NoScript - the safest Firefox experience
NoScript CHANGELOG
v 1.6.5
=====================================================================
x Fixed XSS URL sanitization issue with some proxy configurations
(thanks Philipp Gühring for reporting and testing)
x Fixed false positives caused by Image(...).jpg file names
v 1.6.4
=====================================================================
x More effective cross-site POST blocking
+ Estonian translation (thanks aivo)
v 1.6.3
=====================================================================
x Work-around for Songbird 0.5 bug (nsIEffectiveTLDService present
but not really working)
v 1.6.1
=====================================================================
+ Better feedback for blacklisted items on the page, by appending
untrusted sites count to "Untrusted" menu label
x Fixed bogus "allowed.yu" label for partially allowed pages where
all forbidden sites are marked as untrusted
v 1.6
=====================================================================
+ Specific shadowed status icon for pages where some origins are
allowed and all the remaining have been marked as untrusted
+ Reviewed Russian translation (Alexander Sokolov and Sergei Smirnov)
x Dropped blockCssScanners code (SafeHistory and SafeCache extensions
provide better prevention against navigation history sniffing)
+ Further QA for release
v 1.5.9.2
=====================================================================
x Fixed some Error Console noise (thanks timeless)
x Better Seamonkey installation algorithm (thanks therube)
v 1.5.9.1
=====================================================================
x Fixed infinite loop on some pages if noscript.blockCssScanners is
true (thanks tlu and Itsnow for report)
x Placeholder compatibility with latest trunk
(https://bugzilla.mozilla.org/show_bug.cgi?id=292789)
x Better installer for Seamonkey classic
v 1.5.9
=====================================================================
x Fixed regression from Songbird compatibility, making the Options
button on the notification bar unusable when status bar was hidden
x Changed default value of noscript.xss.trustExternal to true
x Experimental protection against getComputedStyle() history sniffing
attacks (you can enable it by switching the noscript.blockCssScanners
about:config preference to true)
v 1.5.8
=====================================================================
x Optimization of Injection Checker for iGoogle Calendar Widget
(thanks JonCage for report)
x Fixed edge-case false positives due to URL encoding mixed with
symmetric brackets (thanks Lundholm for report)
x Fixed legacy Seamonkey UI regression introduced by Songbird
compatibility (thanks therube for report)
v 1.5.7
=====================================================================
+ Tweaked for Songbird compatibility
x Version bump for Firefox 3.0pre
v 1.5.6
=====================================================================
x Minor enhancements to IFRAME blocking
v 1.5.5
=====================================================================
+ Bracket balancing for inline JS literal-breaking micro injections
v 1.5.4
=====================================================================
+ InjectionChecker speed optimizations, preventing timeout on overly
complex JSON requests (thanks John Danfort for report)
v 1.5.3
=====================================================================
+ Forbid toplevel site command in bold (thanks therube)
x Fixed rare XSS false positives on iGoogle
x Fixed "allowURLBarJS" preference cannot be disabled (thanks Aerik)
v 1.5.2
=====================================================================
x Fixed unwanted blocking of some trusted Java applets (thanks Mick
Bramhall for report)
v 1.5.1
=====================================================================
x Slightly revised icon set (thanks Karlosak and WAPCE for hints)
x Fixed bookmarklets invoked twice on untrusted sites (thanks al_9x)
v 1.5
=====================================================================
+ Slovenian translation (thanks Tomaž Mačus)
x Special bookmark management made compatible with Suiterunner's
sidebar (thanks therube for reporting)
x Extra QA for release
v 1.4.9.9
=====================================================================
x Bookmarklet handling code adapted again to cope with methods moved
from PlacesUtils to PlacesUIUtils after Fx 3 beta 4
v 1.4.9.8
=====================================================================
+ Prevention of Java applet same origin policy bypass via malformed
class name (see http://tinyurl.com/2u387t)
+ Improved icons
x Fixed chrome "domain" showing in menus (thanks Aerik)
v 1.4.9.7
=====================================================================
+ New noscript.allowURLBarJS about:config preference allows
javascript: and data: URLs to be run interactively from the
location bar, e.g. for bookmarklet testing, even if currently
displayed site is not whitelisted (default true)
+ Improved overall bookmarklet compatibility on Firefox 3
x Adapted bookmarklet handling code to latest Places refactoring with
openXXX() methods in PlacesUtils (thanks Tobu for report)
v 1.4.9.6
=====================================================================
x Fixed "Forbid chrome:" menu items on some pages (thanks niko322)
v 1.4.9.5
=====================================================================
x Version bump for Firefox 3.0b5pre
v 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
    0 - Allow any XHR
    1 - Allow cross-site XHR across trusted sites only (default)
    2 - Allow same-site XHR only (like Firefox 2)
    3 - Forbid all XHR
v 1.4.9.3
=====================================================================
x Fixed Firebug JS injection causing blocked IFrame
x Fixed plugin document detection making Acrobat Reader plugin hang
v 1.4.9.2
=====================================================================
x Minor InjectionChecker enhancements
v 1.4.9.1
=====================================================================
x Reduced vertical size of NoScript options panel for better usage
on constrained devices (thanks pstepper for report)
v 1.4.9
=====================================================================
+ Improved Silverlight object identity based on "source" param
v 1.4.8
=====================================================================
+ Better differentiation of Flash-based movie players and other
general purpose plugin content instances by taking into account
flashvars attributes and param elements.
+ Improved Silverlight placeholders, now shown in real time and
supporting more activation schemes
v 1.4.7
=====================================================================
+ Safe Silverlight placeholders restored by emulating the
IsVersionSupported() machinery (placeholders are usually delayed
by 3 secs or more)
v 1.4.6
=====================================================================
x Silverlight plugin objects in content blocking mode made completely
disabled (not just content-less) until they're allowed per-page
x Work-around for a conflict with the PDF Download extension
(thanks greenknight for report)
v 1.4.5
=====================================================================
x Fixed Silverlight unblocking hooks not working if all kinds of
plugin content and IFrames are blocked (thanks al_9x for report)
v 1.4.4
=====================================================================
+ Content unblocking machinery made compatible with new Silverlight
activation schemes (thanks al_9x and Alan Baxter for report)
v 1.4.3
=====================================================================
+ Further fuzzification of injection checker patterns
x Slightly relaxed window.name checks to allow some legitimate frame
tricks, e.g. in eBay Cross-promotions (thanks jlovie for report)
x External URI validation decoding changed to accommodate ISO-8859 and
other encodings, rather than UTF-8 only (thanks Alf Buccheim)
v 1.4.2
=====================================================================
+ Bookmarklet return values support on Mozilla trunk
x Fixed mailto: empty URL (new mail message) considered invalid
v 1.4.1
=====================================================================
x Fixed "onclick.match is not a function" issue when clicking on
named anchors with no href (thanks wangyi6854 for report)
v 1.4
=====================================================================
+ Updated translations
x Revised window.name injection checks to be more lenient on GModules
x Extra QA for release
x Fixed about dialog size to correctly show contributor list in any
language
v 1.3.8
=====================================================================
x Fixed eMusic incompatibilities (thanks Mel Reyes)
v 1.3.7
=====================================================================
+ Added wildcard type entry in Blocked Objects temporary allow menu
x Fixed minor bugs in Blocked Objects menu early implementation
v 1.3.6
=====================================================================
+ Descriptive icon for content types when possible on object
placeholders and menu items
x Improved CSS injection rules (thanks Azurite for report)
v 1.3.5
=====================================================================
+ More consistent plugin content temporary permissions management:
object permissions are granted per-session (not bound to the current
tab anymore) and honor the "Revoke Temporary Permissions" command.
+ "Temporary allow content-type@http://site.com" commands in the
"Blocked Objects" menu temporarily allow plugin content matching a
certain mime type (e.g. shockwave-flash) on the whole site.
x Increased readability of the "Blocked Objects" menu by using plain
font style instead of italics even if permissions are temporary
x Reduced console pollution on Linux
x Work-around for XPathResult not working in sandboxed bookmarklets
v 1.3.4
=====================================================================
+ "Blocked Objects" menu to temporarily allow plugin content even
when placeholder is hidden or not easy to see
+ "Block every object coming from a site marked as untrusted" option
in Plugins tab (checked by default)
x Further XSS filter sensitivity refinement
x Fixed double separators sometimes in menus (thanks niko322)
x Fixed "StumbleUpon Discovery" not compatible with "Forbid IFrames"
(thanks niko322)
x Fixed URI protocol handler protection removing mailto: line breaks
(thanks Alf Buchheim)
v 1.3.3
=====================================================================
x Allow data: URIs in script src attributes on trusted sites (thanks
Kravvitz for report)
x Fixed "a.getAttribute is not a function" issue (thanks wangyi6854
for report)
v 1.3.2
=====================================================================
+ Scriptless support for history.go(x), history.forward() and
history.back() links/buttons (thanks timeless for suggestion)
+ resource: URI path traversal protection
+ New "noscript.allowedMimeRegExp" about:config option to whitelist
some content types not to be blocked by "Forbid other plugins", for
instance "application/pdf" or "image/.*"
+ Plugin content is always forbidden if coming from sites explicitly
marked as "Untrusted" (blacklisted). This behavior can be disabled
by setting the "noscript.alwaysBlockUntrustedContent" about:config
option to false (thanks NakedStranger for suggestion).
x Fixed XSS false positive at mail.yahoo.com
x noscript.jsredirectFollow preference more effective on blank but
not empty (i.e. space only) body (thanks timeless for suggestion)
v 1.3.1
=====================================================================
x Fixed missing plugin content placeholder regression on some gaming
sites (thanks Aerik and hewee for report)
v 1.3
=====================================================================
+ "Revoke temporary permissions" command in NoScript floating menus
+ Fixed plugin content placeholder sometimes missing on background
tabs on Linux (thanks WAPCE for report)
v 1.2.9.6
=====================================================================
+ Better plugin content placeholder management
+ noscript.canonicalFQDN about:config preference to control
canonicalization of domains ending with a dot.
+ Updated translations
v 1.2.9.5
=====================================================================
+ Transparent blocking of non-text frames (thanks sam41177878)
v 1.2.9.4
=====================================================================
+ Tweaked preliminary URL screening optimizations to enhance
Injection Checker sensitivity (thanks Gareth Heyes)
v 1.2.9.3
=====================================================================
+ Updated Injection Checker to take into account upper Unicode
JavaScript identifiers (thanks Gareth Heyes)
v 1.2.9.2
=====================================================================
x Further reduced false positives with post-syntax danger checks
v 1.2.9.1
=====================================================================
x Fixed issues with trans-domain redirections, stacking entries in
the previously viewed site's menu (thanks Hanspeter Spalinger)
v 1.2.9
=====================================================================
x Set noscript.jsredirectFollow default to false
x Extra QA for release
v 1.2.8
=====================================================================
+ Injection Checker optimization on very long query strings
x Fixed OpenId XSS false positive on blogger.com (thanks dondado)
v 1.2.7
=====================================================================
x Fixed Yahoo search XSS false positive by double checking valid JS
fragments for potential danger (thanks firefoxisgreat2008 for report)
x Fixed the "form fields forgotten" issue by disabling the jsHack
feature which caused it. If you need jsHack and you can afford this
problem, just set the noscript.jsHackRegExp about:config preference
to a regular expression matching the URLs where you want it enabled
x Fixed content placeholders not showing on some sites
x Fixed POST payload being stripped as a consequence of injection
checking (thanks theiago for report)
v 1.2.6
=====================================================================
x Updated localizations
x Extra QA for release
v 1.2.5
=====================================================================
x Work-around for conflict with Tab Mix Plus dev. in Fx 3's Places
(http://tmp.garyr.net/forum/viewtopic.php?t=8052)
v 1.2.4
=====================================================================
x Fixed NOSCRIPT content shown in pages allowed on the fly with
"Temporarily allow top-level sites" (thanks Pirlouy for report)
v 1.2.3
=====================================================================
+ Improved Injection Checker JSON compatibility, now recursively
checking content of string attributes
x Further JS syntax check optimizations
x Fixed potential XBL-based crash after successful -moz-binding
injection (thanks Gareth Heyes for reporting)
x More discreet XSS notification for subframes
v 1.2.2
=====================================================================
x Changed noscript.filterXGetRx default to make single quote removal
happen only after positive injection checks (thanks sirdarckcat for
suggestion)
v 1.2.1
=====================================================================
x Fixed placeholder not shown for plugin content loaded in frames
(thanks Apoc2400)
x Revised InjectionChecker made compatible with JSON GET parameters
(thanks "Wilderness Of Mirrors")
v 1.2
=====================================================================
+ Better protection against Flash-based XSS and other plugin-related
cross-site attacks
+ Better feedback for allowable sites from embedded redirections
(thanks Leo Häfliger for report)
+ XSS filtering in subframes gets notified (was silent by default)
x Fixed temporary allowed site prevents parent from being allowed
permanently (e.g. in auto-allow mode)
x Fixed stand-alone WM plugin pages delayed blocking (thanks therube)
x Extra QA for release
x Updated localizations
v 1.1.9.9
=====================================================================
+ Hardened injection checker (thanks Gareth Heyes)
x Better compatibility with Wikimedia sites
x Fixed rtsp: and mms: plugin content always considered untrusted
(thanks Florian Gerstenlauer for report)
x Fixed one-click plugin activation (with no confirmation) sometimes
deferred to next page refresh (thanks Erwin J. Knöll for report)
v 1.1.9.8
=====================================================================
+ Experimental noscript.jsHack about:config preference containing JS
code to be executed before page loads in order to accommodate
missing features (default implants a fake urchinTracker, see
http://forums.mozillazine.org/viewtopic.php?p=3183986#3183986)
v 1.1.9.7
=====================================================================
+ new "Revoke temporary permissions" command
+ new Plugins option: "Collapse blocked objects"
+ new Plugins option: "No placeholder for object coming from sites
marked as untrusted"
x Fixed OBJECT count bug when placeholders are not shown
x Work-around for IETab incompatibility with noscript.contentBlocker
v 1.1.9.6
=====================================================================
x Object placeholder rendering optimization
x Extra QA for release
v 1.1.9.5
=====================================================================
+ Plugins disabled by default on unknown sites
x References to "Macromedia Flash" changed into "Adobe Flash"
x Fixed wrong OBJECT count reported after 1st notification
v 1.1.9.4
=====================================================================
+ XBL protection compatible with extensions using XMLHttpRequest from
a content-triggered event handler (e.g. Book Burro or PriceDrop)
v 1.1.9.3
=====================================================================
+ non-destructive cross-site XBL protection (handles the same case as
https://bugzilla.mozilla.org/show_bug.cgi?id=387971)
x Better edge-case handling in invisible links detection (thanks
Alexander Nikkta)
v 1.1.9.2
=====================================================================
+ Pre-scan optimization for unicode-escaped ASCII in InjectionChecker
+ Better compatibility with URLs containing HTML entities
v 1.1.9.1
=====================================================================
x Work-around for Minefield content policy / DOM interaction
regression (thanks mmortal03)
v 1.1.9
=====================================================================
x Extra QA for release
+ Menu rendering speed optimizations
+ Emulated Effective TLD service up to 100x speedup
+ InjectionChecker performance up to 50x speedup (thanks therube)
+ Fixed leak regression from 1.1.8.3 redirection handling refinements
(thanks L. David Baron)
x Fixed Firefox notifications not shown if NoScript notifications
were suppressed (thanks gecco)
v 1.1.8.9
=====================================================================
x Fixed content-blocking regression (thanks L.A.R. Grizzly)
v 1.1.8.8
=====================================================================
x Better Google Toolbar compatibility (thanks brandonksu)
v 1.1.8.7
=====================================================================
+ More consistent and compatible bottom notification bar
v 1.1.8.6
=====================================================================
+ "Notifications" option to change message bar automatic hiding delay
x Fixed multiple profile problems on SeaMonkey (thanks therube)
x Fixed incompatibility with Translation Panel and other extensions
(regression from 1.1.8.5 beta)
v 1.1.8.5
=====================================================================
+ Improved HTML attribute injection checks (thanks Gareth Heyes)
+ More flexible noscript.forbidXBL about:config preference:
    0 - allow all XBL
    1 - allow trusted and data: (Fx 3) XBL on any site
    2 - allow trusted and data: (Fx 3) XBL on trusted sites
    3 - allow only trusted XBL on trusted sites
    4 - allow only trusted XBL from the same site or chrome (default)
    5 - allow only chrome XBL
v 1.1.8.4
=====================================================================
x Fixed installation issue on SeaMonkey (thanks R.N. Folsom)
v 1.1.8.3
=====================================================================
+ The "noscript.tempGlobal" about:config preference causes the
"Globally Allow" status to be revoked at the end of each session
(thanks chconnor and Alan Baxter for suggestion)
+ The "noscript.lockPrivilegedUI" about:config preference blocks
Error Console and DOM Inspector (useful in locked down setup to
prevent preferences from being unlocked by user's chrome JS code)
+ More reliable base domain recognition
+ Switch to nsIEffectiveTLDService on Gecko >= 1.9 (Firefox 3)
+ nsIEffectiveTLDService emulation on Gecko < 1.9 (Firefox 2)
x Updated translations
x Additional QA for release
v 1.1.8.2
=====================================================================
+ Friendlier IFrame handling (thanks war59312 and A. Baxter)
x Fixed Silverlight new detection scheme broken by IFrame blocking
x Fixed compatibility issue with Cooliris send link (thanks Tschua)
v 1.1.8.1
=====================================================================
+ More flexible and reliable redirection management
v 1.1.8
=====================================================================
+ Version bump for Firefox 3
+ Temporarily allow sites matching the regular expression(s) in the
noscript.whitelistRegExp about:config preference (thanks MaZe)
x Further QA for release
x Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
x Fixed shorthands broken when XSS protection was off (thanks MaZe)
v 1.1.7.9
=====================================================================
+ Notify bar for jar document blocking
x Fixed GreaseMonkey's XMLHttpRequest compatibility regression
x Fixed confusing option, "Forbid other plugins" shouldn't imply
forbidding Java, Flash and Silverlight.
v 1.1.7.8
=====================================================================
+ JAR uris are forbidden from loading as documents by default, see
http://noscript.net/faq#jar for details
+ Block untrusted XBL (thanks Sirdarckcat for inspiration)
x Various IFrame blocking refinements
v 1.1.7.7
=====================================================================
x Fixed installation problems with addons.mozilla.org automatic
update
v 1.1.7.6
=====================================================================
+ srv.br "special" TLD (thanks Rodrigo Ristow Branco)
+ Better protection against "setter" based XSS vectors and encoded
"name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see
http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/ )
+ Improved hidden links management, preserves original body CSS
attributes when possible (thanks mdots)
v 1.1.7.4
=====================================================================
+ new noscript.forbidIFramesContext about:config option controls
whether IFRAME blocking is enforced, depending on the parent page:
    0 -- block always
    1 -- block if parent is in a different site (default)
    2 -- block if parent is in a different domain
    3 -- block if parent is in a different 2nd level domain
+ Minefield version bump (0.3.0a9pre)
x XSideBar keyboard shortcut compatibility (thanks Philip Chee)
v 1.1.7.3
=====================================================================
x Work-around for hidden link detection being triggered by some CSS
reporting offsetHeight 0 for anchors (thanks Gerrit Heeres)
v 1.1.7.2
=====================================================================
+ Object placeholders' minimum size set to 32x32 for visibility
+ Object placeholder override for Microsoft® Silverlight™
x Fixed "Forbid IFRAME" blocking also Flash (thanks niko322)
x Fixed "Forbid IFRAME" blocking also regular frames (thanks ievans)
x Fixed IFRAME in place activation shouldn't reload parent page
v 1.1.7.1
=====================================================================
+ New "Plugins/Forbid IFRAME" option per Gareth Heyes' and Om's
request, see http://sla.ckers.org/forum/read.php?13,15701,15840
x Fixed logic inconsistency between "Plugins/Forbid xyx" and
"Plugins/Forbid other plugins" (thanks Kadeos)
x Fixed overzealous behaviour of JS link detection (thanks Kadeos and
plu for reporting)
v 1.1.7
=====================================================================
+ Further QA for release
+ Improvements in script redirection management
v 1.1.6.27 (1.1.7RC2)
=====================================================================
+ New "Forbid Web Bugs" option in the Advanced/Untrusted panel
x Fixed startup "sudden death" issue (thanks Alan Baxter)
v 1.1.6.26 (1.1.7RC1)
=====================================================================
+ Moved plugin content options to a new top-level "Plugins" tab
+ New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by
default like "Plugins/Forbid Java™"
+ New "Plugins/Apply these restrictions to trusted sites too" option
+ Enhanced sensitivity for the JS URL detection feature
+ New "jsredirectForceShow" option to always display JavaScript-only
navigation URLs at the bottom of pages, no matter what the visible
content is (per timeless' RFE)
+ UTF-8 escaping awareness for InjectionChecker pre-syntax evaluator
+ Arabic (thanks Nassim Dhaher)
+ Indonesian (thanks regfreak)
+ Experimental Intel MidBrowser support
+ Experimental preference locking support (look at the mozilla.cfg
sample inside the XPI for details)
x Fixed meta-refresh notification failing to appear sometimes
x Cleanup of the counter-measures against Sirdarckcat's redirected
script trick (available for Fx >= 2.0 only) with user feedback
x Fixed full address no longer shown in allowing menu for numeric IP
or TCP-IP explicit port URLs (thanks blahhhy for report)
x noscriptOptionsWidth entity to localize option dialog size
v 1.1.6.25
=====================================================================
+ Fix for Sirdarckcat's JS redirection trick
v 1.1.6.24
=====================================================================
+ Fixed XSS notification infobar not showing
v 1.1.6.23
=====================================================================
+ Work-around for Daily Dilbert extension's CSS bug hijacking status
bar icons (thanks gumble and Archaeopterix for reporting)
v 1.1.6.22
=====================================================================
x Fixed toolbar icon breaking when "Scripts Globally Allowed" and no
script found in page (thanks Claus Valca and Gecco for reporting)
v 1.1.6.21
=====================================================================
x Fixed infobar icon not always properly updated upon tab-switching
(regression from 1.1.6.20 feedback fix)
v 1.1.6.20
=====================================================================
x Fixed inconsistent status icon feedback (thanks Alan Baxter)
v 1.1.6.19
=====================================================================
x Fix for the massive breakage on Mozilla trunk caused by landing of
the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=377696
(thanks Quarantine and Peter(6) for reporting)
v 1.1.6.18
=====================================================================
+ noscript.safeJSRx preference allows specifying a regular expression
matching statements allowed in a top-level javascript: URL. Default
value allows sessionstore prompt javascript:window.close() trick
(http://forums.mozillazine.org/viewtopic.php?p=3033780#3033780)
v 1.1.6.17
=====================================================================
+ Smarter JS link fixing on untrusted sites (thanks timeless)
+ Smarter allowable sites detection/reporting if domain tricks are
being used.
x Fixed CTRL+Enter address bar SeaMonkey feature (thanks blindtrust)
x Fixed conflict with SiteAdvisor tooltips
v 1.1.6.16
=====================================================================
x Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from
working: browser packages are whitelisted by default, extensions
and other chrome packages can be optionally whitelisted adding a
noscript.forbidChromeExceptions.packageName preference set to true,
and the noscript.forbidChromeScripts preference defaults to false
now, since Bug 292789 couldn't do any harm unless some extension
does very stupid things.
x Fixed incompatibility with the BookmarksHome extension
v 1.1.6.15
=====================================================================
+ Support for keyword-driven bookmarklets on untrusted pages (thanks
Mike Rocker and therube for report/request)
+ noscript.forbidChromeScripts preference (true by default), prevents
script tags in content (non chrome:/resource:/file:) documents from
referencing chrome: scripts, see
https://bugzilla.mozilla.org/show_bug.cgi?id=292789
x Fix for fast reload not working on Minefield
v 1.1.6.14
=====================================================================
x Work-around for a reload problem caused by Firekeeper 0.2.11
x Version bump for Minefield
v 1.1.6.13
=====================================================================
+ Enhanced the "multi-port shorthand" feature to accept "*" wildcard
for subdomains, e.g. "http://*.google.com:0" matches every http
google subdomain with any port number (thanks Dave Faraldo for RFE)
+ Added a "noscript.fixURI.exclude" about:config preference where
protocols which should not be escaped by NoScript can be specified
as a space-separated list (thanks therube for inspiration)
v 1.1.6.12
=====================================================================
+ URI Validator facility for on-demand protection against URI-based
exploits. You can add your uri-validator anchored regular
expressions as an about:config preference named like
"noscript.urivalid.protocolname" to validate the URI substring
immediately following scheme + colon (see the noscript.urivalid.aim
pre-configured example entry)
x Minor change in query string parser, it doesn't drop "="-split
chunks exceeding the first two anymore
v 1.1.6.11
=====================================================================
+ Optional blocking of tracking images (also known as "Web Bugs")
embedded inside NOSCRIPT tags: it can be enabled through the
noscript.blockNSWB about:config property (thanks lakrids/Arimfe)
v 1.1.6.10
=====================================================================
x Fixed configuration conflict preventing javascript: links from
opening in some circumstances (thanks england and haklin)
v 1.1.6.08
=====================================================================
x Fix for popup content loaded in the opener window regression (from
mail/news exploitation protection)
v 1.1.6.07
=====================================================================
x Further refinement of URL protocol handler protection to cope with
special configuration-depending cases with mail/news protocols
(not affecting SeaMonkey) - thanks Rios and McFeters for generic
PoC, thanks Darkdata for specific test case
v 1.1.6.06
=====================================================================
x Early protection against URL protocol handling exploitation (see
http://tinyurl.com/37o23j and Mozilla bug 389106)
x Fix to ampersand being sometimes escaped by anti-XSS filters
v 1.1.6.05
=====================================================================
+ Protection against UTF-7 encoded XSS attacks
x Improved plugin content blocking in background tabs
x Better XSS query string processing preserves "exotic" patterns
v 1.1.6.04
=====================================================================
+ Smarter Anti-XSS filters allowing non-latin characters
x Kill duplicates in "Partially allowed" statistics
x Switched to getDefaultBranch() for volatile CAPS preferences in
order to grant a clean "Safe Mode" even after Firefox crashes
(thanks Benjamin Smedberg for suggestion)
v 1.1.6.03
=====================================================================
+ Allowed sites and partial counts in the infobar when scripts are
"Partially allowed" (timeless suggestion)
+ Window.name payload attacks neutralization
x Fixed over-optimization of JS detection relying on syntax errors
v 1.1.6.02
=====================================================================
x Fixed "Unresponsive Script" on specific complex URL patterns
(many thanks to Sue Petersen)
v 1.1.6.01
=====================================================================
x Fixed "Clear private data" window not closing if you hit "OK" on
browser exit with Firefox < 3.0 (thanks VT for first report)
v 1.1.6
=====================================================================
+ "Light" injection checks are enabled also with "Scripts Globally
allowed" (notice that allowing scripts globally is still a very bad
idea, since POST injections and other XSS attacks launched using
JavaScript, Java or Flash are virtually undetectable)
x Better XSS notification/UI feedback on partial loads
x Depth limit to URL decoding
x Work-around for JS Development Environment scoped evaluation being
blocked by noscript.safeToplevel feature
x Extra QA for public release
v 1.1.5.07
=====================================================================
x Extra QA and optimization for very complex URLs
v 1.1.5.06
=====================================================================
x Huge performance and accuracy enhancement in injection detector
x Bookmarklet bypass for Minefield Places (thanks Hwasung Kim)
v 1.1.5.05
=====================================================================
+ Smarter injection detector for trusted to trusted requests
x Fixed "this.docShell has no properties" issue (many thanks therube)
x Fixed external URLs not opening in IETab (thanks chili1)
v 1.1.5.04
=====================================================================
x Fixed traceback regression skipping checks on permissions change
v 1.1.5.03
=====================================================================
x Fixed XSS notification message bar not showing sometimes
v 1.1.5.02
=====================================================================
x More accurate origin detection on META refresh
v 1.1.5.01
=====================================================================
+ XSS filter sensitivity enhancement
+ Notifications for Flash-based XSS too
v 1.1.5
=====================================================================
x Removed about:neterror from the permanent non-deletable whitelist
(for the super-paranoids, thanks Aerik)
x Minor bug fix, anti-XSS notification bar skipped when a URL nested
in a query string gets sanitized
x Extra QA for public release
v 1.1.4.9.070627
=====================================================================
+ Added "0" shorthand to match all *explicit* IP ports on the same
protocol/host, e.g. http://acme.com:0 matches http://acme.com:8080
and http://acme.com:9999, but neither https://acme.com:8080 nor
http://acme.com
+ Partial numeric IPv4 are matched up to the 2nd leftmost byte, e.g.
"192.168" matches 192.168.0.22 and "10.0.0" matches 10.0.0.33
x Minor cosmetic tweaks to XSS notifications threshold
x Improved reload on permissions change
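The two matching rules added in 1.1.4.9.070627 (":0" for any explicit port, partial numeric IPv4 prefixes), sketched as an added example that is not NoScript's own code. The function names are hypothetical, and two behaviours are assumptions of this sketch: numeric entries are compared against the host only, and an entry without a port matches only URLs without an explicit port.

```javascript
// Added illustration; not NoScript source code. All names are hypothetical.

// Parse "scheme://host[:port]..." while keeping the difference between an
// explicit port and no port at all (the WHATWG URL parser drops an explicit
// default port, which would hide that difference).
// Userinfo ("user@host") and bracketed IPv6 hosts are rejected: fail closed.
function parseSite(s) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#@\[\]]+)(?::(\d{1,5}))?(?:[\/?#]|$)/i.exec(s);
  if (!m) return null;
  return {
    scheme: m[1].toLowerCase(),
    host: m[2].toLowerCase(),
    port: m[3] === undefined ? null : Number(m[3]),
  };
}

// Return the octets of a dotted numeric string that has between min and max
// parts, or null if it is not such a string.
function ipv4Octets(s, min, max) {
  const parts = s.split(".");
  if (parts.length < min || parts.length > max) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    octets.push(Number(p));
  }
  return octets;
}

function entryMatches(entry, url) {
  const target = parseSite(url);
  if (!target) return false;

  // Numeric entry: at least two leftmost bytes ("192.168", "10.0.0") or a
  // full dotted quad. Compared octet by octet, never as a string prefix,
  // so "192.16" does not match 192.168.0.22.
  const prefix = ipv4Octets(entry, 2, 4);
  if (prefix) {
    const hostOctets = ipv4Octets(target.host, 4, 4);
    return hostOctets !== null && prefix.every((o, i) => o === hostOctets[i]);
  }

  const rule = parseSite(entry);
  if (!rule) return false;
  if (rule.scheme !== target.scheme || rule.host !== target.host) return false;
  if (rule.port === 0) return target.port !== null; // ":0" = any explicit port
  return rule.port === target.port; // same port, or both without a port
}

function isAllowed(whitelist, url) {
  return whitelist.some((entry) => entryMatches(entry, url));
}
```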
v 1.1.4.9.070624
=====================================================================
+ Optimization of active counter-measures
x Additional QA for public bug fixing automatic update
v 1.1.4.9.070623
=====================================================================
+ More lenient, yet still the safest, XSS filters
x Fixed a leak happening when a secondary browser window is closed
v 1.1.4.9.070622r3
=====================================================================
x Fixed an issue with some popups not closing (thanks Angelo Dicerni)
v 1.1.4.9.070622r2
=====================================================================
x Fixed issue with usernames embedded in home page (thanks england)
v 1.1.4.9.070622r1
=====================================================================
x Fixed incompatibility with certain malformed Ebay search URIs
(thanks to Marc Van Buggenhout for reporting)
v 1.1.4.9.070622
=====================================================================
+ Full anti-XSS protection for every trusted URL opened from external
applications
+ Protection against all the currently known cross-browser exploits
targeting Firefox (Larholm, Rios, MacManus...)
v 1.1.4.9.070621
=====================================================================
+ Additional checks for toplevel windows (thanks dveditz)
x Work-around for interference of some tab-related extension with
external URL interception
v 1.1.4.9.070620
=====================================================================
+ Protection against so called "Universal XSS" through JS URLs opened
by external applications, as explained in
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
v 1.1.4.9
=====================================================================
+ noscript.injectionCheck about:config option adds first-line
detection for XSS injections in GET requests originated by
whitelisted sites and landing on top level windows. Value can be:
0 - never check
1 - check cross-site requests from temporary allowed sites
2 - check every cross-site request (default)
3 - check every request
+ noscript.jsredirectIgnore about:config option enables/disables
the new "Detect and show JavaScript redirections" feature
+ noscript.jsredirectFollow about:config option enables/disables
auto-following if a single redirect is detected on a textless page
x "Allow top level sites by default" won't affect sites that have
been manually forbidden during the current session (to make
this exception permanent, mark the site as untrusted)
v 1.1.4.8.070618
=====================================================================
+ New placeholders for plugin content can be right clicked like any
"regular" link, e.g. to "Save Link As..." or "Copy Link Location"
+ Placeholders for plugin content are rendered real-time during load
+ Experimental detection of JavaScript redirections (thanks timeless)
x Fixed glitch in plugin replacement with JS enabled (thanks lulu135)
v 1.1.4.8.070617
=====================================================================
x Fixed untrusted blacklist import bug (thanks MZFuser)
v 1.1.4.8.070606
=====================================================================
+ edu.tw special TLD (thanks twocs)
+ New noscript.autoReload.global about:config preference controls if
automatic reload affects global allow / forbid (thanks lulu135)
+ New noscript.autoReload.allTabs about:config preference controls if
automatic reload affects all or just current tab (thanks lulu135)
v 1.1.4.8.070602
=====================================================================
x Removed console error message on document unload in SeaMonkey
v 1.1.4.8.070530
=====================================================================
x Fixed toggle shortcut regression (thanks therube)
v 1.1.4.8.070529
=====================================================================
x Automatic fixup of trailing dot domains, replacing them on the
fly with their canonical name (thanks fartron and timeless)
+ "in.th" special TLD (thanks Kridsada)
x Fixed minor notification glitches in Fx 1.5 (thanks arete7)
v 1.1.4.8.070528
=====================================================================
x Performance optimization of options dialog closure for long
whitelists used in conjunction with long blacklists (thanks arete7)
x Automatic notification hiding for background tabs (thanks arete7)
v 1.1.4.8.070523
=====================================================================
x Improved notification consistency with back-forward navigation
x Better compatibility with Google Desktop Search and Paypal email
notifications
v 1.1.4.8.070522
=====================================================================
+ "org.uy", "net.uy" and "edu.uy" special TLDs (thanks Mauricio)
x Nicer url randomization
x Improved notification on nested URL XSS sanitization
x Fixed external load request detection failing "randomly" in some
setups (regression from the IETab incompatibility work-around)
v 1.1.4.8.070521
=====================================================================
x Fixed regression from bug 53901 work-around, "Mark as untrusted
menu" not working anymore (thanks Ricky Ridgdill)
v 1.1.4.8.070520
=====================================================================
x Resolved 070509 conflict with IETab + Tab Mix Plus causing some
tab-diverted links to open in new windows (thanks to Nuttysman,
niko322, Alan Baxter)
v 1.1.4.8.070514
=====================================================================
x Sanitized URI randomization (thanks kuza55 for inspiration)
x *Fast* reload also with fragment URI (thanks Martin Focke)
v 1.1.4.8.070513
=====================================================================
x Fixed last minute regression slipped in Anti-XSS GET filter (some
suspicious query strings entirely removed, rather than sanitized)
v 1.1.4.8.070512
=====================================================================
+ Appearance option to show/hide "Allow" menu items (thanks mamas6667)
x Updated locales (cs-CZ, en-GB, pl-PL)
v 1.1.4.8.070511
=====================================================================
x Fixed "black boxes" glitch on page unload (thanks jdopple)
x Fixed XSS exceptions must allow blank value (thanks Martin Focke)
x Fixed reloading URLs with hash (thanks Martin Focke)
x Work-around for Minefield bug displaying wrong labels on cloned
menu items (thanks Itsnow)
x Fixed regression, menu popup not shown by keyboard shortcut when
both toolbar button and status bar element are hidden (thanks
niko322)
v 1.1.4.8.070509
=====================================================================
+ noscript.xss.trustExternal about:config preference controls if
anti-XSS filters should be bypassed for URLs opened from external
applications like email clients (default false)
+ noscript.xss.trustTemp about:config preference controls if anti-XSS
should be bypassed if URLs are opened from "temporary allow"ed
sites (default true, thanks Salim for suggestion)
x Wikipedia default XSS exception tweaked to include apostrophes in
titles (thanks Alan Baxter for report)
v 1.1.4.8.070505
=====================================================================
x Better compatibility with Google Toolbar's translation service
v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active
(thanks mastro for report)
x (Hopefully) Last bug fix in referrer XSS sanitization (thanks
Alan Baxter)
v 1.1.4.8.070501
=====================================================================
x Further bug fix in referrer XSS notification template
v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active
(thanks mastro for report)
x (Hopefully) ultimate fix in referrer XSS sanitization (thanks Alan
Baxter)
v 1.1.4.8.070501
=====================================================================
x Further cosmetic bug fix in referrer XSS notification template
v 1.1.4.8.070430
=====================================================================
x Localization updates and release QA
v 1.1.4.8.070429
=====================================================================
+ Shortcut to show NoScript menu works even if status bar icon and
toolbar button are both hidden
x Fixed "Options..." button not working if status bar was hidden
(thanks napiertt and joymus)
x Fixed regression in XSS notifications due to 070427 fix (some XSS
suspicious requests were silently cancelled, rather than sanitized
and notified)
x Fixed "empty Untrusted menu" (thanks niko322)
v 1.1.4.8.070428
=====================================================================
x Fixed using keyboard shortcut always shows status icon
x Fixed closing toolbar button menu always shows status icon
v 1.1.4.8.070427
=====================================================================
x Fixed referrer sanitization glitch (thanks Alan Baxter)
v 1.1.4.8.070426
=====================================================================
x Fixed Refresh Blocker and Tab Mix plus redirection permissions
incompatibility (thanks tabasco.kfarmer and Mc)
x Fixed SeaMonkey "removed content" placeholder (thanks therube)
x Fixed Seamonkey "Reset" button placement (thanks Phil Chee)
v 1.1.4.8.070425
=====================================================================
+ Experimental "noscript.contentBlocker" about:config preference
to block Java, Flash and other plugins in whitelisted sites as well
x Fixed bug in toolbar button Untrusted submenu (thanks Steve1000)
x Better XSS management on whitelisting automatic reloads (XSS checks
for whitelisting reloads can be disabled by toggling off the
"noscript.xss.trustReloads" preference in about:config)
v 1.1.4.8.070424
=====================================================================
+ "Reset" command in Options Dialog resets options to their default
values (thanks Frank Myers)
+ Always bypass cache on XSS Unsafe Reload (thanks Jussi Lahtinen)
+ Serbian translation (thanks Ivan Pesic)
x Improved Wikipedia XSS exception
v 1.1.4.8.070423
=====================================================================
+ Lithuanian (thanks to Mindaugas Jakutis)
x Additional localization updates and minor fixes
v 1.1.4.8.070422
=====================================================================
+ Forbid META redirection inside NOSCRIPT element in Seamonkey too
+ XSS notifications for Fx 1.5 too
+ XSS status bar icon appears when XSS activity is detected:
left/right click opens XSS menu, middle click hides icon
+ META redirection status bar icon appears when needed:
click follows redirection once, shift+click remembers for session,
middle click hides icon
x Fixed a regression (070420 only) with Import/Export buttons broken
x Fixed toolbar button removal messing with other NoScript menus
(thanks niko322 for report)
x Fixed file:// URL item not showing anymore regression
(thanks Shingoshi for report)
x Fixed regression in Option Dialog: removing from whitelist didn't
work if applied to just one site (multiple batch did work, though)
- thanks Alan Baxter for report
v 1.1.4.8.070420
=====================================================================
x Fixed "Forbid other plugins implies Forbid Flash" - thanks Dwedit
x Fixed Options dialog issues with Fx 1.5
v 1.1.4.8
=====================================================================
x Minor improvements in XSS exceptions regular expression parsing
x Fixed last-minute Seamonkey breakage (many thanks therube!!!)
v 1.1.4.8RC3 (1.1.4.7.070420.1)
=====================================================================
x Further refinement in XSS filters (thanks niko322)
v 1.1.4.8RC2 (1.1.4.7.070420)
=====================================================================
x Fixed 2nd level domain toggle option (thanks therube)
x Fixed multi-window feedback synchronization (thanks lakrids)
v 1.1.4.8RC1 (1.1.4.7.070419)
=====================================================================
+ Option to block META refresh inside NOSCRIPT elements: a prompt
will be shown asking if you want to follow the redirect, and
choice will be remembered across the current session
(noscript.forbidMetaRefresh.remember preference, dismissing the
notification with its close button means "keep blocked")
thanks rsnake and Alan Baxter for suggestion (Firefox 2 only)
+ "XSS-Unsafe Reload" menu item in the XSS notification bar popup
+ "XSS FAQ" menu item in the XSS notification bar popup
+ noscript.xss.notify.subframes about:config preference to control
notification for XSS in subframes (default false, suppressed)
+ Option to toggle sites by (2nd level) domain, rather than full URL
x Default "Show NoScript menu" shortcut changed to Ctrl+Shift+S
(Ctrl+Shift+X conflicting with "change direction" Firefox command)
x moved "Show Console" from XSS notify button to an "Options" popup
x Options Dialog reorganization
x Right click on toolbar button and status bar elements opens menu
x Mass-removal speedup in Options Dialog|Whitelist
v 1.1.4.7.070414
=====================================================================
+ Finer grained treatment for data: and javascript: urls in frames,
whose domain is considered the one of the nearest window ancestor
having a meaningful web address (thanks to Vectorspace for his
suggestion)
v 1.1.4.7.070413
=====================================================================
+ "noscript.globalwarning" about:config hidden preference controls
whether a warning prompt should be issued or not whenever user
switches on scripts globally (true by default)
x Improved Anti-XSS Protection compatibility with some message boards
(special thanks to Aerik and Olaf Schweppe)
v 1.1.4.7
=====================================================================
+ First "official" anti-XSS release
+ New plugin content detection algorithm defeats latest aggressive
Flash cloaking strategies (e.g. http://www.hardocp.com/ )
+ Improved subframe detection, includes object elements (e.g.
http://www.operamini.com/demo/ )
+ Improved fast reload, preserving form input data.
+ Minefield full compatibility
v 1.1.4.6.070409
=====================================================================
x Fixed weird intermittent interference with dynamic JavaScript
inclusion via document.write() used by some JavaScript libraries
(e.g. Prototype, Dojo or Tiny-MCE)
v 1.1.4.6.070404
=====================================================================
x Drastic reduction of XSS redirection-related false positives
v 1.1.4.6.070325
=====================================================================
x Fixed regression, leak happening on window closure (10x pirlouy)
x Fixed regression, file:// entries missing from menus (10x therube)
v 1.1.4.6.070322
=====================================================================
+ Safer behaviour on reloading/whitelisting an XSSed page
v 1.1.4.6.070321
=====================================================================
+ XSS sanitization of the whole request URL
+ XSS sanitization of the referrer URL
+ XSS filters exceptions for some "trusted" addresses requiring
cross-site complex query strings (controlled by a regexp in the
noscript.filterXExceptions hidden preference, defaults to Google
search and Yahoo search)
+ Better general search engine compatibility with anti-XSS filters
x Several performance optimizations
v 1.1.4.6.070318
=====================================================================
+ First anti-XSS countermeasures round: "default deny" sanitization
is applied to every request coming from an unknown (restricted)
site and landing on a trusted (scripting allowed) site:
1. GET requests with a query string get all the matches for the
noscript.filterXGetRx regular expression replaced with space
2. POST requests are turned into no-data GET
3. Every request filtering action is logged to the Console, while a
short notification is issued through the info-bar* (if enabled)
*Info-bar notifications require Fx 2.0 or above
Behaviours 1 and 2 can be controlled from NoScript Options|Advanced
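The "default deny" behaviours 1 to 3 above, sketched as an added example that is not NoScript's own code. The regular expression is a constructed stand-in for noscript.filterXGetRx (its real value is not given here), the host names and function names are hypothetical, and the bounded decoding before matching and the filtering of a converted POST's query string go beyond what the entry states.

```javascript
// Added illustration; not NoScript source code. All names are hypothetical.

// Constructed stand-in for the noscript.filterXGetRx preference.
const FILTER_X_GET_RX = /[<>"'()]|javascript:/gi;
// Constructed whitelist of trusted (scripting allowed) hosts.
const TRUSTED = new Set(["bank.example"]);
// Assumption of this sketch: decode percent-encoding a bounded number of
// times before matching, so nested encodings cannot hide a match or loop.
const MAX_DECODE_DEPTH = 3;

function decodeBounded(s) {
  for (let i = 0; i < MAX_DECODE_DEPTH; i++) {
    let next;
    try {
      next = decodeURIComponent(s);
    } catch (e) {
      break; // malformed escape sequence: keep what has been decoded so far
    }
    if (next === s) break;
    s = next;
  }
  return s;
}

// Behaviour 1: every match in a query string is replaced with a space.
// Names and values are filtered separately so "&" and "=" keep their roles.
function filterQuery(query) {
  let hits = 0;
  const cleaned = query.split("&").map((chunk) => {
    const eq = chunk.indexOf("=");
    const parts = eq < 0 ? [chunk] : [chunk.slice(0, eq), chunk.slice(eq + 1)];
    return parts.map((part) => {
      const safe = decodeBounded(part).replace(FILTER_X_GET_RX, () => {
        hits++;
        return " ";
      });
      return encodeURIComponent(safe);
    }).join("=");
  }).join("&");
  return { cleaned, hits };
}

// req is { method, url, body }; originHost is the requesting site's host
// (null when unknown). Filtering actions are appended to `log`, standing in
// for the Console messages of behaviour 3.
function sanitizeRequest(req, originHost, log = []) {
  const destHost = new URL(req.url).hostname;
  // Only requests from an unknown site landing on a trusted site are touched.
  if (TRUSTED.has(originHost) || !TRUSTED.has(destHost)) return req;

  let { method, url, body } = req;
  if (method.toUpperCase() === "POST") {
    // Behaviour 2: POST becomes a GET carrying no data.
    method = "GET";
    body = null;
    log.push(`POST from ${originHost} to ${destHost} turned into a no-data GET`);
  }

  const hashAt = url.indexOf("#");
  const fragment = hashAt < 0 ? "" : url.slice(hashAt);
  const noFragment = hashAt < 0 ? url : url.slice(0, hashAt);
  const queryAt = noFragment.indexOf("?");
  if (queryAt >= 0) {
    const { cleaned, hits } = filterQuery(noFragment.slice(queryAt + 1));
    if (hits > 0) { // benign query strings are left byte-for-byte intact
      url = noFragment.slice(0, queryAt + 1) + cleaned + fragment;
      log.push(`sanitized ${hits} match(es) in request to ${destHost}`);
    }
  }
  return { method, url, body };
}
```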
v 1.1.4.6.070317
=====================================================================
x Customizable keyboard shortcuts (about:config - noscript.keys.*)
x Quick toggle (by shortcut or toolbar) behaviour changed to
*Temporarily* Allow / Forbid (old behaviour can be restored by
setting the about:config noscript.toggle.temp pref to false)
v 1.1.4.6.070316
=====================================================================
+ Super fast reloading after toggling permissions
+ Hebrew (thanks to Asaf Bartov)
x removed mozillazine.org and mozilla.org from the default list
(thanks Wladimir Palant)
x Fixed a resource deallocation issue (thanks Higmmer)
x Fixed a potential slowdown on startup
x Removed logging code slipped in a release
v 1.1.4.6.070304
=====================================================================
+ Added many ".id" special TLDs (thanks FatMan)
x Fixed localization-related bugs (e.g. untrusted menu showing just
the first character for each site)
x Other minor bug fixes
v 1.1.4.6.070302
=====================================================================
+ SeaMonkey compatible keyboard shortcuts
+ Added a couple of about:config options (noscript.keys.*) to disable
keyboard shortcuts: just blank their values. Notice: changing the
option value to a different key is possible, but it doesn't
actually work (yet?)
x Fixed a regression in the "Export" functionality
v 1.1.4.6
=====================================================================
x Stable "blacklist" release
+ Vietnamese (thanks tonynguyen)
+ Galician (thanks roebek)
v 1.1.4.5.070222
=====================================================================
x Fixed a "Mark as untrusted" menu item bug
v 1.1.4.5.070210
=====================================================================
x Fixed a bug affecting some locales on Mozilla/SeaMonkey/Fx 1.0
v 1.1.4.5.070207
=====================================================================
x "Forbid" doesn't mark the site as untrusted by default anymore (old
behaviour can be restored via "noscript.forbidImpliesUntrust" pref)
v 1.1.4.5.070127
=====================================================================
+ Experimental blacklist ("Mark as untrusted" + "Untrusted|Allow")
+ Global shortcut toggling top level status: "CTRL + SHIFT + \"
+ Global shortcut to NoScript menu: "CTRL + SHIFT + X"
+ Extra control on NOSCRIPT elements rendering
+ "Allow Globally" menu item is optional now (shown by default)
+ "Link Local Files" optional permission for trusted sites
+ "noscript.excaps" hidden pref for CAPS conflicts resolution (e.g.
with Google Toolbar and other Google extensions)
+ "Temporarily allow top-level sites by default" new preference
(not advised and disabled by default)
+ Menu items referring to current location are highlighted in bold
+ New preference in Options|General controls toolbar button reaction
to left click (default none, optional toggles top level status)
+ net.uk, com.uk and org.uk pseudo TLDs
v 1.1.4.5.061231
=====================================================================
x Fixed "cancel with non-failure status code" assertion
v 1.1.4.5.061221
=====================================================================
+ Minefield (3.0a2) support
+ Fixed plugin placeholder trunk issue (thanks timeless for report)
+ added *.ua "special" TLDs (thanks Devan Chetty)
v 1.1.4.5.061206
=====================================================================
+ Added org.in and co.sy to the "special" TLDs list
x Fixed some bookmarklet quirks (not in trunk, though)
x Fixed a bug in "uk.xyz" special TLDs management
v 1.1.4.5.061030
=====================================================================
x Minefield fix: feedback during/after document loading (bug 335251)
x Minefield fix: bookmarklet on the fly enablement (bug 351633)
x Restored Flock compatibility
v 1.1.4.5
=====================================================================
+ Some user interface tweaks in the Options UI
+ Several optimizations
x Fixed XML issue
x Fixed BFCache side-effects on certain pages
x Fixed a timing bug in stand-alone plugin interception
v 1.1.4.4
=====================================================================
+ be-BY (Belarusian) thanks to DRKA
+ JavaScript links fixing made compatible with AllPeers
+ Better interception of plugin content
x Fixed a plugin placeholder bug (thanks to tanstaafl for reporting)
x Fixed interception of xml and xhtml content (thanks to Poly Peptide, hrikjsen,
Redoute and johnnydrinkwater for reporting)
x Fixed some strict warnings (thanks to timeless for reporting)
v 1.1.4.3
=====================================================================
+ Emulated Firefox 1.0.x top-level plugin content blocking behaviour
+ uk-UA (Ukrainian) thanks to MozUA
+ th-TH (Thai) thanks to Qen
+ fa-IR (Persian) thanks to Pedram Veisi
+ el-GR (Greek) thanks to Sonickydon
+ en-GB (English GB) thanks to Ian Moody
+ hr-HR (Croatian) thanks to Krcko
x Other updated translations
x Fixed plugin content reloading bug
v 1.1.4.2
=====================================================================
+ Notifications Firefox 2+ compatible
x Fixed whitelist import bug (phantom resource:xyz entry)
x Fixed "removeLinkFixer" warning (thanks to Pablo)
v 1.1.4.1
=====================================================================
+ Left clicking on NoScript toolbar button toggles permissions for
current top-level site
+ Shift+Click on a Java/Flash/Object placeholder temporarily hides it
+ "Attempt to fix JavaScript links" now skips "real" hash URLs
+ Added live.com to the default whitelist (for MS webmails)
x Removed a leak caused by "Attempt to fix JavaScript links" option
x Fixed Macedonian translation
v 1.1.4
=====================================================================
+ "Allow sites opened through bookmarks" option
+ Notification delay in seconds can be changed through the
"noscript.notify.hideDelay" about:config preference
x Removed bogus JS messages on SeaMonkey startup
x Fixed bookmarklet support to work with the new "Places" code,
the bookmark sidebar and the bookmark manager
x Added mozilla.com to the default whitelist
x Always honour "Attempt to fix JavaScript links" option (links
were processed anyway if "Forbid <a...ping>" was enabled)
v 1.1.3.9
=====================================================================
x Fixed temporary memory leak when loading pages containing plugins
(many thanks to Steve England)
x JavaScript links should not be "fixed" when scripts are globally
allowed (thanks Lt. Worf)
v 1.1.3.8
=====================================================================
x Another emergency release to fix Babelzilla bugs with Asian
languages (mass-reverting to 1.1.3.5 properties files to be sure).
- Removed permanent whitelist (all the web sites can
be forbidden from the UI, no more about:config needed)
v 1.1.3.7
=====================================================================
x Fixed some localization bugs with Hungarian and other languages
v 1.1.3.6
=====================================================================
+ "Fix JavaScript links" option: enabled by default, attempts to
automatically turn JavaScript links into regular anchors on load
+ Advanced options "Allow <a ping...>" on trusted sites (defaults to
the browser settings) and "Forbid <a ping...>" on untrusted sites
(default yes) give user control on the new, debated "ping" anchor
attribute
+ New hidden (about:config) boolean preference "noscript.consoleDump"
controls if blocked contents must be logged to the console (false
by default)
+ Slovak (thanks to Slovak Soft)
+ Romanian (thanks to Ultravioletu)
+ Hungarian (thanks to LocaLiceR)
+ Chinese Traditional (thanks to Chiu Po-Jung)
v 1.1.3.5
=====================================================================
+ "Truncate title" option: enabled by default, even on whitelisted
sites, is a quick & dirty work around for Firefox DOS bug 319004
+ "com.xy" 2nd level domains are always considered special TLDs
+ Other special TLDs added
x Fixed "Forbid other plugins" semantics: Java and Flash should
remain allowed unless their specific "Forbid" option is flagged.
x Fixed Portuguese locale bug
v 1.1.3.4
=====================================================================
+ Flock support
+ Finnish (thanks to Mika Pirinen)
+ Norwegian bokmål (thanks to Håvard Mork)
v 1.1.3.3
=====================================================================
+ Placeholder icon can be hidden (NoScript Options|Advanced)
+ Message bar notifications can be set to go away automatically after
5 seconds
+ Bulgarian (thanks to Georgi Marchev)
+ Simplified Chinese (thanks to George C. Tsoi)
+ Russian (thanks to Alexander Sokolov)
+ Turkish (thanks to Engin Yazılan)
x Best effort XPCOM auto registration on Mozilla Suite installation
x Minor menu formatting glitches removed
x Some about:xxx URLs added to the default whitelist
v 1.1.3.2
=====================================================================
+ Bookmarklet support. It allows JS on current page just for the
bookmarklet execution lifespan. If you don't want or don't need it,
turn on "NoScript Options|Advanced|Forbid Bookmarklets"
x Fixed right-click status label crash affecting pre-1.8 browser. Now
status label context menu works on Mozilla and Firefox 1.0.x too.
v 1.1.3.1
=====================================================================
+ Option to skip confirmation when temporarily unblocking objects
+ Optional status bar label (with Firefox-only context menu)
+ Support for Unicode domains
x Work-around for Firefox bug #307678 (dialogs freeze)
x Handle about:neterror and about: (help) "always allowed" exception
v 1.1.3
=====================================================================
+ Toolbar button
+ Java/Flash/Plugin content can be temporarily allowed (for the
current tab) with a left click on its placeholder
+ Further optimizations in site matching
+ Japanese (thanks to beerboy)
+ Polish (thanks to Lukasz Biegaj)
+ Catalan (thanks to Joan-Josep Bargues)
+ Czech (thanks to Petr Jirsa)
x Bug fix: "Allow JavaScript Globally" didn't affect Java, Flash and
Plugin immediately
v 1.1.2.20050901
=====================================================================
x Bug fix: temporarily allowed sites were not removed if no
permission change happened in the following session
v 1.1.2
=====================================================================
+ Java/Flash/Plugins blocking works in Mozilla Suite / SeaMonkey too
+ Huge performance (up to 100x) improvements in policy matching
+ More consistent temporary sites handling (allowing a temporary
domain while subdomains are allowed, now forbids ancestors of that
domain but not its subdomains anymore on restart)
+ Added "ar.com" to the list of "special" TLDs
x No more "phantom" http:// and https:// entries in whitelist
v 1.1.1
=====================================================================
x Fixed a bug with whitelist synchronization from the Options window
x Fixed little Spanish locale issue
v 1.1.0
=====================================================================
+ Customizable message position, top or bottom (new default)
+ Customizable audio sample for feedback
+ (Firefox only) Advanced options to forbid Java™, Flash® and other
plugins (Java™ forbidden by default, since many users don't
know the difference between Java and JavaScript)
+ Advanced options to allow rich-text clipboard on trusted sites
+ Portuguese translation (thanks to Dario Ornelas)
x New (less ambiguous) "partially allowed" icon
x Audio feedback off by default
x Statusbar icon hidden status persists across sessions
x Proper jar: scheme handling (will allow per-domain selection when
Firefox bug preventing it is patched -
see https://bugzilla.mozilla.org/show_bug.cgi?id=298823)
x jar: scheme can be allowed only temporarily (see above)
x No more browser activity stop after permission changes
v 1.0.9
=====================================================================
+ Temporarily allow URLs (for current session only): temporary items
are shown in italics font
+ Clean uninstall in Deer Park
+ Added jar: to the default white-list, to allow about:plugin
and other "special" URLs to work out-of-the-box
x Better work-arounds for Firefox synchronization bugs
x Fixed conflict when a "View Source" window was open
v 1.0.8
=====================================================================
+ Whole addresses are shown when a port number is specified, no
matter what the Appearance options are, since enabling a domain
doesn't enable it for non-standard ports (thanks to jayvdb for
suggestion)
+ Stop every browser activity before changing policies (this should
be a workaround for most crashes due to Firefox CAPS bugs)
v 1.0.7
=====================================================================
+ "Popup blocker" style notification message (Firefox only)
+ Autoreload synchronizes every view whose permissions have changed
+ Spanish translation (thanks to Alberto Martínez)
x Improved subframes management in the contextual menu
x Better UI support for "special" TLDs like co.uk, co.nz and others
x Improved support for numeric addresses
x Audio feedback with more discreet sound effect :-)
v 1.0.6
=====================================================================
+ Whitelist import/export (thanks hsmwrv for suggestion)
+ Only 2nd level (base) domains shown by default in the "Allow" menu
items (easier operation for non-geeks; geeks can still revert to
the old fine grained interface using the "Appearance" options)
+ Blocked scripts audio feedback (thanks to Markus for suggestion)
+ about:config/noscript.permanent can be changed live (no FF restart)
x chrome content URLs are properly whitelisted (XUL error pages OK)
x Fixed empty permanent list problem (thanks to Patrick and Oremina
for report)
v 1.0.5
=====================================================================
+ "Appearance" option to hide/show popup menu and status bar icon; if
you decide to hide both, options are still reachable through the
Extension Manager context menu (thanks Dick Minor for suggestion)
+ 2nd level domain trick doesn't clutter Options Dialog anymore
(http[s]:// auto-prefixed domains are hidden in whitelist)
x Fixed menu layout (thanks to TheOneKEA for report)
v 1.0.4
=====================================================================
+ Automatically creates http:// and https:// prefixed URLs when a 2nd
level domain (xyz.com) is allowed, as a workaround for Firefox not
matching URLs with a raw 2nd level domain if no protocol is listed
(thanks to Laura for report)
+ "Allowed" status feedback for chrome:// URLs (pacanukeha)
x Core functionality refactored in an XPCOM service
v 1.0.3
=====================================================================
+ Feedback about actual presence of script elements in current page
(white "S" icons if no script tag is found, while number of found
tags is shown in the tooltip - thanks to Volker for suggestion)
+ Feedback about partial permissions in pages containing subframes
(a broken red "stop" sign means only some frames are forbidden)
+ Events are coalesced for better performance and stability
+ Improved options dialog usability (new items are ensured visible
and "delete" key performs mouse-less site removal)
+ Added hotmail/msn/passport domains to default whitelist (thanks to
Swann for suggestion)
+ Added googlesyndication.com and noscript.net to permanent list ;)
x Fixed whitelist options dialog sometimes "forgetting" recently
added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for
their reports)
v 1.0.2
=====================================================================
+ Option dialog shortcuts (thanks to Ulysses for suggestion)
+ French translation (thanks to Xavier Robin)
x NoScript doesn't ignore port number in URLs anymore
x Moved "Options" and "About" items to the top of status bar menu
(thanks to Filipp0s for suggestion and for the smaller icons too)
x Added mozillazine.org and gmail.google.com to default allow list
x No duplicates in menu when multiple frames share the same
ancestor domain (e.g. mozillazine.org)
v 1.0.1
=====================================================================
+ Contextual menu for easy operation in statusbar-less windows
+ Current page is automatically reloaded when permissions are changed
+ Support for implicit subdomain inclusion (e.g. if you add
mozilla.org, you allow www.mozilla.org, addons.mozilla.org etc.)
+ German translation (thanks to my friend Thomas Weber)
x Fixed localization issue
x Workaround for occasional Firefox crashes
v 1.0
=====================================================================
First public release