NoScript Updates

NoScript 2.4.1

Thu, 10 May 2012 13:09:44 +0000

+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
  same-name query parameters (thanks  Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
  sequences (thanks Masato Kinugawa for reporting)
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
  therube for reporting)
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
  Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
  repository, often used as a CDN

NoScript 2.4

Fri, 04 May 2012 11:25:41 +0000

x Improved temporary permissions management during bookmarklet execution
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)
+ [XSS] Improved InjectionChecker detection of in-code multiple insertions
  (thanks Krzysztof Kotowicz)
+ [XSS] InjectionChecker detection of single assignment evaluation through
  global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
  for reporting)
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
  Dalili for reporting)

NoScript 2.3.9

Wed, 25 Apr 2012 22:44:07 +0000

+ [ClearClick] More tolerant snapshot comparation algorithm (partially
  backported from NSA) to reduce false positives (tweaked by the
  noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
  obscuration by windowed plugins checks
x Fixed compatibility regressions on Firefox 3.x
x Following links from the About dialog now closes it (thanks Guardian for
  suggestions)
x Fixed NOSCRIPT META refreshes blocking not working when scripts are
  globally allowed (thanks and Ken and Tom T. for reporting)
x [ClearClick] Fixed false positives caused by accelerated graphics with
  some plugin content

NoScript 2.3.8

Thu, 19 Apr 2012 09:48:07 +0000

+ Smart integration with the new browser-native click to play: if a plugin
  object is manually allowed from NoScript's UI, it gets also natively 
  activated (noscript.smartClickToPlay about:config preference)
+ Improved active content identity tracking, to avoid redundant blocking
  steps across reloads
x Fixed redirections in legacy frames not being blocked (thanks "utente"
  for reporting)
x [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site

NoScript 2.3.7

Sun, 08 Apr 2012 03:28:42 +0000

x [ClearClick] Work-around for "rapid fire" protection interfering with
  some add-ons, such as 1Password (thanks Mike Tselikman for report) and
  FloatNotes (thanks endofmiles and Tom T. for reports)
x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
  Christopher A. M. Gerlach for reporting)
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
  containing domain-names as parameter values (thanks gazer75 for report)

NoScript 2.3.6

Mon, 26 Mar 2012 21:27:00 +0000

x Restored Nightly compatibility, broken by bug 719154 
+ [ClearClick] improved compatibility with Disqus widgets (thanks El Cid
  for reporting)
+ [AddressMatcher] Optimized trailing "*" in glob expressions
x Fixed origin URL detection flawed when certain wrapped URIs are loaded
 (thanks Masato Kinugawa for reporting)
x [XSS] Fixed false positive with query string patterns mimicking array
  access (thanks Aicke Schulz for reporting)

NoScript 2.3.5

Fri, 16 Mar 2012 20:26:49 +0000

x Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing
  Google Music Player to fail (thanks DG42 for original report, Alan Baxter
  for providing a test account, all the forum staff and many users for
  their help in reproducing)
x [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and
  meta refreshes on the affected tab even if document changes (thanks
  Tom T. and Patrick E. for reporting)
x [ClearClick] Better special-casing for same-site embedded objects
x [Surrogate] Global variables introduced by sandboxed surrogates are
  attached as window properties after execution to fix recently surfaced
  scope-related bugs
x [XSS] Better window.name protection  (thanks Masato Kinugawa for report)
x [XSS] Improved detection of javascript: URL injections

NoScript 2.3.4

Thu, 08 Mar 2012 22:06:40 +0000

x [ClearClick] Fixed subtle bug which may lead to infinite loops in some
  cases (thanks GµårÐïåñ for reporting)

NoScript 2.3.3

Thu, 08 Mar 2012 16:45:05 +0000

+ Improved InjectionChecker logging
x Reduced false positive rate on HTML injection checks (thanks therube for
  reporting)
x [ClearClick] Fixed clicking on some plugin content causing elements of
  the parent page to become white (thanks Markus Wienand for report)
x [ClearClick] Fixed minor bugs triggered by ABP placeholders
+ [ClearClick] Protection against partial obscuration via Flash objects
  with OS-native wmode values (thanks David Lin-Shung Huang for reporting)
x [XSS] Further sensitivity tweaks
x [XSS] Better compatibility with some 3rd party ads on Ebay
x [XSS] Fixed false positive on dotted name-value assignments chained with
  semicolons (e.g. on some Yahoo-served ads)

NoScript 2.3.2

Sun, 26 Feb 2012 21:58:12 +0000

x [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
x [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
  Masato Kinugawa for reporting)
+ [XSS] Added event injection checks for scriptless pages too, in order to
  prevent edge-case execution on permissions change
x [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato
  Kinugawa for reporting)
x [XSS] Improved HTML detection accuracy
+ Better tagging of surrogate sandboxes for about:memory debugging
x Improved glinks surrogate

NoScript 2.3.1

Mon, 20 Feb 2012 13:10:15 +0000

+ Surrogate to let news pages escape Digg's frame
+ [ClearClick] Improved compatibility with cross-frame overlapping shadows
x Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks
  .mario for reporting)
+ adf.ly surrogate to automaticaly skip the interstitial page even if
  scripts are disabled
x Improved Google search surrogates
+ New surrogate against Google's scriptless tracking of search results
  navigation

NoScript 2.3

Fri, 10 Feb 2012 23:23:24 +0000

x Fixed about:newtab not considered as a local origin by ABE
+ Added blob:, about:memory and about:support to the automatic whitelist
x Added reflected script inclusion check exception for intensedebate.com
x Fixed CSS issues on Gecko 1.8

NoScript 2.2.9

Sat, 04 Feb 2012 11:45:26 +0000

+ Right click on NoScript menu items copies the site to the clipboard, if
  any under the pointer, or all the page-related script sources prepended
  with a status mark: + for whitelisted, - for default, ! for untrusted (
  thanks Tom T. for RFE)
+ Added browserid.org to the default whitelist
x Improved default whitelist update mechanism
x Fixed some Flash movies failing to load on Nightly (thanks Nova6K0 for
  reporting)
x Fixed incompatibility between surrogates / content augmentations (e.g.
  toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for
  reporting
x NoScript won't attempt to load the release notes page if the site is
  unreachable

NoScript 2.2.8

Tue, 24 Jan 2012 21:20:16 +0000

x [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested
  documents

NoScript 2.2.7

Wed, 18 Jan 2012 21:32:10 +0000

x [ClearClick] Protection against two steps interaction attack based on
  HTML5 DnD (thanks .mario for reporting)

NoScript 2.2.6

Thu, 12 Jan 2012 22:53:09 +0000

x [XSS] Fixed sanitization reporting bug

NoScript 2.2.5

Tue, 03 Jan 2012 11:14:15 +0000

x [ClearClick] Better compatibility with recent Disqus widget versions

NoScript 2.2.5rc1

Wed, 21 Dec 2011 16:33:42 +0000

x Work around for Mozilla bug 712649

NoScript 2.2.4

Sun, 18 Dec 2011 22:06:30 +0000

x Fixed some localizations having newlines replaced with 'n' characters

NoScript 2.2.3

Fri, 02 Dec 2011 23:39:46 +0000

+ Configuration import/export directory is persisted across sessions

NoScript 2.2.2

Thu, 01 Dec 2011 21:34:31 +0000

+ [Surrogate] Wrapped in lexical scoped blocks scripts also when debug
  mode is on (thanks al_9x for RFE)
+ [Surrogate] Early one-time syntax checks on setup (thanks al_9x for RFE)
x [ClearClick] Better compatibility with some GMail embeddings
x [XSS] Better compatibility with Visual Studio in-browser documentation
x [ClearClick] Fixed Adblock Plus causing false positives on Fx 3.6
x Improved HTML 5 DnD XSS protection (thanks Soroush Dalili for reporting)
x [Locale] Lithuanian (thanks Algimantas Margevičius)

NoScript 2.2.1

Sun, 20 Nov 2011 08:01:40 +0000

+ [Locale] Updated he-il (thanks baryoni)
x [ClearClick] Fixed incompatibility with the FoxTab add-on

NoScript 2.2

Tue, 15 Nov 2011 23:23:15 +0000

+ [ClearClick] Improved protection against Clickjacking on nested windowed
  Flash targets (thanks Sommerrain and Tom T for reporting)

NoScript 2.1.9

Wed, 09 Nov 2011 19:07:00 +0000

x [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec
  used instead of "1.8"

NoScript 2.1.8

Thu, 27 Oct 2011 21:15:21 +0000

+ Improved anti-popunder built-in surrogate
x Fixed object autowiring upon placeholder activation regressed by recent
  surrogate sandboxing changes

NoScript 2.1.7

Fri, 21 Oct 2011 22:50:19 +0000

x [ABE] Fixed subrequests matching an Anon action rule not being shown in
  the logs if already anonymized by the browser

NoScript 2.1.6

Thu, 20 Oct 2011 21:54:27 +0000

+ noscript.keys.tempAllowPage about:config preference to configure a
  keyboard shortcut for "Temporarily allow all this page"
+ noscript.keys.revokeTemp about:config preference to configure a keyboard
  shortcut for "Revoke temporary permissions"
+ noscript.menuAccelerators about:config preference to switch keyboard
  accelerators for "(Temporary) allow all this page" menu items on/off
x Fixed notifications get all shown on the top in a tab where one
  notification has already been shown on the top
x Fixed quasi-leak (zombie compartment) after using the NoScript menu on
  a page where embedded content is present, until the menu is opened on
  another page (thanks Archaeopteryx for reporting)
x [ABE] Fixed Anonymize actions logged twice (thanks al_9x for reporting)

NoScript 2.1.5

Wed, 12 Oct 2011 09:31:22 +0000

x Improved object wiring emulation on placeholder activation (thanks al_9x
  for report and code)

NoScript 2.1.4

Wed, 28 Sep 2011 21:17:54 +0000

x Fixed speculative parsing causing inclusion surrogates to be executed
  twice (thanks al_9x for reporting)

NoScript 2.1.3

Mon, 26 Sep 2011 07:49:24 +0000

+ [Surrogate] Disqus surrogate to fix misplaced placeholder (thanks al_9x
  for code)
+ [L10n] Bengali (thanks svarnava)
x Fixed missing placeholder for hidden embeddings (thanks royallin for
  reporting)

NoScript 2.1.2.8

Mon, 12 Sep 2011 21:38:13 +0000

x Fixed placeholders hard to activate on HTML 5 Youtube videos

NoScript 2.1.2.7

Sun, 28 Aug 2011 17:56:24 +0000

x Better load progress feedback for hosts which are not DNS-cached yet
  (thanks al_9x for reporting)

NoScript 2.1.2.6

Thu, 11 Aug 2011 12:46:29 +0000

x Temporarily disabled anti-anti-adblocker surrogate on any site except
  those explicitly added to noscript.surrogate.ab.sources preference, as a
  work-around for bug 677652
x Lazy initialization is deferred also when a file:// URL is loaded as the
  home page

NoScript 2.1.2.5

Thu, 28 Jul 2011 16:45:27 +0000

x Fixed bookmarklets from sidebars not working on JS-disabled pages
+ Improved Twitter surrogate for Fx 3.x

NoScript 2.1.2.4

Tue, 26 Jul 2011 19:52:05 +0000

+ Ubuntu-specific startup optimization

NoScript 2.1.2.3

Wed, 13 Jul 2011 21:18:51 +0000

x [ClearClick] Refactoring and isolation of the rapid fire protection

NoScript 2.1.2.2

Mon, 11 Jul 2011 20:42:50 +0000

x [ClearClick] Fixed false positives due to backwards incompatibilities
  with Fx 3.5 and below (thanks chas35 for reporting)
x [Nightly compat] Fixed import/export broken by nsIJSON interface changes
  in recent nightly builds (thanks happy-dude for reporting)

NoScript 2.1.2.1

Sun, 10 Jul 2011 06:14:59 +0000

x Fixed rapid fire cross-site interaction protection interfering with
  keyboard-based tab switching (thanks tikl for reporting)

NoScript 2.1.2

Sat, 09 Jul 2011 11:28:04 +0000

x Minor tweaks to the new rapid fire cross-site interaction protection

NoScript 2.1.1.2

Sun, 26 Jun 2011 13:12:31 +0000

x Fixed conflict with Firebug console
x Removed legacy code in content policy and ClearClick

NoScript 2.1.1.1

Thu, 09 Jun 2011 19:17:30 +0000

+ Improved embedded object activation on Javascript-enabled pages via
  dynamic method proxies (thanks al_9x for RFE)

NoScript 2.1.1

Sun, 29 May 2011 20:36:01 +0000

x Fixed toolbar button hidden in popup windows (thanks Steven Roddis for
  reporting)

NoScript 2.1.0.5

Mon, 16 May 2011 15:52:29 +0000

x Fixed recent memory optimizations breaking compatibility with some
  extensions (thanks Alan Baxter for reporting)

NoScript 2.1.0.3

Sun, 24 Apr 2011 05:32:15 +0000

x [L10n] Updated ro
x Restored some locales gone missing in previous dev build

NoScript 2.1.0.2

Sat, 09 Apr 2011 21:10:50 +0000

x [XSS] Improved XML prescreening

NoScript 2.1.0.1

Sat, 26 Mar 2011 22:48:20 +0000

x Removed googlesyndication.com from the default whitelist
x Added securecode.com ("Verified by VISA") to the default whitelist, in
  order to prevent surprise transaction failures 
x [XSS] Exception for POST requests coming from a secure albeit not
  whitelisted Verified by Visa (securecode.com) origin
x [ABE] Fixed bug causing excessive console noise from permissive rules
x Updated locales

NoScript 2.1

Fri, 25 Mar 2011 15:30:36 +0000

x Fixed various Script Surrogate inconsistencies

NoScript 2.0.9.9

Sun, 06 Mar 2011 08:18:35 +0000

x Fixed spaces in ipecho response breaking WAN IP detection with one of
  the mirrors
+ Experimental built-in profiler for debugging purposes

NoScript 2.0.9.8

Sun, 13 Feb 2011 22:49:36 +0000

x Fixed empty tooltip for embedded placeholder on some RTL pages (thanks
  Saad for reporting)
x Truncate URLs in placeholders tooltips at the the query string or hash,
  to increase readability (thanks anystupidassname for RFE)
x Increased WAN IP checks interval to 1 hour reducing log spam on routers
- Removed some obsolete code

NoScript 2.0.9.7

Sun, 30 Jan 2011 21:43:39 +0000

x Fixed status label menu popping up in a wrong position
x Updated locales