May 7th, 2013· Fixed backward compatibility issue with recent channel cloning changes
· [XSS] Compatibility with certain redirector URL patterns (thanks Stephen F. for reporting)
· [ABE] Fixed latest Tab Mix Plus version (4.1.0) causing loads started from the address bar to be considered cross-site
· [Locale] Updated Esperanto (thanks Michael Wolf)
· [Locale] Updated Upper Serbian (thanks Michael Wolf)
April 16th, 2013· Added per-window private browsing support to some background requests
· Improved channel cloning for internal redirections
· Added further Microsoft mail services dependencies to the default whitelist
· [XSS] Fixed character class bug (thanks Masato Kinugawa for reporting)
· [XSS] Fixed potential jQuery-based injection (thanks Masato Kinugawa for reporting)
· Improved handling of some moz-null principal instances in ABE requests (thanks Thrawn for reporting)
· New 360Haven surrogate lets the site work with 1st party scripts allowed and ads/tracker scripts forbidden
March 29th, 2013· Fixed outlook.com UI broken in Nightly by work-around for bug 677050 (thanks Raùl Duràn of Microsoft for troubleshooting help)
· Removed STS support for Gecko >= 4, which provides built-in HSTS
· Work around for multiple object creation causing UI inconsistencies (thanks al_9x for reporting)
· [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource() (thanks yahoo mail user for report)
March 29th, 2013· [XSS] Fixed character class bug (thanks Masato Kinugawa for reporting)
March 4th, 2013· [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource() (thanks yahoo mail user for report).
March 4th, 2013· Automatic Google Analytics web bugs blocking if google-analytics.com is not whitelisted
· "Mark as untrusted" button on the site info page (thanks SwissBIT for RFE)
· "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
· Inclusion type checks exception for yandex.st
· [XSS] Exception for requests across *.photobucket.com subdomains, which may legitimately contain syntactically valid Javascript fragments (thanks RAJAH235 for reporting)
February 19th, 2013· Made "Yes, remove all protections" the default button in the removal warning dialog
· [XSS] Fixed post-response encoding checks applied to UTF-8 pages too (thanks Masato Kinugawa for reporting)
· [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks Masato Kinugawa for reporting)
January 30th, 2013· Fixed plugin placeholders not shown for plugin documents on Gecko >= 19 (thanks therube for reporting)
· [Surrogate] Support for callbacks in Google Analytics' _gaq.push() method (thanks Paola Moro for reporting)
· Allow/Forbid button on the site info page (thanks Edward Huff for RFE)
January 19th, 2013· [Surrogate] Less aggressive but more compatible adf.ly surrogate (it automatically skips ad but requires scripts enabled on adf.ly)
· Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent Firefox versions (thanks Guardian for reporting)
· [Surrogate] dimtus.com scriptless automatic image revelation
· [Surrogate] imageteam.org scriptless automatic image revelation
· [External Filters] Fixed cache API compatibility issue
December 27th, 2012· [ClearClick] Fixed miscalculations in screenshot comparison
· Fixed wrong placeholder position for standalone HTML 5 video content (thanks mjh563 for reporting)
· "Appearance" option to hide the "About NoScript" menu item
· Deny loading of any empty Flash object
· Fixed HSB locale (thanks Michael Wolf)
· Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for reporting)
· Work-around for Gecko calling nsIContentPolicy::shouldProcess() with null location for Flash objects sometimes (thanks al_9x for report)
· Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer for reporting)
· Fixed anti-popunder surrogate breaking BFCache (thanks whatever for reporting)
December 18th, 2012· Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer for reporting).
December 18th, 2012· Fixed new placeholder close button being hidden on some Youtube pages
December 4th, 2012· [XSS] Further tweaks to reduce false positives (thanks Edward C. Kim for reporting)
· [XSS] The "maybe JS" step now removes leading parens, reducing false positives e.g. on Picasa (thanks jerriy for reporting)
· [Surrogate] Work-around for anti-popunder surrogate causing Ebay to recreate phantom cookies on page unload (thanks mjh563 for reporting)
· Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus) breaking bookmarklets and URL bar JavaScript support after being updated for Firefox 17
· Removed some console noise
· [Surrogate] Updated adf.ly surrogate to work with new links
November 14th, 2012· [XSS] Better compatibility with Ebay's saved searches
· [Surrogate] Imagebax.com scriptless ads skipping redirection
· Fixed first non-cached page load in a session from about:newtab failing
· Removed legacy XUL script blocking code
· Added optional diagnostic to centralized channel aborting
· Fixed bug in Java URLs resolution
November 2nd, 2012· Improved long URL wrapping for more manageable plugin placeholder tooltips
· Fixed ABE notifications bleeding out of the viewport when very long URLs are involved
· [Surrogate] More efficient deferred script loading and syntax check, saves memory and startup time from unused surrogates
· [Surrogate] Picbucks.com scriptless ads skipping redirection
· [Surrogate] Imagebunk.com scriptless image revealing
· [Surrogate] Picsee.net scriptless image revealing
· Added navigator.doNotTrack property support
October 26th, 2012· Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content allowed) to the default whitelist (required by MS mail services)
· [XSS] Removed false positive on some Google Gadgets; the work-around can be disabled by setting the noscript.filterXExceptions.ggadgets about:config preference to false (thanks Silvana for reporting)
· Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMES with the noscript.allowedMimeRegExp preference
· Made mimetype whitelisting through the noscript.allowedMimeRegExp preference work with FRAMEs and IFRAMEs as well
· Fixed redirections involving sites marked as untrusted causing inconsistencies in page permissions, with JavaScript being blocked even if the site is whitelisted (thanks al_9x for reporting)
· Fixed regression on older Gecko versions causing NoScript to believe the browser is proxied when it's not
October 18th, 2012· Work-around for unique origins being assigned to URL bar loads by Gecko 16 and above interfering with some ABE rules
· Work-around for bug 797684 patch causing ABE's Sandbox action to fail
· Work-around for regression from Mozilla bug 797684 fix causing frames not to be blocked correctly in recent >= 18 builds
· Slightly revised About box to make more room for contributors
October 8th, 2012· Fixed synchronous timeout emulation ordering bug in bookmarklet execution on scriptless pages (thanks Infocatcher for reporting)
· [XSS] Fixed comment preprocessing optimization affecting free JavaScript detection, thanks Masato Kinugawa for reporting
· [XSS] Fixed second order data: URLs sanitization issue, thanks Masato Kinugawa for reporting
· Fixed meta refresh blocker notification bar broken on Gecko < 4 (thanks nitou for reporting)
· Fixed iframe placeholder positioning issue (thanks al_9x for report)
· Fixed regression in placeholder positioning (thanks al_9x for report)
· [ClearClick] Fixed false positive on cross-site SVG document embeddings (thanks Steffen for reporting)
September 25th, 2012· [XSS] Fixed slow regular expression causing some base64 request payloads to trigger false positives (thanks Mirko Tasler for reporting)
· Force placeholders to frontmost position e.g. on HTML 5 Youtube content
· New icon for blocked embeddings on globally allowed pages (thanks therube for RFE)
September 14th, 2012· More reliable Java applet origin identification
· Cross-browser work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=789773
September 5th, 2012· Fixed HTTP checks not being skipped anymore for some chrome-generated XMLHttpRequest requests because of a Gecko 15 change
· Work-around for cloned DOM nodes not retaining additional chrome-attached information anymore, thus breaking placeholders in some cases (thanks al_9x for reporting)
· Fixed placeholder post-enablement event channeling broken by Sandbox changes
· Fixed placeholder sizes messed up by changes in Gecko 17
· Work-around for broken content policy call for Java plugin on Gecko 17 and above (thanks marty60 for reporting)
August 29th, 2012· [XSS] Fixed false positives on URLs containing an ASP.NET cookieless session identifier (thanks Trupti Chaudhari for reporting)
· noscript.eraseFloatingElements about:config preference to switch the mousedown + del key floating popup erasing feature off and on
· Limited the mousedown + del key floating popup erasing feature to pages where scripts are forbidden and to absolute or fixed position elements
· Fixed JavaScript URL non-void expression evaluation in the URL bar causing scripts to get globally allowed (thanks al_9x for reporting)
· [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for reporting)
August 24th, 2012· [ClearClick] Improved protection against clickjacking timing attacks (thanks Nafeez Ahmed for reporting)
· Fine tuned floating div (in-page popup) removal by locking it to the nearest positioned ancestor and swallowing the mouseup event if the DEL key has been hit after last mousedown
August 16th, 2012· Holding the left mouse button down on a page element and hitting the DEL key will remove it (useful to forcibly kill in-page popups when scripts are disabled)
· Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking protection implementation detail
· Disabled LiveConnect interception on Gecko 16 or better, since Java globals have been removed from the DOM
· [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for reporting)
· Fixed Silverlight and Flash scripted initialization patches being broken by recent JavaScript interpreter changes
· Work-around for hp-ww.com misconfiguration (JavaScript files served with bogus content-type header)
July 30th, 2012· [XSS] Improved XML handling algorithm preserves E4X detection accuracy while removing false positives, e.g. against OAUTH payloads
· Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height (thanks ochristi for report)
· [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can be disabled by setting the noscript.filterXExceptions.yahoo about:config preference to false)
· Fixed placeholders for absolutely positioned elements may cause layout glitches (thanks al_9x for reporting)
· Fixed interaction with built-in Firefox's click-to-play causing infinite object activation loop (thanks al_9x for reporting)
July 25th, 2012· Work-around for additional browser tools placed on the bottom of the content messing with NoScript's notification height (thanks ochristi for report)
· Fixed placeholders for absolutely positioned elements may cause layout glitches (thanks al_9x for reporting)
July 11th, 2012· Work-around for Mozilla bug 771655 (broken debugger)
· Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is taken by the debugger
· Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks Alex Inführ for reporting)
· Removed assumptions of a body element from some code paths which may handle generic XML documents
June 29th, 2012· [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for report)
· [XSS] Fixed false positive with some Base64-encoded Yahoo News subrequests
· Fixed regression, noscript.allowedMimeRegExp not working anymore for plugins other than Java, Flash and Silverlight
· Auto-anchored multi-valued regexp preferences can now be separated by regular spaces rather than just newlines (this behavior was documented but not actually implemented for noscript.allowedMimeRegExp)
June 12th, 2012· [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
· [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
· [XSS] Fixed document.cookie minimal assignment false negative (thanks Masato Kinugawa for report)
· [XSS] Fixed dotted query parameter names false positives, affecting OpenID, Hotmail and other services (thanks Gavin H for report)
· Fixed some messages being dumped to the console even if logging is turned off (thanks marbler for report)
June 11th, 2012· [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
· [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush Dalili and Ahamed Nafeez for reporting)
· [XSS] Improved unconventional assignments detection (thanks Masato Kinugawa for report)
· [Locale] Corrected he-IL merge (thanks baryoni)
· [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
· [XSS] More regular expression objects caching as a speed optimization
· [XSS] Removed optimization shortcut causing false negatives on some kind of concatenated assignments (thanks Masato Kinugawa for report)
· [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
· [XSS] More aggressive obsolete charsets filtering (thanks Masato Kinugawa for report)
June 5th, 2012· [Locale] Updated he-IL (thanks baryoni)
· Fixed early synthetic DNS notification causing blank stripe on the bottom of the first browser window if started maximized or fullscreen
· Removed Firefox 2.x compatibility code
· Fixed regression from 2.4.3rc3 causing same-site stylesheets to be checked for mime type mismatches and XSLT inclusions to be incorrectly blocked (thanks hanfi for reporting)
May 28th, 2012· Fixed JS links detection not resolving JS string escapes (thanks vyznev for reporting)
· Fixed HTML 5 parser detection in META refresh processing being broken by a removed browser preference
· Fixed exception raised by inclusion type checks when parent document's URI has no host
· [XSS] Better detection of free inline script injections (without string literal evasion) inside function calls
· The noscript.allowedMimeRegExp preference now applies also to Java, Flash and Silverlight mime types
May 21st, 2012· [ABE] IPv6 link-local addresses (fe80::/10) are no longer considered part of the LAN for the purpose of cross-zone request forgery checks, in order to safely work around DNS misconfiguration issues in the wild (thanks siu and ralf for reporting)
· [ABE] Fixed router WEB UI fingerprinting failing on some devices because of redirection loops
· [XSS] Protection against HPP attacks exploiting URL parsing quirks specific to ASP Classic (thanks Soroush Dalili for reporting)
· Fixed first application updates check failing on Nightly (bug 754393)
· [XSS] Fixed false positive regression on some file hosting sites (thanks Janne Maekelae for reporting)
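The May 21st entry above changes which addresses ABE treats as "LAN" when it looks for cross-zone request forgery (a request from an Internet origin to a local destination). The following is an added illustration, not ABE's own code: a small classifier that puts loopback, RFC 1918 and IPv6 unique-local addresses in the LAN zone while deliberately leaving fe80::/10 out, so a public hostname that mis-resolves to a link-local address does not get flagged as a cross-zone target. The exact set of ranges, the handling of zone identifiers and of IPv4-mapped addresses, and the function names are assumptions made for this example.

```javascript
// Added example, not NoScript/ABE source. Classifies a resolved destination
// address as "LAN" or "WAN" the way a cross-zone check needs to, treating
// IPv6 link-local (fe80::/10) as NOT belonging to the LAN, as the changelog
// entry describes. Range list and helper names are this example's assumptions.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// IPv4: loopback, RFC 1918 private ranges and (assumed here) 169.254/16.
function isLanIPv4(addr) {
  const m = IPV4_RE.exec(addr);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some(o => o > 255)) return false;
  const [a, b] = octets;
  return a === 127                                  // 127.0.0.0/8 loopback
      || a === 10                                   // 10.0.0.0/8
      || (a === 172 && b >= 16 && b <= 31)          // 172.16.0.0/12
      || (a === 192 && b === 168)                   // 192.168.0.0/16
      || (a === 169 && b === 254);                  // 169.254.0.0/16 (assumption)
}

// IPv6: loopback and unique-local (fc00::/7) are LAN; link-local (fe80::/10)
// is intentionally NOT LAN. Only the leading 16-bit group is needed for the
// prefix tests, so "::" compression beyond that is not expanded.
function isLanIPv6(addr) {
  let a = addr.toLowerCase();
  if (a.startsWith('[') && a.endsWith(']')) a = a.slice(1, -1); // URL literal form
  const zone = a.indexOf('%');                                  // strip scope id (fe80::1%eth0)
  if (zone !== -1) a = a.slice(0, zone);
  if (a === '::1') return true;                                 // loopback
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);       // ::ffff:a.b.c.d
  if (mapped) return isLanIPv4(mapped[1]);
  const first = a.split(':')[0];
  if (first === '' || !/^[0-9a-f]{1,4}$/.test(first)) return false;
  const hextet = parseInt(first, 16);
  if ((hextet & 0xffc0) === 0xfe80) return false;               // fe80::/10 link-local: WAN
  return (hextet & 0xfe00) === 0xfc00;                          // fc00::/7 ULA: LAN
}

function zoneOf(addr) {
  return (addr.includes(':') ? isLanIPv6(addr) : isLanIPv4(addr)) ? 'LAN' : 'WAN';
}

// The check itself: an Internet-zone origin reaching into the LAN zone.
function isCrossZone(originAddr, destAddr) {
  return zoneOf(originAddr) === 'WAN' && zoneOf(destAddr) === 'LAN';
}

// Constructed sample: a public origin whose DNS mis-resolves to link-local.
function demo() {
  return {
    routerFromInternet: isCrossZone('203.0.113.7', '192.168.1.1'),   // true
    linkLocalFromInternet: isCrossZone('203.0.113.7', 'fe80::1'),    // false
    ulaFromInternet: isCrossZone('203.0.113.7', 'fd12:3456::1'),      // true
  };
}
```

Stripping the scope identifier before matching matters in practice: `fe80::1%eth0` is still a link-local address, and a classifier that fails to parse it would silently fall into whichever branch handles "unparsable", which may not be the safe one.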
May 11th, 2012· [XSS] Protection against exploitation of classic MS ASP's coalescing of same-name query parameters (thanks Soroush Dalili for reporting)
· [XSS] Protection against URL injections in window.name
· [XSS] Fixed case-sensitivity bug in detection of unicode escape sequences (thanks Masato Kinugawa for reporting)
· [Surrogate] adagionet.com inclusion surrogate
· Fixed "Allow sites open through bookmarks" regression (thanks jerryi and therube for reporting)
· [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil Purviance for reporting)
· Added inclusion type check exception to the lesscss Google Code file repository, often used as a CDN
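The May 21st and May 11th [XSS] entries above both concern HTTP Parameter Pollution against classic ASP, whose `Request.QueryString("name")` returns every value of a repeated parameter joined with `", "`. The following is an added example, not NoScript's InjectionChecker: it emulates that coalescing and contrasts a filter that inspects each parameter value separately with one that inspects the value the server will actually render. The two detection rules are simplified stand-ins chosen for illustration, and the sample query string is constructed.

```javascript
// Added example, not NoScript source. Models classic ASP's coalescing of
// same-name query parameters and why a reflected-XSS filter must scan the
// coalesced value rather than each fragment on its own.
// The detection regexes below are deliberately simple stand-ins, not
// NoScript's InjectionChecker heuristics.

// Classic ASP: "a=1&a=2" is seen by the page as "1, 2". The ", " separator
// is the only ASP quirk modelled here; PHP, Java etc. behave differently.
function classicAspQueryValue(queryString, name) {
  return new URLSearchParams(queryString).getAll(name).join(', ');
}

// Simplified rule for a JS string-literal sink such as   x = "<%= q %>";
// an injection needs BOTH a quote (to close the literal) AND a call.
const BREAKOUT_RE = /["']/;
const CALL_RE = /\b[\w$.]+\s*\(/;
function fragmentLooksLikeJsInjection(value) {
  return BREAKOUT_RE.test(value) && CALL_RE.test(value);
}

// Naive filter: looks at each parameter value in isolation.
function naiveCheck(queryString) {
  for (const [, value] of new URLSearchParams(queryString)) {
    if (fragmentLooksLikeJsInjection(value)) return true;
  }
  return false;
}

// HPP-aware filter: looks at every parameter as the server will see it,
// i.e. after same-name values have been coalesced.
function hppAwareCheck(queryString) {
  const params = new URLSearchParams(queryString);
  for (const name of new Set(params.keys())) {
    if (fragmentLooksLikeJsInjection(classicAspQueryValue(queryString, name))) {
      return true;
    }
  }
  return false;
}

// Constructed sample request: q='"' and q='alert(1)//'. Each fragment is
// benign by the rule above, but reflected into   x = "<q>";   the server
// renders   x = "", alert(1)//";   which is valid JavaScript (comma operator,
// the trailing quote commented out).
const SPLIT_PAYLOAD = 'q=%22&q=alert(1)%2F%2F';

function demo() {
  return {
    coalesced: classicAspQueryValue(SPLIT_PAYLOAD, 'q'), // '", alert(1)//'
    naive: naiveCheck(SPLIT_PAYLOAD),                    // false: each fragment passes
    hppAware: hppAwareCheck(SPLIT_PAYLOAD),              // true: the assembled value fails
  };
}
```

The general lesson is server-specific: a client-side filter has to evaluate every injection candidate under each parameter-merging behaviour the target might use (first value, last value, or all values joined with some separator), because the attacker chooses the fragmentation and the server chooses the reassembly.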
May 5th, 2012· Improved temporary permissions management during bookmarklet execution
· [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)
· [XSS] Improved InjectionChecker detection of in-code multiple insertions (thanks Krzysztof Kotowicz)
· [XSS] InjectionChecker detection of single assignment evaluation through global exception handling (thanks Gareth Heyes)
· [Locale] Fixed broken overlay on Basque localized browsers (thanks afa for reporting)
· [XSS] Fixed bug in late window.name payload checking (thanks Soroush Dalili for reporting)
April 26th, 2012· [ClearClick] More tolerant snapshot comparison algorithm (partially backported from NSA, NoScript Anywhere) to reduce false positives (tweaked by the noscript.clearClick.threshold percentage value in about:config)
· Removed about:credits from default whitelist
· [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in obscuration by windowed plugins checks
· Fixed compatibility regressions on Firefox 3.x
· Following links from the About dialog now closes it (thanks Guardian for suggestions)
· Fixed NOSCRIPT META refreshes blocking not working when scripts are globally allowed (thanks Ken and Tom T. for reporting)
· [ClearClick] Fixed false positives caused by accelerated graphics with some plugin content
April 23rd, 2012· Smart integration with the new browser-native click to play: if a plugin object is manually allowed from NoScript's UI, it gets also natively activated (noscript.smartClickToPlay about:config preference)
· Improved active content identity tracking, to avoid redundant blocking steps across reloads
· Fixed redirections in legacy frames not being blocked (thanks "utente" for reporting)
· [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site
April 17th, 2012· [ClearClick] Work-around for "rapid fire" protection interfering with some add-ons, such as 1Password (thanks Mike Tselikman for report) and FloatNotes (thanks endofmiles and Tom T. for reports)
· [ClearClick] Compatibility with Bitdefender TrafficLight (thanks Christopher A. M. Gerlach for reporting)
· [XSS] Enhanced InjectionChecker tolerance to certain URL patterns containing domain-names as parameter values (thanks gazer75 for report)
March 27th, 2012· Restored Nightly compatibility, broken by bug 719154
· [ClearClick] improved compatibility with Disqus widgets (thanks El Cid for reporting)
· [AddressMatcher] Optimized trailing "*" in glob expressions
· Fixed origin URL detection flawed when certain wrapped URIs are loaded (thanks Masato Kinugawa for reporting)
· [XSS] Fixed false positive with query string patterns mimicking array access (thanks Aicke Schulz for reporting)
March 19th, 2012· Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail (thanks DG42 for original report, Alan Baxter for providing a test account, all the forum staff and many users for their help in reproducing)
· [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes (thanks Tom T. and Patrick E. for reporting)
· [ClearClick] Better special-casing for same-site embedded objects
· [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs
· [XSS] Better window.name protection (thanks Masato Kinugawa for report)
· [XSS] Improved detection of javascript: URL injections
March 9th, 2012· [ClearClick] Fixed subtle bug which may lead to infinite loops in some cases (thanks GµårÐïåñ for reporting)
February 27th, 2012· [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
· [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks Masato Kinugawa for reporting)
· [XSS] Added event injection checks for scriptless pages too, in order to prevent edge-case execution on permissions change
· [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato Kinugawa for reporting)
· [XSS] Improved HTML detection accuracy
· Better tagging of surrogate sandboxes for about:memory debugging
· Improved glinks surrogate
February 20th, 2012· Surrogate to let news pages escape Digg's frame
· [ClearClick] Improved compatibility with cross-frame overlapping shadows
· Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks .mario for reporting)
· adf.ly surrogate to automatically skip the interstitial page even if scripts are disabled
· Improved Google search surrogates
· New surrogate against Google's scriptless tracking of search results navigation
February 11th, 2012· Fixed about:newtab not considered as a local origin by ABE
· Added blob:, about:memory and about:support to the automatic whitelist
· Added reflected script inclusion check exception for intensedebate.com
· Fixed CSS issues on Gecko 1.8
February 5th, 2012· Right click on NoScript menu items copies the site to the clipboard, if any under the pointer, or all the page-related script sources prepended with a status mark: + for whitelisted, - for default, ! for untrusted (thanks Tom T. for RFE)
· Added browserid.org to the default whitelist
· Improved default whitelist update mechanism
· Fixed some Flash movies failing to load on Nightly (thanks Nova6K0 for reporting)
· Fixed incompatibility between surrogates / content augmentations (e.g. toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for reporting
· NoScript won't attempt to load the release notes page if the site is unreachable
January 25th, 2012· [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested documents
January 19th, 2012· [ClearClick] Protection against two steps interaction attack based on HTML5 DnD (thanks .mario for reporting)
January 13th, 2012· [XSS] Fixed sanitization reporting bug
January 3rd, 2012· [ClearClick] Better compatibility with recent Disqus widget versions
December 20th, 2011· Fixed some localizations having newlines replaced with 'n' characters
December 6th, 2011· Configuration import/export directory is persisted across sessions
November 25th, 2011· [Locale] Updated he-il (thanks baryoni)
· [ClearClick] Fixed incompatibility with the FoxTab add-on
November 16th, 2011· [ClearClick] Improved protection against Clickjacking on nested windowed Flash targets (thanks Sommerrain and Tom T for reporting)
November 10th, 2011· [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec used instead of "1.8"
November 3rd, 2011· Improved anti-popunder built-in surrogate
· Fixed object autowiring upon placeholder activation regressed by recent surrogate sandboxing changes
October 24th, 2011· [ABE] Fixed subrequests matching an Anon action rule not being shown in the logs if already anonymized by the browser
October 17th, 2011· Improved object wiring emulation on placeholder activation (thanks al_9x for report and code)
October 13th, 2011· Fixed speculative parsing causing inclusion surrogates to be executed twice (thanks al_9x for reporting)