What's new in NoScript 11.4.29
Dec 12, 2023
- [nscl] Updated TLDs
- [nscl] Improved reliability of TLD updater
- Removed theme.js console noise
- Fix beta channel updates breakage due to browser_specific_settings override
- [nscl] Several content-side performance improvements
- Reduce synchronous policy retrieval impact on file: and ftp: document loading performance
- More commands for which a keyboard shortcut can be configured
- [L10n] Updated de, fi, mk, nl, pl, ru, sq, tr, uk, pt_BR, zh_CN, zh_TW
- Explicit Android compatibility declaration
New in NoScript 11.4.28 (Oct 10, 2023)
- Prevent URL leaks from media placeholders (thanks NDevTK for report)
- [nscl] Support for in-tree TLDs updates
New in NoScript 11.4.27 (Sep 13, 2023)
- [XSS] Better specificity of HTML elements preliminary checks
- [XSS] Better specificity of potential fragmented injection through framework syntax detection (thanks Rom623, barbaz et al)
- [nscl] RegExp.combo(): RegExp creation by combination for better readability and comments
- [nscl] Replaced lib/sha256.js with web platform native implementation (thanks Martin for suggested patch)
- [nscl] Fixed property/function mismatch (thanks Alex)
- Fixed operators precedence issue #312 (thanks Alex)
- [nscl] Prevent dead object access on BF cache (thanks jamhubub and mriehm)
New in NoScript 11.4.26 (Jul 25, 2023)
- [Android] Fixed regression preventing NoScript prompts from being shown
- [XSS] Fallback to execute most demanding regular expressions asynchronously
- [XSS] Removed obsolete Flash-related checks
- [XSS] Make InjectionChecker's regular expressions easier to debug
- [XSS] Updated OpenID regexp
New in NoScript 11.4.25 (Jul 13, 2023)
- [L10n] Updated ru, tr, zh_CN
- Improved visual cues for selected presets (issue #235, thanks @unsungNovelty for report)
- [Android] Fixed regression: preset labels not correctly sized in landscape mode
- Fixed regression removing hover effect from toolbar buttons
New in NoScript 11.4.24 (Jun 30, 2023)
- [XSS] Fix Base64 hash checks interfering with query string checks (thanks barbaz for reporting)
- [TabGuard] Stop exempting domains bidirectionally by default
- [TabGuard] Fix destination domain being reported as the trigger of a warning prompt when all the other tab-tied domains have been exempted (thanks barbaz for report)
New in NoScript 11.4.23 (Jun 30, 2023)
- [TabGuard] Exclude non-scriptable content types from suspects
- [TabGuard] Check for chains of about:blank puppet tabs
- Mirror NoScript's badge content in the context menu to provide more info (e.g. on XSS or TG status) whenever the toolbar icon is hidden
- [TabGuard] Short circuit requests in non-anonymized tabs
- [TabGuard] Decouple tab ties cutting from one-shot authorized loads cases for same-site navigation
- [TabGuard] Load with credentials when reloading from NoScript's UI
- [TabGuard] "TG" badge on the NoScript icon when the selected tab is anonymized
- [TabGuard] Cut ties and restore authorization info on manual reloads
- [TabGuard] Remove Set-Cookie headers from anonymized requests to prevent unreversible authorization loss
- [TabGuard] Keep track of anonymized requests
- [TabGuard] Keep track of anonymized tabs
- [TabGuard] Fix "never prompt" option's label not being clickable
- [TabGuard] Introduce prompt granularity options (default: prompt only on POST requests)
- Removed invalid CSS
- Avoid unnecessary prompt resizing
- Prevent focus-related console warning when opening prompts
New in NoScript 11.4.22 (May 18, 2023)
- [L10n] Updated uk
- Consistently apply DEFAULT policy to top-level data: URLs
New in NoScript 11.4.21 (Apr 7, 2023)
- Fixed mislabeled Tor Browser settings override option
- [L10n] Updated mk
New in NoScript 11.4.20 (Mar 21, 2023)
- Generalized prompt safety hooks
- Better blob: URL support
New in NoScript 11.4.19 (Mar 21, 2023)
- [nscl] Improved cross-window patch cascading
- [nscl] Avoid unneeded side effects when checking for zombie patched objects
- [nscl] Prompt safety hooks
- [L10n] Updated fr, fi
- Fix font family typo (!283, thanks alex-kinokon)
New in NoScript 11.4.18 (Mar 3, 2023)
- [Firefox on Linux] Fixed detached window UI gets closed when its decoration is clicked (thanks richard for reporting)
New in NoScript 11.4.17 (Mar 3, 2023)
- [nscl] Settings persistence made more reliable and resilient against sync storage unavailability
- [Windows] Changed the tab enforcement toggling shortcut to "Alt+Shift+Comma" (still "Alt+Shift+Space" on desktop OSes other than Windows) - issue #281
- Updated copyright year
- Removed unused files from the source tree
- Fixed "Firefox" being shown instead of "Tor Browser" in the Security Level override option label
- [L10n] Updated pl, tr
New in NoScript 11.4.16 (Feb 13, 2023)
- [L10n] Updated de, nl, pl, ru, sq, zh_CN
- Always open the windowed standalone UI when invoked from the Alt+Shift+N shortcut
- Alt+Shift+Space shortcut to toggle restrictions enforcement for current tab (issue #129, thanks PF4Public for RFE)
New in NoScript 11.4.15 (Feb 1, 2023)
- Use the actual browser's brand name for Tor Browser derivatives
- Always open the windowed standalone UI when invoked from the contextual menu (thanks ZeroUnderscoreOu for reporting)
New in NoScript 11.4.14 (Jan 4, 2023)
- Updated HTML event attributes list
- Uniformed indexed directory Firefox UI emulation to prevent a script blocking bypass on file:// resources (thanks RyotaK for reporting)
- Fixed error being logged in the console on scriptless pages when hitting [Delete] or [Backspace] (thanks barbaz for reporting)
- Work-around for background page misteriously being unloaded sometimes by Firefox
- [L10n] Updated Transifex configuration
New in NoScript 11.4.13 (Nov 27, 2022)
- Ensure theme changes are synchronized across windows, including private ones (thanks barbaz for reporting)
- [UI] Ensure prompts are always centered relative to the parent window in multi-monitors setups
- Switch to "Modern Red Evil" icon contributed by fatboy
- Work-around for Chromium unable to load the placeholder icon
- Themed placeholders
- [nscl] Fixed placeholder fallback styles on Gecko embedding documents
- [L10n] New Romanian (ro) locale (thanks Simona Iacob and Inpresentia I.)
New in NoScript 11.4.12 (Nov 15, 2022)
- [L10n] Updated is, mk
- [L10n] New Finnish (fi) locale (thanks RJuho, olavinto and ricky.tigg)
- [L10n] New Ukrainian (uk) locale (thanks Kataphan, MuS and uniss)
- [L10n] New Persian (fa) locale (thanks voxp and magnifico)
New in NoScript 11.4.11 (Sep 15, 2022)
- Fix broken NoScript dialogs when browser.privatebrowsing.autostart = true (issue#259, thanks foenix for reporting)
- Avoid using fallback origins for main_frame loads
New in NoScript 11.4.10 (Sep 1, 2022)
- [TabTies] Cascade and merge ties in a shared pool, to prevent them from being cut by closing a middle tab (thanks NDevTK for reporting)
- Extended origin normalization to top-level documents (thanks NDevTK for reporting)
- [TabGuard] Fixed regression in about:blank handling (thanks NDevTK for reporting)
- Better origin guess for requests from sandboxed iframes (thanks NDevTK for reporting)
- More precise tracking of implicit origins in tab URLs
- [nscl] Stricter criteria for cutting tab relations (thanks NDevTK for reporting)
- Use window.origin when fetching policies for inheriting special URLs (thanks NDevTK for reporting)
- Better build script compatibility
New in NoScript 11.4.9 (Aug 21, 2022)
- [L10n] Updated pl, tr, zh_CN
- [TabGuard] Abort the load when the warning dialog is closed by any mean except the OK button
- [TabGuard] Stricter criteria for cutting tab relations (thanks fatboy for reporting)
New in NoScript 11.4.8 (Aug 21, 2022)
- Cross-tab identity leak protection ("TabGuard", see tor-browser#41071, thanks barbaz and fatboy for testing)
- [TabGuard] Better request lifecycle management
- [L10n] Updated de, it, nl, ru, sq
- [l10n] Automatic pull for 100% completed translations only
New in NoScript 11.4.7 (Aug 8, 2022)
- [XSS] Fixed regression in invalid characters optimization causing false negatives (thanks Tsubasa for reporting)
- Minor build script enhancement
New in NoScript 11.4.6 (May 30, 2022)
- [nscl] Copy NOSCRIPT elements' attribute in emulated replacements (issue #238)
- [XSS] Correct for concurrency in timeout checks
- [UI] Flatter preset appearance
- [UI] Focus visual feedback adjustments
- Inclusion-time TLD updates
- Updated HTML events
- [L10n] Updated pl
- Opaque white for vintage lock icons
- [L10n] Updated is
New in NoScript 11.4.5 (Apr 18, 2022)
- Improved preset sizing
- Reduce toolbar bottom shaded line tickness
- [L10n] Updated he
- Various user-driven visual tweaks
- Fixed vintage icon brightness in automatic light mode
- Minor icon tweaks
New in NoScript 11.4.4 (Apr 1, 2022)
- [L10n] Updated mk
- Removed "clearclick" item from default settings
- Better layout for mixed status icons
New in NoScript 11.4.3 (Mar 28, 2022)
- Reversed colors in Modern Red permissive icons for better contrast
- Fixed regression causing only signed builds to complete
New in NoScript 11.4.2 (Mar 28, 2022)
- Dark scheme for high contrast toolbar buttons (issue #142)
- Reduce toolbar unused space
- Better contrast for "unsafe" URL labels
- Cleaner and more definite checked preset layout
- Less blurry focus halo
- [l10n] Updated pt_BR (thanks @DavidBrazSan)
- Removed eyes from default disabled and unrestricted small icons
- Improved preset label positioning
- Improved visual cues for selected presets (issue #235, thanks @unsungNovelty for report)
- Fixed regression removing hover effect from toolbar buttons
- More balanced Modern Red icon set
- [L10n] Updated de, es, fr is, nl, ru, sq, tr, zh_CN
- Move XSS options down one line
- New "Enable restrictions on browser restart" option
- Localizable Modern Red / Vintage Blue switch.
- Minor cross-theme visual tweakings
- Override dark vintage theme brightness filter on images for important UX cues
- Fix too wide CSS scope bleeding into page style (thanks SuperPat45 for report)
New in NoScript 11.4.1 (Mar 23, 2022)
- Support for reverting to the "Vintage Blue" style (NoScript Options/Appearance)
- Various tweaks to the "Moder Red" dark and light themes
New in NoScript 11.4 (Mar 21, 2022)
- Visual refresh based on Simply Secure concept artwork
- Full Dark/Light color schemes support
- [l10n] Many languages updates
- Include ServiceWorker-initiated fetch requests in UI reporting (thanks 0_o for report)
- Remove redundant style patching
- Prompts can be closed by keyboard: Enter emulates the default button click, Escape the cancel action
- Ensure better visibility for in-popup message box
- Sticky toolbar and scrollable fixed-height content in browserAction popups
- [XSS] Automatically reload page when clearing XSS choice from popup
- [XSS] Enable "Clear XSS Choices" button only if some item is selected
- Remember last active tab when opening the option window
- Avoid useless reload if no actual change has happened in enforcement status
- Fix for regression: request and execution attempts not being reported anymore in the UI if restrictions are disabled (thanks Stefan Mey for report)
- Dark mode support
- Improved high contrast layout
- Fixed automatic reload not always triggered for CUSTOM tweakings
- More consistent cross-browser widgets
- Partial status indicator on the left of the icon, to accommodate Chromium's badge position
- Make focus hint less elusive for needed capability widgets
- More accurate blocking stats
New in NoScript 11.3.7 (Mar 2, 2022)
- Always avoid DNS resolution when a HTTP(S) proxy is used (thanks nojake for reporting)
New in NoScript 11.3.6 (Feb 28, 2022)
- Make high contrast and draggable toolbar items mutually exclusive
- [Chromium] Fix high contrast option not working
- Avoid flashing empty graveyard on popup opening
- More deterministic DnD placeholder creation
- [L10n] Updated fr, es, nl, zh_CN
- Make disabled buttons draggable and hidden enabled buttons interactive when the "graveyard" is open
- Close UI and reload immediately when enabling global/tab restrictions or disabling them for the tab only
New in NoScript 11.3.5 (Feb 28, 2022)
- [L10n] Updated de, mk, ru, sq, tr
- Fix regressions in draggable toolbar buttons
- [Android] Better styling for icon buttons in message box
New in NoScript 11.3.4 (Feb 25, 2022)
- Avoid closing the customizer on arrow up key context selection change (thanks barbaz for reporting)
- Prominently warn user whenever restrictions are disabled
- Better accessibility and styling for popup global buttons
- [L10n] Updated de
- Fix for contextual permissions display inconsistencies in options panel (thanks barbaz for reporting)
New in NoScript 11.3.3 (Feb 21, 2022)
- [Android] Improved CUSTOM panel portrait layout
- Play nice with the Viewhance extension
- Avoid synchronous fetching for remote embedding documents
- Fixed typo in UI context dropdown initial selection
- Fixed wrong label for http: sites in contextual policy UI (thanks barbaz for reporting)
- Fix for first party context policy ignored on first load in new tabs (thanks ayi for reporting)
- Consolidate best effort policy fetching
- Use correct context for all subresources checks (thanks user72 for reporting) queries on Firefox (thanks vexity for reporting)
- [L10n] Updated de, es, he
New in NoScript 11.3.2 (Feb 18, 2022)
- Prevent LAN protection from breaking webRequest blocking on the Tor Browser (thanks TorBrowserUser for reporting)
New in NoScript 11.3.1 (Feb 18, 2022)
- Ensure onBeforRequest is always synchronous on Chromium
- Remove dns permission for Chromium, since the asynchronous API is useless in synchronous webRequest
- Fix regression: CUSTOM UI broken on Gecko 77 and below
- Localized reset button
- [nscl] Fix for null origin URL objects breaking Sites parser (thanks kinet1k for reporting)
- [L10n] Updated translations
New in NoScript 11.3 (Feb 16, 2022)
- LAN capability to check for cross-zone WAN to LAN requests (thanks barbaz for ABE webext contributions)
- Contextual policies (different capabilities for the same origin, depending on the top-level domain) configurable in the CUSTOM panel (thanks NLnet for financial support)
New in NoScript 11.2.25 (Feb 14, 2022)
- More robust policy fetching
- [Firefox] Fix regression causing file:// policy not to be correctly enforced sometimes
New in NoScript 11.2.23 (Feb 11, 2022)
- [nscl] Fix rare breakages due to xray cloning
New in NoScript 11.2.22 (Feb 11, 2022)
- Parallel sync/async for best effort policy fetching under any circumstance
New in NoScript 11.2.21 (Feb 10, 2022)
- Better fallback for failing syncMessage
- [XSS] Simplified preemptive name sanitization
New in NoScript 11.2.20 (Feb 9, 2022)
- [L10n] Updated de
- [XSS] Fix false positive warning when "name" is in the query string (thanks John Shield / DuckDuckGo for reporting)
New in NoScript 11.2.19 (Feb 4, 2022)
- [XSS] Faster invalidCharsRx initialization on Gecko 78 and above
- [XSS] More resilient name handling
- [nscl] Use HTTPS SyncMessage endpoint for Chromium too (works around lack of file access by default on packed extensions breaking NoScript)
New in NoScript 11.2.18 (Feb 4, 2022)
- [nscl] Use HTTPS SyncMessage endpoint for Chromium too (works around lack of file access by default on packed extensions breaking NoScript)
New in NoScript 11.2.16 (Feb 1, 2022)
- Fallback to synchronous policy fetching if the document is already loaded (e.g. on updates)
- [XSS] Interactive testing made a bit easier
- [nscl] Mitigate side effects of dead objects on patched windows during extension updates
- [XSS] Fix false positive on Microsoft authentication (thanks GrK and Hanna_Payne for reporting)
- [nscl] Work-around for object element initialization inconsistencies on Firefox (thanks skriptimaahinen for reporting)
- [L10n] Updated fr
- Better support for service workers in unrestricted modes (thanks Mark McVeigh for reporting)
New in NoScript 11.2.15 (Jan 20, 2022)
- [Android] Work-around for Firefox "forgetting" tabs
- [nscl] Improved cross-frame auto-patching
New in NoScript 11.2.14 (Dec 31, 2021)
- [nscl] Updated SyncMessage fixes conflict with other content blockers (thanks gwarser, barbaz and Baraoic)
- [XSS] Tweaked risky operator check prevents false positive on outbound Twitter navigation (thanks @muchtypo for reporting)
- [XSS] Better logging for JS fragment detection
- [XSS] Fixed performance regression in invalid character ranges generation causing random XSS "DOS" false positives
- Fetch policy for baseURI if document.domain is empty
- [L10n] Updated ja, lt, pl, ru, zh_CN
- Always fetch policy synchronously, if missing
- Fixed undetermined status icon on BF cache page loads
- [nscl] Fix webgl blocking regression due to xray wrappers confusion (thanks skriptimaahinen)
- [nscl] Prevent unnecessary breakages on pages inspecting canvas.getContext when webgl is disabled
- [nscl] Reduce the risk to interfere with scripts messing with the media attribute (issue #207)
New in NoScript 11.2.13 (Dec 29, 2021)
- [XSS] Tweaked risky operator check prevents false positive on outbound Twitter navigation (thanks @muchtypo for reporting)
- [XSS] Better logging for JS fragment detection
- [XSS] Fixed performance regression in invalid character ranges generation causing random XSS "DOS" false positives
- Fetch policy for baseURI if document.domain is empty
- [L10n] Updated ja, lt, pl, ru, zh_CN
- Always fetch policy synchronously, if missing
- Fixed undetermined status icon on BF cache page loads
- [nscl] Fix webgl blocking regression due to xray wrappers confusion (thanks skriptimaahinen)
- [nscl] Prevent unnecessary breakages on pages inspecting canvas.getContext when webgl is disabled
- [nscl] Reduce the risk to interfere with scripts messing with the media attribute (issue #207)
New in NoScript 11.2.11 (Jul 28, 2021)
- [nscl] Fixed JavaScript access to CSS rules broken on Chromium when unrestricted CSS is disabled - issue #204
- Prevent Chromium builds from being sent to AMO for signing
- [nscl] Fixed CPU/RAM overload on some pages with unrestricted CSS disabled but scripting enabled (not recommended setting) - issue #194, issue #199
- [nscl] Fixed CPU spikes on Chromium triggered by automatic file downloads (thanks ptheborg for report)
New in NoScript 11.2.10 (Jul 25, 2021)
- Cross-browser file naming consistency, in spite of version numbering incompatibilities
- [nscl] Fix for potential race conditions on certain page transitions (issue #205)
- Handle exception when accessing navigator.serviceWorker on sandboxed frames
- MS Edge support
New in NoScript 11.2.9 (Jun 24, 2021)
- [L10n] Updated de, mk
- Replace deprecated extension.getURL() with runtime.getURL()
- REUSE-compliant licensing boilerplate
- Remove unused/refactored-out files
- Relicensing as GPL3+
- [nscl] Fixed infinite recursion issue on window.open wrappers
- Avoid treating JavaScript files as embeddings when opened as top-level documents
New in NoScript 11.2.8 (May 20, 2021)
- Quiet down unnecessary debug logging (issue #191)
- [L10n] Updated he, de
- Fix meta refresh sometimes ignored on Firefox 78 ESR (issue #192, thanks hackerncoder for report)
- Chromium-specific build-time customizations
New in NoScript 11.2.7 (May 6, 2021)
- Better prompt layout (no accidental scrollbar)
- [nscl] Fix regression causing media patches to break some pages (thanks l0drex for report, issue #189)
New in NoScript 11.2.6 (May 4, 2021)
- [nscl] Various webgl blocking enhancements
- Remove also sticky-positioned elements with click+DEL on scriptless pages (thanks skriptimaahinen for RFE)
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fixed race condition causing external CSS not to be rendered sometimes when unrestricted CSS is disabled
- Avoid document rewriting for noscript meta refresh emulation in most cases
- [nscl] Fixed XHTML pages broken when served with application/xml MIME type and no "object" capability
- [nscl] Switch early content script configuration to use /nscl/service/DocStartInjection.js
- Configurable "unrestricted CSS" capability to for sites where the CSS PP0 mitigation should be disabled (e.g TRUSTED)
- [nscl] Fix CSS PP0 mitigation still interfering with some WebExtensions (thanks barbaz for report)
- [XSS] Increased sensitivity and specificity of risky operator pre-checks
New in NoScript 11.2.4 (Mar 29, 2021)
- CSS resources prefetching as a mitigation against CSS PP0 (https://github.com/Yossioren/pp0)
- [L10n] Updated br, de, el, es, fr, he, is, nl, pl, pt_BR, ru, sq, tr, zh_CN
- [nscl] Inteception of webgl context creation in OffscreenCanvas too
- Fixed configuration upgrades not applied on manual updates (thanks Nan for reporting)
- Mitigation for misbehaving pages repeating failed requests in a tight loop
- [UI] More understandable label for the cascading restrictions option
- [nscl] More refactoring out in NoScript Commons Library
- [nscl] patchWindow improvements
New in NoScript 11.2.3 (Feb 18, 2021)
- [L10n] Purged non-inclusive terms from obsolete messages
- Added red halo feedback in CUSTOM preset for noscript element capability
- Fixed missing red halo feedback in CUSTOM preset for inline scripts and other capabilities sometimes
- Fixed race condition causing noscript elements not to be rendered sometimes
New in NoScript 11.2.2 (Feb 17, 2021)
- Fixed typo in version checked on noscript capability update.
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW.
New in NoScript 11.2.1 (Feb 17, 2021)
- Configurable capability to show noscript elements on script-disabled pages
- [UI] Minor CSS Chromium compatibility fix
- [nscl] Refactoring to use Policy and its dependencies from the NoScript Commons Library
- Switch to faster and easier to maintain tld.js from nscl
- [UI] Fix punycode inconsistencies
- [UI] improve preset and site controls alignment
- Provide feedback in the CUSTOM tab for WebGL usage attempts even if the canvas element is not attached to the DOM
- [L10n] Updated de, ja
- Updated HTML events
- Prevent double script on trusted file:// pages in some edge cases
- Prevent detection of wrapped functions (e.g. in WebGL interception) on Chromium
New in NoScript 11.2 (Jan 27, 2021)
- [XSS] New UI to reveal and selectively remove permanent user choices
- [L10n] Updated de
- Webgl hook refactored on nscl/content/patchWindow.js and made Chromium-compatibile
- Updated TLDs
New in NoScript 11.1.9 (Jan 19, 2021)
- Return null when webgl is not allowed (thanks Matthew Finkel for patch)
- [XSS] Fixed memoization bug resulting in performance degradation on some payloads
- [XSS] Include call stack in debugging log output
- [XSS] Skip naps when InjectionChecker runs in its own worker
- Shortcut for easier XSS filter testing
- More lenient filter to add a new entry to per-site permissions
- [L10n] Updated de
- Replace script-embedded bitmap with css-embedded SVG as the placeholder logo
- Updated TLDs
- Remove source map reference causing console noise
- Fix per-site permissions UI glitches when base domain is added to existing subdomain (thanks barbaz for reporting)
New in NoScript 11.1.8 (Jan 8, 2021)
- [XSS] Fix for old pre-screening optimization exploitable to bypass the filter in recent browsers - thanks Tsubasa
- FUJII (@reinforchu) for reporting
- Replace DOM-based entity decoding with the he.js pure JS library
- Updated copyright statement
- Updated browser-polyfill.js
- Removed obsolete fastclick.js dependency
- [l10n] Updated de (thanks ib and Musonius)
- Updated TLDs
New in NoScript 11.1.7 (Dec 23, 2020)
- Optimize serviceWorker tracking for heavy tabs usage (thanks vadimm and barbaz for investigation)
- Force placeholder visibility on Youtube embeddings
- Fixed popup opening being slowed down if options UI is opened (thanks Sirus for report)
- Explicit failure for wrong settings importation formats
- Updated TLDs
New in NoScript 11.1.6 (Dec 11, 2020)
- Better handling of concurrent prompts issues (thanks billarbor for reporting)
- Remove z-index boosting from ancestors when placeholder is collapsed or replaced (issue #162)
- Fixed permission keyboard shortcuts being triggered with modifiers like CTRL (thanks barbaz for report)
- More accurate blockage reporting, with better filtering of page's own CSP effects
- [UI] Fixed bug in CUSTOM sites filtering (thanks barbaz for reporting)
- Fixed bug in automatic HTML events build-time updates
- Updated HTML events
- Updated TLDs
- [L10n] Updated sv_SE
- Better handling 0 width / 0 height media placeholders
New in NoScript 11.1.5 (Nov 6, 2020)
- Updated TLD
- Fixed potential infinite loop via DOMContentLoaded
- Work-around for Firefox 82 media redirection bug (thanks ppxxbu and skriptimaahinen)
- Updated TLDs
New in NoScript 11.1.4 (Oct 27, 2020)
- Fixed sloppy CSP media blocker detection breaking MSE
- blob: media placeholders on Chromium
- Fixed race condition causing temporary settings not to survive updates sometimes
- Updated TLDs
- [Mobile] Improved prompts appearance on Android
New in NoScript 11.1.4 RC 3 (Oct 26, 2020)
- Fixed sloppy CSP media blocker detection breaking MSE
- blob: media placeholders on Chromium
New in NoScript 11.1.3 (Oct 12, 2020)
- Fixed regression: document media and font restrictions always cascaded (thanks BrainDedd for report)
- Remove domPolicy logging when debugging is off
- Trivial reordering from Mozilla source
- Updated TLDs
New in NoScript 11.1.1 (Oct 8, 2020)
- Updated TLDs
- Better heuristic to figure out missing data while computing contextual policies
- Fixed regression breaking per-tab restrictions disablement (thanks Horsefly for report)
New in NoScript 11.0.46 (Sep 21, 2020)
- Updated TLDs
- [L10n] Updated is
- Fixed file:// and ftp:// specific content scripts not runnning in subdocuments
- Fixed deferred scripts in file:// pages may run twice (issue #155)
- Fixed rendering bug with scrolled file:// pages on soft reload (thanks Iouri for report)
- Fixed 11.0.44 regression: ghost media item reported on every page
- Better emulation of SVG events
New in NoScript 11.0.44 (Sep 15, 2020)
- Dispatch synthetic SVGLoad event in soft load when needed
- [L10n] Updated da, es
- Fixed namespacing issues with script replacements
- Fixed media placeholder not shown when blocking Youtube movies
- Work around for unpredictable content script execution order
- Ensure content of NoScript prompts is always visible
- Fixed soft reload messing with non UTF-8 encodings (thanks "Quest" for reporting)
- Updated TLDs
- [XSS] Fixed escape detection bug causing strage false positives (thanks Dave Howorth for report)
New in NoScript 11.0.43 (Sep 9, 2020)
- Fix for some race conditions causing corruptions in non-HTML non-XML documents
New in NoScript 11.0.42 (Sep 7, 2020)
- Avoid useless "seen" reports from onBeforeRequest()
- Catch broadcast messaging errors
- Make build.sh tag push even already created tags
- Updated TLDs
- Work-around for applying DOM CSP to non-HTML XML documents (thanks skriptimaahinen)
- Document freezing to handle SVG and other XML documents as a fallback before CSP insertion
- Refactored and improved syncFetchPolicy fallback for file: and ftp: special cases
New in NoScript 11.0.41 (Aug 25, 2020)
- More precise event suppression mechanism
- Fixed regression: events suppressed on file:// pages unless scripts are allowed
- Updated TLDs
New in NoScript 11.0.40 RC 2 (Aug 24, 2020)
- Avoid synchronous policy fetching whenever possible
New in NoScript 11.0.39 (Aug 21, 2020)
- Fix reload loops on broken file: HTML documents (thanks bernie for report)
- [XSS] Updated HTML event attributes
- Local policy fallback for file: and ftp: URLs using window.name rather than sessionStorage
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Added "Revoke temporary permissions on NoScript updates, even if the browser is not restarted" advanced option
- Let temporary permissions survive NoScript updates (shameless hack)
- Fixed some traps around Messages abstraction
- Ignore search / hash on policy matching of domain-less URLs (e.g. file:///...)
- Updated TLDs
- Fixed automatic scrolling hampers usability on long sites lists in popup
- Better timing for event attributes removal/restore
- Work-arounds for edge cases in synchronous page loads bypassing webRequest (thanks skriptimaahinen)
New in NoScript 11.0.38 (Aug 17, 2020)
- Better timing for event attributes removal/restore
- Work-arounds for edge cases in synchronous page loads bypassing webRequest (thanks skriptimaahinen)
- [L10n] Updated bn
New in NoScript 11.0.37 (Aug 11, 2020)
- Simpler and more reliable sendSyncMessage implementation and usage
- SendSyncMessage support for multiple suspension requests (should fix extension script injection issues)
- Updated TLDs
New in NoScript 11.0.36 (Aug 7, 2020)
- Fixed regression: temporary permissions revocation not working anymore on privileged pages
- SendSyncMessage script execution safety net more compatible with other extensions (e.g. BlockTube)
New in NoScript 11.0.35 (Aug 7, 2020)
- Avoid unnecessary reloads on temporary permissions revocation
- [UI] Removed accidental cyan background for site labels
- [L10n] Updated es
- Work-around for conflict with extensions inserting elements into content pages' DOM early
- [XSS] Updated HTML events
- Updated TLDs
- Fixed buggy policy references in the Options dialog
- More accurate NOSCRIPT element emulation
- Anticipate onScriptDisabled surrogates to first script-src 'none' CSP violation
- isTrusted checks for all the content events
- Improved look in mobile portrait mode
- Let SyncMessage prevent undesired script execution scheduled during suspension
New in NoScript 11.0.34 (Jul 13, 2020)
- Fixed regression breaking network-based CSP injection
New in NoScript 11.0.33 (Jul 10, 2020)
- Switch from HTTP to DOM event based CSP reporting in compatible browsers
- [XSS] Updated HTML event attributes
- Updated TLDs
New in NoScript 11.0.32 (Jun 23, 2020)
- [L10n] Updated it, mk, sv_SE
- Fixed setting CUSTOM permissions in private mode may cause the TRUSTED preset to become temporary
- Updated TLDs
- [XSS] Updated HTML 5 events support
- More compact high contrast appearance
New in NoScript 11.0.31 (Jun 10, 2020)
- Focus "OK" button on dialog-mode UI
- Fixed various toolbar buttons DnD issues
- Updated TLDs
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fixed very low contrast HTTPS-only label in High Contrast
- mode
New in NoScript 11.0.30 (Jun 5, 2020)
- Discoverable option to force site-leaking UI in PBM/Incognito
- [L10n] Updated he
- Easier keyboard navigation of preset configuration
- Yellow-less UI palette
New in NoScript 11.0.29 (Jun 5, 2020)
- Consistent focus appearance across desktop and mobile
- Fixed regression on Firefox 68 for Android: UI cannot be closed (thanks swalchko for report)
New in NoScript 11.0.28 (Jun 5, 2020)
- Don't enforce Incognito UI restrictions if the "Override Tor Browser Security Level preset" option is checked
- Incognito-aware permissions persistence and UI
- (https://trac.torproject.org/projects/tor/ticket/29957)
- Removed inline preset options relics
- Reset non-secure site matches to DEFAULT unless setting
- UNTRUSTED to avoid confusion on preset changes
- [A11y] Keyboard-based UI navigation
- Updated TLDs
- Work-around Gecko 77 cached CSP issues (thanks acat for https://trac.torproject.org/projects/tor/ticket/34305)
New in NoScript 11.0.26 (May 18, 2020)
- UI adjustments for better mobile experience (thanks Bram Pitoyo for suggestions)
- Updated HTML 5 events archive
- Updated TLDs
- Fixed hard reload needed after releasing restrictions (regression on Firefox Beta)
- Fixed 3rd party scripts blocking regression on Firefox
- Trunk due to XBL removal (thanks guardao for reporting)
- Fixed typo in unused yet code
New in NoScript 11.0.25 (Apr 21, 2020)
- [XSS] Fixed false positives and timeouts (thanks riaggren for report)
New in NoScript 11.0.24 (Apr 17, 2020)
- Fixed SoundCloud login broken by NoScript being enabled
- [XSS] Updated HTML5 events
- Updated TLDs
New in NoScript 11.0.23 (Mar 26, 2020)
- Updated TLDs
- Further refresh syntax parsing leniency (thanks insertscript)
New in NoScript 11.0.22 (Mar 23, 2020)
- Updated TLDs
- [L10n] Updated he
- Uniform refresh url matching across HTTP and DOM checks (thanks insertscript)
New in NoScript 11.0.21 (Mar 23, 2020)
- Fixed URL matching regexp (thanks insertscript)
New in NoScript 11.0.20 (Mar 23, 2020)
- More aggressive blocking for data: refresh attempts (thanks insertscript)
New in NoScript 11.0.19 (Mar 19, 2020)
- Prevent ANY redirection to data: URIs in documents
New in NoScript 11.0.18 (Mar 17, 2020)
- Automated "Updated TLDs" commit
- Updated TLDs
- Apply "font-family: Inter" to the mobile stylesheet only
- Support synonims for "release"
New in NoScript 11.0.17 (Mar 15, 2020)
- Updated TLDs
- Force CSP inheritance for redirections to data: URIs on Gecko pre-69
- Added CSS reference to Inter font to improve UI look on Fenix
New in NoScript 11.0.15 (Mar 3, 2020)
- Fixed CapsCSP bug allowing data: URLs to bypass font blocking (thanks dcent and skriptimaahinen)
- [XSS] Prevent DOS detection from being triggered for already aborted requests (thanks barbaz)
- [L10n] Updated es and added bn
- [XSS] More accurate base64 checks on hash
- Updated TLDs
- Minor adjustments for Firefox Preview (Fenix) compatibility
- Refactored XSS filter into an asynchronous worker to better handle DOS attempts
- [XSS] Abort on InjectionChecker timeouts
- [XSS] Updated recognized HTML events
- Fixed autoreload after popup closing broken on Vivaldi
New in NoScript 11.0.13 (Jan 30, 2020)
- [Chromium] Fix SyncMessage broken by feature-policy headers
- Remove "application" manifest.json key from Chromium packages
New in NoScript 11.0.12 (Jan 10, 2020)
- [L10n] Updated ru
- Unrestricted tab support for service workers and their included 3rd party scripts
- Record document origins in TabStatus
- Support for reporting service workers and their imported scripts in UI
- Cross-browser request properties normalization
- Updated TLDs
- Fixed initial requst URL lost across redirections
- Updated copyright statement
- Fixed settings export button broken on Vivaldi (issue #124)
- Fixed UNTRUSTED domains accidentally set in "match HTTPS only" mode (issue #126)
New in NoScript 11.0.11 (Dec 30, 2019)
- [L10n] Updated da, de, fr, he, it, mk, nl, ru, sq, tr, zh_TW
- Fixed UI not working on pages were sessionStorage is disabled
- Updated TLDs
- Added "ping" (beacon/ping) capability control
New in NoScript 11.0.10 (Dec 24, 2019)
- Order change in html5 events source
- Updated TLDs
- Removed unused "privacy" permission
- Fixed shortcut and context menu doing nothing unless browserAction icon is visible on Firefox (issue 58)
- [L10n] Updated de, fr, he, nl, tr
- Updated TLDs
- Fix minor typo regarding appearance redundancy (issue 61)
- Fixed scripts could not be enabled on file: SVG documents
New in NoScript 11.0.10 RC 3 (Dec 24, 2019)
- Order change in html5 events source
- Updated TLDs
- Removed unused "privacy" permission
New in NoScript 11.0.10 RC 2 (Dec 12, 2019)
- Fixed shortcut and context menu doing nothing unless browserAction icon is visible on Firefox (issue 58)
- [L10n] Updated de, fr, he, nl, tr
- Updated TLDs
- Fix minor typo regarding appearance redundancy (issue 61)
New in NoScript 11.0.10 RC 1 (Nov 26, 2019)
- Updated TLDs
- Fixed scripts could not be enabled on file: SVG documents
New in NoScript 11.0.9 (Nov 19, 2019)
- [Chromium] Prevent duplicated MSE placeholders (e.g. on Youtube)
- Fixed external scripts included in HEAD of file:// pages failing (issue #115)
- [XSS] Updated HTML 5 events inventory
- Best effort to make media placeholders visible and clickable
- Placeholders for MSE on Chromium too
- Use invalid IP rather than domain name to prevent offline status from breaking sync messaging in Chromium
- Removed empty exportFunction() Chromium shim
- Updated TLDs
New in NoScript 11.0.8 (Nov 8, 2019)
- [L10n] Updated da, ja, lt, mk, nl
- Fixed onionSecure setting persistence issue (Tor ticket #32362)
- Fixed CSP DOM injection breaking XML documents rendering
New in NoScript 11.0.8 RC 1 (Nov 7, 2019)
- [L10n] Updated da, ja, lt, mk, nl
- Fixed onionSecure setting persistence issue
- Fixed CSP DOM injection breaking XML documents rendering
New in NoScript 11.0.7 (Nov 7, 2019)
- Use fragments to reinsert and run previously blocked scripts
- Fetch policies asynchronously for about: and javascript:
- URLs
- Remove loop around XHR
New in NoScript 11.0.7 RC 1 (Nov 4, 2019)
- Use fragments to reinsert and run previously blocked scripts
- Fetch policies asynchronously for about: and javascript: URLs
- Remove loop around XHR
New in NoScript 11.0.6 (Nov 4, 2019)
- Compute the correct origin for the policy to be fetched from about:blank and javascript: URLs
- Work-around for Youtube video elements positioned off-display at replacement time
- Version numbers for Chromium dev builds compatible with Chromestore requirements
- Script blocking before policy is fetched only for synchronous loads
- Make tests not to run automatically on dev mode startup anymore
New in NoScript 11.0.4 (Oct 29, 2019)
- [Tor] Treat .onion sites whose protocol is HTTP as if it was HTTPS
- [Mobile] Blocked scripts count displayed in the browser action menu item
- Consolidated missing endpoint error detection in Messages
- More compatible Messages abstraction
- Progressive count of debug messages to better trace asynchronous execution
- [XSS] Fixed false positive (property assignment)
- Fixed typo causing initializing promise not being cached
- Avoid unnecessary page reloads on extension updates
- Fixed undefined variable error when in debugging mode
- [Tor] Display .onion sites as "secure" in the UI (tickets #27313 and #27307)
- Support for splitting sync storage items into chunks, to allow synchronization of big policies across devices
- IPv4 subnet shortcut matching
- Fallback to local storage for any item exceeding limits (fixes persistence problems on Chromium)
- Alternate version numbering for Chromium pre-releases
- Simplified, less noisy and more resilient Messages abstraction implementation (thanks barbaz for reporting)
- Handle edge-case policy retrieval for file:// pages loaded by session restore on startup and alike
- Improved Chromium development-build workflow
- Fix CSP violation reporting management of "fake" blocked-uri like "eval"
- Recursive webgl context monkeypatching across same origin windows (thanks skriptimaahinen for concept and patch)
- Replaced cookie-based hacks with synchronous messaging (currently shimmed) to retrieve fallback and per-tab restriction policies
- Work-around for Chromium not supporting frameAncestors
- in webRequest
- [L10n] Updated Transifex-managed ca, da, it, nl, ru, sv_SE
- [XSS] Updated HTML5 events
- Updated TLDs
- Fixed "Cascade top document restrictions" option not always applied to embedded elements (thanks barbaz for reporting)
- Removed XSS prompt for timeouts
New in NoScript 11.0.4 RC 13 (Oct 21, 2019)
- More robust SyncMessage implementation coping with XHR suspension inconsistencies on Firefox
New in NoScript 11.0.4 RC 11 (Oct 10, 2019)
- [Tor] Display .onion sites as "secure" in the UI (tickets #27313 and #27307)
- Fixed typo causing Chromium builds not to be created in the XPI directory
New in NoScript 11.0.4 RC 10 (Oct 9, 2019)
- Support for splitting sync storage items into chunks, to allow synchronization of big policies across devices
- [L10n] Updated ca, nl
- Overwrite Chromium zip on reiterated builds
New in NoScript 11.0.4 RC 3 (Sep 30, 2019)
- [XSS] Fixed false positives with parameters named "src"
- Static click-to-play placeholders
- [L10n] New da, is, pl, sq, zh_TW Transifex-managed locales
- [L10n] Updated sv_SE Transifex-managed locale
New in NoScript 11.0.3 (Aug 20, 2019)
- [Tor] Work-around for prompts being huge when resistFingerprinting is enabled
- [XSS] Fixed false positives due to overzealous HTML attribute checking
- [XSS] Enabled InjectionChecker logging when debugging mode is on
- Work-around for browser.i18n.getMessage() API in content scripts giving away browser's real locale (Tor issue #31287)
- Updated TLDs
- [L10n] Updated Transifex-managed he, is, nb, ru, sq, zh_TW
New in NoScript 11.0.2 (Jul 29, 2019)
- Restored "classic" pasted HTML sanitization feature, Now triggered by drag'n'drop too (thanks barbaz for patch)
- Fixed bug in browser type detection by content scripts (thanks barbaz)
- Added "Collapse blocked objects" option in Blocked Objects prompt
- Fixed corner case when application/* content types should match "media" rather than "object" (thanks skriptimaahinen for reporting)
- Replacement clicks are now intercepted even if a content placeholder is obstructed by an overlay
- More graceful handling of chrome: origins (thanks skriptimaahinen for reporting)
- CSP building optimizations
- Updated TLDs.
- [L10n] Updated Transifex-managed locales br, de, it, ms, nl, ru, tr, nb, sv_SE and zh_CN
New in NoScript 11.0.2 RC 2 (Jul 26, 2019)
- Updated TLDs.
- [L10n] Updated Transifex-managed locales br, de, it, ms, nl, ru, tr
- Fixed bug in browser type detection by content scripts
- Fixed paste sanitization bugs and make it work on drag and drop tool
New in NoScript 11.0.2 RC 1 (Jul 25, 2019)
- Restored "classic" pasted HTML sanitization feature
- Added "Collapse blocked objects" option in Blocked Objects prompt
- Fixed corner case when application/* content types should match "media" rather than "object" (thanks skriptimaahinen
- Replacement clicks are now intercepted even if a content placeholder is obstructed by an overlay
- More graceful handling of chrome: origins (thanks skriptimaahinen for reporting)
- CSP building optimizations
- [L10n] Updated Transifex-managed nb, sv_SE and zh_CN
- Updated TLDs
New in NoScript 11.0 (Jul 11, 2019)
- [XSS] Fixed false positives with parameters named "src"
- Static click-to-play placeholders
- [L10n] New da, is, pl, sq, zh_TW Transifex-managed locales
- [L10n] Updated sv_SE Transifex-managed locale
New in NoScript 10.6.3 (Jun 17, 2019)
- Multiple fixes in embeddings replacement (thanks barbaz For reporting)
- Fixed [Import] settings button on Android
- [XSS] JSON reduction optimizations
- [XSS] XSS checks performance improvements play nicer with ResistFingerprinting
- [XSS] Fully asynchronous InjectionChecker, prevents freezes On heavy payloads
- Skip page autoreloads on transitions between temporary and Permanent presets of the same kind
- Updated TLDs
New in NoScript 10.6.3 RC 7 (May 30, 2019)
- Further work-around for [Import] settings button inconsistencies on Android
- Updated TLDs
New in NoScript 10.6.3 RC 6 (May 30, 2019)
- Fixed [Import] settings button on Android
New in NoScript 10.6.3 RC 4 (May 28, 2019)
- XSS checks performance improvements play nicer with resistFingerprinting
New in NoScript 10.6.3 RC 3 (May 28, 2019)
- Fully asynchronous InjectionChecker, prevents freezes on heavy payloads
New in NoScript 10.6.2 (May 23, 2019)
- Removed work-around for https://bugzil.la/1532530 (now
- Fixed and backported to the Tor Browser too)
- Fixed media.mediasource.enabled breakage (thanks
- Skriptimaahinen for patch)
- Reference internal pages as absolute URLs for Chromium
- Compatibility
- Updated TLDs
- [Locale] Updated Transifex-managed locales (es, ms, tr)
New in NoScript 10.6.1 (Apr 11, 2019)
- Make RequestGuard's header processing synchronous as needed
- Fixed inconsistencies handling browser-internal URLs
- Fixed resetting options works just once per session
- (defaults reference current settings) - issue #69
- [Locale] Updated Transifex-managed locales (de, fr, it, tr,
- Nl)
New in NoScript 10.6 (Apr 8, 2019)
- Limit wrappedJSObject usages to compatible browsers
- [Chromium] Merged chromium branch (unified code base)
- [Locale] Updated Transifex-managed locales
- Updated TLDs
New in NoScript 10.2.5 (Mar 25, 2019)
- [XSS] Improved detection of privileged origins (fixes an about:tor to DuckDuckGo false positive)
New in NoScript 10.2.4 (Mar 21, 2019)
- Improved prompts layout (thanks Ton for suggestion)
- Improved unscanned POST blocking
New in NoScript 10.2.3 (Mar 20, 2019)
- [l10n] Updated Transifex-managed locales
- Fixed POST searches from the url bar causing XSS warnings
- Fixed popup top buttons not visible in high contrast appearance mode (thanks pjaworski for reporting)
- Optimized popup layout initialization
New in NoScript 10.2.2 (Mar 18, 2019)
- x [L10n] Updated Transifex-managed locales
- Cascading top document's restrictions to subdocuments is now an option in the General section and defaults to true on the Tor Browser only
- "Scan uploads for potential cross-site attacks" and "Ask confirmation for cross-site POST requests which could not be scanned" options: in Tor Browser default false and true, respectively, as a work-around for mozbug 1532530
- [Tor] "Override Tor Browser Security Level preset" option
- [Tor] Selective handling of Tor Browser specific settings
- Updated TLDs
- [XSS] Updated event names
- Safer cookie-less check for unrestricted tabs from subdocs
- [Build] Easier version bumps to next rc (build.sh bump rcX)
- Fixed unrestricted tabs not affecting about:blank subframes (issue #48, thanks musonius for reporting)
- [XSS] Updated known HTML events lists
- [Locale] Added sv_SE (by Jonatan Nyberg)
New in NoScript 10.2.1 (Dec 24, 2018)
- Cascade top document's restrictions to subframes (Tor issue #28873)
- Fixed restored media element from placeholder not loadingpreviously blocked content automatically
- Fixed placeholders missing for some blocked embeddings (Tor ticket #28720)
New in NoScript 10.2.0 (Nov 29, 2018)
- [L10n] Updated fr, he
- Allow origin-less fetch for extensions (issue #41)
- Fixed meta refresh inside NOSCRIPT emulation breaking
- Firefox's built-in refresh blocking
- Fixed issue #35 "tabId is not defined" on startup
- Darker red badge background to ensure text is kept white across browsers
New in NoScript 10.1.9.9 (Oct 17, 2018)
- Prevention of potential race condition in the new per-tab configuration cookie-based hack
- Better cross-platfrom build script compatibility
- Per-tab configuration cookie-based hack, leaves window.name alone
- Various build scripts fixes
New in NoScript 10.1.9.9 RC 1 (Oct 14, 2018)
- Per-tab configuration cookie-based hack, leaves window.name alone
- Various build scripts fixes
New in NoScript 10.1.9.8 (Oct 10, 2018)
- Fixed preset customization UI showing inherited DEFAULT permissions if a protocol-level preset exists
- Simplified CSP HTTP header injection, avoiding report-to until actually supported by browsers
- [L10n] Updated ru (thanks fatboy)
- [Tor] Better UX for overriding protocol-level permissions
- [Build] Option to force TLD updates
- [L10n] Updated (es, ru) and new (el, he, ms, nb) locales from OTF's Localization Lab Transifex project
- [L10n] no_BO translation by comradekingu
- FTP directory UI emulation on script-disabled domains
- Include ftp:// URLs in non-secure domain matching (thanks Rassilon for RFE)
New in NoScript 10.1.9.7 RC 1 (Sep 27, 2018)
- FTP directory UI emulation on script-disabled domains
- Include ftp:// URLs in non-secure domain matching (thanks Rassilon for RFE)
New in NoScript 10.1.9.6 (Sep 14, 2018)
- [TB] Gracefully handle legacy external message recipients
- [XSS] Updated known HTML5 events
- Better IPV6 support
- UI support for protocol-only entries
New in NoScript 10.1.9.6 RC 2 (Sep 11, 2018)
New in NoScript 10.1.9.6 RC 1 (Sep 11, 2018)
- UI support for protocol-only entries
New in NoScript 10.1.9.5 (Sep 10, 2018)
- Fix for various content script timing related issues (thanks therube for reporting)
New in NoScript 10.1.9.4 (Sep 10, 2018)
- Prevent total breakages when policies accidentally map to invalid match patterns
- Internal messaging dispatch better coping with multiple option windows
- Avoid multiple CSP DOM insertions
New in NoScript 10.1.9.3 (Sep 10, 2018)
- Fixed message handling regression breaking embedders and causing potential internal message loops
New in NoScript 10.1.9.2 (Sep 10, 2018)
- More efficient window.name-based tab-scoped permissions persistence
- Fixed URL parsing bugs
- Fixed bug in requestKey generation
- [Build] Enhanced TLD data update subsystem
- [UI] CUSTOM presets gets initialized with currently applied preset, including temporary/permanent status
- Improved internal message dispatching, avoiding potential race conditions
- [L10n] Transifex integration
- Work-around for DOM-injected CSP not being honored when appended to the root element, rather than HEAD
- Transparent support for FQDNs
- Better file: protocol support
- Full-page placeholders for media/plugin documents
New in NoScript 10.1.9.2 RC 2 (Sep 5, 2018)
- [L10n] Transifex integration
- Work-around for DOM-injected CSP not being honored when appended to the root element, rather than HEAD
- Transparent support for FQDNs
- Better UI support for file:// URLs
New in NoScript 10.1.9.2 RC 1 (Sep 4, 2018)
- Better file: protocol support
- Full-page placeholders for media/plugin documents
New in NoScript 10.1.9.1 (Aug 30, 2018)
- Fixed NOSCRIPT emulation not running in contexts where service workers are disabled, such as private windows
- [Build] Fixed TLD regexp generation broken by CRLF characters in input public suffix list
New in NoScript 10.1.9 (Aug 30, 2018)
- Completely revamped CSP backend, enforcing policies both in webRequest and in the DOM
- Reload-less service worker busting
- removed obsoleted failsafes, including forced reloads
- Better timing for popup UI feedback on permissions changes
- [Tor] Reordered startup sequence to better cooperate with embedders like the Tor Browser
- Send out a "started" message after initialization to help embedders (like the Tor browser) interact with NoScript
- [Build] Better support for versions bumps
- Updated TLDs
- [Build] Improved TLD auto-updater
New in NoScript 10.1.9 RC 6 (Aug 29, 2018)
- Fixed typo in restricted.js inclusion
New in NoScript 10.1.9 RC 5 (Aug 29, 2018)
- Better timing for popup UI feedback on permissions changes
New in NoScript 10.1.9 RC 4 (Aug 29, 2018)
- Reload-less service worker busting.
New in NoScript 10.1.9 RC 3 (Aug 28, 2018)
- [Tor] Reordered startup sequence to better cooperate with embedders like the Tor Browser
New in NoScript 10.1.9 RC 2 (Aug 28, 2018)
- Send out a "started" message after initialization to help embedders (like the Tor browser) interact with NoScript
New in NoScript 10.1.9 RC 1 (Aug 27, 2018)
- Completely revamped CSP backend, enforcing policies both in webRequest and in the DOM
- removed obsoleted failsafes, including forced reloads
- [Build] Better support for versions bumps
- Updated TLDs
- [Build] Improved TLD auto-updater
New in NoScript 10.1.8.23 (Aug 25, 2018)
- Hot fix for reload loops before CSP management refactoring.
New in NoScript 10.1.8.22 (Aug 25, 2018)
- Fixed reload loop on unrestricted tabs.
New in NoScript 10.1.8.20 (Aug 24, 2018)
- Fixed Sites.domainImplies() misplaced optimization.
- build.sh support for quick stable release
- [L10n] Added Catalan (ca)
New in NoScript 10.1.8.19 (Aug 24, 2018)
- Fixed onResponseHeader failing on session restore because of onBeforeRequest not having being called.
- Fixed regression: framed documents' URLs not being reported in the UI (thanks xaex for report)
New in NoScript 10.1.8.19 RC 1 (Aug 23, 2018)
- Fixed regression: framed documents' URLs not being reported in the UI (thanks xaex for report)
New in NoScript 10.1.8.18 (Aug 23, 2018)
- More resilient and optimized Sites.domainImplies()
- Update ChildPolicies when automatic temp TRUST for top-level documents is enabled
- Fixed messages from content scripts being "eaten" by the wrong dispatcher when UI is open (thanks skriptimaahinen)
- Fixed typo causing accidental permissions/status mismatches being checked only while pages are still loading (thanks skriptimaahinen)
- Fixed typo in XSS name sanitization script injection (thanks skriptimaahinen)
New in NoScript 10.1.8.17 (Aug 23, 2018)
- Fix: Sites.domainImplies() should match subdomains
- More coherent wrapper around the webemessaging API
- Fixed inconsistencies affecting ChildPolicies content script auto-generated matching rules.
- Fixed potential issues with cross-process messages
- Simpler and more reliable safety net to ensure CSP headers are injected last among WebExtensions
- Fixed regression causing refresh loops on pages which use type="object" requests to load images, css and other types
- [L10n] ru and de translations
- [XSS] Updated HTML events auto-generate matching code to use both latest Mozilla source code and archived data since FirefoESR 52
- New dynamic scripts management strategy based on the browser.contentScripts API, should fisome elusive, likely requestFilter-induced, bugs
- Fixed no-dot domains threated as empty TLDs (thanks Peter Wu for patch)
- Removed requestFilter hack for dynamic scripts management
- [L10n] br and tr translations (thanks Transifex/OTF, https://www.transifex.com/otf/noscript/)
- Best effort to have webRequest.onHeaderReceived listener run last (issue #6, thanks kkapsner)
- [L10n] Localized "NoScript Options" title (thanks Diklabyte)
- Fixed inline scripts not being reported to UI (thanks skriptimaahinen for patch)
- Skip non-content windows when deferring startup page loads (thanks Rob Wu for reporting)
- Broader detection of UTF-8 encoding in responses (thanks Rob Wu for reporting)
- Improved support for debugging code removal in releases
- Fixed startup race condition with pending request tracking
- Fixed updating NoScript reloads tabs with revoked temporary permissions.
New in NoScript 10.1.8.17 RC 8 (Aug 22, 2018)
- Fix: Sites.domainImplies() should match subdomains
- More coherent wrapper around the webex messaging API
New in NoScript 10.1.8.17 RC 7 (Aug 22, 2018)
- Fixed inconsistencies affecting ChildPolicies content script auto-generated matching rules.
- Fixed potential issues with cross-process messages
New in NoScript 10.1.8.17 RC 6 (Aug 21, 2018)
- Simpler and more reliable safety net to ensure CSP headers are injected last among WebExtensions
New in NoScript 10.1.8.17 RC 5 (Aug 19, 2018)
- Fixed regression causing refresh loops on pages which use type="object" requests to load images, css and other types
New in NoScript 10.1.8.17 RC 4 (Aug 19, 2018)
- More reliable attempt to have webRequest.onHeaderReceived listener run last (issue #6, thanks kkapsner)
- [L10n] ru and de translations
- [XSS] Updated HTML events auto-generate matching code to use both latest Mozilla source code and archived data since Firefox ESR 52
New in NoScript 10.1.8.17 RC 3 (Aug 18, 2018)
- New dynamic scripts management strategy based on the browser.contentScripts API, should fix some elusive, likely requestFilter-induced, bugs
- Fixed no-dot domains threated as empty TLDs (thanks Peter Wu for patch)
- Removed requestFilter hack for dynamic scripts management
- [L10n] br and tr translations (thanks Transifex/OTF, https://www.transifex.com/otf/noscript/)
New in NoScript 10.1.8.17 RC 2 (Aug 6, 2018)
- Best effort to have webRequest.onHeaderReceived listener run last
- [L10n] Localized "NoScript Options" title
New in NoScript 10.1.8.17 RC 1 (Aug 4, 2018)
- Fixed inline scripts not being reported to UI
- Skip non-content windows when deferring startup page loads
- Broader detection of UTF-8 encoding in responses
- Improved support for debugging code removal in releases
- Fixed startup race condition with pending request tracking
- Fixed updating NoScript reloads tabs with revoked temporary permissions.
New in NoScript 10.1.8.16 (Jul 28, 2018)
- Fixed random stallings on page transitions.
New in NoScript 10.1.8.9 (Jul 27, 2018)
- Fixed externally handled resources opened in popups broken by dynamic script injection (thanks rpr and paulmcg for reporting)
- More edge case covered in dynamic script injection (thanks skriptimaahinen for reporting)
- Fixed some resource loading feedback glitches
- [XSS] Updated HTML event attributes matching
- Updated TLDs
- Fixed stalling embedded objects load on dynamic script injection (thanks therube for reporting)
- [L10n] Updated it (thanks Sebastiano Pistore)
- Work-around for serviceWorker loads bypassing webRequest (thanks therube for reporting)
- More flexible CSS layout for preset buttons (thanks fatboy)
- Improved edge case script disablement detection
- More reliable handling of edge cases on startup (thanks therube for reporting)
- Fixed dynamic script injection failing sometimes with "No matching message handler" error (thanks skriptimaahinen for reporting)
- [Tor Browser, Linux] Replaced unicode glyphs not being rendered on some browsers / platforms
- Prevent multiple canScript content messages during the same page load
- [Tor/ESR60] Removed useless work-around suggested in moz bug 1410755, which caused Tor Browser content process crashes
New in NoScript 10.1.8.9 RC 8 (Jul 26, 2018)
- More edge case covered in dynamic script injection.
New in NoScript 10.1.8.9 RC 7 (Jul 26, 2018)
- Fixed some resource loading feedback glitches
- [XSS] Updated HTML event attributes matching
- Updated TLDs
New in NoScript 10.1.8.9 RC 6 (Jul 26, 2018)
- Fixed stalling embedded objects load on dynamic script injection
- [L10n] Updated it
New in NoScript 10.1.8.9 RC 5 (Jul 25, 2018)
- Fixed infinite reload loops on scripting permissions mismatches.
New in NoScript 10.1.8.9 RC 4 (Jul 25, 2018)
- Work-around for serviceWorker loads bypassing webRequest
- More flexible CSS layout for preset buttons (thanks fatboy)
- Improved edge case script disablement detection
New in NoScript 10.1.8.9 RC 3 (Jul 23, 2018)
- More reliable handling of edge cases on startup
- Fixed dynamic script injection failing sometimes with "No matching message handler" error
New in NoScript 10.1.8.9 RC 2 (Jul 21, 2018)
- Fixed externally handled resources opened in popups broken by dynamic script injection
- [Tor Browser, Linux] Replaced unicode glyphs not being rendered on some browsers / platforms
- Prevent multiple canScript content messages during the same page load
New in NoScript 10.1.8.9 RC 1 (Jul 19, 2018)
- [TB64] Removed useless work-around suggested in moz bug 1410755, which caused Tor Browser content process crashes.
New in NoScript 10.1.8.8 (Jul 18, 2018)
- Prevent script injection from messing with content-disposition=attachment responses.
New in NoScript 10.1.8.8 RC 1 (Jul 17, 2018)
- Prevent script injection from messing with content-disposition=attachment responses.
New in NoScript 10.1.8.7 (Jul 17, 2018)
- Fixed regression breaking meta refresh with relative URLs.
New in NoScript 10.1.8.5 (Jul 16, 2018)
- Completed fix for quoted URLs in meta refresh.
New in NoScript 10.1.8.4 (Jul 16, 2018)
- [L10n] Fixed es translation (thanks Deckan)
- Cosmetic bug fixes
- Updated TLDs
New in NoScript 10.1.8.3 (Jul 16, 2018)
- [XSS] Fixed InjectionChecker choking at some big JSON payloads sents as POST form data
- Fixed meta-refresh emulation confused by quoted URLs
- [ESR60] Fixed dynamic script injection issues with XML feeds (thanks skriptimaahinen for report)
- [ESR60] Work-around for Moz Bug 1410755
- Autosize preset buttons to accomodater bigger localized labels
- [L10n] Shortened de labels (thanks musonius)
- More graceful handling of internal and restricted URLs
- [L10n] Added de, es, fr, it, nl, pt_BR and zh_CN locales (courtesy of Mozilla's localization campaign)
- Switch to inline elements as "NOSCRIPT" HTML replacements
- Fixed subframe content changes producing ambiguous NoScript icon feedback
- More meaningful/useful popup on (semi)privileged documents
- [Tor Browser] Work-around for crypto-based uiid function failing on startup
- [Tor Browser] Backported new dynamic script injection to ESR60
- Included license files in the XPI
- [XSS] In-depth protection against native ES6 modules abuse
- Fixed dynamic script injection issues
- MSE media reporting and blocking (e.g. on Youtube)
New in NoScript 10.1.8.3 RC 11 (Jul 13, 2018)
- [XSS] Fixed InjectionChecker choking at some big JSON payloads sents as POST form data
- Fixed meta-refresh emulation confused by quoted URLs
- Fixed regression - popup first row not showing the active preset initially
- [ESR60] Fixed some edge cases still breaking feeds
New in NoScript 10.1.8.3 RC 10 (Jul 12, 2018)
- Fixed dynamic script injection issues with XML feeds
- [ESR60] Work-around for Moz Bug 1410755
- Autosize preset buttons to accomodater bigger localized labels
- [L10n] Shortened de labels (thanks musonius)
New in NoScript 10.1.8.3 RC 9 (Jul 10, 2018)
- More specific exceptions for dynamic script injection
- [L10n] Shortened de labels
New in NoScript 10.1.8.3 RC 8 (Jul 9, 2018)
- More specific exceptions for dynamic script injection
- More graceful handling of internal and restricted URLs
- [L10n] Added de, es, fr, it, nl, pt_BR and zh_CN locales
- Custom "no-script" element as "NOSCRIPT" HTML replacement
- Fixed console.log breakage in content pages
New in NoScript 10.1.8.3 RC 7 (Jul 7, 2018)
- Fixed various issues with dynamic script injection
- Fixed subframe content changes producing ambiguous NoScript icon feedback
- More meaningful/useful popup on (semi)privileged documents
New in NoScript 10.1.8.3 RC 6 (Jul 4, 2018)
- [Tor Browser] Work-around for crypto-based uiid function failing on startup
- [Tor Browser] Backported new dynamic script injection to ESR60
New in NoScript 10.1.8.3 RC 5 (Jul 4, 2018)
- Fixed dynamic script injection regression breaking images loaded as frame content (thanks Quest for report)
- Included license files in the XPI
New in NoScript 10.1.8.3 RC 4 (Jul 2, 2018)
- Tentative fix for content scripts asynchronous registration issues, take 3.
New in NoScript 10.1.8.3 RC 3 (Jul 2, 2018)
- [XSS] In-depth protection against native ES6 modules abuse
New in NoScript 10.1.8.3 RC 2 (Jun 20, 2018)
- Tentative fix for content scripts asynchronous registration issues.
New in NoScript 10.1.8.3 RC 1 (Jun 19, 2018)
- MSE media reporting and blocking (e.g. on Youtube)
New in NoScript 10.1.8.2 (May 30, 2018)
- Popup toolbar buttons fully configurable via Drag'n'Drop
- Removed redundant leading "NoScript" in window titles
- Work-around for Firefox 60 bug breaking about:blank pages when a WebExtension declares a "document_start" CSS (thanks skriptimaahinen for report and fix)
- Fixed buttons in the "hide area" still responsive to clicks
New in NoScript 10.1.8.2 RC 3 (May 23, 2018)
- Work-around for Firefox 60 bug breaking about:blank pages when a WebExtension declares a "document_start" CSS
New in NoScript 10.1.8.2 RC 2 (May 5, 2018)
- More discoverable toolbar customization UI
- Fixed hidden buttons being persisted in reversed order
- Fixed buttons in the "hide area" still responsive to clicks
New in NoScript 10.1.8.2 RC 1 (May 4, 2018)
- Popup toolbar buttons fully configurable via Drag'n'Drop.
New in NoScript 10.1.8.1 (Apr 28, 2018)
- [UI] "Disable restrictions for this tab" button in popup
- [UI] "Disable restrictions globally" button in popup
- Fixed some content blocking stats collection bugs
- Fixed data: and blob: URIs could be loaded as object and media sources independently from the parent page's permissions (thanks skriptimaahinen for report)
- Several performance improvement in inter-process content blocking stats synchronization (thanks Rob Wu for report)
- [UI] Improved in-popup messages
- [UI] Simplified URL management in "Allow object" prompt
- Fixed dynamic scripts URL matching inconsistencies
New in NoScript 10.1.8.1 RC 3 (Apr 27, 2018)
- Fixed data: and blob: URIs could be loaded as object and media sources independently from the parent page's permissions
- Several performance improvement in inter-process content blocking stats synchronization
New in NoScript 10.1.8.1 RC 2 (Mar 27, 2018)
- [UI] Improved in-popup messages
- [UI] More consistent interactions between the bulk restrictions disablement features
New in NoScript 10.1.8.1 RC 1 (Mar 26, 2018)
- [UI] "Disable restrictions for this tab" button in popup
- [UI] "Disable restrictions globally" button in popup
- [UI] Simplified URL management in "Allow object" prompt
- Fixed dynamic scripts URL matching inconsistencies
New in NoScript 10.1.7.5 (Mar 23, 2018)
- Fixed edge case CSP injection bug (thanks Rob Wu)
- Optimized dynamic script injection (thanks Rob Wu)
- Fixed potential leak on dynamic script injection (thanks Rob Wu for report)
- Now NoScript's UI on privileged pages explains permissions cannot be configured there, rather than bluntly opening the Options page (thanks Rob Wu for suggestion)
New in NoScript 10.1.7.4 RC 3 (Mar 22, 2018)
- Fixed script enablement status not correctly detected on some pages rolling their own CSP (causing NOSCRIPT element and META refresh emulation not to be triggered)
New in NoScript 10.1.7.4 RC 2 (Mar 21, 2018)
- Fixed "Appearance" NoScript Options tab missing on Android
- [XSS] Fixed semicolon-separated JSON payloads DDOSing the JSON-optimizer, e.g. with syndication.twitter.com subframes (thanks KonomiKitten and pal1000 for reports)
- [UI] Renamed "Scripts globally allowed (dangerous)" option to "No permissions enforcement (dangerous)" to better reflect its actual effect
- [UI] Better feedback about "No permission enforcement" by disabling the "Preset customization" section and and the "Per-site Permissions" tab
- [UI] Moved XSS-related options to the "Advanced" tab
New in NoScript 10.1.7.4 RC 1 (Mar 18, 2018)
- Fixed disabled webgl breaking feeds on script-enabled sites
- Enhanced dynamic script injection if browser.contentScripts API is available
- Expanded support for webgl canvas placeholders
New in NoScript 10.1.7.3 (Mar 17, 2018)
- Fixed infinite script count report loops on some sites (thanks AuntyJack, @ALoss2 and others for reporting)
- Fixed localhost not being recognized as a domain (thanks skriptimaahinen for patch)
- Fixed regression causing NOSCRIPT element and META refreshes not to be emulated anymore on script-disabled pages (thanks barbaz and fatboy for reporting)
New in NoScript 10.1.7.2 (Mar 16, 2018)
- Fixed bug causing some pages and RSS feeds to fail without access to NoScript UI.
New in NoScript 10.1.7 (Mar 15, 2018)
- "Needed type" feedback in Custom preset for data: and blob: fonts (thanks skriptimaahinen for report)
- Pressing DEL while left-mousing down on a fixed/absolutely positioned element of a script-disabled page removes it, allowing users to dismiss in-content popup "windows" and blocking overlays
- Fixed changing sites permission resets local preferences regression from 10.1.7rc1 (thanks pal1000 for report)
- Fixed data: and blob: fonts not blocked even if the "font" permission is not given to the main document (thanks skriptimaahinen for report and preliminary patch)
- "Appearance|List full addresses in the permissions popup" option, off by default, to simplify the popup UI
- "webgl" requirement feedback in CUSTOM permissions
- "webgl" placeholder wherever possible
- Activated beta channel updates from secure.informaction.com
- WebGL blocking now honored on scripted pages
- Quantum RC versions are hosted on secure.informaction.com from now on due to beta channel deprecation on AMO
New in NoScript 10.1.7 RC 2 (Mar 9, 2018)
- "Appearance>List full addresses in the permissions popup" option, off by default, to simplify the popup UI
- "webgl" requirement feedback in CUSTOM permissions
- "webgl" placeholder wherever possible
- Activated beta channel updates from secure.informaction.com
New in NoScript 10.1.7 RC 1 (Mar 6, 2018)
- WebGL blocking now honored on scripted pages
- Quantum RC versions are hosted on secure.informaction.com from now on due to beta channel deprecation on AMO
New in NoScript 10.1.6.6 RC 2 (Feb 17, 2018)
- Tab selection persistence on Options Page reloads
- Automatically close Options Page on popup UI permissions changes to avoid inconsistencies / unresponsiveness
- Fixed regression: per-sites permissions list not updated after addition
New in NoScript 10.1.6.6 RC 1 (Feb 16, 2018)
- Tabbed options sections
- Appearance option to turn off script count badge
- Appearance option to hide context menu item
- Fixed legacy import bug creating too permissive DEFAULT presets
- Fixed 10.1.6.2 regression: enabling object placeholders affected DEFAULT permissions
New in NoScript 10.1.6.5 (Feb 9, 2018)
- Context menu on web pages to access main UI
- Fixed UI regression showing only the two rightmost components of IPv4 addresses
- [XSS] More specific and unobtrusive handling of window.name sanitization
- Fixed "XSS User Choices" not being included in Export files
New in NoScript 10.1.6.5 RC 4 (Feb 7, 2018)
- Context menu on web pages to access main UI
- Fixed UI regression showing only the two rightmost components of IPv4 addresses
New in NoScript 10.1.6.5 RC 3 (Feb 6, 2018)
- [XSS] Better ordering of window.name sanitization
New in NoScript 10.1.6.5 RC 2 (Feb 6, 2018)
- [XSS] More specific and unobtrusive handling of window.name sanitization
New in NoScript 10.1.6.5 RC 1 (Feb 6, 2018)
- Fixed "XSS User Choices" not being included in Export files
New in NoScript 10.1.6.4 (Jan 29, 2018)
- Fixed race condition on XSS filter first load
- Fixed duplicate entries in UI on page reloads (thanks 8-bit for reporting)
- Spinner for long sites lists in Options page
- Removed obsolete work-around for accidental TRUSTED preset wiping
- [UI] Fixed clicking on capability's label doesn't toggle the related checkbox (thanks dhouwn and olf for reporting)
- [XSS] Fixed false positives on badly encoded URLs (thanks sage11 for reporting)
New in NoScript 10.1.6.4 RC 4 (Jan 20, 2018)
- Fixed duplicate entries in UI on page reloads
- Spinner for long sites lists in Options page
New in NoScript 10.1.6.4 RC 3 (Jan 18, 2018)
- Removed obsolete work-around for accidental TRUSTED preset wiping.
New in NoScript 10.1.6.4 RC 2 (Jan 16, 2018)
- [UI] Fixed clicking on capability's label doesn't toggle the related checkbox.
New in NoScript 10.1.6.4 RC 1 (Jan 15, 2018)
- [XSS] Fixed false positives on badly encoded URLs
New in NoScript 10.1.6.3 (Jan 10, 2018)
- Improved tooltip clarity
- Added version number to the browser action tooltip (thanks therube for RFE)
- More restrictive domain matching in the main UI for "fake" TLDs, showing pseudo 2nd level domains containing one dot
- Domain matching now treats unknown no-dot domains (not in the public suffixes list) as TLDs everywhere (fix finally not overwritten by auto-generated tld.js)
- Fixed rc4 regression causing synchronized changes not to be persisted
- Smarter XSS popup behavior when reporting concurrent events from/to the same origins
- Fixed full breakage when sync storage is disabled
- Improved layout on small screens (less than 10cm wide)
- Moved preset customization into its own (more discoverable) global Options section, rather than embedded in assignment
- Improved validation of manual entries
- Needed capabilities highlighted also on short-hand domain matched entries inside the CUSTOM preset
- Domain matching now works also for manually entered TLDs and pseudo-TLDs, such as "gov.us" or "cloudflare.net"
New in NoScript 10.1.6.3 RC 5 (Jan 9, 2018)
- Domain matching now treats unknown no-dot domains (not in the public suffixes list) as TLDs everywhere (fix finally not overwritten by auto-generated tld.js)
- Fixed rc4 regression causing synchronized changes not to be persisted
- Smarter XSS popup behavior when reporting concurrent events from/to the same origins
New in NoScript 10.1.6.3 RC 4 (Jan 8, 2018)
- Fixed full breakage when sync storage is disabled.
New in NoScript 10.1.6.3 RC 3 (Jan 7, 2018)
- Domain matching now threats unknown no-dot domains (not in the public suffixes list) as TLDs everywhere
- Improved layout on small screens (less than 10cm wide)
New in NoScript 10.1.6.3 RC 2 (Jan 5, 2018)
- Moved preset customization into its own (more discoverable) global Options section, rather than embedded in assignment
- Improved validation of manual entries
- Needed capabilities highlighted also on short-hand domain matched entries inside the CUSTOM preset
New in NoScript 10.1.6.3 RC 1 (Jan 3, 2018)
- Domain matching now works also for manually entered TLDs and pseudo-TLDs, such as "gov.us" or "cloudflare.net"
New in NoScript 10.1.6.2 (Dec 30, 2017)
- Individual temporary / permanent TRUSTED preset buttons
- Removed customizability of DEFAULT, TRUSTED and UNTRUSTED preset from the popup (reported as a major source of confusion) while keeping it in the Options tab
- Better display on mobile devices in portrait mode
- Fixed focus bug on mobile devices
- Fixed confirmation prompt when loading Site Info for the first time being ignored
- Fixed import feature failing on some full JSON "Classic" export files (thanks Floe for reporting)
- Fixed policy serialization bug causing temporary TRUSTED sites to be listed in the UNTRUSTED array as well (thanks pal1000 for reporting)
- Fixed action icon being disabled on Options tabs and not re-enabled when navigating away in the same tab (thanks geek99 for reporting)
New in NoScript 10.1.6.2 RC 1 (Dec 29, 2017)
- Individual temporary / permanent TRUSTED preset buttons
- Removed customizability of DEFAULT, TRUSTED and UNTRUSTED preset from the popup (reported as a major source of confusion) while keeping it in the Options tab
- Fixed policy serialization bug causing temporary TRUSTED sites to be listed in the UNTRUSTED array as well (thanks pal1000 for reporting)
- Fixed action icon being disabled on Options tabs and not re-enabled when navigating away in the same tab (thanks geek99 for reporting)
New in NoScript 10.1.6.1 (Dec 24, 2017)
- Reduced UI sizes in desktop version
- Work-around for Firefox bug preventing the Export button from working on non-Windows platforms
New in NoScript 10.1.6.1 RC 1 (Dec 21, 2017)
- Reduced UI sizes in desktop version
- Work-around for Firefox bug preventing the Export button from working on non-Windows platforms
New in NoScript 10.1.6 (Dec 19, 2017)
- [XSS] Improved sensitivity of JSON whitelisting
- [XSS] Improved specificity of nested URL checks
- New configuration export implementation, more convoluted but not requiring the "downloads" permission
New in NoScript 10.1.5.9 (Dec 17, 2017)
- Bug fixes and improvements.
New in NoScript 10.1.5.8 (Dec 16, 2017)
- First "Quantum" release candidate with Android support
- Inverted order of domains vs full sites in popup
New in NoScript 10.1.5.8 RC 2 (Dec 15, 2017)
- First "Quantum" release candidate with Android support.
New in NoScript 10.1.5.8 RC 1 (Dec 12, 2017)
- Inverted order of domains vs full sites in popup.
New in NoScript 10.1.5.7 (Dec 11, 2017)
- Settings import functionality, backward compatible with NoScript 5 formats
- Settings export functionality
- [XSS] The filter now automatically skips embedded documents which would normally be blocked
- Base domain matching now uses a single dot rule for unknown, private or "fake" TLDs (e.g. www.acme.corp → acme.corp)
- [XSS] Fixed regression from 10.1.5.6rc2 (thanks Masato Kinugava for reporting)
- Better feedback for errors in the policy's debug JSON view (thanks E-Raser for RFE)
New in NoScript 10.1.5.6 (Dec 9, 2017)
- removed yandex.st from default whitelist (see https://forums.informaction.com/viewtopic.php?t=23655)
- [XSS] Streamlined multiple unescaping standards handling
- [XSS] Generalized work-around for browser's URL parsing oddities (thanks Masato Kinugava for reporting)
- "Temporarily set top-level sites to TRUSTED" option
- [XSS] Fixed user choices forgot across browser sessions
New in NoScript 10.1.5.7 RC 1 (Dec 9, 2017)
- Better feedback for errors in the policy's debug JSON view (thanks E-Raser for RFE)
New in NoScript 10.1.5.6 RC 5 (Dec 8, 2017)
- Removed work-around for http://bugzil.la/1387340 (causing misrenderings on zoomed pages)
- [XSS] Streamlined multiple unescaping standards handling
New in NoScript 10.1.5.6 RC 4 (Dec 8, 2017)
- [XSS] Generalized work-around for browser's URL parsing oddities (thanks Masato Kinugava for reporting)
New in NoScript 10.1.5.6 RC 3 (Dec 8, 2017)
- [XSS]Work-around for excessive leniency in URL attribute HTML parsing(thanks Masato Kinugava for reporting)
New in NoScript 10.1.5.6 RC 2 (Dec 7, 2017)
- "Temporarily set top-level sites to TRUSTED" option
- [XSS] Fixed user choices forgot across browser sessions
New in NoScript 10.1.5.6 RC 1 (Dec 5, 2017)
- [XSS] Better fix for 2nd level interactive bypass
New in NoScript 10.1.5.5 (Dec 5, 2017)
- [UI] Clicking on the domain label now opens the "Security and privacy info" webpage (like middle click on "Classic").
- "Reset to Defaults" button in the options window
- Improved content script initialization logic (thanks Rob Wu for suggestions)
- [XSS] Fixed 2nd level interactive bypass (thanks Masato Kinugava for reporting)
- Fixed sites manually added from the Options textbox don't stick (thanks Just_Golem for reporting)
New in NoScript 10.1.5.3 (Dec 3, 2017)
- Fixed regression causing NoScript to ask to reload pages in order to show permissions more than once upon installation
- Removed most animations causing older system to lag when large permissions lists are displayed in Options
New in NoScript 10.1.5.4 RC 1 (Dec 3, 2017)
- Fixed sites manually added from the Options textbox don't stick
New in NoScript 10.1.5.1 (Dec 2, 2017)
- Fixed regression from new "fail fast" XSS filter main loop, causing cross-site requests to Google to trigger false positives (thanks Steve M for reporting)
New in NoScript 10.1.5 (Dec 2, 2017)
- [XSS] Added "Always block requests from ... to ..." in XSS warning prompt
- [XSS] Fixed url decoding bug (thanks Masato Kinugawa for reporting)
- Fixed some blocked items not reported in the UI (thanks Bo Elam for reporting)
- Changed the CSP internal report URI to noscript-csp.invalid (thanks Tom Schuster Mario Heiderich for RFE)
- Removed unused MSE detection code (thanks Rob Wu for reporting)
New in NoScript 10.1.4 (Dec 1, 2017)
- Fixed script enablement feedback dependant on page's own CSP (thanks Rob Wu for reporting)
- Fixed MSE detection injection using window.eval (thanks Rob Wu for reporting)
- Fixed window being resized and NoScript UI shown in a separate popup when triggered on a maximized window
- General performance improvement by removing unnecessary asynchronous webRequest listeners
New in NoScript 10.1.3 (Nov 30, 2017)
- Hotfix for wiped TRUSTED permissions
- Hotfix for NoScript failing to load if XSS was disabled in previous session
New in NoScript 10.1.3 RC 3 (Nov 28, 2017)
- Fixed immutable permissions for TRUSTED and UNTRUSTED presets negating all the others (thanks Stefan Scholl for reporting)
- Work-around for Moz Bug #1402110 (thanks David Ross for reporting)
- Fixed XSS whitelist not being cleared from Options
- Fixed XSS whitelist trying to using sync even if disabled (thanks Rob Wu for reporting)
New in NoScript 10.1.3 RC 1 (Nov 28, 2017)
- Work-around for Firefox not displaying NOSCRIPT elements on pages where scripts are blocked by CSP
- The Alt+Shift+N shortcut now opens the NoScript UI also on windows with no toolbars containing NoScript's icon
- "unsafe" (non-HTTPS) matching is now automatically selected on non-HTTPS pages (fixes the perception that you set a site to TRUSTED and it reverted to DEFAULT)
- Full addresses are shown again to be choosen in UI, together with base domains
- Better auto-reload logic
- Fixed NoScript back-end to work also if sync storage is disabled (thanks Rob Wu for reporting)
- Fixed potential fingerprinting through placeholder icon (thanks Rob Wu for reporting)
New in NoScript 10.1.2 (Nov 23, 2017)
- Added "Revoke temporary permissions" button
- Added "Temporarily allow all this page" button
- Simplified popup listing, showing base domains only (full origin URLs can still be entered in the Options window to further tweak permissions)
- Fixed UI not launching in Incognito mode
- Fixed changing permissions in the CUSTOM preset affecting the DEFAULT permissions sometimes
- Fixed UI almost unusable in High Contrast mode
- Fixed live bookmark feeds blocked if "fetch" permissions were not given
- Fixed background requests from other WebExtensions being blocked
New in NoScript 10.1.1 (Nov 21, 2017)
- First pure WebExtension release
- CSP-based first-party script script blocking
- Active content blocking with DEFAULT, TRUSTED, UNTRUSTED and CUSTOM (per site) presets
- Extremely responsive XSS filter leveraging the asynchronous webRequest API
- On-the-fly cross-site requests whitelisting
New in NoScript 10.1.1 RC 99 (Nov 21, 2017)
- First pure WebExtension release
- CSP-based first-party script script blocking
- Active content blocking with DEFAULT, TRUSTED, UNTRUSTED and CUSTOM (per site) presets
- Extremely responsive XSS filter leveraging the asynchronous webRequest API
- On-the-fly cross-site requests whitelisting
New in NoScript 5.1.7 (Nov 17, 2017)
- [Surrogate] Fixed regression breaking source matching in 5.1.6.
New in NoScript 5.1.5 (Nov 9, 2017)
- Fixed content process cross-framescript leak
- [ESR] Fixed bookmarklets not being executed
New in NoScript 5.1.5 RC 2 (Nov 7, 2017)
- Fixed content process cross-framescript leak
New in NoScript 5.1.5 RC 1 (Nov 7, 2017)
- [ESR] Fixed bookmarklets not being executed
New in NoScript 5.1.4 (Oct 30, 2017)
- [Nightly] Fixed Import/Export Options button
- Fixed bookmarlets broken when scripts globally allowed
- [Tor Browser] Fixed jumping icon on updates (ticket #23968)
- [Surrogate] Better sandbox memory management
- Removed special Add-ons manager uninstall warning hooks
New in NoScript 5.1.4 RC 1 (Oct 25, 2017)
- Fixed bookmarlets broken when scripts globally allowed
- [Tor Browser] Fixed jumping icon on updates (ticket #23968)
- [Surrogate] Better sandbox memory management
- Removed special Add-ons manager uninstall warning hooks
New in NoScript 5.1.3 (Oct 23, 2017)
- [e10s] Fixed some bookmarklet / URL bar JavaScript emulation multi-process regressions
- [Palemoon] Fixed NoScript button position not customizable on the first window (thanks yes_noscript for reporting)
- Fixed bookmarklet execution subject to AllowURLBarJS too
- Fixed Palemoon urlbar breakage on browser restart
- [Whitelist] about:tabcrashed made mandatory (internal)
New in NoScript 5.1.3 RC 3 (Oct 23, 2017)
- [e10s] Fixed some bookmarklet / URL bar JavaScript emulation multi-process regressions
- [Palemoon] Fixed NoScript button position not customizable on the first window
New in NoScript 5.1.3 RC 2 (Oct 18, 2017)
- Fixed bookmarklet execution subject to AllowURLBarJS too.
New in NoScript 5.1.3 RC 1 (Oct 16, 2017)
- Fixed Palemoon urlbar breakage on browser restart
- [Whitelist] about:tabcrashed made mandatory (internal)
New in NoScript 5.1.2 (Oct 14, 2017)
- Fixed allowing scripts on one tab blocking them in other (torproject.org issue #23747, thanks cypherpunks for report)
- Fixed startup sequence
- [Whitelist] about:tabcrashed added to default whitelist
- Added unlimitedStorage WebExtensions permissions for saferpreferences migration
- Fixed some restartless lifecycle quirks
- Fixed toolbar button position changes across upgrades
- Fixed NoScript release notes page shown upon restartlessupdates, rather than on next restart
- Fixed Tor Browser's extension preference overrides ignoredby NoScript
- Fixed status bar not recognized on some browsers stillsupporting it
- Work-around for the Tor Browser preventing NoScript fromresolving its own UI's XML entities
New in NoScript 5.1.2 RC 7 (Oct 13, 2017)
- Fixed allowing scripts on one tab blocking them in other (torproject.org issue #23747, thanks cypherpunks for report)
New in NoScript 5.1.2 RC 6 (Oct 12, 2017)
- Fixed startup sequence
- [Whitelist]about:tabcrashed added to default whitelist
New in NoScript 5.1.2 RC 5 (Oct 11, 2017)
- Added unlimitedStorage WebExtensions permissions for safer preferences migration
- Fixed some residual restartless lifecycle quirks
New in NoScript 5.1.2 RC 4 (Oct 11, 2017)
- Fixed some some more restartless lifecycle quirks.
New in NoScript 5.1.2 RC 3 (Oct 9, 2017)
- Fixed some quirks upon restartless lifecycle events
- Fixed toolbar button position changes across upgrades
New in NoScript 5.1.2 RC 2 (Oct 7, 2017)
- Fixed NoScript release notes page shown upon restartless updates, rather than on next restart
- Fixed Tor Browser's extension preference overrides ignored by NoScript
- Fixed status bar not recognized on some browsers still supporting it
New in NoScript 5.1.2 RC 1 (Oct 2, 2017)
- Work-around for the Tor Browser preventing NoScript from resolving its own UI's XML entities.
New in NoScript 5.1.1 (Oct 2, 2017)
- Fixed regression breaking webworkers (e.g. on Protonmail)
New in NoScript 5.1.0 (Sep 29, 2017)
- Fixed placeholders not shown in Fx 57 and above
- [WebExtension] Reduced legacy settings backup size
- [Nightly] Work-around for nsIDOMHTML* interfaces removal
- Restartless (bootstrapped) desktop version, and most likely the last hybrid (embedded WebExtension) before the pure WebExtension release
New in NoScript 5.1.0 RC 2 (Sep 28, 2017)
- [Nightly] Work-around for nsIDOMHTML* interfaces removal
New in NoScript 5.1.0 RC 1 (Sep 27, 2017)
- Restartless (bootstrapped) desktop version, and most likely the last hybrid (embedded WebExtension) before the pure WebExtension release
New in NoScript 5.0.10 (Sep 12, 2017)
- Fixed some moz-webextension: subrequests blocked in content blocking mode
- Removed whitelist and surrogate references to persona.org
- [Seamonkey] Fixed status bar visibility regression (thanks Mc for reporting)
- [Nightly] Fixed various XSS filter UI breakages
- [Nightly] Patched deprecated usages of nsIURI.path
- [XSS] Fixed false positive on amazonaws.com (thanks Robby Stokoe for reporting)
- [Surrogate] New ampush.io tracker surrogate (thanks barbaz)
New in NoScript 5.0.10 RC 4 (Sep 6, 2017)
- [Regression] Fixed infinite redirect loops on some sites as soon as allowed
- [Regression] Restored accidentally erased default whitelist
New in NoScript 5.0.10 RC 3 (Sep 6, 2017)
- Fixed some moz-webextension: subrequests blocked in content blocking mode
- Removed whitelist and surrogate references to persona.org
New in NoScript 5.0.10 RC 2 (Sep 5, 2017)
- [Seamonkey] Fixed status bar visibility regression
New in NoScript 5.0.10 RC 1 (Sep 1, 2017)
- [Nightly] Fixed various XSS filter UI breakages
- [Nightly] Patched deprecated usages of nsIURI.path
- [XSS] Fixed false positive on amazonaws.com (thanks Robby Stokoe for reporting)
- [Surrogate] New ampush.io tracker surrogate (thanks barbaz)
New in NoScript 5.0.9 (Aug 28, 2017)
- [WebExt] Make sure the embedded WebExtension cannot interfere with the legacy side beside preference migration
- [Nightly] Fixed breakage from bug 1390106
- [Nightly] Work-around for HTMLEmbedElement removal
- [Nightly] Fixed first run UI visibility check
- [XSS] Work-around for Google notifications false positive
- [Nightly] Fixed startup breakage
- [Surrogates] Fixed noisy google-analytics replacement
- [Nightly] Fixed view-source: breakage
New in NoScript 5.0.9 RC 1 (Aug 10, 2017)
- [Nightly] Fixed startup breakage
- [Surrogates] Fixed noisy google-analytics replacement
- [Nightly] Fixed view-source: breakage
New in NoScript 5.0.8.1 (Jul 28, 2017)
- [ABE] XHR matches both TYPE_XMLHTTPREQUEST and TYPE_FETCH
- [ABE] Updated INCLUSION types to match newest specific types from nsIContentType constants. OTHER still matches any type except "historically supported" ones (SCRIPT, CSS, IMAGE, OBJ, OBJSUB, MEDIA, FONT, SUBDOC, XBL, PING, XHR, DTD) for backward compatibility: please use UNKNOWN to match just TYPE_OTHER (i.e. request whose type is not specifically mapped yet by the nsIContentType API).
- [e10s] Fixed INCLUSION type marked as OTHER for any request when Electrolysis is enabled (thanks barbaz for reporting)
- [XSS] Fixed excessive recursion causing GC-related hangs on some ads-intensive websites (like der-postillion.de)
New in NoScript 5.0.8.1 RC 1 (Jul 28, 2017)
- [Surrogate] Fixed google-analytics replacement regression
New in NoScript 5.0.8 RC 4 (Jul 27, 2017)
- [ABE] Fixed regression: HTTP methods HEAD, OPTIONS and TRACE were not matched by ABE's parser grammar anymore
- [ABE] OTHER now matches any type not mapped by the "static" ABE request types (including newest nsIContentPolicy.TYPE_* constants), while UNKNOWN matches just TYPE_OTHER
- [ABE] XHR matches both TYPE_XMLHTTPREQUEST and TYPE_FETCH
New in NoScript 5.0.8 RC 3 (Jul 26, 2017)
- [ABE] Updated INCLUSION types to match newest specific types from nsIContentType constants. OTHER still matches TYPE_WEBSOCKET for backward compatibility, please use UNKNOWN for anything not specifically mapped yet by the nsIContentType API. Thanks barbaz for reporting.
New in NoScript 5.0.8 RC 2 (Jul 26, 2017)
- [e10s] Fixed INCLUSION type marked as OTHER for any request when Electrolysis is enabled (thanks barbaz for reporting)
New in NoScript 5.0.8 RC 1 (Jul 26, 2017)
- [XSS] Fixed excessive recursion causing GC-related hangs on some ads-intensive websites (like der-postillion.de)
New in NoScript 5.0.7.1 (Jul 24, 2017)
- [WebExt] Fixed incompatibility with Firefox 54
- [WebExt] Initiated preference migration via embedded WebExtension
- [e10s] Fixed HTTP redirection issues with e10s enabled
- [Surrogate] Updated googletag replacement
- Fixed HTML5 Media documents blockage delay if no other embedded content is forbidden
- [XSS] Fixed bug causing false positives
New in NoScript 5.0.7.1 RC 1 (Jul 24, 2017)
- [WebExt] Fixed incompatibility with Firefox 54
New in NoScript 5.0.7 RC 3 (Jul 24, 2017)
- [WebExt] Initiated preference migration via embedded WebExtension
New in NoScript 5.0.7 RC 2 (Jul 22, 2017)
- [e10s] Fixed HTTP redirection issues with e10s enabled (thanks PLD for reporting)
- [Surrogate] Updated googletag replacement (thanks barbaz)
- Fixed HTML5 Media documents blockage delay if no other embedded content is forbidden (thanks Georg Koppen for reporting)
New in NoScript 5.0.7 RC 1 (Jul 11, 2017)
- [XSS] Fixed bug causing false positives.
New in NoScript 5.0.6 (Jul 3, 2017)
- [XSS] Fixed performance regression in handling of big JSON payloads causing the browser to freeze on loading pages with Facebook tracking subframes
- [Surrogates] Updated ga replacement (thanks barbaz)
- [L10n] Updated tr (thanks Volkan Gezer)
- [L10n] Updated de (thanks milupo
- [XSS] Fixed regression in window.name sanitization (thanks Gareth Heyes for reporting)
- [XSS] Work-around for Mavo-script operator translation side effects (thanks Gareth Heyes for reporting)
New in NoScript 5.0.6 RC 6 (Jul 1, 2017)
- [Surrogates] Updated ga replacement (thanks barbaz)
New in NoScript 5.0.6 RC 5 (Jun 30, 2017)
- [XSS] Fixed performance regression in handling of big JSON payloads causing the browser to freeze on loading pages with Facebook tracking subframes
- [Surrogates] Updated ga replacement (thanks barbaz)
- [L10n] Updated tr (thanks Volkan Gezer)
- [L10n] Updated de (thanks milupo)
New in NoScript 5.0.6 RC 4 (Jun 5, 2017)
- [XSS] Fixed regression in Mavo expression detection (the fididn't actually ship in RC3, thanks Gareth Heyes for 4 reporting)
- [XSS] Fixed regression in Mavo expression detection (thanks Gareth Heyes for reporting)
- [XSS] Fixed regression in window.name sanitization (thanks Gareth Heyes for reporting)
- [XSS] Work-around for Mavo-script operator translation side effects (thanks Gareth Heyes for reporting)
New in NoScript 5.0.5 (Jun 5, 2017)
- [XSS] Updated XSS filter with latest Gecko Atoms and ES features (thanks Maxim Rupp for reporting)
- [XSS] Added countermeasures against XSS vectors exploiting Mavo-script template expressions (thanks Krzysztof Kotowicz and Gareth Heyes for reporting)
New in NoScript 5.0.5 RC 12 (May 27, 2017)
- Fixed reported origins ordering glitch.
New in NoScript 5.0.5 RC 11 (May 27, 2017)
- [XSS] Fixed regression in Mavo-script detection.
New in NoScript 5.0.5 RC 10 (May 26, 2017)
- [XSS] Brutal crackdown on Mavo-script expressions.
New in NoScript 5.0.5 RC 9 (May 25, 2017)
- [XSS] Improved handling of Mavo-script translation edge cases (thanks Gareth Heyes for reporting)
New in NoScript 5.0.5 RC 8 (May 24, 2017)
- [XSS] More aggressive filter against Mavo-script madness (thanks Gareth Heyes for reporting)
- [XSS] Fixed bug in Mavo-script countermeasures (thanks Gareth Heyes for reporting)
- [XSS] Further countermeasures against more Mavo-script madness (thanks Gareth Heyes for reporting)
- Fixed UI synchronization regression take 2
- Fixed UI synchronization regression
- [XSS] Further countermeasures against Mavo-script madness (thanks Gareth Heyes for reporting)
New in NoScript 5.0.4 (May 11, 2017)
- [XSS] Added countermeasures against several vectors exploiting client-side JavaScript templating frameworks
- [XSS] Fixed e10s-related regression in window.name sanitization
- Fixed "Allow local links" breaking file:/// URL loading in Gecko 53 and above
- Fixed JSON viewer working only on JavaScript-enabled URLs
New in NoScript 5.0.4 RC 2 (May 8, 2017)
- [XSS] Fixed e10s-related regression in window.name sanitization.
New in NoScript 5.0.4 RC 1 (Apr 26, 2017)
- Fixed "Allow local links" breaking file:/// URL loading in Gecko 53 and above
- Fixed JSON viewer working only on JavaScript-enabled URLs
New in NoScript 5.0.3 (Apr 22, 2017)
- Fixed global JavaScript enablement for HTTPS sites breaking the UI (Tor ticket #21923)
- noscript.webext.enabled preference to control embedded WebExtension startup
- Fixed XHR regression (thanks Oleksandr Popov for reporting)
- Fixed compatibility issues with some WebExtensions (thanks Oleksandr Popov for reporting)
New in NoScript 5.0.3 RC 5 (Apr 18, 2017)
- Fixed global JavaScript enablement for HTTPS sites breaking the UI (Tor ticket #21923)
- Adjusted the embedded WebExtension's manifest to reflect the target version upon whole userbase migration
New in NoScript 5.0.3 RC 3 (Mar 29, 2017)
- noscript.webext.enabled preference to control embedded WebExtension startup.
New in NoScript 5.0.3 RC 2 (Mar 20, 2017)
- Fixed XHR regression (thanks Oleksandr Popov for reporting)
- Fixed compatibility issues with some WebExtensions (thanks Oleksandr Popov for reporting)
New in NoScript 5.0.2 (Mar 18, 2017)
- Fixed thumbnails broken even if noscript.bgThumbs.allowed is true (thanks rick for reporting)
- [e10s] Restored absolutely positioned elements removal by mousedown + DEL key (broken by e10s)
- Absolutely positioned elements removal by mousedown + DEL key now working also on whitelisted pages (controlled by noscript.eraseFloatingElements about:config preference, thanks MegaWolf for RFE)
- Fixed blocked XHR requests in frames not reflected in the menu UI (thanks aocab and barbaz for reporting)
- [Locale] Improved nl translation (thanks Kris)
New in NoScript 5.0.2 RC 3 (Mar 17, 2017)
- Fixed thumbnails broken even if noscript.bgThumbs.allowed is true.
New in NoScript 5.0.2 RC 2 (Mar 16, 2017)
- [e10s] Restored absolutely positioned elements removal by mousedown + DEL key (broken by e10s)
- Absolutely positioned elements removal by mousedown + DEL key now working also on whitelisted pages (controlled by noscript.eraseFloatingElements about:config preference, thanks MegaWolf for RFE)
New in NoScript 5.0.2 RC 1 (Mar 16, 2017)
- Fixed blocked XHR requests in frames not reflected in the menu UI (thanks aocab and barbaz for reporting)
- [Locale] Improved nl translation (thanks Kris)
New in NoScript 5.0.1 (Mar 8, 2017)
- Fixed regression, some sites not being shown in UI
- Fixed recently blocked menu not working on e10s
New in NoScript 5.0.1 RC 1 (Mar 7, 2017)
- Fixed regression, some sites not being shown in UI
- Fixed recently blocked menu not working on e10s
New in NoScript 5.0 RC 2 (Feb 13, 2017)
- Dramatically Improved UI synchronization performance impact on load-intensive web pages.
New in NoScript 5.0 RC 1 (Jan 28, 2017)
- Embedded WebExtension
- [e10s] Fixed permissions out of sync when content processes are more than one (thanks Ian Fennel for report)
- [Surrogates] Update google-analytics replacement (thanks ng4never for reporting and barbaz for implementation)
New in NoScript 2.9.5.3 (Jan 18, 2017)
- Fixed https://trac.torproject.org/projects/tor/ticket/20471
- Fixed FRAME blocking issue on non-e10s browsers
- Fixed incompatibility with LastPass non-AMO version 4.x
- Fixed cross-domain HTTPS requests in the same subdomain triggering XSS false positives
- ABE sandbox now enforced by CSP sandbox directive
- Fixed sites marked as untrusted could not be reallowed on the same tab
- Removed obsolete noscript.docShellJSBlocking preference
New in NoScript 2.9.5.3 RC 5 (Jan 17, 2017)
- Fixed incompatibility with LastPass non-AMO version 4.x.
New in NoScript 2.9.5.3 RC 4 (Jan 16, 2017)
- Fixed ABE sandbox overly restrictive on Gecko 50 and above
- Fixed UI synchronization issue (thanks Klayton for report)
- Fixed browsers older than Gecko 50 unaffected by ABE's sandbox action
- Fixed cross-domain HTTPS requests in the same subdomain triggering XSS false positives
New in NoScript 2.9.5.3 RC 1 (Jan 13, 2017)
- ABE sandbox now enforced by CSP sandbox directive
- Fixed sites marked as untrusted could not be re-allowed on the same tab
- Removed obsolete noscript.docShellJSBlocking preference
New in NoScript 2.9.5.2 (Nov 29, 2016)
- Fixed Stylish editor breakage
- Fixed media blocking delayed with Tor Browser's "Medium" Security Sider preset
- Fixed frame blocking issues
- Fixed top-level media loads issues
- Fixed apparent delay in menu UI feedback
- Fixed some XSS filter over-sensitivity regressions
- Fixed "Allow local links" causing file:// URLs to fail
- [Locale] Updated nl
New in NoScript 2.9.5.2 RC 3 (Nov 28, 2016)
- Fixed frame blocking issues
- Fixed top-level media loads issues
New in NoScript 2.9.5.2 RC 2 (Nov 26, 2016)
- Fixed apparent delay in menu UI feedback
- Further XSS positives tweakings
New in NoScript 2.9.5.2 RC 1 (Nov 25, 2016)
- Fixed some XSS filter over-sensitivity regressions
- Fixed "Allow local links" causing file:// URLs to fail
- [Locale] Updated nl (thanks Ton)
New in NoScript 2.9.5.1 (Nov 22, 2016)
- Fixed some pages not loading on 1st attempt when e10s is enabled (thanks Semtex for reporting)
New in NoScript 2.9.5 (Nov 22, 2016)
- Full e10s compatibility
- Fixed big whitelists being reset to default permissions on e10s-enabled browsers (thanks sabret00the and Internet User for reporting)
- Better fifor some embedding permissions issues (thanks barbaz for reporting)
- MediaSource blocking support (Tor Project)
- Better handling of media types loaded as top-level documents
- Declared (but untested) Palemoon support (thanks barbaz)
- [System Principal] included in the mandatory allowed list
- Fixed allow scripts globally requiring a restart (thanks FFreestyleRR for reporting
- Fixed embeddings autoreload on e10s-disabled browsers
- TODO: MediaSource blocking support
- Improved autoreload responsiveness and precision
- Fixed IFrame over-blocking bug (thanks G113 for report)
- Fixed sites involved in background requests being not reported in the UI, even if intercepted and/or blocked (thanks GH113 for reporting)
- Fixed typo in PasteHandler (thanks barbaz for reporting)
- Fixed embedding-related automatic reload issues (thanks barbaz and tmeader for reporting)
- Fixed compatibility regression with Firefo45
- [Surrogate] Fixed file:// replacements broken (thanks barbaz for reporting)
- TODO: MediaSource blocking support
- Fixed typo in XSS filter breaking JSON cross-site requests
- Fixed automatic reload issues (thanks GH113 for reporting)
- Fixed UI not always synchronized on startup (thanks GH113 for reporting)
- Fixed incompatibilities with older Firefodown to 45 (thanks barbaz for reporting)
- Fixed automatic reload impossible to be disabled (thanks GH113 for reporting)
- Fixed UI initially not synced on new windows (thanks GH113 for reporting)
- Fixed bug in secure cookie enforcement upgrading all the unsecure cookies on secure connections even if a secure cookie for the domain existed, increasing chances of incompatibilities (thanks PDL for reporting)
- Fixed escaping issues in the noscript.js preference file (thanks PDL for reporting)
New in NoScript 2.9.5.1 RC 1 (Nov 22, 2016)
- Fixed some pages not loading on 1st attempt when e10s is enabled.
New in NoScript 2.9.5 RC 35 (Nov 21, 2016)
- Better fix for some embedding permissions issues
- MediaSource blocking support (Tor Project)
- Better handling of media types loaded as top-level documents
- Declared (but untested) Palemoon support
New in NoScript 2.9.5 RC 33 (Nov 17, 2016)
- [System Principal] included in the mandatory allowed list
- Partial fix for some embedding permissions issues
New in NoScript 2.9.5 RC 32 (Nov 16, 2016)
- Fixed allow scripts globally requiring a restart
- TODO: Fix top level embedding issues (barbaz)
- TODO: MediaSource blocking support (Tor Project)
New in NoScript 2.9.5 RC 31 (Nov 16, 2016)
- Fixed embeddings autoreload on e10s-disabled browsers
- TODO: MediaSource blocking support
New in NoScript 2.9.5 RC 30 (Nov 16, 2016)
- Improved autoreload responsiveness and precision
- Fixed IFrame over-blocking bug (thanks G113 for report)
New in NoScript 2.9.5 RC 29 (Nov 15, 2016)
- Fixed sites involved in background requests being not reported in the UI, even if intercepted and/or blocked
- Fixed typo in PasteHandler
New in NoScript 2.9.5 RC 25 (Nov 14, 2016)
- Fixed typo in XSS filter breaking JSON cross-site requests
New in NoScript 2.9.0.14 (Aug 8, 2016)
- Fixed live bookmarks in Firefox 48 or above.
New in NoScript 2.9.0.13 (Aug 2, 2016)
- Added missing "s" in noscript.mandatory/about:feeds.
New in NoScript 2.9.0.12 (Jul 29, 2016)
- Updated DNT implementation to match the most recent spec about navigator.doNotTrack values (thanks Francois Merier)
- [XSS] Better compatibility with Unionbank's website (thanks Brent for reporting)
- Fixed bug 1278735 (JavaScript disabled in private windows)
- Fixed JSON viewer not working
- about:feed in the mandatory whitelist to fix bug 1272139
- [XSS] Disable JavaScript on FTP-served pages when a potential DOM XSS threat is detected (thanks Emanuel Bronshtein @e3amn2l for reporting)
- Fixed DOS through script-triggered ClickToPlay confirmation dialogs in a loop (thanks Emanuel Bronshtein @e3amn2l for reporting)
- Fixed placeholder links might be potentially used as XSS vectors if stars were properly aligned(thanks Emanuel Bronshtein @e3amn2l for reporting)
- [Surrogate] Updated google-analytics.com replacement ( thanks noscriptsplox)
- [XSS] Fixed regression (thanks Masato Kinugawa for report)
New in NoScript 2.9.0.2 (Jan 8, 2016)
- Version bump to work around AMO's 404 when serving 2.9.0.1
New in NoScript 2.9.0.1 (Jan 8, 2016)
- Replaced "for each ()" with "for (... of ...)"
- Removed array comprehension usage
- Removed compatibility with Gecko lt 13
- Fixed conflict w/ KeeFox + CTR
New in NoScript 2.9.0.1 RC 2 (Jan 7, 2016)
- Replaced "for each ()" with "for (... of ...)"
- Removed array comprehension usage
- Removed compatibility with Gecko lt 13
New in NoScript 2.9.0.1 RC 1 (Jan 4, 2016)
- Fixed conflict w/ KeeFox + CTR (thanks amloessb for report) https://forums.informaction.com/viewtopic.php?p=80581
New in NoScript 2.9 (Jan 2, 2016)
- [e10s] Fixed "Temporarily allow top-level sites by default" broken by Electrolysis
- Fixed "key.revokeTemp" preference management bug
New in NoScript 2.7 (Nov 23, 2015)
- Removed informaction.com, flashgot.net and maone.net from the default whitelist to reduce the potential attack surface
- Removed vestigial noscript.forbidData preference
- Fixed shorthands not checked for ftp(s) sites
- [Surrogate] Fixed googletag replacement
- Fixed incompatibility with importScript() from workers breaking new reCaptcha implementation
New in NoScript 2.6.9.39 (Oct 19, 2015)
- Work-around for a XSS "false positive" caused by nwolb.com passing Javascript code across subdomains in window.name
New in NoScript 2.6.9.39 RC 1 (Oct 11, 2015)
- Work-around for a XSS "false positive" caused by nwolb.com passing Javascript code across subdomains in window.name
New in NoScript 2.6.9.38 (Oct 9, 2015)
- Fixed breakage due to const declarations behavior changes in latest Firefox nightlies.
New in NoScript 2.6.9.37 (Sep 28, 2015)
- [Surrogate] enhanced gogletags.com replacement (thanks therube)
- Fixed subtle bug in load context association causing an origin mismatch in one corner case (thanks Gareth Heyes for reporting)
New in NoScript 2.6.9.37 RC 2 (Sep 28, 2015)
- Fixed bug: launching a bookmarklet on about:newTab caused allow scripts globally for that tab (thanks James Strange for reporting)
- [L10n] Updated French translation (thanks Syl)
- Fixed NOSCRIPT element hidden on Javascript-disabled pages (moz bug 1208818)
New in NoScript 2.6.9.37 RC 1 (Aug 31, 2015)
- [Surrogate] enhanced gogletags.com replacement
- Fixed subtle bug in load context association causing an origin mismatch in one corner case
New in NoScript 2.6.9.36 (Aug 20, 2015)
- [L10n] Fixed typo in nb-NO (thanks Mikkel H.)
- [e10s] Fixed top-level site auto-whitelisting broken
- [e10s] Fixed MozBug 1196477 (crash with allowLocalLinks)
- Shorthands reliability improvements
- [ClearClick] fixed console spam due to missing XPCOM interfaces for HTML elements
- In order to help Netflix users with the new video delivery system, users who have netflix.com already in their whitelist get https://*.nflxvideo.net whitelisted as well on upgrade
New in NoScript 2.6.9.36 RC 2 (Aug 20, 2015)
- [L10n] Fixed typo in nb-NO (thanks Mikkel H.)
- [e10s] Fixed top-level site auto-whitelisting broken
- [e10s] Fixed MozBug 1196477 (crash with allowLocalLinks)
- Shorthands reliability improvements
New in NoScript 2.6.9.36 RC 1 (Aug 16, 2015)
- [ClearClick] fixed console spam due to missing XPCOM interfaces for HTML elements
- In order to help Netflix users with the new video delivery system, users who have netflix.com already in their whitelist get https://*.nflxvideo.net whitelisted as well on upgrade
New in NoScript 2.6.9.35 (Aug 12, 2015)
- [Surrogate] googletagservices.com replacement now supports custom googletag objects (thanks barbaz)
- [Surrogate] fixed surrogates stopped working on older Gecko versions (thanks barbaz)
- [XSS] Work-around for false positive on some Yahoo! URLs
- Corrected mistyped about:pocket-saved whitelist entry
- Fixed race condition in ABE options observer causing l.getRowCount() console spam
New in NoScript 2.6.9.35 RC 2 (Aug 12, 2015)
- [Surrogate] fixed surrogates stopped working on older Gecko versions - take 2 (thanks barbaz)
- [Surrogate] googletagservices.com replacement now supports custom googletag objects (thanks barbaz)
- [Surrogate] fixed surrogates stopped working on older Gecko versions
- [XSS] Work-around for false positive on some Yahoo! URLs
- Corrected mistyped about:pocket-saved whitelist entry
- Fixed race condition in ABE options observer causing l.getRowCount() console spam
New in NoScript 2.6.9.34 (Aug 3, 2015)
- [Surrogate] Fixed a bug preventing some replacements from running
- [XSS] Fixed over-optimized JSON and dots erasure allowing for a filter bypass in specific (and likely rare) circumstances (thanks Gareth Heyes for reporting)
New in NoScript 2.6.9.34 RC 1 (Jul 31, 2015)
- [XSS] Fixed over-optimized JSON and dots erasure allowing for a filter bypass in specific (and likely rare) circumstances (thanks Gareth Heyes for reporting)
New in NoScript 2.6.9.33 (Jul 30, 2015)
- [XSS] Fixed bug in minimal inline JavaScript fragment detection (thanks Frederik Braun for reporting)
- [L10n] Updated Russian (thanks fatboy).
- [Surrogate] fixed scope conflicts caused by the $S() object replacement wrapper (e.g. with some EA games)
New in NoScript 2.6.9.33 RC 2 (Jul 29, 2015)
- [XSS] Fixed bug in minimal inline JavaScript fragment detection (thanks Frederik Braun for reporting)
New in NoScript 2.6.9.33 RC 1 (Jul 28, 2015)
- [Surrogate] fixed scope conflicts caused by the $S() object replacement wrapper (e.g. with some EA games)
New in NoScript 2.6.9.32 (Jul 27, 2015)
- Added domains required for Netflix playback to the default whitelist
- Fixed inline script blocking broken by latest Nightlies
- Fixed NOSCRIPT elements not being shown in script-blocked pages on Firefox betas
- [Surrogate] shimmed or replaced code causing deprecations
- [Surrogate] updated googletag replacement (thanks barbaz)
- [XSS] Fixed regression in minimal inline JavaScript fragment detection (thanks Gareth Heyes for reporting)
- Fixed edge case causing JavaScript redirections detection to fail on http://qklnk.co/ (thanks Jess Hampshire for RFE)
New in NoScript 2.6.9.32rc4 (Jul 27, 2015)
- [Surrogate] fixed regression causing some replacements not to work correctly.
New in NoScript 2.6.9.32rc3 (Jul 27, 2015)
- Added domains required for Netflix playback to the default whitelist
- Fixed inline script blocking broken by latest Nightlies
- Fixed NOSCRIPT elements not being shown in script-blocked pages on Firefox betas
- [Surrogate] shimmed or replaced code causing deprecations
- [Surrogate] updated googletag replacement (thanks barbaz)
New in NoScript 2.6.9.32rc2 (Jul 23, 2015)
- [XSS] Fixed regression in minimal inline JavaScript fragment detection (thanks Gareth Heyes for reporting)
New in NoScript 2.6.9.32rc1 (Jul 22, 2015)
- Fixed edge case causing JavaScript redirections detection to fail on http://qklnk.co/
New in NoScript 2.6.9.31 (Jul 16, 2015)
- [XSS] Fixed attribute injection checks regression)
New in NoScript 2.6.9.30 (Jul 9, 2015)
- Fixed noscript.allowWhitelistUpdates preference being ignored
- Filtering out whitelist additions not required by the the specific current browser type and version
- Added about:pocket-save and about:pocket-signup to the default whitelist
- More restrictive and accurate INCLUSION type check (thanks Meee for reporting)
- [XSS] Further invalid characters optimization refinement (thanks Mathias Karlsson for reporting)
- [XSS] Fixed XML stripping optimization to prevent inline injections (thanks Mathias Karlsson for reporting)
- Default whitelist maintenance: removed prototypejs.org, cdnjs.cloudflare.com; restored maps.googleapis.com
- [XSS] Updated inline event handlers related code preventing potential 2nd order injections on very badly coded websites (thanks Mathias Karlsson for reporting)
New in NoScript 2.6.9.30 RC 5 (Jul 8, 2015)
- Fixed about:packet-save whitelisted instead of about:pocket-saved
- Fixed noscript.allowWhitelistUpdates preference being ignored
- Filtering out whitelist additions not required by the the specific current browser type and version
New in NoScript 2.6.9.30 RC 4 (Jul 7, 2015)
- Added about:pocket-save and about:pocket-signup to the default whitelist
- More restrictive and accurate INCLUSION type check
New in NoScript 2.6.9.30 RC 3 (Jul 4, 2015)
- [XSS] Further invalid characters optimization refinement
New in NoScript 2.6.9.30 RC 2 (Jul 4, 2015)
- [XSS] Fixed XML stripping optimization to prevent inline injections (thanks Mathias Karlsson for reporting)
- Default whitelist maintenance: removed prototypejs.org, cdnjs.cloudflare.com; restored maps.googleapis.com
New in NoScript 2.6.9.30 RC 1 (Jul 2, 2015)
- [XSS] Updated inline event handlers related code preventing potential 2nd order injections on very badly coded websites
New in NoScript 2.6.9.29 (Jul 1, 2015)
- [XSS] Improved specificity of invalid characters optimization to remove a string literal breaking detection bypass (thanks Mathias Karlsson for reporting)
New in NoScript 2.6.9.28 (Jun 30, 2015)
- Narrowed googleapis.com default whitelist entry to ajax.googleapis.com
- [Surrogate] Updated gigya.com and 2mdn.net replacements
New in NoScript 2.6.9.28 RC 1 (Jun 29, 2015)
- Default whitelist retroactive removal ability
- Removed vjs.zendcdn.net from the default whitelist
New in NoScript 2.6.9.27 (Jun 18, 2015)
- Fixed media elements being blocked on first (uncached) request (thanks RobertDrew for reporting)
- noscript.middlemouse_temp_allow_main_site about:config preference to control whether middle-clicking the toolbar button should allow current top document's site (thanks barbaz)
- [L10n] Updated Belarusian (thanks Dzmitry Drazdou)
- Default whitelist retroactive removal ability
- Removed vjs.zendcdn.net from the default whitelist
New in NoScript 2.6.9.26 (May 29, 2015)
- Extended the redirectTo() safety net for to all the internal redirections
- Work-around for redirectTo() breaking Flash plugin subrequests
- Got ChannelReplacement backed by HTTPChannel.redirectTo() whenever possible (should fix moz-bug 1153256 for good)
- Fixed double redirection in HTTPS enforcing
New in NoScript 2.6.9.26 RC 3 (May 29, 2015)
- Extended the redirecTo() safety net for to all the internal redirections
New in NoScript 2.6.9.26 RC 1 (May 28, 2015)
- Got ChannelReplacement backed by HTTPChannel.redirectTo() whenever possible (should fix moz-bug 1153256 for good)
- Fixed double redirection in HTTPS enforcing
New in NoScript 2.6.9.25 (May 25, 2015)
- Fixed regression preventing HTTPS enforcing exceptions from
New in NoScript 2.6.9.24 (May 25, 2015)
- Fix for intermittent crashes on older Gecko versions
New in NoScript 2.6.9.23 (May 23, 2015)
- Work-around for moz-bug 1167371
- Fixed fatal regression on Firefo34 and below
- Improved backward compatibility
- Work-around for anonymized plugin subrequests being vetoed by channel event sink
- Fixed backward compatibility PopupBoxObject shim
- [E10s] Fixed cascading permissions broken when checks are performed cross-process
- [Surrogate] Removed deprecated "for each" constructs from replacements
- [L10n] Updated ru-RU (thanks negodnik)
- Tentative fifor Bug 1153256 (thanks Dragana Damjanovic)
- Added about:preferences to the mandatory whitelist
- Removed legacy STS support
- [Surrogate] 2mdn.net inclusion replacement (thanks barbaz)
- [E10s] Restored inline JavaScript blocking
New in NoScript 2.6.9.23 RC 3 (May 22, 2015)
- Work-around for anonymized plugin subrequests being vetoed by channel event sink
- Fixed backward compatibility PopupBoxObject shim
New in NoScript 2.6.9.23 RC 2 (May 21, 2015)
- [E10s] Fixed cascading permissions broken when checks are performed cross-process
- [Surrogate] Removed deprecated "for each" constructs from replacements
- Fixed missing default preferences
New in NoScript 2.6.9.23 RC 1 (May 20, 2015)
- [L10n] Updated ru-RU (thanks negodnik)
- Tentative fix for Bug 1153256 (thanks Dragana Damjanovic)
- Added about:preferences to the mandatory whitelist
- Removed legacy STS support
- [Surrogate] 2mdn.net inclusion replacement (thanks barbaz)
- [E10s] Restored inline JavaScript blocking
New in NoScript 2.6.9.22 (Apr 21, 2015)
- [Surrogate] Generalized OWASP antiClickjacking replacement
- [Surrogate] Wordpress scriptless site auto-show replacement
- bootstrapcdn.com in default whitelist
New in NoScript 2.6.9.21 (Apr 7, 2015)
- Added "mediasource:" to the mandatory whitelist
- [Surrogate] Updated googletagservices.com replacement
- Better compatibility with SDK-based add-ons using data: URIs
New in NoScript 2.6.9.20 RC 1 (Mar 30, 2015)
- Fixed inconsistencies in data: URIs handling
New in NoScript 2.6.9.19 (Mar 21, 2015)
- [Surrogate] .gigya.com replacement provided by barbaz
- [Surrogate] js.stripe.com replacement provided by barbaz
- Improved usability of new Yahoo! video activation
- Added googlevideo.com to the default whitelist because it's now required to play Youtube movies
New in NoScript 2.6.9.19 RC 1 (Mar 20, 2015)
- Improved usability of new Yahoo! video activation
- Added googlevideo.com to the default whitelist because it's now required to play Youtube movies
New in NoScript 2.6.9.18 (Mar 14, 2015)
- Fixed restrictSubdocScripts/globalHTTPSWhitelist interaction issue (thanks Tor Project for report)
- Fixed regression always disabling scripts whenever site's host name is a IPv6 literal (thanks ipv6user for report)
- Fixed menu automatic disappearance on mouse exit broken by Firefox 36 changes (thanks randavis, cumdacon and barbaz for report)
New in NoScript 2.6.9.18 RC 3 (Mar 13, 2015)
- Fixed restrictSubdocScripts/globalHTTPSWhitelist interaction issue
New in NoScript 2.6.9.18 RC 2 (Mar 12, 2015)
- Fixed regression always disabling scripts whenever site's host name is a IPv6 literal.
New in NoScript 2.6.9.18 RC 1 (Mar 10, 2015)
- Fixed menu automatic disappearance on mouse exit broken by Firefox 36 changes
New in NoScript 2.6.9.17 (Mar 10, 2015)
- Fixed cascadePermissions/globalHTTPSWhitelist interaction issue with IFRAMEs (thanks Tor Project for report)
- Fixed cascadePermissions being enforced also if the top document is implicitly allowed by the globalHTTPSWhitelist policy, rather than explicitly whitelisted, causing HTTP subdocument and scripts to be unintendendly allowed when the top document is HTTPS (thanks Tor Project for report)
- [Surrogate] Update Google Analytics replacement (thanks barbaz)
New in NoScript 2.6.9.17 RC 2 (Mar 7, 2015)
- Fixed cascadePermissions/globalHTTPSWhitelist interaction issue with IFRAMEs
New in NoScript 2.6.9.17 RC 1 (Mar 6, 2015)
- Fixed cascadePermissions being enforced also if the top document is implicitly allowed by the globalHTTPSWhitelist policy, rather than explicitly whitelisted, causing HTTP subdocument and scripts to be unintendendly allowed when the top document is HTTPS
- [Surrogate] Update Google Analytics replacement
New in NoScript 2.6.9.16 (Mar 2, 2015)
- [Surrogate] Updated Gravatar surrogate (thanks barbaz)
- Additional HTML sanitization when pasting rich text into content-editable elements (thanks .mario for RFE)
- Introduced framework for E10s migration, starting with new features and fixes
- Removed deprecated let () expressions from the code base
New in NoScript 2.6.9.15 (Feb 20, 2015)
- Fixed regression in 2.6.9.12 causing data: URI documents to be scripting-enabled (thanks GOF for tweet)
New in NoScript 2.6.9.14 (Feb 18, 2015)
- [Surrogate] OWASP legacy Javascript-based "antiClickjack" protection surrogate to unhide "protected" pages when scripting is disabled (thanks Thrawn)
- Restored noscript.forbidXHR functionality trying to make it more web-compatible (thanks barbaz for RFE)
New in NoScript 2.6.9.14 RC 2 (Feb 18, 2015)
- [Surrogate] OWASP legacy Javascript-based "antiClickjack" protection surrogate to unhide "protected" pages when scripting is disabled.
New in NoScript 2.6.9.14 RC 1 (Feb 12, 2015)
- Restored noscript.forbidXHR functionality trying to make it more web-compatible
New in NoScript 2.6.9.13 (Feb 11, 2015)
- [XSS] Fixed bugs in comment stripping optimization
- [XSS] Better protection against some ES6 attacks
- Removed support for XMLHttpRequest blocking (noscript.forbidXHR preference). The same functionality, if really needed, can still be achieved through ABE anyway.
New in NoScript 2.6.9.13 RC 3 (Feb 11, 2015)
- [XSS] Fixed regression in stripping optimizations
New in NoScript 2.6.9.13 RC 2 (Feb 11, 2015)
- [XSS] Fixed bug in comment stripping optimization
New in NoScript 2.6.9.13 RC 1 (Feb 10, 2015)
- [XSS] Better protection against some ES6 attacks
- Removed support for XMLHttpRequest blocking (noscript.forbidXHR preference). The same functionality, if really needed, can still be achieved through ABE anyway.
New in NoScript 2.6.9.12 (Feb 5, 2015)
- Fixed origin checking bug causing sandboxed IFRAMEs to have scripting always disabled (thanks Ellad Tadmor for report)
New in NoScript 2.6.9.11 (Jan 17, 2015)
- [Surrogate] microsoftSupport surrogate to force the content to be shown if scripts are disabled (thanks thunderscript)
- Check private browsing against chrome rather than content windows (prevents annoying warning console messages)
New in NoScript 2.6.9.10 (Dec 27, 2014)
- Fixed regression: permanently allow a web site erasing temporary whitelist items (thanks smersh for reporting)
- Fixed private windows detection for UI adaptation broken in SeaMonkey (thanks barbaz for reporting)
- Made the Permanent "allow" commands in private windows' checkbox look and behave like the other options in the "Appearance" tab, i.e. controlling the visibility of the menu item by the same name
New in NoScript 2.6.9.10 RC 1 (Dec 24, 2014)
- Fixed private windows detection for UI adaptation broken in SeaMonkey
- Made the Permanent "allow" commands in private windows' checkbox look and behave like the other options in the "Appearance" tab, i.e. controlling the visibility of the menu item by the same name
New in NoScript 2.6.9.9 (Dec 20, 2014)
- Updated GPL.txt and NoScript_License.txt with current FSF information (thanks Thomas Spura for reporting)
- Fixed regression causing "Revoke temporary permissions" gitches (thanks barbaz for reporting)
- Moved the Permanent "allow" commands in private windows' menu toggle next to the 'Options' command
New in NoScript 2.6.9.9 RC 1 (Dec 18, 2014)
- Updated GPL.txt and NoScript_License.txt with current FSF information (thanks Thomas Spura for reporting)
- Fixed regression causing "Revoke temporary permissions" gitches (thanks barbaz for reporting)
- Moved the Permanent "allow" commands in private windows' menu toggle next to the 'Options' command
New in NoScript 2.6.9.8 (Dec 17, 2014)
- 'Permanent "allow" commands in private windows' preference in NoScript Options|Appearance (inverse of noscript.volatilePrivatePermissions)
- 'Permanent "allow" commands in private windows' toggle in NoScript menu while in Private Browsing mode, controlled by noscript.showVolatilePrivatePermissionsToggle
- Fixed regression in Cascade Permissions mode (thanks Kitty Box for reporting)
- Fixed whitelisting regression on Gecko 25 and below (e.g. Palemoon)
- Actually prevent temporary whitelist items from being saved in prefs (thanks to Mike Perry)
New in NoScript 2.6.9.8 RC 2 (Dec 16, 2014)
- Fixed whitelisting regression on Gecko 25 and below (e.g. Palemoon)
New in NoScript 2.6.9.8 RC 1 (Dec 16, 2014)
- Actually prevent temporary whitelist items from being saved in prefs (thanks to Mike Perry)
New in NoScript 2.6.9.7 (Dec 15, 2014)
- Fixed inconsistencies in the globalHttpsWhitelist option implementation (thanks Mike Perry for reporting)
- Volatile temporary whitelist, never gets saved to disk (thanks to Tor Project for sponsorship)
- Never show permanent whitelist modifying commands when in private mode unless the noscript.volatilePrivatePermissions preference is false (thanks to Tor Project for sponsorship)
- noscript.allowWhitelistUpdate preference to control whether NoScript should be able to tweak the whitelist on version updates when the 3rd party requirements for an already whitelisted website change (thanks Thencent for RFE)
New in NoScript 2.6.9.7 RC 2 (Dec 15, 2014)
- Fixed inconsistencies in the globalHttpsWhitelist option implementation (thanks Mike Perry for reporting)
New in NoScript 2.6.9.7 RC 1 (Dec 13, 2014)
- Volatile temporary whitelist, never gets saved to disk (thanks to Tor Project for sponsorship)
- Never show permanent whitelist modifying commands when in private mode, unless the oscript.volatilePrivatePermissions preference is false (thanks to Tor Project for sponsorship)
- noscript.allowWhitelistUpdate preference to control whether NoScript should be able to tweak the whitelist on version updates when the 3rd party requirements for an already whitelisted website change (thanks Thencent for RFE)
New in NoScript 2.6.9.6 (Dec 4, 2014)
- Built-in force HTTPS list, seeded with www.youtube.com
- Work-around for bogus Youtube embedded frame activation patterns
- Fixed bookmarklet execution regression in older Firefox versions
- Fixed subdocuments of a [System Principal] page not being allowed when they should in cascade permission modes
New in NoScript 2.6.9.6 RC 3 (Dec 4, 2014)
- Built-in force HTTPS list, seeded with www.youtube.com
- Work-around for bogus Youtube embedded frame activation patterns (thanks al_9x for reporting)
New in NoScript 2.6.9.6 RC 2 (Dec 2, 2014)
- Fixed bookmarklet execution regression in older Firefox versions
New in NoScript 2.6.9.6 RC 1 (Nov 27, 2014)
- Fixed sub-documents of a [System Principal] page not being allowed when they should in cascade permission modes
New in NoScript 2.6.9.5 (Nov 25, 2014)
- Fixed memory leak when a top-level browser window is closed
- [XSS] compatibility tweak for swisspost.ch
- Miscellaneous HTTPS URLs lockdown
- Support for full-encrypted https://noscript.net
- Updated Twitter surrogate
- Work-around for thumbnail generation protection being broken by some add-ons
- Fully disable background processed thumbnail generation unless noscript.bgThumbs.allowed about:config preference is set to true
- Control JavaScript enabled in background thumbail generation through the noscript.bgThumbs.disableJS about:config preference
- Forcing remote browsers used for thumbnail generation to disable JavaScript (thanks vpoint for reporting)
- [Surrogate] Invodo dummy replacement
New in NoScript 2.6.9.5 RC 2 (Nov 24, 2014)
- Support for full-encrypted https://noscript.net
- Updated Twitter surrogate (thanks ozjuggler and barbaz)
- Work-around for thumbnail generation protection being broken by some add-ons
- Fully disable background processed thumbnail generation unless noscript.bgThumbs.allowed about:config preference is set to true
- Control JavaScript enabled in background thumbnail generation through the noscript.bgThumbs.disableJS about:config preference
New in NoScript 2.6.9.5 RC 1 (Nov 18, 2014)
- Forcing remote browsers used for thumbnail generation to disable JavaScript (thanks vpoint for reporting)
- [Surrogate] Invodo dummy replacement
New in NoScript 2.6.9.4 (Nov 17, 2014)
- Added vimeocdn.com as a vimeo.com dependency if already whitelisted
- [Surrogate] Enabling imgserve.com age verification button even if JavaScript is disabled
- Fixed IP6 to IP4 mapping bug (thanks stack / inventati)
New in NoScript 2.6.9.3 (Oct 24, 2014)
- More accurate referrer checks for some edge cases (thanks AlbertMTom for reporting)
- [ABE] More restrictive local IP checks (thanks AlbertMTom for reporting)
- More permissive AddressMatcher IP parser
- [XSS] Improved sensitivity (thanks Masato Kinugawa)
New in NoScript 2.6.9.3 RC 2 (Oct 23, 2014)
- [ABE] More restrictive local IP checks (thanks AlbertMTom for reporting)
- More permissive AddressMatcher IP parser
New in NoScript 2.6.9.3 RC 1 (Oct 20, 2014)
- [XSS] Improved sensitivity (thanks Masato Kinugawa)
New in NoScript 2.6.9.2 (Oct 20, 2014)
- Improved sensitivity (thanks Masato Kinugawa)
New in NoScript 2.6.9.2 RC 2 (Oct 17, 2014)
- [XSS] Improved sensitivity
New in NoScript 2.6.9.2 RC 1 (Oct 16, 2014)
- [XSS] Improved sensitivity
New in NoScript 2.6.9.1 (Oct 14, 2014)
- [XSS] focus-based exfiltration protection
- [XSS] Fixed false positive in risky operators detection
New in NoScript 2.6.9.1 RC 2 (Oct 11, 2014)
- [XSS] Improved focus-based exfiltration protection
New in NoScript 2.6.9.1 RC 1 (Oct 11, 2014)
- [XSS] focus-based exfiltration protection (thanks Masato Kinugawa for reporting)
- [XSS] Fixed false positive in risky operators detection (thanks Roman Vock for reporting)
New in NoScript 2.6.9 (Oct 6, 2014)
- [XSS] Improved location-based exfiltration protection
- [Surrogate] login.person.org inclusion (thanks barbaz)
- [XSS] Fixed 2.6.8.43 regressions
- [XSS] Improved specificity for eval-like patterns
- Switched to a treeview for faster management of very long whitelists (thanks barbaz for patch)
- Tentative work-around for potential performance problems reportedly related to Australis support
New in NoScript 2.6.9 RC 3 (Oct 3, 2014)
- [XSS] Improved location-based exfiltration protection (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.9 RC 2 (Oct 3, 2014)
- [Surrogate] login.person.org inclusion (thanks barbaz)
- [XSS] Fixed 2.6.8.43 regressions
- [XSS] Improved specificity for eval-like patterns
New in NoScript 2.6.9 RC 1 (Oct 1, 2014)
- Switched to a treeview for faster management of very long whitelists
- Tentative work-around for potential performance problems reportedly related to Australis support
New in NoScript 2.6.8.43 (Sep 29, 2014)
- [XSS] Protection against some exfiltration attacks based on arithmetic operators (thanks Masato Kinugawa and File Descriptor AKA XSS Jigsaw for reporting)
New in NoScript 2.6.8.43 RC 1 (Sep 27, 2014)
- [XSS] Protection against some exfiltration attacks based on arithmetic operators (thanks Masato Kinugawa and File Descriptor AKA XSS Jigsaw for reporting)
New in NoScript 2.6.8.42 (Sep 22, 2014)
- User-facing "Reload the current tab only" option
- Fixed subtle bug in ScriptSurrogate.replaceScript()
- Fixed HTTPS and cascading permission policies not applying to XHR and XBL checks
- [XSS] Fixed ES6-based bypasses (thanks Masato Kinugava for reporting)
- [XSS] window.name exfiltration protection (thanks Masato Kinugava for reporting)
- Fixed script sources enumeration breakage in Firefox 35 Moz Bug 1068508, thanks Octoploid for reporting)
New in NoScript 2.6.8.42 RC 2 (Sep 22, 2014)
- Fixed subtle bug in ScriptSurrogate.replaceScript()
- Fixed HTTPS and cascading permission policies not applying to XHR and XBL checks
- [XSS] Fixed ES6-based bypasses (thanks Masato Kinugava for reporting)
- [XSS] window.name exfiltration protection (thanks Masato Kinugava for reporting)
New in NoScript 2.6.8.42 RC 1 (Sep 17, 2014)
- Fixed script sources enumeration breakage in Firefox 35 (Moz Bug 1068508, thanks Octoploid for reporting)
New in NoScript 2.6.8.41 (Sep 12, 2014)
- Improved Australis toolbar compatibility (thanks Quicksaver for help)
- Added "Always ask" checkbox to the removal confirmation dialog (thanks agaxwtmp for RFE)
- Fixed Options dialog broken on ancient Firefox versions
- [XSS] Fixed false positive within *.adxns.com
New in NoScript 2.6.8.41 RC 2 (Sep 11, 2014)
- Added "Always ask" checkbox to the removal confirmation dialog (thanks agaxwtmp for RFE)
- Fixed Options dialog broken on ancient Firefox versions
New in NoScript 2.6.8.41 RC 1 (Sep 10, 2014)
- Improved Australis toolbar compatibility (thanks Quicksaver for patch)
- [XSS] Fixed false positive within *.adxns.com
New in NoScript 2.6.8.40 (Sep 2, 2014)
- Fixed regression causing script inclusions with non-standard ports to be always blocked
- [ABE] Improved ruleset editing UI (thanks barbaz for patch)
New in NoScript 2.6.8.40 RC 2 (Sep 1, 2014)
- Fixed regression causing script inclusions with non-standard ports to be always blocked
New in NoScript 2.6.8.40 RC 1 (Aug 28, 2014)
- [ABE] Improved ruleset editing UI (thanks barbaz for patch).
New in NoScript 2.6.8.39 RC 2 (Aug 27, 2014)
- [Surrogate] Removed DARLA surrogate and reimplemented its work-around as a XSS filter exception
- Bookmarklets] Fixed bookmarklets broken when JavaScript is enabled
New in NoScript 2.6.8.39 RC1 (Aug 26, 2014)
- [Surrogate] Work-around for DARLA surrogate breaking Yahoo! Mail.
New in NoScript 2.6.8.38 (Aug 25, 2014)
- Fixed regression preventing Youtube movies from playing
- Completed work-around for Firefox's Bug 1044351
- [Surrogate] Improved Yahoo! DARLA source matching
New in NoScript 2.6.8.37 RC 2 (Aug 16, 2014)
- [XSS] Support for new insidious ES6 constructs introduced in Firefox 34 (thanks .mario for reporting)
- [HTTPS] Experimental "Allow HTTPS scripts globally on HTTPS documents" mode
New in NoScript 2.6.8.37 RC 1 (Jul 30, 2014)
- [Surrogate] Yahoo! "DARLA" ads loader post-execution surrogate prevents the browser from stalling due to the many window.name-based XSSes intentionally used by this ads delivery script
New in NoScript 2.6.8.36 (Jul 29, 2014)
- [Surrogate] Updated adf.ly replacement (thanks kasper93 for coding)
- [Surrogate] Updated connect.facebook.net replacement
- Fixed bookmarklet emulation compatibility issue breaking some add-ons which rely on the new getShortcutOrURIAndPostData() function signature
- Fixed regression causing preventing the Blocked Objects list from being manually reset
New in NoScript 2.6.8.36 RC 1 (Jul 26, 2014)
- [Surrogate] Updated adf.ly replacement (thanks kasper93 for coding)
- [Surrogate] Updated connect.facebook.net replacement
- Fixed bookmarklet emulation compatibility issue breaking some add-ons which rely on the new getShortcutOrURIAndPostData() function signature
New in NoScript 2.6.8.35 (Jul 25, 2014)
- Improved compatibility with browser built-in Click To Play
- Recently blocked sites are now recorded per-window (causing automatic oblivion of data from Private Browsing windows when they're closed)
- Recently blocked sites are not collected at all unless the menu item is configured to be shown (thanks Barbaz for RFE and patch)
New in NoScript 2.6.8.35 RC 1 (Jul 24, 2014)
- Recently blocked sites are now recorded per-window (causing automatic oblivion of data from Private Browsing windows when they're closed)
- Recently blocked sites are not collected at all unless the menu item is configured to be shown (thanks Barbaz for RFE and patch)
New in NoScript 2.6.8.34 (Jul 17, 2014)
- Added "cdn.directvid.com/*.jsx" to inclusionTypeChecking.exceptions in order to let the directvid video player work
- Better compatibility with null principal origins created by the Add-on SDK (thanks neilemon for reporting)
New in NoScript 2.6.8.33 (Jul 9, 2014)
- Fixed regression in smart reloading of just allowed HTML Media elements (thanks barbaz for reporting)
New in NoScript 2.6.8.32 (Jul 8, 2014)
- Fixed regression: NOSCRIPT element not shown on non-whitelisted pages
- Replaced Ci.nsIDOMHTML(Video|Audio)Element (about to be removed) with window.(Video|Audio)Element counterparts (see Moz Bug 1034304)
- Fixed jammed icon on the navigation bar when "left clicking on toolbar icon toggles..." option is checked
New in NoScript 2.6.8.32 RC 3 (Jul 7, 2014)
- Fixed regression: NOSCRIPT element not shown on non-whitelisted pages
New in NoScript 2.6.8.32 RC 2 (Jul 7, 2014)
- Replaced Ci.nsIDOMHTML(Video|Audio)Element (about to be removed) with window.(Video|Audio)Element counterparts (see Moz Bug 1034304)
New in NoScript 2.6.8.32 RC 1 (Jul 5, 2014)
- Fixed jammed icon on the navigation bar when "left clicking on toolbar icon toggles..." option is checked (thanks Larry for reporting)
New in NoScript 2.6.8.31 (Jul 2, 2014)
- Updated HTML5 and Gecko-specific markup elements list
- Fixed "too much recursion" book in bookmarklet emulation when executing window.open(..., "_self") (thanks al_9x)
- Improved icons consistence with cascading permissions
- Fixed 2.6.8.30rc1 regression: broken local file loads
- Make "[Temporarily] Allow all this page" affect only the top-level document's origin when cascading permissions mode is enabled
- [Surrogate] Fixed regression about a small change in sandboprincipal management breaking some surrogates, including Google Analytics
- [CAPS] better compatibility with Firefo30's restored checkloaduri prefs hack
- UI support for cascadePermissions and restrictSubdocScripting
- "NoScript Options|Advanced|Trusted|Cascade top document's permissions to 3rd party scripts" user-facing preference
- "NoScript Options|Advanced|Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages" user-facing preference
- Backported cascadePermissions and restrictSubdocScripting support to ESR 24
New in NoScript 2.6.8.30 RC 4 (Jun 27, 2014)
- Improved icons consistency with cascading permissions
- Fixed 2.6.8.30rc1 regression: broken local file loads
New in NoScript 2.6.8.29 (Jun 25, 2014)
- [Surrogate] googletagservices.com replacement (thanks Guest and barbaz)
- Fixed bookmarklet emulation "Object.getPrototypeOf(...).open is undefined" failure on Nightly (thanks Ria and barbaz for reporting)
New in NoScript 2.6.8.29 RC 1 (Jun 9, 2014)
- [Surrogate] googletagservices.com replacement (thanks Guest and barbaz)
- Fixed bookmarklet emulation "Object.getPrototypeOf(...).open is undefined" failure on Nightly (thanks Ria and barbaz for reporting)
New in NoScript 2.6.8.28 (Jun 4, 2014)
- Fixed bookmarklet execution on non-whitelisted page causing scripts to be globally allowed (thanks barbaz and therube for reporting)
New in NoScript 2.6.8.28 RC 1 (Jun 4, 2014)
- Fixed bookmarklet execution on non-whitelisted page causing scripts to be globally allowed (thanks barbaz and therube for reporting)
New in NoScript 2.6.8.27 (Jun 3, 2014)
- Work-around for bug 1005552 (backport to ESR)
- [Surrogate] External script surrogates are now triggered whenever a matching script fails to load, no matter the reason, e.g. NoScript permissions, ABE, ABP or RequestPolicy (thanks bonanza for RFE)
- [XSS] Worked around OpenID-related false positive (thanks Gunnar for reporting)
- [XSS] Better work around for false positive in gmx.com new webmail, designed to work across all its implementations
New in NoScript 2.6.8.27 RC 3 (Jun 2, 2014)
- [Surrogate] Better trigger timing
- Work-around for bug 1005552 (backport to ESR)
New in NoScript 2.6.8.27 RC 2 (May 31, 2014)
- [Surrogate] External script surrogates are now triggered whenever a matching script fails to load, no matter the reason, e.g. NoScript permissions, ABE, ABP or RequestPolicy (thanks bonanza for RFE)
New in NoScript 2.6.8.26 (May 30, 2014)
- [XSS] Worked around OpenID-related false positive
- [XSS] Better work around for false positive in gmx.com new webmail, designed to work across all its implementations
New in NoScript 2.6.8.26 (May 27, 2014)
- [XSS] gmx.com false positive work-around extended to international domains (thanks dood_97 for reporting)
- [XSS] gmx.com false positive work-around extended to mail.com (thanks boris for reporting)
- noscript.cascadePermissions preliminary backend implementation
- noscript.restrictSubdocScripting preliminary backend implementation
New in NoScript 2.6.8.26 RC 1 (May 24, 2014)
- [XSS] gmx.com false positive work-around extended to international domains (thanks dood_97 for reporting)
- [XSS] gmx.com false positive work-around extended to mail.com (thanks boris for reporting)
- noscript.cascadePermissions preliminary backend implementation
- noscript.restrictSubdocScripting preliminary backend implementation
New in NoScript 2.6.8.25 (May 21, 2014)
- [ABE] Fixed inability to discriminate loads inititated from the URL bar on latest Nightlies (thanks Soothsayer for reporting)
- [XSS] Fixed false positive on new gmx.com login (thanks Luigi and LeeB for reporting)
- [Surrogate] Fixed new google-analytics.com surrogate causing Google Spreadsheet's columns not to be resizable (thanks bobbybrown for reporting)
New in NoScript 2.6.8.25 RC 1 (May 20, 2014)
- [Surrogate] Fixed new google-analytics.com surrogate causing Google Spreadsheet's columns not to be resizable (thanks Luigi for reporting)
- [XSS] Fixed false positive on new gmx.com login (thanks bobbybrown for reporting)
New in NoScript 2.6.8.24 (May 15, 2014)
- Synthetic load events are sent and error events are suppressed for blocked script elements, in order to work around strict script inclusion enforcers. This feature is triggered by default only by Require.js module imports, but can be fully configured by noscript.fakeScriptLoadEvents.* about:config preferences:
- .enabled: switches this feature on/off
- .onlyRequireJS: if true (default) applies the feature only to script inclusions initiated by Require.js
- .exceptions: AddressMatcher pattern matching the source URLs of script elements which should not cause fake load events when blocked
- .docExceptions: AddressMatcher pattern matching the URLs of documents where no fake load event must be raised
- Improved toStaticHTML() implementation (thanks .mario for reporting)
- Removed useless ICC profiles from some icons (thanks taffit for RFE)
- [Surrogate] Improved google-analytics.com (ga) surrogate
- [XSS] Fixed characters redundancy reduction bug (thanks Masato Kinugawa for reporting)
- [XSS] Fixed typo in the new regular expression literals stripping routine implementation (thanks Masato Kinugawa for reporting)
- [XSS] Fixed subtle bug in regular expression literals stripping optimization, potentially causing false negatives in edge cases (thanks Masato Kinugawa for reporting)
- Work-around for Firefobug causing popup.hidePopup() to fail sometimes and NoScript's on-hover menu needing a click to be closed
New in NoScript 2.6.8.24 RC 4 (May 13, 2014)
- Synthetic load events are sent and error events are suppressed for blocked script elements, in order to work around strict script inclusion enforcers such as Require.js (this feature is configured by the noscript.fakeScriptLoadEvents about:config preference)
- Improved toStaticHTML() implementation (thanks .mario for reporting)
- Removed useless ICC profiles from some icons (thanks taffit for RFE)
New in NoScript 2.6.8.24 RC 3 (May 12, 2014)
- [XSS] Fixed characters redundancy reduction bug
New in NoScript 2.6.8.24 RC 2 (May 12, 2014)
- [XSS] Fixed typo in the new regular expression literals stripping routine implementation
New in NoScript 2.6.8.24 RC 1 (May 12, 2014)
- [XSS] Fixed subtle bug in regular expression literals stripping optimization, potentially causing false negatives in edge cases
New in NoScript 2.6.8.23 (May 5, 2014)
- Work-around for Firefox bug causing popup.hidePopup() to fail sometimes and NoScript's on-hover menu needing a click to be closed
New in NoScript 2.6.8.22 (May 5, 2014)
- Better algorithm for menu items ordering
New in NoScript 2.6.8.21 (May 5, 2014)
- Fixed XSL check regression (thanks barbaz for reporting)
- Work-around for bug 1005552
- [Surrogate] Gravatar dummy replacement
- [Australis] Support for reversed menu on surrogate status/addon bars
New in NoScript 2.6.8.21 RC 1 (Apr 30, 2014)
- [Surrogate] Gravatar dummy replacement
- [Australis] Support for reversed menu on surrogate status/addon bars
New in NoScript 2.6.8.20 (Apr 15, 2014)
- Partially restored "Allow local links" functionality (works for HTML file:// links but not for embedded resources and scripted loads)
- "allowLocalLinks.from" about:config preference to define a whitelist (in ABE URL pattern list syntax) which, if valid and not empty, overrides the JavaScript whitelist which is reused by legacy default for pages allowed to open file:// links (Gecko 28 and above)
- "allowLocalLinks.to" about:config preference to define a whitelist (in ABE URL pattern list syntax) which, if valid and not empty, limits the file:// links which can be opened by allowed pages (Gecko 28 and above)
- Removed "Allow rich text copy and paste from external clipboard" option from the UI if the browser doesn't support CAPS (Gecko 28 and above)
- Implemented early permission changes enforcement on not yet reloaded pages, to better match the old CAPS-based behavior (thanks therube for reporting)
- [Surrogates] Fixed Google Analytics surrogate breaking some javascript: links (thanks Will for reporting)
- [L18n] Fixed Finnish typo (thanks Kalle Niemitalo for reporting)
- [XSS] Removed OAuth-triggered false positive (thanks Gunnar Scherf for reporting)
- [XSS] Stricter checks for HTTPS requests from a same domain origin with different scheme (thanks LouiseRBaldwin for reporting)
New in NoScript 2.6.8.20 RC 2 (Apr 14, 2014)
- Implemented early permission changes enforcement on not yet reloaded pages, to better match the old CAPS-based behavior (thanks therube for reporting)
New in NoScript 2.6.8.20 RC 1 (Apr 14, 2014)
- [Surrogates] Fixed Google Analytics surrogate breaking some javascript: links (thanks Will for reporting)
- [L18n] Fixed Finnish typo (thanks Kalle Niemitalo for reporting)
- [XSS] Removed OAuth-triggered false positive (thanks Gunnar Scherf for reporting)
- [XSS] Stricter checks for HTTPS requests from a same domain origin with different scheme (thanks LouiseRBaldwin for reporting)
New in NoScript 2.6.8.19 (Mar 25, 2014)
- Fixed CAPS initialization broken in Gecko 27 and below
- Fixed wildcard port matching broken in Gecko 28 and below
New in NoScript 2.6.8.19 RC 1 (Mar 24, 2014)
- Fixed wildcard port matching broken in Gecko 28 and below
New in NoScript 2.6.8.18 (Mar 24, 2014)
- Fixed some bookmarklets being broken by Gecko 28
- [Surrogate] Fixed some surrogates being broken by Gecko 28
- Disabled CAPS-based script blocking for Gecko 28 and above
- Fixed XSLT blocking broken by recent Gecko changes (thanks Xenos for reporting)
New in NoScript 2.6.8.18 RC 1 (Mar 10, 2014)
- Fixed XSLT blocking broken by recent Gecko changes (thanks Xenos for reporting)
New in NoScript 2.6.8.17 (Mar 5, 2014)
- CSS tweak for Australis support (thanks Jared Wein)
- Fixed new bookmarklet execution module accidentally using X rays wrappers and therefore failing to interact with expando variables
New in NoScript 2.6.8.17 RC 1 (Mar 3, 2014)
- CSS tweak for Australis support (thanks Jared Wein)
- Fixed new bookmarklet execution module accidentally using X rays wrappers and therefore failing to interact with expando variables
New in NoScript 2.6.8.16 (Feb 28, 2014)
- Closing a placeholder doesn't collapse its space anymore, unless the noscript.placeholderCollapseOnClose is set to true or the "Collapse blocked objects" Embeddings option is checked (thanks Elmart for RFE)
- Further bookmarklet emulation improvements yet (thanks porl for RFEs)
New in NoScript 2.6.8.16 RC 4 (Feb 27, 2014)
- Closing a placeholder doesn't collapse its space anymore, unless the noscript.placeholderCollapseOnClose is set to true or the "Collapse blocked objects" Embeddings option is checked (thanks Elmart for RFE)
New in NoScript 2.6.8.16 RC 3 (Feb 26, 2014)
- Further bookmarklet emulation improvements yet (thanks porl for RFEs)
New in NoScript 2.6.8.16 RC 2 (Feb 24, 2014)
- Further bookmarklet emulation improvements (thanks porl for testbed)
New in NoScript 2.6.8.16 RC 1 (Feb 24, 2014)
- More faithful bookmarklet corner-cases emulation
New in NoScript 2.6.8.15 (Feb 24, 2014)
- [Surrogate] Fixed bug preventing local filesystem replacements (file:/// URLs) from being loaded
- [Surrogate] Fixed Surrogate sandbobeing nuked and causing many web pages to break
- Fixed various bookmarklet emulation regressions caused by Firefo24 compatibility efforts (thanks porl for reporting)
- [L10n] Fixed double newline escaping in some localized strings (thanks porl for reporting)
- [Surrogate] Fixed regression: some surrogates not being correctly initialized (thanks barbaz for reporting)
- [Surrogate] Fixed replacements not being parsed as Unicode text
- Fixed listeners and timers in sandboxed non-whitelisted scripts on Gecko 27 and above
- Work-around for Firefo27 and above preventing bookmarklets from attaching event listeners on non-whitelisted pages (thanks porl for reporting)
New in NoScript 2.6.8.15 RC 5 (Feb 22, 2014)
- Fixed various bookmarklet emulation regressions caused by Firefox 24 compatibility efforts (thanks porl for reporting)
- [L10n] Fixed double newline escaping in some localized strings (thanks porl for reporting)
New in NoScript 2.6.8.15 RC 4 (Feb 18, 2014)
- [Surrogate] Fixed regression: some surrogates not being correctly initialized (thanks barbaz for reporting)
New in NoScript 2.6.8.15 RC 3 (Feb 14, 2014)
- [Surrogate] Fixed replacements not being parsed as Unicode text
New in NoScript 2.6.8.15 RC 2 (Feb 13, 2014)
- Fixed listeners and timers in sandboxed non-whitelisted scripts on Gecko 27 and above
New in NoScript 2.6.8.15 RC 1 (Feb 12, 2014)
- Work-around for Firefox 27 and above preventing bookmarklets from attaching event listeners on non-whitelisted pages (thanks porl for reporting)
New in NoScript 2.6.8.14 (Feb 12, 2014)
- Fixed bookmarklet execution disabling JavaScript on whitelisted pages (Firefox >= 29, thanks vsemozhetbyt for reporting mozbug 970445)
- [ABE] Improved compatibility with .local domains (thanks func0der for reporting)
New in NoScript 2.6.8.14 RC 1 (Jan 28, 2014)
- [ABE] Improved compatibility with .local domains (thanks func0der for reporting)
New in NoScript 2.6.8.13 (Jan 22, 2014)
- Restored z-order mobility for options dialog on Linux (thanks barbaz for RFE)
- Moved ClearClick options into their own "Advanced" sub-tab (thanks Thrawn for RFE)
- Minor options dialog tweakings
- Removed External Filters options panel
- The option dialog is non-modal and recycled now (thanks barbaz for RFE)
New in NoScript 2.6.8.13 RC 2 (Jan 20, 2014)
- Moved ClearClick options into their own "Advanced" sub-tab (thanks Thrawn for RFE)
- Minor options dialog tweakings
- Removed External Filters options panel
New in NoScript 2.6.8.12 (Jan 16, 2014)
- Improved work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=958962
- [Surrogate] Prevent blank ModPagespeed-patched pages when meta refresh inside NOSCRIPT elements is blocked (thanks thunderscript and barbaz)
- Fixed one-time this.getSite() error on startup
- Browser Console support
- [Locale] Updated fr (thanks Jack Black)
- Fixed feed reader broken on non-whitelisted sites in non-stable Firefox (thanks LouCypher for reporting)
New in NoScript 2.6.8.12 RC 4 (Jan 14, 2014)
- Improved work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=958962
- [Surrogate] Prevent blank ModPagespeed-patched pages when meta refresh inside NOSCRIPT elements is blocked (thanks thunderscript and barbaz)
New in NoScript 2.6.8.12 RC 3 (Jan 14, 2014)
- Work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=958962
New in NoScript 2.6.8.12 RC 2 (Jan 13, 2014)
- Fixed one-time this.getSite() error on startup
- Browser Console support
New in NoScript 2.6.8.12 RC 1 (Jan 11, 2014)
- Fixed feed reader broken on non-whitelisted sites in non-stable Firefox (thanks LouCypher for reporting)
New in NoScript 2.6.8.11 (Jan 9, 2014)
- [XSS] Fixed nested URL parsing optimization bug (thanks Masato Kinugawa for reporting)
- [XSS] Abort, rather than filter, potential charset-based attacks ( thanks Masato Kinugawa for reporting)
- [XSS] Improved Ebay compatibility (thanks Markus Wienand for reporting)
- [XSS] Fixed bad charset check regression from rc6 (thanks Masato Kinugawa for reporting)
- [XSS] Fixed bad charset checks not honoring exceptions (thanks Masato Kinugawa for reporting)
- Adopted the Components.utils.blockScriptForGlobal() API where possible
- [XSS] Further improvements in recursive link checks (thanks Masato Kinugawa for reporting)
- [XSS] Better checks for combined data/javascript URIs (thanks Masato Kinugawa for reporting)
- [XSS] Restored fuzzy HTML sniffing in nested data URI (thanks Masato Kinugawa for reporting)
- [XSS] Improved data URI checks (thanks Masato Kinugawa for reporting)
- [XSS] Enhanced recursive link checks (Thanks PK Cano for reporting)
- [XSS] Stricter HTML checks on second-order data URI injections exactly fitting whole URL attributes (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.11 RC 9 (Jan 7, 2014)
- [XSS] Fixed nested URL parsing optimization bug
New in NoScript 2.6.8.11 RC 8 (Jan 7, 2014)
- [XSS] Abort, rather than filter, potential charset-based attacks (thanks Masato Kinugawa for reporting)
- [XSS] Improved Ebay compatibility (thanks Markus Wienand for reporting)
New in NoScript 2.6.8.11 RC 7 (Jan 6, 2014)
- [XSS] Fixed bad charset check regression from rc6 (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.11 RC 6 (Jan 6, 2014)
- [XSS] Fixed bad charset checks not honoring exceptions (thanks Masato Kinugawa for reporting)
- Adopted the Components.utils.blockScriptForGlobal() API where possible
New in NoScript 2.6.8.11 RC 5 (Jan 6, 2014)
- [XSS] Further improvements in recursive link checks (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.11 RC 4 (Jan 4, 2014)
- [XSS] Better checks for combined data/javascript URIs (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.11 RC 3 (Jan 4, 2014)
- [XSS] Restored fuzzy HTML sniffing in nested data URI (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.11 RC 2 (Jan 3, 2014)
- [XSS] Improved data URI checks (thanks Masato Kinugawa for reporting)
- [XSS] Enhanced recursive link checks (Thanks PK Cano for reporting)
New in NoScript 2.6.8.11 RC 1 (Jan 3, 2014)
- [XSS] Stricter HTML checks on second-order data URI injections exactly fitting whole URL attributes (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.10 (Jan 3, 2014)
- [XSS] Fixed regression causing Google Talk false positive (thanks Stuart Young for report)
- Made about:srcdoc placeholder URL for seamless iframes "mandatory" to reflect its actual permissions status (thanks barbaz for RFE)
New in NoScript 2.6.8.9 (Dec 30, 2013)
- [XSS] Stricter HTML checks (thanks Masato Kinugawa for reporting)
- [ClearClick] Exception to cope with Youtube's Google+ comments
- [XSS] Better data: URI detection (thanks Masato Kinugawa for reporting)
- [XSS] Improved pure HTML checks (thanks Masato Kinugawa for reporting)
- [XSS] Fixed InjectionChecker tolerance bug (thanks Masato Kinugawa for reporting)
- [XSS] Improved sanitization
New in NoScript 2.6.8.9 RC 3 (Dec 28, 2013)
- [XSS] Improved pure HTML checks (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.9 RC 2 (Dec 27, 2013)
- [XSS] Better fix for InjectionChecker tolerance bug (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.8.8 RC 2 (Dec 17, 2013)
- Enforce docShell-based script blocking for Gecko > 28
New in NoScript 2.6.8.8 RC 1 (Dec 11, 2013)
- [Surrogate] addthis.com widget emulation (thanks Mathnerd314)
New in NoScript 2.6.8.7 RC 4 (Nov 30, 2013)
- Fixed performance regression in request identity tracking
New in NoScript 2.6.8.7 RC 3 (Nov 30, 2013)
- Protection against new SQLXSSI obfuscation techinques
New in NoScript 2.6.8.7 RC 2 (Nov 28, 2013)
- Fixed noscript.allowedMimeRegExp ignoring the FONT pseudo-type take 2 (thanks barbaz for reporting)
New in NoScript 2.6.8.7 RC 1 (Nov 28, 2013)
- Fixed noscript.allowedMimeRegExp ignoring the FONT pseudo-type (thanks barbaz for reporting)
New in NoScript 2.6.8.6 (Nov 28, 2013)
- Fixed bugs in noscript.allowedMimeRegExp support (thanks barbaz for reporting)
- [ABE] Fixed increased asynchronicity in Gecko's network processing causing intermittent failures (thanks barbaz and al_9x for reporting)
- [Surrogate] Fixed bug in asynchronous Google Analytics API emulation (thanks Lucas Malor for reporting)
- Fixed missing icon for blocked objects when no script is present in the page and scrips are globally allowed
New in NoScript 2.6.8.6 RC 1 (Nov 18, 2013)
- [Surrogate] Fixed bug in asynchronous Google Analytics API emulation (thanks Lucas Malor for reporting)
- Fixed missing icon for blocked objects when no script is present in the page and scrips are globally allowed
New in NoScript 2.6.8.5 (Nov 8, 2013)
- [ClearClick] Fixed empty contentEditable elements cannot receive keyboard events in cross-site frames (breaking latest Youtube comments)
- [XSS] Fixed false positive on redirected script inclusions (breaking Stripe payments on Humblebundle, thanks ableeker for reporting)
- [Surrogate] Better GA, GAPI, Twitter and Facebook compatibility
New in NoScript 2.6.8.5 RC 1 (Oct 31, 2013)
- [Surrogate] Better GA, GAPI, Twitter and Facebook compatibility
New in NoScript 2.6.8.4 (Oct 24, 2013)
- Fixed shortcut bookmarklet execution requiring noscript.allowURLBarJS preference to be true on Firefox 25 beta
- [Surrogate] Better emulation of for Google Analytics asynchronous tracking (for instance, fixes GMail's "Sign in" link)
- [ClearClick] Fixed exception being thrown on Firefox 27 alpha (Nightly)
- Fixed URL bar enhancements broken by Firefox 25 beta
- Fixed SetVariable/GetVariable failing on dynamically created Flash elements, e.g. with SFWObject
New in NoScript 2.6.8.4 RC 3 (Oct 24, 2013)
- Fixed shortcut bookmarklet execution requiring noscript.allowURLBarJS preference to be true on Firefox 25 beta (thanks ivank for report)
New in NoScript 2.6.8.4 RC 2 (Oct 24, 2013)
- [Surrogate] Better emulation of for Google Analytics asynchronous tracking (for instance, fixes GMail's "Sign in" link)
- [ClearClick] Fixed exception being thrown on Firefox 27 alpha (Nightly)
- Fixed URL bar enhancements broken by Firefox 25 beta
New in NoScript 2.6.8.4 RC 1 (Oct 16, 2013)
- Fixed SetVariable/GetVariable failing on dynamically created Flash elements, e.g. with SFWObject.
New in NoScript 2.6.8.3 (Oct 15, 2013)
- Fixed complex bookmarklet execution requiring synchronous XHR in a content policy callback
- Fixed full-page plugins failed activation until the page is reloaded
- Fixed full-page HTML5 media failing to play after activation until the page is reloaded
New in NoScript 2.6.8.3 RC 3 (Oct 14, 2013)
- Fixed complex bookmarklet execution requiring synchronous XHR in a content policy callback
New in NoScript 2.6.8.2 (Oct 12, 2013)
- Fixed request methods different than POST being turned into GET by internal channel redirection when the DNS entry is not cached yet
- Fixed regression from CTP fix: some kinds of embedded objects being displayed, even though in disabled state, along with placeholders
New in NoScript 2.6.8.3 RC 2 (Oct 12, 2013)
- Fixed full-page plugins failed activation until the page is reloaded
New in NoScript 2.6.8.3 RC 1 (Oct 12, 2013)
- Fixed full-page HTML5 media failing to play after activation until the page is reloaded.
New in NoScript 2.6.8.2 RC 1 (Sep 21, 2013)
- Fixed regression from CTP fix: some kinds of embedded objects being displayed, even though in disabled state, along with placeholders
New in NoScript 2.6.8.1 (Sep 21, 2013)
- Added to the default whitelist some CDN subdomains dedicated to serve popular open source JS libraries (thanks t3g for RFE)
- Fixed notification box issues with Seamonkey (thanks barbaz)
- Work-around for broken CTP notifications (bug 903675)
- Work-around for Youtube comments XSS false (?) positive
- [Locale] Updated fr (thanks Jack Black)
New in NoScript 2.6.7.1 (Aug 15, 2013)
- [XSS] Fixed false positive on GMail when opening the Google Docs file picker
- [XSS] Fixed parameter elision bug
- Protection against another variant of error-based SQLXSSI
New in NoScript 2.6.7.1 RC 1 (Aug 8, 2013)
- Protection against two new specific variants of SQLXSSI
New in NoScript 2.6.7 (Aug 8, 2013)
- Fixed HTML 5 media content types not blocked when loaded as top-level documents (thanks al_9x for reporting)
- [XSS] Fixed bug in SQLXSSI detection (thanks Alex Inführ for reporting)
- Fixed resources from resource: origin (such as PDF.js fonts) being unnecessarily blocked in restrictive embed blocking mode
- Removed "ReferenceError: PolicyState is not defined" message appearing sometimes in the console dump on startup
- Fixed scrollbars removed in frames activated from placeholder (thanks al_9x for reporting)
New in NoScript 2.6.7 RC 2 (Aug 7, 2013)
- Removed further "ReferenceError: PolicyState is not defined" messages
- [XSS] Fixed bug in SQLXSSI detection (thanks Alex Inführ for reporting)
New in NoScript 2.6.7 RC 1 (Aug 6, 2013)
- Fixed resources from resource: origin (such as PDF.js fonts) being unnecessarily blocked in restrictive embed blocking mode
- Removed "ReferenceError: PolicyState is not defined" message appearing sometimes in the console dump on startup
- Fixed scrollbars removed in frames activated from placeholder
New in NoScript 2.6.6.9 (Jul 22, 2013)
- [XSS] Added several experimental / unofficial markup atoms to the build-time matcher generator (thanks .mario for reporting)
New in NoScript 2.6.6.9 RC 1 (Jul 22, 2013)
- [XSS] Added several experimental / unofficial markup atoms to the build-time matcher generator.
New in NoScript 2.6.6.8 (Jul 8, 2013)
- [XSS] Protection against filter evasion exploiting Adobe Flash URL parsing and charset handling bugs (thanks Soroush Dalili for reporting)
New in NoScript 2.6.6.8 RC 1 (Jul 6, 2013)
- [XSS] Protection against filter evasion exploiting Adobe Flash URL parsing and charset handling bugs (thanks Soroush Dalili for reporting)
New in NoScript 2.6.6.7 (Jul 3, 2013)
- Fixed ClearClick triggered by recently changed browser built-in Click To Play placeholders (bug 889228)
- [Locale] Updated Czech
New in NoScript 2.6.6.6 (Jun 11, 2013)
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with the WebGL pseudo type (thanks Thrawn for RFE)
New in NoScript 2.6.6.6 RC 1 (Jun 10, 2013)
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with the WebGL pseudo type
New in NoScript 2.6.6.5 (Jun 10, 2013)
- Better fix for Nightly breakages
New in NoScript 2.6.6.4 (Jun 10, 2013)
- Fixed some recent breakages on Nightly
New in NoScript 2.6.6.3 (Jun 10, 2013)
- Improved "fixable" JavaScript links detection (thanks asdf for RFE)
New in NoScript 2.6.6.3 RC 1 (May 29, 2013)
- Improved "fixable" JavaScript links detection (thanks asdf for RFE)
New in NoScript 2.6.6.2 (May 17, 2013)
- Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
- Improved placeholder management for full-document plugin content, e.g. makes Youtube embeddings more usable on Facebook
New in NoScript 2.6.6.2 RC 1 (May 7, 2013)
- Improved placeholder management for full-document plugin content, e.g. makes Youtube embeddings more usable on Facebook
New in NoScript 2.6.6.1 (Apr 30, 2013)
- Fixed backward compatibility issue with recent channel cloning changes
- [XSS] Compatibility with certain redirector URL patterns (thanks Stephen Faherty for reporting)
- [ABE] Fixed letest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
- [Locale] Updated Esperanto (thanks Michael Wolf)
- [Locale] Updated Upper Serbian (thanks Michael Wolf)
New in NoScript 2.6.6.1 RC 1 (Apr 24, 2013)
- [ABE] Fixed latest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
- [Locale] Updated Esperanto (thanks Michael Wolf)
- [Locale] Updated Upper Serbian (thanks Michael Wolf)
New in NoScript 2.6.6 (Apr 4, 2013)
- Added per-window private browsing support to some background requests
- Improved channel cloning for internal redirections
- Added further Microsoft mail services dependencies to the default whitelist
- [XSS] Fixed character class bug (thanks Masato Kinugawa for reporting)
- [XSS] Fixed potential jQuery-based injection (thanks Masato Kinugawa for reporting)
- Improved handling of some moz-null principal instances in ABE requests (thanks Thrawn for reporting)
- New 360Haven surrogate lets the site work with 1st party scripts allowed and ads/tracker scripts forbidden
New in NoScript 2.6.6 RC 4 (Mar 21, 2013)
- [XSS] Fixed character class bug
New in NoScript 2.6.6 RC 3 (Mar 21, 2013)
- [XSS] Fixed potential jQuery-based injection (thanks Masato Kinugawa for reporting)
New in NoScript 2.6.6 RC 2 (Mar 20, 2013)
- Improved handling of some moz-null principal instances in ABE requests (thanks Thrawn for reporting)
New in NoScript 2.6.6 RC 1 (Mar 18, 2013)
- New 360Haven surrogate lets the site work with 1st party scripts allowed and ads/tracker scripts forbidden
New in NoScript 2.6.5.9 (Mar 12, 2013)
- Fixed outlook.com UI broken in Nightly by work-around for bug 677050
- Removed STS support for Gecko >= 4, which provides built-in HSTS
- Work around for multiple object creation causing UI inconsistencies
- [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource()
New in NoScript 2.6.5.9 RC 2 (Mar 11, 2013)
- Removed STS support for Gecko >= 4, which provides built-in HSTS
- Work around for multiple object creation causing UI inconsistencies (thanks al_9x for reporting)
New in NoScript 2.6.5.9 RC 1 (Mar 1, 2013)
- [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource()
New in NoScript 2.6.5.8 (Feb 26, 2013)
- Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
- "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
- "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
- Inclusion type checks exception for yandex.st
- [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments (thanks RAJAH235 for reporting)
New in NoScript 2.6.5.8 RC 3 (Feb 22, 2013)
- Fixed Google Analytics cross-site checks breaking GMail composition window
New in NoScript 2.6.5.8 RC 2 (Feb 21, 2013)
- Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
- "Mark as untrusted" button on the site info page
- "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
- Inclusion type checks exception for yandex.st
New in NoScript 2.6.5.8 RC 1 (Feb 20, 2013)
- [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments (thanks RAJAH235 for reporting)
New in NoScript 2.6.5.7 (Feb 19, 2013)
- Made "Yes, remove all protections" the default button in the removal warning dialog
- [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
- [XSS] Removed host redirection chance on XSS-vulnerable pages
New in NoScript 2.6.5.7 RC 1 (Feb 14, 2013)
- Fixed post-response encoding checks applied to UTF-8 pages too
- Removed host redirection chance on XSS-vulnerable pages
New in NoScript 2.6.5.6 (Feb 12, 2013)
- [XSS] Smarter syntax check optimization, removes harmful side effect
New in NoScript 2.6.5.5 (Feb 12, 2013)
- [XSS] Fixed bug in broken string literals balancing
New in NoScript 2.6.5.4 (Feb 12, 2013)
- [XSS] Obfuscated string literals detection
New in NoScript 2.6.5.3 (Feb 12, 2013)
- [XSS] Improved parsing while decoding mixed-charset encoded URLs
- [XSS] Better decoding of maliciously mixed-charset encoded strings
New in NoScript 2.6.5.2 (Feb 8, 2013)
- [XSS] Work-around for a Gecko race condition allowing some script-enabled attackers to make the charset-mismatch checks abort prematurely.
New in NoScript 2.6.5.1 (Feb 6, 2013)
- [XSS] Forced unicode conversions more resilient to invalid input
New in NoScript 2.6.4.4 (Jan 29, 2013)
- Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
- [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method
- Allow/Forbid button on the site info page
New in NoScript 2.6.4.4 RC 3 (Jan 27, 2013)
- Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
New in NoScript 2.6.4.4 RC 2 (Jan 23, 2013)
- [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method
New in NoScript 2.6.4.4 RC 1 (Jan 18, 2013)
- Allow/Forbid button on the site info page.
New in NoScript 2.6.4.3 (Jan 15, 2013)
- [Surrogate] Less aggressive but more compatible adf.ly surrogate (it automatically skips ad but requires scripts enabled on adf.ly)
- Fixed whitelist listbocouldn't be fully selected by CTRL+A in recent
- Firefoversions (thanks Guardian for reporting)
- [Surrogate] dimtus.com scriptless automatic image revelation
- [Surrogate] imageteam.org scriptless automatic image revelation
- [External Filters] Fixed cache API compatibility issue
New in NoScript 2.6.4.3 RC 1 (Jan 4, 2013)
- [Surrogate] dimtus.com scriptless automatic image revelation
- [Surrogate] imageteam.org scriptless automatic image revelation
- [External Filters] Fixed cache API compatibility issue
New in NoScript 2.6.4.2 (Dec 28, 2012)
- ClearClick] Fixed miscalculations in screenshot comparison
- Fixed wrong placeholder position for standalone HTML 5 video content
- "Appearance" option to hide the "About NoScript" menu item
- Deny loading of any empty Flash object
- Fixed HSB locale (thanks Michael Wolf)
- Fixed forced HTTPS breaks redirects on Firefox >= 18
- Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes
- Fixed broken early HTTP observer on Firefox >= 18
- xFixed anti-popunder surrogate breaking BFCache
New in NoScript 2.6.4.2 RC 5 (Dec 23, 2012)
- Fixed wrong plaecholder position for standalone HTML 5 video content.
New in NoScript 2.6.4.2 RC 4 (Dec 22, 2012)
- "Appearance" option to hide the "About NoScript" menu item
- Deny loading of any empty Flash object
- Fixed HSB locale
New in NoScript 2.6.4.2 RC 3 (Dec 21, 2012)
- Fixed forced HTTPS breaks redirects on Firefox >= 18
- Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes
New in NoScript 2.6.4.2 RC 2 (Dec 18, 2012)
- Fixed broken early HTTP observer on Firefox >= 18
New in NoScript 2.6.4.1 (Dec 18, 2012)
- Fixed new placeholder close button being hidden on some Youtube pages
New in NoScript 2.6.4 (Dec 17, 2012)
- [XSS] Improved compatibility with Twitter's cross-site requests
- Close button on embedding placeholder (like using shift+click on the placeholder itself). Shift clicking the close button bypasses it.
- Fixed placeholders intercepting clicks from overlaid elements
- Fixed unbound embed enablement confirmation dialog size
New in NoScript 2.6.4 RC 1 (Dec 14, 2012)
- Fixed unbound embed enablement confirmation dialog size.
New in NoScript 2.6.3 (Dec 4, 2012)
- [XSS] Further tweaks to reduce false positives
- [XSS] The "maybe JS" step now removes leading parens, reducing false positives e.g. on Picasa
- [Surrogate] Work-around for anti-popunder surrogate causing Ebay to recreate phantom cookies on page unload
- Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus) breaking bookmarlets and URL bar Javascript support after being updated for Firefox 17
- Removed some console noise
- [Surrogate] Updated adf.ly surrogate to work with new links
New in NoScript 2.6.3 RC 4 (Dec 1, 2012)
- [XSS] Further tweaks to reduce false positives
New in NoScript 2.6.2 (Dec 1, 2012)
- Fixed Google links anonymizer surrogate interfering with the "Search
- tools" button
- Fixed impossible to copy lines from Console² if opened by NoScript
- [XSS] Exception for wpcomwidgets.com safe inclusions
- Slightly reduced About box width
New in NoScript 2.6.2 RC 4 (Nov 28, 2012)
- [XSS] Further tweaks to reduce false positives
New in NoScript 2.6.2 RC 3 (Nov 27, 2012)
- [XSS] The "maybe JS" step now removes leading parens, reducing false positives e.g. on Picasa
New in NoScript 2.6.2 RC 2 (Nov 22, 2012)
- Fixed Google links anonymizer surrogate interfering with the "Search tools" button
New in NoScript 2.6.2 RC 1 (Nov 19, 2012)
- Fixed impossible to copy lines from Console� if opened by NoScript
- [XSS] Exception for wpcomwidgets.com safe inclusions
- Slightly reduced About box width
New in NoScript 2.6.1 (Nov 13, 2012)
- [XSS] Better compatibility with Ebay's saved searches
- [Surrogate] Imagebax.com scriptless ads skipping redirection
- Fixed first non-cached page load in a session from about:newtab failing
- Removed legacy XUL script blocking code
- Added optional diagnostic to centralized channel aborting
- Fixed bug in Java URLs resolution
New in NoScript 2.6.1 RC 1 (Nov 6, 2012)
- Fixed bug in Java URLs resolution
New in NoScript 2.6 (Nov 2, 2012)
- Improved long URL wrapping for more manageable plugin placeholder tooltips
- Fixed ABE notifications bleeding out of the viewport when very long URLs are involved
- [Surrogate] More efficient deferred script loading and syntacheck,
- saves memory and startup time from unused surrogates
- [Surrogate] Picbucks.com scriptless ads skipping redirection
- [Surrogate] Imagebunk.com scriptless image revealing
- [Surrogate] Picsee.net scriptless image revealing
- Added navigator.doNotTrack property support
New in NoScript 2.6 RC 2 (Nov 2, 2012)
- [Surrogate] More efficient deferred script loading and syntax check, saves memory and startup time from unused surrogates
- [Surrogate] Picbucks.com scriptless ads skipping redirection
- [Surrogate] Imagebunk.com scriptless image revealing
- [Surrogate] Picsee.net scriptless image revealing
New in NoScript 2.6 RC 1 (Oct 30, 2012)
- Added navigator.doNotTrack property support
New in NoScript 2.5.9 (Oct 26, 2012)
- Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content allowed) to the default whitelist (required by MS mail services)
- [XSS] Removed false positive on some Google Gadgets; the work-around can be disabled by setting the noscript.filterXExceptions.ggadgets about:config preference to false
- Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with FRAMEs and IFRAMEs as well
- Fixed redirections involving sites marked as untrusted causing inconsistencies in page permissions, with JavaScript being blocked even if the site is whitelisted x Fixed regression on older Gecko versions causing NoScript to believe the browser is proxied when it's not
New in NoScript 2.5.9 RC 3 (Oct 25, 2012)
- Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content allowed) to the default whitelist (required by MS mail services)
- [XSS] Removed false positive on some Google Gadgets; the work-around can be disabled by setting the noscript.filterXExceptions.ggadgets about:config preference to false
New in NoScript 2.5.9 RC 2 (Oct 20, 2012)
- Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference
- Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with FRAMEs and IFRAMEs as well
- Fixed redirections involving sites marked as untrusted causing inconsistencies in page permissions, with JavaScript being blocked even if the site is whitelisted
New in NoScript 2.5.9 RC 1 (Oct 19, 2012)
- Fixed regression on older Gecko versions causing NoScript to believe the browser is proxied when it's not.
New in NoScript 2.5.8 (Oct 18, 2012)
- Work-around for unique origins being assigned to URL bar loads by Gecko 16 and above interfering with some ABE rules
- Work-around for bug 797684 patch causing ABE's Sandbox action to fail
- Work-around for regression from Mozilla bug 797684 fix causing frames not to be blocked correctly in recent >= 18 builds
- Slightly revised About box to make more room for contributors
New in NoScript 2.5.8 RC 1 (Oct 15, 2012)
- Work-around for regression from Mozilla bug 797684 fix causing frames not to be blocked correctly in recent >= 18 builds
- Slightly revised About box to make more room for contributors
New in NoScript 2.5.7 (Oct 6, 2012)
- Fixed synchronous timeout emulation ordering bug in bookmarklet execution on scriptless pages
- [XSS] Fixed comment preprocessing optimization affecting free JavaScript detection
- [XSS] Fixed second order data: URLs sanitization issue, Fixed meta refresh blocker notification bar broken on Gecko < 4Fixed iframe placeholder positioning issue
- Fixed regression in placeholder positioning
- [ClearClick] Fixed false positive on cross-site SVG document embeddings
New in NoScript 2.5.7 RC 4 (Oct 5, 2012)
- [XSS] Fixed comment preprocessing optimization affecting free JavaScript detection.
- [XSS] Fixed second order data: URLs sanitization issue.
New in NoScript 2.5.7 RC 3 (Oct 1, 2012)
- Fixed meta refresh blocker notification bar broken on Gecko < 4
- Fixed iframe placeholder positioning issue
New in NoScript 2.5.7 RC 2 (Sep 28, 2012)
- Fixed regression in placeholder positioning
New in NoScript 2.5.7 RC 1 (Sep 26, 2012)
- [ClearClick] Fixed false positive on cross-site SVG document embeddings
New in NoScript 2.5.6 RC 1 (Sep 24, 2012)
- Force placeholders to frontmost position e.g. on HTML 5 Youtube content
- New icon for blocked embeddings on globally allowed pages
New in NoScript 2.5.5 (Sep 13, 2012)
- More reliable Java applet origin identification
- Cross-browser work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=789773
New in NoScript 2.5.5 RC 1 (Sep 12, 2012)
- More reliable Java applet origin identification
- Work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=789773
New in NoScript 2.5.4 (Sep 5, 2012)
- Fixed HTTP checks not being skipped anymore for some chrome-generated XMLHttpRequest requests because of a Gecko 15 change
- Work-around for cloned DOM nodes not retaining additional
- chrome-attached information anymore, thus breaking placeholders in some cases
- Fixed placeholder post-enablement event channeling broken by Sandbox changes
- Fixed placeholder sizes messed up by changes in Gecko 17
- Work-around for broken content policy call for Java plugin on Gecko 17 and above
New in NoScript 2.5.4 RC 2 (Sep 3, 2012)
- Fixed meta-refresh emulation regression in Gecko 16 and below
New in NoScript 2.5.3 (Aug 28, 2012)
- [XSS] Fixed false positives on URLs containing an ASP.NET cookieless session identifier
- noscript.eraseFloatingElements about:config preference to switch the mousedown + del key floating popup erasing feature off and on
- Limited the mousedown + del key floating popup erasing feature to pages where scripts are forbidden and to absolute or fixed position elements
- Fixed JavaScript URL non-void expression evaluation in the URL bar causing scripts to get globally allowed
- [XSS] Work-around for a Gecko URL parsing quirk
New in NoScript 2.5.3 RC 3 (Aug 27, 2012)
- noscript.eraseFloatingElements about:config preference to switch the mousedown + del key floating popup erasing feature off and on
- Limited the mousedown + del key floating popup erasing feature to pages where scripts are forbidden and to absolute or fixed position elements
New in NoScript 2.5.2 (Aug 23, 2012)
- [ClearClick] Improved protection against clickjacking timing attacks
- Fine tuned floating div (in-page popup) removal by locking it to the nearest positioned ancestor and wallowing the mouseup event if the DEL key has been hit after last mousedown
New in NoScript 2.5.2 RC 1 (Aug 16, 2012)
- Fine tuned floating div (in-page popup) removal by locking it to the nearest positioned ancestor and swallowing the mouseup event if the DEL key has been hit after last mousedown
New in NoScript 2.5.1 (Aug 16, 2012)
- Holding the left mouse button down on a page element and hitting the DEL key will remove it (useful to forcibly kill in-page popups when scripts are disabled)
- Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java globals have been removed from the DOM
- [XSS] Work-around for Mozilla TBPL DOS
- Fixed Silverlight and Flash scripted initialization patches being broken by recent JavaScript interpreter changes
- Work-around for hp-ww.com misconfiguration (JavaScript files served with bogus content-type header)
New in NoScript 2.5.1 RC 1 (Aug 3, 2012)
- Work-around for hp-ww.com misconfiguration (JavaScript files served with bogus content-type header)
New in NoScript 2.5 (Jul 30, 2012)
- [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
- Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height
- [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
- Fixed placeholders for absolutely positioned elements may cause layout
- glitches
- Fixed interaction with built-in Firefox's click-to-play causing infinite object activation loop
New in NoScript 2.5 RC 6 (Jul 30, 2012)
- [XSS] Further reduction in false positives triggered by XML payloads
New in NoScript 2.5 RC 2 (Jul 24, 2012)
- Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height
- Fixed placeholders for absolutely positioned elements may cause layout glitches
New in NoScript 2.5 RC 1 (Jul 23, 2012)
- Fixed interaction with built-in Firefox's click-to-play causing infinite object activation loop.
New in NoScript 2.4.9 RC 2 (Jul 21, 2012)
- Added ability to replace obsolete default whitelist entries
- Replaced browserid.org with persona.org in the default whitelist
- Improved anti-DOS protection
- Better usability with some HTML5 Youtube videos
- Reverted to the ctrl+shift+S main keyboard shortcut
- [XSS] Fixed XML preprocessing breaking detection of some E4X constructs
New in NoScript 2.4.9 RC 1 (Jul 17, 2012)
- [XSS] Protection against error-based SQLI with a XSS payload
New in NoScript 2.4.8 (Jul 11, 2012)
- Work-around for Mozilla bug 771655 (broken debugger)
- Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is taken by the debugger
- Fixed feed: and pcast: URLs not being unwrapped in some checks
- Removed assumptions of a body element from some code paths which may handle generic XML documents
New in NoScript 2.4.8 RC 1 (Jul 6, 2012)
- Fixed feed: and pcast: URLs not being unwrapped in some checks
- Removed assumptions of a body element from some code paths which may handle generic XML documents
New in NoScript 2.4.7 (Jun 29, 2012)
- [ClearClick] Fixed Tumblr widgets false positive
- [XSS] Fixed false positive with some Base64-encoded Yahoo News subrequests
- Fixed regression, noscript.allowedMimeRegExp not working anymore for plugins other than Java, Flash and Silverlight
- Auto-anchored multi-valued regexp preferences can now be separated by regular spaces rather than just newlines (this behavior was documented but not actually implemented for noscript.allowedMimeRegExp)
New in NoScript 2.4.6 (Jun 12, 2012)
- [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
- [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
- [XSS] Fixed document.cookie minimal assignment false negative (thanks
- Masato Kinugawa for report)
- [XSS] Fixed dotted query parameter names false positives, affecting
- OpenID, Hotmail and other services (thanks Gavin H for report)
- Fixed some messages being dumped to the console even if logging is
- turned off (thanks marbler for report)
New in NoScript 2.4.5 (Jun 12, 2012)
- [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
- [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
- Dalili and Ahamed Nafeez for reporting)
- [XSS] Improved unconventional assignments detection (thanks Masato
- Kinugawa for report)
- [Locale] Corrected he-IL merge (thanks baryoni)
- [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
- [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
- kind of concatenated assignments (thanks Masato Kinugawa for report)
- [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
- [XSS] More aggressive obsolete charsets filtering (thanks Masato
- Kinugawa for report)
New in NoScript 2.4.4 (Jun 5, 2012)
- Locale] Updated he-IL
- Fixed early synthetic DNS notification causing blank stripe on the bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked
New in NoScript 2.4.4. RC 1 (May 30, 2012)
- Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked.
New in NoScript 2.4.3 (May 28, 2012)
- Fixed JS links detection not resolving JS string escapes
- Fixed HTML 5 parser detection in META refresh processing being broken by a removed browser preference
- Fixed exception raised by inclusion type checks when parent document's URI has no host
- [XSS] Better detection of free inline script injections (without string literal evasion) inside function calls
- The noscript.allowedMimeRegExp preference now applies also to Java, Flash and Silverlight mime types
New in NoScript 2.4.3 RC 2 (May 24, 2012)
- [XSS] Better detection of free inline script injections (without string literal evasion) inside function calls
New in NoScript 2.4.3 RC 1 (May 23, 2012)
- The noscript.allowedMimeRegExp preference now applies also to Java, Flash and Silverlight mime types
New in NoScript 2.4.2 (May 21, 2012)
- [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging to the LAN anymore for the purpose of cross-zone request forgery checks
- in order to safely work-around DNS misconfiguration issues in the wild
- [ABE] Fixed router WEB UI fingerprinting failing on some devices because of redirection loops
- [XSS] Protection against HPP attacks exploiting URL parsing quirks specific to ASP Classic
- Fixed first application updates check failing on Nightly (bug 754393)
- [XSS] Fixed false positive regression on some file hosting sites
New in NoScript 2.4.2 RC 4 (May 18, 2012)
- [XSS] Fixed regression blocking any suspect HPP attack silently
New in NoScript 2.4.2 RC 2 (May 15, 2012)
- Fixed first application updates check failing on Nightly (bug 754393)
New in NoScript 2.4.2 RC 1 (May 14, 2012)
- [XSS] Fixed false positive regression on some file hosting sites.
New in NoScript 2.4.1 RC 3 (May 11, 2012)
- [XSS] Fixed bug in the InjectionChecker tokenization
- Added inclusion type check exception to the lesscss Google Code file repository, often used as a CDN
New in NoScript 2.4.1 RC 2 (May 10, 2012)
- [Surrogate] adagionet.com inclusion surrogate
- Fixed "Allow sites open through bookmarks" regression
New in NoScript 2.4.1 RC 1 (May 7, 2012)
- [XSS] Protection against exploitation of classic MS ASP's coalescing of same-name query parameters
- [XSS] Protection against URL injections in in window.name
- [XSS] Fixed case-sensitivity bug in detection of unicode escape sequences
New in NoScript 2.4 (May 5, 2012)
- [XSS] Improved global exception injection detection
- [XSS] Fixed bug in late window.name payload checking
- [Locale] Fixed broken overlay on Basque localized browsers
New in NoScript 2.4 RC 7 (May 4, 2012)
- [XSS] Improved InjectionChecker detection of in-code multiple insertions
- [XSS] InjectionChecker detection of single assignment evaluation through global exception handling
- [Locale] Fixed broken overlay on Basque localized browsers
New in NoScript 2.4 RC 6 (Apr 30, 2012)
- [Surrogate] Skimlinks surrogate script.
New in NoScript 2.4 RC 1 (Apr 28, 2012)
- [Surrogate] Fixed surrogates broken on Nightly
New in NoScript 2.3.9 (Apr 27, 2012)
- [ClearClick] More tolerant snapshot comparation algorithm (partially backported from NSA) to reduce false positives (tweaked by the noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
- [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in obscuration by windowed lugins checks
- Fixed compatibility regressions on Firefox 3.x
- Following links from the About dialog now closes it (thanks Guardian for suggestions)
- Fixed NOSCRIPT META refreshes blocking not working when scripts are globally allowed (thanks and Ken and Tom T. for reporting)
- [ClearClick] Fixed false positives caused by accelerated graphics with some plugin content
New in NoScript 2.3.9 RC 4 (Apr 26, 2012)
- [ClearClick] Fixed false positives caused by accelerated graphics with some plugin content.
New in NoScript 2.3.9 RC 3 (Apr 23, 2012)
- Fixed compatibility regressions on Firefox 3.x
- Following links from the About dialog now closes it
- Fixed NOSCRIPT META refreshes blocking not working when scripts are globally allowed
New in NoScript 2.3.9 RC 2 (Apr 21, 2012)
- [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in obscuration by windowed plugins checks
New in NoScript 2.3.9 RC 1 (Apr 20, 2012)
- [ClearClick] More tolerant snapshot comparation algorithm (partially backported from NSA) to reduce false positives (tweaked by the noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
New in NoScript 2.3.8 RC 2 (Apr 16, 2012)
- Fixed 2.3.8rc1 regression slowing down flashvars parsing in some cases
- Fixed redirections in legacy frames not being blocked
- [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site
New in NoScript 2.3.8 RC 1 (Apr 15, 2012)
- Smart integration with the new browser-native click to play: if a plugin object is manually allowed from NoScript's UI, it gets also natively activated (noscript.smartClickToPlay about:config preference)
- Improved active content identity tracking, to avoid redundant blocking steps across reloads
New in NoScript 2.3.7 RC 4 / 2.3.6 (Apr 9, 2012)
- [ClearClick] Further refinements in TrafficLight compatibility and "rapid fire" sensitvity.
New in NoScript 2.3.7 RC 4 (Apr 7, 2012)
- [ClearClick] Further "rapid fire" protection sensitivity tweaking.
New in NoScript 2.3.7 RC 3 (Apr 6, 2012)
- [ClearClick] Work-around for "rapid fire" protection interfering with some add-ons, such as 1Password.
New in NoScript 2.3.7 RC 2 (Apr 3, 2012)
- [ClearClick] Compatibility with Bitdefender TrafficLight
New in NoScript 2.3.7 RC 1 (Mar 29, 2012)
- [XSS] Enhanced InjectionChecker tolerance to certain URL patterns containing domain-names as parameter values.
New in NoScript 2.3.6 RC 4 (Mar 27, 2012)
- Restored Nightly compatibility, broken by bug 719154
New in NoScript 2.3.6 RC 1 (Mar 22, 2012)
- [XSS] Fixed false positive with query string patterns mimicking array access.
New in NoScript 2.3.5 (Mar 18, 2012)
- Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail.
- [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes.
- [ClearClick] Better special-casing for same-site embedded objects
- [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs.
- [XSS] Better window.name protection.
- [XSS] Improved detection of javascript: URL injections.
New in NoScript 2.3.5 RC 6 / 2.3.4 (Mar 17, 2012)
- Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail.
New in NoScript 2.3.5 RC 5 (Mar 16, 2012)
- [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes.
New in NoScript 2.3.5 RC 4 (Mar 16, 2012)
- [ClearClick] Better special-casing for same-site embedded objects
New in NoScript 2.3.5 RC 3 (Mar 14, 2012)
- [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs.
New in NoScript 2.3.5 RC 2 (Mar 14, 2012)
- [XSS] Further refinements in the window.name protection features.
New in NoScript 2.3.5 RC 1 (Mar 12, 2012)
- [XSS] Fixed window.name being checked only for JavaScript injections, skipping pure HTML ones
- [XSS] Improved detection of javascript: URL injections
New in NoScript 2.3.4 (Mar 9, 2012)
- [ClearClick] Fixed subtle bug which may lead to infinite loops in some cases
New in NoScript 2.3.2 (Feb 27, 2012)
- [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
- [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding
- [XSS] Added event injection checks for scriptless pages too, in order to
- prevent edge-case execution on permissions change
- [XSS] Fixed InjectionChecker JavaScript scanning bug
- [XSS] Improved HTML detection accuracy
- Better tagging of surrogate sandboxes for about:memory debugging
- Improved glinks surrogate
New in NoScript 2.3.1 (Feb 20, 2012)
- Surrogate to let news pages escape Digg's frame
- [ClearClick] Improved compatibility with cross-frame overlapping shadows
- Removed ClearClick bypass based on a Firefox SVG CSS filter bug
- adf.ly surrogate to automaticaly skip the interstitial page even if scripts are disabled
- Improved Google search surrogates
- New surrogate against Google's scriptless tracking of search results navigation
New in NoScript 2.3 (Feb 11, 2012)
- Fixed about:newtab not considered as a local origin by ABE
- Added blob:, about:memory and about:support to the automatic whitelist
- Added reflected script inclusion check exception for intensedebate.com
- Fixed CSS issues on Gecko 1.8
New in NoScript 2.2.9 (Feb 6, 2012)
- Right click on NoScript menu items copies the site to the clipboard, if any under the pointer, or all the page-related script sources prepended with a status mark: + for whitelisted, - for default, ! for untrusted
- Added browserid.org to the default whitelist
- Improved default whitelist update mechanism
- Fixed some Flash movies failing to load on Nightly
- Fixed incompatibility between surrogates / content augmentations (e.g. toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for reporting
- NoScript won't attempt to load the release notes page if the site is unreachable
New in NoScript 2.2.8 (Jan 25, 2012)
- [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested documents.
New in NoScript 2.2.8 RC 2 (Jan 19, 2012)
- Fixed regression, 2.2.8rc1 swallowing clicks on some nested documents.
New in NoScript 2.2.6 (Jan 13, 2012)
- Fixed sanitization reporting bug
New in NoScript 2.2.5 (Jan 3, 2012)
- [ClearClick] Better compatibility with recent Disqus widget versions
New in NoScript 2.2.4 (Dec 20, 2011)
- Fixed some localizations having newlines replaced with 'n' characters
New in NoScript 2.2.3 RC 4 (Dec 6, 2011)
- Configuration import/export directory is persisted across sessions
New in NoScript 2.2.3 RC 3 (Dec 6, 2011)
- Generalized checks on drag and drop payloads
- [XSS] Tightened checks on reflected javascript: URIs
New in NoScript 2.2.3 RC 2 (Dec 6, 2011)
- [Surrogate] DOMContentLoad listeners on windows (thanks al_9x for RFE)
New in NoScript 2.2.3 RC 1 (Dec 6, 2011)
- [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
- [Surrogate] More homogeneous treatment for file-based surrogates (thanks
- al_9x for RFE)
New in NoScript 2.2.2 RC 4 (Nov 28, 2011)
- Protection against a new XSS technique based on HTML 5 DnD
New in NoScript 2.2.1 (Nov 28, 2011)
- [Locale] Updated he-il (thanks baryoni)
- [ClearClick] Fixed incompatibility with the FoxTab add-on
New in NoScript 2.2 (Nov 16, 2011)
- [ClearClick] Improved protection against Clickjacking on nested windowed Flash targets
New in NoScript 2.1.9 (Nov 11, 2011)
- [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec used instead of "1.8"
New in NoScript 2.1.8 (Nov 4, 2011)
- Improved anti-popunder built-in surrogate
- Fixed object autowiring upon placeholder activation regressed by recent
- surrogate sandboxing changes
New in NoScript 2.1.7 (Oct 24, 2011)
- Fixed subrequests matching an Anon action rule not being shown in
- the logs if already anonymized by the browser
New in NoScript 2.1.5 (Oct 17, 2011)
- Improved object wiring emulation on placeholder activation (thanks al_9x
- for report and code
New in NoScript 2.1.4 RC 2 (Oct 3, 2011)
- Fixed speculative parsing causing inclusion surrogates to be executed twice.
New in NoScript 2.1.3 (Sep 26, 2011)
- [Surrogate] Disqus surrogate to fix misplaced placeholder (thanks al_9x
- for code)
- [L10n] Bengali (thanks svarnava)
- Fixed missing placeholder for hidden embeddings (thanks royallin for
- reporting)
New in NoScript 2.1.2.8 RC 1 (Sep 8, 2011)
- Google Plus One surrogate (thanks al_9x for code)
- Removed t.co surrogate, since Twitter implemented a NOSCRIPT fallback
New in NoScript 2.1.2.7 (Sep 8, 2011)
- Better load progress feedback for hosts which are not DNS-cached yet
New in NoScript 2.1.2.7 RC2 (Aug 19, 2011)
- Fixed OBJECT document inclusions failing under some circumstances.
New in NoScript 2.1.2.7 RC1 (Aug 19, 2011)
- Prevent any website from embedding view-source URIs inside frames
- Firefox 9.0a1 compatibility
New in NoScript 2.1.2.6 (Aug 19, 2011)
- Temporarily disabled anti-anti-adblocker surrogate on any site except those explicitly added to noscript.surrogate.ab.sources preference, as a work-around for bug 677652
- Lazy initialization is deferred also when a file:// URL is loaded as the home page
New in NoScript 2.1.2.5 (Aug 1, 2011)
- Fixed bookmarklets from sidebars not working on JS-disabled pages
- Improved Twitter surrogate for Fx 3.x
New in NoScript 2.1.2.4 rc3 (Jul 20, 2011)
- Fixed url bar regression from rc2
New in NoScript 2.1.2.4 rc1 (Jul 16, 2011)
- Restored compatibility with bit.ly (now bitly.com)
New in NoScript 2.1.2.3 (Jul 15, 2011)
- Refactoring and isolation of the rapid fire protection
New in NoScript 2.1.2 rc3 (Jul 4, 2011)
- Fixed work around for Bug 668690 breaking feed viewer.
New in NoScript 2.1.1.2 rc1 (Jun 12, 2011)
- Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
- noise on trunk after bug 311007 landed.
New in NoScript 2.1.1.1 rc1 (Jun 2, 2011)
- Reduced request garbage collection frequency
New in NoScript 2.1.0.5 (May 21, 2011)
- Fixed recent memory optimizations breaking compatibility with some
- extensions.
New in NoScript 2.1.0.4 rc5 (May 7, 2011)
- Fixed Seamonkey hanging on some pages
New in NoScript 2.1.0.3 (Apr 30, 2011)
- Updated ro
- Restored some locales gone missing in previous dev build
New in NoScript 2.1.0.3 rc2 (Apr 19, 2011)
- Fixed Yahoo Toolbar breaking first browser window if NoScript 2.1.0.2 is
- installed
- Various additional startup optimizations
New in NoScript 2.1.0.2 (Apr 15, 2011)
- Improved XML prescreening
New in NoScript 2.1.0.2 rc2 (Apr 2, 2011)
- Fixed AddressMatcher broken by RegExp changes in latest Minefield (
- thanks linuser for reporting)
New in NoScript 2.0.9.9 (Mar 10, 2011)
- Fixed spaces in ipecho response breaking WAN IP detection with one of
- the mirrors
- Experimental built-in profiler for debugging purposes
New in NoScript 2.0.9.8 (Feb 15, 2011)
- Fixed empty tooltip for embedded placeholder on some RTL pages (thanks
- Saad for reporting)
- Truncate URLs in placeholders tooltips at the the query string or hash,
- to increase readability (thanks anystupidassname for RFE)
- Increased WAN IP checks interval to 1 hour reducing log spam on routers
- Removed some obsolete code
New in NoScript 2.0.9.7 (Feb 2, 2011)
- Fixed status label menu popping up in a wrong position
- Updated locales
New in NoScript 2.0.9.6 (Jan 19, 2011)
- X-Do-Not-Track after a DNS cache miss causing some embedded content
- requests to fail
- Contribution button on the bottom of the Options dialog
New in NoScript 2.0.9.3 (Jan 5, 2011)
- Fixed some cross-site requests containing JSON-like fragments broken
New in NoScript 2.0.9.2 (Jan 3, 2011)
- Fixed forbid META refresh inside NOSCRIPT elements regression
New in NoScript 2.0.8.1 (Dec 14, 2010)
- Fixed new IFRAME-based Youtube embedding method broken on non whitelisted pages with embedding restrictions.
New in NoScript 2.0.8 rc1 (Dec 4, 2010)
- LiveConnect interception time reduced by 10 on Firefo3.6 and by 100 on
- Firefo4 (about 1ms each)
- Restored LiveConnect interception logging (LOG_CONTENT_INTERCEPTI mask)
- Fixed bug in fake redirections code, causing it not to honor the
- redirection limit settings (thanks Peter Eckersley)
- [XSS] Improved SQLXSSI detection accuracy
- Updated revsci surrogate
New in NoScript 2.0.7 (Nov 28, 2010)
- [XSS] Detection and filtering of hexadecimal and binary encoded
- reflected XSS through SQL injection (SQLXSSI), partially found and
- disclosed (raw hexadecimal variant only) by Aditya K Sood
New in NoScript 2.0.5.1 rc1 (Nov 12, 2010)
- Improved LoadGroup integration of the new internal redirection machinery
- for better loading progress feedback.
New in NoScript 2.0.4 (Oct 29, 2010)
- Better logging for the "X-Content-Type-Options: nosniff" activity
- noscript.nosniff about:config preference to control whether enforcing
- "X-Content-Type-Options: nosniff" (true, default) or not (false)
New in NoScript 2.0.3.5 (Oct 18, 2010)
- Fixed right-click on the toolbar button switching permissions
New in NoScript 2.0.3.3 (Oct 4, 2010)
- Changed noscript.forbidIFramesContext about:config preference default to 3 (same base domain) to ensure better usability on complex sites (e.g.new Twitter) for people who's blocking iframes on trusted sites x Optimal sensitivity calibration for Hover UI trigger events
New in NoScript 2.0.3.2 (Sep 21, 2010)
- Work-around for first script element in body of a framed document not being executed unless password manager is enabled on Minefield
- Work-around for surrogates not being executed in frames on Minefield
New in NoScript 2.0.3 (Sep 11, 2010)
- Improved compatibility of the popunder surrogate
- Fixed broken meebo.com detached windows
- Updated it-IT
New in NoScript 2.0.3 rc1/ 2.0.2.5 (Sep 6, 2010)
- [UI] Clickless "on over" opening of the status bar menu, can be disabled
- via noscript.hoverUI about:config preference (thanks safemode for RFE)
- Fixed embedded fonts requiring the page to be allowed, rather than the
- just the object, if embedded in data: URIs (thanks Alexander Konovalenko
- for reporting)
New in NoScript 2.0.2.5 (Sep 4, 2010)
- Further FBML compatibility improvements.
New in NoScript 2.0.2.3 (Aug 20, 2010)
- Fixed optimization bug which may lead to slower checks on specific
- source patterns
New in NoScript 2.0.1 (Aug 9, 2010)
- noscript.abe.localExtras about:config preference can specify net
- resources (space separated IPs and/or subnets) to be considered as
- LOCAL by ABE, in addition to the "regular" private subnetworks and the
- auto-detected WAN IP (thanks ammdispose for suggestion)
- Better compatibility with iframes containing very tiny
- pages (e.g. horizontal Flattr buttons)
- Fixed page-level surrogates not always being executed inside iframes
- (thanks al_9for reporting)
- Fixed XML tags with no attributes which are omonymous of
- "sensitive" HTML tags triggering XSS false positives
New in NoScript 2.0.1 rc1/ 2.0 (Aug 2, 2010)
- Fixed meta redirections being broken sometimes when a NOSCRIPT element
- activation is forced on a JavaScript-enabled page.
New in NoScript 2.0 (Jul 28, 2010)
- Fixed Google thumbs surrogate broken by recent Gecko changes
- Work-around for client(Height|Width) miscalculation
New in NoScript 2.0 rc2 / 1.10 (Jul 15, 2010)
- External filters now receive the object URL as their 4th argument .
New in NoScript 1.9.9.99 (Jul 6, 2010)
- Emergency fix for a page reload bug on Mac OS X causing high processor
- consumption after permission changes.
New in NoScript 1.9.9.98 rc1 (Jun 28, 2010)
- Surrogate for Google Search thumbnails when Google is not whitelisted
- Automatic reload on permission change setting now affects pages containing embeddings which change status too, whose reload can be also forced through the noscript.autoReload.embedders preference:
- 0 - never reload 1 - inherit the noscript.autoReload setting 2 - force reload
- Prevent reload on pages where a 3rd party script changed its permissions status but the top-level is forbidden and unchanged
- Surrogate to use InstallTrigger on AMO even if addons.mozilla.org is not whitelisted
New in NoScript 1.9.9.97 (Jun 25, 2010)
- Fixed ClearClick false positives on F3.5 and below (thanks Deniz Sofu for reporting) Compatibility version bump for Seamokey trunk v 1.9.9.97rc1 Fixed '@' surrogates being ran on scriptless pages Recentering on the parent form for ClearClick checks over a form widget reduces false positives over obstructed frames v 1.9.9.96
- Fixed Script Surrogates activation glitches v 1.9.9.95
- Fixed wrongly sized placeholders on Youtube (regression from rc1) v 1.9.9.95rc2
- More accurated feedback on nested object blocking (thanks al_9for reporting) + External filters command line template updated with request origin as the 3rd argument v 1.9.9.95rc1
- imagebam surrogate kills popups over images and popunders on click + imagehaven surrogate kills popups over images and popunders on click + inserstitialBosurrogate kills interstital on imagevenue.com + "!@" prefixed surrogates run no matter whether scripts are enabled or disabled for the page (in a DOMContentLoaded event handler) Fixed JS redirect handling causing duplicate object placeholders on scriptless pages containing embeddings only Fixed ABE's SELF checks fail on redirects which contain a browser URL v 1.9.9.94
- Fixed bookmarklets support on non-whitelisted pages broken in non-Places browsers like SeaMonkey (thanks therube for reporting) Better icon feedback on page where there's no script element but some plugin content has been blocked v 1.9.9.93
- Fixed ClearClick false positives when RTL content or browser settings put the vertical scrollbar on the left (thanks Mark Callow for report) Fixed setting noscript.checkInjectionType to false did not disable the feature (thanks al_9for report) More accurate embedded object replacement (thanks al_9for report) v 1.9.9.92
- Fixed Places-related bug on Minefield (thanks mpz for reporting) noscript.forbidIFrameContext=3 (allow same base domain) falls back to 2 (allow same domain) if either the parent or the frame is marked as untrusted (thanks al_9for suggestion) v 1.9.9.91
- More compatible docShell reaching, works around some buggy extensions which wrap browser.webNavigation just partially InjectionChecker's XML reduction more compatible with SAML v 1.9.9.90
- Optimal timing for page-level surrogates in frames ClearClick exceptions are considered independently from the JavaScript whitelist as they should More consistent web bugs blocking with forced NOSCRIPT elements, take 2 (thanks al_9for reporting) v 1.9.9.89
- More consistent web bugs blocking with forced NOSCRIPT elements, take 2 (thanks al_9for reporting) More consistent icon feedback with docShell-based cascading JS blocking (thanks al_9for reporting) v 1.9.9.88
- Inclusion type checks try to infer file type from directory-like URLs More consistent web bugs blocking with forced NOSCRIPT elements Fixed object placeholder regressions in Gecko < 1.9 (thanks Rob for reporting) Version compatibility bump to Firefo3.7a6pre
New in NoScript 1.9.9.96 (Jun 24, 2010)
- Fixed Script Surrogates activation glitches v 1.9.9.95
- Fixed wrongly sized placeholders on Youtube (regression from rc1)
New in NoScript 1.9.9.87 (Jun 13, 2010)
- Improved URL parsing in META refresh interception
- Optimized * universal pattern in AddressMatcher
- Better error reporting during the execution of location bar scriptlets
New in NoScript 1.9.9.81 (May 28, 2010)
- Experimental blocking of page refreshes happening inside untrusted unfocused tabs, should provide protection against Aviv Raff's scriptless "tabnabbing" variant. Enabled by default, can be controlled through the noscript.forbidBGRefresh about:config integer preference. Address patterns matching pages which shouldn't be affected can be listed in the noscript.forbidBGRefresh.exceptions preference
- Fixed XSS false positive in new 3.7 add-ons manager
- Fixed meta-refresh URL parsing mismatch
- Fixed import script surrogates being broken by a 1.9.9.79 regression
New in NoScript 1.9.9.80 (May 27, 2010)
- Fixed "Partially allowed scripts" icon shown instead of the "Scripts allowed but some objects blocked" one when the blocked objects' domains are not whitelisted for scripting
- Fixed "Scripts allowed but some objects blocked" icon not being used for blocked web fonts
- (ABE) Deny on INCLUSION don't trigger a notification even if the blocked request is for a subdocument (the blocking is logged in the Console, use SUB if user-facing notification is needed)
- Fixed privileged XMLHttpRequests for untrusted resources being blocked if HTTP redirections occurred
- Better compatibility with IronPort web-based tools
New in NoScript 1.9.9.77 (May 18, 2010)
- ABE INCLUSION (type1, type2, type3...) pseudo-method allows rules to take
- request type (e.g. SCRIPT vs CSS) in account
- ABE SELF (same domain) and SELF+(same base domain) pseudo-origins
- Fixed iconic feedback inconsistencies when untrusted blocked objects
- are mixed with full-trusted content (tanks al_9for reporting)
- Fixed Injection Checker false positives on some kinds of complenested
- URLs (thanks Sirdarckcat for reporting)
- Tweaked ClearClick for Disqus compatibility (thanks John for reporting)
New in NoScript 1.9.9.74 (May 3, 2010)
- Fixed false positive issue with empty cross-site POST request.
New in NoScript 1.9.9.71 (Apr 30, 2010)
- Added "Allowed with untrusted sources and blocked objects" icon
- Fixed minor inconsistencies in new partial allowance feedback icons
New in NoScript 1.9.9.69 (Apr 21, 2010)
- Further compatibility improvements in complex bookmarklets handling.
New in NoScript 1.9.9.63 (Apr 16, 2010)
- Removed ":0" wildcards from NoScript menu in ignorePorts=false mode to prevent confusing behaviors (thanks al_9x for suggestion)
- Embedding-only sites are shown in the Untrusted menu if placeholders are set to be hidden for untrusted embeddings (thanks al_9x for suggestion)
New in NoScript 1.9.9.61 (Apr 6, 2010)
- Fixed InjectionChecker infinite recursion bug on certain requests
- Fixed plugin activation patches not being applied under some
- circumstances
New in NoScript 1.9.9.57 (Mar 20, 2010)
- Fixed feed subscription broken on sites implementing X-Frame-Policy
- Included js.wlxrs.com in default whitelist in order to make Hotmail
- login work out-of-the-box for new users
New in NoScript 1.9.9.50 (Feb 27, 2010)
- Updated ABE grammar to use new AddressMatcher syntactic sugar
- Alert about ABE syntax errors when option dialog gets focused after a
- ruleset editing
New in NoScript 1.9.9.47 (Feb 13, 2010)
- Fixed XSS checks skipped on some reloads
- Improved content placeholder management
- Mobile version bump
New in NoScript 1.9.9.45 (Feb 5, 2010)
- Enhanced compatibility with Paypal encrypted buttons
- Fixed some anti-popunder surrogate incompatibilities
New in NoScript 1.9.9.42 (Jan 28, 2010)
- ClearClick: more efficient code paths specific to Fx 3.6 and above
- Fixed zoom-related ClearClick false positives on Fx 3.6 and above
- Fixed fonts being reported as "unknown" type in Blocked Objects menu
New in NoScript 1.9.9.39 (Jan 21, 2010)
- Fixed quirks mode triggered by surrogate execution on Gecko
New in NoScript 1.9.9.36 (Jan 18, 2010)
- Anti-Popunder surrogate now applies to all HTTP pages by default
- DNS activity logging facility (disabled by default)
- Slight optimization of DNS lookups
- Temptative fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501446
- crasher (thanks timeless)
New in NoScript 1.9.9.30 (Jan 4, 2010)
- Injection Checker compatibility with Livejournal comment posting
- Improved ClearClick compatibility with Facebook applications
New in NoScript 1.9.9.27 (Dec 19, 2009)
- Placeholder enhancements backported to Gecko 1.8.x
- Fixed missing placeholders on Gecko 1.8.x (thanks al9_x for reporting)
New in NoScript 1.9.9.18 (Nov 28, 2009)
- Removed residual compound attribute-based injection chance
New in NoScript 1.9.9.17 (Nov 26, 2009)
- Fixed residual crash issue when favicons need to be redirected to HTTPS
- Enhanced ClearClick compatibility with Photbucket
New in NoScript 1.9.9.14 (Oct 28, 2009)
- Fixed page loading issues (hard to reproduce but reported by many)
New in NoScript 1.9.9.12 (Oct 27, 2009)
- Allowing a plugin object which size is not set reloads the page,
- assuming that scripts are used to size it
- Google Translate SS exception
- ClearClick subexception
- Updated localizations
- Removed current URL leaking into RegEp properties if invisible link
- detection is enabled
- Hijack checks must skip error pages (thanks luntrus for report)
- Fied SS false positive at travelocity.com (thanks Chris Lonsberry)
New in NoScript 1.9.9.11 (Oct 14, 2009)
- Reorganization of the "Embeddings" (FKA "Plugins") options panel
- "Forbid , " option in the "Embeddings" panel
- "Forbid @font-face" option in the "Embeddings" panel
- ClearClick report id made selectable (thanks therube for RFE)
New in NoScript 1.9.9.07 (Oct 6, 2009)
- Improved Google Analytics surrogate, handling form submissions (thanks
- Alan Baxter for report)
New in NoScript 1.9.9.01 (Sep 25, 2009)
- Fixed InjectionChecker micro-injecion scanning bug (thanks Sirdarckcat
- for reporting)
New in NoScript 1.9.8.9 (Sep 24, 2009)
- First public Strict Transport Security implementation, see
- http://hackademix.net/2009/09/23/strict-transport-security-in-noscript/
- Fixed Javascript disabled in about:neterror pages if the broken
- destination page is marked as untrusted (thanks al_9for report)
- Improved HTTPS enforcement, honoring original referer
- Fixed a potential "unresponsive script" InjectionChecker condition
- (thanks Sirdarckcat for reporting)
- Fixed help links not opening from NoScript's UI on Minefield
- Fixed ABE LOCAL symbol matching 172.16.0.0/16 rather than the
- whole 172.16.0.0/12 (thanks Antal for reporting)
New in NoScript 1.9.8.86 (Sep 14, 2009)
- Fixed kongregate.com incompatibility
New in NoScript 1.9.8.85 (Sep 14, 2009)
New in NoScript 1.9.8.8 (Sep 3, 2009)
- Improved bookmarklet setTimeout() emulation (delay ordering is
- honored and pseudo-recursion is supported)
- Update locales
New in NoScript 1.9.8.7 (Aug 26, 2009)
- Fixed minor bugs in "Recent blocked sites" implementation
- Updated Rumenian
- Fixed encoding issue with configuration import/export/sync
New in NoScript 1.9.8.4 (Aug 20, 2009)
- Fixed ABE internal redirection on DNS cache miss interfering with injection checks under some circumstances
New in NoScript 1.9.8.1 (Aug 12, 2009)
- Fixed Mac OS X specific hang bug triggered by STATUS_RESOLVING DNS
- notifications for some sub-requests
New in NoScript 1.9.8 (Aug 11, 2009)
- ABE's caching DNS requests now send STATUS_RESOLVING notifications
- (thanks al9_for RFE)
- Improved injection checks (thanks Sirdarckcat for reporting)
- Fixed invalid chars in host names causing loads to fail without any
- visible error feedback
- Work around for breakages caused by the .NET Framework Assistant,
- http://adblockplus.org/blog/the-return-of-net-framework-assistant
- ABE grammar source (ABE.g) included in the distributed XPI (thanks
- al9_for noticing its absence)
New in NoScript 1.9.7.9 (Aug 5, 2009)
- Improved XSS filter compatibility with some decimal coordinates
- patterns
- Fixed JavaScript IFrame manipulation causes documents to be loaded
- in a new window sometimes (thanks Derek Greentree for reporting)
New in NoScript 1.9.7.7 (Aug 1, 2009)
- x Fixed DNS cache status interfering with HTTPS redirections
- v 1.9.7.6:
- + Fixed HTTPS-bound active content restrictions preferences not being
- honored sometimes (thanks Peter Meier for reporting)
- v 1.9.7.5:
- + HTML 5 video and audio are blocked also when loaded as documents
- in a frame or in a top-level window
- v 1.9.7.4:
- x Decoupled legacy frame blocking from "Forbid IFrames" (thanks
- Grumpy Old Lady for reporting)
- v 1.9.7.3:
- x Fixed IFrame blocking being delayed to DNS resolution when ABE is
- active (thanks Mike A. for reporting)
- x Fixed Frame blocking leading to extra history entries on unblocking
- v 1.9.7.2:
- x Content serviced with the "Content-disposition: attachment" header
- (forced downloads) should not be subject to plugin blocking
- policies (thanks nagan for reporting)
- x ABE checks should be skipped for XHR requests made from chrome
- v 1.9.7.1:
- x Inclusion type checks accomodating hosting errors in AOL gadgets,
- outbrain.com widgets and E-junkie libraries
- x Fixed es-CL locale metadata
New in NoScript 1.9.69 (Jul 23, 2009)
- Fixed default whitelist not being installed on first run anymore
- since 1.9.6's fix for multibyte temporary allow / mark as untrusted
New in NoScript 1.9.6.8 (Jul 22, 2009)
- Works with: Firefox: 1.5 – 3.6a1pre
- Inclusion content type checking now graces default file extensions
- Improved XSS filter pre-screening efficiency
- Prefixed content type based inclusion blocking message
New in NoScript 1.9.3.3 (May 26, 2009)
- Fixed fatal exception on JSON XSS checks.
New in NoScript 1.9.3.2 (May 26, 2009)
- Fixed whitelist import/export broken by new global import/export.
New in NoScript 1.9.3.1 (May 26, 2009)
- Fixed automatic secure cookie management being enabled by default.
New in NoScript 1.9.3 (May 26, 2009)
- Redirect loops caused by HTTPS enforcement now trigger the standard redirect loop error page (thanks Matt McCutchen for RFE).
- Fixed https-forced embedded objects not being loaded unless already cached (thanks Matt McCutchen for report).
New in NoScript 1.9.2.93 (May 26, 2009)
- Fixed 1.9.2.92 regression breaking "Revoke temporary permissions".
New in NoScript 1.9.2.92 (May 26, 2009)
- Improved bookmarklet support, trying to turn setTimeout calls into synchronous ones and to execute trusted imported scripts (e.g. in the Readability bookmarklet).
- Slighty "beautifyed" JSON export format (one preference per line).
- Fixed 1.9.2.91 regression, preventing permissions changes made in NoScript Options from being saved under some random circumstances.
New in NoScript 1.9.2.91 (May 26, 2009)
- Import and Export buttons in NoScript Options to backup and restore the whole NoScript configuration (preferences and permissions) to and from a text file.
New in NoScript 1.9.2.9 (May 26, 2009)
- Native media (audio/video HTML 5 elements) blocking.
- Huge refactoring modularizing XSS, ABE, ClearClick, HTTPS extras and utility classes.
New in NoScript 1.9.2.8 (May 14, 2009)
- 100x speedup of bookmark-based configuration persistence
- NoScript tries to synchronize its configuration with foreign bookmarks when the "Backup configuration in bookmarks" gets enabled in order to ease adding new "slaves".
- Excluded temporary permissions from bookmark-based synchronization.
- Fixed XMark synchronization failing because of XMark's 4KB limit on bookmark URIs.
- Fixed opening the [NoScript] configuration bookmark hanging the AutoPager extension.
- Disqus ClearClick exception.
- Feedly ClearClick exception.
New in NoScript 1.9.2.7 (May 14, 2009)
- "NoScript Options|Notification|Display release notes on update" checkbox.
- Fixed XSLT blocking regression.
New in NoScript 1.9.2.6 (May 4, 2009)
- NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.
New in NoScript 1.9.2.5 (May 4, 2009)
- One-time startup prompt to ask users *beforehand* if they want to install/keep or permanently delete the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above.
- Fixed filterset bug: it could be disabled but not removed.
- Fixed "Attempt to fix JS links" not working for drop-down lists on Gecko < 1.9 (thanks therube for report).
- Updated zh-CN translation.
- Updated el-GR translation.
New in NoScript 1.9.2.4 (Apr 30, 2009)
- Improved Gecko >= 1.9.1 support.
- Updated nl-NL translation.
- Fixed notification icons broken on Minefield (Fx 3.6a1pre).
- Fixed blocked objects in "restrictions on trusted sites" mode not being counted for "partially allowed" reporting.
New in NoScript 1.9.2.3 (Apr 30, 2009)
- Localization-agnostic title for configuration sync bookmark.
- Localizable info page when opening the configuration sync bookmark.
- Fixed external XSLT sources not being reported in NoScript menus even if blocked unless a different type of active content comes from the same origin.
- A "NoScript development support filterset" gets added to AdBlock Plus, whitelisting the noscript.net, flashgot.net, informaction.com and hackademix.net web sites recently broken by an aggressive EasyList campaign against sites sponsoring NoScript development.
- ABP users are informed both on the install and on the release notes pages, so they can easily disable the filterset if they whish to.
New in NoScript 1.9.2.2 (Apr 30, 2009)
- Performance optimization of preferences bookmark-based persistence.
- Fied residual object blocking glitches (thanks Aerik, Pirlouy and Endor).
New in NoScript 1.9.2 (Apr 24, 2009)
- Experimental "Backup NoScript configuration in a bookmark for easy synchronization" feature (enable it in "NoScript Options|General").
- Fixed potential DNS leak in some proxied setups when opening URLs with FQDNs as their hostnames (thanks Rolf Wendolsky for report).
New in NoScript 1.9.1.91 (Apr 14, 2009)
- Fixed notifications reporting "Forbidden" on some partially allowed pages.
New in NoScript 1.9.1.9 (Apr 12, 2009)
- Fixed notifications reporting "Partially allowed" on fully allowed pages (thanks Grant Parris for report).
- Fixed source code (view-source: originated) POST requests being turned into GET requests.
New in NoScript 1.9.1.8 (Apr 11, 2009)
- New "partially allowed subcontent" icon to indicate that the top site is blocked but some active sub-content (e.g. plugin objects or frames) is enabled.
- New script sources inventory behavior reporting "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed unless their hosting document is allowed too.
- New "noscript.clearClick.subexceptions" preference to list sources of embedded content which don't need to be protected by ClearClick.
- ClearClick compatibility with the "ShareThis" extension.
New in NoScript 1.9.1.7 (Apr 11, 2009)
- Fixed multiple placeholder regression on Gecko < 1.9 (Firefox 2.x).
New in NoScript 1.9.1.6 (Apr 2, 2009)
- Improved ClearClick specificity on zoomed pages (fixes a false positive on GMail's Flash-based attach link when zoom is active).
- Temporarily disabled ClearClick on 3.6a1pre because of bug 486200.
New in NoScript 1.9.1.5 (Apr 2, 2009)
- XSLT stylesheets are regarded as active content and blocked by default on untrusted documents and/or from untrusted origins.
- "Forbid IFrame" compatibility with the Google Notebook extension.
- Fixed HTTP not enforced on redirected background requests.
- Fixed work-around for bug 453825 work-around causing unhandled error messages visible in Firebug.
New in NoScript 1.9.1.4 (Mar 26, 2009)
- Fixed placeholder size miscalculation for hidden blocked objects.
- Fixed HTTPS enforcing on documents causing an initial aborted HTTP documents request on Gecko < 1.9.
New in NoScript 1.9.1.3 (Mar 26, 2009)
- Fixed URIPatternList glob compiling bug.
New in NoScript 1.9.1.2 (Mar 18, 2009)
- HTTPS forced on background requests (images, stylesheets, scripts, embeddings, AJAX...) as well (thanks mattmccutchen's RFE).
- Fennec 1.0b1 compatibility.
New in NoScript 1.9.1.1 (Mar 18, 2009)
- Fixed XSS false positive on SAMLP payloads.
New in NoScript 1.9.1 (Mar 11, 2009)
- ClearClick performance boost on crowded documents.
- Updated French translation.
- Reduced log spam on content blocking.
New in NoScript 1.9.0.92 (Mar 11, 2009)
- Yieldmanager script surrogate.
- x Fixed "Attempt to fix JavaScript links" causing middle-clicks to open JS link targets twice on Gecko 1.8
New in NoScript 1.9.0.91 (Mar 11, 2009)
- ClearClick incident reporting tool.
New in NoScript 1.9.0.9 (Mar 11, 2009)
- Fixed 20 seconds hang in injection checker on URLs containing long sequences of the "
New in NoScript 1.9.0.8 (Mar 4, 2009)
- Work around for Mozilla bug 453825.
New in NoScript 1.9.0.7 (Mar 4, 2009)
- Work around for SimpleViewer and other Flash movies replaced with innerHTML breaking on nsIContentPolicy presence.
New in NoScript 1.9.0.6 (Feb 22, 2009)
- Fixed page-level surrogates in subframes being executed too much early to be effective.
- Work-around for bug 4066046.
- Fixed incompatibility with the wfx_Versions extension.
- Fixed double activation for nested OBJECT elements, e.g. apple.com QuickTime movies.
- Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20.
New in NoScript 1.9.0.5 (Feb 16, 2009)
- Upper limits for JS link detection loop (thanks Wladimir Palant)
- about:certerror added to the intrinsic whitelist
- ClearClick compatibility with the Link Alert extension
- 3rd party script blocking improvements
- Updated Slovak translation
New in NoScript 1.9.0.4 (Feb 7, 2009)
- Fixed XHTML namespacing issues.
New in NoScript 1.9.0.3 (Feb 7, 2009)
- Fixed E4X hijacking false positive with scripts delimited by XML comments and containing XML.
New in NoScript 1.9.0.2 (Feb 7, 2009)
- Fixed X-FRAME-OPTIONS not working inside OBJECT elements.
- Restored broken compatibility with Seamonkey 1.0.x
New in NoScript 1.9.0.1 (Feb 7, 2009)
- Work around for edge case false positive on plugins embedded in cross-site framesets.
New in NoScript 1.9 (Jan 31, 2009)
- Improved ClearClick sensitivity.
New in NoScript 1.8.9.9 (Jan 31, 2009)
- Experimental X-FRAME-OPTIONS compatibility support (see http://hackademix.net/2009/01/29/x-frame-options-in-firefox/ and http://evil.hackademix.net/frameopts/ )
- Updated pt-BR translation.
- Fixed freeze on Poken URLs.
- Fixed URIs nested in query string being normalized with trailing slash.
New in NoScript 1.8.9.8 (Jan 31, 2009)
- Support for page-level surrogate scripts, executed before pages whose URL matches sources patterns starting with "@" start loading.
- Enhanced "catch all" Google Analytics surrogate.
- Refactored the Silverlight IsVersionSupported() patch to use ScriptSurrogate.execute().
- Streamlined Silverlight support.
- Instant placeholders, being shown before page finishes loading.
New in NoScript 1.8.9.7 (Jan 26, 2009)
- Improved script surrogation reliability.
- Fixed URIValidator preferences not being updated at runtime.
- Updated Sweden locale.
New in NoScript 1.8.9.6 (Jan 26, 2009)
- Evernote compatibility hacks.
New in NoScript 1.8.9.5 (Jan 26, 2009)
- Stricter checks for the "Attempt to fix JavaScript link" feature and emulation of form submission links.
New in NoScript 1.8.9.4 (Jan 26, 2009)
- Fixed minimum sized placeholder potentially exceeding smaller frames (thanks greenhatch for report about BetFair's menu).
- Fixed ClearClick form bounds miscalculation with negative coords.
- Fixed document loaded in a nested iframe when enabling a blocked legacy frame.
New in NoScript 1.8.9.3 (Jan 26, 2009)
- Extensible script surrogate mechanism (surrogating Google Analytics by default, look at noscript.surrogate.* in about:config).
- noscript.placeholderMinSize (default 32) forces a minimum pixel size on object placeholders.
- Cleaned up noscript.jsHack for custom usages.
New in NoScript 1.8.9.2 (Jan 17, 2009)
- Fixed page loading stalled sometimes when the final destination of a redirected script inclusion gets blocked by NoScript.
New in NoScript 1.8.9.1 (Jan 17, 2009)
- Fixed 3rd party script files starting with an XML comment being "swallowed" (breaking myway.com, netaddress.com and others).
New in NoScript 1.8.9 (Jan 16, 2009)
- New noscript.clearclick.exceptions preference to specify URL patterns of page where clickjacking shouldn't be checked.
- .ebay.com ClearClick exception to temporarily work-around a false positive on one-click bids too difficult to reproduce.
- Performance optimization of the JSON and E4X hijacking protection.
- Compatibility with Amazon one-click.
- Removed __count__ usage triggering a deprecated warning in Fx 3.0.x
- Relaxed XSS checks from same-domain HTTPSHTTP requests
- Improved E4X hijacking detection, skips leading XML comments in scripts.
- Updated Japanese translation.
New in NoScript 1.8.8.95 (Jan 16, 2009)
- JSON and E4X hijacking protection (Gecko >= 1.9.0.4 required).
New in NoScript 1.8.8.94 (Jan 16, 2009)
- Removed a potential document leak.
New in NoScript 1.8.8.93 (Jan 16, 2009)
- Improved accuracy of the new simulated onchange event handler.
New in NoScript 1.8.8.92 (Jan 16, 2009)
- Work-around for 1.9.2a1 Components.utils.lookupMethod() breakage.
- Restored placeholder outline on 1.9.2a1
New in NoScript 1.8.8.91 (Jan 16, 2009)
- Added browser-built-in about:xyz URLs to the permanent whitelist.
- Simulated onchange event handling for simple HTML select drop-down with URL-like options.
- Work-around for bug 453825 triggered by hack for bug 472495 and breaking smugmug.com Flash-based fullscreen slideshows.
New in NoScript 1.8.8.9 (Jan 16, 2009)
- New zoom-guessing algorithm, giving more accurate results than nsIMarkupDocumentViewer.fullZoom built-in property, to fix ClearClick false positives at some fractional zoom levels.
New in NoScript 1.8.8.8 (Jan 8, 2009)
- Kazakh translation (thanks Baurzhan Muftakhidinov)
- ClearClick optimization by canvas recycling
- Work-around for bug 472495
New in NoScript 1.8.8.5 (Dec 30, 2008)
- Further optimization of Base64 injection checks.
- More accurate clipping of scrolling frames in ClearClick.
New in NoScript 1.8.8 (Dec 28, 2008)
- Fixed rare ClearClick false positives on the bottom edge of scrolling frames
- Fixed ClearClick false positive on some cnbc.com videos
New in NoScript 1.8.7.6 (Dec 18, 2008)
- Improved specificity for "location=code" injection checks
- Compatibility with Facebook Connect JSON patterns
New in NoScript 1.8.7.4 (Dec 8, 2008)
- Contextual disablement with visual feedback for "Revoke temporary permissions" and "Temporarily allow all on this page" toolbar buttons
- Improved early detection of event attribute XSS
- Updated Arabic translation by Khaled Hosny
New in NoScript 1.8.7.3 (Dec 8, 2008)
- Better viewport framing when scrollbars are present
- Compatibility with Firefox 3.2a1pre
New in NoScript 1.8.7.2 (Dec 8, 2008)
- Work-around for Google Toolbar 5 Beta conflict
- Work-around for newTabURL incompatibility
- Adaptation to bug 464754
New in NoScript 1.8.7.1 (Dec 8, 2008)
- Fixed issues with noscript.forbidIFrameContext = 0
New in NoScript 1.8.7 (Dec 2, 2008)
- Updated zh-CN locale
- Enhanced interaction with AdBlock Plus tabs appearing over NoScript placeholders
- Flash-specific placeholder icon
- Java-specific placeholder icon
- Silverlight-specific placeholder icon
- Improved ClearClick compatibility with Google Street View (thanks natron for report)
- Finer grained object reload algorithm for mass permission changes from the "Blocked objects" menu (thanks Cinthya Wells for report)
New in NoScript 1.8.6 (Nov 24, 2008)
- Greatly increased sticky menu / Fennec UI responsiveness
- Refactoring of ClearClick's document patching code
- Removed translucency transition from sticky menu
- Extra QA for release
- Updated localizations
New in NoScript 1.8.5 (Nov 18, 2008)
- ClearClick enablement options on the ClearClick warning dialog
- ClearClick session whitelist
- Forced non-sticky behavior when there's just one site to allow and noscript.sticky.liveReload is unset
- Fixed placeholders not working on Fx 3.1
New in NoScript 1.8.4.1 (Nov 10, 2008)
- Fixed incompatibility causing Tor Button to endlessy reload the page when disabled.
New in NoScript 1.8.3.6 (Oct 27, 2008)
- Malay translation (thanks Joshua Issac)
- Croatian translation (thanks Stiepan A. Kovac)
New in NoScript 1.8.3.3 (Oct 21, 2008)
- Fixed redirection issue (thanks pumaro for report)
New in NoScript 1.8.3 (Oct 18, 2008)
- ClearClick work-around for misleading snapshot artifacts with justified text (thanks tmr250z for report)
- Fixed redirection blocking issue causing to some pages to hang in "loading..." status for a long time (thanks Mel Reyes for report)
New in NoScript 1.8.2.8 (Oct 13, 2008)
- More aggressive bound trimming (for elements sized 24x24 or more) fixes false positives on Yahoo! Movies
- Semantic containers being ignored by ClearClick fixes issues with Yahoo! Mail
New in NoScript 1.8.2.4 (Oct 11, 2008)
- Fixed late breaking POST injection checker regression, causing problems on some forms
New in NoScript 1.8.2.1 (Oct 9, 2008)
- ClearClick technology backported to Gecko 1.8.1 based browsers such as Firefox 2.0.x and SeaMonkey 1.1.x
New in NoScript 1.8.2 (Oct 7, 2008)
- New "ClearClick" protection, specifically addressing Clickjacking, Clickjacket and other UI-redressing vulnerabilities: UI interaction with embedded objects is disabled if they're obstructed or not clearly visible
- "ClearClick protection" and "Opacize embedded objects" controls in "NoScript Options|Plugins", to enable/disable them on untrusted and/or trusted pages
- Frame breaker emulation for frames where JS is disabled, controlled by the noscript.emulateFrameBreak about:config preference
- Fixed recursion problem with new legacy frame management
- Changed noscript.forbidIFrameContext default to 3 (allow same domain) unless "forbid non-HTTPS active content" is enforced: if this is the case, scheme must be the same as well.
New in NoScript 1.8.1.3 (Sep 18, 2008)
- Fixed further "HTTPS|Automatic Secure Cookie Management" glitches affecting lwn.net and DNN (thanks Matthew Hile and LWN for reports)
- Localization updates
- Fixed http://*.sub.domain:1234 site matching working only with "0" (wildcard) port
- Fixed Torbutton JS status reporting
New in NoScript 1.8.1.2 (Sep 17, 2008)
- Switched "HTTPS|Automatic Secure Cookie Management" off by default: even if all the reported login issues (especially the ebay.com one) have been fixed, it probably deserves more testing from opt-in volunteers before a general "default-on" release
- Unsafe cookies can be handled either globally (default), or per tab (noscript.secureCookies.perTab)
- Fixed "force HTTPS" not working across some redirection patterns
New in NoScript 1.8.1 (Sep 16, 2008)
- Fixed minor bugs in automatic fall-back for insecure cookies
- Updated localization
New in NoScript 1.7.9 (Aug 20, 2008)
- Fixed JS button auto-navigation problem with relative URLs
- JavaScript redirections detected also in the onload attribute of the body element
New in NoScript 1.7.8 (Aug 7, 2008)
- InjectionChecker optimization to skip neutral dotted patterns
- JS link fixing works also with JS buttons
- Fixed IFrame always blocked if port number differs from parent and noscript.forbidIFramesContext is 3
- Fixed reload inconsistencies in blacklist mode
- Changed noscript.autoReload.global default back to true, but global permission changes will cause reload only for the current tab, unless noscript.autoReload.allTabsOnGlobal is set to true
New in NoScript 1.7.7 (Jul 15, 2008)
- QA for release
- Localization updates
- Moved changelog online and removed full GPL text to reduce XPI size
New in NoScript 1.7.6 (Jul 7, 2008)
New in NoScript 1.7.4 (Jun 30, 2008)
- Force top level site to be always the most reachable in the menu (on the bottom)
- Fixed import issue with edited lists using DOS newlines
- Minor cascading permissions bug fixes (sometimes a subdomain was not removed from the blacklist when its parent was whitelisted, leading to usability confusion because blacklist always prevails)
- Experimental work-around for a WMP crash when a page containing an embedded movie is opened in the same window where another movie is already playing
New in NoScript 1.7.1 (Jun 26, 2008)
- Fixed changing permissions on one tab reload all tabs issue
New in NoScript 1.6.9.3 (Jun 17, 2008)
- Fixed Injection Checker false positive regression on URIs which contain encoded newline characters
New in NoScript 1.6.9 (Jun 12, 2008)
- Firefox 3.1a1pre compatibility
- Faster Base64 injection checks
New in NoScript 1.6.8 (Jun 5, 2008)
- Fixed false positives in new Base64 decoding Injection Checker
New in NoScript 1.6.5 (May 10, 2008)
- Fixed XSS URL sanitization issue with some proxy configurations
- Fixed false positives caused by Image(...).jpg file names
New in NoScript 1.6.4 (May 5, 2008)
- More effective cross-site POST blocking
- Estonian translation (thanks aivo)
New in NoScript 1.6.0 (Apr 17, 2008)
- Specific shadowed status icon for pages where some origins are allowed and all the remaining have been marked as untrusted
- Reviewed Russian translation (Alexander Sokolov and Sergei Smirnov)
- Dropped blockCssScanners code (SafeHistory and SafeCache extensions provide better prevention against navigation history sniffing)
- Further QA for release
New in NoScript 1.5.8 (Apr 10, 2008)
- Optimization of Injection Checker for iGoogle Calendar Widget
- Fixed edge-case false positives due to URL encoding mixed to symmetric brackets
- Fixed legacy Seamonkey UI regression introduced by Songbird compatibility
New in NoScript 1.5.6 (Mar 28, 2008)
- Minor enhancements to IFRAME blocking
New in NoScript 1.5.0 (Mar 17, 2008)
- Slovenian translation (thanks Toma� Ma�us)
- Special bookmark management made compatible with Suiterunner's sidebar (thanks therube for reporting)
- Extra QA for release