NoScript - the safest Firefox experience
NoScript CHANGELOG
[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change
v 1.8.8.5
=====================================================================
x Further optimization of Base64 injection checks
x More accurate clipping of scrolling frames in ClearClick
v 1.8.8.4
=====================================================================
x Performance optimization of Base64 injection checks (thanks Dave
Griffiths for reporting an Ebay chatroom issue)
v 1.8.8.3
=====================================================================
+ More specific injection checks for scriptless targets
+ Compatibility with the Fire.fm extension
x Fixed sporadic swallowed clicks on Google Street View
v 1.8.8.2
=====================================================================
x Fixed file:/// not showing anymore in NoScript menus
v 1.8.8.1
=====================================================================
x Fixed possible long-running loop on complex JSON-like requests
v 1.8.8
=====================================================================
x Fixed rare ClearClick false positives on the bottom edge of
scrolling frames
x Fixed ClearClick false positive on some cnbc.com videos
v 1.8.7.8
=====================================================================
+ Compatibility with Fennec Alpha 2
v 1.8.7.7
=====================================================================
+ InjectionChecker checks HTML injections on untrusted targets too
+ Chained and nested JSON support (necessary to graceufully handle
some Facebook APIs)
x Fixed too much aggressive data: URL sanitization
x Fixed sites whose URL doesn't support host not showing in menu
(thanks timeless for report)
v 1.8.7.6
=====================================================================
x Improved specificity for "location=code" injection checks
x Compatibility with Facebook Connect JSON patterns
v 1.8.7.5
=====================================================================
x Heavy optimization of JSON reduction routine (up to 100x speedup),
thanks Brian Krebs and Amy Buzby for reports and samples
x Fixed top-level plugin content difficult to allow by clicking its
placeholder when other plugin-interacting extensions are active
v 1.8.7.4
=====================================================================
+ Contextual disablement with visual feedback for "Revoke temporary
permissions" and "Temporarily allow all on this page" toolbar
buttons (thanks WAPCE for suggestion).
x Improved early detection of event attribute XSS
x Updated Arabic translation by Khaled Hosny
v 1.8.7.3
=====================================================================
x Better viewport framing when scrollbars are present (thanks
timeless for report)
x Compatibility with Firefox 3.2a1pre
1.8.7.2
=====================================================================
x Work-around for Google Toolbar 5 Beta conflict
x Work-around for newTabURL incompatibility
x Adaptation to bug 464754
1.8.7.1
=====================================================================
x Fixed issues with noscript.forbidIFrameContext = 0 (thanks Aerik
for report)
v 1.8.7
=====================================================================
+ Updated zh-CN locale
+ Enhanced interaction with AdBlock Plus tabs appearing over
NoScript placeholders
+ Flash-specific placeholder icon
+ Java-specific placeholder icon
+ Silverlight-specific placeholder icon
+ Improved ClearClick compatibility with Google Street View (thanks
natron for report)
+ Finer grained object reload algorithm for mass permission changes
from the "Blocked objects" menu (thanks Cinthya Wells for report)
v 1.8.6.4
=====================================================================
+ Improved compatibility with AdBlock Plus, by ensuring NoScript is
always the latest content policy to run
v 1.8.6.3
=====================================================================
x Fixed automatically hidden notification bar make open menu
disappear sometimes (thanks w-sky for report)
v 1.8.6.2
=====================================================================
x More consistent menu items with non-standard port sites
v 1.8.6.1
=====================================================================
x NoScript doesn't attempt to force placeholders visibility or size
anymore, in order to minimize layout alteration (use the "Blocked
objects" menu to enable less visible objects)
x Improved frame/iframe placeholder accuracy
x Fixed ClearClick false positive on http://www.st-audio.de
v 1.8.6
=====================================================================
+ Greatly increased sticky menu / Fennec UI responsiveness
+ Refactoring of ClearClick's document patching code
- Removed translucency transition from sticky menu
x Extra QA for release
x Updated localizations
v 1.8.5.5
=====================================================================
+ Better algorithm to handle semi-transparent elements, preventing
edgy ClearClick false positives (e.g. sign-in menu on try.soup.io)
v 1.8.5.4
=====================================================================
+ Better algorithm to "single out" plugin content prevents edgy
ClearClick false positives with absolutely positioned elements
overlaying transparent plugin content, like in NFL.com scores page
+ Improved ClearClick plugin object snapshots
v 1.8.5.3
=====================================================================
x Fixed ClearClick false positives on absolutely positioned elements
exceeding document size (thanks Apoc2400)
v 1.8.5.2
=====================================================================
x Improved ClearClick panning algorithm reducing false positives on
partially hidden benign plugin content
v 1.8.5.1
=====================================================================
x Fixed minor CSS error breaking the "Forbid scripts globally" icon
v 1.8.5
=====================================================================
+ ClearClick enablement options on the ClearClick warning dialog
+ ClearClick session whitelist
x Forced non-sticky behavior when there's just one site to allow
and noscript.sticky.liveReload is unset
x Fixed placeholders not working on Fx 3.1
v 1.8.4.93
=====================================================================
x Fixed mp3.walmart.com crash
v 1.8.4.92
=====================================================================
x Tweaked keyboard-triggered popup position
x Fixed "Allow global" menuitem not working
x Fixed "About" dialog's links not working
x Base64 XSS decoding tweaks
x Notification bar tweaks
v 1.8.4.91
=====================================================================
+ Support for XSS origin anchored exceptions, starting with "^@"
x Improved accuracy of ClearClick subframe management near borders
v 1.8.4.9
=====================================================================
x ClearClick false positives on large "guillotined" Flash applets
reduced by trimming a 20% border (thanks Scott Gale for report)
v 1.8.4.8
=====================================================================
x Fixed about:xyz URLs matched literally without dropping search and
fragment (thanks Daniel Holbert for report)
x Fixed parts of the sticky menu staying persistently translucent
(thanks Aerik for report)
v 1.8.4.7
=====================================================================
x Restored old positioning algorithms for context menus
v 1.8.4.6
=====================================================================
x Fixed top-level automatic allow not working with non-standard port
numbers (thanks Ulobor for report)
v 1.8.4.5
=====================================================================
x Fixed clicking on icon not hiding menu on Fx 2
x Fixed Entrecard ClearClick false positive
x Fixed AntiXSS filter false positive on some forum ads
v 1.8.4.4
=====================================================================
x Fixed menu usability issues on Fx 2
v 1.8.4.3
=====================================================================
+ Sticky UI enabled by default for all left click popups except the
one on the notification bar
x Fixed off-screen status icon context menu on Fx 2
x Further tweaks in menu positioning and sticky UI usability
x Fixed ClearClick checks causing changes in framed form appearance
v 1.8.4.2
=====================================================================
+ Click-driven scroll buttons for sticky menu on Fennec
+ Several accessibility and appearance sticky menu improvements
x Fixed keyboard-triggered sticky menu unusable on maximized browser
windows (thanks Alan Baxter for report)
v 1.8.4.1
=====================================================================
x Fixed incompatibility causing Tor Button to endlessy reload the
page when disabled.
v 1.8.4
=====================================================================
+ Official Fennec support
+ Enabled ClearClick on trusted sites by default
+ Improved ClearClick internal whitelisting
+ Port numbers (mostly) ignored in site matching by default
+ Exprimental "sticky" menu UI (default for Fennec toolbar button,
attached to ctrl+shift+S shortcut on other browsers)
+ noscript.sticky.liveReload about:config preference can be used to
turn on automatic reload during operation on the new sticky menu
+ noscript.sticky about:config preference turns on sticky menu for
left-click on the status bar icon
v 1.8.3.9.1
=====================================================================
x Fixed regression from experimental Fennec support, placeholder not
working sometimes (thanks Alan Baxter for report)
v 1.8.3.9
=====================================================================
+ First experimental Fennec-compatible build
x Fixed Torbutton global Javascript-disablement issue
v 1.8.3.8
=====================================================================
x Fixed ClearClick false positive on semi-transparent Flash objects
overlapping other content elements (thanks txhawkeye for report)
v 1.8.3.7
=====================================================================
x Restored Silverlight blocking on trusted pages for Firefox 2.0.x
(thanks al_9x for report)
v 1.8.3.6
=====================================================================
+ Malay translation (thanks Joshua Issac)
+ Croatian translation (thanks Stiepan A. Kovac)
v 1.8.3.5
=====================================================================
x Fx 3.1 compatibility for JavaScript keyword bookmarklets and JS
URLs entered in the location bar
v 1.8.3.4
=====================================================================
x Fixed Blocked Objects menu ordering issue (thanks Andy R.)
x Fixed forced visibility issue with ClearClick-checked embeddings
x Fixed inter-confessional "Make temporary permissions permanent"
bug (thanks Alan Baxter for reports)
v 1.8.3.3
=====================================================================
x Fixed redirection issue (thanks pumaro for report)
v 1.8.3.2
=====================================================================
x Fixed problem with tab navigation on forms inside frames (thanks
vivek for report)
v 1.8.3.1
=====================================================================
x Fixed notification bar not disappearing after allowing everything
x Fixed edge ClearClick cases with FullZoomed pages (thanks
Sirdarckcat for report)
v 1.8.3
=====================================================================
x ClearClick work-around for misleading snapshot artifacts with
justified text (thanks tmr250z for report)
x Fixed redirection blocking issue causing to some pages to hang in
"loading..." status for a long time (thanks Mel Reyes for report)
v 1.8.2.95
=====================================================================
x Fixed click swallowing issues with scaled images (thanks Alan
Baxter for reporting)
x Fixed about:blank invisible frames shouldn't be opaqued (thanks Mc
for reporting)
v 1.8.2.94
=====================================================================
x Fixed ClearClick false positive when transparent plugin content has
a visible HTML background (thanks therube for reporting)
x Fixed rendering glitch at the bottom of pages where notification
bar is removed (thanks Bill Peavy for reporting)
v 1.8.2.93
=====================================================================
x Fixed random internal class name generation issue
x Enhanced "opaque embed" style
v 1.8.2.92
=====================================================================
x Fixed broken clicks on some frames (1.8.2.91 regression)
v 1.8.2.91
=====================================================================
x Fixed some "Opaque embedded objects" glitches
v 1.8.2.9
=====================================================================
x Improved viewport bounds matching
x Fixed incompatibility with iMacros (thanks OneMen)
x Fixed redirected frames 404 issue (thanks pumaro)
v 1.8.2.8
=====================================================================
x More aggressive bound trimming (for elements sized 24x24 or more)
fixes false positives on Yahoo! Movies
x Semantic containers being ignored by ClearClick fixes issues with
Yahoo! Mail
v 1.8.2.7
=====================================================================
x Better algorithm for ClearClick form expansion
x Work-around for scaled images causing broken screenshots
x Automatic scrollbars are not considered while taking screenshots
v 1.8.2.6
=====================================================================
x Bounds trimming for elements with size greater than 64x64 to take
in account fancy CSS overlay borders (like on last.fm player,thanks
tmr250z for report)
x Fixed Gecko 1.8.x complaints about missing getElementsByClassName
(thanks therube for report)
v 1.8.2.5
=====================================================================
x Fixed external protocols (mailto:, e2k:...) not working outside
frames (thanks Robert Janc for reporting)
v 1.8.2.4
=====================================================================
x Fixed late breaking POST injection checker regression, causing
problems on some forms
v 1.8.2.3
=====================================================================
x Fixed minor horizontal offset miscalculation regression, causing
weird snapshots under some scrolling conditions (incidentally, also
on NoScript's install button - thanks Chuck Linart for report)
v 1.8.2.2
=====================================================================
+ Adapted Frame Break Emulation to alternate framebusting idioms
+ Several localization updates
+ Added a separate "Forbid FRAME" option for legacy FRAME elements
(thanks Office Angel, al_9x and Chaosas for request and discussion)
+ Legacy FRAMEs nested inside IFRAMEs are forbidden by default if
IFRAME blocking is on (about:config noscript.forbidMixedFrames)
x Fixed some ClearClick false positives when enabled for trusted
sites or with some extensions mixing content and chrome
x Fixed mailto: URIs not working inside frames
x Fixed various typos in English localization of new features
x Restored compatibility with Fx 1.5.0.x (thanks Kevin for help)
v 1.8.2.1
=====================================================================
x ClearClick technology backported to Gecko 1.8.1 based browsers such
as Firefox 2.0.x and SeaMonkey 1.1.x
v 1.8.2
=====================================================================
+ New "ClearClick" protection, specifically addressing Clickjacking,
Clickjacket and other UI-redressing vulnerabilities: UI interaction
with embedded objects is disabled if they're obstructed or not
clearly visible (thanks Sirdarckcat, RSnake, Michal Zalewski and
Matt Mastracci for inspiration and discussion)
+ "ClearClick protection" and "Opacize embedded objects" controls in
"NoScript Options|Plugins", to enable/disable them on untrusted
and/or trusted pages
+ Frame breaker emulation for frames where JS is disabled, controlled
by the noscript.emulateFrameBreak about:config preference
x Fixed recursion problem with new legacy frame management
x Changed noscript.forbidIFrameContext default to 2 (allow same
domain) unless "forbid non-HTTPS active content" is enforced: if
this is the case, scheme must be the same as well.
v 1.8.1.9
=====================================================================
+ Opacized objects are forced to a minimum size of 50x50 pixels
+ Opacized iframes get automatic scrollbars when content overflows
(thanks RSnake for discussion)
+ Enhanced legacy frames management (thanks RSnake for report)
x OBJECT elements embedding documents are treated like IFRAMEs
+ Improved Allow Page commands on pages changing document.domain
v 1.8.1.8
=====================================================================
x Refined anti-clickjacking opacization triggers to defeat malicious
delay attempts (thanks Sirdarckcat for discussion)
x Ignore port number when checking permissions for script inclusion
(thanks Vito Delre for zshare.net upload report)
v 1.8.1.7
=====================================================================
+ Specific "clickjacking" countermeasure working on non-whitelisted
pages by default even if "Forbid IFRAME" is not checked: all plugin
objects and frames are forcibly rendered opaque when embedding page
is not in your whitelist. If you want to protect whitelisted pages,
the best protection is still checking "Forbid IFRAME" together with
"Apply these restrictions to trusted site as well" in the Plugins
options panel (thanks Sirdarckcat for brainstorming)
v 1.8.1.6
=====================================================================
x Lowered sensibility to javascript: URLs (thanks C@rb0n for report)
x Fixed HTTP redirections from sites marked as untrusted sites
forbidding JavaScript on the landing page even if whitelisted
(thanks Willsee for reporting)
v 1.8.1.5
=====================================================================
x Fixed HTTPS cookie downgrading regression introduced in 1.8.1.4
v 1.8.1.4
=====================================================================
+ Leading regexp-like patterns reduction in InjectionChecker (thanks
Nick Fnord for issue reporting)
x Fixed conflict with some extensions authenticating to web sites,
like Google Reader Notifier (thanks naviretlav for report)
v 1.8.1.3
=====================================================================
x Fixed further "HTTPS|Automatic Secure Cookie Management" glitches
affecting lwn.net and DNN (thanks Matthew Hile and LWN for reports)
x Localization updates
x Fixed http://*.sub.domain:1234 site matching working only with "0"
(wildcard) port (thanks t3chnomanc3r for report).
x Fixed Torbutton JS status reporting
v 1.8.1.2
=====================================================================
x Switched "HTTPS|Automatic Secure Cookie Management" off by default:
even if all the reported login issues (especially the ebay.com one)
have been fixed, it probably deserves more testing from opt-in
volunteers before a general "default-on" release
+ Unsafe cookies can be handled either globally (default), or per tab
(noscript.secureCookies.perTab)
x Fixed "force HTTPS" not working across some redirection patterns
v 1.8.1.1
=====================================================================
+ On the fly patching of bookmarklets using setTimeout() executed on
untrusted pages
x Fixed Automatic Secure Cookie Management preventing log in on
ebay.com and other complex multi-domain sites
v 1.8.1
=====================================================================
x Fixed minor bugs in automatic fall-back for insecure cookies
x Updated localizations
v 1.8.0.7
=====================================================================
+ Panel for HTTPS-related options in the "Advanced" section
+ New Tor-friendly whitelist behaviours configurable in
NoScript Options|Advanced|HTTPS: you can choose to apply the active
content whitelist on HTTPS sites only, either always or just when
a proxy is in use.
x Better "automatic" behavior for securing cookies:
we check HTTPS response setting cookies and
1) if host is in the noscript.secureCookiesExceptions list we let
it pass through
2) if host is in the noscript.secureCookiesForced list we append a
";Secure" flag to every non-secure cookie set by this response
3) otherwise, we just log unsafe cookies BUT if no secure cookie
is set, we patch all these cookies with ";Secure" like in #2.
However, if a navigation from an encrypted to a non-encrypted
part of the same site happens in the same tab, NoScript removes
its ";Secure" patch to ensure compatibility. When it happens,
this event is logged to the Error Console with an advice
to try forcing HTTPS for this site.
v 1.8.0.6
=====================================================================
+ Changed "Forced Secure Cookies" enablement policy to per domain
opt-in, controlled by the noscript.secureCookiesForced about:config
preference. HTTPS sites listed in this preference get their
Set-Cookie headers patched with the Secure flag, sites listed in
noscript.secureCookiesException are ignored and the others have
their non-secure cookies logged in the Error Console.
+ Experimental noscript.httpsForced about:config preference listing
domains where HTTPS should be forced (HTTP requests are forcibly
redirected to their HTTPS version by NoScript)
v 1.8.0.5
=====================================================================
+ Experimental "Forced Secure Cookies" feature, mitigates HTTPS
cookie hijacking attacks (http://tinyurl.com/cookiehijack).
Enabled by default, it can be disabled either globally, by toggling
the noscript.secureCookies about:config preference, or for specific
domains only, by listing them (space or comma separated) in the
noscript.secureCookiesException about:config preference.
Ref: http://hackademix.net/2008/09/10/noscript-vs-insecure-cookies/
v 1.8.0.4
=====================================================================
x Fixed GMail external login and GToolbar activation issues (thanks
mldgr and Dan Virkler for reporting)
v 1.8.0.3
=====================================================================
x Work around for weird meez.com object "code" attribute usage with
java: prefix (thanks sarai18 for reporting)
v 1.8.0.2
=====================================================================
x Improved InjectionChecker.reduceXML() method to work with whole
documents rather than just fragments, removing a XSS false positive
on outsourced GMail logins (thanks PrinceofWeasels for report)
v 1.8.0.1
=====================================================================
x Tweaked bracket balancing algorithm (thanks Buherátor for report)
v 1.8
=====================================================================
+ "Make page permissions permanent" command
+ Meaningful tooltip for "Allow all in this page" and "Temporarily
allow all in this page", listing affected sites
+ More meaningful tooltip for Revoke Temporary Permission, listing
affected sites and counting affected objects (Gecko >= 1.9)
x Rationalized keyboard accelerators for English menu items
v 1.7.9.3
=====================================================================
x Fixed excessive substitutions in nested query string sanitization
(thanks David Lubertozzi for reporting)
x Fixed POST data removal in cross-site requests from null origins
causing Google Gear not to work (thanks obatron for report).
v 1.7.9.2
=====================================================================
x DOS checks in InjectionChecker base64 decoding routines (thanks WHK
and Sirdarckcat for PoC and reporting)
v 1.7.9.1
=====================================================================
x Various localization fixes (thanks Francesco Lodolo)
x InjectionChecker optimization over complex XML fragments
v 1.7.9
=====================================================================
x Fixed JS button auto-navigation problem with relative URLs
+ JavaScript redirections detected also in the onload attribute of
the body element (thanks timeless)
v 1.7.8.5
=====================================================================
x Partially restored Untrusted menu behavior to allow blacklisting
subdomains of a trusted domain
v 1.7.8.4
=====================================================================
x Fixed very large uploads (250MB and above) causing XSS false
positives (thanks sharpie)
v 1.7.8.3
=====================================================================
x Fixed XPC error during certain uploads causing XSS false positive
(thanks sharpie)
v 1.7.8.2
=====================================================================
x Fixed wrong "Allow all this page" label in Appearance options panel
x Fixed tab character in mailto: URLs triggering sanitization and all
new line characters being turned into spaces (thanks Claudio
Salazar Moyano for reporting)
v 1.7.8.1
=====================================================================
+ "Allow all this page" menu item
+ "Temporarily allow all this page" toolbar button
+ "Revoke temporary permissions" toolbar button
x Removed "Mark as untrusted" menu items for explicitly whitelisted
sites (thanks BigRedBrent for suggestion)
v 1.7.8
=====================================================================
x InjectionChecker optimization to skip neutral dotted patterns (
thanks Sirdarckcat for reporting)
+ JS link fixing works also with JS buttons
x Fixed IFrame always blocked if port number differs from parent and
noscript.forbidIFramesContext is 3 (thanks al_9x for reporting)
x Fixed reload inconsistencies in blacklist mode (thanks therube)
x Changed noscript.autoReload.global default back to true, but global
permission changes will cause reload only for the current tab,
unless noscript.autoReload.allTabsOnGlobal is set to true
v 1.7.7.6
=====================================================================
+ Improved bracket balancing in syntax checks for short expressions
+ New "partially untrusted" and "untrusted" status icons for
Globally Allow (GA) mode
+ Less confusing "Mark as untrusted" commands are shown in GA mode
instead of "Forbid"
x Fixed sticky "Revoke temporary permission" command after operating
temporary permissions for the same site both in GA and GF mode
(thanks Alan Baxter for reporting)
x Fixed status bar icon disappearing when forbidding a site in
GA mode
x Other minor bug fixes in GA blacklisting mode (thanks Alan Baxter
and therube for reporting)
x Fixed Silverlight issues (thanks Urbane.Tiger)
x Changed noscript.autoReload.global default to false (global
permission changes won't cause an automatic reload)
v 1.7.7.5
=====================================================================
x Separate temporary whitelists for normal and Globally Allow modes
v 1.7.7.4
=====================================================================
x Better behaved Seamonkey classic installer on Linux
v 1.7.7.3
=====================================================================
x Temporary whitelist is automatically revoked if user switches to
"Allow scripts globally": this way temporarily allowed sites can't
be accidentally marked as untrusted by manually revoking or
restarting while still in global mode (thanks lakrids for report)
v 1.7.7.2
=====================================================================
x Fixed over-zealous sanitization on untrusted requests when URL is
not UTF-8 encoded (thanks Sven Schoderboeck for report)
x Improved KMeleon compatibility (thanks jk-)
v 1.7.7.1
=====================================================================
+ InjectionChecker tests also POST data uploaded from trusted sources
x Tweaked URL checking to recognize and bypass bracketed session IDs
(thanks benizi for report)
x Double overlay of bookmark code prevented (thanks stansmith)
x Fixed resetting preferences does not affect Global Allow mode (
thanks Alan Baxter for report)
x Fixed XSS false positive on some bracketed Ebay search queries
(thanks Lucas Malor for report)
x Better cache handling on plugin document reload (thanks Alan Baxter
for report)
v 1.7.7
=====================================================================
x QA for release
x Localization updates
x Moved changelog online and removed full GPL text to reduce XPI size
v 1.7.6.4
=====================================================================
x Dramatic (100:1) InjectionChecker performance boost on very long
strings (thanks Lucas Malor for reporting)
v 1.7.6.3
=====================================================================
x InjectionChecker speed optimization for over-complex Bugzilla
search queries (thanks Lucas Malor for reporting)
v 1.7.6.2
=====================================================================
x Main site always on the bottom of the menu even if subdomains are
present
x "Revoke Temporary Permissions" honors the
noscript.autoReload.allTabsOnPageAction preference
x Further InjectionChecker optimization for gmodules URLs
v 1.7.6.1
=====================================================================
x Fixed bookmarklets which navigate to a new location (e.g.
del.icio.us) disabling Javascript in the current tab when invoked
from a non-whitelisted site (thanks dingaling for reporting)
v 1.7.6
=====================================================================
x QA for release
v 1.7.5.4
=====================================================================
+ "Temporary allow all this page" will affect the most specific
targets listed in NoScript's menu among "2nd level base domains",
"full domains" or "full addresses", unless it's overridden by the
noscript.allowPageLevel about:config preference (1 = full address,
2 = full domain, 3 = 2nd level base domain)
x noscript.autoReload.allTabsOnPageAction about:config preference set
to false by default, to prevent confusion among untrained users
v 1.7.5.3
=====================================================================
+ "Temporary allow all this page" will reload the current tab only,
behavior controlled by noscript.autoReload.allTabsOnPageAction
about:config preference (thanks robertmarley for hinting)
+ Whitelisting sites from NoScript Options|Whitelist obeys to the
noscript.untrustedGranularity preference
x Fixed "about:" DocShell being JavaScript-disabled (thanks therube
for reporting)
x Fixed "about:cache" becoming unresponsive if JS link detection is
enabled (thanks Martin Focke for reporting)
v 1.7.5.2
=====================================================================
+ Work-around for NewTabURL buggy detection of a new tab
x Optimization of InjectionChecker for long nested URLs, e.g. those
used by some gmodules widgets
v 1.7.5.1
=====================================================================
+ noscript.requireReloadRegExp about:config preference to force
quick page reload on allowing for selected plugin mime types
+ Moveplayer plugin page reloading for one-click enablement
v 1.7.4
=====================================================================
+ Force top level site to be always the most reachable in the menu
(on the bottom)
x Fixed import issue with edited lists using DOS newlines
x Minor cascading permissions bug fixes (sometimes a subdomain was
not removed from the blacklist when its parent was whitelisted,
leading to usability confusion because blacklist always prevails)
x Experimental work-around for a WMP crash when a page containing an
embedded movie is opened in the same window where another movie
is already playing (thanks SledgeFox for reporting)
v 1.7.3
=====================================================================
x Minor refinements to the docShell JS blocking machinery to make it
play nice with other docShell-based permission handlers, such as
Tab Mix Plus
v 1.7.2
=====================================================================
+ New values for the noscript.docShellJSBlocking preference:
0 - no docShell JS blocking
1 - (default) docShell JS blocking for untrusted sites (enables
effective blacklists for defalut-deny modes)
2 - docShell JS blocking for every non-whitelisted site (enables
cross-frame inheritance of JS blocking)
x Fixed JavaScript enablement failing on some framed pages until
the site is opened in a new tab (thanks rukia for reporting)
x Fixed Firefox preference window not showing with some Linux themes
(thanks tom1978 for reporting)
x Fixed micro-injection false positive with 1password.com logins
(thanks bwoodruff)
v 1.7.1
=====================================================================
x Fixed changing permissions on one tab reload all tabs issue (thanks
redhat71 for reporting)
1.7
=====================================================================
+ JS redirect detector sensibility enhancement (thanks timeless)
+ "Temporarily allow all this page" command made visible by default
v 1.6.9.9
=====================================================================
+ More consistent UI in blacklist mode
x Fixed "Allow Scripts Gloabally" not working anymore
v 1.6.9.8
=====================================================================
x Restored the noscript.forbidData preference to its orginal "true"
default value (thanks Sirdarckcat for reporting an issue in the
about:blank context prevented by this change)
v 1.6.9.7
=====================================================================
x Fixed malfunctioning XUL error pages issue caused by the new
docShell-level JavaScript blocking
x Fixed visualization issue on the toolbar in blacklist mode when all
scripts of a page are untrusted
x Hide "Revoke temporary permissions" menu item in blacklist mode
v 1.6.9.6
=====================================================================
+ New "Temporarily allow all this page" command (hidden by default,
to be enabled in NoScript Options|Appearance)
+ noscript.docShellJSBlocking about:config preference controlling
the new additional docShell-level JavaScript permission enforcement
+ Separators in Untrusted menu
v 1.6.9.5
=====================================================================
+ Micro event-based DOS injections detection (thanks thornmaker)
+ (EXPERIMENTAL) More consistent blacklist behavior, blocking objects
even if "Scripts globally allowed" is checked, unless
"Plugins|Block every object coming from an untrusted site" is off
v 1.6.9.4
=====================================================================
x Base64 decoded invalid characters handling optimization
x Regression fix: XSS exceptions not being honored (thanks hi_RAM)
v 1.6.9.3
=====================================================================
x Fixed Injection Checker false positive regression on URIs which
contain encoded newline characters (thanks Kostas)
v 1.6.9.2
=====================================================================
x Fixed Injection Checker checking ASCII 43 as a "plus" sign but not
as a www-form-encoded space (thanks Sirdarckcat for report)
x Google search anti-XSS exception now checks for real TLDs, rather
than short 2nd level domains (thanks Sirdarckcat for report)
+ Refactored unescaping flow, allowing for easier extension
+ Ebay-style unescaping
v 1.6.9.1
=====================================================================
+ Improved XSS JavaScript unicode escape handling
+ Recursive JSON reduction, dramatically cutting analysis time on
complex JSON URLs, e.g. for some Orkut widgets
x Critical work-around for
https://bugzilla.mozilla.org/show_bug.cgi?id=439276
v 1.6.9
=====================================================================
+ Firefox 3.1a1pre compatibility
x Faster Base64 injection checks
v 1.6.8.2
=====================================================================
+ Better reporting of dynamically included external scripts, e.g.
ajax.googleapis.com on goosh.org
v 1.6.8.1
=====================================================================
x Fixed regression: right-click on the status bar and "open UI"
keyboard shortcut broken.
v 1.6.8
=====================================================================
x Fixed false positives in new Base64 decoding Injection Checker
v 1.6.7
=====================================================================
+ Base64 decoding in URI Injection Checker, thanks Zoiz for Yahoo PoC
-- see http://zoiz.web.id/xss-corner/base64-encoded-xss.html
x Extra NOSCRIPT element showing won't add SCRIPT elements on buggy
pages like evite.com (thanks zgendron and other reporters)
v 1.6.6
=====================================================================
x Fixed two bytes subnet shorthands broken if protocol is specified
x Fixed subnet shorthands not matching URLs with non-standard ports
x Firefox 3.0.* version bump
x Fixed XSS false positive on block.opendns.com
v 1.6.5
=====================================================================
x Fixed XSS URL sanitization issue with some proxy configurations
(thanks Philipp Gühring for reporting and testing)
x Fixed false positives caused by Image(...).jpg file names
v 1.6.4
=====================================================================
x More effective cross-site POST blocking
+ Estonian translation (thanks aivo)
v 1.6.3
=====================================================================
x Work-around for Songbird 0.5 bug (nsIEffectiveTLDService present
but not really working)
v 1.6.1
=====================================================================
+ Better feedback for blacklisted items on the page, by appending
untrusted sites count to "Untrusted" menu label
x Fixed bogus "allowed.yu" label for partially allowed pages where
all forbidden sites are marked as untrusted
v 1.6
=====================================================================
+ Specific shadowed status icon for pages where some origins are
allowed and all the remaining have been marked as untrusted
+ Reviewed Russian translation (Alexander Sokolov and Sergei Smirnov)
x Dropped blockCssScanners code (SafeHistory and SafeCache extensions
provide better prevention against navigation history sniffing)
+ Further QA for release
v 1.5.9.2
=====================================================================
x Fixed some Error Console noise (thanks timeless)
x Better Seamonkey installation algorithm (thanks therube)
v 1.5.9.1
=====================================================================
x Fixed infinite loop on some pages if noscript.blockCssScanners is
true (thanks tlu and Itsnow for report)
x Placeholder compatibility with latest trunk
(https://bugzilla.mozilla.org/show_bug.cgi?id=292789)
x Better installer for Seamonkey classic
v 1.5.9
=====================================================================
x Fixed regression from Songbird compatibility, making the Options
button on the notification bar unusable when status bar was hidden
x Turned default for noscript.xss.trustExternal value to true
x Experimental protection against getComputedStyle() history sniffing
attacks (you can enable it switching the noscript.blockCssScanners
about:config preference to true)
v 1.5.8
=====================================================================
x Optimization of Injection Checker for iGoogle Calendar Widget
(thanks JonCage for report)
x Fixed edge-case false positives due to URL encoding mixed to
symmetric brackets(thanks Lundholm for report)
x Fixed legacy Seamonkey UI regression introduced by Songbird
compatibility (thanks therube for report)
v 1.5.7
=====================================================================
+ Tweaked for Songbird compatibility
x Version bump for Firefox 3.0pre
v 1.5.6
=====================================================================
x Minor enhancements to IFRAME blocking
1.5.5
=====================================================================
+ Bracket balancing for inline JS literal-breaking micro injections
v 1.5.4
=====================================================================
+ InjectionChecker speed optimizations, preventing timeout on overly
complex JSON requests (thanks John Danfort for report)
v 1.5.3
=====================================================================
+ Forbid toplevel site command in bold (thanks therube)
x Fixed rare XSS false positives on iGoogle
x Fixed "allowURLBarJS" preference cannot be disabled (thanks Aerik)
v 1.5.2
=====================================================================
x Fixed unwanted blocking of some trusted Java applets thanks Mick
Bramhall for report)
1.5.1
=====================================================================
x Slightly revised icon set (thanks Karlosak and WAPCE for hints)
x Fixed bookmarklets invoked twice on untrusted sites (thanks al_9x)
v 1.5
=====================================================================
+ Slovenian translation (thanks Tomaž Mačus)
x Special bookmark management made compatible with Suiterunner's
sidebar (thanks therube for reporting)
x Extra QA for release
v 1.4.9.9
=====================================================================
x Bookmarklet handling code adapted again to cope with methods moved
from PlacesUtils to PlacesUIUtils after Fx 3 beta 4
v 1.4.9.8
=====================================================================
+ Prevention of Java applet same origin policy bypass via malformed
class name (see http://tinyurl.com/2u387t)
+ Improved icons
x Fixed chrome "domain" showing in menus (thanks Aerik)
v 1.4.9.7
=====================================================================
+ New noscript.allowURLBarJS about:config preference allows
javascript: and data: URLs to be run interactively from the
location bar, e.g. for bookmarklet testing, even if currently
displayed site is not whitelisted (default true)
+ Improved overall bookmarklet compatibility on Firefox 3
x Adapted bookmarklet handling code to latest Places refactoring with
openXXX() methods in PlaceUtils (thanks Tobu for report)
v 1.4.9.6
=====================================================================
x Fixed "Forbid chrome:" menu items on some pages (thanks niko322)
v 1.4.9.5
=====================================================================
x Version bump for Firefox 3.0b5pre
v 1.4.9.4
=====================================================================
+ Added client-side policy control for new Firefox 3 cross-site XHR,
configurable via noscript.forbidXHR about:config preference:
0 - Allow any XHR
1 - Allow cross-site XHR across trusted sites only (default)
2 - Allow same-site XHR only (like Firefox 2)
3 - Forbid all XHR
v 1.4.9.3
=====================================================================
x Fixed Firebug JS injection causing blocked IFrame
x Fixed plugin document detection making Acrobat Reader plugin hang
v 1.4.9.2
=====================================================================
x Minor InjectionChecker enhancements
v 1.4.9.1
=====================================================================
x Reduced vertical size of NoScript options panel for better usage
on constrained devices (thanks pstepper for report)
v 1.4.9
=====================================================================
+ Improved Silverlight object identity based on "source" param
v 1.4.8
=====================================================================
+ Better differentiation of Flash-based movie players and other
general purpose plugin content instances by taking in account
flashvars attributes and param elements.
+ Improved Silverlight placeholders, now shown in real time and
supporting more activation schemes
v 1.4.7
=====================================================================
+ Safe Silverlight placeholders restored by emulating the
IsVersionSupported() machinery (placeholders are usually delayed
by 3 secs or more)
v 1.4.6
=====================================================================
x Silverlight plugin objects in content blocking mode made completely
disabled (not just content-less) until they're allowed per-page
x Work around for a conflict with the PDF Download extension conflict
(thanks greenknight for report)
v 1.4.5
=====================================================================
x Fixed Silverlight unblocking hooks not working if all kinds of
plugin content and IFrames are blocked (thanks al_9x for report)
v 1.4.4
=====================================================================
+ Content unblocking machinery made compatible with new Silverlight
activation schemes (thanks al_9x and Alan Baxter for report)
v 1.4.3
=====================================================================
+ Further fuzzification of injection checker patterns
x Slightly released window.name checks to allow some legitimate frame
tricks, e.g. in eBay Cross-promotions (thanks jlovie for report)
x External URI validation decoding changed to accomodate ISO-8859 and
other encodings, rather than UTF-8 only (thanks Alf Buccheim)
v 1.4.2
=====================================================================
+ Bookmarklet return values support on Mozilla trunk
x Fixed mailto: empty URL (new mail message) considered invalid
v 1.4.1
=====================================================================
x Fixed "onclick.match is not a function" issue when clicking on
named anchors with no href (thanks wangyi6854 for report)
v 1.4
=====================================================================
+ Updated translations
x Revised window.name injection checks to be more lenient on GModules
x Extra QA for release
x Fixed about dialog size to correctly show contributor list in any
language
v 1.3.8
=====================================================================
x Fixed eMusic incompatibilities (thanks Mel Reyes)
v 1.3.7
=====================================================================
+ Added wildcard type entry in Blocked Objects temporary allow menu
x Fixed minor bugs in Blocked Objects menu early implementation
v 1.3.6
=====================================================================
+ Descriptive icon for content types when possible on object
placeholders and menu items
x Improved CSS injection rules (thanks Azurite for report)
v 1.3.5
=====================================================================
+ More consistent plugin content temporary permissions management:
object permissions are granted per-session(not bound to the current
tab anymore) and honor the "Revoke Temporary Permissions" command.
+ "Temporary allow content-type@http://site.com" commands in the
"Blocked Objects" menu temporary allows plugin content matching a
certain mime type (e.g. shockwave-flash) on the whole site.
x Increased readability of the "Blocked Objects" menu by using plain
font style instead of italics even if permissions are temporary
x Reduced console pollution on Linux
x Work-around for XPathResult not working in sandboxed bookmarklets
v 1.3.4
=====================================================================
+ "Blocked Objects" menu to temporarily allow plugin content even
when placeholder is hidden or not easy to see
+ "Block every object coming from a site marked as untrusted" option
in Plugins tab (checked by default)
x Further XSS filter sensibility refinement
x Fixed double separators sometimes in menus (thanks niko322)
x Fixed "StumbleUpon Discovery" not compatible with "Forbid IFrames"
(thanks niko322)
x Fixed URI protocol handler protection removing mailto: line breaks
(thanks Alf Buchheim)
v 1.3.3
=====================================================================
x Allow data: URIs in script src attributes on trusted sites (thanks
Kravvitz for report)
x Fixed "a.getAttribute is not a function" issue (thanks wangyi6854
for report)
v 1.3.2
=====================================================================
+ Scriptless support for history.go(x), history.forward() and
history.back() links/buttons (thanks timeless for suggestion)
+ resource: URI path traversal protection
+ New "noscript.allowedMimeRegExp" about:config option to whitelist
some content types not to be blocked by "Forbid other plugins", for
instance "application/pdf" or "image/.*"
+ Plugin content is always forbidden if coming from sites explicitely
marked as "Untrusted" (blacklisted). This behavior can be disabled
by setting the "noscript.alwaysBlockUntrustedContent" about:config
option to false (thanks NakedStranger for suggestion).
x Fixed XSS false positive at mail.yahoo.com
x noscript.jsredirectFollow preference more effective on blank but
not empty (i.e. space only) body (thanks timeless for suggestion)
v 1.3.1
=====================================================================
x Fixed missing plugin content placeholder regression on some gaming
sites (thanks Aerik and hewee for report)
v 1.3
=====================================================================
+ "Revoke temporary permissions" command in NoScript floating menus
+ Fixed plugin content placeholder sometime missing on background
tabs Linux issue (thanks WAPCE for report)
v 1.2.9.6
=====================================================================
+ Better plugin content placeholder management
+ noscript.canonicalFQDN about:config preference to control
canonicalization of domains ending with a dot.
+ Updated translations
v 1.2.9.5
=====================================================================
+ Transparent blocking of non-text frames (thanks sam41177878))
v 1.2.9.4
=====================================================================
+ Tweaked preliminary URL screening optimizations to enhance
Injection Cheker sensibility (thanks Gareth Heyes)
v 1.2.9.3
=====================================================================
+ Updated Injection Checker to take in account upper Unicode
JavaScript identifiers (thanks Gareth Heyes)
v 1.2.9.2
=====================================================================
x Further reduced false positives with post-syntax danger checks
v 1.2.9.1
=====================================================================
x Fixed issues with trans-domain redirections, stacking entries in
the previously viewed site's menu (thanks Hanspeter Spalinger)
v 1.2.9
=====================================================================
x Set noscript.jsredirectFollow default to false
x Extra QA for release
v 1.2.8
=====================================================================
+ Injection Checker optimization on very long query strings
x Fixed OpenId XSS false positive on blogger.com (thanks dondado)
v 1.2.7
=====================================================================
x Fixed Yahoo search XSS false positive by double checking valid JS
fragments for potential danger (10x firefoxisgreat2008 for report)
x Fixed the "form fields forgotten" issue by disabling the jsHack
feature which caused it. If you need jsHack and you can afford this
problem, just set the noscript.jsHackRegExp about:config preference
to a regular expression matching the URLs where you want it enabled
x Fixed content placeholders not showing on some sites
x Fixed POST payload shouldn't stripped as a consequence of injection
checking (thanks theiago for report)
v 1.2.6
=====================================================================
x Updated localizations
x Extra QA for release
v 1.2.5
=====================================================================
x Work-around for conflict with Tab Mix Plus dev. in Fx 3's Places
(http://tmp.garyr.net/forum/viewtopic.php?t=8052)
v 1.2.4
=====================================================================
x Fixed NOSCRIPT content shown in pages allowed on the fly with
"Temporarily allow top-level sites" (thanks Pirlouy for report)
v 1.2.3
=====================================================================
+ Improved Injection Checker JSON compatibility, now recursively
checking content of string attributes
x Further JS syntax check optimizations
x Fixed potential XBL-based crash after successful -moz-binding
injection (thanks Gareth Heyes for reporting)
x More discreet XSS notification for subframes
v 1.2.2
=====================================================================
x Changed noscript.filterXGetRx default to make single quote removal
happen only after positive injection checks (thanks sirdarckcat for
suggestion)
v 1.2.1
=====================================================================
x Fixed placeholder not shown for plugin content loaded in frames
(thanks Apoc2400)
x Revised InjectionChecker made compatible with JSON GET parameters
(thanks "Wilderness Of Mirrors")
v 1.2
=====================================================================
+ Better protection against Flash-based XSS and other plugin-related
cross-site attacks
+ Better feedback for allowable sites from embedded redirections
(thanks Leo Häfliger for report)
+ XSS filtering in subframes gets notified (was silent by default)
x Fixed temporary allowed site prevents parent from being allowed
permanently (e.g. in auto-allow mode)
x Fixed stand-alone WM plugin pages delayed blocking (thanks therube)
x Extra QA for release
x Updated localizations
v 1.1.9.9
=====================================================================
+ Hardened injection checker (thanks Gareth Heyes)
x Better compatibility with Wikimedia sites
x Fixed rtsp: and mms: plugin content always considered untrusted
(thanks Florian Gerstenlauer for report)
x Fixed one-click plugin activation (with no confirmation) sometimes
deferred to next page refresh (thanks Erwin J. Knöll for report)
v 1.1.9.8
=====================================================================
+ Experimental noscript.jsHack about:config preference containing JS
code to be executed before page loads in order to accomodate for
missing features (default implants a fake urchinTracker, see
http://forums.mozillazine.org/viewtopic.php?p=3183986#3183986)
v 1.1.9.7
=====================================================================
+ new "Revoke temporary permissions" command
+ new Plugins option: "Collapse blocked objects"
+ new Plugins option: "No placeholder for object coming from sites
marked as untrusted"
x Fixed OBJECT count bug when placholders are not shown
x Work-around for IETab incompatibility with noscript.contentBlocker
v 1.1.9.6
=====================================================================
x Object placeholder rendering optimization
x Extra QA for release
v 1.1.9.5
=====================================================================
+ Plugins disabled by default on unknown sites
x References to "Macromedia Flash" changed into "Adobe Flash"
x Fixed wrong OBJECT count reported after 1st notification
v 1.1.9.4
=====================================================================
+ XBL protection compatible with extensions using XMLHttpRequest from
a content-triggered event handler (e.g. Book Burro or PriceDrop)
v 1.1.9.3
=====================================================================
+ non-destructive cross-site XBL protection (handles the same case as
https://bugzilla.mozilla.org/show_bug.cgi?id=387971)
x Better edge-case handling in invisible links detection (thanks
Alexander Nikkta)
v 1.1.9.2
=====================================================================
+ Pre-scan optimization for unicode-escaped ASCII in InjectionChecker
+ Better compatibility with URLs containing HTML entities
v 1.1.9.1
=====================================================================
x Work-around for Minefield content policy / DOM interaction
regression (thanks mmortal03)
v 1.1.9
=====================================================================
x Extra QA for release
+ Menu rendering speed optimizations
+ Emulated TLD Effective service up to 100x speedup
+ InjectionChecker performance up to 50x speedup (thanks therube)
+ Fixed leak regression from 1.1.8.3 redirection handling refinements
(thanks L. David Baron)
x Fixed Firefox notifications not shown if NoScript notifications
were suppressed (thanks gecco)
v 1.1.8.9
=====================================================================
x Fixed content-blocking regression (thanks L.A.R. Grizzly)
v 1.1.8.8
=====================================================================
x Better Google Toolbar compatibility (thanks brandonksu)
v 1.1.8.7
=====================================================================
+ More consistent and compatible bottom notification bar
v 1.1.8.6
=====================================================================
+ "Notifications" option to change message bar automatic hiding delay
x Fixed multiple profile problems on SeaMonkey (thanks therube)
x Fixed incompatibility with Translation Panel and other extensions
(regression from 1.1.8.5 beta)
v 1.1.8.5
=====================================================================
+ Improved HTML attribute injection checks (thanks Gareth Heyes)
+ More flexible noscript.forbidXBL about:config preference:
0 - allow all XBL
1 - allow trusted and data: (Fx 3) XBL on any site
2 - allow trusted and data: (Fx 3) XBL on trusted sites
3 - allow only trusted XBL on trusted sites
4 - allow only trusted XBL from the same site or chrome (default)
5 - allow only chrome XBL
v 1.1.8.4
=====================================================================
x Fixed installation issue on SeaMonkey (thanks R.N. Folsom)
v 1.1.8.3
=====================================================================
+ The "noscript.tempGlobal" about:config preference causes the
"Globally Allow" status to be revoked at the end of each session
(thanks chconnor and Alan Baxter for suggestion)
+ The "noscript.lockPrivilegedUI" about:config preference blocks
Error Console and DOM Inspector (useful in locked down setup to
prevent preferences from being unlocked by user's chrome JS code)
+ More reliable base domain recognition
+ Switch to nsIEffectiveTLDService on Gecko >= 1.9 above (Firefox 3)
+ nsIEffectiveTLDService emulation on Gecko < 1.9 (Firefox 2)
x Updated translations
x Additional QA for release
v 1.1.8.2
=====================================================================
+ Friendlier IFrame handling (thanks war59312 and A. Baxter)
x Fixed Silverlight new detection scheme broken by IFrame blocking
x Fixed compatibility issue with Cooliris send link (thanks Tschua)
v 1.1.8.1
=====================================================================
+ More flexible and reliable redirection management
v 1.1.8
=====================================================================
+ Version bump for Firefox 3
+ Temporarily allow sites matching the regular expression(s) in the
noscript.whitelistRegExp about:config preference (thanks MaZe)
x Further QA for release
x Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
x Fixed shorthands broken when XSS protection was off (thanks MaZe)
v 1.1.7.9
=====================================================================
+ Notify bar for jar document blocking
x Fixed GreaseMonkey's XMLHttpRequest compatibility regression
x Fixed confusing option, "Forbid other plugins" shouldn't imply
forbidding Java, Flash and Silverlight.
v 1.1.7.8
=====================================================================
+ JAR uris are forbidden from loading as documents by default, see
http://noscript.net/faq#jar for details
+ Block untrusted XBL (thanks Sirdarckcat for inspiration)
x Various IFrame blocking refinements
v 1.1.7.7
=====================================================================
x Fixed installation problems with addons.mozilla.org automatic
update
v 1.1.7.6
=====================================================================
+ srv.br "special" TLD (thanks Rodrigo Ristow Branco)
+ Better protection against "setter" based XSS vectors and encoded
"name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see
http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/ )
+ Improved hidden links management, preserves original body CSS
attributes when possible (thanks mdots)
v 1.1.7.4
=====================================================================
+ new noscript.forbidIFramesContext about:config option controls
if actually enforcing IFRAME blocking depending on the parent page:
0 -- block always
1 -- block if parent is in a different site (default)
2 -- block if parent is in a different domain
3 -- block if parent is in a different 2nd level domain
+ Minefield version bump (0.3.0a9pre)
x XSideBar keyboard shortcut compatibility (thanks Philip Chee)
v 1.1.7.3
=====================================================================
x Work-around for hidden link detection being triggered by some CSS
reporting offsetHeight 0 for anchors (thanks Gerrit Heeres)
v 1.1.7.2
=====================================================================
+ Object placeholders' minimum size set to 32x32 for visibility
+ Object placeholder override for Microsoft® Silverlight™
x Fixed "Forbid IFRAME" blocking also Flash (thanks niko322)
x Fixed "Forbid IFRAME" blocking also regular frames (thanks ievans)
x Fixed IFRAME in place activation shouldn't reload parent page
v 1.1.7.1
=====================================================================
+ New "Plugins/Forbid IFRAME" option per Gareth Hayes' and Om's
request, see http://sla.ckers.org/forum/read.php?13,15701,15840
x Fixed logic inconsistency between "Plugins/Forbid xyx" and
"Plugins/Forbid other plugins" (thanks Kadeos);
x Fixed overzealous behaviour of JS link detection (thanks Kadeos and
plu for reporting)
v 1.1.7
=====================================================================
+ Further QA for release
+ Improvements in script redirection management
v 1.1.6.27 (1.1.7RC2)
=====================================================================
+ New "Forbid Web Bugs" option in the Advanced/Untrusted panel
x Fixed startup "sudden death" issue (thanks Alan Baxter)
v 1.1.6.26 (1.1.7RC1)
=====================================================================
+ Moved plugin content options to a new top-level "Plugins" tab
+ New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by
default like "Plugins/Forbid Java™"
+ New "Plugins/Apply these restrictions to trusted sites too" option
+ Enchanced sensibility for the JS URL detection feature
+ New "jsredirectForceShow" option to always display JavaScript-only
navigation URLs at the bottom of pages, no matter what the visible
content is (per timeless' RFE)
+ UTF-8 escaping awareness for InjectionChecker pre-syntax evaluator
+ Arabic (thanks Nassim Dhaher)
+ Indonesian(thanks regfreak)
+ Experimental Intel MidBrowser support
+ Experimental preference locking support (look at the mozilla.cfg
sample inside the XPI for details)
x Fixed meta-refresh notification failing to appear sometimes
x Cleanup of the counter-measures against Sirdarckcat's redirected
script trick (available for Fx >= 2.0 only) with user feedback
x Fixed full address no more shown in allowing menu for numeric IP
or TCP-IP explicit port URLs (thanks blahhhy for report)
x noscriptOptionsWidth entity to localize option dialog size
v 1.1.6.25
=====================================================================
+ Fix for Sirdarckcat's JS redirection trick
v 1.1.6.24
=====================================================================
+ Fixed XSS notification infobar not showing
v 1.1.6.23
=====================================================================
+ Work-around for Daily Dilbert extension's CSS bug hijacking status
bar icons (thanks gumble and Archaeopterix for reporting)
v 1.1.6.22
=====================================================================
x Fixed toolbar icon breaking when "Scripts Globally Allowed" and no
script found in page (thanks Claus Valca and Gecco for reporting)
v 1.1.6.21
=====================================================================
x Fixed infobar icon not always properly updated upon tab-switching
(regression from 1.1.6.20 feedback fix)
v 1.1.6.20
=====================================================================
x Fixed inconsistent status icon feedback (thanks Alan Baxter)
v 1.1.6.19
=====================================================================
x Fix for the massive breakage on Mozilla trunk caused by landing of
the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=377696
(thanks Quarantine and Peter(6) for reporting)
v 1.1.6.18
=====================================================================
+ noscript.safeJSRx preference allows to specify a regular expression
matching statements allowed in a top-level javascript: URL. Default
value allows sessionstore prompt javascript:window.close() trick
(http://forums.mozillazine.org/viewtopic.php?p=3033780#3033780)
v 1.1.6.17
=====================================================================
+ Smarter JS link fixing on untrusted sites (thanks timeless)
+ Smarter allowable sites detection/reporting if domain tricks are
being used.
x Fixed CTRL+Enter address bar SeaMonkey feature (thanks blindtrust)
x Fixed conflict with SiteAdvisor tooltips
v 1.1.6.16
=====================================================================
x Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from
working: browser packages are whitelisted by default, extensions
and other chrome packages can be optionally whitelisted adding a
noscript.forbidChromeExceptions.packageName preference set to true,
and the noscript.forbidChromeScripts preference defaults to false
now, since Bug 292789 couldn't do any harm unless some extension
does very stupid things.
x Fixed incompatibility with the BookmarksHome extension
v 1.1.6.15
=====================================================================
+ Support for keyword-driven bookmarklets on untrusted pages (thanks
Mike Rocker and therube for report/request)
+ noscript.forbidChromeScripts preference (true by default), prevents
script tags in content (non chrome:/resource:/file:) documents from
referencing chrome: scripts, see
https://bugzilla.mozilla.org/show_bug.cgi?id=292789
x Fix for fast reload not working on Minefield
v 1.1.6.14
=====================================================================
x Work-around for a reload problem caused by Firekeeper 0.2.11
x Version bump for Minefield
v 1.1.6.13
=====================================================================
+ Enhanced the "multi-port shorthand" feature to accept "*" wildcard
for subdomains, e.g. "http://*.google.com:0" matches every http
google subdomain with any port number (thanks Dave Faraldo for RFE)
+ Added a "noscript.fixURI.exclude" about:config preference where
protocols which should not be escaped by NoScript can be specified
as a space-separated list (thanks therube for inspiration)
v 1.1.6.12
=====================================================================
+ URI Validator facility for on-demand protection against URI-based
exploits. You can add your uri-validator anchored regular
expressions as an about:config preference named like
"noscript.urivalid.protocolname" to validate the URI substring
immediately following scheme + colon (see the noscript.urivalid.aim
pre-configured example entry)
x Minor change in query string parser, it doesn't drop "=" splitted
chunks exceeding the first two anymore
v 1.1.6.11
=====================================================================
+ Optional blocking of tracking images (also known as "Web Bugs")
embedded inside NOSCRIPT tags: it can be enable through the
noscript.blockNSWB about:config property (thanks lakrids/Arimfe)
v 1.1.6.10
=====================================================================
x Fixed configuration conflict preventing javascript: links from
opening in some circumstances (thanks england and haklin)
v 1.1.6.08
=====================================================================
x Fix for popup content loaded in the opener window regression (from
mail/news exploitation protection)
v 1.1.6.07
=====================================================================
x Further refinement of URL protocol handler protection to cope with
special configuration-depending cases with mail/news protocols
(not affecting SeaMonkey) - thanks Rios and McFeters for generic
PoC, thanks Darkdata for specific test case
v 1.1.6.06
=====================================================================
x Early protection against URL protocol handling exploitation (see
http://tinyurl.com/37o23j and Mozilla bug 389106)
x Fix to ampersand being sometimes escaped by anti-XSS filters
v 1.1.6.05
=====================================================================
+ Protection against UTF-7 encoded XSS attacks
x Improved plugin content blocking in background tabs
x Better XSS query string processing preserves "exotic" patterns
v 1.1.6.04
=====================================================================
+ Smarter Anti-XSS filters allowing non-latin characters
x Kill duplicates in "Partially allowed" statistics
x Switched to getDefaultBranch() for volatile CAPS preferences in
order to grant a clean "Safe Mode" even after Firefox crashes
(thanks Benjamin Smedberg for suggestion)
v 1.1.6.03
=====================================================================
+ Allowed sites and partial counts in the infobar when scripts are
"Partially allowed" (timeless suggestion)
+ Window.name payload attacks neutralization
x Fixed over-optimization of JS detection relying on syntax errors
v 1.1.6.02
=====================================================================
x Fixed "Unresponsive Script" on specific complex URL patterns
(many thanks to Sue Petersen)
v 1.1.6.01
=====================================================================
x Fixed "Clear private data" window not closing if you hit "OK" on
browser exit with Firefox < 3.0 (thanks VT for first report)
v 1.1.6
=====================================================================
+ "Light" injection checks are enabled also with "Scripts Globally
allowed" (notice that allowing scripts globally is still a very bad
idea, since POST injections and other XSS attacks launched using
JavaScript, Java or Flash are virtually undetectable)
x Better XSS notification/UI feedback on partial loads
x Depth limit to URL decoding
x Work-around for JS Development Environment scoped evaluation being
blocked by noscript.safeToplevel feature
x Extra QA for public release
v 1.1.5.07
=====================================================================
x Extra QA and optimization for very complex URLs
v 1.1.5.06
=====================================================================
x Huge performance and accuracy enhancement in injection detector
x Bookmarklet bypass for Minefield Places (thanks Hwasung Kim)
v 1.1.5.05
=====================================================================
+ Smarter injection detector for trusted to trusted requests
x Fixed "this.docShell has no properties" issue (many thanks therube)
x Fixed external URLs not opening in IETab (thanks chili1)
v 1.1.5.04
=====================================================================
x Fixed traceback regression skipping checks on permissions change
v 1.1.5.03
=====================================================================
x Fixed XSS notification message bar not showing sometimes
v 1.1.5.02
=====================================================================
x More accurate origin detection on META refresh
v 1.1.5.01
=====================================================================
+ XSS filter sensibility enhancement
+ Notifications for Flash-based XSS too
v 1.1.5
=====================================================================
x Removed about:neterror from the permanent non-deletable whitelist
(for the super-paranoids, thanks Aerik)
x Minor bug fix, anti-XSS notification bar skipped when an URL nested
in a query string gets sanitized
x Extra QA for public release
v 1.1.4.9.070627
=====================================================================
+ Added "0" shorthand to match all *explicit* IP ports on the same
protocol/host, e.g. http://acme.com:0 matches http://acme.com:8080
and http://acme.com:9999, but neither https://acme.com:8080 nor
http://acme.com
+ Partial numeric IPv4 are matched up to the 2nd leftmost byte, e.g.
"192.168" matches 192.168.0.22 and "10.0.0" matches 10.0.0.33
x Minor cosmetic tweaks to XSS notifications threshold
x Improved reload on permissions change
v 1.1.4.9.070624
=====================================================================
+ Optimization of active counter-measures
x Additional QA for public bug fixing automatic update
v 1.1.4.9.070623
=====================================================================
+ More lenient yet the safest XSS filters
x Fixed a leak happening when a secondary browser window is closed
v 1.1.4.9.070622r3
=====================================================================
x Fixed some popup not closing issue (thanks Angelo Dicerni)
v 1.1.4.9.070622r2
=====================================================================
x Fixed issue with usernames embedded in home page (thanks england)
v 1.1.4.9.070622r1
=====================================================================
x Fixed incompatibility with certain malformed Ebay search URIs
(thanks to Marc Van Buggenhout for reporting)
v 1.1.4.9.070622
=====================================================================
+ Full anti-XSS protection for every trusted URL opened from external
applications
+ Protection against all the currently known cross-browser exploits
targeting Firefox (Larholm, Rios, MacManus...)
v 1.1.4.9.070621
=====================================================================
+ Additional checks for toplevel windows (thanks dveditz)
x Work-around for interference of some tab-related extension with
external URL interception
v 1.1.4.9.070620
=====================================================================
+ Protection against so called "Universal XSS" through JS URLs opened
by external applications, as explained in
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
v 1.1.4.9
=====================================================================
+ noscript.injectionCheck about:config option adds first-line
detection for XSS injections in GET requests originated by
whitelisted sites and landing on top level windows. Value can be:
0 - never check
1 - check cross-site requests from temporary allowed sites
2 - check every cross-site request (default)
3 - check every request
+ noscript.jsredirectIgnore about:config option enables/disables
the new "Detect and show JavaScript redirections" feature
+ noscript.jsredirectFollow about:config option enables/disables
auto-following if a single redirect is detected on a textless page
x "Allow top level sites by default" won't affect sites that have
been manually forbidden during the current session (to make
this exception permanent, mark the site as untrusted)
v 1.1.4.8.070618
=====================================================================
+ New placeholders for plugin content can be right clicked like any
"regular" link, e.g. to "Save Link As..." or "Copy Link Location"
+ Placeholders for plugin content are rendered real-time during load
+ Experimental detection of JavaScript redirections (thanks timeless)
x Fixed glitch in plugin replacement with JS enabled (thanks lulu135)
v 1.1.4.8.070617
=====================================================================
x Fixed untrusted blacklist import bug (thanks MZFuser)
v 1.1.4.8.070606
=====================================================================
+ edu.tw special TLD (thanks twocs)
+ New noscript.autoReload.global about:config preference controls if
automatic reload affects global allow / forbid (thanks lulu135)
+ New noscript.autoReload.allTabs about:config preference controls if
automatic reload affacts all or just current tab (thanks lulu135)
v 1.1.4.8.070602
=====================================================================
x Removed console error message on document unload in SeaMonkey
v 1.1.4.8.070530
=====================================================================
x Fixed toggle shortcut regression (thanks therube)
v 1.1.4.8.070529
=====================================================================
x Automatic fixup of trailing dot domains, replacing them on the
fly with their canonical name (thanks fartron and timeless)
+ "in.th" special TLD (thanks Kridsada)
x Fixed minor notification glitches in Fx 1.5 (thanks arete7)
v 1.1.4.8.070528
=====================================================================
x Performance optimization of options dialog closure for long
whitelists used in conjunction with long blackists (thanks arete7)
x Automatic notification hiding for background tabs (thanks arete7)
v 1.1.4.8.070523
=====================================================================
x Improved notification consistency with back-forward navigation
x Better compatibility with Google Desktop Search and Paypal email
notifications
v 1.1.4.8.070522
=====================================================================
+ "org.uy", "net.uy" and "edu.uy" special TLDs (thanks Mauricio)
x Nicer url randomization
x Improved notification on nested URL XSS sanitization
x Fixed external load request detection failing "randomly" in some
setups (regression from the IETab incompatibility work-around)
v 1.1.4.8.070521
=====================================================================
x Fixed regression from bug 53901 work-around, "Mark as untrusted
menu" not working anymore (thanks Ricky Ridgdill)
v 1.1.4.8.070520
=====================================================================
x Resolved 070509 conflict with IETab + Tab Mix Plus causing some
tab-diverted links to open in new windows (thanks to Nuttysman,
niko322, Alan Baxter)
v 1.1.4.8.070514
=====================================================================
x Sanitized URI randomization (thanks kuza55 for inspiration)
x *Fast* reload also with fragment URI (thanks Martin Focke)
v 1.1.4.8.070513
=====================================================================
x Fixed last minute regression slipped in Anti-XSS GET filter (some
suspicious query strings entirely removed, rather than sanitized)
v 1.1.4.8.070512
=====================================================================
+ Appearence Option to show/hide "Allow" menu items(thanks mamas6667)
x Updated locales (cs-CZ, en-GB, pl-PL)
v 1.1.4.8.070511
=====================================================================
x Fixed "black boxes" glitch on page unload (thanks jdopple)
x Fixed XSS exceptions must allow blank value (thanks Martin Focke)
x Fixed reloading URLs with hash(thanks Martin Focke)
x Work-around for Minefield bug displaying wrong labels on cloned
menu items (thanks Itsnow)
x Fixed regression, menu popup not shown by keyboard shortcut when
both toolbar button and status bar element are hidden (thanks
niko322)
v 1.1.4.8.070509
=====================================================================
+ noscript.xss.trustExternal about:config preference controls if
anti-XSS filters should be bypassed for URLs opened from external
applications like email clients (default false)
+ noscript.xss.trustTemp about:config preference controls if anti-XSS
should be bypassed if URLs are opened from "temporary allow"ed
sites (default true, thanks Salim for suggestion)
x Wikipedia default XSS exception tweaked to include apostrophes in
titles (thanks Alan Baxter for report)
v 1.1.4.8.070505
=====================================================================
x Better compatibility with Google Toolbar's translation service
v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active
(thanks mastro for report)
x (Hopefully) Last bug fix in referrer XSS sanitization (thanks
Alan Baxter)
v 1.1.4.8.070501
=====================================================================
x Further bug fix in referrer XSS notification template
v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active
(thanks mastro for report)
x (Hopefully) ultimate fix in referrer XSS sanitization (thanks Alan
Baxter)
v 1.1.4.8.070501
=====================================================================
x Further cosmetic bug fix in referrer XSS notification template
v 1.1.4.8.070430
=====================================================================
x Localization updates and release QA
v 1.1.4.8.070429
=====================================================================
+ Shortcut to show NoScript menu works even if status bar icon and
toolbar button are both hidden
x Fixed "Options..." button not working if status bar was hidden
(thanks napiertt and joymus)
x Fixed regression in XSS notifications due to 070427 fix (some XSS
suspicious requests were silently cancelled, rather than sanitized
and notified)
x Fixed "empty Untrusted menu" (thanks niko322)
v 1.1.4.8.070428
=====================================================================
x Fixed using keyboard shortcut always shows status icon
x Fixed closing toolbar button menu always shows status icon
v 1.1.4.8.070428
=====================================================================
x Fixed using keyboard shortcut always shows status icon
x Fixed closing toolbar button menu always shows status icon
v 1.1.4.8.070427
=====================================================================
x Fixed referrer sanitization glitch (thanks Alan Baxter)
v 1.1.4.8.070426
=====================================================================
x Fixed Refresh Blocker and Tab Mix plus redirection permissions
incompatibility (thanks tabasco.kfarmer and Mc)
x Fixed SeaMonkey "removed content" placeholder (thanks therube)
x Fixed Seamonkey "Reset" button placement (thanks Phil Chee)
v 1.1.4.8.070425
=====================================================================
+ Experimental "noscript.contentBlocker" about:config preference
to block Java, Flash and other plugins in whitelisted sites as well
x Fixed bug in toolbar button Untrusted submenu (thanks Steve1000)
x Better XSS management on whitelisting automatic reloads (XSS checks
for whitelisting reloads can be disabled by toggling off the
"noscript.xss.trustReloads" preference in about:config)
v 1.1.4.8.070424
=====================================================================
+ "Reset" command in Options Dialog resets options to their default
values (thanks Frank Myers)
+ Always bypass cache on XSS Unsafe Reload (thanks Jussi Lahtinen)
+ Serbian translation (thanks Ivan Pesic)
x Improved Wikipedia XSS exception
v 1.1.4.8.070423
=====================================================================
+ Lituanian (thanks to Mindaugas Jakutis)
x Additional localization updates and minor fixes
v 1.1.4.8.070422
=====================================================================
+ Forbid META redirection inside NOSCRIPT element in Seamonkey too
+ XSS notifications for Fx 1.5 too
+ XSS status bar icon appears when XSS activity is detected:
left/right click opens XSS menu, middle click hides icon
+ META redirection status bar icon appears when needed:
click follows redirection once, shift+click remembers for session,
middle click hides icon
x Fixed a regression (070420 only) with Import/Export buttons broken
x Fixed toolbar button removal messing with other NoScript menus
(thanks niko322 for report)
x Fixed file:// URL item not showing anymore regression
(thanks Shingoshi for report)
x Fixed regression in Option Dialog: removing from whitelist didn't
work if applied to just one site (multiple batch did work, though)
- thanks Alan Baxter for report
v 1.1.4.8.070420
=====================================================================
x Fixed "Forbid other plugins implies Forbid Flash" - thanks Dwedit
x Fixed Options dialog issues with Fx 1.5
v 1.1.4.8
=====================================================================
x Minor improvements in XSS exceptions regular expression parsing
x Fixed last-minute Seamonkey breakage (many thanks therube!!!)
v 1.1.4.8RC3 (1.1.4.7.070420.1)
=====================================================================
x Further refinement in XSS filters (thanks niko322)
v 1.1.4.8RC2 (1.1.4.7.070420)
=====================================================================
x Fixed 2nd level domain toggle option (thanks therube)
x Fixed multi-window feedback synchronization (thanks lakrids)
v 1.1.4.8RC1 (1.1.4.7.070419)
=====================================================================
+ Option to block META refresh inside NOSCRIPT elements: a prompt
will be shown asking if you want to follow the redirect, and
choice will be remebered across the current session
(noscript.forbidMetaRefresh.remember preference, dismissing the
notification with its close button means "keep blocked")
thanks rsnake and Alan Baxter for suggestion (Firefox 2 only)
+ "XSS-Unsafe Reload" menu item in the XSS notification bar popup
+ "XSS FAQ" menu item in the XSS notification bar popup
+ noscript.xss.notify.subframes about:config preference to control
notification for XSS in subframes (default false, suppressed)
+ Option to toggle sites by (2nd level) domain, rather than full URL
x Default "Show NoScript menu" shortcut changed to Ctrl+Shift+S
(Ctrl+Shift+X conflicting with "change direction" Firefox command)
x moved "Show Console" from XSS notify button to an "Options" popup
x Options Dialog reorganization
x Right click on toolbar button and status bar elements opens menu
x Mass-removal speedup in Options Dialog|Whitelist
v 1.1.4.7.070414
=====================================================================
+ Finer grained treatment for data: and javascript: urls in frames,
whose domain is considered the one of the nearest window ancestor
having a meaningful web address (thanks to Vectorspace for his
suggestion)
v 1.1.4.7.070413
=====================================================================
+ "noscript.globalwarning" about:config hidden preference controls
wether a warning prompt should be issued or not whenever user
switches on scripts globally (true by default)
x Improved Anti-XSS Protection compatibility with some message boards
(special thanks to Aerik and Olaf Schweppe)
v 1.1.4.7
=====================================================================
+ First "official" anti-XSS release
+ New plugin content detection algorithm defeats latest aggressive
Flash cloaking strategies (e.g. http://www.hardocp.com/ )
+ Improved subframe detection, includes object elements (e.g.
http://www.operamini.com/demo/ )
+ Improved fast reload, preserving form input data.
+ Minefield full compatibility
v 1.1.4.6.070409
=====================================================================
x Fixed weird intermittent interference with dynamic JavaScript
inclusion via document.write() used by some JavaScript libraries
(e.g. Prototype, Dojo or Tiny-MCE)
v 1.1.4.6.070404
=====================================================================
x Drastic reduction of XSS redirection-related false positives
v 1.1.4.6.070325
=====================================================================
x Fixed regression, leak happening on window closure (10x pirlouy)
x Fixed regression, file:// entries missing from menus (10x therube)
v 1.1.4.6.070322
=====================================================================
+ Safer behaviour on reloading/whitelisting a XSSed page
v 1.1.4.6.070321
=====================================================================
+ XSS sanitization of the whole request URL
+ XSS sanitization of the referrer URL
+ XSS filters exceptions for some "trusted" addresses requiring
cross-site complex query strings (controlled by a regexp in the
noscript.filterXExceptions hidden preference, defaults to Google
search and Yahoo search)
+ Better general search engine compatibility with anti-XSS filters
x Several performance optimizations
v 1.1.4.6.070318
=====================================================================
+ First anti-XSS countermeasures round: "default deny" sanitization
is applied to every request coming from an unknown (restricted)
site and landing on a trusted (scripting allowed) site:
1. GET requests with a query string get all the matches for the
noscript.filterXGetRx regular expression replaced with space
2. POST requests are turned into no-data GET
3. Every request filtering action is logged to the Console, while a
short notification is issued through the info-bar* (if enabled)
*Info-bar notifications require Fx 2.0 or above
Behaviours 1 and 2 can be controlled from NoScript Options|Advanced
v 1.1.4.6.070317
=====================================================================
x Customizable keyboard shortcuts (about:config - noscript.keys.*)
x Quick toggle (by shortcut or toolbar) behaviour changed to
*Temporarily* Allow / Forbid (old behaviour can be restored by
setting the about:config noscript.toggle.temp pref to false)
v 1.1.4.6.070316
=====================================================================
+ Super fast reloading after toggling permissions
+ Hebrew (thanks to Asaf Bartov)
x removed mozillazine.org and mozilla.org from the default list
(thanks Wladimir Palant)
x Fixed a resource deallocation issue (thanks Higmmer)
x Fixed a potential slowdown on startup
x Removed logging code slipped in a release
v 1.1.4.6.070304
=====================================================================
+ Added many ".id" special TLDs (thanks FatMan)
x Fixed localization-related bugs (e.g. untrusted menu showing just
the first character for each site)
x Other minor bug fixes
v 1.1.4.6.070302
=====================================================================
+ SeaMonkey compatible keyboard shortcuts
+ Added a couple of about:config options (noscript.keys.*) to disable
keyboard shortcuts: just blank their values. Notice: changing the
option value to a different key is possible, but it doesn't
actually work (yet?)
x Fixed a regression in the "Export" functionality
v 1.1.4.6
=====================================================================
x Stable "blacklist" release
+ Vietnamese (thanks tonynguyen)
+ Galician (thanks roebek)
v 1.1.4.5.070222
=====================================================================
x Fixed a "Mark as untrusted" menu item bug
v 1.1.4.5.070210
=====================================================================
x Fixed a bug affecting some locales on Mozilla/SeaMonkey/Fx 1.0
v 1.1.4.5.070207
=====================================================================
x "Forbid" doesn't mark the site as untrusted by default anymore (old
behaviour can be restored via "noscript.forbidImpliesUntrust" pref)
v 1.1.4.5.070127
=====================================================================
+ Experimental blacklist ("Mark as untrusted" + "Untrusted|Allow")
+ Global shortcut toggling top level status: "CTRL + SHIFT + \"
+ Global shortcut to NoScript menu: "CTRL + SHIFT + X"
+ Extra control on NOSCRIPT elements rendering
+ "Allow Globally" menu item is optional now (shown by default)
+ "Link Local Files" optional permission for trusted sites
+ "noscript.excaps" hidden pref for CAPS conflicts resolution (e.g.
with Google Toolbar and other Google extensions)
+ "Temporarily allow top-level sites by default" new preference
(not advised and disabled by default)
+ Menu items referring to current location are hilighted in bold
+ New preference in Options|General controls toolbar button reaction
to left click (default none, optional toggles top level status)
+ net.uk, com.uk and org.uk pseudo TLDs
v 1.1.4.5.061231
=====================================================================
x Fixed "cancel with non-failure status code" assertion
v 1.1.4.5.061221
=====================================================================
+ Minefield (3.0a2) support
+ Fixed plugin placeholder trunk issue (thanks timeless for report)
+ added *.ua "special" TLDs (thanks Devan Chetty)
v 1.1.4.5.061206
=====================================================================
+ Added org.in and co.sy to the "special" TLDs list
x Fixed some bookmarklet quirks (not in trunk, though)
x Fixed a bug in "uk.xyz" special TLDs management
v 1.1.4.5.061030
=====================================================================
x Minefield fix: feedback during/after document loading (bug 335251)
x Minefield fix: bookmarklet on the fly enablement (bug 351633)
x Restored Flock compatibility
v 1.1.4.5
=====================================================================
+ Some user interface tweakings in the Options UI
+ Several optimizations
x Fixed XML issue
x Fixed BFCache side-effects on certain pages
x Fixed a timing bug in stand-alone plugin interception
v 1.1.4.4
=====================================================================
+ be-BY (Belarusian) thanks to DRKA
+ JavaScript links fixing made compatible with AllPeers
+ Better interception of plugin content
x Fixed a plugin placeholder bug (thanks to tanstaafl for reporting)
x Fixed interception of xml and xhtml content (thanks to Poly Peptide, hrikjsen,
Redoute and johnnydrinkwater for reporting)
x Fixed some strict warnings (thanks to timeless for reporting)
v 1.1.4.3
=====================================================================
+ Emulated Firefox 1.0.x top-level plugin content blocking behaviour
+ uk-UA (Ukrainian) thanks to MozUA
+ th-TH (Thai) thanks to Qen
+ fa-IR (Persian) thanks to Pedram Veisi
+ el-GR (Greek) thanks to Sonickydon
+ en-GB (English GB) thanks to Ian Moody
+ hr-HR (Croatian) thanks to Krcko
x Other updated translations
x Fixed plugin content reloading bug
v 1.1.4.2
=====================================================================
+ Notifications Firefox 2+ compatible
x Fixed whitelist import bug (phantom resource:xyz entry)
x Fixed "removeLinkFixer" warning (thanks to Pablo)
v 1.1.4.1
=====================================================================
+ Left clicking on NoScript toolbar button toggles permissions for
current top-level site
+ Shift+Click on a Java/Flash/Object placeholder temporarily hides it
+ "Attempt to fix JavaScript links" now skips "real" hash URLs
+ Added live.com to the default whitelist (for MS webmails)
x Removed a leak caused by "Attempt to fix JavaScript links" option
x Fixed Macedonian translation
v 1.1.4
=====================================================================
+ "Allow sites opened through bookmarks" option
+ Notification delay in seconds can be changed through the
"noscript.notify.hideDelay" about:config preference
x Removed bogus JS messages on SeaMonkey startup
x Fixed bookmarklet support to work with the new "Places" code,
the bookmark sidebar and the bookmark manager
x Added mozilla.com to the default whitelist
x Always honour "Attempt to fix JavaScript links" option (links
were processed anyway if "Forbid <a...ping>" was enabled)
v 1.1.3.9
=====================================================================
x Fixed temporary memory leak when loading pages containing plugins
(many thanks to Steve England)
x JavaScript links should not be "fixed" when scripts are globally
allowed (thanks Lt. Worf)
v 1.1.3.8
=====================================================================
x Another emergency release to fix Babelzilla bugs with Asian
languages (mass-reverting to 1.1.3.5 properties files to be sure).
- Removed permanent whitelist (all the web sites can can
be forbidden from the UI, no more about:config need)
v 1.1.3.7
=====================================================================
x Fixed some localization bugs with Hungarian and other languages
v 1.1.3.6
=====================================================================
+ "Fix JavaScript links" option: enabled by default, attempts to
automatically turn JavaScript links into regulars anchors on load
+ Advanced options "Allow <a ping...>" on trusted sites (defaults to
the browser settings) and "Forbid <a ping...>" on untrusted sites
(default yes) give user control on the new, debated "ping" anchor
attribute
+ New hidden (about:config) boolean preference "noscript.consoleDump"
controls if blocked contents must be logged to the console (false
by default)
+ Slovak (thanks to Slovak Soft)
+ Romanian (thanks to Ultravioletu)
+ Hungarian (thanks to LocaLiceR)
+ Chinese Traditional (thanks to Chiu Po-Jung)
v 1.1.3.5
=====================================================================
+ "Truncate title" option: enabled by default, even on whitelisted
sites, is a quick & dirty work around for Firefox DOS bug 319004
+ "com.xy" 2nd level domains are always considered special TLDs
+ Other special TLDs added
x Fixed "Forbid other plugins" semantics: Java and Flash should
remain allowed unless their specific "Forbid" option is flagged.
x Fixed portuguese locale bug
v 1.1.3.4
=====================================================================
+ Flock support
+ Finnish (thanks to Mika Pirinen)
+ Norwegian bokmål (thanks to Håvard Mork)
v 1.1.3.3
=====================================================================
+ Placeholder icon can be hidden (NoScript Options|Advanced)
+ Message bar notifications can be set to go away automatically after
5 seconds
+ Bulgarian (thanks to Georgi Marchev)
+ Simplified Chinese (thanks to George C. Tsoi)
+ Russian (thanks to Alexander Sokolov)
+ Turkish (thanks to Engin Yazılan)
x Best effort XPCOM auto registration on Mozilla Suite installation
x Minor menu formatting glitches removed
x Some about:xxx URLs added to the default whitelist
v 1.1.3.2
=====================================================================
+ Bookmarklet support. It allows JS on current page just for the
bookmarklet execution lifespan. If you don't want or don't need it,
turn on "NoScript Options|Advanced|Forbid Bookmarklets"
x Fixed right-click status label crash affecting pre-1.8 browser. Now
status label context menu works on Mozilla and Firefox 1.0.x too.
v 1.1.3.1
=====================================================================
+ Option to skip confirmation when temporarily unblocking objects
+ Optional status bar label (with Firefox-only context menu)
+ Support for Unicode domains
x Work-around for Firefox bug #307678 (dialogs freeze)
x Handle about:neterror and about: (help) "always allowed" exception
v 1.1.3
=====================================================================
+ Toolbar button
+ Java/Flash/Plugin content can be temporarily allowed (for the
current tab) with a left click on its placeholder
+ Further optimizations in site matching
+ Japanese (thanks to beerboy)
+ Polish (thanks to Lukasz Biegaj)
+ Catalan (thanks to Joan-Josep Bargues)
+ Czech (thanks to Petr Jirsa)
x Bug fix: "Allow JavaScript Globally" didn't affect Java, Flash and
Plugin immediately
v 1.1.2.20050901
=====================================================================
x Bug fix: temporarily allowed sites were not removed if no
permission change happened in the following session
v 1.1.2
=====================================================================
+ Java/Flash/Plugins blocking works in Mozilla Suite / SeaMonkey too
+ Huge performance (up to 100x) improvements in policy matching
+ More consistent temporary sites handling (allowing a temporary
domain while subdomains are allowed, now forbids ancestors of that
domain but not its subdomains anymore on restart)
+ Added "ar.com" to the list of "special" TLDs
x No more "phantom" http:// and https:// entries in whitelist
v 1.1.1
=====================================================================
x Fixed a bug with whitelist synchronization from the Options window
x Fixed little Spanish locale issue
v 1.1.0
=====================================================================
+ Customizable message position, top or bottom (new default)
+ Customizable audio sample for feedback
+ (Firefox only) Advanced options to forbid Java™, Flash® and other
plugins (Java™ forbidden by default, since many users don't
know the difference between Java and JavaScript)
+ Advanced options to allow rich-text clipboard on trusted sites
+ Portoguese translation (thanks to Dario Ornelas)
x New (less ambiguous) "partially allowed" icon
x Audio feedback off by default
x Statusbar icon hidden status persists across sessions
x Proper jar: scheme handling (will allow per-domain selection when
Firefox bug preventing it is patched -
see https://bugzilla.mozilla.org/show_bug.cgi?id=298823)
x jar: scheme can be allowed only temporarily (see above)
x No more browser activity stop after permission changes
v 1.0.9
=====================================================================
+ Temporarily allow URLs (for current session only): temporary items
are shown in italics font
+ Clean uninstall in Deer Park
+ Added jar: to the default white-list, to allow about:plugin
and other "special" URLs to work out-of-the-box
x Better work-arounds for Firefox synchronization bugs
x Fixed conflict when a "View Source" window was open
v 1.0.8
=====================================================================
+ Whole addresses are shown when a port number is specified, no
matter which the Appearance options are, since enabling a domain
doesn't enable it for non-standard ports (thanks to jayvdb for
suggestion)
+ Stop every browser activity before changing policies (this should
be a workaround for most crashes dued to Firefox CAPS bugs)
v 1.0.7
=====================================================================
+ "Popup blocker" style notification message (Firefox only)
+ Autoreload synchronizes every view whose permissions have changed
+ Spanish translation (thanks to Alberto Martínez)
x Improved subframes management in the contextual menu
x Better UI support for "special" TLDS like co.uk, co.nz and others
x Improved support for numeric addresses
x Audio feedback with more discreet sound effect :-)
v 1.0.6
=====================================================================
+ Whitelist import/export (thanks hsmwrv for suggestion)
+ Only 2nd level (base) domains shown by default in the "Allow" menu
items (easier operation for non-geeks; geeks can still revert to
the old fine grained interface using the "Appearance" options)
+ Blocked scripts audio feedback (thanks to Markus for suggestion)
+ about:config/noscript.permanent can be changed live (no FF restart)
x chrome content URL are properly whitelisted (XUL error pages OK)
x Fixed empty permanent list problem (thanks to Patrick and Oremina
for report)
v 1.0.5
=====================================================================
+ "Appearance" option to hide/show popup menu and status bar icon; if
you decide to hide both, options are still reachable through the
Extension Manager context menu (thanks Dick Minor for suggestion)
+ 2nd level domain trick doesn't clutter Options Dialog anymore
(http[s]:// auto-prefixed domains are hidden in whitelist)
x Fixed menu layout (thanks to TheOneKEA for report)
v 1.0.4
=====================================================================
+ Automatically creates http:// and https:// prefixed URLs when a 2nd
level domain (xyz.com) is allowed, as a workaround for Firefox not
matching URLs with a raw 2nd level domain if no protocol is listed
(thanks to Laura for report)
+ "Allowed" status feedback for chrome:// URLs (pacanukeha)
x Core functionality refactored in a XPCOM service
v 1.0.3
=====================================================================
+ Feedback about actual presence of script elements in current page
(white "S" icons if no script tag is found, while number of found
tags is shown in the tooltip - thanks to Volker for suggestion)
+ Feedback about partial permissions in pages containing subframes
(a broken red "stop" sign means only some frames are forbidden)
+ Events are coalesced for better performance and stability
+ Improved options dialog usability (new items are ensured visible
and "delete" key performs mouse-less site removal)
+ Added hotmail/msn/passport domains to default whitelist (thanks to
Swann for suggestion)
+ Added googlesyndication.com and noscript.net to permanent list ;)
x Fixed whitelist options dialog sometimes "forgetting" recently
added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for
their reports)
v 1.0.2
=====================================================================
+ Option dialog shortcuts (thanks to Ulysses for suggestion)
+ French translation (thanks to Xavier Robin)
x NoScript doesn't ignore port number in URLs anymore
x moved "Options" and "About" items to the top of status bar menu
(thanks to Filipp0s for suggestion and for the smaller icons too)
x added mozillazine.org and gmail.google.com to default allow list
x no duplicates in menu when multiple frames share the same
ancestor domain (e.g. mozillazine.org)
v 1.0.1
=====================================================================
+ Contextual menu for easy operation in statusbar-less windows
+ Current page is automatically reloaded when permissions are changed
+ Support for implicit subdomain inclusion (e.g. if you add
mozilla.org, you allow www.mozilla.org, addons.mozilla.org etc.)
+ German translation (thanks to my friend Thomas Weber)
x Fixed localization issue
x Work around for Firefox occasional crashes
v 1.0
=====================================================================
First public release
