixed user choices forgot across browser sessions
New in NoScript for Firefox 10.1.5.6 RC1 (Dec 5, 2017)
- [XSS] Better fix for 2nd level interactive bypass (thanks Masato Kinugava for reporting)
New in NoScript for Firefox 10.1.5.5 (Dec 5, 2017)
- [UI] Clicking on the domain label now opens the "Security
- and privacy info" webpage (like middle click on "Classic").
- + "Reset to Defaults" button in the options window
- Improved content script initialization logic (thanks Rob Wu
- for suggestions)
- [XSS] Fixed 2nd level interactive bypass (thanks Masato
- Kinugava for reporting)
New in NoScript for Firefox 10.1.5.4 RC 1 (Dec 3, 2017)
- Fixed sites manually added from the Options textbox don't stick (thanks Just_Golem for reporting)
New in NoScript for Firefox 10.1.5.3 (Dec 3, 2017)
- Fixed regression causing NoScript to ask to reload pages in order to show permissions more than once upon installationRemoved most animations causing older system to lag when large permissions lists are displayed in Options
New in NoScript for Firefox 10.1.4 (Dec 1, 2017)
- Fixed script enablement feedback dependant on page's own CSP
- Fixed MSE detection injection using window.eval
- Fixed window being resized and NoScript UI shown in a separate popup when triggered on a maximized window
- General performance improvement by removing unnecessary asynchronous webRequest listeners
New in NoScript for Firefox 10.1.3 (Nov 30, 2017)
- Hotfix for wiped TRUSTED permissions
- Hotfix for NoScript failing to load if XSS was disabled in previous session
New in NoScript for Firefox 10.1.3c3 (Nov 30, 2017)
- Fixed immutable permissions for TRUSTED and UNTRUSTED presets negating all the others (thanks Stefan Scholl for reporting)
- Work-around for Moz Bug #1402110 (thanks David Ross for reporting)
- Fixed XSS whitelist not being cleared from Options
- Fixed XSS whitelist trying to using sync even if disabled (
- thanks Rob Wu for reporting)
New in NoScript for Firefox 10.1.3c1 (Nov 30, 2017)
- Work-around for Firefox not displaying NOSCRIPT elements on pages where scripts are blocked by CSP
- The Alt+Shift+N shortcut now opens the NoScript UI also on windows with no toolbars containing NoScript's icon
- "unsafe" (non-HTTPS) matching is now automatically selected on non-HTTPS pages (fixes the perception that you set a site to TRUSTED and it reverted to DEFAULT)
- Full addresses are shown again to be choosen in UI, together with base domains
- Better auto-reload logic
- Fixed NoScript back-end to work also if sync storage is disabled (thanks Rob Wu for reporting)
- Fixed potential fingerprinting through placeholder icon (thanks Rob Wu for reporting)
New in NoScript for Firefox 10.1.2 (Nov 23, 2017)
- Added "Revoke temporary permissions" button
- Added "Temporarily allow all this page" button
- Simplified popup listing, showing base domains only (full origin URLs can still be entered in the Options window to further tweak permissions)
- Fixed UI not launching in Incognito mode
- Fixed changing permissions in the CUSTOM preset affecting the DEFAULT permissions sometimes
- Fixed UI almost unusable in High Contrast mode
- Fixed live bookmark feeds blocked if "fetch" permissions were not given
- Fixed background requests from other WebExtensions being blocked
New in NoScript for Firefox 10.1.1 (Nov 21, 2017)
- First pure WebExtension release
- CSP-based first-party script script blocking
- Active content blocking with DEFAULT, TRUSTED, UNTRUSTED and CUSTOM (per site) presets
- Extremely responsive XSS filter leveraging the asynchronous webRequest API
- On-the-fly cross-site requests whitelisting
New in NoScript for Firefox 10.1.1 RC 99 (Nov 21, 2017)
- First pure WebExtension release
- CSP-based first-party script script blocking
- Active content blocking with DEFAULT, TRUSTED, UNTRUSTED and CUSTOM (per site) presets
- Extremely responsive XSS filter leveraging the asynchronous webRequest API
- On-the-fly cross-site requests whitelisting
New in NoScript for Firefox 5.1.7 RC 1 (Nov 17, 2017)
- [Surrogate] Fixed regression breaking source matching in 5.1.6
New in NoScript for Firefox 5.1.6 RC 1 (Nov 17, 2017)
- [Fx58] Fixed complete breakage due to nsIPrefBranch changes in 58 (for Firefox Developer Edition users)
New in NoScript for Firefox 5.1.5 (Nov 8, 2017)
- Fixed content process cross-framescript leak
- [ESR] Fixed bookmarklets not being executed
New in NoScript for Firefox 5.1.5 RC 1 (Nov 7, 2017)
- [ESR] Fixed bookmarklets not being executed
New in NoScript for Firefox 5.1.4 RC 1 (Oct 25, 2017)
- Fixed bookmarlets broken when scripts globally allowed
- [Tor Browser] Fixed jumping icon on updates (ticket #23968)
- [Surrogate] Better sandbox memory management
- Removed special Add-ons manager uninstall warning hooks
New in NoScript for Firefox 5.1.3 (Oct 23, 2017)
- [e10s] Fixed some bookmarklet / URL bar JavaScript emulation multi-process regressions
- [Palemoon] Fixed NoScript button position not customizableon the first window (thanks yes_noscript for reporting)
- Fixed bookmarklet execution subject to AllowURLBarJS too
- Fixed Palemoon urlbar breakage on browser restart
- [Whitelist] about:tabcrashed made mandatory (internal)
New in NoScript for Firefox 5.1.3 RC 3 (Oct 23, 2017)
- [e10s] Fixed some bookmarklet / URL bar JavaScript emulation multi-process regressions
- [Palemoon] Fixed NoScript button position not customizable on the first window (thanks yes_noscript for reporting)
New in NoScript for Firefox 5.1.3 RC 2 (Oct 18, 2017)
- Fixed bookmarklet execution subject to AllowURLBarJS too
New in NoScript for Firefox 5.1.3 RC 2 (Oct 18, 2017)
- Fixed bookmarklet execution subject to AllowURLBarJS too
New in NoScript for Firefox 5.1.3 RC 1 (Oct 16, 2017)
- Fixed Palemoon urlbar breakage on browser restart
- [Whitelist] about:tabcrashed made mandatory (internal)
New in NoScript for Firefox 5.1.2 (Oct 13, 2017)
- Fixed allowing scripts on one tab blocking them in other (torproject.org issue #23747)
- Fixed startup sequence
- [Whitelist] about:tabcrashed added to default whitelist
- Added unlimitedStorage WebExtensions permissions for safer preferences migration
- Fixed some restartless lifecycle quirks
- Fixed toolbar button position changes across upgrades
- Fixed NoScript release notes page shown upon restartless updates, rather than on next restart
- Fixed Tor Browser's extension preference overrides ignored by NoScript
- Fixed status bar not recognized on some browsers still supporting it
- Work-around for the Tor Browser preventing NoScript from resolving its own UI's XML entities
New in NoScript for Firefox 5.1.1 (Oct 1, 2017)
- Fixed regression breaking webworkers (e.g. on Protonmail)
New in NoScript for Firefox 5.1.0 (Sep 30, 2017)
- Fixed placeholders not shown in Fx 57 and above
- [WebExtension] Reduced legacy settings backup size
- [Nightly] Work-around for nsIDOMHTML* interfaces removal
- Restartless (bootstrapped) desktop version, and most likely the last hybrid (embedded WebExtension) before the pure WebExtension release
New in NoScript for Firefox 5.1.0 RC 3 (Sep 29, 2017)
- [Seamonkey] Fixed status icon regression
- Fixed placeholders not shown in Fx 57 and above
- Fixed various restartless lifecycle issues
- [WebExtension] Reduced legacy settings backup size
New in NoScript for Firefox 5.1.0 RC 2 (Sep 29, 2017)
- Work-around for nsIDOMHTML* interfaces removal
New in NoScript for Firefox 5.1.0 RC 1 (Sep 27, 2017)
- Restartless (bootstrapped) desktop version, and most likely the last hybrid (embedded WebExtension) before the pure WebExtension release
New in NoScript for Firefox 5.0.10 (Sep 12, 2017)
- Fixed some moz-webextension: subrequests blocked in content
- blocking mode
- Removed whitelist and surrogate references to persona.org
- [Seamonkey] Fixed status bar visibility regression
- [Nightly] Fixed various XSS filter UI breakages
- [Nightly] Patched deprecated usages of nsIURI.path
- [XSS] Fixed false positive on amazonaws.com
- [Surrogate] New ampush.io tracker surrogate
New in NoScript for Firefox 5.0.9 (Aug 22, 2017)
- [WebExt] Make sure the embedded WebExtension cannot interfere with the legacy side beside preference migration
- [Nightly] Fixed breakage from bug 1390106
- [Nightly] Work-around for HTMLEmbedElement removal
- [Nightly] Fixed first run UI visibility check
- [XSS] Work-around for Google notifications false positive
- [Nightly] Fixed startup breakage
- [Surrogates] Fixed noisy google-analytics replacement
- [Nightly] Fixed view-source: breakage
New in NoScript for Firefox 5.0.8.1 (Jul 31, 2017)
- [ABE] XHR matches both TYPE_XMLHTTPREQUEST and TYPE_FETCH
- [ABE] Updated INCLUSION types to match newest specific types from nsIContentType constants. OTHER still matches any type except "historically supported" ones (SCRIPT, CSS, IMAGE, OBJ, OBJSUB, MEDIA, FONT, SUBDOC, XBL, PING, XHR, DTD) for backward compatibility: please use UNKNOWN to match just TYPE_OTHER (i.e. request whose type is not specifically mapped yet by the nsIContentType API).
- [e10s] Fixed INCLUSION type marked as OTHER for any request when Electrolysis is enabled
- [XSS] Fixed excessive recursion causing GC-related hangs on some ads-intensive websites (like der-postillion.de)
New in NoScript for Firefox 5.0.8.1 RC 1 (Jul 28, 2017)
- [Surrogate] Fixed google-analytics replacement regression
New in NoScript for Firefox 5.0.8 RC6 (Jul 28, 2017)
- [ABE] Fixed regression: OTHER should not match MEDIA and FONT (thanks barbaz for reporting)
New in NoScript for Firefox 5.0.8 RC5 (Jul 27, 2017)
- Fixed regression: OTHER matching scripts, too (thanks barbaz for reporting)
New in NoScript for Firefox 5.0.8 RC4 (Jul 27, 2017)
- [ABE] Fixed regression: HTTP methods HEAD, OPTIONS and TRACE were not matched by ABE's parser grammar anymore
- [ABE] OTHER now matches any type not mapped by the "static" ABE request types (including newest nsIContentPolicy.TYPE_* constants), while UNKNOWN matches just TYPE_OTHER
- [ABE] XHR matches both TYPE_XMLHTTPREQUEST and TYPE_FETCH
New in NoScript for Firefox 5.0.8 RC3 (Jul 26, 2017)
- [ABE] Updated INCLUSION types to match newest specific types from nsIContentType constants. OTHER still matches TYPE_WEBSOCKET for backward compatibility, please use UNKNOWN for anything not specifically mapped yet by the nsIContentType API. Thanks barbaz for reporting.
New in NoScript for Firefox 5.0.8 RC2 (Jul 26, 2017)
- [e10s] Fixed INCLUSION type marked as OTHER for any request when Electrolysis is enabled (thanks barbaz for reporting)
New in NoScript for Firefox 5.0.8 RC1 (Jul 25, 2017)
- [XSS] Fixed excessive recursion causing GC-related hangs on some ads-intensive websites (like der-postillion.de)
New in NoScript for Firefox 5.0.7.1 (Jul 25, 2017)
- [WebExt] Fixed incompatibility with Firefox 54
- [WebExt] Initiated preference migration via embedded
- WebExtension
- [e10s] Fixed HTTP redirection issues with e10s enabled
- (thanks PLD for reporting)
- [Surrogate] Updated googletag replacement (thanks barbaz)
- Fixed HTML5 Media documents blockage delay if no other
- embedded content is forbidden (thanks Georg Koppen for
- reporting)
- [XSS] Fixed bug causing false positives (thanks Georg
- Koppen for reporting)
New in NoScript for Firefox 5.0.7.1 RC1 (Jul 24, 2017)
- [WebExt] Fixed incompatibility with Firefox 54
New in NoScript for Firefox 5.0.7 RC2 (Jul 22, 2017)
- [e10s] Fixed HTTP redirection issues with e10s enabled (thanks PLD for reporting)
- [Surrogate] Updated googletag replacement (thanks barbaz)
- Fixed HTML5 Media documents blockage delay if no other embedded content is forbidden (thanks Georg Koppen for reporting)
New in NoScript for Firefox 5.0.7 RC1 (Jul 11, 2017)
- [XSS] Fixed bug causing false positives (thanks Georg Koppen for reporting)
New in NoScript for Firefox 5.0.6 (Jul 3, 2017)
- [Surrogates] Updated ga replacement
New in NoScript for Firefox 5.0.6 RC 5 (Jun 30, 2017)
- [XSS] Fixed performance regression in handling of big JSON payloads causing the browser to freeze on loading pages with Facebook tracking subframes
- [Surrogates] Updated ga replacement (thanks barbaz)
- [L10n] Updated tr (thanks Volkan Gezer)
- [L10n] Updated de (thanks milupo)
New in NoScript for Firefox 5.0.6 RC 4 (May 31, 2017)
- Fixed regression in Mavo expression detection
New in NoScript for Firefox 5.0.6 RC 3 (May 31, 2017)
- Fixed regression in Mavo expression detection
New in NoScript for Firefox 5.0.6 RC 2 (May 31, 2017)
- Fixed regression in window.name sanitization
New in NoScript for Firefox 5.0.6 RC 1 (May 30, 2017)
- [XSS] Work-around for Mavo-script operator translation side effects (thanks Gareth Heyes for reporting)
New in NoScript for Firefox 5.0.5 (May 30, 2017)
- Updated XSS filter with latest Gecko Atoms and ES features (thanks Maxim Rupp for reporting)
- Added countermeasures against XSS vectors exploiting Mavo-script template expressions (thanks Krzysztof Kotowicz and Gareth Heyes for reporting)
New in NoScript for Firefox 5.0.5 RC 12 (May 27, 2017)
- Fixed reported origins ordering glitch
New in NoScript for Firefox 5.0.5 RC 11 (May 27, 2017)
- [XSS] Fixed regression in Mavo-script detection (thanks Gareth Heyes for reporting)
New in NoScript for Firefox 5.0.5 RC 10 (May 26, 2017)
- Brutal crackdown on Mavo-script expressions
New in NoScript for Firefox 5.0.5 RC 9 (May 25, 2017)
- Improved handling of Mavo-script translation edge cases
New in NoScript for Firefox 5.0.5 RC 8 (May 24, 2017)
- [XSS] More aggressive filter against Mavo-script madness
New in NoScript for Firefox 5.0.5 RC 7 (May 24, 2017)
- [XSS] Fixed bug in Mavo-script countermeasures
New in NoScript for Firefox 5.0.5 RC 6 (May 24, 2017)
- [XSS] Further countermeasures against more Mavo-script
New in NoScript for Firefox 5.0.5 RC 5 (May 24, 2017)
- Fixed UI synchronization regression take 2
New in NoScript for Firefox 5.0.5 RC 4 (May 24, 2017)
- Fixed UI synchronization regression
New in NoScript for Firefox 5.0.5 RC 3 (May 24, 2017)
- [XSS] Further countermeasures against Mavo-script madness
New in NoScript for Firefox 5.0.4 (May 11, 2017)
- [XSS] Added countermeasures against several vectors exploiting client-side JavaScript templating frameworks
- [XSS] Fixed e10s-related regression in window.name sanitization
- Fixed "Allow local links" breaking file:/// URL loading inGecko 53 and above
- Fixed JSON viewer working only on JavaScript-enabled URLs
New in NoScript for Firefox 5.0.3 RC 3 (May 11, 2017)
- [XSS] Added countermeasures against several vectors exploiting client-side JavaScript templating frameworks
New in NoScript for Firefox 5.0.4 RC 2 (May 7, 2017)
- [XSS] Fixed e10s-related regression in window.name sanitization
New in NoScript for Firefox 5.0.4 RC 1 (Apr 26, 2017)
- Fixed "Allow local links" breaking file:/// URL loading in Gecko 53 and above
- Fixed JSON viewer working only on JavaScript-enabled URLs
New in NoScript for Firefox 5.0.3 (Apr 23, 2017)
- Fied global JavaScript enablement for HTTPS sites breaking
- the UI (Tor ticket #21923)
- noscript.webet.enabled preference to control embedded
- WebEtension startup
- Fied HR regression (thanks Oleksandr Popov for reporting)
- Fied compatibility issues with some WebEtensions (thanks Oleksandr Popov for reporting)
New in NoScript for Firefox 5.0.3 RC 5 (Apr 18, 2017)
- Fixed global JavaScript enablement for HTTPS sites breaking the UI (Tor ticket #21923)
New in NoScript for Firefox 5.0.3 RC 4 (Mar 30, 2017)
- Adjusted the embedded WebExtension's manifest to reflect the target version upon whole userbase migration
New in NoScript for Firefox 5.0.3 RC 3 (Mar 29, 2017)
- Fixed thumbnails broken even if noscript.bgThumbs.allowed is true
New in NoScript for Firefox 5.0.3 RC 2 (Mar 20, 2017)
New in NoScript for Firefox 5.0.2 (Mar 17, 2017)
- Fixed thumbnails broken even if noscript.bgThumbs.allowed is true
- [e10s] Restored absolutely positioned elements removal by mousedown + DEL key (broken by e10s)
- Absolutely positioned elements removal by mousedown + DEL key now working also on whitelisted pages (controlled by noscript.eraseFloatingElements about:config preference
- Fixed blocked XHR requests in frames not reflected in the menu UI
- [Locale] Improved nl translation (thanks Kris)
New in NoScript for Firefox 5.0.2 RC 3 (Mar 17, 2017)
- Fixed thumbnails broken even if noscript.bgThumbs.allowed is true (thanks rick for reporting)
New in NoScript for Firefox 5.0.2 RC 2 (Mar 16, 2017)
- [e10s] Restored absolutely positioned elements removal by mousedown + DEL key (broken by e10s)
- Absolutely positioned elements removal by mousedown + DEL key now working also on whitelisted pages (controlled by noscript.eraseFloatingElements about:config preference)
New in NoScript for Firefox 5.0.2 RC 1 (Mar 15, 2017)
- Fixed blocked XHR requests in frames not reflected in the menu UI (thanks aocab and barbaz for reporting)
- [Locale] Improved nl translation (thanks Kris)
New in NoScript for Firefox 5.0.1 (Mar 8, 2017)
- Fixed regression, some sites not being shown in UI
- Fixed recently blocked menu not working on e10s
New in NoScript for Firefox 5.0 (Mar 5, 2017)
- Embedded WebExtension
- Dramatically Improved UI synchronization performance impact on load-intensive web pages
- [e10s] Fixed permissions out of sync when content processes are more than one
- [Surrogates] Update google-analytics replacement
New in NoScript for Firefox 5.0 RC 2 (Feb 13, 2017)
- Dramatically Improved UI synchronization performance impact on load-intensive web pages
New in NoScript for Firefox 5.0 RC 1 (Jan 30, 2017)
- Embedded WebExtension
- [e10s] Fixed permissions out of sync when content processes are more than one
- [Surrogates] Update google-analytics replacement
New in NoScript for Firefox 2.9.5.3 RC 6 (Jan 18, 2017)
- Fixed https://trac.torproject.org/projects/tor/ticket/20471
- Fixed FRAME blocking issue on non-e10s browsers
New in NoScript for Firefox 2.9.5.3 RC 5 (Jan 17, 2017)
- Fixed incompaitibility with LastPass non-AMO version 4.x
New in NoScript for Firefox 2.9.5.3 RC 4 (Jan 16, 2017)
- Fixed ABE sandbox overly restrictive on Gecko 50 and above
New in NoScript for Firefox 2.9.5.3 RC 3 (Jan 16, 2017)
- Fixed UI synchronization issue (thanks Klayton for report)
New in NoScript for Firefox 2.9.5.3 RC 2 (Jan 16, 2017)
- Fixed browsers older than Gecko 50 unaffected by ABE's sandbox action (thanks barbaz for reporting)
- Fixed cross-domain HTTPS requests in the same subdomain triggering XSS false positives (thanks Robert Aldridge for reporting)
New in NoScript for Firefox 2.9.5.3 RC 1 (Jan 16, 2017)
- ABE sandbox now enforced by CSP sandbox directive
- Fixed sites marked as untrusted could not be reallowed on the same tab
- removed obsolete noscript.docShellJSBlocking preference
New in NoScript for Firefox 2.9.5.2 RC 5 (Nov 29, 2016)
- Fixed Stylish editor breakage
New in NoScript for Firefox 2.9.5.2 RC 4 (Nov 28, 2016)
- Fixed media blocking delayed with Tor Browser's "Medium" Security Sider preset
New in NoScript for Firefox 2.9.5.2 RC 3 (Nov 28, 2016)
- Fixed frame blocking issues
- Fixed top-level media loads issues
New in NoScript for Firefox 2.9.5.2 RC 2 (Nov 28, 2016)
- Fixed apparent delay in menu UI feedback
- Further XSS positives tweakings
New in NoScript for Firefox 2.9.5.2 RC 1 (Nov 25, 2016)
- Fixed some XSS filter over-sensitivity regressions
- Fixed "Allow local links" causing file:// URLs to fail
- [Locale] Updated nl (thanks Ton)
New in NoScript for Firefox 2.9.5.1 (Nov 23, 2016)
- Fixed some pages not loading on 1st attempt when e10s is enabled (thanks Semtex for reporting)
New in NoScript for Firefox 2.9.5 (Nov 23, 2016)
- Full e10s compatibility
- Fied big whitelists being reset to default permissions on e10s-enabled browsers (thanks sabret00the and Internet User for reporting)
- Better fi for some embedding permissions issues
- MediaSource blocking support
- Better handling of media types loaded as top-level documents
- Declared (but untested) Palemoon support
- [System Principal] included in the mandatory allowed list
- Fied allow scripts globally requiring a restart (thanks FFreestyleRR for reporting
- Fied embeddings autoreload on e10s-disabled browsers
- Improved autoreload responsiveness and precision
- Fied IFrame over-blocking bug
- Fied sites involved in background requests being not reported in the UI, even if intercepted and/or blocked
- Fied typo in PasteHandler
- Fied embedding-related automatic reload issues
- Fied compatibility regression with Firefo 45
- [Surrogate] Fied file:// replacements broken
- Fied typo in SS filter breaking JSON cross-site requests
- Fied automatic reload issues
- Fied UI not always synchronized on startup
- Fied incompatibilities with older Firefo down to 45
- Fied automatic reload impossible to be disabled
- Fied UI initially not synced on new windows
- Fied bug in secure cookie enforcement upgrading all the unsecure cookies on secure connections even if a secure cookie for the domain eisted, increasing chances of incompatibilities
- Fied escaping issues in the noscript.js preference file
New in NoScript for Firefox 2.9.5.1 RC 1 (Nov 22, 2016)
- Fixed some pages not loading on 1st attempt when e10s is enabled
New in NoScript for Firefox 2.9.5 RC 35 (Nov 21, 2016)
- Better fix for some embedding permissions issues
- MediaSource blocking support
- Better handling of media types loaded as top-level documents
- Declared (but untested) Palemoon support
New in NoScript for Firefox 2.9.5 RC 33 (Nov 18, 2016)
- [System Principal] included in the mandatory allowed list
- Partial fix for some embedding permissions issues (barbaz)
- TODO: MediaSource blocking support (Tor Project)
New in NoScript for Firefox 2.9.5 RC 32 (Nov 16, 2016)
- Fixed allow scripts globally requiring a restart
- TODO: Fix top level embedding issues
- TODO: MediaSource blocking support
New in NoScript for Firefox 2.9.5 RC 31 (Nov 16, 2016)
- Fixed embeddings autoreload on e10s-disabled browsers
- TODO: MediaSource blocking support
New in NoScript for Firefox 2.9.5 RC 30 (Nov 16, 2016)
- Improved autoreload responsiveness and precision
- Fixed IFrame over-blocking bug
New in NoScript for Firefox 2.9.5 RC 29 (Nov 16, 2016)
- Fixed sites involved in background requests being not reported in the UI, even if intercepted and/or blocked
- Fixed typo in PasteHandler
New in NoScript for Firefox 2.9.5 RC 28 (Nov 16, 2016)
- Fixed embedding-related automatic reload issues
New in NoScript for Firefox 2.9.5 RC 27 (Nov 16, 2016)
- Fixed compatibility regression with Firefox 45
New in NoScript for Firefox 2.9.5 RC 26 (Nov 15, 2016)
- [Surrogate] Fixed file:// replacements broken
- TODO: MediaSource blocking support
New in NoScript for Firefox 2.9.5 RC 25 (Nov 15, 2016)
- Fixed typo in XSS filter breaking JSON cross-site requests
New in NoScript for Firefox 2.9.5 RC 24 (Nov 15, 2016)
- Fixed automatic reload issues (thanks GH113 for reporting)
New in NoScript for Firefox 2.9.5 RC 23 (Nov 14, 2016)
- Fixed UI not always synchronized on startup
- Fixed incompatibilities with older Firefox down to 45
- TODO: MediaSource blocking support
New in NoScript for Firefox 2.9.5 RC 22 (Nov 14, 2016)
- Fixed automatic reload impossible to be disabled
- Fixed UI initially not synced on new windows
- TODO: MediaSource blocking support
New in NoScript for Firefox 2.9.5 RC 21 (Nov 14, 2016)
- Full e10s compatibility
- Fixed bug in secure cookie enforcement upgrading all the unsecure cookies on secure connections even if a secure cookie for the domain existed, increasing chances of incompatibilities
- Fixed escaping issues in the noscript.js preference file
New in NoScript for Firefox 2.9.0.14 RC 1 (Aug 8, 2016)
- Fixed live bookmarks in Firefox 48 or above
New in NoScript for Firefox 2.9.0.13 (Aug 2, 2016)
- Added missing "s" in noscript.mandatory/about:feeds
New in NoScript for Firefox 2.9.0.12 RC 2 (Jul 25, 2016)
- Updated DNT implementation to match the most recent spec about navigator.doNotTrack values
- [XSS] Better compatibility with Unionbank's website
- Fixed bug 1278735
- Fixed JSON viewer not working
- about:feed in the mandatory whitelist to fix bug 1272139
- [XSS] Disable JavaScript on FTP-served pages when a potential DOM XSS threat is detected
- Fixed DOS through script-triggered ClickToPlay confirmation dialogs in a loop
- Fixed placeholder links might be potentially used as XSS vectors if stars were properly aligned
New in NoScript for Firefox 2.9.0.12 RC 1 (May 22, 2016)
- [Surrogate] Updated google-analytics.com replacement
- [XSS] Fixed regression (thanks Masato Kinugawa for report)
New in NoScript for Firefox 2.9.0.11 RC 1 (Apr 6, 2016)
- [XSS] Fixed infrastructure issue preventing one filter from being automatically synchronized with Mozilla's source code as designed
- [XSS] Added filtering for a potential CSRF vector
New in NoScript for Firefox 2.9.0.10 RC 1 (Mar 22, 2016)
- Fixed placeholder activation in Gecko 45 and above
New in NoScript for Firefox 2.9.0.9 RC 1 (Mar 21, 2016)
- [XSS] Compatibility exception for the Printfriendly add-on
- Removed msn.com from the default whitelist, since it seems to be unable to support HTTPS consistently
New in NoScript for Firefox 2.9.0.8 RC 1 (Mar 20, 2016)
- Fixed incompatibility with Firefox below version 38
- Tentative fix for an issue with explicit ports in HTTPS upgraded URLs (like MSN.com)
New in NoScript for Firefox 2.9.0.7 RC 2 (Mar 19, 2016)
- [HTTPS] Removed legacy redirection methods when redirectTo() is available in HTTP channels, fixing YouTube embedding problem
- Replaced newChannel() with newChannel2() on Gecko 48
New in NoScript for Firefox 2.9.0.6 (Mar 18, 2016)
- [HTTPS] Limit httpsDefWhitelist effect to document loads
- [XSS] Reduced eval aliasing checks false positives
New in NoScript for Firefox 2.9.0.5 (Mar 16, 2016)
- [XSS] Improved detection of computed property accessors
- [HTTPS] Fixed httpsDefWhitelist breaking OCSP
- [HTTPS] Fixed httpsDefWhitelist breaking yui.yahooapis.com
- [XSS] Fixed OpenID-related false positive
- Restored Nightly compatibility broken by bug 1253016
- Fixed regression in HTTPS enforcing exceptions
- [Surrogate] Updated googletag replacement
- [Surrogate] Updated ga replacement
- [XSS] Improved replacement for dangerous keywords/built-in properties
- [HTTPS] noscript.httpsDefWhitelist option to automatically upgrade to HTTPS sites found in the default whitelist
New in NoScript for Firefox 2.9.0.5 RC 4 (Mar 16, 2016)
- [XSS] Improved detection of computed property accessors
New in NoScript for Firefox 2.9.0.5 RC 3 (Mar 15, 2016)
- [HTTPS] Fixed httpsDefWhitelist breaking OCSP (thanks al_9x for reporting)
- [HTTPS] Fixed httpsDefWhitelist breaking yui.yahooapis.com (thanks Rob Greenberg for reporting
- [XSS] Fixed OpenID-related false positive
New in NoScript for Firefox 2.9.0.5 RC 2 (Mar 14, 2016)
- Restored Nightly compatibility broken by bug 1253016
- Fixed regression in HTTPS enforcing exceptions
New in NoScript for Firefox 2.9.0.5 RC 1 (Mar 14, 2016)
- [Surrogate] Updated googletag replacement (thanks barbaz)
- [Surrogate] Updated ga replacement (thanks barbaz)
- [XSS] Improved replacement for dangerous keywords/built-in properties (thanks Emanuel Bronshtein @e3amn2l for report)
- [HTTPS] noscript.httpsDefWhitelist option to automatically upgrade to HTTPS sites found in the default whitelist (enabled by default, thanks Mazin Amhed for reporting
New in NoScript for Firefox 2.9.0.4 (Feb 11, 2016)
- Fixed InjectionChecker over-optimization bug
- [l10n] Updated ar
New in NoScript for Firefox 2.9.0.3 RC 1 (Feb 3, 2016)
- Fixed NoScript blocking WebExtensions by default
- Fixed XSS filter JSON sanitization bug
New in NoScript for Firefox 2.9.0.2 (Jan 8, 2016)
- Version bump to work around AMO's 404 when serving 2.9.0.1
New in NoScript for Firefox 2.9.0.1 RC 2 (Jan 8, 2016)
- Replaced "for each ()" with "for (... of ...)"
- Removed array comprehension usage
- Removed compatibility with Gecko lt 13
New in NoScript for Firefox 2.9.0.1 RC 1 (Jan 4, 2016)
- Fixed conflict w/ KeeFox + CTR (thanks amloessb for report)
New in NoScript for Firefox 2.9 (Jan 4, 2016)
- [e10s] Fixed "Temporarily allow top-level sites by default" broken by Electrolysis
- Fixed "key.revokeTemp" preference management bug
New in NoScript for Firefox 2.7 RC 1 (Nov 23, 2015)
- removed informaction.com, flashgot.net and maone.net from nthe default whitelist to reduce the potential attack surface
- removed vestigial noscript.forbidData preference
- Fixed shorthands not checked for ftp(s) sites (thanks Leon Winter for patch)
- [Surrogate] Fixed googletag replacement (thanks barbaz)
- Fixed incompatibility with importScript() from workers breaking new reCaptcha implementation (thanks Mr_KrzYch00 for reporting)
New in NoScript for Firefox 2.6.9.39 (Oct 26, 2015)
- Work-around for a XSS "false positive" caused by nwolb.com passing Javascript code across subdomains in window.namei
New in NoScript for Firefox 2.6.9.39 RC 1 (Oct 12, 2015)
- Work-around for a XSS "false positive" caused by nwolb.com
- passing Javascript code across subdomains in window.name
New in NoScript for Firefox 2.6.9.38 (Oct 9, 2015)
- Includes changes from the previous RC version
New in NoScript for Firefox 2.6.9.38 RC 1 (Oct 9, 2015)
- Fixed breakage due to const declarations behavior changes in latest Firefox nightlies
New in NoScript for Firefox 2.6.9.37 RC 2 (Sep 29, 2015)
- Fixed bug: launching a bookmarklet on about:newTab caused allow scripts globally for that tab
- [L10n] Updated French translation
- Fixed NOSCRIPT element hidden on Javascript-disabled pages
New in NoScript for Firefox 2.6.9.37 RC 1 (Aug 31, 2015)
- [Surrogate] enhanced gogletags.com replacement
- Fixed subtle bug in load context association causing an origin mismatch in one corner case
New in NoScript for Firefox 2.6.9.36 (Aug 20, 2015)
- [L10n] Fixed typo in nb-NO
- [e10s] Fixed top-level site auto-whitelisting broken
- [e10s] Fixed MozBug 1196477 (crash with allowLocalLinks)
- Shorthands reliability improvements
- [ClearClick] fixed console spam due to missing XPCOM interfaces for HTML elements
- In order to help Netflix users with the new video delivery system, users who have netflix.com already in their whitelist get https://*.nflxvideo.net whitelisted as well on upgrade
New in NoScript for Firefox 2.6.9.36 RC 2 (Aug 20, 2015)
- Fixed typo in nb-NO (thanks Mikkel H.)
- Fixed top-level site auto-whitelisting broken
- Fixed MozBug 1196477 (crash with allowLocalLinks)
- Shorthands reliability improvements
New in NoScript for Firefox 2.6.9.36 RC 1 (Aug 17, 2015)
- [ClearClick] fixed console spam due to missing XPCOM interfaces for HTML elements
- In order to help Netflix users with the new video delivery system, users who have netflix.com already in their whitelist get https://*.nflxvideo.net whitelisted as well on upgrade
New in NoScript for Firefox 2.6.9.35 (Aug 12, 2015)
- googletagservices.com replacement now supports custom googletag objects (thanks barbaz)
- fixed surrogates stopped working on older Gecko versions (thanks barbaz)
- Work-around for false positive on some Yahoo! URLs
- Corrected mistyped about:pocket-saved whitelist entry
- Fixed race condition in ABE options observer causing l.getRowCount() console spam
New in NoScript for Firefox 2.6.9.35 RC 2 (Aug 12, 2015)
- Fixed surrogates stopped working on older Gecko versions - take 2 (thanks barbaz)
New in NoScript for Firefox 2.6.9.35 RC 1 (Aug 12, 2015)
- Googletagservices.com replacement now supports custom googletag objects (thanks barbaz)
- Fixed surrogates stopped working on older Gecko versions
- Work-around for false positive on some Yahoo! URLs
- Corrected mistyped about:pocket-saved whitelist entry
- Fixed race condition in ABE options observer causing l.getRowCount() console spam
New in NoScript for Firefox 2.6.9.34 (Aug 3, 2015)
- Fixed a bug preventing some replacements from running
- Fixed over-optimized JSON and dots erasure allowing for a filter bypass in specific (and likely rare) circumstances
New in NoScript for Firefox 2.6.9.34 RC 1 (Jul 31, 2015)
- Fixed over-optimized JSON and dots erasure allowing for a filter bypass in specific (and likely rare) circumstances
New in NoScript for Firefox 2.6.9.33 RC 2 (Jul 29, 2015)
- XSS: Fixed bug in minimal inline JavaScript fragment detection
New in NoScript for Firefox 2.6.9.33 RC 1 (Jul 28, 2015)
- Surrogate: fixed scope conflicts caused by the $S() object replacement wrapper (e.g. with some EA games)
New in NoScript for Firefox 2.6.9.32 (Jul 27, 2015)
- Added domains required for Netflix playback to the default whitelist
- Fixed inline script blocking broken by latest Nightlies
- Fixed NOSCRIPT elements not being shown in script-blocked pages on Firefox betas
- [Surrogate] shimmed or replaced code causing deprecations
- [Surrogate] updated googletag replacement
- [XSS] Fixed regression in minimal inline JavaScript fragment detection (thanks Gareth Heyes for reporting)
- Fixed edge case causing JavaScript redirections detection to fail on http://qklnk.co/
New in NoScript for Firefox 2.6.9.32 RC 2 (Jul 23, 2015)
- XSS: Fixed regression in minimal inline JavaScript fragment detection
New in NoScript for Firefox 2.6.9.32 RC 1 (Jul 22, 2015)
- Fixed edge case causing JavaScript redirections detection to fail on http://qklnk.co/
New in NoScript for Firefox 2.6.9.31 (Jul 16, 2015)
- XSS: Fixed attribute injection checks regression
New in NoScript for Firefox 2.6.9.30 (Jul 9, 2015)
- Fixed noscript.allowWhitelistUpdates preference being ignored
- Filtering out whitelist additions not required by the the specific current browser type and version
- Added about:pocket-save and about:pocket-signup to the default whitelist
- More restrictive and accurate INCLUSION type check
- [XSS] Further invalid characters optimization refinementx [XSS] Fixed XML stripping optimization to prevent inline injections
- Default whitelist maintenance: removed prototypejs.org, cdnjs.cloudflare.com; restored maps.googleapis.com
- [XSS] Updated inline event handlers related code preventing potential 2nd order injections on very badly coded websites
New in NoScript for Firefox 2.6.9.30 RC 5 (Jul 8, 2015)
- Fixed about:packet-save whitelisted instead of about:pocket-saved
- Fixed noscript.allowWhitelistUpdates preference being ignored
- Filtering out whitelist additions not required by the specific current browser type and version
New in NoScript for Firefox 2.6.9.30 RC 4 (Jul 7, 2015)
- Added about:pocket-save and about:pocket-signup to the default whitelist
- More restrictive and accurate INCLUSION type check
New in NoScript for Firefox 2.6.9.30 RC 3 (Jul 4, 2015)
- [XSS] Further invalid characters optimization refinement
New in NoScript for Firefox 2.6.9.30 RC 2 (Jul 4, 2015)
- [XSS] Fixed XML stripping optimization to prevent inline injections
- Default whitelist maintenance: removed prototypejs.org, cdnjs.cloudflare.com; restored maps.googleapis.com
New in NoScript for Firefox 2.6.9.30 RC 1 (Jul 2, 2015)
- [XSS] Updated inline event handlers related code preventing potential 2nd order injections on very badly coded websites
New in NoScript for Firefox 2.6.9.29 (Jul 1, 2015)
- [XSS] Improved specificity of invalid characters optimization to remove a string literal breaking detection bypass
New in NoScript for Firefox 2.6.9.28 (Jun 30, 2015)
- Narrowed googleapis.com default whitelist entry to ajax.googleapis.com
- [Surrogate] Updated gigya.com and 2mdn.net replacements
New in NoScript for Firefox 2.6.9.28 RC 1 (Jun 29, 2015)
- Default whitelist retroactive removal ability
- Removed vjs.zendcdn.net from the default whitelist
New in NoScript for Firefox 2.6.9.27 (Jun 18, 2015)
- Fixed media elements being blocked on first (uncached) request
- noscript.middlemouse_temp_allow_main_site about:config preference to control whether middle-clicking the toolbar button should allow current top document's site
- [L10n] Updated Belarusian
- Default whitelist retroactive removal ability
- Removed vjs.zendcdn.net from the default whitelist
New in NoScript for Firefox 2.6.9.26 RC 3 (May 29, 2015)
- Extended the redirecTo() safety net for to all the internal redirections
New in NoScript for Firefox 2.6.9.26 RC 2 (May 29, 2015)
- Work-around for redirecTo() breaking Flash plugin subrequests
New in NoScript for Firefox 2.6.9.26 RC 1 (May 28, 2015)
- Got ChannelReplacement backed by HTTPChannel.redirectTo() whenever possible (should fix moz-bug 1153256 for good)
- Fixed double redirection in HTTPS enforcing
New in NoScript for Firefox 2.6.9.25 (May 25, 2015)
- Fixed regression preventing HTTPS enforcing exceptions from being honored
New in NoScript for Firefox 2.6.9.24 (May 25, 2015)
- Fix for intermittent crashes on older Gecko versions
New in NoScript for Firefox 2.6.9.23 (May 23, 2015)
- Work-around for moz-bug 1167371
- Fixed fatal regression on Firefox 34 and below
- Improved backward compatibility
- Work-around for anonymized plugin subrequests being vetoed by channel event sink
- Fixed backward compatibility PopupBoxObject shim
- [E10s] Fixed cascading permissions broken when checks are performed cross-process
- [Surrogate] Removed deprecated "for each" constructs from replacements
- [L10n] Updated ru-RU (thanks negodnik)
- Tentative fix for Bug 1153256 (thanks Dragana Damjanovic)
- Added about:preferences to the mandatory whitelist
- Removed legacy STS support
- [Surrogate] 2mdn.net inclusion replacement (thanks barbaz)
- [E10s] Restored inline JavaScript blocking
New in NoScript for Firefox 2.6.9.23 RC 4 (May 23, 2015)
- Work-around for moz-bug 1167371
- Fixed fatal regression on Firefox 34 and below
- Improved backward compatibility
New in NoScript for Firefox 2.6.9.23 RC 3 (May 22, 2015)
- Work-around for anonymized plugin subrequests being vetoed by channel event sink
- Fixed backward compatibility PopupBoxObject shim
New in NoScript for Firefox 2.6.9.23 RC 2 (May 21, 2015)
- [E10s] Fixed cascading permissions broken when checks are performed cross-process
- [Surrogate] Removed deprecated "for each" constructs from replacements
- Fixed missing default preferences
New in NoScript for Firefox 2.6.9.23 RC 1 (May 20, 2015)
- [L10n] Updated ru-RU
- Tentative fix for Bug 1153256
- Added about:preferences to the mandatory whitelist
- Removed legacy STS support
- [Surrogate] 2mdn.net inclusion replacement
- [E10s] Restored inline JavaScript blocking
New in NoScript for Firefox 2.6.9.22 (Apr 21, 2015)
- [Surrogate] Generalized OWASP antiClickjacking replacement
- [Surrogate] Wordpress scriptless site auto-show replacement
- bootstrapcdn.com in default whitelist
New in NoScript for Firefox 2.6.9.21 RC 1 (Apr 7, 2015)
- Added "mediasource:" to the mandatory whitelist
- [Surrogate] Updated googletagservices.com replacement
- Better compatibility with SDK-based add-ons using data: URIs
New in NoScript for Firefox 2.6.9.20 (Mar 31, 2015)
- Improved "Recently blocked sites..." recording
New in NoScript for Firefox 2.6.9.20 RC 1 (Mar 30, 2015)
- Fixed inconsistencies in data: URIs handling
New in NoScript for Firefox 2.6.9.19 (Mar 21, 2015)
- [Surrogate] .gigya.com replacement
- [Surrogate] js.stripe.com replacement
- Improved usability of new Yahoo! video activation
- Added googlevideo.com to the default whitelist because it's now required to play Youtube movies
New in NoScript for Firefox 2.6.9.19 RC 1 (Mar 20, 2015)
- Improved usability of new Yahoo! video activation
- Added googlevideo.com to the default whitelist because it's now required to play Youtube movies
New in NoScript for Firefox 2.6.9.18 RC 3 (Mar 13, 2015)
- Fixed restrictSubdocScripts/globalHTTPSWhitelist interaction issue
New in NoScript for Firefox 2.6.9.18 RC 2 (Mar 12, 2015)
- Fixed regression always disabling scripts whenever site's host name is a IPv6 literal
New in NoScript for Firefox 2.6.9.18 RC 1 (Mar 10, 2015)
- Fixed menu automatic disappearance on mouse exit broken by Firefox 36 changes
New in NoScript for Firefox 2.6.9.17 RC 2 (Mar 7, 2015)
- Fixed cascadePermissions/globalHTTPSWhitelist interaction issue with IFRAMEs (
New in NoScript for Firefox 2.6.9.17 RC 1 (Mar 6, 2015)
- Fixed cascadePermissions being enforced also if the top document is implicitly allowed by the globalHTTPSWhitelist policy, rather than explicitly whitelisted, causing HTTP subdocument and scripts to be unintendendly allowed when the top document is HTTPS
- [Surrogate] Update Google Analytics replacement
New in NoScript for Firefox 2.6.9.16 RC 1 (Mar 2, 2015)
- [Surrogate] Updated Gravatar surrogate
- Additional HTML sanitization when pasting rich text into content-editable elements
- Introduced framework for E10s migration, starting with new features and fixes
- Removed deprecated let () expressions from the code base
New in NoScript for Firefox 2.6.9.15 (Feb 20, 2015)
- Fixed regression in 2.6.9.12 causing data: URI documents to be scripting-enabled
New in NoScript for Firefox 2.6.9.14 RC 2 (Feb 18, 2015)
- Surrogate: OWASP legacy Javascript-based "antiClickjack" protection surrogate to unhide "protected" pages when scripting is disabled
New in NoScript for Firefox 2.6.9.14 RC 1 (Feb 12, 2015)
- Restored noscript.forbidXHR functionality trying to make it more web-compatible
New in NoScript for Firefox 2.6.9.13 RC 3 (Feb 11, 2015)
- Fixed bug in comment stripping optimization
New in NoScript for Firefox 2.6.9.13 RC 1 (Feb 10, 2015)
- Better protection against some ES6 attacks
- Removed support for XMLHttpRequest blocking noscript.forbidXHR preference). The same functionality, if really needed, can still be achieved through ABE anyway.
New in NoScript for Firefox 2.6.9.12 (Feb 5, 2015)
- Fixed origin checking bug causing sandboxed IFRAMEs to have scripting always disabled
New in NoScript for Firefox 2.6.9.11 (Jan 17, 2015)
- [Surrogate] microsoftSupport surrogate to force the content to be shown if scripts are disabled
- Check private browsing against chrome rather than content windows (prevents annoying warning console messages)
New in NoScript for Firefox 2.6.9.10 RC 2 (Dec 27, 2014)
- Fixed regression: permanently allow a web site erasing temporary whitelist items
New in NoScript for Firefox 2.6.9.10 RC 1 (Dec 24, 2014)
- Fixed private windows detection for UI adaptation broken in SeaMonkey
- Made the Permanent "allow" commands in private windows' checkbox look and behave like the other options in the "Appearance" tab, i.e. controlling the visibility of the menu item by the same name
New in NoScript for Firefox 2.6.9.9 RC 1 (Dec 18, 2014)
- Updated GPL.txt and NoScript_License.txt with current FSF information
- Fixed regression causing "Revoke temporary permissions" gitches
- Moved the Permanent "allow" commands in private windows' menu toggle next to the 'Options' command
New in NoScript for Firefox 2.6.9.8 (Dec 17, 2014)
- 'Permanent "allow" commands in private windows' preference in NoScript Options|Appearance (inverse of noscript.volatilePrivatePermissions)
- 'Permanent "allow" commands in private windows' toggle in NoScript menu while in Private Browsing mode, controlled by noscript.showVolatilePrivatePermissionsToggle
- Fixed regression in Cascade Permissions mode
New in NoScript for Firefox 2.6.9.8 RC 2 (Dec 16, 2014)
- Fixed whitelisting regression on Gecko 25 and below (e.g. Palemoon)
New in NoScript for Firefox 2.6.9.8 RC 1 (Dec 16, 2014)
- Actually prevent temporary whitelist items from being saved in prefs
New in NoScript for Firefox 2.6.9.7 RC 2 (Dec 15, 2014)
- Fixed inconsistencies in the globalHttpsWhitelist option implementation
New in NoScript for Firefox 2.6.9.7 RC 1 (Dec 13, 2014)
- Volatile temporary whitelist, never gets saved to disk
- Never show permanent whitelist modifying commands when in private mode, unless the oscript.volatilePrivatePermissions preference is false
- noscript.allowWhitelistUpdate preference to control whether NoScript should be able to tweak the whitelist on version pdates when the 3rd party requirements for an already whitelisted website change
New in NoScript for Firefox 2.6.9.6 RC 3 (Dec 4, 2014)
- Built-in force HTTPS list, seeded with www.youtube.com
- Work-around for bogus Youtube embedded frame activation patterns
New in NoScript for Firefox 2.6.9.6 RC 2 (Dec 2, 2014)
- Fixed bookmarklet execution regression in older Firefox versions
New in NoScript for Firefox 2.6.9.6 RC 1 (Nov 27, 2014)
- Fixed subdocuments of a [System Principal] page not being allowed when they should in cascade permission modes
New in NoScript for Firefox 2.6.9.5 (Nov 25, 2014)
- Fixed memory leak when a top-level browser window is closed
- [XSS] compatibility tweak for swisspost.ch
- Miscellaneous HTTPS URLs lockdown
New in NoScript for Firefox 2.6.9.5 RC 2 (Nov 24, 2014)
- Support for full-encrypted https://noscript.net
- Updated Twitter surrogate
- Work-around for thumbnail generation protection being broken by some add-ons
- Fully disable background processed thumbnail generation unless noscript.bgThumbs.allowed about:config preference is set to true
- Control JavaScript enabled in background thumbail generation through the noscript.bgThumbs.disableJS
- about:config preference
New in NoScript for Firefox 2.6.9.5 RC 1 (Nov 18, 2014)
- Forcing remote browsers used for thumbnail generation to disable JavaScript
- [Surrogate] Invodo dummy replacement
New in NoScript for Firefox 2.6.9.4 RC 1 (Nov 15, 2014)
- Added vimeocdn.com as a vimeo.com dependency if already withlisted
- [Surrogate] Enabling imgserve.com age verification button even if JavaScript is disabled
- Fixed IP6 to IP4 mapping bug (thanks stack / inventati)
New in NoScript for Firefox 2.6.9.3 (Oct 24, 2014)
- More accurate referrer checks for some edge cases
New in NoScript for Firefox 2.6.9.3 RC 2 (Oct 23, 2014)
- [ABE] More restrictive local IP checks
- More permissive AddressMatcher IP parser
New in NoScript for Firefox 2.6.9.2 RC 1 (Oct 16, 2014)
- [XSS] Improved sensitivity
New in NoScript for Firefox 2.6.9.1 RC 2 (Oct 11, 2014)
- [XSS] Improved focus-based exfiltration protection
New in NoScript for Firefox 2.6.9.1 RC 1 (Oct 11, 2014)
- [XSS] focus-based exfiltration protection
- [XSS] Fixed false positive in risky operators detection
New in NoScript for Firefox 2.6.9 (Oct 6, 2014)
- [XSS] Fixed bug in location-based exfiltration protection
New in NoScript for Firefox 2.6.9 RC 3 (Oct 3, 2014)
- [XSS] Improved location-based exfiltration protection
New in NoScript for Firefox 2.6.9 RC 2 (Oct 3, 2014)
- [Surrogate] login.person.org inclusion
- [XSS] Fixed 2.6.8.43 regressions
- [XSS] Improved specificity for eval-like patterns
New in NoScript for Firefox 2.6.9 RC 1 (Oct 1, 2014)
- Switched to a treeview for faster management of very long whitelists
- Tentative work-around for potential performance problems reportedly related to Australis support
New in NoScript for Firefox 2.6.8.43 RC 1 (Sep 27, 2014)
- Protection against some exfiltration attacks based on arithmetic operators
New in NoScript for Firefox 2.6.8.42 (Sep 22, 2014)
- User-facing "Reload the current tab only" option
- [XSS] Improved window.name exfiltration protection
New in NoScript for Firefox 2.6.8.42 RC 2 (Sep 22, 2014)
- Fixed subtle bug in ScriptSurrogate.replaceScript()
- Fixed HTTPS and cascading permission policies not applying to XHR and XBL checks
- [XSS] Fixed ES6-based bypasses
- [XSS] window.name exfiltration protection
New in NoScript for Firefox 2.6.8.42 RC 1 (Sep 17, 2014)
- Fixed script sources enumeration breakage in Firefox 35 (Moz Bug 1068508)
New in NoScript for Firefox 2.6.8.41 (Sep 12, 2014)
- Improved Australis toolbar compatibility
- Added "Always ask" checkbox to the removal confirmation dialog
- Fixed Options dialog broken on ancient Firefox versions
- [XSS] Fixed false positive within *.adxns.com
New in NoScript for Firefox 2.6.8.41 RC 2 (Sep 11, 2014)
- Added "Always ask" checkbox to the removal confirmation dialog
- Fixed Options dialog broken on ancient Firefox versions
New in NoScript for Firefox 2.6.8.41 RC 1 (Sep 10, 2014)
- Improved Australis toolbar compatibility
- [XSS] Fixed false positive within *.adxns.com
New in NoScript for Firefox 2.6.8.40 RC 2 (Sep 1, 2014)
- Fixed regression causing script inclusions with non-standard ports to be always blocked
New in NoScript for Firefox 2.6.8.40 RC 1 (Aug 28, 2014)
- [ABE] Improved ruleset editing UI
New in NoScript for Firefox 2.6.8.39 RC 2 (Aug 27, 2014)
- [Surrogate] Removed DARLA surrogate and reimplemented its work-around as a XSS filter exception
- [Bookmarklets] Fixed bookmarklets broken when JavaScript is enabled
New in NoScript for Firefox 2.6.8.39 RC 1 (Aug 26, 2014)
- [Surrogate] Work-around for DARLA surrogate breaking Yahoo! Mail
New in NoScript for Firefox 2.6.8.38 RC 2 (Aug 25, 2014)
- Fixed regression preventing Youtube movies from playing
New in NoScript for Firefox 2.6.8.38 RC 1 (Aug 25, 2014)
- Completed work-around for Firefox's Bug 1044351
- [Surrogate] Improved Yahoo! DARLA source matching
New in NoScript for Firefox 2.6.8.37 RC 2 (Aug 16, 2014)
- [XSS] Support for new insidious ES6 constructs introduced in Firefox 34
- [HTTPS] Experimental "Allow HTTPS scripts globally on HTTPS documents" mode
New in NoScript for Firefox 2.6.8.37 RC 1 (Jul 30, 2014)
- [Surrogate] Yahoo! "DARLA" ads loader post-execution surrogate prevents the browser from stalling due to the many window.name-based XSSes intentionally used by this ads delivery script
New in NoScript for Firefox 2.6.8.36 (Jul 29, 2014)
- Fixed regression causing preventing the Blocked Objects list from being manually reset
New in NoScript for Firefox 2.6.8.36 RC 1 (Jul 26, 2014)
- [Surrogate] Updated adf.ly replacement (thanks kasper93 for coding)
- [Surrogate] Updated connect.facebook.net replacement
- Fixed bookmarklet emulation compatibility issue breaking some add-ons which rely on the new getShortcutOrURIAndPostData() function signature
New in NoScript for Firefox 2.6.8.35 (Jul 25, 2014)
- Improved compatibility with browser built-in Click To Play
- Recently blocked sites are now recorded per-window (causing automatic oblivion of data from Private Browsing windows when they're closed)
- Recently blocked sites are not collected at all unless the menu item is configured to be shown (thanks Barbaz for RFE and patch)
New in NoScript for Firefox 2.6.8.35 RC 1 (Jul 24, 2014)
- Recently blocked sites are now recorded per-window (causing automatic oblivion of data from Private Browsing windows when they're closed)
- Recently blocked sites are not collected at all unless the menu item is configured to be shown
New in NoScript for Firefox 2.6.8.34 (Jul 17, 2014)
- Added "cdn.directvid.com/*.jsx" to inclusionTypeChecking.exceptions in order to let the directvid video player work
- Better compatibility with null principal origins created by the Add-on SDK
New in NoScript for Firefox 2.6.8.33 (Jul 9, 2014)
- Fixed regression in smart reloading of just allowed HTML Media elements
New in NoScript for Firefox 2.6.8.32 RC 3 (Jul 7, 2014)
- Fixed regression: NOSCRIPT element not shown on non-whitelisted pages
New in NoScript for Firefox 2.6.8.32 RC 2 (Jul 7, 2014)
- Replaced Ci.nsIDOMHTML(Video|Audio)Element (about to be removed) with window.(Video|Audio)Element counterparts (see Moz Bug 1034304)
New in NoScript for Firefox 2.6.8.32 RC 1 (Jul 5, 2014)
- Fixed jammed icon on the navigation bar when "left clicking on toolbar icon toggles..." option is checked
New in NoScript for Firefox 2.6.8.31 (Jul 1, 2014)
- Updated HTML5 and Gecko-specific markup elements list
- Fixed "too much recursion" book in bookmarklet emulation when executing window.open(..., "_self") (thanks al_9x)
- Improved icons consistence with cascading permissions
- Fixed 2.6.8.30rc1 regression: broken local file loads
- Make "[Temporarily] Allow all this page" affect only the top-level document's origin when cascading permissions mode is enabled
- [Surrogate] Fixed regression about a small change in sandbox principal management breaking some surrogates, including Google Analytics
- [CAPS] better compatibility with Firefox 30's restored checkloaduri prefs hack
- UI support for cascadePermissions and restrictSubdocScripting
- "NoScript Options|Advanced|Trusted|Cascade top document's permissions to 3rd party scripts" user-facing preference
- "NoScript Options|Advanced|Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages" user-facing preference
- Backported cascadePermissions and restrictSubdocScripting support to ESR 24
New in NoScript for Firefox 2.6.8.30 RC 5 (Jun 30, 2014)
- Updated HTML5 and Gecko-specific markup elements list
- Fixed "too much recursion" bug in bookmarket emulation when executing window.open(..., "_self") (thanks al_9x)
New in NoScript for Firefox 2.6.8.30 RC 4 (Jun 26, 2014)
- Improved icons consistency with cascading permissions
- Fixed 2.6.8.30rc1 regression: broken local file loads
New in NoScript for Firefox 2.6.8.30 RC 3 (Jun 26, 2014)
- Make "[Temporarily] Allow all this page" affect only the top-level document's origin when cascading permissions mode is enabled
New in NoScript for Firefox 2.6.8.30 RC 2 (Jun 26, 2014)
- [Surrogate] Fixed regression about a small change in sandbox principal management breaking some surrogates, including Google Analytics
New in NoScript for Firefox 2.6.8.30 RC 1 (Jun 25, 2014)
- [CAPS] better compatibility with Firefox 30's restored checkloaduri prefs hack
- UI support for cascadePermissions and restrictSubdocScripting
- "NoScript Options|Advanced|Trusted|Cascade top document's permissions to 3rd party scripts" user-facing preference
- "NoScript Options|Advanced|Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages" user-facing preference
- Backported cascadePermissions and restrictSubdocScripting support to ESR 24
New in NoScript for Firefox 2.6.8.29 (Jun 23, 2014)
- [Surrogate] googletagservices.com replacement
- Fixed bookmarklet emulation "Object.getPrototypeOf(...).open is undefined" failure on Nightly (thanks Ria and barbaz for reporting)
New in NoScript for Firefox 2.6.8.29 RC 1 (Jun 9, 2014)
- [Surrogate] googletagservices.com replacement
- Fixed bookmarklet emulation "Object.getPrototypeOf(...).open is undefined" failure on Nightly
New in NoScript for Firefox 2.6.8.28 RC 1 (Jun 4, 2014)
- Fixed bookmarklet execution on non-whitelisted page causing scripts to be globally allowed
New in NoScript for Firefox 2.6.8.27 (Jun 3, 2014)
- Work-around for bug 1005552 (backport to ESR)
- [Surrogate] External script surrogates are now triggered whenever a matching script fails to load, no matter the reason, e.g. NoScript permissions, ABE, ABP or RequestPolicy
- [XSS] Worked around OpenID-related false positive
- [XSS] Better work around for false positive in gmx.com new webmail, designed to work across all its implementations
New in NoScript for Firefox 2.6.8.27 RC 3 (Jun 2, 2014)
- [Surrogate] Better trigger timing
- Work-around for bug 1005552 (backport to ESR)
New in NoScript for Firefox 2.6.8.27 RC 2 (May 31, 2014)
- [Surrogate] External script surrogates are now triggered whenever amatching script fails to load, no matter the reason, e.g. NoScript permissions, ABE, ABP or RequestPolicy
New in NoScript for Firefox 2.6.8.27 RC 1 (May 30, 2014)
- [XSS] Worked around OpenID-related false positive
- [XSS] Better work around for false positive in gmx.com new webmail, designed to work across all its implementations
New in NoScript for Firefox 2.6.8.26 (May 27, 2014)
- Includes all the changes featured in the previous Beta versions
New in NoScript for Firefox 2.6.8.26 RC 1 (May 24, 2014)
- [XSS] gmx.com false positive work-around extended to international domains
- [XSS] gmx.com false positive work-around extended to mail.com
- noscript.cascadePermissions preliminary backend implementation
- noscript.restrictSubdocScripting preliminary backend implementation
New in NoScript for Firefox 2.6.8.25 (May 21, 2014)
- [ABE] Fixed inability to discriminate loads inititated from the URL bar on latest Nightlies
- [XSS] Fixed false positive on new gmx.com login
- [Surrogate] Fixed new google-analytics.com surrogate causing Google Spreadsheet's columns not to be resizable
New in NoScript for Firefox 2.6.8.25 RC 1 (May 20, 2014)
- [Surrogate] Fixed new google-analytics.com surrogate causing Google Spreadsheet's columns not to be resizable
- [XSS] Fixed false positive on new gmx.com login
New in NoScript for Firefox 2.6.8.24 (May 15, 2014)
- Synthetic load events are sent and error events are suppressed for blocked script elements, in order to work around strict script inclusion enforcers. This feature is triggered by default only by Require.js module imports, but can be fully configured by noscript.fakeScriptLoadEvents. about:config preferences:
- .enabled: switches this feature on/off
- .onlyRequireJS: if true (default) applies the feature only to script inclusions initiated by Require.js
- .exceptions: AddressMatcher pattern matching the source URLs of script elements which should not cause fake load events when blocked
- .docExceptions: AddressMatcher pattern matching the URLs of documents where no fake load event must be raised
- Improved toStaticHTML() implementation
- Removed useless ICC profiles from some icons
- [Surrogate] Improved google-analytics.com (ga) surrogate
- [XSS] Fixed characters redundancy reduction bug
- [XSS] Fixed typo in the new regular expression literals stripping routine implementation (thanks Masato Kinugawa for reporting)
- [XSS] Fixed subtle bug in regular expression literals stripping
- optimization, potentially causing false negatives in edge cases
- Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
- and NoScript's on-hover menu needing a click to be closed
New in NoScript for Firefox 2.6.8.24 RC 5 (May 15, 2014)
- More flexible implementation of the fake script load events feature, triggered by default only by Require.js module imports, can be fully configured by noscript.fakeScriptLoadEvents.
- about:config preferences:
- .enabled: switches this feature on/off
- .onlyRequireJS: if true (default) applies the feature only to script inclusions initiated by Require.js
- .exceptions: AddressMatcher pattern matching the source URLs of script elements which should not cause fake load events when blocked
- .docExceptions: AddressMatcher pattern matching the URLs of documents
- where no fake load event must be raised
New in NoScript for Firefox 2.6.8.24 RC 4 (May 13, 2014)
- Synthetic load events are sent and error events are suppressed for blocked script elements, in order to work around strict script inclusion enforcers such as Require.js (this feature is configured by the noscript.fakeScriptLoadEvents about:config preference)
- Improved toStaticHTML() implementation (thanks .mario for reporting)
- Removed useless ICC profiles from some icons (thanks taffit for RFE)
New in NoScript for Firefox 2.6.8.24 RC 3 (May 12, 2014)
- [XSS] Fixed characters redundancy reduction bug
New in NoScript for Firefox 2.6.8.24 RC 2 (May 12, 2014)
- [XSS] Fixed typo in the new regular expression literals stripping routine implementation
New in NoScript for Firefox 2.6.8.24 RC 1 (May 12, 2014)
- [XSS] Fixed subtle bug in regular expression literals stripping optimization, potentially causing false negatives in edge cases
New in NoScript for Firefox 2.6.8.23 (May 5, 2014)
- Work-around for Firefox bug causing popup.hidePopup() to fail sometimes and NoScript's on-hover menu needing a click to be closed
New in NoScript for Firefox 2.6.8.22 (May 5, 2014)
- Better algorithm for menu items ordering
New in NoScript for Firefox 2.6.8.21 RC 2 (May 5, 2014)
- Fixed XSL check regression
- Work-around for bug 1005552
New in NoScript for Firefox 2.6.8.21 RC 1 (Apr 30, 2014)
- [Surrogate] Gravatar dummy replacement
- [Australis] Support for reversed menu on surrogate status/addon bars
New in NoScript for Firefox 2.6.8.20 (Apr 15, 2014)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.20 RC 3 (Apr 15, 2014)
- Partially restored "Allow local links" functionality (works for HTML file:// links but not for embedded resources and scripted loads)
- "allowLocalLinks.from" about:config preference to define a whitelist in ABE URL pattern list syntax) which, if valid and not empty, overrides the JavaScript whitelist which is reused by legacy default for pages allowed to open file:// links (Gecko 28 and above)
- "allowLocalLinks.to" about:config preference to define a whitelist in ABE URL pattern list syntax) which, if valid and not empty, limits the file:// links which can be opened by allowed pages Gecko 28 and above)
- Removed "Allow rich text copy and paste from external clipboard" option from the UI if the browser doesn't support CAPS (Gecko 28 and above)
New in NoScript for Firefox 2.6.8.20 RC 2 (Apr 14, 2014)
- Implemented early permission changes enforcement on not yet reloaded pages, to better match the old CAPS-based behavior
New in NoScript for Firefox 2.6.8.20 RC 1 (Apr 14, 2014)
- [Surrogates] Fixed Google Analytics surrogate breaking some javascript: links
- [L18n] Fixed Finnish typo
- [XSS] Removed OAuth-triggered false positive
- [XSS] Stricter checks for HTTPS requests from a same domain origin with different scheme
New in NoScript for Firefox 2.6.8.19 (Mar 25, 2014)
- Fixed CAPS initialization broken in Gecko 27 and below
- Fixed wildcard port matching broken in Gecko 28 and below
New in NoScript for Firefox 2.6.8.18 (Mar 24, 2014)
- Fixed some bookmarklets being broken by Gecko 28
- [Surrogate] Fixed some surrogates being broken by Gecko 28
- Disabled CAPS-based script blocking for Gecko 28 and above
- Fixed XSLT blocking broken by recent Gecko changes
New in NoScript for Firefox 2.6.8.18 RC 1 (Mar 10, 2014)
- Fixed XSLT blocking broken by recent Gecko changes
New in NoScript for Firefox 2.6.8.17 (Mar 5, 2014)
- Includes changes from the previous RC version
New in NoScript for Firefox 2.6.8.17 RC 1 (Mar 3, 2014)
- CSS tweak for Australis support (thanks Jared Wein)
- Fixed new bookmarklet execution module accidentally using X rays wrappers and therefore failing to interact with expando variables
New in NoScript for Firefox 2.6.8.16 (Feb 28, 2014)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.16 RC 4 (Feb 27, 2014)
- Closing a placeholder doesn't collapse its space anymore, unless the noscript.placeholderCollapseOnClose is set to true or the "Collapse blocked objects" Embeddings option is checked
New in NoScript for Firefox 2.6.8.16 RC 3 (Feb 26, 2014)
- Further bookmarklet emulation improvements yet
New in NoScript for Firefox 2.6.8.16 RC 2 (Feb 24, 2014)
- Further bookmarklet emulation improvements
New in NoScript for Firefox 2.6.8.16 RC 1 (Feb 24, 2014)
- More faithful bookmarklet corner-cases emulation
New in NoScript for Firefox 2.6.8.15 (Feb 24, 2014)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.15 RC 5 (Feb 22, 2014)
- Fixed various bookmarklet emulation regressions caused by Firefox 24 compatibility efforts
- [L10n] Fixed double newline escaping in some localized strings
New in NoScript for Firefox 2.6.8.15 RC 4 (Feb 18, 2014)
- [Surrogate] Fixed regression: some surrogates not being correctly initialized
New in NoScript for Firefox 2.6.8.15 RC 3 (Feb 14, 2014)
- [Surrogate] Fixed replacements not being parsed as Unicode text
New in NoScript for Firefox 2.6.8.15 RC 2 (Feb 13, 2014)
- Fixed listeners and timers in sandboxed non-whitelisted scripts on Gecko 27 and above
New in NoScript for Firefox 2.6.8.15 RC 1 (Feb 12, 2014)
- Work-around for Firefox 27 and above preventing bookmarklets from attaching event listeners on non-whitelisted pages
New in NoScript for Firefox 2.6.8.14 (Feb 12, 2014)
- Fixed bookmarklet execution disabling JavaScript on whitelisted pages
New in NoScript for Firefox 2.6.8.14 RC 1 (Jan 29, 2014)
- [ABE] Improved compatibility with .local domains
New in NoScript for Firefox 2.6.8.13 (Jan 22, 2014)
- The option dialog is non-modal and recycled now
New in NoScript for Firefox 2.6.8.13 RC 2 (Jan 20, 2014)
- Moved ClearClick options into their own "Advanced" sub-tab
- Minor options dialog tweakings
- Removed External Filters options panel
New in NoScript for Firefox 2.6.8.12 (Jan 14, 2014)
- Includes changes from previous RC versions
New in NoScript for Firefox 2.6.8.12 RC 4 (Jan 14, 2014)
- Improved work-around for Bug 958962: No way to consistently enable elements using Cu.blockScriptForGlobal() early (e.g. in "content-document-global-created" observer?)
- [Surrogate] Prevent blank ModPagespeed-patched pages when meta refresh inside NOSCRIPT elements is blocked
New in NoScript for Firefox 2.6.8.12 RC 3 (Jan 14, 2014)
- Work-around for: No way to consistently enable elements using Cu.blockScriptForGlobal() early (e.g. in "content-document-global-created" observer?)
New in NoScript for Firefox 2.6.8.12 RC 2 (Jan 13, 2014)
- Fixed one-time this.getSite() error on startup
- Browser Console support
New in NoScript for Firefox 2.6.8.12 RC 1 (Jan 11, 2014)
- Fixed feed reader broken on non-whitelisted sites in non-stable Firefox
New in NoScript for Firefox 2.6.8.11 (Jan 9, 2014)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.11 RC 10 (Jan 9, 2014)
- [XSS] Fixed new inline script blocking approach (in Firefox Nightly) not triggering NOSCRIPT element fallbacks
New in NoScript for Firefox 2.6.8.11 RC 9 (Jan 7, 2014)
- [XSS] Fixed nested URL parsing optimization bug
New in NoScript for Firefox 2.6.8.11 RC 8 (Jan 7, 2014)
- [XSS] Abort, rather than filter, potential charset-based attacks
- [XSS] Improved Ebay compatibility
New in NoScript for Firefox 2.6.8.11 RC 7 (Jan 6, 2014)
- [XSS] Fixed bad charset check regression from rc6
New in NoScript for Firefox 2.6.8.11 RC 6 (Jan 6, 2014)
- [XSS] Fixed bad charset checks not honoring exceptions
- Adopted the Components.utils.blockScriptForGlobal() API where possible
New in NoScript for Firefox 2.6.8.11 RC 5 (Jan 6, 2014)
- [XSS] Further improvements in recursive link checks
New in NoScript for Firefox 2.6.8.11 RC 4 (Jan 4, 2014)
- [XSS] Better checks for combined data/javascript URIs
New in NoScript for Firefox 2.6.8.11 RC 3 (Jan 4, 2014)
- [XSS] Restored fuzzy HTML sniffing in nested data URI
New in NoScript for Firefox 2.6.8.11 RC 2 (Jan 4, 2014)
- [XSS] Improved data URI checks
- [XSS] Enhanced recursive link checks
New in NoScript for Firefox 2.6.8.11 RC 1 (Jan 3, 2014)
- [XSS] Stricter HTML checks on second-order data URI injections exactly fitting whole URL attributes
New in NoScript for Firefox 2.6.8.10 (Jan 3, 2014)
- [XSS] Fixed regression causing Google Talk false positive
- Made about:srcdoc placeholder URL for seamless iframes "mandatory" to reflect its actual permissions status
New in NoScript for Firefox 2.6.8.9 (Dec 30, 2013)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.9 RC 5 (Dec 30, 2013)
- [XSS] Stricter HTML checks
New in NoScript for Firefox 2.6.8.9 RC 4 (Dec 30, 2013)
- [XSS] Better data: URI detection
New in NoScript for Firefox 2.6.8.9 RC 3 (Dec 28, 2013)
- [XSS] Improved pure HTML checks
New in NoScript for Firefox 2.6.8.9 RC 2 (Dec 27, 2013)
- [XSS] Better fix for InjectionChecker tolerance bug
New in NoScript for Firefox 2.6.8.9 RC 1 (Dec 27, 2013)
- [XSS] Fixed InjectionChecker tolerance bug
- [XSS] Improved sanitization
New in NoScript for Firefox 2.6.8.8 RC 2 (Dec 17, 2013)
- Enforce docShell-based script blocking for Gecko > 28
New in NoScript for Firefox 2.6.8.8 RC 1 (Dec 11, 2013)
- [Surrogate] addthis.com widget emulation
New in NoScript for Firefox 2.6.8.7 (Dec 3, 2013)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.7 RC 4 (Nov 30, 2013)
- Fixed performance regression in request identity tracking
New in NoScript for Firefox 2.6.8.7 RC 3 (Nov 30, 2013)
- Protection against new SQLXSSI obfuscation techinques
New in NoScript for Firefox 2.6.8.7 RC 2 (Nov 28, 2013)
- Fixed noscript.allowedMimeRegExp ignoring the FONT pseudo-type take 2
New in NoScript for Firefox 2.6.8.7 RC 1 (Nov 28, 2013)
- Fixed noscript.allowedMimeRegExp ignoring the FONT pseudo-type
New in NoScript for Firefox 2.6.8.6 (Nov 28, 2013)
- Includes fixes from the previous RC versions
New in NoScript for Firefox 2.6.8.6 RC 2 (Nov 28, 2013)
- Fixed bugs in noscript.allowedMimeRegExp support
- [ABE] Fixed increased asynchronicity in Gecko's network processing causing intermittent failures
New in NoScript for Firefox 2.6.8.6 RC 1 (Nov 18, 2013)
- [Surrogate] Fixed bug in asynchronous Google Analytics API emulation
- Fixed missing icon for blocked objects when no script is present in the page and scrips are globally allowed
New in NoScript for Firefox 2.6.8.5 (Nov 8, 2013)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.5 RC 2 (Nov 8, 2013)
- [ClearClick] Fixed empty contentEditable elements cannot receive keyboard events in cross-site frames (breaking latest Youtube comments)
- [XSS] Fixed false positive on redirected script inclusion
New in NoScript for Firefox 2.6.8.5 RC 1 (Oct 31, 2013)
- [Surrogate] Better GA, GAPI, Twitter and Facebook compatibility
New in NoScript for Firefox 2.6.8.4 (Oct 24, 2013)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.4 RC 3 (Oct 24, 2013)
- Fixed shortcut bookmarklet execution requiring noscript.allowURLBarJS preference to be true on Firefox 25 beta
New in NoScript for Firefox 2.6.8.4 RC 2 (Oct 24, 2013)
- [Surrogate] Better emulation of for Google Analytics asynchronous tracking (for instance, fixes GMail's "Sign in" link)
- [ClearClick] Fixed exception being thrown on Firefox 27 alpha (Nightly)
- Fixed URL bar enhancements broken by Firefox 25 beta
New in NoScript for Firefox 2.6.8.4 RC 1 (Oct 18, 2013)
- Fixed SetVariable/GetVariable failing on dynamically created Flash elements, e.g. with SFWObject
New in NoScript for Firefox 2.6.8.3 (Oct 15, 2013)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.3 RC 3 (Oct 14, 2013)
- Fixed complex bookmarklet execution requiring synchronous XHR in a content policy callback
New in NoScript for Firefox 2.6.8.3 RC 2 (Oct 12, 2013)
- Fixed full-page plugins failed activation until the page is reloaded
New in NoScript for Firefox 2.6.8.3 RC 1 (Oct 12, 2013)
- Fixed full-page HTML5 media failing to play after activation until the page is reloaded
New in NoScript for Firefox 2.6.8.2 (Oct 10, 2013)
- Includes changes from the previous RC versions
New in NoScript for Firefox 2.6.8.2 RC 2 (Oct 1, 2013)
- Fixed request methods different than POST being turned into GET by internal channel redirection when the DNS entry is not cached yet
New in NoScript for Firefox 2.6.8.2 RC 1 (Sep 21, 2013)
- Fixed regression from CTP fix: some kinds of embedded objects being
- displayed, even though in disabled state, along with placeholders
New in NoScript for Firefox 2.6.8.1 (Sep 21, 2013)
- Includes changes from the previous RC version
New in NoScript for Firefox 2.6.8.1 RC 1 (Sep 21, 2013)
- Removed automatic whitelisting of open source JS libraries CDNs for users which have googleapis.com whitelisted
New in NoScript for Firefox 2.6.8 RC 1 (Sep 21, 2013)
- Added to the default whitelist some CDN subdomains dedicated to serve popular open source JS libraries (thanks t3g for RFE)
- Fixed notification box issues with Seamonkey (thanks barbaz)
- Work-around for broken CTP notifications (bug 903675)
- Work-around for Youtube comments XSS false (?) positive
- [Locale] Updated fr
New in NoScript for Firefox 2.6.7.1 (Aug 15, 2013)
- [XSS] Fixed false positive on GMail when opening the Google Docs file picker
- [XSS] Fixed false positive on GMail when opening the Google Docs file picker
- Protection against another variant of error-based SQLXSSI
New in NoScript for Firefox 2.6.7.1 RC 2 (Aug 15, 2013)
- [XSS] Fixed false positive on GMail when opening the Google Docs file picker
New in NoScript for Firefox 2.6.7.1 RC 1 (Aug 15, 2013)
- Protection against two new specific variants of SQLXSSI
New in NoScript for Firefox 2.6.7 (Aug 8, 2013)
- Fixed HTML 5 media content types not blocked when loaded as top-level documents
- [XSS] Fixed bug in SQLXSSI detection (thanks Alex Inführ for reporting)
- Fixed resources from resource: origin (such as PDF.js fonts) being unnecessarily blocked in restrictive embed blocking mode
- Removed "ReferenceError: PolicyState is not defined" message appearing sometimes in the console dump on startup
- Fixed scrollbars removed in frames activated from placeholder
New in NoScript for Firefox 2.6.7 RC 3 (Aug 8, 2013)
- Fixed HTML 5 media content types not blocked when loaded as top-level
New in NoScript for Firefox 2.6.7 RC 2 (Aug 7, 2013)
- Removed further "ReferenceError: PolicyState is not defined" messages
- [XSS] Fixed bug in SQLXSSI detection
New in NoScript for Firefox 2.6.7 RC 1 (Aug 6, 2013)
- Fixed resources from resource: origin (such as PDF.js fonts) being unnecessarily blocked in restrictive embed blocking mode
- Removed "ReferenceError: PolicyState is not defined" message appearing sometimes in the console dump on startup
- Fixed scrollbars removed in frames activated from placeholder
New in NoScript for Firefox 2.6.6.9 (Jul 22, 2013)
- [XSS] Added several experimental / unofficial markup atoms to the build-time matcher generator
New in NoScript for Firefox 2.6.6.8 (Jul 8, 2013)
- [XSS] Protection against filter evasion exploiting Adobe Flash URL parsing and charset handling bugs
New in NoScript for Firefox 2.6.6.8 RC 1 (Jul 6, 2013)
- [XSS] Protection against filter evasion exploiting Adobe Flash URL parsing and charset handling bugs
New in NoScript for Firefox 2.6.6.7 (Jul 3, 2013)
- Fixed ClearClick triggered by recently changed browser built-in Click To Play placeholders (bug 889228)
- [Locale] Updated Czech
New in NoScript for Firefox 2.6.6.6 (Jun 11, 2013)
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with the WebGL pseudo type
New in NoScript for Firefox 2.6.6.6 RC 1 (Jun 10, 2013)
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with the WebGL pseudo type
New in NoScript for Firefox 2.6.6.5 (Jun 10, 2013)
- Better fix for Nightly breakages
New in NoScript for Firefox 2.6.6.4 (Jun 10, 2013)
- Fixed some recent breakages on Nightly
New in NoScript for Firefox 2.6.6.3 (Jun 10, 2013)
- Improved "fixable" JavaScript links detection
New in NoScript for Firefox 2.6.6.3 RC 1 (May 29, 2013)
- Improved "fixable" JavaScript links detection
New in NoScript for Firefox 2.6.6.2 (May 17, 2013)
- Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
- Improved placeholder management for full-document plugin content, e.g.
- makes Youtube embeddings more usable on Facebook
New in NoScript for Firefox 2.6.6.2 RC 2 (May 17, 2013)
- Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
New in NoScript for Firefox 2.6.6.2 RC 1 (May 7, 2013)
- Improved placeholder management for full-document plugin content, e.g.
- makes Youtube embeddings more usable on Facebook
New in NoScript for Firefox 2.6.6.1 (Apr 30, 2013)
- Fixed backward compatibility issue with recent channel cloning changes
- [XSS] Compatibility with certain redirector URL patterns
- [ABE] Fixed letest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
- [Locale] Updated Esperanto
- [Locale] Updated Upper Serbian
New in NoScript for Firefox 2.6.6.1 RC 1 (Apr 24, 2013)
- [ABE] Fixed letest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
- [Locale] Updated Esperanto (thanks Michael Wolf)
- [Locale] Updated Upper Serbian
New in NoScript for Firefox 2.6.6 (Apr 4, 2013)
- Added per-window private browsing support to some background requests
- Improved channel cloning for internal redirections
- Added further Microsoft mail services dependencies to the default whitelist
- [XSS] Fixed character class bug
- [XSS] Fixed potential jQuery-based injection
- Improved handling of some moz-null principal instances in ABE requests
- New 360Haven surrogate lets the site work with 1st party scripts allowed and ads/tracker scripts forbidden
New in NoScript for Firefox 2.6.5.9 (Mar 12, 2013)
- Fixed outlook.com UI broken in Nightly by work-around for bug 677050
- Removed STS support for Gecko >= 4, which provides built-in HSTS
- Work around for multiple object creation causing UI inconsistencies[XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource()
New in NoScript for Firefox 2.6.5.8 (Feb 26, 2013)
- Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
- "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
- "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
- Inclusion type checks exception for yandex.st
- [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments (thanks RAJAH235 for reporting)
New in NoScript for Firefox 2.6.5.8 RC 3 (Feb 21, 2013)
- Fixed Google Analytics cross-site checks breaking GMail composition window
New in NoScript for Firefox 2.6.5.8 RC 2 (Feb 21, 2013)
- Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
- "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
- "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
- Inclusion type checks exception for yandex.st
New in NoScript for Firefox 2.6.5.8 RC 1 (Feb 20, 2013)
- [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments
New in NoScript for Firefox 2.6.5.7 (Feb 19, 2013)
- Made "Yes, remove all protections" the default button in the removal warning dialog
- [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
- [XSS] Removed host redirection chance on XSS-vulnerable pages
New in NoScript for Firefox 2.6.5.6 (Feb 11, 2013)
- [XSS] Smarter syntax check optimization, removes harmful side effect
New in NoScript for Firefox 2.6.5.5 (Feb 11, 2013)
- [XSS] Fixed bug in broken string literals balancing
New in NoScript for Firefox 2.6.5.4 (Feb 11, 2013)
- [XSS] Obfuscated string literals detection
New in NoScript for Firefox 2.6.5.3 (Feb 9, 2013)
- [XSS] Improved parsing while decoding mixed-charset encoded URLs
- [XSS] Better decoding of maliciously mixed-charset encoded strings
New in NoScript for Firefox 2.6.5.2 (Feb 8, 2013)
- [XSS] Work-around for a Gecko race condition allowing some script-enabled attackers to make the charset-mismatch checks abort prematurely
New in NoScript for Firefox 2.6.5.1 (Feb 6, 2013)
- [XSS] Forced unicode conversions more resilient to invalid input
New in NoScript for Firefox 2.6.5 (Feb 6, 2013)
- [XSS] More exotic charset awareness added to script injection checks
- [XSS] Removed limited injection chance allowing redirection of XSS vulnerable pages to an integral IP
- "Security Downgrade Warning" suggests blacklist mode as a better option than uninstalling, to retain scripting-unrelated protections
- Removed legacy uninstall hooks and related localized strings
New in NoScript for Firefox 2.6.4.4 (Jan 29, 2013)
- Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
- [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method
- Allow/Forbid button on the site info page
New in NoScript for Firefox 2.6.4.4 RC 3 (Jan 28, 2013)
- Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
New in NoScript for Firefox 2.6.4.4 RC 2 (Jan 23, 2013)
- [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method
New in NoScript for Firefox 2.6.4.4 RC 1 (Jan 18, 2013)
- Allow/Forbid button on the site info page
New in NoScript for Firefox 2.6.4.3 (Jan 15, 2013)
- [Surrogate] Less aggressive but more compatible adf.ly surrogate (it automatically skips ad but requires scripts enabled on adf.ly)
- Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent Firefox versions
- [Surrogate] dimtus.com scriptless automatic image revelation
- [Surrogate] imageteam.org scriptless automatic image revelation
- [External Filters] Fixed cache API compatibility issue
New in NoScript for Firefox 2.6.4.2 (Dec 27, 2012)
- [ClearClick] Fixed miscalculations in screenshot comparison
- Fixed wrong placeholder position for standalone HTML 5 video content
- "Appearance" option to hide the "About NoScript" menu item
- Deny loading of any empty Flash object
- Fixed HSB locale (thanks Michael Wolf)
- Fixed forced HTTPS breaks redirects on Firefox >= 18
- Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes
- Fixed broken early HTTP observer on Firefox >= 18
- Fixed anti-popunder surrogate breaking BFCache
New in NoScript for Firefox 2.6.4.2 RC 5 (Dec 27, 2012)
- Fixed wrong plaecholder position for standalone HTML 5 video content
New in NoScript for Firefox 2.6.4.2 RC 4 (Dec 22, 2012)
- "Appearance" option to hide the "About NoScript" menu item
- Deny loading of any empty Flash object
- Fixed HSB locale
New in NoScript for Firefox 2.6.4.2 RC 3 (Dec 21, 2012)
- Fixed forced HTTPS breaks redirects on Firefox >= 18
- Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes
New in NoScript for Firefox 2.6.4.2 RC 2 (Dec 19, 2012)
- Fixed broken early HTTP observer on Firefox >= 18
New in NoScript for Firefox 2.6.4.2 RC 1 (Dec 18, 2012)
- Fixed anti-popunder surrogate breaking BFCache
New in NoScript for Firefox 2.6.4.1 (Dec 18, 2012)
- Fixed new placeholder close button being hidden on some Youtube pages
New in NoScript for Firefox 2.6.4 (Dec 17, 2012)
- [XSS] Improved compatibility with Twitter's cross-site requests
- Close button on embedding placeholder (like using shift+click on the placeholder itself). Shift clicking the close button bypasses it.
- Fixed placeholders intercepting clicks from overlaid elements
- Fixed unbound embed enablement confirmation dialog size
New in NoScript for Firefox 2.6.3 (Dec 4, 2012)
- [XSS] Further tweaks to reduce false positives
- [XSS] The "maybe JS" step now removes leading parens, reducing false positives e.g. on Picasa
- [Surrogate] Work-around for anti-popunder surrogate causing Ebay to recreate phantom cookies on page unload
- Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus) breaking bookmarklets and URL bar Javascript support after being updated for Firefox 17
- Removed some console noise
- [Surrogate] Updated adf.ly surrogate to work with new links
New in NoScript for Firefox 2.6.2 (Nov 22, 2012)
- Fixed Google links anonymizer surrogate interfering with the "Search tools" button
- Fixed impossible to copy lines from Console² if opened by NoScript
- [XSS] Exception for wpcomwidgets.com safe inclusions
- Slightly reduced About box width
New in NoScript for Firefox 2.6.1 (Nov 13, 2012)
- [XSS] Better compatibility with Ebay's saved searches
- [Surrogate] Imagebax.com scriptless ads skipping redirection
- Fixed first non-cached page load in a session from about:newtab failing
- Removed legacy XUL script blocking code
- Added optional diagnostic to centralized channel aborting
- Fixed bug in Java URLs resolution
New in NoScript for Firefox 2.6 (Nov 2, 2012)
- Improved long URL wrapping for more manageable plugin placeholder tooltips
- Fixed ABE notifications bleeding out of the viewport when very long URLs are involved
- [Surrogate] More efficient deferred script loading and syntax check, saves memory and startup time from unused surrogates
- [Surrogate] Picbucks.com scriptless ads skipping redirection
- [Surrogate] Imagebunk.com scriptless image revealing
- [Surrogate] Picsee.net scriptless image revealing
- Added navigator.doNotTrack property support
New in NoScript for Firefox 2.5.9 (Oct 26, 2012)
- Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content allowed) to the default whitelist (required by MS mail services)
- [XSS] Removed false positive on some Google Gadgets; the work-around can be disabled by setting the noscript.filterXExceptions.ggadgets about:config preference to false
- Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with FRAMEs and IFRAMEs as well
- Fixed redirections involving sites marked as untrusted causing inconsistencies in page permissions, with JavaScript being blocked even if the site is whitelisted
- Fixed regression on older Gecko versions causing NoScript to believe the browser is proxied when it's not
New in NoScript for Firefox 2.5.8 (Oct 18, 2012)
- Work-around for unique origins being assigned to URL bar loads by Gecko 16 and above interfering with some ABE rules
- Work-around for bug 797684 patch causing ABE's Sandbox action to fail
- Work-around for regression from Mozilla bug 797684 fix causing frames not to be blocked correctly in recent >= 18 builds
- Slightly revised About box to make more room for contributors
New in NoScript for Firefox 2.5.7 (Oct 6, 2012)
- Fixed synchronous timeout emulation ordering bug in bookmarklet execution on scriptless pages
- [XSS] Fixed comment preprocessing optimization affecting free JavaScript detection
- [XSS] Fixed second order data: URLs sanitization issue
- Fixed meta refresh blocker notification bar broken on Gecko < 4
- Fixed iframe placeholder positioning issue
- Fixed regression in placeholder positioning
- [ClearClick] Fixed false positive on cross-site SVG document embeddings
New in NoScript for Firefox 2.5.6 (Sep 26, 2012)
- [XSS] Fixed slow regular expression causing some base64 request payloads to trigger false positives
- Force placeholders to frontmost position e.g. on HTML 5 Youtube content
- New icon for blocked embeddings on globally allowed pages
New in NoScript for Firefox 2.5.5 (Sep 13, 2012)
- More reliable Java applet origin identification
- Cross-browser work-around for bug 789773 - nsIWebProgressListener implementations referencing the load's window in onStateChange() (like NoScript or Roboform) cause popup loads to be aborted and the browser to hang on exit
New in NoScript for Firefox 2.5.4 (Sep 5, 2012)
- Fixed HTTP checks not being skipped anymore for some chrome-generated XMLHttpRequest requests because of a Gecko 15 change
- Work-around for cloned DOM nodes not retaining additional chrome-attached information anymore, thus breaking placeholders in some cases
- Fixed placeholder post-enablement event channeling broken by Sandbox changes
- Fixed placeholder sizes messed up by changes in Gecko 17
- Work-around for broken content policy call for Java plugin on Gecko 17 and above
New in NoScript for Firefox 2.5.3 (Aug 28, 2012)
- [XSS] Fixed false positives on URLs containing an ASP.NET cookieless session identifier
- noscript.eraseFloatingElements about:config preference to switch the mousedown
- del key floating popup erasing feature off and on
- Limited the mousedown + del key floating popup erasing feature to pages where scripts are forbidden and to absolute or fixed position elements
- Fixed JavaScript URL non-void expression evaluation in the URL bar causing scripts to get globally allowed
- XSS] Work-around for a Gecko URL parsing quirk
New in NoScript for Firefox 2.5.2 (Aug 22, 2012)
- [ClearClick] Improved protection against clickjacking timing attacks
- Fine tuned floating div (in-page popup) removal by locking it to the nearest positioned ancestor and swallowing the mouseup event if the DEL key has been hit after last mousedown
New in NoScript for Firefox 2.5.1 (Aug 13, 2012)
- Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it (useful to forcibly kill in-page popups when scripts are disabled)
- Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java globals have been removed from the DOM
- XSS] Work-around for Mozilla TBPL DOS
- Fixed Silverlight and Flash scripted initialization patches being broken by recent JavaScript interpreter changes
New in NoScript for Firefox 2.5.1 RC 1 (Aug 2, 2012)
- Work-around for hp-ww.com misconfiguration (JavaScript files served with bogus content-type header)
New in NoScript for Firefox 2.5 (Jul 30, 2012)
- [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
- Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height
- [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
- Fixed placeholders for absolutely positioned elements may cause layout glitches
- Fixed interaction with built-in
New in NoScript for Firefox 2.5 RC 6 (Jul 30, 2012)
- [XSS] Further reduction in false positives triggered by XML payloads
New in NoScript for Firefox 2.5 RC 5 (Jul 30, 2012)
- Further hack to remove the height attribute automatically set on the notification stack by browser tools
New in NoScript for Firefox 2.5 RC 4 (Jul 30, 2012)
- Hack to automatically restore the notification bar position as the last of its sibling DOM nodes, as a better work-around for browser tools messing with its height
- Removed ineffective CSS-based work-around for the browser tools splitter messing with NoScript notification's height
New in NoScript for Firefox 2.5 RC 3 (Jul 28, 2012)
- [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
- [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
New in NoScript for Firefox 2.5 RC 2 (Jul 24, 2012)
- Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height
- Fixed placeholders for absolutely positioned elements may cause layout glitches
New in NoScript for Firefox 2.5 RC 1 (Jul 23, 2012)
- Fixed interaction with built-in Firefox's click-to-play causing infinite object activation loop
New in NoScript for Firefox 2.4.9 (Jul 21, 2012)
- Added ability to replace obsolete default whitelist entries
- Replaced browserid.org with persona.org in the default whitelist
- Improved anti-DOS protection
- Better usability with some HTML5 Youtube videos
- Reverted to the ctrl+shift+S main keyboard shortcut
- [XSS] Fixed XML preprocessing breaking detection of some E4X constructs
- [XSS] Protection against error-based SQLI with a XSS payload
New in NoScript for Firefox 2.4.8 (Jul 11, 2012)
- Work-around for Mozilla bug 771655 (broken debugger)
- Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is taken by the debugger
- Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks Alex Inführ for reporting)
- Removed assumptions of a body element from some code paths which may handle generic XML documents
New in NoScript for Firefox 2.4.7 (Jun 29, 2012)
- [ClearClick] Fixed Tumblr widgets false positive
- [XSS] Fixed false positive with some Base64-encoded Yahoo News subrequests
- Fixed regression, noscript.allowedMimeRegExp not working anymore for plugins other than Java, Flash and Silverlight
- Auto-anchored multi-valued regexp preferences can now be separated by regular spaces rather than just newlines (this behavior was documented but not actually implemented for noscript.allowedMimeRegExp)
New in NoScript for Firefox 2.4.6 (Jun 13, 2012)
- [XSS] Updated execution sink checks
- [XSS] Fixed newline parsing bug
- [XSS] Fixed document.cookie minimal assignment false negative
- [XSS] Fixed dotted query parameter names false positives, affecting OpenID, Hotmail and other services
- Fixed some messages being dumped to the console even if logging is turned off
New in NoScript for Firefox 2.4.5 (Jun 12, 2012)
- [XSS] Improved E4X handling
- [XSS] Fixed regression allowing some alert-only PoCs
- [XSS] Improved unconventional assignments detection
- [Locale] Corrected he-IL merge
- [XSS] Improved data: URIs detection
- [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some kind of concatenated assignments
- [XSS] Improved "Maybe JS" heuristic
- [XSS] More aggressive obsolete charsets filtering
New in NoScript for Firefox 2.4.4 (Jun 5, 2012)
- [Locale] Updated he-IL
- Fixed early synthetic DNS notification causing blank stripe on the bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked
New in NoScript for Firefox 2.4.4 RC 1 (May 30, 2012)
- Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked
New in NoScript for Firefox 2.4.3 (May 28, 2012)
- Fixed JS links detection not resolving JS string escapes
- Fixed HTML 5 parser detection in META refresh processing being broken by a removed browser preference
- Fixed exception raised by inclusion type checks when parent document's URI has no host
- [XSS] Better detection of free inline script injections (without string literal evasion) inside function calls
- The noscript.allowedMimeRegExp preference now applies also to Java, Flash and Silverlight mime types
New in NoScript for Firefox 2.4.2 (May 21, 2012)
- [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
- to the LAN anymore for the purpose of cross-zone request forgery checks
- in order to safely work-around DNS misconfiguration issues in the wild
- [ABE] Fixed router WEB UI fingerprinting failing on some devices
- because of redirection loops
- [XSS] Protection against HPP attacks exploiting URL parsing quirks
- specific to ASP Classic
- Fixed first application updates check failing on Nightly
- [XSS] Fixed false positive regression on some file hosting sites
New in NoScript for Firefox 2.4.2 RC 2 (May 14, 2012)
- Fixed first application updates check failing on Nightly (bug 754393)
New in NoScript for Firefox 2.4.2 RC 1 (May 14, 2012)
- [XSS] Fixed false positive regression on some file hosting sites
New in NoScript for Firefox 2.4.1 (May 11, 2012)
- [XSS] Protection against exploitation of classic MS ASP's coalescing of same-name query parameters
- [XSS] Protection against URL injections in in window.name
- [XSS] Fixed case-sensitivity bug in detection of unicode escape sequences
- [Surrogate] adagionet.com inclusion surrogate
- Fixed "Allow sites open through bookmarks" regression
- [XSS] Fixed bug in the InjectionChecker tokenization
- Added inclusion type check exception to the lesscss Google Code file repository, often used as a CDN
New in NoScript for Firefox 2.3.8 (Apr 19, 2012)
- Smart integration with the new browser-native click to play: if a plugin object is manually allowed from NoScript's UI, it gets also natively activated (noscript.smartClickToPlay about:config preference)
- Improved active content identity tracking, to avoid redundant blocking steps across reloads
- Fixed redirections in legacy frames not being blocked
- [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site
New in NoScript for Firefox 2.3.7 (Apr 9, 2012)
- [ClearClick] Work-around for "rapid fire" protection interfering with some add-ons, such as 1Password and FloatNotes
- [ClearClick] Compatibility with Bitdefender TrafficLight
- [XSS] Enhanced InjectionChecker tolerance to certain URL patterns containing domain-names as parameter values
New in NoScript for Firefox 2.3.6 (Mar 27, 2012)
- Restored Nightly compatibility, broken by bug 719154
- [ClearClick] improved compatibility with Disqus widgets
- [AddressMatcher] Optimized trailing "*" in glob expressions
- Fixed origin URL detection flawed when certain wrapped URIs are loaded
- [XSS] Fixed false positive with query string patterns mimicking array access
New in NoScript for Firefox 2.3.5 (Mar 17, 2012)
- Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail
- [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes
- [ClearClick] Better special-casing for same-site embedded objects
- [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs
- [XSS] Better window.name protection
- [XSS] Improved detection of javascript: URL injections
New in NoScript for Firefox 2.3.4 (Mar 12, 2012)
- [ClearClick] Fixed subtle bug which may lead to infinite loops in some cases
New in NoScript for Firefox 2.3.3 (Mar 12, 2012)
- Improved InjectionChecker logging
- Reduced false positive rate on HTML injection checks
- [ClearClick] Fixed clicking on some plugin content causing elements of the parent page to become white
- [ClearClick] Fixed minor bugs triggered by ABP placeholders
- [ClearClick] Protection against partial obscuration via Flash objects with OS-native wmode values
- [XSS] Further sensitivity tweaks
- [XSS] Better compatibility with some 3rd party ads on Ebay
- [XSS] Fixed false positive on dotted name-value assignments chained with semicolons (e.g. on some Yahoo-served ads)
New in NoScript for Firefox 2.3.2 (Feb 27, 2012)
- [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
- [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks Masato Kinugawa for reporting)
- [XSS] Added event injection checks for scriptless pages too, in order to prevent edge-case execution on permissions change
- [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato Kinugawa for reporting)
- [XSS] Improved HTML detection accuracy
- Better tagging of surrogate sandboxes for about:memory debugging
- Improved glinks surrogate
New in NoScript for Firefox 2.3 (Feb 13, 2012)
- Fixed about:newtab not considered as a local origin by ABE
- Added blob:, about:memory and about:support to the automatic whitelist
- Added reflected script inclusion check exception for intensedebate.com
- Fixed CSS issues on Gecko 1.8
New in NoScript for Firefox 2.2.8 (Feb 13, 2012)
- [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested documents
New in NoScript for Firefox 2.2.7 (Jan 19, 2012)
- [ClearClick] Protection against two steps interaction attack based on HTML5 DnD
New in NoScript for Firefox 2.2.6 (Jan 13, 2012)
- [XSS] Fixed sanitization reporting bug
New in NoScript for Firefox 2.2.5 (Jan 4, 2012)
- [ClearClick] Better compatibility with recent Disqus widget versions
New in NoScript for Firefox 2.2.4 (Dec 20, 2011)
- Fixed some localizations having newlines replaced with 'n' characters
New in NoScript for Firefox 2.2.4 RC 3 (Dec 18, 2011)
- Fixed regression in SWFObject emulation for plugin placeholders
- Fixed top-level surrogates broken by ECMAv5 version specification
New in NoScript for Firefox 2.2.2 (Dec 6, 2011)
- [Surrogate] Wrapped in lexical scoped blocks scripts also when debug mode is on
- [Surrogate] Early one-time syntax checks on setup
- [ClearClick] Better compatibility with some GMail embeddings
- [XSS] Better compatibility with Visual Studio in-browser documentation
- [ClearClick] Fixed Adblock Plus causing false positives on Fx 3.6
- Improved HTML 5 DnD XSS protection
- [Locale] Lithuanian
New in NoScript for Firefox 2.2.3 RC 4 (Dec 6, 2011)
- Configuration import/export directory is persisted across sessions
New in NoScript for Firefox 2.2.3 RC 2 (Dec 2, 2011)
- [Surrogate] DOMContentLoad listeners on windows
New in NoScript for Firefox 2.2.2 RC 4 (Nov 28, 2011)
- Protection against a new XSS technique based on HTML 5 DnD
New in NoScript for Firefox 2.2.1 RC 3 (Nov 19, 2011)
- [Locale] Updated he-il
- [ClearClick] Fixed incompatibility with the FoxTab add-on
New in NoScript for Firefox 2.2.1 RC 2 (Nov 19, 2011)
- [XSS] Deeper decoding on sanitization
New in NoScript for Firefox 2.2.1 RC 1 (Nov 19, 2011)
- [XSS] More accurate recursive decoding
New in NoScript for Firefox 2.2 (Nov 16, 2011)
- [ClearClick] Improved protection against Clickjacking on nested windowed Flash targets
New in NoScript for Firefox 2.1.9 (Nov 10, 2011)
- [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec used instead of "1.8"
New in NoScript for Firefox 2.1.9 RC 3 (Nov 7, 2011)
- [Surrogate] JavaScript 1.8 support (thanks al_9x for RFE)
- Better heuristic for XSSI detection
- Removed previous work-around XSSI exceptions
- Fixed some DOM traversal bugs
- Refined Google search meta refresh blocking exception
- Added meta refresh blocking exception for t.co (Twitter URL shortener)
New in NoScript for Firefox 2.1.9 RC 2 (Nov 7, 2011)
- Work-around for XSSI checks breaking some Yahoo! Mail features
New in NoScript for Firefox 2.1.9 RC 1 (Nov 7, 2011)
- New noscript.forbidMetaRefresh.exceptions url pattern preference
- Meta refresh blocking exception for Google Search (blank page shown otherwise if meta refresh blocking is enabled, cookies are disabled for Google and Google Search scripting is forbidden)
New in NoScript for Firefox 2.1.8 (Oct 29, 2011)
- Improved anti-popunder built-in surrogate
- Fixed object autowiring upon placeholder activation regressed by recent surrogate sandboxing changes
New in NoScript for Firefox 2.1.8 RC 2 (Oct 27, 2011)
- noscript.xss.checkInclusions about:config preference (default true) controls whether the new protection against reflected cross-site script inclusion (XSSI) is enabled or not
- noscript.xss.checkInclusions.exceptions about:confing preference to disable XSSI checks for certain script sources
New in NoScript for Firefox 2.1.8 RC 1 (Oct 24, 2011)
- Protection against reflected script inclusion
- Fixed logged error message on permissions change
New in NoScript for Firefox 2.1.7 RC 2 (Oct 22, 2011)
- [ABE] Fixed subrequests matching an Anon action rule not being shown in the logs if already anonymized by the browser
New in NoScript for Firefox 2.1.7 RC 1 (Oct 22, 2011)
- Fixed error console noise regression from menu fixes
New in NoScript for Firefox 2.1.6 (Oct 21, 2011)
- noscript.keys.tempAllowPage about:config preference to configure a keyboard shortcut for "Temporarily allow all this page"
- noscript.keys.revokeTemp about:config preference to configure a keyboard shortcut for "Revoke temporary permissions"
- noscript.menuAccelerators about:config preference to switch keyboard accelerators for "(Temporary) allow all this page" menu items on/off
- Fixed notifications get all shown on the top in a tab where one notification has already been shown on the top
- Fixed quasi-leak (zombie compartment) after using the NoScript menu on a page where embedded content is present, until the menu is opened on another page
- [ABE] Fixed Anonymize actions logged twice
New in NoScript for Firefox 2.1.6 RC 1 (Oct 17, 2011)
- [Surrogate] Fixed sandboxed surrogates unable to set global variables
New in NoScript for Firefox 2.1.5 (Oct 17, 2011)
- Improved object wiring emulation on placeholder activation
New in NoScript for Firefox 2.1.5 RC 4 (Oct 12, 2011)
- Improved object wiring emulation on placeholder activation
New in NoScript for Firefox 2.1.5 RC 3 (Oct 10, 2011)
- [Surrogate] noscript.surrogate.sandbox preference to control the execution method for inclusion surrogates
New in NoScript for Firefox 2.1.5 RC 2 (Oct 10, 2011)
- Work-around for CORS incompatibility with internal redirects
- Removed legacy threading management support
New in NoScript for Firefox 2.1.5 RC 1 (Oct 8, 2011)
- [Surrogate] Surrogates triggered by content policy calls get executed in a sandbox
- Moved SWFObject and Silverlight patching to early scripts
- Replaced every reference to XHR's "on..." event handler properties with their addEventListener() counterparts, to cope with bug 687332 fallouts
New in NoScript for Firefox 2.1.4 (Sep 29, 2011)
- Fixed speculative parsing causing inclusion surrogates to be executed twice
New in NoScript for Firefox 2.1.3 RC 4 (Sep 23, 2011)
- Fixed missing placeholder for plugin documents when collapsing blocked object preference is set (thanks Mc for reporting)
- Removed problematic "(Temporarily) Allow all on this page" access keys
- Even better euristic to match id-less replaced embeddings on reload
New in NoScript for Firefox 2.1.3 RC 3 (Sep 21, 2011)
- Better euristic to match id-less replaced embeddings on reload
New in NoScript for Firefox 2.1.3 RC 2 (Sep 21, 2011)
- [XSS] Better compatibility with Facebook Connect apps
New in NoScript for Firefox 2.1.3 RC 1 (Sep 21, 2011)
- Fixed unblocking HTML 5 media clips from placeholder causes the throbber to spin indefinitely
- Fixed "..txt" (rather than ".txt") being appended as the default file extension when exporting NoScript's configuration / whitelist
- Fixed inital directory uncorrectly initialized by the configuration export dialog on some platforms
New in NoScript for Firefox 2.1.2.9 RC 1 (Sep 19, 2011)
- Facebook Connect surrogate
- Removed outdated anti-anti-adblocker surrogate
New in NoScript for Firefox 2.1.2.8 (Sep 19, 2011)
- Fixed placeholders hard to activate on HTML 5 Youtube videos
New in NoScript for Firefox 2.1.2.8 RC 2 (Sep 7, 2011)
- [XSS] Improved out-of-the-box compatibility with some Facebook games
- Fixed plugin blocking not working sometimes on file:// pages loadeded before any network activity
New in NoScript for Firefox 2.1.2.8 RC 1 (Sep 1, 2011)
- Google Plus One surrogate
- Removed t.co surrogate, since Twitter implemented a NOSCRIPT fallback
New in NoScript for Firefox 2.1.2.7 (Sep 1, 2011)
- Better load progress feedback for hosts which are not DNS-cached yet
New in NoScript for Firefox 2.1.2.7 RC 3 (Aug 24, 2011)
- Improved Google Analytics surrogate
- More intuitive handling of the "live" behavior of the ABE ruleset editor when syntax errors are introducd
New in NoScript for Firefox 2.1.2.7 RC 2 (Aug 19, 2011)
- Fixed OBJECT document inclusions failing under some circumstances
New in NoScript for Firefox 2.1.2.7 RC 1 (Aug 17, 2011)
- Prevent any website from embedding view-source URIs inside frames
- Firefox 9.0a1 compatibility
New in NoScript for Firefox 2.1.2.6 (Aug 17, 2011)
- Temporarily disabled anti-anti-adblocker surrogate on any site except those explicitly added to noscript.surrogate.ab.sources preference, as a work-around for bug 677652
- Lazy initialization is deferred also when a file:// URL is loaded as the home page
New in NoScript for Firefox 2.1.2.6 RC 8 (Aug 13, 2011)
- Temporarily disabled anti-anti-adblocker surrogate on any site except those explicitly added to noscript.surrogate.ab.sources preference, as a work-around for bug 677652
- Lazy initialization is deferred also when a file:// URL is loaded as the home page
New in NoScript for Firefox 2.1.2.6 RC 7 (Aug 11, 2011)
- More accurate work around for bug 677050
New in NoScript for Firefox 2.1.2.6 RC 6 (Aug 11, 2011)
- Work around for Nightly bug 677050
New in NoScript for Firefox 2.1.2.6 RC 5 (Aug 11, 2011)
- Fixed rapid-fire cross-site interaction protection interfering with some keyboard-based UI patterns
New in NoScript for Firefox 2.1.2.6 RC 4 (Aug 11, 2011)
- Fixed Firefox's built-in feed renderer broken unless about:feeds is whitelisted
New in NoScript for Firefox 2.1.2.6 RC 3 (Aug 11, 2011)
- Plugin origin checks now account for multiple extra-codebase archives
- Work around for HTTPS script inclusions on JavaScript-disabled pages being loaded, albeit not executed
- [ClearClick] Tentative work-around for ABP's "Block..." tab causing false positives on nested documents
New in NoScript for Firefox 2.1.2.6 RC 2 (Aug 3, 2011)
- Work-around for content policy inconsistencies in Java applet origins handling
New in NoScript for Firefox 2.1.2.6 RC 1 (Aug 3, 2011)
- Surrogate for the t.co Twitter URL shortener, which would otherwise require JavaScript
- USER ruleset conveniently pre-selected when ABE options are opened
- Improved invisible links detection approach
New in NoScript for Firefox 2.1.2.5 (Aug 3, 2011)
- Fixed bookmarklets from sidebars not working on JS-disabled pages
- Improved Twitter surrogate for Fx 3.x
New in NoScript for Firefox 2.1.2.4 RC 1 (Jul 16, 2011)
- [ClearClick] Restored compatibility with bit.ly (now bitly.com)
New in NoScript for Firefox 2.1.2.3 RC 3 (Jul 16, 2011)
- [ClearClick] Refactoring and isolation of the rapid fire protection
New in NoScript for Firefox 2.1.2.3 RC 2 (Jul 16, 2011)
- [ClearClick] Further refinement of rapid fire detection on tab switching
New in NoScript for Firefox 2.1.2.3 RC 1 (Jul 16, 2011)
- [ClearClick] Fixed delay on first event response after some kinds of tab switching
New in NoScript for Firefox 2.1.2.2 (Jul 16, 2011)
- [ClearClick] Fixed false positives due to backwards incompatibilities with Fx 3.5 and below
- [Nightly compat] Fixed import/export broken by nsIJSON interface changes in recent nightly builds
New in NoScript for Firefox 2.1.2 RC 5 (Jul 9, 2011)
- ClearClick protection against rapid fire cross-site interaction AKA "double-clickjacking",
New in NoScript for Firefox 2.1.2 RC 4 (Jul 9, 2011)
- ClearClick protection against view-source content extraction attacks
- Current version number shown directly in all the "About NoScript" menu items
- Fixed NoScript icon status not updated when a tab is moved to a new window
New in NoScript for Firefox 2.1.2 RC 3 (Jul 9, 2011)
- Fixed work around for Bug 668690 breaking feed viewer
New in NoScript for Firefox 2.1.2 RC 2 (Jul 1, 2011)
- Disabled NoScript's X-Frame-Options support on Firefox 3.6.10 and above, where it is built-in
- Work around for Bug 668690 affecting Gecko 2.0 and above
New in NoScript for Firefox 2.1.2 RC 1 (Jul 1, 2011)
- Fixed startup error in Nightly due to the merge of event target interfaces in bug 658714
New in NoScript for Firefox 2.1.1.2 (Jun 30, 2011)
- Fixed conflict with Firebug console
- Removed legacy code in content policy and ClearClick
New in NoScript for Firefox 2.1.1.2 RC 9 (Jun 25, 2011)
- Fixed surrogates causing duplicate history entries for some sites on Firefox 5 Work around for bug 666371 breaking popunder surrogate and legitimate popups on some sites
New in NoScript for Firefox 2.1.1.2 RC 7 (Jun 25, 2011)
- Work-around for Nightly bug breaking the "View image" command
- Improved Google Analytics surrogate
New in NoScript for Firefox 2.1.1.2 RC 6 (Jun 25, 2011)
- HTML 5 media blocking extended to Mozilla's audio API extension
- Improved handling of resource prefetching through object elements
- Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the default whitelist and to the whitelists of Hotmail users, after Microsoft explained that this is the future-proof permission needed to ensure compatibility with the Live webmail
New in NoScript for Firefox 2.1.1.2 RC 5 (Jun 25, 2011)
- Full page reload is not triggered anymore when invisible plugin objects are activated if the parent page has been loaded by a POST HTTP request
- Full page reload is not triggered anymore on invisible frame activation
- Fixed "Blocked Objects" menu missing on Hotmail inbox
- Object elements used to prefetch JavaScript and CSS content are not blocked anymore, provided that the parent is whitelisted, This behavior can be disabled in about:config, noscript.allowCachingObjects
New in NoScript for Firefox 2.1.1.2 RC 4 (Jun 25, 2011)
- Added msc.wlxrs.com to the default whitelist as requested by the Hotmail team (new domain required for Hotmail to work)
- One-time merge of the default whitelist to integrate services already whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
- Work-around for scripts served from amazonaws.com having wrong media type sometimes
New in NoScript for Firefox 2.1.1.2 RC 3 (Jun 13, 2011)
- Work-around for an unfixable (JavaScript fragments get actually uploaded cross-site) false positive on Verizon login
New in NoScript for Firefox 2.1.1.2 RC 2 (Jun 11, 2011)
- Work-around for an unfixable (JavaScript fragments get actually uploaded cross-site) false positive on Verizon
New in NoScript for Firefox 2.1.1.2 RC 1 (Jun 11, 2011)
- Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing noise on trunk after bug 311007 landed
New in NoScript for Firefox 2.1.1.1 (Jun 11, 2011)
- Improved embedded object activation on Javascript-enabled pages via dynamic method proxies
New in NoScript for Firefox 2.1.1.1 RC 1 (Jun 1, 2011)
- Reduced request garbage collection frequency
New in NoScript for Firefox 2.1.1 (Jun 1, 2011)
- Fixed toolbar button hidden in popup windows
New in NoScript for Firefox 2.1.0.6 RC 13 (May 28, 2011)
- Fixed placeholders broken on trunk after fix for Gecko's bug 308590
New in NoScript for Firefox 2.1.0.6 RC 12 (May 28, 2011)
- Added paypal.com and paypalobjects.com to the default whitelist, to cope with the new in-page contribution setup at AMO and reduce XSS risks
- Improved toStaticHTML() emulation
New in NoScript for Firefox 2.1.0.6 RC 11 (May 28, 2011)
- Fixed broken toolbar button on first window opened during first run ever on Firefox 4.x
New in NoScript for Firefox 2.1.0.6 RC 10 (May 28, 2011)
- Tentative fix for double HTTP requests sent sometimes upon DNS refresh
- Fixed XSS false positive on Google's Talk Gadget loading
New in NoScript for Firefox 2.1.0.6 RC 9 (May 28, 2011)
- Improved bookmarklet execution handling (thanks @nomaded for reporting)
- Compatibility bump for Fx 7.0a1
New in NoScript for Firefox 2.1.0.6 RC 8 (May 28, 2011)
- Further and less likely ASP-related tricks in InjectionChecker
- Fixed bookmarklets and JavaScript URLs broken in about:blank unless imports are allowed
- JavaScript URL bar shortcuts are now treated as bookmarklet and executed by default
New in NoScript for Firefox 2.1.0.6 RC 7 (May 28, 2011)
- More ASP idiosyncrasies taken in account by InjectionChecker
New in NoScript for Firefox 2.1.0.6 RC 6 (May 28, 2011)
- Fixed false positive in anti-exfiltration HTML injection checks
New in NoScript for Firefox 2.1.0.6 RC 5 (May 21, 2011)
- Fixed rc2 frame blocking regression
New in NoScript for Firefox 2.1.0.6 RC 4 (May 21, 2011)
- Per-site WebGL blocking support (WebGL is implicitly disabled whereve JavaScript is not allowed; it can be blocked on any other site by checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site by clicking on a placeholder of the blocked canvas or by using the "Blocked objects..." menu if no canvas had been inserted in the page)
New in NoScript for Firefox 2.1.0.6 RC 3 (May 21, 2011)
- Work-around for Cocoon add-on being broken by NoScript's early usage of the IO Service
New in NoScript for Firefox 2.1.0.6 RC 2 (May 21, 2011)
- Fixed plugin documents can't be opened in NewsFox if embedding restrictions are in place
New in NoScript for Firefox 2.1.0.6 RC 1 (May 21, 2011)
- Fixed broken anti image exfiltration rules in HTML injection checks on noscripted pages
New in NoScript for Firefox 2.1.0.5 (May 21, 2011)
- Fixed recent memory optimizations breaking compatibility with some extensions
New in NoScript for Firefox 2.1.0.3 (Apr 30, 2011)
- [L10n] Updated ro
- Restored some locales gone missing in previous dev build
New in NoScript for Firefox 2.1.0.2 (Apr 11, 2011)
- Improved XML prescreening
New in NoScript for Firefox 2.1.0.2 RC 5 (Apr 11, 2011)
New in NoScript for Firefox 2.1.0.2 RC 4 (Apr 6, 2011)
- More robust surrogate execution
New in NoScript for Firefox 2.1.0.2 RC 3 (Apr 6, 2011)
- Label automatically hidden when NoScript's toolbar buttons are added to the add-ons bar
New in NoScript for Firefox 2.1.0.2 RC 2 (Apr 1, 2011)
- Fixed AddressMatcher broken by RegExp changes in latest Minefield
New in NoScript for Firefox 2.1.0.2 RC 1 (Mar 28, 2011)
- Fixed ABE options panel regressions due to the changed storage
New in NoScript for Firefox 2.1.0.1 (Mar 28, 2011)
- Removed googlesyndication.com from the default whitelist
- Added securecode.com ("Verified by VISA") to the default whitelist, in order to prevent surprise transaction failures
- [XSS] Exception for POST requests coming from a secure albeit not whitelisted Verified by Visa (securecode.com) origin
- [ABE] Fixed bug causing excessive console noise from permissive rules
- Updated locales
New in NoScript for Firefox 2.1 (Mar 28, 2011)
- Fixed various Script Surrogate inconsistencies
New in NoScript for Firefox 2.1.0 RC 6 (Mar 28, 2011)
- ABE] Rulesets now are stored as preferences rather than files for faster startup (less I/O) and more consistent settings management
- [ABE/Sync] Rulesets are integrated into Firefox Sync for preferences too
- On first Firefox 4 run toolbar icon now gets added to the add-on bar instead of the navigation bar if the latter is invisible, even if the former is invisible as well (many users seem to expect it there)
- Fixed additional toolbar buttons too wide when labels are shown
- Fixed some Script Surrogate regressions
- Work around for alert on new windows due to Mozilla's bug 608628
- Fixed placeholder not shown for embed elements placed inside invalid object elements
New in NoScript for Firefox 2.1.0 RC 5 (Mar 28, 2011)
- Firefox Sync integration can be switched off through the noscript.sync.enabled about:config preference
- Fixed false positive regression from recent Firefox 4 optimizations
New in NoScript for Firefox 2.1.0 RC 4 (Mar 28, 2011)
- Further version-specific Script Surrogate optimizations
New in NoScript for Firefox 2.1.0 RC 3 (Mar 23, 2011)
- First shot at Firefox Sync native integration, synchronizes everything except custom ABE rules
- [ABE] Optimized origin tracing
- [ABE] INC(MEDIA) subtype matching HTML5 video and audio requests
- [ABE] INC(FONT) subtype matching font embedding requests
- Huge refactoring in regular expression usage to optimize for Fx 4
- Script Surrogate optimization
New in NoScript for Firefox 2.1.0 RC 2 (Mar 21, 2011)
- [ABE] Work-around for some Java plugin requests bypassing HTTP observers
- [ABE] Media HTML elements and plugin sub-requests are matched by the OBJ inclusion subtype
- [ABE] Font requests are matched by the OTHER inclusion subtype
New in NoScript for Firefox 2.1.0 RC 1 (Mar 14, 2011)
- Fixed iframe content being sometimes opened in new tabs on Fx 4 when ABE is enabled and DNS cache is missed
New in NoScript for Firefox 2.0.9.9 (Mar 8, 2011)
- Fixed spaces in ipecho response breaking WAN IP detection with one of the mirrors
- Experimental built-in profiler for debugging purposes
New in NoScript for Firefox 2.0.9.9 RC 6 (Mar 4, 2011)
- Fixed spaces in ipecho response breaking WAN IP detection
- Experimental built-in profiler for debugging purposes
New in NoScript for Firefox 2.0.9.9 RC 5 (Mar 4, 2011)
- Compatibility with Fire.fm
- [XSS] Compatibility with latest Readability
- Tentative work-around for a WAN IP detection issue after sleep/wakeup
New in NoScript for Firefox 2.0.9.9 RC 4 (Mar 4, 2011)
- Forced text-plain on documents which miss a content-type header but send "X-Content-Type-Options: nosniff"
- Increased compatibility of the X-Content-Options implementation
New in NoScript for Firefox 2.0.9.9 RC 3 (Mar 4, 2011)
- Work-around for surrogates not being executed on latest Fx 4 builds
- X-Content-Options implementation more compatible with Browserscope
New in NoScript for Firefox 2.0.9.9 RC 2 (Feb 28, 2011)
- Fixed AJAX fallback last-minute breakage
New in NoScript for Firefox 2.0.9.9 RC 1 (Feb 28, 2011)
- Improved XSS filter to protect against potential risks from new HTML 5
- features
- AJAX fallback support via Google's _escaped_fragment_ recommendation,
- can disabled by toggling the noscript.ajaxFallback.enabled preference
- New noscript.placeholderLongTip about:config preference to control whether embedding placeholder tooltips should include query strings and hash fragments or not (true by default)
New in NoScript for Firefox 2.0.9.8 (Feb 15, 2011)
- Fixed empty tooltip for embedded placeholder on some RTL pages
- Truncate URLs in placeholders tooltips at the the query string or hash, to increase readability
- Increased WAN IP checks interval to 1 hour reducing log spam on routers
- Removed some obsolete code
New in NoScript for Firefox 2.0.9.8 RC 2 (Feb 15, 2011)
- Fixed all IPv6 addresses in fc80::/24 subnet being erronously treated like link-local addresses
- Fixed "Unsafe Reload" not working for sanitized POST requests from untrusted to trusted sites
- Better compatibility with Paypal button hosted on non-whitelisted sites
New in NoScript for Firefox 2.0.9.8 RC 1 (Feb 7, 2011)
- [UI] Fixed toolbar button being added on the right of the window resizer
- when Fx 4 is run for the first time with NoScript and the add-on bar is
- visible
- [UI] Hitting the "show UI" shortcut (ctrl+shift+S) a second time
- dismisses NoScript's popup menu (thanks jso for RFE)
- Restored header reordering after DNT header is added, in order to match
- Firefox 4's header fingerprint
New in NoScript for Firefox 2.0.9.7 (Jan 31, 2011)
- Fixed status label menu popping up in a wrong position
- Updated locales
New in NoScript for Firefox 2.0.9.7 RC 5 (Jan 31, 2011)
- Fixed external filters submenu not removed when external filters are
- disabled
- Blocked objects menus show IFRAME/FRAME rather than mime type info for
- blocked frames
- Restored legacy status label by popular request
- Sticky menu can be triggered by left clicking on status label now
New in NoScript for Firefox 2.0.9.7 RC 4 (Jan 29, 2011)
- Work-around for menu icons hidden with some Linux distros and themes
- Changed the X-Do-Not-Track header name to DNT in anticipation of an IETF
- Internet-Draft, per Jonathan Mayer
- noscript.doNotTrack.forced gets honored for local addresses now
- Fixed partial external filter definition could not be saved
- Fixed empty external filter whitelist could not be validated
New in NoScript for Firefox 2.0.9.7 RC 3 (Jan 29, 2011)
- Fixed exception on cross-site POST requests from URIs not supporting
- the host component
- Fixed JS redirection detection being activated also on whitelisted pages sometimes
New in NoScript for Firefox 2.0.9.7 RC 2 (Jan 29, 2011)
- 64x64 icon for Fx 4's add-ons manager
- Fixed bookmarklet execution machinery active even when JavaScript is
- disabled by Firefox's content options
- Tentative work-around for toolbar button being oriented vertically in
- some themes, disrupting toolbar's layout
- More updated locales
New in NoScript for Firefox 2.0.9.7 RC 1 (Jan 29, 2011)
- Fixed a ClearClick bypass possible to whitelisted attackers who can run
- JavaScript
- Updated locales
- Improved K-Meleon portability (thanks jk- for RFE
New in NoScript for Firefox 2.0.9.6 (Jan 19, 2011)
- Fixed X-Do-Not-Track after a DNS cache miss causing some embedded content requests to fail
New in NoScript for Firefox 2.0.9.5 (Jan 19, 2011)
- Fixed NoScript toolbar buttons having wrong orientation in "icon and text" mode
New in NoScript for Firefox 2.0.9.4 (Jan 19, 2011)
- Fixed toolbar button does not open the menu (unless you click the little arrow) if you disable hovering and toggling
- Removed dynamic localization fallback at runtime
- Added static localization fallback to the build system
- Localization layout cleanup x Legacy files cleanup
New in NoScript for Firefox 2.0.9.4 RC 2 (Jan 19, 2011)
- Removed toolbarbutton-specific stylings
- Better web compatibility for X-Content-Options
- Better home router compatibility for X-Do-Not-Track
New in NoScript for Firefox 2.0.9.4 RC 1 (Jan 19, 2011)
- Fixed DoNotTrack exceptions/forced patterns not being enforced
- Tentative work-around for basic HTTP authentication failing with some servers when X-Do-Not-Track is sent
New in NoScript for Firefox 2.0.9.3 (Jan 5, 2011)
- Fixed some cross-site requests containing JSON-like fragments broken
New in NoScript for Firefox 2.0.9.2 (Dec 29, 2010)
- Fixed forbid META refresh inside NOSCRIPT elements regression
New in NoScript for Firefox 2.0.9.1 (Dec 29, 2010)
- Fixed partial options dialog breakage (ClearClick and Import/Export)
New in NoScript for Firefox 2.0.9 (Dec 29, 2010)
- Removed JAR blocking (obsolete in supported browser versions)
- Removed emulated TLD service
- Hidden status bar icon option on applications which have no status bar
- Fixed noscript.doNotTrack.* preferences not being honored
New in NoScript for Firefox 2.0.9 RC 5 (Dec 29, 2010)
- Fixed wrong popup position on status bar icon (Fx 3.6.x and below only)
New in NoScript for Firefox 2.0.9 RC 4 (Dec 29, 2010)
- X-Do-Not-Track and X-Behavioral-Ad-Opt-Out (tracking opt-out) support, controlled by the noscript.doNotTrack.* about:config preferences
- Restored "left+click on NoScript icon reopens the menu in legacy mode even if it's already opened in hover mode" feature
- Fixed bug preventing channel replacement when the HTTP method changes Embedded permissions are now bound to the embedding site
- Fixed permissions keys for Flash embeddings include FlashVars PARAMETER elements, rather than just attributes
- Fixed embedding permission changes not honoring disabled autoreload preferences
New in NoScript for Firefox 2.0.9 RC 3 (Dec 29, 2010)
- Middle clicking toolbar button temporarily allows all on current page
- Removed forced embedding opacization legacy feature
- Removed tooltips from icons spawning hover UI
- Disabled permission toggling on left+click for hover UI toolbar buttons (can be reenabled by setting noscript.hoverUI.excludeToggling to true)
- Fixed notification regression
New in NoScript for Firefox 2.0.9 RC 2 (Dec 29, 2010)
- No extra spacer added on addon-bar during first customization
- Long menus automatically scroll to the bottom when opened from the bottom of the browser
- Fixed legacy status bar icon switching permissions on left+click like the toolbar button
- Fixed legacy status bar icon always getting "after_start" popup position
New in NoScript for Firefox 2.0.9 RC 1 (Dec 29, 2010)
- Improved anti-popunder surrogate
- Check for UI accessibility of Firefox 4 with hidden addon-bar and automatic installation of toolbar button on fail
- Fixed whitelisted iframe blocking getting in the way of web content embedded by privileged tabs (e.g. Firefox 4's add-on manager)
- [ClearClick] slightly shorter viewport to accomodate Facebook's "Like" mini buttons
- Fixed tooltips getting in the way of hover UI - Removed status bar label
- Fixed regression: permissions changes on sites with non-standard ports failed to trigger page reload
- Fixed layout issue triggered by JS redirect detection
New in NoScript for Firefox 2.0.8.1 (Dec 15, 2010)
- Fixed new IFRAME-based Youtube embedding method broken on non whitelisted pages with embedding restrictions
New in NoScript for Firefox 2.0.8 (Dec 15, 2010)
- Fixed toolbar buttons icon size on Firefox 4 Windows theme
- XSS check on permissions changes, suppressing events and forcing filtered reload if an injection is found
- Fixed graphic glitches on menu showing with accelerated graphics
- Fixed permission changes causing unrelated tabs to be reloaded when automatic permissions had been previously granted
New in NoScript for Firefox 2.0.8 RC 2 (Dec 15, 2010)
- Fixed unhandled exception caused by LiveConnect interception logging
- Optimized QueryInterface generation
- [ABE] 6to4 IP addresses support
- Fixed LiveConnect interception firing a dummy JVM sometimes on Gecko 2.0
New in NoScript for Firefox 2.0.8 RC 1 (Dec 15, 2010)
- LiveConnect interception time reduced by 10 on Firefox 3.6 and by 100 on Firefox 4 (about 1ms each)
- Restored LiveConnect interception logging (LOG_CONTENT_INTERCEPT mask) Fixed bug in fake redirections code, causing it not to honor the redirection limit settings
- [XSS] Improved SQLXSSI detection accuracy
- Updated revsci surrogate
New in NoScript for Firefox 2.0.7 (Nov 26, 2010)
- [XSS] Detection and filtering of hexadecimal and binary encoded
- reflected XSS through MySQL injection, partially found and disclosed
- (raw hexadecimal variant only)
New in NoScript for Firefox 2.0.6 (Nov 26, 2010)
- Bug fixes and improvements in LiveConnect interception
- Fixed random "win is null" error message (thanks timeless for report)
New in NoScript for Firefox 2.0.6 RC 4 (Nov 26, 2010)
- Java packages exposed by LiveConnect on the window object are made
- unaccessible wherever Java is blocked by embedding restrictions
New in NoScript for Firefox 2.0.6 RC 3 (Nov 26, 2010)
- [ABE] Work-around for Flash video playback and other HTTP subrequests
- from plugins sometimes failing on latest Minefield builds
New in NoScript for Firefox 2.0.6 RC 2 (Nov 26, 2010)
- [ABE] Fixed 2.0.6rc1 regression: broken internal redirections
New in NoScript for Firefox 2.0.6 RC 1 (Nov 26, 2010)
- "Security and privacy info" pages shown also by middle-clicking items
- in NoScript Options|Whitelist (thanks dhown for RFE)
- [XSS] Better compatibility with 4shared embedded movies
- [ABE] Fixed regression: Anon action interfering with IFrame blocking
- when DNS record for current request is cached (thanks al_9x for report)
New in NoScript for Firefox 2.0.5.1 (Nov 12, 2010)
- Improved LoadGroup integration of the new internal redirection machinery for better loading progress feedback.
New in NoScript for Firefox 2.0.5 (Nov 12, 2010)
- Fixed stability issue when forcing HTTPS on images
New in NoScript for Firefox 2.0.5 RC3 (Nov 12, 2010)
- Faster and more "correct" hack for internal redirections
New in NoScript for Firefox 2.0.5 RC2 (Nov 12, 2010)
- Experimental asynchronous channel replacement for ABE and HTTPS enforcement, should prevent issues with image caching
- Work-around for Google/Youtube bug, sending "Content-Type: text/plain" header for script files even with "X-Content-Type-Options: nosniff" (see http://forums.informaction.com/viewtopic.php?f=7&t=5304)
New in NoScript for Firefox 2.0.5 RC1 (Nov 12, 2010)
- Fixed automatic allowing for XMLHttpRequest of sites with explicit port numbers whose domain is allowed (thanks evanpelt for reporting)
New in NoScript for Firefox 2.0.4 (Oct 29, 2010)
- Better logging for the "X-Content-Type-Options: nosniff" activity
- noscript.nosniff about:config preference to control whether enforcing
- "X-Content-Type-Options: nosniff" (true, default) or not (false)
New in NoScript for Firefox 2.0.4 RC1 (Oct 29, 2010)
- "X-Content-Type-Options: nosniff" support
- Fixed using bookmarklets with noscript.allowBookmarkletImports set to false erronously adds current website to the JavaScript whitelist
New in NoScript for Firefox 2.0.3.5 (Oct 18, 2010)
- Fixed right-click on the toolbar button switching permissions
New in NoScript for Firefox 2.0.3.4 (Oct 18, 2010)
- Bold "Recently blocked" menu and items which have been attempted to load from the currently displayed web site (thanks therube for RFE)
- Removed legacy (pre Fx 3) notification code
New in NoScript for Firefox 2.0.3.3 (Oct 6, 2010)
- Changed noscript.forbidIFramesContext about:config preference default to 3 (same base domain) to ensure better usability on complex sites (e.g. new Twitter) for people who's blocking iframes on trusted sites
- Optimal sensitivity calibration for Hover UI trigger events
New in NoScript for Firefox 2.0.3.3 RC3 (Sep 29, 2010)
- Improved Hover UI usability with the noscript.hoverUI.delayStop about:config preference, dictating how many milliseconds the mouse must stand still on NoScript's icon before NoScript's menu is displayed
New in NoScript for Firefox 2.0.3.3 RC2 (Sep 29, 2010)
- Surrogate scripts are no longer wrapped inside anonymous functions, in order to allow top-level variables to be forced read-only by using the const keyword; built-in surrogates have been retrofitted to prevent scope clashes, by adding anonymous function wrappers as needed
New in NoScript for Firefox 2.0.3.3 RC1 (Sep 29, 2010)
- Configurable enter and exit delays for the hover UI behavior, via noscript.hoverUI.delay* about:config preferences
- Improved compatibility with very short frames (like the top bar on www.blogger.com)
- Removed legacy code specializing TYPE_OTHER
New in NoScript for Firefox 2.0.3.2 (Sep 21, 2010)
- Work-around for first script element in body of a framed document not being executed unless password manager is enabled on Minefield
- Work-around for surrogates not being executed in frames on Minefield
New in NoScript for Firefox 2.0.3 (Sep 11, 2010)
- Improved compatibility of the popunder surrogate
- Fixed broken meebo.com detached windows
- Updated it-IT
New in NoScript for Firefox 2.0.2.5 (Sep 4, 2010)
- Further FBML compatibility improvements
New in NoScript for Firefox 2.0.2.4 RC1 (Aug 31, 2010)
- [HSTS] Fixed SSL certifiacate error pages not being patched (removing the expert interface) when a broken HSTS site is open for the first time
New in NoScript for Firefox 2.0.2.3 (Aug 21, 2010)
- Fixed optimization bug which may lead to slower checks on specific source patterns
New in NoScript for Firefox 2.0.2.2 (Aug 21, 2010)
- Huge InjectionChecker speed optimization, prevents most DOS false positives caused by checks timeout (thanks Sylvia Oberstein for report)
New in NoScript for Firefox 2.0.2.1 (Aug 18, 2010)
- [Surrogate] Fixed fallback regression
New in NoScript for Firefox 2.0.1 (Aug 7, 2010)
- [ABE] noscript.abe.localExtras about:config preference can specify net resources (space separated IPs and/or subnets) to be considered as LOCAL by ABE, in addition to the "regular" private subnetworks and the auto-detected WAN IP
- [ClearClick] Better compatibility with iframes containing very tiny pages (e.g. horizontal Flattr buttons)
- Fixed page-level surrogates not always being executed inside iframes
- [XSS] Fixed XML tags with no attributes which are omonymous of "sensitive" HTML tags triggering XSS false positives
New in NoScript for Firefox 2.0.1 RC4 (Aug 7, 2010)
- Forced NOSCRIPT element activation is not triggered for sources marked as untrusted
- Update for Firefox 4.0b4pre compatibility (bug 546606)
New in NoScript for Firefox 2.0.1 RC3 (Aug 7, 2010)
- Improved interaction between surrogates and NOSCRIPT element activation
- Fixed potential recursion issue during DNS resolution on SeaMonkey trunk
- Fixed https://bugzilla.mozilla.org/show_bug.cgi?id=584334
- Fixed using IPv6 URL syntax causes confusion to some proxies
- Compatibility checks updates
New in NoScript for Firefox 2.0.1 RC2 (Aug 7, 2010)
- [ABE] "X-ABE-Fingerprint: Off" header can be sent by web servers which don't want / need to be fingerprinted by ABE's WAN IP protection
- [ABE] User agent header "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" is sent to help administrators finding info about ABE's fingerprinting
- [ABE] Fingerprint checks are performed every 15 minutes, rather than 5
- Fixed early access to document.documentElement breaking XBL bindings on SeaMonkey trunk
New in NoScript for Firefox 2.0.1 RC1 (Aug 7, 2010)
- Fixed meta redirections being broken sometimes when a NOSCRIPT element activation is forced on a JavaScript-enabled page
New in NoScript for Firefox 2.0 (Jul 28, 2010)
- [Surrogate] Fixed Google thumbs surrogate broken by recent Gecko changes
- [ClearClick] Work-around for client(Height|Width) miscalculation
New in NoScript for Firefox 2.0 RC8 (Jul 28, 2010)
- Full hand-over to InjectionChecker for untrusted origin requests as well
- More efficient UI synchronization system
- Fixed status icon not being correctly updated when a new script source gets added after page is loaded
New in NoScript for Firefox 2.0 RC7 (Jul 28, 2010)
- More web-compatible NOSCRIPT element handling on mixed permissions pages
New in NoScript for Firefox 2.0 RC6 (Jul 28, 2010)
- WAN IP checks logged on Error Console (thanks al_9x for RFE)
New in NoScript for Firefox 2.0 RC5 (Jul 28, 2010)
- Experimental cross-zone CSRF protection for flawed routers which expose their WAN IP on their LAN interface (thanks al_9x for report)
New in NoScript for Firefox 2.0 RC4 (Jul 28, 2010)
- Anti-anti-adblocker generic page-level surrogate
- Minimal surrogates for several ad/tracking sources
- Revsci surrogate (thanks al_9x)
- Work-around for medicare.gov "benign" XSS
New in NoScript for Firefox 2.0 RC3 (Jul 28, 2010)
- Fixed X-Frame-Options being checked for plugin embeddings as well (thanks Richard Johnson for reporting)
New in NoScript for Firefox 2.0 RC2 (Jul 28, 2010)
- External filters now receive the object URL as their 4th argument
New in NoScript for Firefox 1.10 (Jul 15, 2010)
- ABE built-in ruleset editor
- Button to reset ABE's defaults
- Fixed setting noscript.cp.last to false causing embeddings not to be blocked
- Fixed 2nd order InjectionChecker bypass (thanks Sirdarckcat for report)
- External filters now receive the object referrer as their 3rd argument
New in NoScript for Firefox 1.9.9.99 (Jul 7, 2010)
- Emergency fix for a page reload bug on Mac OS X causing high CPU consumption after permission changes (thanks "D A" for reporting)
New in NoScript for Firefox 1.9.9.98 (Jul 7, 2010)
- Improved ClearClick clipping accuracy on framesets
- Improved ClearClick clipping accuracy on nested scrolling elements
New in NoScript for Firefox 1.9.9.98 RC6 (Jul 7, 2010)
- Fixed work-around for Mozilla's bug 576492 breaking NoScript on browser restart
New in NoScript for Firefox 1.9.9.98 RC5 (Jul 7, 2010)
- Support for the latest Gecko 2 XPCOM changes
- Work-around for Mozilla's bug 576492
New in NoScript for Firefox 1.9.9.98 RC4 (Jul 7, 2010)
- noscript.surrogates.debug preference enables console logging of uncaught exceptions happening in surrogates (thanks al_9x for suggestion)
- Better error handling in surrogates, prevents a failing scripts to abort the others
- Improved AMO surrogates, allows right-click menu to work on install buttons (thanks Mc for reporting)
New in NoScript for Firefox 1.9.9.98 RC3 (Jul 7, 2010)
- Fixed bug on edge case minimum placeholder size computation when object to be replaced is out of the current viewport
- Version compatibility bump for Firefox 4.0b2pre
- Fixed regression: untrusted icon not being shown when all the sources of a page are untrusted (thanks al_9x for reporting)
New in NoScript for Firefox 1.9.9.98 RC2 (Jul 7, 2010)
- window.toStaticHTML implementation
- Improved placeholders for embeds nested in ActiveX OBJECT elements
New in NoScript for Firefox 1.9.9.98 RC1 (Jul 7, 2010)
- Surrogate for Google Search thumbnails when Google is not whitelisted
- Automatic reload on permission change setting now affects pages
- containing embeddings which change status too, whose reload can be also
- forced through the noscript.autoReload.embedders preference:
- never reload
- inherit the noscript.autoReload setting
- force reload
- Prevent reload on pages where a 3rd party script changed its
- permissions status but the top-level is forbidden and unchanged
- Surrogate to use InstallTrigger on AMO even if addons.mozilla.org is not
- whitelisted
New in NoScript for Firefox 1.9.9.97 (Jun 25, 2010)
- Fixed ClearClick false positives on Fx 3.5 and below
- Compatibility version bump for Seamokey trunk
New in NoScript for Firefox 1.9.9.97 RC 1 (Jun 25, 2010)
- Fixed '@' surrogates being ran on scriptless pages
- Recentering on the parent form for ClearClick checks over a form widget reduces false positives over obstructed frames
New in NoScript for Firefox 1.9.9.96 (Jun 24, 2010)
- Fixed Script Surrogates activation glitches
New in NoScript for Firefox 1.9.9.95 (Jun 24, 2010)
- Fixed wrongly sized placeholders on Youtube (regression from rc1)
New in NoScript for Firefox 1.9.9.95 RC 2 (Jun 24, 2010)
- More accurated feedback on nested object blocking
- External filters command line template updated with request origin as the 3rd argument
New in NoScript for Firefox 1.9.9.95 RC 1 (Jun 24, 2010)
- imagebam surrogate kills popups over images and popunders on click
- imagehaven surrogate kills popups over images and popunders on click
- inserstitialBox surrogate kills interstital on imagevenue.com
- "!@" prefixed surrogates run no matter whether scripts are enabled or disabled for the page (in a DOMContentLoaded event handler)
- Fixed JS redirect handling causing duplicate object placeholders on scriptless pages containing embeddings only
- Fixed ABE's SELF checks fail on redirects which contain a browser URL
New in NoScript for Firefox 1.9.9.94 (Jun 24, 2010)
- Fixed bookmarklets support on non-whitelisted pages broken in non-Places browsers like SeaMonkey
- Better icon feedback on page where there's no script element but some plugin content has been blocked
New in NoScript for Firefox 1.9.9.93 (Jun 24, 2010)
- Fixed ClearClick false positives when RTL content or browser settings put the vertical scrollbar on the left
- Fixed setting noscript.checkInjectionType to false did not disable the feature
- More accurate embedded object replacement
New in NoScript for Firefox 1.9.9.92 (Jun 24, 2010)
- Fixed Places-related bug on Minefield (thanks mpz for reporting)
- noscript.forbidIFrameContext=3 (allow same base domain) falls back to 2 (allow same domain) if either the parent or the frame is marked as untrusted
New in NoScript for Firefox 1.9.9.91 (Jun 24, 2010)
- More compatible docShell reaching, works around some buggy extensions which wrap browser.webNavigation just partially
- InjectionChecker's XML reduction more compatible with SAML
New in NoScript for Firefox 1.9.9.90 Beta (Jun 18, 2010)
- Optimal timing for page-level surrogates in frames
- ClearClick exceptions are considered independently from the JavaScript whitelist as they should
- More consistent web bugs blocking with forced NOSCRIPT elements, take 2
New in NoScript for Firefox 1.9.9.89 Beta (Jun 18, 2010)
- Inclusion type checks try to infer file type from directory-like URLs
- More consistent web bugs blocking with forced NOSCRIPT elements
- Fixed object placeholder regressions in Gecko < 1.9
New in NoScript for Firefox 1.9.9.87 (Jun 18, 2010)
- Improved URL parsing in META refresh interception
- Optimized * universal pattern in AddressMatcher
- Better error reporting during the execution of location bar scriptlets
New in NoScript for Firefox 1.9.9.86 (Jun 18, 2010)
- Better timing for page-level script surrogates inside frames
- mime/type@http://site.com syntax support for noscript.allowedMimeRegExp preference
- Improved XSS checks accuracy (less false positives) and performance
- Enhanced management of recent Silverlight versions
New in NoScript for Firefox 1.9.9.85 (Jun 18, 2010)
- More accurate checks for META inside NOSCRIPT with HTML 5 parser
- Fixed possible DOS condition on some kinds of very long URLs
New in NoScript for Firefox 1.9.9.84 (Jun 18, 2010)
- Improved heuristic for background refresh automatic blocking and reenablement
- Fixed regressed "Follow" button on META refresh inside NOSCRIPT element
New in NoScript for Firefox 1.9.9.83 (Jun 18, 2010)
- Fixed some sites refreshing themselves even if another load has been initiated
New in NoScript for Firefox 1.9.9.82 (Jun 18, 2010)
- More discreet and automated anti-tabnagging protection (refreshes are blocked on unfocused tabs and get automatically executed only when tab gets in focus again)
- Slight optimization of AddressMatcher tests on .site.com clauses
- Fixed noscript.forbidBGRefresh.exceptions not being honored
- Better handling of error conditions happening during ABE's channel replacement internal redirections
- Fixed minor feedback icon glitches
New in NoScript for Firefox 1.9.9.81 (May 28, 2010)
- Experimental blocking of page refreshes happening inside untrusted unfocused tabs, should provide protection against Aviv Raff's scriptless "tabnabbing" variant. Enabled by default, can be controlled through the noscript.forbidBGRefresh about:config integer preference
- 0 - no blocking
- 1 - block refreshes on untrusted unfocused tabs
- 2 - block refreshes on trusted unfocused tabs
- 3 - block refreshes on both trusted and untrusted unfocused tab
- Address patterns matching pages which shouldn't be affected can be listed in the noscript.forbidBGRefresh.exceptions preference
- Fixed XSS false positive in new 3.7 add-ons
- Fixed meta-refresh URL parsing mismatch
- Fixed import script surrogates being broken by a 1.9.9.79 regression
New in NoScript for Firefox 1.9.9.80 (May 28, 2010)
- Fixed "Partially allowed scripts" icon shown instead of the "Scripts allowed but some objects blocked" one when the blocked objects' domains are not whitelisted for scripting
- Fixed "Scripts allowed but some objects blocked" icon not being used for blocked web fonts
- (ABE) Deny on INCLUSION don't trigger a notification even if the blocked request is for a subdocument (the blocking is logged in the Console, use SUB if user-facing notification is needed
- Fixed privileged XMLHttpRequests for untrusted resources being blocked if HTTP redirections occurred
- Better compatibility with IronPort web-based tools
New in NoScript for Firefox 1.9.9.79 (May 22, 2010)
- Script surrogates whose source starts with the '!' get executed on pages where scripts are disabled (on document DOM completion, rather than before HTML parsing starts like regular surrogates)
New in NoScript for Firefox 1.9.9.78 (May 22, 2010)
- Redirect cache for scripts and XBL only
- Fixed cross-site CSS being blocked under some circumstances (e.g. on Flickr and Yahoo)
New in NoScript for Firefox 1.9.9.77 (May 22, 2010)
- ABE INCLUSION(type1, type2, type3...) pseudo-method allows rules to take request type (e.g. SCRIPT vs CSS) in account
- ABE SELF+ (same domain) and SELF++ (same base domain) pseudo-origins
- Fixed iconic feedback inconsistencies when untrusted blocked objects are mixed with full-trusted content
- Fixed Injection Checker false positives on some kinds of complex nested URLs
- Tweaked ClearClick for Disqus compatibility
New in NoScript for Firefox 1.9.9.76 (May 22, 2010)
- Fixed broken menu on Minefield when External Filters are enabled
- Fixed about: URL not being shown in NoScript menu
- Removed minor strict warnings on Minefield
New in NoScript for Firefox 1.9.9.75 (May 22, 2010)
- Redirected site caching now skips plugin content
- Removed __parent__ usages for Minefield compatibility
- Removed some strict warnings
New in NoScript for Firefox 1.9.9.74 (May 3, 2010)
- Fixed false positive issue with empty cross-site POST requests (thanks Bahamut for reporting)
New in NoScript for Firefox 1.9.9.73 (May 3, 2010)
- Fixed potential double-firing command issue on Firefox Mobile
- Added about:addons and about:home to the mandatory whitelist
- Improved responsivity and usability on Firefox Mobile
New in NoScript for Firefox 1.9.9.72 (May 3, 2010)
- Fixed configuration import/export/synchronization bug introduced by "configuration presets" for Firefox Mobile
- Finger-friendlier UI on Firefox Mobile
New in NoScript for Firefox 1.9.9.71 (Apr 30, 2010)
- Added "Allowed with untrusted sources and blocked objects" icon
- Fixed minor inconsistencies in new partial allowance feedback icons
New in NoScript for Firefox 1.9.9.70 (Apr 30, 2010)
- Compatibility and better integration with latest Firefox Mobile
- Experimental external filters for plugin content (e.g. Blitzableiter for Adobe Flash), see NoScript Options|Advanced|External Filters (Fx >=3.5)
- New specific partial status icon for pages where all scripts are allowed but some objects are blocked
- "about:blank" won't be shown as a secondary source in NoScript's UI. Old behavior can be restored by setting the noscript.showBlankSources preference to true
- googleapis.com in the default whitelist x Fixed 2nd order indirect InjectionChecker bypass (thanks Sirdarckcat for reporting)
New in NoScript for Firefox 1.9.9.69 (Apr 21, 2010)
- Further compatibility improvements in complex bookmarklets handling
New in NoScript for Firefox 1.9.9.68 (Apr 21, 2010)
- Better asynchronous bookmarklets handling, should not crash on Readability anymore
- Ultimate (maybe!) fix for trunk bug 556739 breakage
New in NoScript for Firefox 1.9.9.67 (Apr 21, 2010)
- Better fix for trunk bug 556739 breakage
New in NoScript for Firefox 1.9.9.66 (Apr 19, 2010)
- Further embed-only sites in menu fixes (thanks al_9x for reporting)
New in NoScript for Firefox 1.9.9.65 (Apr 18, 2010)
- Fixed bookmarklet support broken on trunk by bug 556739 (thanks dhouwn for reporting)
New in NoScript for Firefox 1.9.9.64 (Apr 18, 2010)
- Better untrusted menu behavior on embedding only sources (thanks al_9x for reporting)
- Improved InjectionChecker compatibility with OpenID and other complex requests (thanks Jamie Cox for reporting)
- Fixed accurate Base64 injection checks breaking some encrypted Paypal buttons
New in NoScript for Firefox 1.9.9.63 (Apr 15, 2010)
- Removed ":0" wildcards from NoScript menu in ignorePorts=false mode to prevent confusing behaviors (thanks al_9x for suggestion)
- Embedding-only sites are shown in the Untrusted menu if placeholders are set to be hidden for untrusted embeddings (thanks al_9x for suggestion)
New in NoScript for Firefox 1.9.9.62 (Apr 15, 2010)
- Improved XSS filter sensitivity for Base64-encoded payloads (thanks Stefano Di Paola for suggestion)
- Improved Facebook connect compatibility (thanks Peter Alexander for reporting)
- Removed __count__ usage in DNS cache management (SpiderMonkey compat)
- Fixed "Attempt to fix Javascript links" not working when the javascript: scheme is mixed-case (thanks al_9x for reporting)
New in NoScript for Firefox 1.9.9.61 (Apr 6, 2010)
- Fixed InjectionChecker infinite recursion bug on certain requests (thanks dhouwn for reporting)
- Fixed plugin activation patches not being applied under some circumnstances
New in NoScript for Firefox 1.9.9.60 (Apr 6, 2010)
- Pluggable site info page can be opened by middle-click or shift+click on any site entry in NoScript's menus, and can be configured by editing the noscript.siteInfoProvider about:config preference
- More user-friendly management of non-standard TCP ports
- Fixed release notes page might break session restore sometimes
- Locale files maintenance
- Object sources won't appear in main menu when embedding restrictions apply to whitelist; previous behavior can be restored by setting the noscript.alwaysShowObjectSources to false (thanks al_9x for RFE)
New in NoScript for Firefox 1.9.9.59 (Apr 6, 2010)
- Better management of cached requests x Fixed allowing objects from "Blocked objects" reloading only the first of each URL/mime pair group (thanks al_9x for reporting)
- Improved Facebook widgets compatibility (thanks Peter Alexander and Chuck Mullen for reporting)
- Fixed "Allow scripts globally" setting being ignored by the bulk configuration import feature (thanks Mike Perry for reporting)
- Fixed "Mark as untrusted" menu items being shown in "Allow scripts globally" mode even if both "Untusted" and "Mark as untrusted" are unchecked in the Appearace options tab (thanks Mike Perry for reporting)
- Improved bookmarklets support
- Minor bug fixes in jolly port matching x Improved Anti-Popunder surrogate (thanks justaguest for reporting)
New in NoScript for Firefox 1.9.9.58 (Apr 6, 2010)
- Fixed HTMLObjectElement plugin content being blocked by X-Frame-Options checks
New in NoScript for Firefox 1.9.9.57 (Mar 18, 2010)
- Fixed feed subscription broken on sites implementing X-Frame-Policy (regression from 1.9.9.56)
- Included js.wlxrs.com in default whitelist in order to make Hotmail login work out-of-the-box for new users
New in NoScript for Firefox 1.9.9.56 (Mar 18, 2010)
- More reload-friendly and permission-friendly X-Frame-Policy error page
- Fixed bug in method surrogation for replaced/blocked plugin objects
New in NoScript for Firefox 1.9.9.55 (Mar 18, 2010)
- Method surrogation for replaced and blocked plugin objects
- Regression fix: documents loaded in object elements not being checked for X-Frame-Policy anymore
- Performance and accuracy improvements in plugin placeholder handling
New in NoScript for Firefox 1.9.9.54 (Mar 18, 2010)
- Improved Flash version detection emulation
New in NoScript for Firefox 1.9.9.53 (Mar 18, 2010)
- Remote whitelist and blacklist subscription, controlled by the noscript. subscription.trustedURL and noscript.subscription.untrustedURL about:config preference
- Fixed: lists export feature shouldn't include temporary and mandatory entries
New in NoScript for Firefox 1.9.9.52 (Mar 18, 2010)
- Version bump for latest trunk apps compatibility
New in NoScript for Firefox 1.9.9.51 (Mar 18, 2010)
- Better bookmarklet imports management, more compatible with not cached 3rd party scripts
- Fixed manually allowing a domain should always imply addresses with ports if noscript.ignorePorts is true
New in NoScript for Firefox 1.9.9.50 (Feb 27, 2010)
- Updated ABE grammar to use new AddressMatcher syntactic sugar
- Alert about ABE syntax errors when option dialog gets focused after a ruleset editing
New in NoScript for Firefox 1.9.9.49 (Feb 27, 2010)
- .x.y AddressMatcher syntactic sugar, matching both x.y and *.x.y
- InjectionChecker speed and accuracy improvements
- Fixed top-level site not being correctly positioned and highlighted in permissions menu sometimes
- Fixed post-XSS "Unsafe reload" not working properly sometimes
New in NoScript for Firefox 1.9.9.48 (Feb 27, 2010)
- Fixed a second level InjectionChecker bypass, requiring an open redirect which accepts and uses unfiltered data: URIs. Responsible disclosure by the SecuriTeam Secure Disclosure (SSD) project
- Fixed reload on permission change being triggered on the nearest 10 tabs only
- Fixed permanent address entry being added to the whitelist if domain is already allowed upon bookmarklet execution
- Better UI behavior for URLs with non-standard ports
- Updated nb-NO localization
New in NoScript for Firefox 1.9.9.47 (Feb 13, 2010)
- Fixed XSS checks skipped on some reloads
- Improved content placeholder management
- Mobile version bump
New in NoScript for Firefox 1.9.9.46 (Feb 13, 2010)
- Fixed uneeded tab reload issue related to untrusted subdomains
- Optimized reload checks for the "hundreds of tabs" case, in order to prevent UI locking
- Improved XSS checks on file uploads, should not hang even on gigabytes
- Trunk compatibility version bump
New in NoScript for Firefox 1.9.9.45 (Feb 5, 2010)
- Enhanced compatibility with Paypal encrypted buttons
- Fixed some anti-popunder surrogate incompatibilities
New in NoScript for Firefox 1.9.9.44 (Feb 5, 2010)
- Fixed allowing a Flash object causing a page reload sometimes
- Script Surrogate to work around Facebook's "noscript" cookie
- Fixed minor incompatibilities caused by the anti-popunder surrogate
New in NoScript for Firefox 1.9.9.43 (Feb 5, 2010)
- Fixed broken popup issue on some sites
- Fixed ghost sites in context menus on about:blank after a complex frame structure with redirects has been shown in the same tab
- Fixed XSS false positive on certain nested URL patterns
New in NoScript for Firefox 1.9.9.42 (Jan 28, 2010)
- ClearClick: more efficient code paths specific to Fx 3.6 and above
- Fixed zoom-related ClearClick false positives on Fx 3.6 and above
- Fixed fonts being reported as "unknown" type in Blocked Objects menu
New in NoScript for Firefox 1.9.9.41 (Jan 28, 2010)
- Fix for newline-based double-reflection InjectionChecker bypass
- Surrogate scripts from local files: surrogate's replacement is treated as a file:// URL and resolved against current browser profile if it starts with "file://", "./" or "../"
New in NoScript for Firefox 1.9.9.40 (Jan 28, 2010)
- Improved bookmarklet compatibility
New in NoScript for Firefox 1.9.9.39 (Jan 20, 2010)
- Fixed quirks mode triggered by surrogate execution on Gecko < 1.9.1
New in NoScript for Firefox 1.9.9.38 (Jan 20, 2010)
- Fix for some popups broken by 1.9.9.37
New in NoScript for Firefox 1.9.9.37 (Jan 20, 2010)
- Fixed potential infinite loop occurring when window.open is called in a recursive context, e.g. on Google Reader
- Fixed mishandling of non-default 1 value for the proxiedDNS preference
New in NoScript for Firefox 1.9.9.36 (Jan 18, 2010)
- Anti-Popunder surrogate now applies to all HTTP pages by default
- DNS activity logging facility (disabled by default)
- Slight optimization of DNS lookups
- Temptative fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501446 crasher
New in NoScript for Firefox 1.9.9.35 (Jan 7, 2010)
- Updated Firefox Mobile (Fennec) compatibility
- Improved and generalized Anti-Popunder surrogate
New in NoScript for Firefox 1.9.9.34 (Jan 7, 2010)
- Anti-Popunder surrogate extended to AWEmpire popunders (on empornium.us by default, customizable in noscript.surrogates.popunder.sources)
- Fixed bug in bookmarklet support on about:blank
- Improved InjectionChecker compatibility with letitbit.net uploads
- Improved InjectionChecker compatibility with Rapidshare uploads
New in NoScript for Firefox 1.9.9.33 (Jan 7, 2010)
- Better HTTPS/HTTP redirection support
New in NoScript for Firefox 1.9.9.32 (Jan 7, 2010)
- Further InjectionChecker optimizations, providing a dramatic speed boost on nested URLs (e.g. on iGoogle and many ad networks)
New in NoScript for Firefox 1.9.9.31 (Jan 7, 2010)
- InjectionChecker accuracy optimization, preventing false positives in some edge cases with nested URLs
New in NoScript for Firefox 1.9.9.30 (Dec 30, 2009)
- Injection Checker compatibility with Livejournal comment posting
- Improved ClearClick compatibility with Facebook applications
New in NoScript for Firefox 1.9.9.29 (Dec 30, 2009)
- Temptative work-around for hard to reproduce content policy DOS false positive on comcast.net
New in NoScript for Firefox 1.9.9.28 (Dec 30, 2009)
- Work-around for a Flash player double-instantiation bug in Gecko 1.9.0 preventing some movies from playing
- Removed placeholder enhancements for Gecko 1.8.x, due to unwanted side effects on some sites
New in NoScript for Firefox 1.9.9.27 (Dec 19, 2009)
- Placeholder enhancements backported to Gecko 1.8.x
- Fixed missing placeholders on Gecko 1.8.x
New in NoScript for Firefox 1.9.9.26 (Dec 18, 2009)
- Reduced reflow chances on placeholder activation
- Improved InjectionChecker compatibility with Facebook Connect
New in NoScript for Firefox 1.9.9.25 (Dec 18, 2009)
- Fixed Flash swallowed clicks regression on Gecko 1.8.x
New in NoScript for Firefox 1.9.9.24 (Dec 18, 2009)
- Fixed "Temporarily allow" regression
New in NoScript for Firefox 1.9.9.23 (Dec 18, 2009)
- Specific scriptless partial permissions icon for partially allowed framesets
- Reduced disk activity on permission change
- Work-around for a Java initialization failure
New in NoScript for Firefox 1.9.9.22 (Dec 15, 2009)
- Fixed "no partial icon when frameset and frame are scriptless" issue
New in NoScript for Firefox 1.9.9.21 (Dec 15, 2009)
- Better bounding checks for Gecko 1.9.2-compatible ClearClick
- Fixed residual bfcache-related issues
New in NoScript for Firefox 1.9.9.20 (Dec 15, 2009)
- ClearClick made compatible with Gecko 1.9.2
- ClearClick optimization for plugin content
- Improved opacity management in ClearClick
- Added ability for page-level script surrogates to run before page load even on untrusted sites
- New "imdb" script surrogate to watch IMDB trailers without allowing doubleclick.com
- Improved Google Analytics surrogate
- Turned the "fap" surrogate into a generic "popunder" one
- Fixed blocked embeddings info being wiped during bfcache lifecycle
New in NoScript for Firefox 1.9.9.19 (Dec 15, 2009)
- Optimized matching for HTML 5 event handlers injection
- "Allow sites opened through bookmarks" won't allow sites previously marked as untrusted
- Turned the noscript.canonicalFQDN to false by default
- Improved embedded objects identity checks upon reloads
New in NoScript for Firefox 1.9.9.18 (Nov 28, 2009)
- Removed residual compound attribute-based injection chance
New in NoScript for Firefox 1.9.9.17 (Nov 28, 2009)
- Fixed residual crash issue when favicons need to be redirected to HTTPS
- Enhanced ClearClick compatibility with Photbucket
New in NoScript for Firefox 1.9.9.16 (Nov 28, 2009)
- Better object unblocking behavior, triggering a page reload if allowed object has no layout (i.e. was meant to be scripted only), increasing usability of trusted restrictions e.g. in VMWare Server's console
- Work-around for a Firefox image caching crashing bug triggered by HTTPS enforcement on mixed content
- Improved compatibility with Ebay
New in NoScript for Firefox 1.9.9.15 (Nov 17, 2009)
- Fixed HTTPS enforcement for embedded images breaking HTTP authentication
- Fixed XHR breakage when called from a Worker
- Skip link fixing on right click
- Improved bookmarklet execution mechanism
- Improved compatibility of InjectionChecker with Facebook Connect
- Improved compatibility of InjectionChecker with Lycos Mail
New in NoScript for Firefox 1.9.9.14 (Oct 28, 2009)
- Fixed page loading issues (hard to reproduce but reported by many)
New in NoScript for Firefox 1.9.9.13 (Oct 28, 2009)
- Fixed page loading regression from "Hijack checks skip error pages" optimization in 1.9.9.12 (hard to reproduce but reported by many)
- Fixed attribution of Romanian translation
New in NoScript for Firefox 1.9.9.12 (Oct 27, 2009)
- Allowing a plugin object which size is not set causes a page reload, assuming that scripts would be used to size it
- Google Translate XSS exception
- abine:* ClearClick subexception
- Updated localizations
- Removed current URL leaking into RegExp properties if invisible link detection is enabled
- Hijack checks must skip error pages
- Fixed XSS false positive at travelocity.com
New in NoScript for Firefox 1.9.9.11 (Oct 14, 2009)
- Reorganization of the "Embeddings" (FKA "Plugins") options panel
- "Forbid / " option in the "Embeddings" panel
- "Forbid @font-face" option in the "Embeddings" panel
- ClearClick report id made selectable
New in NoScript for Firefox 1.9.9.10 (Oct 14, 2009)
- Webfonts blocking from untrusted sources and on untrusted pages, controlled by the noscript.forbidFonts about:config preference (UI planned for later)
- noscript.forbidMedia about:config preference controlling HTML 5 media blocking independently from the "Forbid other plugins" setting (UI planned for later)
- Improved live object allowing/forbidding
- Fixed potential false positives generated by Spidermonkey's decompiler artifacts
New in NoScript for Firefox 1.9.9.09 (Oct 14, 2009)
- Fixed noscript.forbidData not being honored
- Fixed Trillian to Yahoo Mail! XSS false positive
New in NoScript for Firefox 1.9.9.08 (Oct 14, 2009)
- Fixed potential cache issues due by header cloning on internal redirects
New in NoScript for Firefox 1.9.9.07 (Oct 5, 2009)
- Improved Google Analytics surrogate, handling form submissions
New in NoScript for Firefox 1.9.9.06 (Oct 5, 2009)
- Added https://mail.google.com/* to X-Frame-Options parent whitelist, in order to allow GMail/Calendar mashups via extensions and GreaseMonkey
- Fixed noscript.forbidIFrameContext set to 0 blocking top-level web pages loading
- Fixed Yahoo! Mail login persistence issue
New in NoScript for Firefox 1.9.9.05 (Oct 2, 2009)
- Improved emulation of complex bookmarklet import sequences
- Fixed potential issue in new InjectionChecker C++ style comments code
New in NoScript for Firefox 1.9.9.04 (Oct 2, 2009)
- Fixed header cloning bug in internal redirections
- Better management of C++ style comments in InjectionChecker
- Fixed legacy frames retargeting bug
New in NoScript for Firefox 1.9.9.03 (Oct 2, 2009)
- noscript.frameOptions.enabled about:config preference to control if the X-Frame-Options header must be honored
- noscript.frameOptions.parentWhitelist preference to exclude some parent window from X-Frame-Options checks on their embedded frames
- Enhanced internal redirection mechanism
- Fixed Weave 0.7pre log window incompatibility
New in NoScript for Firefox 1.9.9.02 (Oct 2, 2009)
- Improved InjectionChecker's heuristic
New in NoScript for Firefox 1.9.9.01 (Sep 24, 2009)
- Fixed InjectionChecker micro-injecion scanning bug
New in NoScript for Firefox 1.9.9 (Sep 24, 2009)
- First public Strict Transport Security implementation
- Fixed Javascript disabled in about:neterror pages if the broken destination page is marked as untrusted
- Improved HTTPS enforcement, honoring original referer
- Fixed a potential "unresponsive script" InjectionChecker condition
- Fixed help links not opening from NoScript's UI on Minefield
- Fixed ABE LOCAL symbol matching 172.16.0.0/16 rather than the whole 172.16.0.0/12
New in NoScript for Firefox 1.9.8.89 (Sep 24, 2009)
- InjectionChecker optimization on long Base64 sequences
New in NoScript for Firefox 1.9.8.88 (Sep 24, 2009)
- X-Frame-Options applied only to ultimate load, after redirection (compatibility with IE8's and Chrome's implementation)
- Fixed Flash activation bug on Gecko
New in NoScript for Firefox 1.9.8.87 (Sep 24, 2009)
- Quantserve surrogate script
- Added en-GB locale to legacy Seamonkey install script
New in NoScript for Firefox 1.9.8.86 (Sep 14, 2009)
- Fixed kongregate.com incompatibility
New in NoScript for Firefox 1.9.8.85 (Sep 14, 2009)
- Updated MK locale
- QA for release
New in NoScript for Firefox 1.9.8.84 (Sep 14, 2009)
- Flash object emulation to fool SWFObject 2.2 version detection without instantiating a real Flash object
New in NoScript for Firefox 1.9.8.83 (Sep 14, 2009)
- Fixed bug in the new Flash early instantiation management
New in NoScript for Firefox 1.9.8.82 (Sep 14, 2009)
- Upper limit to bookmarklet setTimeout() emulation, in order to prevent infinite pseudo-loops
- Improved InjectionChecker algorithms
- Early URL-less Flash objects are instantiated only if Flash permissions have been already granted to the origin site
New in NoScript for Firefox 1.9.8.81 (Sep 14, 2009)
- Fixed issue with early manipulation of Flash objects whose source URL has not been set yet
New in NoScript for Firefox 1.9.8.8 (Sep 3, 2009)
- Improved bookmarklet setTimeout() emulation (delay ordering is honored and pseudo-recursion is supported)
- Update locales
New in NoScript for Firefox 1.9.8.7 (Aug 25, 2009)
- Fixed minor bugs in "Recent blocked sites" implementation
- Updated Rumenian
- Fixed encoding issue with configuration import / export / sync (thanks m_c for reporting)
New in NoScript for Firefox 1.9.8.61 (Aug 25, 2009)
- Optimization of multiple regexp preferences
- Fixed XSS filter exceptions not being honored if URL contains percent-encoded character which are invalid UTF-8 code points (thanks Bueller007 for reporting)
- Fixed UTF8 overdecoding checks interfering with some Japanese sites (thanks Bueller007 for reporting)
New in NoScript for Firefox 1.9.8.6 (Aug 25, 2009)
- Reset command in "Recently blocked sites" menu (thanks Fred for suggestion)
- For privacy reasons "Recently blocked sites" are erased everytime user purges history
- Temporary permissions are revoked and "Recently blocked sites" are erased everytime user exits the "Private Browsing" mode
- Fixed DNS-sensitive frame blocking bug
New in NoScript for Firefox 1.9.8.5 (Aug 25, 2009)
- New "Recently blocked sites" menu to allow active content origins which have been recently blocked but are unrelated with current page (e.g. loaded in custom frames provided by extensions)
- Fixed some glitch in temporary permissions handling (thanks computerfreaker for reporting)
- Simplified bookmarklet permissions granting
- Simplified ABERequest lifecycle management
- Prevented potential memory leak
New in NoScript for Firefox 1.9.8.4 (Aug 20, 2009)
- Fixed ABE internal redirection on DNS cache miss interfering with injection checks under some circumstances
New in NoScript for Firefox 1.9.8.3 (Aug 20, 2009)
- Full HTML 5 event attributes InjectionChecker support
- Fixed DNS resolution notification causing event loop spinning and perceived slowness of "Open all in tabs" command
- Removed InjectionChecker bypass (thanks Sirdarckcat for reporting)
- Updated locales
New in NoScript for Firefox 1.9.8.2 (Aug 20, 2009)
- Improved protection against DOS attacks (thanks Gereth Heyes for testbed)
New in NoScript for Firefox 1.9.8.1 (Aug 20, 2009)
- Fixed Mac OS X specific hang bug triggered by STATUS_RESOLVING DNS notifications for some sub-requests
New in NoScript for Firefox 1.9.8 (Aug 10, 2009)
- ABE's caching DNS requests now send STATUS_RESOLVING notifications
- Improved injection checks
- Fixed invalid chars in host names causing loads to fail without any
- visible error feedback
- Work around for breakages caused by the .NET Framework Assistant,
- ABE grammar source (ABE.g) included in the distributed XPI
New in NoScript for Firefox 1.9.7.9 (Aug 4, 2009)
- Improved XSS filter compatibility with some decimal coordinates patterns
- Fixed JavaScript IFrame manipulation causes documents to be loaded in a new window sometimes
New in NoScript for Firefox 1.9.7.86 (Aug 4, 2009)
- Improved XSS filter compatibility with MySpace modules
New in NoScript for Firefox 1.9.7.85 (Aug 4, 2009)
- Improved permission change speed for very long lists / very slow CPUs
New in NoScript for Firefox 1.9.7.84 (Aug 4, 2009)
- Fixed HTTPS-forced subrequests being cancelled sometimes
New in NoScript for Firefox 1.9.7.83 (Aug 4, 2009)
- Fixed HTTPS-forced subrequests being cancelled sometimes
New in NoScript for Firefox 1.9.7.82 (Aug 4, 2009)
- Fixed URL classifier not being called for hosts whose DNS record is not cached yet by ABE
New in NoScript for Firefox 1.9.7.81 (Aug 4, 2009)
- Fixed domain name resolution delayed for cached failed responses after a network reconnection
New in NoScript for Firefox 1.9.7.8 (Aug 4, 2009)
- Fixed invisible links detection turning some links into absolutely positioned if they have no layout on load
- Improved specificity of data: URL injection detection
New in NoScript for Firefox 1.9.7.7 (Jul 31, 2009)
- Fixed DNS cache status interfering with HTTPS redirections
New in NoScript for Firefox 1.9.7.6 (Jul 31, 2009)
- Fixed HTTPS-bound active content restrictions preferences not being honored sometimes
New in NoScript for Firefox 1.9.7.5 (Jul 31, 2009)
- HTML 5 video and audio are blocked also when loaded as documents in a frame or in a top-level window
New in NoScript for Firefox 1.9.7.4 (Jul 30, 2009)
- Decoupled legacy frame blocking from "Forbid IFrames"
New in NoScript for Firefox 1.9.7.3 (Jul 30, 2009)
- Fixed IFrame blocking being delayed to DNS resolution when ABE is active
- Fixed Frame blocking leading to extra history entries on unblocking
New in NoScript for Firefox 1.9.7.2 (Jul 30, 2009)
- Content serviced with the "Content-disposition: attachment" header
- (forced downloads) should not be subject to plugin blocking
- policies
- ABE checks should be skipped for XHR requests made from chrome
New in NoScript for Firefox 1.9.7.1 (Jul 30, 2009)
- Inclusion type checks accomodating hosting errors in AOL gadgets,
- outbrain.com widgets and E-junkie libraries
- Fixed es-CL locale metadata
New in NoScript for Firefox 1.9.6.9 (Jul 22, 2009)
- Fixed default whitelist not being installed on first run anymore since 1.9.6's fix for multibyte temporary allow / mark as untrusted
New in NoScript for Firefox 1.9.6.8 (Jul 22, 2009)
- Inclusion content type checking now graces default file extensions
- Improved XSS filter pre-screening efficiency
- Prefixed content type based inclusion blocking message
New in NoScript for Firefox 1.9.6.7 (Jul 22, 2009)
- Fixed inclusion content type checks blocking Twitter JSON feeds loaded via SCRIPT elements (thanks Mel Reyes for reporting)
New in NoScript for Firefox 1.9.6.6 (Jul 21, 2009)
- Inclusion content type checks made more tolerant to dynamically generated scripts and stylesheets (thanks therube for reporting)
New in NoScript for Firefox 1.9.6.5 (Jul 21, 2009)
- New layer of inclusion protection, checks whether 3rd party scripts and CSSs are served with proper content type (it can be disabled via noscript.checkInclusionType preference; exception patterns can be listed in the noscript.checkInclusionType.exceptions preference)
- Fixed subdomain matching glitch with 1 char subdomain prefixes
New in NoScript for Firefox 1.9.6.4 (Jul 20, 2009)
- Block JAR remote resources being loaded as documents" now blocks also script and CSS cross-site inclusions
New in NoScript for Firefox 1.9.6.3 (Jul 20, 2009)
- Fixed XSS false positives when asynchronous activity must be performed in ABE
New in NoScript for Firefox 1.9.6.2 (Jul 20, 2009)
- Fixed missing plugin placeholder when IFrames are forbidden
New in NoScript for Firefox 1.9.6.1 (Jul 20, 2009)
- Fixed session restore broken by some 1.9.6 ABE optimizations
- Fixed XMarks compatibility issue
New in NoScript for Firefox 1.9.6 (Jul 20, 2009)
- Support for raw IP and subnets with address prefix/mask syntax in ABE rulesets
- Improved UTF-8 XSS protection
- Fixed ABE resource lists parsing glitches
- Improved "Anonymous" (formerly "Logout") ABE action behavior
- Fixed IP display in Allow/Forbid menu items on Gecko >= 1.9
- Added ABE local rulesets to configuration import/export dataset
- Fixed multibyte domain names couldn't be temporarily allowed nor marked as untrusted
New in NoScript for Firefox 1.9.5.73 (Jul 20, 2009)
- Fixed "live" plugin unblocking broken on some sites (thanks therube for reporting)
New in NoScript for Firefox 1.9.5.72 (Jul 20, 2009)
- Fixed CSS bug preventing placeholders from being hidden with Shift+click
New in NoScript for Firefox 1.9.5.71 (Jul 20, 2009)
- Fixed Seamonkey 1.x breakage from 1.9.5.7
New in NoScript for Firefox 1.9.5.7 (Jul 20, 2009)
- ABE Logout action strips query strings from potential authorization and session-related parameters and neutralizes non-idempotent requests by switching their method to GET and removing uploads x Fixed DNS optimizations causing ABE's "Logout" action to abort the request sometimes (Gecko
New in NoScript for Firefox 1.9.5.6 (Jul 20, 2009)
- Work around for Tab Mix Plus beta breaking bookmarklets and URL bar JavaScript one liners on untrusted sites (Fx 3.5)
New in NoScript for Firefox 1.9.5.5 (Jul 20, 2009)
- New Notifications|ABE option to disable ABE notifications + External requests on default ports to domain names different than "localhost" resolving to 127.0.0.1 don't generate notifications, in order to reduce spam from misconfigured hosts files (activity gets still logged to the Error Console and notifications can be restored by toggling the noscript.ABE.notify.namedLoopback preference)
New in NoScript for Firefox 1.9.5.4 (Jul 20, 2009)
- Fixed incompatibility with back-forward gestures in Mouse Gesture Redux
- Fixed "Open all tabs" glitches
New in NoScript for Firefox 1.9.5.3 (Jul 20, 2009)
- Fixed Google Analytics surrogates causing some sites to open "undefined" URLs
New in NoScript for Firefox 1.9.5.2 (Jul 20, 2009)
- Fixed ABE RFC 3330 support bug
New in NoScript for Firefox 1.9.5.1 (Jul 20, 2009)
- Work around for NewTabUrl incompatibility x Fixed undisclosed yet parsing bug (credits will be given where due in a later release)
New in NoScript for Firefox 1.9.5 (Jun 29, 2009)
- Fixed forbidden objects in allowed documents not causing partially allowed icon on first load in Gecko < 1.9 (thanks al9_x for report)
- Fixed forbidden objects in mixed trusted/blacklisted pages not causing partially allowed icon (thanks al9_x for report)
New in NoScript for Firefox 1.9.4.91 (Jun 29, 2009)
- Fixed late request cancelation of scripts preventing page from complete loading
- Fixed refreshing ABE rulesets enabling back disabled local rulesets
New in NoScript for Firefox 1.9.4.9 (Jun 29, 2009)
- Fixed DNS cache purging bug (thanks therube for reporting)
New in NoScript for Firefox 1.9.4.8 (Jun 29, 2009)
- Parallelization of DNS activity bringing huge ABE performance gain
- Minor fixes in LOCAL policies enforcing
New in NoScript for Firefox 1.9.4.7 (Jun 29, 2009)
- Fixed possible deadlock introduced in 1.9.4.6 x Fixed DNS cache purging bug
New in NoScript for Firefox 1.9.4.6 (Jun 29, 2009)
- Refactoring of content policy related code x Another memory optimization iteration x Restored automatic Seamonkey profile install cleaner
New in NoScript for Firefox 1.9.4.5 (Jun 29, 2009)
- Further memory footprint and performance ABE optimizations
New in NoScript for Firefox 1.9.4.4 (Jun 29, 2009)
- Origin tracing speed and accuracy improvements + Enhanced frame busting emulation
New in NoScript for Firefox 1.9.4.3 (Jun 29, 2009)
- Optimized garbage collection in DNS 2nd level cache
New in NoScript for Firefox 1.9.4.2 (Jun 29, 2009)
- Fixed mixed content SSL false positives when ABE enabled x Fixed file:// entry added to whitelist everytime a 2nd level domain gets allowed on Gecko >= 1.9 (thanks GµårÐïåñ for reporting)
New in NoScript for Firefox 1.9.4.1 (Jun 29, 2009)
- Implemented 2nd level DNS cache fixing some artifacts/crashes on Google Maps and some latency issues in Gecko < 1.9 (thanks therube and Alan Baxter for reporting)
New in NoScript for Firefox 1.9.4 RC2 (Jun 29, 2009)
- Fixed page content getting randomly scrambled during heavily concurrent loads when ABE's asynchronous networking is enabled x Fixed password manager autofill failing sometimes (thanks Tommy Coe for reporting)
New in NoScript for Firefox 1.9.4 RC (Jun 29, 2009)
- First stable ABE (Application Boundaries Enforcer) release + Improved JavaScript form submission emulation (thanks aladin235 for reporting about Twitter logout button) + Asyncrhonous networking in Gecko >= 1.9 for ABE preflight requests and DNS checks (can be turned off by noscript.asyncNetworking about:config preference) + noscript.ABE.legacySupport about:config preference to enable ABE on older, less supported platforms (Gecko < 1.9) + Modularized SeaMonkey uninstaller + Bookmarklet emulation made compatible with latest Fx 3.5 builds x Better UI feedback about CAPS parsing artifacts
New in NoScript for Firefox 1.9.3.92 (Jun 29, 2009)
- Fixed missing site rules being repeatedly fetched after 12 hours timeout
New in NoScript for Firefox 1.9.3.91 (Jun 29, 2009)
- Added gstatic.com (Google Maps and other services) to the default whitelist Fixed broken embeddings from file:// URLs (thanks Endor for report)
New in NoScript for Firefox 1.9.3.9 (Jun 29, 2009)
- Fixed import/export buttons for whitelist and full configuration overriding each other (thanks Alan Baxter for reporting)
New in NoScript for Firefox 1.9.3.8 (Jun 29, 2009)
- Precise reporting of ABE DNS failures + Automatically include browser origins in Accept predicates x Lighter XSS checks, relying on ABE for pre-screening when possible (preventing some timeout-related false positives and random hangs)
New in NoScript for Firefox 1.9.3.7 (Jun 29, 2009)
- More accurate NOSCRIPT web-bugs blocking, skipping same origin images and scripted pages (thanks Jorgo for suggestion) x Working link to ABE documentation in NoScript Options|Advanced|ABE x Fixed ABE external editor failing to open on Mac OS X (thanks David Bass for reporting)
New in NoScript for Firefox 1.9.3.6 (Jun 29, 2009)
- Improved Google Analytics script surrogates + New Imagefap anti-popup script surrogates + Seamonkey 1.x streamlined installation process (profile local installations are not supported anymore, but switching to browser-wide is automatic on update) + Seamonkey 1.x automatic uninstall procedure (button provided in NoScript Options)
New in NoScript for Firefox 1.9.3.5 (Jun 29, 2009)
- First public Application Boundaries Enforcer (ABE) prototype, see NoScript Options|Advanced|ABE + SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
New in NoScript for Firefox 1.9.3.4 (Jun 29, 2009)
- First public Application Boundaries Enforcer (ABE) prototype, see NoScript Options|Advanced|ABE + SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
New in NoScript for Firefox 1.9.3.3 (May 24, 2009)
- Fixed fatal exception on JSON XSS checks (thanks HeikoAdams for report)
New in NoScript for Firefox 1.9.3.2 (May 22, 2009)
- Fixed whitelsit import/export broken by new global import/export ( thanks Tim Johnson for report)
New in NoScript for Firefox 1.9.3.1 (May 21, 2009)
- Fixed automatic secure cookie management being enabled by default (thanks therube for report)
New in NoScript for Firefox 1.9.3 (May 20, 2009)
- Redirect loops caused by HTTPS enforcement now trigger the standard redirect loop error page (thanks Matt McCutchen for RFE)
- Fixed https-forced embedded objects not being loaded unless already cached (thanks Matt McCutchen for report)
New in NoScript for Firefox 1.9.2.8 (May 13, 2009)
- 100x speedup of bookmark-based configuration persistence
- NoScript tries to synchronize its configuration with foreign bookmarks when the "Backup configuration in bookmarks" gets enabled in order to ease adding new "slaves"
- Excluded temporary permissions from bookmark-based synchronization
- Fixed XMark synchronization failing because of XMark's 4KB limit on bookmark URIs
- Fixed opening the [NoScript] configuration bookmark hanging the AutoPager extension
- Disqus ClearClick exception
- Feedly ClearClick exception
New in NoScript for Firefox 1.9.2.6 (May 2, 2009)
- NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.
New in NoScript for Firefox 1.9.2.5 (May 2, 2009)
- One-time startup prompt to ask users if they wants to install/keep the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
- Fixed filterset bug: it could be disabled but not removed.
- Fixed "Attempt to fix JS links" not working for drop-down lists on
- Gecko < 1.9 (thanks therube for report)
- Updated zh-CN translation
- Updated el-GR translation
New in NoScript for Firefox 1.9.2.4 (Apr 30, 2009)
- Improved Gecko >= 1.9.1 support
- Updated nl-NL translation
- Fixed notification icons broken on Minefield (Fx 3.6a1pre)
- Fixed blocked objects in "restrictions on trusted sites" mode not being counted for "partially allowed" reporting
New in NoScript for Firefox 1.9.2 (Apr 24, 2009)
- Experimental "Backup NoScript configuration in a bookmark for easy synchronization" feature (enable it in "NoScript Options|General")
- Fixed potential DNS leak in some proxied setups when opening URLs with FQDNs as their hostnames (thanks Rolf Wendolsky for report).
New in NoScript for Firefox 1.9.1.91 (Apr 15, 2009)
- Fixed notifications reporting "Forbidden" on some partially allowed pages
New in NoScript for Firefox 1.9.1.9 (Apr 13, 2009)
- Fixed notifications reporting "Partially allowed" on fully allowed
- pages
- Fixed source code (view-source: originated) POST requests being
- turned into GET requests
New in NoScript for Firefox 1.9.1.8 (Apr 11, 2009)
- New "partially allowed subcontent" icon to indicate that the top site is blocked but some active sub-content (e.g. plugin objects or frames) is enabled
- New script sources inventory behavior reporting "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed unless their hosting document is allowed too
- New "noscript.clearClick.subexceptions" preference to list sources of embedded content which don't need to be protected by ClearClick
- ClearClick compatibility with the "ShareThis" extension
New in NoScript for Firefox 1.9.1.6 (Apr 2, 2009)
- Improved ClearClick specificity on zoomed pages (fixes a false positive on GMail's Flash-based attach link when zoom is active)
- Temporarily disabled ClearClick on 3.6a1pre because of bug 486200
New in NoScript for Firefox 1.9.1.4 (Mar 26, 2009)
- Fixed placeholder size miscalculation for hidden blocked objects (thanks al9_x for report)
- Fixed HTTPS enforcing on documents causing an initial aborted HTTP documents request on Gecko < 1.9 (thanks al_9x for report)
New in NoScript for Firefox 1.9.1.2 (Mar 19, 2009)
- HTTPS forced on background requests (images, stylesheets, scripts, embeddings, AJAX...) as well (thanks mattmccutchen's RFE)
- Fennec 1.0b1 compatibility
New in NoScript for Firefox 1.9.1 (Mar 11, 2009)
- ClearClick performance boost on crowded documents
- Updated French translation
- Reduced log spam on content blocking
New in NoScript for Firefox 1.9.0.8 (Mar 4, 2009)
- Work around for Mozilla bug 453825
New in NoScript for Firefox 1.9.0.7 (Mar 4, 2009)
- Work around for SimpleViewer and other Flash movies replaced with innerHTML breaking on nsIContentPolicy presence (thanks Steffen Zahn for reporting).
New in NoScript for Firefox 1.9.0.6 (Feb 23, 2009)
- Fixed page-level surrogates in subframes being executed too much early to be effective (thanks GossamerGremlin for report)
- Work-around for bug 4066046 (thanks Alice0755)
- Fixed incompatibility with the wfx_Versions extension (thanks Archaeopteryx for report)
- Fixed double activation for nested OBJECT elements, e.g. apple.com QuickTime movies (thanks al_9 for report)
- Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20 (thanks al_9x for report)
New in NoScript for Firefox 1.9.0.5 (Feb 16, 2009)
- pper limits for JS link detection loop
- about:certerror added to the intrinsic whitelist
- ClearClick compatibility with the Link Alert extension
- 3rd party script blocking improvements
- Updated Slovak translation
New in NoScript for Firefox 1.9.0.4 (Feb 7, 2009)
- Fixed XHTML namespacing issues (thanks dhouwn for report)
New in NoScript for Firefox 1.9.0.2 Beta (Feb 2, 2009)
- Fixed X-FRAME-OPTIONS not working inside OBJECT elements
- Restored broken compatibility with Seamonkey 1.0.x (thanks James Andrewartha for report)
New in NoScript for Firefox 1.9 (Feb 1, 2009)
- Improved ClearClick sensitivity (thanks Eric Lawrence for report)
New in NoScript for Firefox 1.8.9.8 Beta (Jan 27, 2009)
- Support for page-level surrogate scripts, executed before pages
- whose URL matches sources patterns starting with "@" start loading
- x Enhanced "catch all" Google Analytics surrogate (thanks Jesse
- Andrew for reporting)
- x Refactored the Silverlight IsVersionSupported() patch to use
- ScriptSurrogate.execute()
- x Streamlined Silverlight support
- Instant placeholders, being shown before page finishes loading
New in NoScript for Firefox 1.8.9.7 (Jan 25, 2009)
- Improved script surrogation reliability
- Fixed URIValidator preferences not being updated at runtime
- Updated Sweden locale
New in NoScript for Firefox 1.8.9.5 Beta (Jan 24, 2009)
- Stricter checks for the "Attempt to fix JavaScript link" feature and emulation of form submission links (thanks Jah for report)
New in NoScript for Firefox 1.8.9.4 Beta (Jan 21, 2009)
- Fixed minimum sized placeholder potentially exceeding smaller frames (thanks greenhatch for report about BetFair's menu)
- Fixed ClearClick form bounds miscalculation with negative coords (thanks Zjakki Willems for report about BlogSpot's search feature)
- Fixed document loaded in a nested iframe when enabling a blocked legacy frame
New in NoScript for Firefox 1.8.9.2 (Jan 18, 2009)
- Fixed page loading stalled sometimes when the final destination of a redirected script inclusion gets blocked by NoScript
New in NoScript for Firefox 1.8.9 (Jan 16, 2009)
- New noscript.clearclick.exceptions preference to specify URL patterns of page where clickjacking shouldn't be checked *.ebay.com ClearClick exception to temporarily work-around a false positive on one-click bids too difficult to reproduce x Performance optimization of the JSON and E4X hijacking protection x Compatibility with Amazon one-click
- Removed __count__ usage triggering a deprecated warning in Fx 3.0.x x Relaxed XSS checks from same-domain HTTPSHTTP requests
- Improved E4X hijacking detection, skips leading XML comments in scripts (http://forums.mozillazine.org/viewtopic.php?p=5488645)
- Updated Japanese translation
New in NoScript for Firefox 1.8.8.94 Beta (Jan 12, 2009)
- Removed a potential document leak
New in NoScript for Firefox 1.8.8.8 (Jan 8, 2009)
- Kazakh translation (thanks Baurzhan Muftakhidinov)
- ClearClick optimization by canvas recycling
- Work-around for bug 472495
New in NoScript for Firefox 1.8.8.5 (Jan 5, 2009)
- Further optimization of Base64 injection checks
- More accurate clipping of scrolling frames in ClearClick
New in NoScript for Firefox 1.8.8.4 Beta (Dec 29, 2008)
- Performance optimization of Base64 checks (thanks Dave Griffiths for reporting an Ebay chatroom issue)
New in NoScript for Firefox 1.8.8 (Dec 28, 2008)
- Fixed rare ClearClick false positives on the bottom edge of scrolling frames
- Fixed ClearClick false positive on some cnbc.com videos
New in NoScript for Firefox 1.8.7.6 (Dec 18, 2008)
- Improved specificity for "location=code" injection checks
- Compatibility with Facebook Connect JSON patterns
New in NoScript for Firefox 1.8.7.4 (Dec 8, 2008)
- Contextual disablement with visual feedback for "Revoke temporary permissions" and "Temporarily allow all on this page" toolbar buttons (thanks WAPCE for suggestion). x Improved early detection of event attribute XSS x Updated Arabic translation by Khaled Hosny
New in NoScript for Firefox 1.8.7 (Dec 2, 2008)
- Updated zh-CN locale
- Enhanced interaction with AdBlock Plus tabs appearing over NoScript placeholders
- Flash-specific placeholder icon
- Java-specific placeholder icon
- Silverlight-specific placeholder icon
- Improved ClearClick compatibility with Google Street View (thanks natron for report)
- Finer grained object reload algorithm for mass permission changes from the "Blocked objects" menu
New in NoScript for Firefox 1.8.6 (Nov 25, 2008)
- Greatly increased sticky menu / Fennec UI responsiveness
- Refactoring of ClearClick's document patching code
- Removed translucency transition from sticky menu
- Extra QA for release
- Updated localizations
New in NoScript for Firefox 1.8.5 (Nov 17, 2008)
- ClearClick enablement options on the ClearClick warning dialog
- ClearClick session whitelist
- Forced non-sticky behavior when there's just one site to allow and noscript.sticky.liveReload is unset
- Fixed placeholders not working on Fx 3.1
New in NoScript for Firefox 1.8.4.5 Beta / 1.8.4.1 (Nov 11, 2008)
- Fixed clicking on icon not hiding menu on Fx 2
- Fixed Entrecard ClearClick false positive
- Fixed AntiXSS filter false positive on some forum ads
New in NoScript for Firefox 1.8.4.1 (Nov 8, 2008)
- Fixed incompatibility causing Tor Button to endlessy reload the page when disabled.
New in NoScript for Firefox 1.8.3.6 (Oct 27, 2008)
- Malay translation (thanks Joshua Issac)
- Croatian translation (thanks Stiepan A. Kovac)
New in NoScript for Firefox 1.8.3.3 (Oct 20, 2008)
- Fixed redirection issue (thanks pumaro for report)
New in NoScript for Firefox 1.8.3.2 (Oct 19, 2008)
- Fixed problem with tab navigation on forms inside frames
New in NoScript for Firefox 1.8.2.9 Beta / 1.8.2.8 (Oct 13, 2008)
- Improved viewport bounds matching
- Fixed incompatibility with iMacros (thanks OneMen)
- Fixed redirected frames 404 issue (thanks pumaro)
New in NoScript for Firefox 1.8.2.5 Beta / 1.8.2.4 (Oct 10, 2008)
- Fixed mailto: protocol not working outside frames (thanks Robert Janc for reporting)
New in NoScript for Firefox 1.8.2.4 (Oct 10, 2008)
- Fixed late breaking POST injection checker regression, causing problems on some forms
New in NoScript for Firefox 1.8.2.2 (Oct 10, 2008)
- Adapted Frame Break Emulation to alternate framebusting idioms
- Several localization updates
- Added a separate "Forbid FRAME" option for legacy FRAME elements (thanks OfficeAngel for request)
- Legacy FRAMEs nested inside IFRAMEs are forbidden by default if IFRAME blocking is on (about:config noscript.forbidMixedFrames)
- Fixed some ClearClick false positives when enabled for trusted sites or with some extensions mixing content and chrome
- Fixed mailto: URIs not working inside frames
- Fixed various typos in English localization of new features
- Restored compatibility with Fx 1.5.0.x (thanks Kevin for help)
New in NoScript for Firefox 1.8.2.1 (Oct 8, 2008)
- ClearClick technology backported to Gecko 1.8.1 based browsers such as Firefox 2.0.x and SeaMonkey 1.1.x
New in NoScript for Firefox 1.8.2 (Oct 7, 2008)
- New "ClearClick" protection, specifically addressing Clickjacking, Clickjacket and other UI-redressing vulnerabilities: UI interaction with embedded objects is disabled if they're obstructed or not clearly visible (thanks Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for inspiration and discussion)
- "ClearClick protection" and "Opacize embedded objects" controls in "NoScript Options|Plugins", to enable/disable them on untrusted and/or trusted pages
- Frame breaker emulation for frames where JS is disabled, controlled by the noscript.emulateFrameBreak about:config preference
- Fixed recursion problem with new legacy frame management
- Changed noscript.forbidIFrameContext default to 3 (allow same domain) unless "forbid non-HTTPS active content" is enforced: if this is the case, scheme must be the same as well.
New in NoScript for Firefox 1.8.1.3 (Sep 18, 2008)
- Version 1.8.3
- Brand new suite of features enhancing HTTPS effectiveness:
- Force HTTPS on most sensitive sites
- Option to disable active content on whitelisted sites which are not served through HTTPS, either always or when connecting through a proxy ("Tor mode"), to mitigate domain spoofing risks in hostile environments
- Automatic and customizable Secure Cookie Management, to protect against HTTPS cookie hijacking. Important: if you got troubles logging in on some sites with this feature on, please get latest development build and, if it does not help, follow the easy advices given in this FAQ
- Better bookmarklet compatibility on untrusted sites.
- Temporarily allow all this page toolbar button.
- Revoke temporary permissions toolbar button.
- Several improvements in blacklisting mode: even if whitelisting is still the recommended safest mode, you can use Allow scripts globally and still block sites you mark as untrusted. More important, you can still enjoy full Anti-XSS protection even while you're keeping JavaScript allowed everywhere.
New in NoScript for Firefox 1.8.1.2 (Sep 17, 2008)
- Switched "HTTPS|Automatic Secure Cookie Management" off by default: even if all the reported login issues (especially the ebay.com one) have been fixed, it probably deserves more testing from opt-in volunteers before a general "default-on" release
- Unsafe cookies can be handled either globally (default), or per tab (noscript.secureCookies.perTab)
- Fixed "force HTTPS" not working across some redirection patterns
New in NoScript for Firefox 1.8.1 (Sep 16, 2008)
- Fixed minor bugs in automatic fall-back for insecure cookies x Updated localizations
New in NoScript for Firefox 1.8 (Sep 3, 2008)
- "Make page permissions permanent" command + Meaningful tooltip for "Allow all in this page" and "Temporarily allow all in this page", listing affected sites
- More meaningful tooltip for Revoke Temporary Permission, listing affected sites and counting affected objects (Gecko >= 1.9) x Rationalized keyboard accelerators for English menu items
New in NoScript for Firefox 1.7.9 (Aug 21, 2008)
- Fixed JS button auto-navigation problem with relative URLs JavaScript redirections detected also in the onload attribute of the body element (thanks timeless)
New in NoScript for Firefox 1.7.6 (Jul 6, 2008)
New in NoScript for Firefox 1.7.1 (Jun 27, 2008)
- Fixed changing permissions on one tab reload all tabs issue (thanks redhat71 for reporting)
New in NoScript for Firefox 1.6.9.3 (Jun 16, 2008)
- Fixed Injection Checker false positive regression on URIs which contain encoded newline characters (thanks Kostas)
New in NoScript for Firefox 1.6.9.1 (Jun 16, 2008)
- Improved XSS JavaScript unicode escape handling Recursive JSON reduction, dramatically cutting analysis time on complex JSON URLs, e.g. for some Orkut widgets
New in NoScript for Firefox 1.1.9.6 (Dec 15, 2007)
- Object placeholder rendering optimization
- Extra QA for release
New in NoScript for Firefox 1.1.9 (Dec 6, 2007)
- Extra QA for release
- Menu rendering speed optimizations
- Emulated TLD Effective service up to 100x speedup
- InjectionChecker performance up to 50x speedup
- Fixed leak regression from 1.1.8.3 redirection handling refinements
- Fixed Firefox notifications not shown if NoScript notifications were suppressed (thanks gecco)
New in NoScript for Firefox 1.1.8 (Nov 12, 2007)
- Version bump for Firefox 3
- Temporarily allow sites matching the regular expression(s) in the
- noscript.whitelistRegExp about:config preference
- Further QA for release
- Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
- Fixed shorthands broken when XSS protection was off
New in NoScript for Firefox 1.1.7.7 (Nov 5, 2007)
- Fixed installation problems with addons.mozilla.org automatic update
New in NoScript for Firefox 1.1.7.2 (Sep 17, 2007)
- Object placeholders' minimum size set to 32x32 for visibility
- Object placeholder override for Microsoft� Silverlight�
- Fixed "Forbid IFRAME" blocking also Flash (thanks niko322)
- Fixed "Forbid IFRAME" blocking also regular frames (thanks ievans)
- Fixed IFRAME in place activation shouldn't reload parent page
New in NoScript for Firefox 1.1.7 (Sep 11, 2007)
- Further QA for release
- Improvements in script redirection management
New in NoScript for Firefox 1.1.6.23 (Sep 4, 2007)
- Work-around for Daily Dilbert extension's CSS bug hijacking statusbar icons (thanks gumble and Archaepterix for reporting)
- Fixed toolbar icon breaking when "Scripts Globally Allowed" and no script found in page (thanks Claus Valca and Gecco for reporting)
- Fixed infobar icon not always properly updated upon tab-switching (regression from 1.1.6.20 feedback fix)
New in NoScript for Firefox 1.1.6.20 (Sep 3, 2007)
- fixed inconsistent status icon feedback
New in NoScript for Firefox 1.1.6.15 (Aug 20, 2007)
- Support for keyword-driven bookmarklets on untrusted pages (thanks Mike Rocker and therube for report/request)noscript.forbidChromeScripts preference (true by default), prevents script tags in content (non chrome:/resource:/file:) documents from referencing chrome
- Fix for fast reload not working on Minefield
- Fixed noscript.forbid ChromeScripts preventing RSS subscribe UI from working: browser packages are whitelisted by default, extensions and other chrome packages can be optionally whitelisted adding a noscript. forbidChrome Exceptions. package Name preference set to true, and the noscript. forbid ChromeScripts preference defaults to false now, since Bug 292789 couldn't do any harm unless some extension does very stupid things.
New in NoScript for Firefox 1.1.6.12 (Aug 2, 2007)
- Fixed configuration conflict preventing javascript: links from opening in some circumstances (thanks england and haklin)
- Optional blocking of tracking images (also known as "Web Bugs") embedded inside NOSCRIPT tags: it can be enable through the noscript.blockNSWB about:config property
- URI Validator facility for on-demand protection against URI-based exploits. You can add your uri-validator anchored regular expressions as an about:config preference named like "noscript.urivalid.protocolname" to validate the URI substring immediately following scheme colon (see the noscript.urivalid.aim pre-configured example entry)
- Minor change in query string parser, it doesn't drop "=" splitted chunks exceeding the first two anymore
New in NoScript for Firefox 1.1.6.08 (Jul 26, 2007)
- Fix for popup content loaded in the opener window regression (from mail/news exploitation protection)
New in NoScript for Firefox 1.1.6.06 (Jul 24, 2007)
- Early protection against URL protocol handling exploitation (see http://tinyurl.com/37o23j and Mozilla bug 389106)
- Fix to ampersand being sometimes escaped by anti-XSS filters
New in NoScript for Firefox 1.1.5 (Jun 28, 2007)
- Removed about:neterror from the permanent non-deletable whitelist (for the super-paranoids, thanks Aerik)
- Minor bug fix, anti-XSS notification bar skipped when an URL nested in a query string gets sanitized
- Extra QA for public release
New in NoScript for Firefox 1.1.4.9 (Jun 20, 2007)
- noscript.injectionCheck about:config option adds first-line detection for XSS injections in GET requests originated by whitelisted sites and landing on top level windows. Value can be: 0 - never check / 1 - check cross-site requests from temporary allowed sites / 2 - check every cross-site request (default) / 3 - check every request
- noscript.jsredirectIgnore about:config option enables/disables the new "Detect and show JavaScript redirections" feature
- noscript.jsredirectFollow about:config option enables/disables auto-following if a single redirect is detected on a textless page
- "Allow top level sites by default" won't affect sites that have been manually forbidden during the current session (to make this exception permanent, mark the site as untrusted)
New in NoScript for Firefox 1.1.4.8.70523 (May 28, 2007)
- Improved notification consistency with back-forward navigation
- Better compatibility with Google Desktop Search and Paypal email
New in NoScript for Firefox 1.1.4.8.070521 (May 22, 2007)
- Fixed regression from bug 53901 work-around, "Mark as untrusted menu" not working anymore
New in NoScript for Firefox 1.1.6.16 (Aug 20, 2007)
- Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from working: browser packages are whitelisted by default, extensions and other chrome packages can be optionally whitelisted adding a noscript.forbidChromeExceptions.packageName preference set to true, and the noscript.forbidChromeScripts preference defaults to false now, since Bug 292789 couldn't do any harm unless some extension does very stupid things.
New in NoScript for Firefox 1.1.4.8.070423 (Apr 24, 2007)
- Lituanian (thanks to Mindaugas Jakutis)
- Additional localization updates and minor fixes
New in NoScript for Firefox 1.1.4.8 (Apr 21, 2007)
- Minor improvements in XSS exceptions regular expression parsing
- Fixed last-minute Seamonkey breakage (many thanks therube!!!)
- 1.1.4.8RC3 (1.1.4.7.070420.1)