May 7th, 2013· Fixed backward compatibility issue with recent channel cloning changes
· [XSS] Compatibility with certain redirector URL patterns (thanks Stephen F. for reporting)
· [ABE] Fixed letest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
· [Locale] Updated Esperanto (thanks Michael Wolf)
· [Locale] Updated Upper Serbian (thanks Michael Wolf)
April 16th, 2013· Added per-window private browsing support to some background requests
· Improved channel cloning for internal redirections
· Added further Microsoft mail services dependencies to the default whitelist
· [XSS] Fixed character class bug (thanks Masato Kinugawa for reporting)
· [XSS] Fixed potential jQuery-based injection (thanks Masato Kinugawa for reporting)
· Improved handling of some moz-null principal instances in ABE requests (thanks Thrawn for reporting)
· New 360Haven surrogate lets the site work with 1st party scripts allowed and ads/tracker scripts forbidden
March 29th, 2013· Fixed outlook.com UI broken in Nightly by work-around for bug 677050 (thanks Raùl Duràn of Microsoft for troubleshooting help)
· Removed STS support for Gecko >= 4, which provides built-in HSTS
· Work around for multiple object creation causing UI inconsistencies (thanks al_9x for reporting)
· [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource() (thanks yahoo mail user for report)
March 29th, 2013· [XSS] Fixed character class bug (thanks Masato Kinugawa for reporting)
March 4th, 2013· [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource() (thanks yahoo mail user for report).
March 4th, 2013· Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
· "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
· "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
· Inclusion type checks exception for yandex.st
· [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments (thanks RAJAH235 for reporting)
February 19th, 2013· Made "Yes, remove all protections" the default button in the removal warning dialog
· [XSS] Fixed post-response encoding checks applied to UTF-8 pages too (thanks Masato Kinugawa for reporting)
· [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks Masato Kinugawa for reporting)
January 30th, 2013· Fixed plugin placeholders not shown for plugin documents on Gecko >= 19 (thanks therube for reporting)
· [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method (thanks Paola Moro for reporting)
· Allow/Forbid button on the site info page (thanks Edward Huff for RFE)
January 19th, 2013· [Surrogate] Less aggressive but more compatible adf.ly surrogate (it automatically skips ad but requires scripts enabled on adf.ly)
· Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent Firefox versions (thanks Guardian for reporting)
· [Surrogate] dimtus.com scriptless automatic image revelation
· [Surrogate] imageteam.org scriptless automatic image revelation
· [External Filters] Fixed cache API compatibility issue
December 27th, 2012· [ClearClick] Fixed miscalculations in screenshot comparison
· Fixed wrong placeholder position for standalone HTML 5 video content (thanks mjh563 for reporting)
· "Appearance" option to hide the "About NoScript" menu item
· Deny loading of any empty Flash object
· Fixed HSB locale (thanks Michael Wolf)
· Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for reporting)
· Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes (thanks al_9x for report)
· Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer for reporting)
· Fixed anti-popunder surrogate breaking BFCache (thanks whatever for reporting)
December 18th, 2012· Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
· for reporting).
December 18th, 2012· Fixed new placeholder close button being hidden on some Youtube pages
December 4th, 2012· [XSS] Further tweaks to reduce false positives (thanks Edward C. Kim for reporting)
· [XSS] The "maybe JS" step now removes leading parens, reducing false positives e.g. on Picasa (thanks jerriy for reporting)
· [Surrogate] Work-around for anti-popunder surrogate causing Ebay to recreate phantom cookies on page unload (thanks mjh563 for reporting)
· Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus) breaking bookmarlets and URL bar Javascript support after being updated for Firefox 17
· Removed some console noise
· [Surrogate] Updated adf.ly surrogate to work with new links
November 22nd, 2012· Fixed Google links anonymizer surrogate interfering with the "Search tools" button (thanks Sledge Fox and Brian Admire for reporting)
· Fixed impossible to copy lines from Console² if opened by NoScript (thanks therube for reporting and Phil Chee for suggestion)
· [XSS] Exception for wpcomwidgets.com safe inclusions
· Slightly reduced About box width (thanks GµårÐïåñ for RFE)
November 14th, 2012· [XSS] Better compatibility with Ebay's saved searches
· [Surrogate] Imagebax.com scriptless ads skipping redirection
· Fixed first non-cached page load in a session from about:newtab failing
· Removed legacy XUL script blocking code
· Added optional diagnostic to centralized channel aborting
· Fixed bug in Java URLs resolution
November 2nd, 2012· Improved long URL wrapping for more manageable plugin placeholdertooltips
· Fixed ABE notifications bleeding out of the viewport when very long URLs are involved
· [Surrogate] More efficient deferred script loading and syntax check, saves memory and startup time from unused surrogates
· [Surrogate] Picbucks.com scriptless ads skipping redirection
· [Surrogate] Imagebunk.com scriptless image revealing
· [Surrogate] Picsee.net scriptless image revealing
· Added navigator.doNotTrack property support
October 26th, 2012· Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content allowed) to the default whitelist (required by MS mail services)
· [XSS] Removed false positive on some Google Gadgets; the work-around can be disabled by setting the noscript.filterXExceptions.ggadgets about:config preference to false (thanks Silvana for reporting)
· Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference
· Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with FRAMEs and IFRAMEs as well
· Fixed redirections involving sites marked as untrusted causing inconsistencies in page permissions, with JavaScript being blocked even if the site is whitelisted (thanks al_9x for reporting)
· Fixed regression on older Gecko versions causing NoScript to believe the browser is proxied when it's not
October 18th, 2012· Work-around for unique origins being assigned to URL bar loads by Gecko 16 and above interfering with some ABE rules
· Work-around for bug 797684 patch causing ABE's Sandbox action to fail
· Work-around for regression from Mozilla bug 797684 fix causing frames not to be blocked correctly in recent >= 18 builds
· Slightly revised About box to make more room for contributors
October 8th, 2012· Fixed synchronous timeout emulation ordering bug in bookmarklet execution on scriptless pages (thanks Infocatcher for reporting)
· [XSS] Fixed comment preprocessing optimization affecting free JavaScript detection, thanks Masato Kinugawa for reporting
· [XSS] Fixed second order data: URLs sanitization issue, thanks Masato Kinugawa for reporting
· Fixed meta refresh blocker notification bar broken on Gecko < 4 (thanks nitou for reporting)
· Fixed iframe placeholder positioning issue (thanks al_9x for report)
· Fixed regression in placeholder positioning (thanks al_9x for report)
· [ClearClick] Fixed false positive on cross-site SVG document embeddings (thanks Steffen for reporting)
September 25th, 2012· [XSS] Fixed slow regular expression causing some base64 request payloads to trigger false positives (thanks Mirko Tasler for reporting)
· Force placeholders to frontmost position e.g. on HTML 5 Youtube content
· New icon for blocked embeddings on globally allowed pages (thanks therube for RFE)
September 14th, 2012· More reliable Java applet origin identification
· Cross-browser work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=789773
September 5th, 2012· Fixed HTTP checks not being skipped anymore for some chrome-generated XMLHttpRequest requests because of a Gecko 15 change
· Work-around for cloned DOM nodes not retaining additional chrome-attached information anymore, thus breaking placeholders in some cases (thanks al_9x for reporting)
· Fixed placeholder post-enablement event channeling broken by Sandbox changes
· Fixed placeholder sizes messed up by changes in Gecko 17
· Work-around for broken content policy call for Java plugin on Gecko 17 and above (thanks marty60 for reporting)
August 29th, 2012· [XSS] Fixed false positives on URLs containing an ASP.NET cookieless session identifier (thanks Trupti Chaudhari for reporting)
· noscript.eraseFloatingElements about:config preference to switch the mousedown + del key floating popup erasing feature off and on
· Limited the mousedown + del key floating popup erasing feature to pages where scripts are forbidden and to absolute or fixed position elements
· Fixed JavaScript URL non-void expression evaluation in the URL bar causing scripts to get globally allowed (thanks al_9x for reporting)
· [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for reporting)
August 24th, 2012· [ClearClick] Improved protection against clickjacking timing attacks (thanks Nafeez Ahmed for reporting)
· Fine tuned floating div (in-page popup) removal by locking it to the nearest positioned ancestor and swallowing the mouseup event if the DEL key has been hit after last mousedown
August 16th, 2012· Holding the left mouse button down on a page element and hitting the DEL key will remove it (useful to forcibly kill in-page popups when scripts are disabled)
· Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking protection implementation detail
· Disabled LiveConnect interception on Gecko 16 or better, since Java globals have been removed from the DOM
· [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for reporting)
· Fixed Silverlight and Flash scripted initialization patches being broken by recent JavaScript interpreter changes
· Work-around for hp-ww.com misconfiguration (JavaScript files served with bogus content-type header)
July 30th, 2012· [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
· Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height (thanks ochristi for report)
· [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
· Fixed placeholders for absolutely positioned elements may cause layout glitches (thanks al_9x for reporting)
· Fixed interaction with built-in Firefox's click-to-play causing infinite object activation loop (thanks al_9x for reporting)
July 25th, 2012· Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height (thanks ochristi for report)
· Fixed placeholders for absolutely positioned elements may cause layout glitches (thanks al_9x for reporting)
July 11th, 2012· Work-around for Mozilla bug 771655 (broken debugger)
· Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is taken by the debugger
· Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks Alex Inführ for reporting)
· Removed assumptions of a body element from some code paths which may handle generic XML documents
June 29th, 2012· [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for report)
· [XSS] Fixed false positive with some Base64-encoded Yahoo News subrequests
· Fixed regression, noscript.allowedMimeRegExp not working anymore for plugins other than Java, Flash and Silverlight
· Auto-anchored multi-valued regexp preferences can now be separated by regular spaces rather than just newlines (this behavior was documented but not actually implemented for noscript.allowedMimeRegExp)
June 12th, 2012· [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
· [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
· [XSS] Fixed document.cookie minimal assignment false negative (thanks Masato Kinugawa for report)
· [XSS] Fixed dotted query parameter names false positives, affecting OpenID, Hotmail and other services (thanks Gavin H for report)
· Fixed some messages being dumped to the console even if logging is turned off (thanks marbler for report)
June 11th, 2012· [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
· [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
· Dalili and Ahamed Nafeez for reporting)
· [XSS] Improved unconventional assignments detection (thanks Masato
· Kinugawa for report)
· [Locale] Corrected he-IL merge (thanks baryoni)
· [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
· [XSS] More regular expression objects caching as a speed optimization
· [XSS] Removed optimization shortcut causing false negatives on some
· kind of concatenated assignments (thanks Masato Kinugawa for report)
· [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
· [XSS] More aggressive obsolete charsets filtering (thanks Masato
· Kinugawa for report)
June 5th, 2012· [Locale] Updated he-IL (thanks baryoni)
· Fixed early synthetic DNS notification causing blank stripe on the bottom of the first browser window if started maximized or fullscreen - Removed Firefox 2.x compatibility code
· Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked (thanks hanfi for reporting)
May 28th, 2012· Fixed JS links detection not resolving JS string escapes (thanks vyznev for reporting)
· Fixed HTML 5 parser detection in META refresh processing being broken by a removed browser preference
· Fixed exception raised by inclusion type checks when parent document's URI has no host
· [XSS] Better detection of free inline script injections (without string literal evasion) inside function calls
· The noscript.allowedMimeRegExp preference now applies also to Java, Flash and Silverlight mime types
May 21st, 2012· [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging to the LAN anymore for the purpose of cross-zone request forgery checks in order to safely work-around DNS misconfiguration issues in the wild (thanks siu and ralf for reporting)
· [ABE] Fixed router WEB UI fingerprinting failing on some devices because of redirection loops
· [XSS] Protection against HPP attacks exploiting URL parsing quirks specific to ASP Classic (thanks Soroush Dalili for reporting)
· Fixed first application updates check failing on Nightly (bug 754393)
· [XSS] Fixed false positive regression on some file hosting sites (thanks Janne Maekelae for reporting)
May 11th, 2012· [XSS] Protection against exploitation of classic MS ASP's coalescing of same-name query parameters (thanks Soroush Dalili for reporting)
· [XSS] Protection against URL injections in in window.name
· [XSS] Fixed case-sensitivity bug in detection of unicode escape sequences (thanks Masato Kinugawa for reporting)
· [Surrogate] adagionet.com inclusion surrogate
· Fixed "Allow sites open through bookmarks" regression (thanks jerryi and therube for reporting)
· [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil Purviance for reporting)
· Added inclusion type check exception to the lesscss Google Code file repository, often used as a CDN
May 5th, 2012· Improved temporary permissions management during bookmarklet execution
· [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)
· [XSS] Improved InjectionChecker detection of in-code multiple insertions (thanks Krzysztof Kotowicz)
· [XSS] InjectionChecker detection of single assignment evaluation through global exception handling (thanks Gareth Heyes)
· [Locale] Fixed broken overlay on Basque localized browsers (thanks afa for reporting)
· [XSS] Fixed bug in late window.name payload checking (thanks Soroush Dalili for reporting)
April 26th, 2012· [ClearClick] More tolerant snapshot comparation algorithm (partially backported from NSA) to reduce false positives (tweaked by the noscript.clearClick.threshold percentage value in about:config)
· Removed about:credits from default whitelist
· [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in obscuration by windowed plugins checks
· Fixed compatibility regressions on Firefox 3.x
· Following links from the About dialog now closes it (thanks Guardian for suggestions)
· Fixed NOSCRIPT META refreshes blocking not working when scripts are globally allowed (thanks and Ken and Tom T. for reporting)
· [ClearClick] Fixed false positives caused by accelerated graphics with some plugin content
April 23rd, 2012· Smart integration with the new browser-native click to play: if a plugin object is manually allowed from NoScript's UI, it gets also natively activated (noscript.smartClickToPlay about:config preference)
· Improved active content identity tracking, to avoid redundant blocking steps across reloads
· Fixed redirections in legacy frames not being blocked (thanks "utente" for reporting)
· [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site
April 17th, 2012· [ClearClick] Work-around for "rapid fire" protection interfering with some add-ons, such as 1Password (thanks Mike Tselikman for report) and FloatNotes (thanks endofmiles and Tom T. for reports)
· [ClearClick] Compatibility with Bitdefender TrafficLight (thanks Christopher A. M. Gerlach for reporting)
· [XSS] Enhanced InjectionChecker tolerance to certain URL patterns containing domain-names as parameter values (thanks gazer75 for report)
March 27th, 2012· Restored Nightly compatibility, broken by bug 719154
· [ClearClick] improved compatibility with Disqus widgets (thanks El Cid for reporting)
· [AddressMatcher] Optimized trailing "*" in glob expressions
· Fixed origin URL detection flawed when certain wrapped URIs are loaded (thanks Masato Kinugawa for reporting)
· [XSS] Fixed false positive with query string patterns mimicking array access (thanks Aicke Schulz for reporting)
March 19th, 2012· Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail (thanks DG42 for original report, Alan Baxter for providing a test account, all the forum staff and many users for their help in reproducing)
· [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes (thanks Tom T. and Patrick E. for reporting)
· [ClearClick] Better special-casing for same-site embedded objects
· [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs
· [XSS] Better window.name protection (thanks Masato Kinugawa for report)
· [XSS] Improved detection of javascript: URL injections
March 9th, 2012· [ClearClick] Fixed subtle bug which may lead to infinite loops in some cases (thanks GµårÐïåñ for reporting)
February 27th, 2012· [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
· [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
· Masato Kinugawa for reporting)
· [XSS] Added event injection checks for scriptless pages too, in order to
· prevent edge-case execution on permissions change
· [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato
· Kinugawa for reporting)
· [XSS] Improved HTML detection accuracy
· Better tagging of surrogate sandboxes for about:memory debugging
· Improved glinks surrogate
February 20th, 2012· Surrogate to let news pages escape Digg's frame
· [ClearClick] Improved compatibility with cross-frame overlapping shadows
· Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks .mario for reporting)
· adf.ly surrogate to automaticaly skip the interstitial page even if scripts are disabled
· Improved Google search surrogates
· New surrogate against Google's scriptless tracking of search results navigation
February 11th, 2012· Fixed about:newtab not considered as a local origin by ABE
· Added blob:, about:memory and about:support to the automatic whitelist
· Added reflected script inclusion check exception for intensedebate.com
· Fixed CSS issues on Gecko 1.8
February 5th, 2012· Right click on NoScript menu items copies the site to the clipboard, if any under the pointer, or all the page-related script sources prepended with a status mark: + for whitelisted, - for default, ! for untrusted (thanks Tom T. for RFE)
· Added browserid.org to the default whitelist
· Improved default whitelist update mechanism
· Fixed some Flash movies failing to load on Nightly (thanks Nova6K0 for reporting)
· Fixed incompatibility between surrogates / content augmentations (e.g. toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for reporting
· NoScript won't attempt to load the release notes page if the site is unreachable
January 25th, 2012· [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested documents
January 19th, 2012· [ClearClick] Protection against two steps interaction attack based on HTML5 DnD (thanks .mario for reporting)
January 13th, 2012· [XSS] Fixed sanitization reporting bug
January 3rd, 2012· [ClearClick] Better compatibility with recent Disqus widget versions
December 20th, 2011· Fixed some localizations having newlines replaced with 'n' characters
December 6th, 2011· Configuration import/export directory is persisted across sessions
November 25th, 2011· [Locale] Updated he-il (thanks baryoni)
· [ClearClick] Fixed incompatibility with the FoxTab add-on
November 16th, 2011· [ClearClick] Improved protection against Clickjacking on nested windowed
· Flash targets (thanks Sommerrain and Tom T for reporting)
November 10th, 2011· [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec used instead of "1.8"
November 3rd, 2011· Improved anti-popunder built-in surrogate
· Fixed object autowiring upon placeholder activation regressed by recent surrogate sandboxing changes
October 24th, 2011· [ABE] Fixed subrequests matching an Anon action rule not being shown in the logs if already anonymized by the browser
October 17th, 2011· Improved object wiring emulation on placeholder activation (thanks al_9x
· for report and code)
August 29th, 2011· Better load progress feedback for hosts which are not DNS-cached yet (thanks al_9x for reporting)
August 18th, 2011· Temporarily disabled anti-anti-adblocker surrogate on any site except those explicitly added to noscript.surrogate.ab.sources preference, as a work-around for bug 677652
· Lazy initialization is deferred also when a file:// URL is loaded as the home page
July 17th, 2011· [ClearClick] Refactoring and isolation of the rapid fire protection
July 11th, 2011· Fixed rapid fire cross-site interaction protection interfering with keyboard-based tab switching (thanks tikl for reporting)
July 4th, 2011· Fixed work around for Bug 668690 breaking feed viewer (thanks Jim Too
· for reporting)
June 27th, 2011· Fixed conflict with Firebug console
· Removed legacy code in content policy and ClearClick
May 31st, 2011· Fixed toolbar button hidden in popup windows (thanks Steven Roddis for reporting)
May 18th, 2011· Fixed recent memory optimizations breaking compatibility with some extensions (thanks Alan Baxter for reporting)
April 29th, 2011· [L10n] Updated ro
· Restored some locales gone missing in previous dev build
April 15th, 2011· [XSS] Improved XML prescreening
March 7th, 2011· Fixed spaces in ipecho response breaking WAN IP detection with one of the mirrors
· Experimental built-in profiler for debugging purposes
February 15th, 2011· Fixed empty tooltip for embedded placeholder on some RTL pages (thanks Saad for reporting)
· Truncate URLs in placeholders tooltips at the the query string or hash, to increase readability (thanks anystupidassname for RFE)
· Increased WAN IP checks interval to 1 hour reducing log spam on routers
· Removed some obsolete code
February 2nd, 2011· Fixed status label menu popping up in a wrong position
· Updated locales
January 24th, 2011· X-Do-Not-Track after a DNS cache miss causing some embedded content
· requests to fail
· Contribution button on the bottom of the Options dialog
January 5th, 2011· Fixed some cross-site requests containing JSON-like fragments broken
December 9th, 2010· Fixed new IFRAME-based Youtube embedding method broken on non
· whitelisted pages with embedding restrictions (thanks al_9x for report)
November 26th, 2010· [XSS] Detection and filtering of hexadecimal and binary encoded reflected XSS through SQL injection (SQLXSSI), partially found and disclosed (raw hexadecimal variant only) by Aditya K Sood
November 11th, 2010· Fixed stability issue when forcing HTTPS on images
October 18th, 2010· [UI] Fixed right-click on the toolbar button switching permissions
October 4th, 2010· Changed noscript.forbidIFramesContext about:config preference default to 3 (same base domain) to ensure better usability on complex sites (e.g. new Twitter) for people who's blocking iframes on trusted sites
· Optimal sensitivity calibration for Hover UI trigger events
September 20th, 2010· Work-around for first script element in body of a framed document not being executed unless password manager is enabled on Minefield
· Work-around for surrogates not being executed in frames on Minefield
September 13th, 2010· [Surrogate] Improved compatibility of the popunder surrogate
· [Surrogate] Fixed broken meebo.com detached windows
· [L10n] Updated it-IT
September 3rd, 2010· [XSS] Further FBML compatibility improvements
August 21st, 2010· [XSS] Fixed optimization bug which may lead to slower checks on specific source patterns
August 7th, 2010· [ABE] noscript.abe.localExtras about:config preference can specify net resources (space separated IPs and/or subnets) to be considered as LOCAL by ABE, in addition to the "regular" private subnetworks and the auto-detected WAN IP (thanks ammdispose for suggestion)
· [ClearClick] Better compatibility with iframes containing very tiny pages (e.g. horizontal Flattr buttons)
· Fixed page-level surrogates not always being executed inside iframes (thanks al_9x for reporting)
· [XSS] Fixed XML tags with no attributes which are omonymous of "sensitive" HTML tags triggering XSS false positives
July 27th, 2010· [Surrogate] Fixed Google thumbs surrogate broken by recent Gecko changes
· [ClearClick] Work-around for client(Height|Width) miscalculation
July 15th, 2010· ABE built-in ruleset editor
· Button to reset ABE's defaults
· Fixed setting noscript.cp.last to false causing embeddings not to be blocked
· Fixed 2nd order InjectionChecker bypass (thanks Sirdarckcat for report)
· External filters now receive the object referrer as their 3rd argument
July 6th, 2010· Emergency fix for a page reload bug on Mac OS X causing high CPU consumption after permission changes (thanks "D A" for reporting)
July 5th, 2010· Improved ClearClick clipping accuracy on framesets
· Improved ClearClick clipping accuracy on nested scrolling elements
June 25th, 2010· Fixed ClearClick false positives on Fx 3.5 and below (thanks Deniz Sofu for reporting)
· Compatibility version bump for Seamokey trunk v 1.9.9.97rc1
June 25th, 2010· Fixed ClearClick false positives on Fx 3.5 and below (thanks Deniz Sofu for reporting)
· Compatibility version bump for Seamokey trunk v 1.9.9.97rc1
June 24th, 2010· Fixed Script Surrogates activation glitches
June 12th, 2010· Improved URL parsing in META refresh interception
· Optimized * universal pattern in AddressMatcher
· Better error reporting during the execution of location bar scriptlets
May 27th, 2010· Fixed "Partially allowed scripts" icon shown instead of the "Scripts allowed but some objects blocked" one when the blocked objects' domains are not whitelisted for scripting (thanks al_9x for reporting)
· Fixed "Scripts allowed but some objects blocked" icon not being used for blocked web fonts (thanks Alan Baxter for reporting)
· (ABE) Deny on INCLUSION don't trigger a notification even if the blocked request is for a subdocument (the blocking is logged in the Console, use SUB if user-facing notification is needed)
· Fixed privileged XMLHttpRequests for untrusted resources being blocked if HTTP redirections occurred (thanks mari for reporting)
· Better compatibility with IronPort web-based tools (thanks Ron Collins for reporting)
May 18th, 2010· ABE INCLUSION(type1, type2, type3...) pseudo-method allows rules to take request type (e.g. SCRIPT vs CSS) in account
· ABE SELF+ (same domain) and SELF++ (same base domain) pseudo-origins
· Fixed iconic feedback inconsistencies when untrusted blocked objects are mixed with full-trusted content (tanks al_9x for reporting)
· Fixed Injection Checker false positives on some kinds of complex nested URLs (thanks Sirdarckcat for reporting)
· Tweaked ClearClick for Disqus compatibility (thanks John for reporting)
May 3rd, 2010· Fixed false positive issue with empty cross-site POST requests (thanks Bahamut for reporting)
April 30th, 2010· Added "Allowed with untrusted sources and blocked objects" icon
· Fixed minor inconsistencies in new partial allowance feedback icons (thanks al_9x for reporting)
April 21st, 2010· Further compatibility improvements in complex bookmarklets handling
April 16th, 2010· Removed ":0" wildcards from NoScript menu in ignorePorts=false mode to prevent confusing behaviors (thanks al_9x for suggestion)
· Embedding-only sites are shown in the Untrusted menu if placeholders are set to be hidden for untrusted embeddings (thanks al_9x for suggestion)
April 5th, 2010· Fixed InjectionChecker infinite recursion bug on certain requests (thanks dhouwn for reporting)
· Fixed plugin activation patches not being applied under some circumnstances
April 3rd, 2010· Pluggable site info page (default http://noscript.net/info/%utf8%;e%) can be opened by middle-click or shift+click on any site entry in NoScript's menus, and can be configured by editing the noscript.siteInfoProvider about:config preference
· More user-friendly management of non-standard TCP ports
· Fixed release notes page might break session restore sometimes
· Locale files maintenance
· Object sources won't appear in main menu when embedding restrictions apply to whitelist; previous behavior can be restored by setting the noscript.alwaysShowObjectSources to false (thanks al_9x for RFE)
March 19th, 2010· Fixed feed subscription broken on sites implementing X-Frame-Policy (regression from 1.9.9.56, thanks al_9x for reporting)
· Included js.wlxrs.com in default whitelist in order to make Hotmail login work out-of-the-box for new users
February 27th, 2010· Updated ABE grammar to use new AddressMatcher syntactic sugar
· Alert about ABE syntax errors when option dialog gets focused after a ruleset editing (thanks al_9x for suggestion)
February 12th, 2010· Enhanced compatibility with Paypal encrypted buttons
· Fixed some anti-popunder surrogate incompatibilities
February 5th, 2010· Enhanced compatibility with Paypal encrypted buttons
· Fixed some anti-popunder surrogate incompatibilities
January 28th, 2010· ClearClick: more efficient code paths specific to Fx 3.6 and above
· Fixed zoom-related ClearClick false positives on Fx 3.6 and above
· Fixed fonts being reported as "unknown" type in Blocked Objects menu
January 22nd, 2010· Fixed quirks mode triggered by surrogate execution on Gecko < 1.9.1 (thanks Power for suggestions).
January 17th, 2010· Anti-Popunder surrogate now applies to all HTTP pages by default
· DNS activity logging facility (disabled by default)
· Slight optimization of DNS lookups
· Temptative fix for https://bugzilla.mozilla.org/show_bug.cgi?id=501446 crasher (thanks timeless)
January 4th, 2010· Injection Checker compatibility with Livejournal comment posting
· Improved ClearClick compatibility with Facebook applications
December 19th, 2009· Placeholder enhancements backported to Gecko 1.8.x
· Fixed missing placeholders on Gecko 1.8.x (thanks al9_x for reporting)
November 28th, 2009· Removed residual compound attribute-based injection chance (thanks Sirdarckcat for reporting)
November 17th, 2009· Fixed HTTPS enforcement for embedded images breaking HTTP authentication
· (thanks polie for report)
· Fixed XHR breakage when called from a Worker (thanks Apeiron for report)
· Skip link fixing on right click
· Improved bookmarklet execution mechanism
· Improved compatibility of InjectionChecker with Facebook Connect
· Improved compatibility of InjectionChecker with Lycos Mail
October 28th, 2009· Fixed page loading issues (hard to reproduce but reported by many)
October 27th, 2009· Allowing a plugin object which size is not set reloads the page, assuming that scripts are used to size it
· Google Translate XSS exception
· abine:* ClearClick subexception
· Updated localizations
· Removed current URL leaking into RegExp properties if invisible link detection is enabled
· Hijack checks must skip error pages (thanks luntrus for report)
· Fixed XSS false positive at travelocity.com (thanks Chris Lonsberry)
October 14th, 2009· Reorganization of the "Embeddings" (FKA "Plugins") options panel
· "Forbid , " option in the "Embeddings" panel
· "Forbid @font-face" option in the "Embeddings" panel
· ClearClick report id made selectable (thanks therube for RFE)
October 6th, 2009· Improved Google Analytics surrogate, handling form submissions (thanks
· Alan Baxter for report)
September 24th, 2009· Fixed InjectionChecker micro-injecion scanning bug (thanks Sirdarckcat for reporting).
September 14th, 2009· Fixed kongregate.com incompatibility (thanks jthill for report)
September 14th, 2009· Updated MK locale
· QA for release
September 3rd, 2009· Improved bookmarklet setTimeout() emulation (delay ordering is
· honored and pseudo-recursion is supported)
· Updated locales
August 26th, 2009· Fixed minor bugs in "Recent blocked sites" implementation
· Updated Rumenian
· Fixed encoding issue with configuration import/export/sync (thanks m_c for reporting)
August 19th, 2009· Fixed ABE internal redirection on DNS cache miss interfering with injection checks under some circumstances.
August 10th, 2009· ABE's caching DNS requests now send STATUS_RESOLVING notifications (thanks al9_x for RFE)
· Improved injection checks (thanks Sirdarckcat for reporting)
· Fixed invalid chars in host names causing loads to fail without any visible error feedback
· Work around for breakages caused by the .NET Framework Assistant, http://adblockplus.org/blog/the-return-of-net-framework-assistant
· ABE grammar source (ABE.g) included in the distributed XPI (thanks al9_x for noticing its absence)
August 5th, 2009· Improved XSS filter compatibility with some decimal coordinates patterns
· Fixed JavaScript IFrame manipulation causes documents to be loaded in a new window sometimes (thanks Derek Greentree for reporting)
July 31st, 2009· Fixed DNS cache status interfering with HTTPS redirections
July 26th, 2009· 1.9.6.96 RC repackaged for release
June 29th, 2009· Fixed forbidden objects in allowed documents not causing partially allowed icon on first load in Gecko < 1.9 (thanks al9_x for report)
· Fixed forbidden objects in mixed trusted/blacklisted pages not causing partially allowed icon (thanks al9_x for report)
May 26th, 2009· Fixed fatal exception on JSON XSS checks (thanks HeikoAdams for
· report)
May 21st, 2009· Fixed whitelsit import/export broken by new global import/export (thanks Tim Johnson for report)
May 14th, 2009· 100x speedup of bookmark-based configuration persistence
· NoScript tries to synchronize its configuration with foreign
· bookmarks when the "Backup configuration in bookmarks" gets enabled
· in order to ease adding new "slaves"
· Excluded temporary permissions from bookmark-based synchronization
· Fixed XMark synchronization failing because of XMark's 4KB limit on
· bookmark URIs
· Fixed opening the [NoScript] configuration bookmark hanging the
· AutoPager extension
· Disqus ClearClick exception
· Feedly ClearClick exception
May 4th, 2009· NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.
April 24th, 2009· Experimental "Backup NoScript configuration in a bookmark for easy synchronization" feature (enable it in "NoScript Options|General")
· x Fixed potential DNS leak in some proxied setups when opening URLs with FQDNs as their hostnames (thanks Rolf Wendolsky for report).
April 14th, 2009· Fixed notifications reporting "Forbidden" on some partially allowed pages.
April 13th, 2009· Fixed notifications reporting "Partially allowed" on fully allowed
· pages (thanks Grant Parris for report)
· Fixed source code (view-source: originated) POST requests being
· turned into GET requests
April 11th, 2009· New "partially allowed subcontent" icon to indicate that the top site is blocked but some active sub-content (e.g. plugin objects or frames) is enabled
· New script sources inventory behavior reporting "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed unless their hosting document is allowed too
· New "noscript.clearClick.subexceptions" preference to list sources of embedded content which don't need to be protected by ClearClick
· ClearClick compatibility with the "ShareThis" extension
April 2nd, 2009· Improved ClearClick specificity on zoomed pages (fixes a false
· positive on GMail's Flash-based attach link when zoom is active)
· Temporarily disabled ClearClick on 3.6a1pre because of bug 486200
March 26th, 2009· Fixed placeholder size miscalculation for hidden blocked objects (thanks al9_x for report)
· Fixed HTTPS enforcing on documents causing an initial aborted
· HTTP documents request on Gecko < 1.9 (thanks al_9x for report)
March 18th, 2009· HTTPS forced on background requests (images, stylesheets,
· scripts, embeddings, AJAX...) as well (thanks mattmccutchen's RFE)
· Fennec 1.0b1 compatibility
March 11th, 2009· ClearClick performance boost on crowded documents
· Updated French translation
· Reduced log spam on content blocking
March 4th, 2009· Work around for Mozilla bug 453825
February 22nd, 2009· Fixed page-level surrogates in subframes being executed too much early to be effective (thanks GossamerGremlin for report)
· Work-around for bug 4066046 (thanks Alice0755)
· Fixed incompatibility with the wfx_Versions extension (thanks Archaeopteryx for report)
· x Fixed double activation for nested OBJECT elements, e.g. apple.com QuickTime movies (thanks al_9 for report)
· Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20 (thanks al_9x for report)
February 16th, 2009· Upper limits for JS link detection loop (thanks Wladimir Palant)
· about:certerror added to the intrinsic whitelist
· ClearClick compatibility with the Link Alert extension
· 3rd party script blocking improvements
· Updated Slovak translation
February 8th, 2009· Fixed XHTML namespacing issues (thanks dhouwn for report)
January 31st, 2009· Improved ClearClick sensitivity (thanks Eric Lawrence for report)
January 26th, 2009· Improved script surrogation reliability
· Fixed URIValidator preferences not being updated at runtime
· Updated Sweden locale
January 17th, 2009· Fixed page loading stalled sometimes when the final destination of a redirected script inclusion gets blocked by NoScript
January 16th, 2009· New noscript.clearclick.exceptions preference to specify URL
· patterns of page where clickjacking shouldn't be checked
· *.ebay.com ClearClick exception to temporarily work-around a false
· positive on one-click bids too difficult to reproduce
· Performance optimization of the JSON and E4X hijacking protection
· Compatibility with Amazon one-click
· Removed __count__ usage triggering a deprecated warning in Fx 3.0.x
· Relaxed XSS checks from same-domain HTTPSHTTP requests
· Improved E4X hijacking detection, skips leading XML comments in
· scripts (http://forums.mozillazine.org/viewtopic.php?p=5488645)
· Updated Japanese translation
January 8th, 2009· Kazakh translation (thanks Baurzhan Muftakhidinov)
· ClearClick optimization by canvas recycling
· Work-around for bug 472495
December 30th, 2008· Further optimization of Base64 injection checks
· More accurate clipping of scrolling frames in ClearClick
December 27th, 2008· Fixed rare ClearClick false positives on the bottom edge of
· scrolling frames
· Fixed ClearClick false positive on some cnbc.com videos
December 18th, 2008· Improved specificity for "location=code" injection checks
· Compatibility with Facebook Connect JSON patterns
December 8th, 2008· Contextual disablement with visual feedback for "Revoke temporary permissions" and "Temporarily allow all on this page" toolbar buttons (thanks WAPCE for suggestion).
· Improved early detection of event attribute XSS
· Updated Arabic translation by Khaled Hosny
December 2nd, 2008· Updated zh-CN locale
· Enhanced interaction with AdBlock Plus tabs appearing over NoScript placeholders
· Flash-specific placeholder icon
· Java-specific placeholder icon
· Silverlight-specific placeholder icon
· Improved ClearClick compatibility with Google Street View (thanks natron for report)
· Finer grained object reload algorithm for mass permission changes from the "Blocked objects" menu (thanks Cinthya Wells for report)
November 24th, 2008· Greatly increased sticky menu / Fennec UI responsiveness
· Refactoring of ClearClick's document patching code
· Removed translucency transition from sticky menu
· Extra QA for release
· Updated localizations
November 16th, 2008· ClearClick enablement options on the ClearClick warning dialog
· ClearClick session whitelist
· Forced non-sticky behavior when there's just one site to allow and noscript.sticky.liveReload is unset
· Fixed placeholders not working on Firefox 3.1
November 8th, 2008· Fixed incompatibility causing Tor Button to endlessy reload the page when disabled.
October 28th, 2008· Malay translation (thanks Joshua Issac)
· Croatian translation (thanks Stiepan A. Kovac)
October 19th, 2008· Fixed redirection issue (thanks pumaro for report).
October 19th, 2008· Fixed problem with tab navigation on forms inside frames.
October 17th, 2008· ClearClick work-around for misleading snapshot artifacts with justified text (thanks tmr250z for report)
· Fixed redirection blocking issue causing to some pages to hang in "loading..." status for a long time (thanks Mel Reyes for report)
October 12th, 2008· 1.8.2.8 fixes an issue with external protocol (mailto:, e2k:, irc:...) not working.
October 11th, 2008· New and improved ClearClick anti-Clickjacking technology to disable user interaction with partially obstructed or not clearly visible embedded objects. Enabled by default on untrusted pages, you can configure it to work on trusted pages as well in NoScript Options|Plugins; most false positive have already been eliminated in 1.8.2.2, and enforcing it everywhere will likely become the default after some other testing testing.
· New Forbid < FRAME > option for cross-site legacy frames, independent from Forbid < IFRAME >. Not to weaken IFRAME protection, legacy cross-site frames which are nested inside same-site IFRAMEs are blocked anyway.
· NoScript Options|Plugins|Opaque embedded objects preference to defeat opacity-based attacks.
· Restored compatibility with 1.5.0.x (note: due to technical limitations of Gecko 1.8, ClearClick is not available but you still get good anti-clickjacking protection from Opaque embedded objects and maximum from Forbid < IFRAME >/< FRAME >)
· Frame breaker emulation on pages where JavaScript is disabled, i.e. something like if (self != top) top.location = location will work.
Suite of features enhancing HTTPS effectiveness:
· 1. Force HTTPS on most sensitive sites
· 2. Option to disable active content on whitelisted sites which are not served through HTTPS, either always or when connecting through a proxy ("Tor mode"), to mitigate domain spoofing risks in hostile environments
· 3. Automatic and customizable Secure Cookie Management, to protect against HTTPS cookie hijacking. Important: if you got troubles logging in on some sites with this feature on, please get latest development build and, if it does not help, follow the easy advices given in this FAQ
· Better bookmarklet compatibility on untrusted sites.
· Temporarily allow all this page toolbar button.
· Revoke temporary permissions toolbar button.
· Several improvements in blacklisting mode: even if whitelisting is still the recommended safest mode, you can use Allow scripts globally and still block sites you mark as untrusted. More important, you can still enjoy full Anti-XSS protection even while you're keeping JavaScript allowed everywhere.
October 8th, 2008· 1.8.2.1 backports the new ClearClick functionality to be compatible with Firefox 2.x, Seamonkey 1.1.x and other Gecko 1.8.1 browsers.
October 7th, 2008· New "ClearClick" protection, specifically addressing Clickjacking, Clickjacket and other UI-redressing vulnerabilities: UI interaction with embedded objects is disabled if they're obstructed or not clearly visible (thanks Sirdarckcat, RSnake, Michal Zalewski and
· Matt Mastracci for inspiration and discussion)
· "ClearClick protection" and "Opacize embedded objects" controls in "NoScript Options|Plugins", to enable/disable them on untrusted and/or trusted pages
· Frame breaker emulation for frames where JS is disabled, controlled by the noscript.emulateFrameBreak about:config preference
· Fixed recursion problem with new legacy frame management
· Changed noscript.forbidIFrameContext default to 3 (allow same domain) unless "forbid non-HTTPS active content" is enforced: if this is the case, scheme must be the same as well.
September 18th, 2008· 1.8.1.2 and 1.8.1.3 fix all the reported login problems AND turn off the Automatic Secure Cookie Management by default, so have no fear to install.
· Anyway, if you decide to turn Automatic Secure Cookie Management on, your feedback about this new feature is very appreciated.
September 17th, 2008Switched "HTTPS|Automatic Secure Cookie Management" off by default:
· even if all the reported login issues (especially the ebay.com one)
· have been fixed, it probably deserves more testing from opt-in
· volunteers before a general "default-on" release
· Unsafe cookies can be handled either globally (default), or per tab
· (noscript.secureCookies.perTab)
· Fixed "force HTTPS" not working across some redirection patterns
September 16th, 2008Brand new suite of features enhancing HTTPS effectiveness:
· 1. Force HTTPS on most sensitive sites
· 2. Option to disable active content on whitelisted sites which are not served through HTTPS, either always or when connecting through a proxy ("Tor mode"), to mitigate domain spoofing risks in hostile environments
· 3. Automatic and customizable Secure Cookie Management, to protect against HTTPS cookie hijacking.
· Make page permissions permanent command permanently enables every site shown as temporarily allowed by NoScript's menu on the current page.
· Improved tooltips for page-level enablement and temporary permission revocation commands, showing affected sites.
· Better compatibility with Google Gears and other extensions.
· Allow all this page command permanently enables every site shown as allowable by NoScript's menu on the current page, unless already marked as untrusted.
· Temporarily allow all this page toolbar button.
· Revoke temporary permissions toolbar button.
· Several improvements in blacklisting mode: even if whitelisting is still the recommended safest mode, you can use Allow scripts globally and still block sites you mark as untrusted. More important, you can still enjoy full Anti-XSS protection even while you're keeping JavaScript allowed everywhere.
· Improved Silverlight management.
· JavaScript links "fixing" on disabled pages works also with buttons now.
· Further optimizations of Anti-XSS filters both in performance and accuracy.
August 31st, 2008· "Make page permissions permanent" command
· Meaningful tooltip for "Allow all in this page" and "Temporarily
· allow all in this page", listing affected sites
· More meaningful tooltip for Revoke Temporary Permission, listing
· affected sites and counting affected objects (Gecko >= 1.9)
· Rationalized keyboard accelerators for English menu items
Find us on Google+
