NoScript - the safest Firefox experience

NoScript CHANGELOG

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change

v 1.9.6
=====================================================================
+ Support for raw IP and subnets with address prefix/mask syntax in ABE rulesets
x Improved UTF-8 XSS protection (thanks Sirdarckcat for discussion)
x Fixed ABE resource lists parsing glitches
x Improved "Anonymous" (formerly "Logout") ABE action behavior
x Fixed IP display in Allow/Forbid menu items on Gecko >= 1.9
x Added ABE local rulesets to configuration import/export dataset
x Fixed multibyte domain names that couldn't be temporarily allowed or marked as untrusted (thanks fujita for reporting)

v 1.9.5.73
=====================================================================
x Fixed "live" plugin unblocking broken on some sites (thanks therube for reporting)

v 1.9.5.72
=====================================================================
x Fixed CSS bug preventing placeholders from being hidden with Shift+click

v 1.9.5.71
=====================================================================
x Fixed Seamonkey 1.x breakage from 1.9.5.7 (thanks therube for reporting)

v 1.9.5.7
=====================================================================
+ ABE Logout action strips query strings from potential authorization and session-related parameters and neutralizes non-idempotent requests by switching their method to GET and removing uploads
x Fixed DNS optimizations causing ABE's "Logout" action to abort the request sometimes (Gecko <= 1.8 will abort on Logout anyway if DNS record is not cached)
x Improved usability with sites providing their own JS-based UI for HTML5 VIDEO element
x Fixed placeholder not clickable if overlaid with a transparent absolutely positioned element
x Fixed bug preventing the audio feedback sample from being changed (thanks Rodney Crnkovic for reporting)

v 1.9.5.6
=====================================================================
x Work around for Tab Mix Plus beta breaking bookmarklets and URL bar JavaScript one liners on untrusted sites (Fx 3.5)

v 1.9.5.5
=====================================================================
+ New Notifications|ABE option to disable ABE notifications
+ External requests on default ports to domain names different than "localhost" resolving to 127.0.0.1 don't generate notifications, in order to reduce spam from misconfigured hosts files (activity still gets logged to the Error Console and notifications can be restored by toggling the noscript.ABE.notify.namedLoopback preference)

v 1.9.5.4
=====================================================================
x Fixed incompatibility with back-forward gestures in Mouse Gesture Redux (thanks Kevin Schneider and Andrea Rodofili for reporting)
x Fixed "Open all tabs" glitches

v 1.9.5.3
=====================================================================
x Fixed Google Analytics surrogates causing some sites to open "undefined" URLs (thanks sanityvoid for reporting)

v 1.9.5.2
=====================================================================
x Fixed ABE RFC 3330 support bug (thanks SkyBeam for reporting)

v 1.9.5.1
=====================================================================
x Work around for NewTabUrl incompatibility
x Fixed as yet undisclosed parsing bug (credits will be given where due in a later release)

v 1.9.5
=====================================================================
x Fixed forbidden objects in allowed documents not causing partially allowed icon on first load in Gecko < 1.9 (thanks al9_x for report)
x Fixed forbidden objects in mixed trusted/blacklisted pages not causing partially allowed icon (thanks al9_x for report)

v 1.9.4.91
=====================================================================
x Fixed late request cancelation of scripts preventing pages from loading completely
x Fixed refreshing ABE rulesets
re-enabling disabled local rulesets

v 1.9.4.9
=====================================================================
x Fixed DNS cache purging bug (thanks therube for reporting)

v 1.9.4.8
=====================================================================
x Parallelization of DNS activity bringing huge ABE performance gain
x Minor fixes in LOCAL policy enforcement

v 1.9.4.7
=====================================================================
x Fixed possible deadlock introduced in 1.9.4.6
x Fixed DNS cache purging bug

v 1.9.4.6
=====================================================================
x Refactoring of content policy related code
x Another memory optimization iteration
x Restored automatic Seamonkey profile install cleaner

v 1.9.4.5
=====================================================================
x Further memory footprint and performance ABE optimizations

v 1.9.4.4
=====================================================================
+ Origin tracing speed and accuracy improvements
+ Enhanced frame busting emulation
+ Further DNS optimizations

v 1.9.4.3
=====================================================================
x Optimized garbage collection in DNS 2nd level cache

v 1.9.4.2
=====================================================================
x Fixed mixed content SSL false positives when ABE enabled
x Fixed file:// entry added to whitelist every time a 2nd level domain gets allowed on Gecko >= 1.9 (thanks GµårÐïåñ for reporting)

v 1.9.4.1
=====================================================================
+ Implemented 2nd level DNS cache fixing some artifacts/crashes on Google Maps and some latency issues in Gecko < 1.9 (thanks therube and Alan Baxter for reporting)

v 1.9.4 RC2
=====================================================================
x Fixed page content getting randomly scrambled during heavily concurrent loads when ABE's asynchronous networking is enabled
x Fixed password manager autofill failing sometimes (thanks
Tommy Coe for reporting)

v 1.9.4 RC1
=====================================================================
+ First stable ABE (Application Boundaries Enforcer) release
+ Improved JavaScript form submission emulation (thanks aladin235 for reporting about Twitter logout button)
+ Asynchronous networking in Gecko >= 1.9 for ABE preflight requests and DNS checks (can be turned off by noscript.asyncNetworking about:config preference)
+ noscript.ABE.legacySupport about:config preference to enable ABE on older, less supported platforms (Gecko < 1.9)
+ Modularized SeaMonkey uninstaller
+ Bookmarklet emulation made compatible with latest Fx 3.5 builds
x Better UI feedback about CAPS parsing artifacts

v 1.9.3.92
=====================================================================
x Fixed missing site rules being repeatedly fetched after 12 hours timeout

v 1.9.3.91
=====================================================================
+ Added gstatic.com (Google Maps and other services) to the default whitelist
x Fixed broken embeddings from file:// URLs (thanks Endor for report)

v 1.9.3.9
=====================================================================
x Fixed import/export buttons for whitelist and full configuration overriding each other (thanks Alan Baxter for reporting)

v 1.9.3.8
=====================================================================
+ Precise reporting of ABE DNS failures
+ Automatically include browser origins in Accept predicates
x Lighter XSS checks, relying on ABE for pre-screening when possible (preventing some timeout-related false positives and random hangs)

v 1.9.3.7
=====================================================================
+ More accurate NOSCRIPT web-bugs blocking, skipping same origin images and scripted pages (thanks Jorgo for suggestion)
x Working link to ABE documentation in NoScript Options|Advanced|ABE
x Fixed ABE external editor failing to open on Mac OS X (thanks David Bass for reporting)

v 1.9.3.6
=====================================================================
+ Improved Google Analytics script surrogates
+ New Imagefap anti-popup script surrogates
+ Seamonkey 1.x streamlined installation process (profile local installations are not supported anymore, but switching to browser-wide is automatic on update)
+ Seamonkey 1.x automatic uninstall procedure (button provided in NoScript Options)

v 1.9.3.5
=====================================================================
+ Better placeholder management with weird plugin content nesting (thanks nagan for request)
+ Faster and more streamlined cross-origin request tracking
x Fixed single asterisk ("*") glob pattern not compiling in URI pattern lists (thanks Sirdarckcat for reporting)
x Fixed Fx 2 (Gecko < 1.9) non-secure requests for HTTPS-forced resources being aborted rather than redirected (thanks al_9x for reporting)

v 1.9.3.4
=====================================================================
+ First public Application Boundaries Enforcer (ABE) prototype, see NoScript Options|Advanced|ABE
+ SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo (check http://databasement.net/labs/localrodeo/ and http://databasement.net/labs/localrodeo/testcases.php )

v 1.9.3.3
=====================================================================
x Fixed fatal exception on JSON XSS checks (thanks HeikoAdams for report)

v 1.9.3.2
=====================================================================
x Fixed whitelist import/export broken by new global import/export (thanks Tim Johnson for report)

v 1.9.3.1
=====================================================================
x Fixed automatic secure cookie management being enabled by default (thanks therube for report)

v 1.9.3
=====================================================================
+ Redirect loops caused by HTTPS enforcement now trigger the standard redirect loop error page (thanks Matt McCutchen for RFE)
x Fixed https-forced embedded objects not
being loaded unless already cached (thanks Matt McCutchen for report)

v 1.9.2.93
=====================================================================
x Fixed 1.9.2.92 regression breaking "Revoke temporary permissions"

v 1.9.2.92
=====================================================================
+ Improved bookmarklet support, trying to turn setTimeout calls into synchronous ones and to execute trusted imported scripts (e.g. in the Readability bookmarklet)
+ Slightly "beautified" JSON export format (one preference per line)
x Fixed 1.9.2.91 regression, preventing permissions changes made in NoScript Options from being saved under some random circumstances (thanks GµårÐïåñ for reporting)

v 1.9.2.91
=====================================================================
+ Import and Export buttons in NoScript Options to backup and restore the whole NoScript configuration (preferences and permissions) to and from a text file.

v 1.9.2.9
=====================================================================
+ Native media (audio/video HTML 5 elements) blocking
x Huge refactoring modularizing XSS, ABE, ClearClick, HTTPS extras and utility classes

v 1.9.2.8
=====================================================================
+ Speedup of bookmark-based configuration persistence
+ NoScript tries to synchronize its configuration with foreign bookmarks when the "Backup configuration in bookmarks" gets enabled in order to ease adding new "slaves"
x Excluded temporary permissions from bookmark-based synchronization
x Fixed XMark synchronization failing because of XMark's 4KB limit on bookmark URIs
x Fixed opening the [NoScript] configuration bookmark hanging the AutoPager extension
+ Disqus ClearClick exception
+ Feedly ClearClick exception

v 1.9.2.7
=====================================================================
+ "NoScript Options|Notification|Display release notes on update" checkbox
x Fixed XSLT blocking regression

v 1.9.2.6
=====================================================================
+ NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.

v 1.9.2.5
=====================================================================
+ One-time startup prompt to ask users *beforehand* if they want to install/keep or permanently delete the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
x Fixed filterset bug: it could be disabled but not removed.
x Fixed "Attempt to fix JS links" not working for drop-down lists on Gecko < 1.9 (thanks therube for report)
x Fixed XML feeds incorrectly reported as XSLT on XHTML documents (thanks mmcspadden for report)
x Updated zh-CN translation
x Updated el-GR translation

v 1.9.2.4
=====================================================================
+ Improved Gecko <= 1.9.1 support
x Updated nl-NL translation
x Fixed notification icons broken on Minefield (Fx 3.6a1pre)
x Fixed blocked objects in "restrictions on trusted sites" mode not being counted for "partially allowed" reporting

v 1.9.2.3
=====================================================================
+ Localization-agnostic title for configuration sync bookmark
+ Localizable info page when opening the configuration sync bookmark
x Fixed external XSLT sources not being reported in NoScript menus even if blocked unless a different type of active content comes from the same origin
+ A "NoScript development support filterset" gets added to AdBlock Plus, whitelisting the noscript.net, flashgot.net, informaction.com and hackademix.net web sites recently broken by an aggressive EasyList campaign against sites sponsoring NoScript development. ABP users are informed both on the install and on the release notes pages, so they can easily disable the filterset if they wish to.

v 1.9.2.2
=====================================================================
+ Performance optimization of preferences bookmark-based persistence
x Fixed residual object blocking glitches (thanks Aerik, Pirlouy and Endor)

v 1.9.2
=====================================================================
+ Experimental "Backup NoScript configuration in a bookmark for easy synchronization" feature (enable it in "NoScript Options|General")
x Fixed potential DNS leak in some proxied setups when opening URLs with FQDNs as their hostnames (thanks Rolf Wendolsky for report).

v 1.9.1.91
=====================================================================
x Fixed notifications reporting "Forbidden" on some partially allowed pages

v 1.9.1.9
=====================================================================
x Fixed notifications reporting "Partially allowed" on fully allowed pages (thanks Grant Parris for report)
x Fixed source code (view-source: originated) POST requests being turned into GET requests

v 1.9.1.8
=====================================================================
+ New "partially allowed subcontent" icon to indicate that the top site is blocked but some active sub-content (e.g.
plugin objects or frames) is enabled
+ New script sources inventory behavior reporting "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed unless their hosting document is allowed too
+ New "noscript.clearClick.subexceptions" preference to list sources of embedded content which don't need to be protected by ClearClick
x ClearClick compatibility with the "ShareThis" extension

v 1.9.1.7
=====================================================================
x Fixed multiple placeholder regression on Gecko < 1.9 (Firefox 2.x)

v 1.9.1.6
=====================================================================
+ Improved ClearClick specificity on zoomed pages (fixes a false positive on GMail's Flash-based attach link when zoom is active)
x Temporarily disabled ClearClick on 3.6a1pre because of bug 486200

v 1.9.1.5
=====================================================================
+ XSLT stylesheets are regarded as active content and blocked by default on untrusted documents and/or from untrusted origins
+ "Forbid IFrame" compatibility with the Google Notebook extension (thanks chojrak11 for RFE)
x Fixed HTTP not enforced on redirected background requests (thanks al_9x for report)
x Fixed work-around for bug 453825 work-around causing unhandled error messages visible in Firebug (thanks Pavol Goga for report)

v 1.9.1.4
=====================================================================
x Fixed placeholder size miscalculation for hidden blocked objects (thanks al9_x for report)
x Fixed HTTPS enforcing on documents causing an initial aborted HTTP documents request on Gecko < 1.9 (thanks al_9x for report)

v 1.9.1.3
=====================================================================
x Fixed URIPatternList glob compiling bug (thanks mattmcutchen)

v 1.9.1.2
=====================================================================
+ HTTPS forced on background requests (images, stylesheets, scripts, embeddings, AJAX...)
as well (thanks mattmccutchen's RFE)
+ Fennec 1.0b1 compatibility

v 1.9.1.1
=====================================================================
x Fixed XSS false positive on SAMLP payloads (thanks MysticOrchid for reporting)

v 1.9.1
=====================================================================
x ClearClick performance boost on crowded documents
x Updated French translation
x Reduced log spam on content blocking

v 1.9.0.92
=====================================================================
+ Yieldmanager script surrogate (thanks orngjce223 for suggestion)
x Fixed "Attempt to fix JavaScript links" causing middle-clicks to open JS link targets twice on Gecko 1.8 (thanks therube for report)

v 1.9.0.91
=====================================================================
+ ClearClick incident reporting tool

v 1.9.0.9
=====================================================================
x Fixed 20 seconds hang in injection checker on URLs containing long sequences of the "<" character

v 1.9.0.8
=====================================================================
x Work around for Mozilla bug 453825

v 1.9.0.7
=====================================================================
x Work around for SimpleViewer and other Flash movies replaced with innerHTML breaking on nsIContentPolicy presence (thanks Steffen Zahn for reporting).

v 1.9.0.6
=====================================================================
x Fixed page-level surrogates in subframes being executed too early to be effective (thanks GossamerGremlin for report)
x Work-around for bug 4066046 (thanks Alice0755)
x Fixed incompatibility with the wfx_Versions extension (thanks Archaeopteryx for report)
x Fixed double activation for nested OBJECT elements, e.g.
apple.com QuickTime movies (thanks al_9 for report)
x Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20 (thanks al_9x for report)

v 1.9.0.5
=====================================================================
+ Upper limits for JS link detection loop (thanks Wladimir Palant)
+ about:certerror added to the intrinsic whitelist
+ ClearClick compatibility with the Link Alert extension
+ 3rd party script blocking improvements
x Updated Slovak translation

v 1.9.0.4
=====================================================================
x Fixed XHTML namespacing issues (thanks dhouwn for report)

v 1.9.0.3
=====================================================================
x Fixed E4X hijacking false positive with scripts delimited by XML comments and containing XML (thanks Jim Mattfield for report)

v 1.9.0.2
=====================================================================
x Fixed X-FRAME-OPTIONS not working inside OBJECT elements (thanks Joris van der Wel for report)
x Restored broken compatibility with Seamonkey 1.0.x (thanks James Andrewartha for report)

v 1.9.0.1
=====================================================================
x Work around for edge case false positive on plugins embedded in cross-site framesets (thanks therube for report)

v 1.9
=====================================================================
+ Improved ClearClick sensitivity (thanks Eric Lawrence for report)

v 1.8.9.9
=====================================================================
+ Experimental X-FRAME-OPTIONS compatibility support (see http://hackademix.net/2009/01/29/x-frame-options-in-firefox/ and http://evil.hackademix.net/frameopts/ )
x Updated pt-BR translation
x Fixed freeze on Poken URLs (thanks ksdz for report)
x Fixed URIs nested in query string being normalized with trailing slash (thanks Benny Brostrup and Carsten for reporting about login.service.csc.dk)

v 1.8.9.8
=====================================================================
+ Support for
page-level surrogate scripts, executed before pages whose URL matches sources patterns starting with "@" start loading
x Enhanced "catch all" Google Analytics surrogate (thanks Jesse Andrew for reporting)
x Refactored the Silverlight IsVersionSupported() patch to use ScriptSurrogate.execute()
x Streamlined Silverlight support
+ Instant placeholders, being shown before page finishes loading

v 1.8.9.7
=====================================================================
x Improved script surrogation reliability
x Fixed URIValidator preferences not being updated at runtime
x Updated Swedish locale

v 1.8.9.6
=====================================================================
+ Evernote compatibility hacks

v 1.8.9.5
=====================================================================
+ Stricter checks for the "Attempt to fix JavaScript link" feature and emulation of form submission links (thanks Jah for report)

v 1.8.9.4
=====================================================================
x Fixed minimum sized placeholder potentially exceeding smaller frames (thanks greenhatch for report about BetFair's menu)
x Fixed ClearClick form bounds miscalculation with negative coords (thanks Zjakki Willems for report about BlogSpot's search feature)
x Fixed document loaded in a nested iframe when enabling a blocked legacy frame

v 1.8.9.3
=====================================================================
+ Extensible script surrogate mechanism (surrogating Google Analytics by default, look at noscript.surrogate.* in about:config)
+ noscript.placeholderMinSize (default 32) forces a minimum pixel size on object placeholders
x Cleaned up noscript.jsHack for custom usages

v 1.8.9.2
=====================================================================
x Fixed page loading stalled sometimes when the final destination of a redirected script inclusion gets blocked by NoScript

v 1.8.9.1
=====================================================================
x Fixed 3rd party script
files starting with an XML comment being "swallowed" (breaking myway.com, netaddress.com and others)

v 1.8.9
=====================================================================
+ New noscript.clearclick.exceptions preference to specify URL patterns of pages where clickjacking shouldn't be checked
x *.ebay.com ClearClick exception to temporarily work-around a false positive on one-click bids too difficult to reproduce
x Performance optimization of the JSON and E4X hijacking protection
x Compatibility with Amazon one-click
x Removed __count__ usage triggering a deprecated warning in Fx 3.0.x
x Relaxed XSS checks from same-domain HTTPSHTTP requests
x Improved E4X hijacking detection, skips leading XML comments in scripts (http://forums.mozillazine.org/viewtopic.php?p=5488645)
x Updated Japanese translation

v 1.8.8.95
=====================================================================
+ JSON and E4X hijacking protection (Gecko >= 1.9.0.4 required)

v 1.8.8.94
=====================================================================
x Removed a potential document leak

v 1.8.8.93
=====================================================================
x Improved accuracy of the new simulated onchange event handler

v 1.8.8.92
=====================================================================
x Work-around for 1.9.2a1 Components.utils.lookupMethod() breakage
x Restored placeholder outline on 1.9.2a1

v 1.8.8.91
=====================================================================
+ Added browser-built-in about:xyz URLs to the permanent whitelist
+ Simulated onchange event handling for simple HTML select drop-down with URL-like options
x Work-around for bug 453825 triggered by hack for bug 472495 and breaking smugmug.com Flash-based fullscreen slideshows (thanks Daniel Dorau for reporting)

v 1.8.8.9
=====================================================================
+ New zoom-guessing algorithm, giving more accurate results than nsIMarkupDocumentViewer.fullZoom built-in
property, to fix ClearClick false positives at some fractional zoom levels

v 1.8.8.8
=====================================================================
+ Kazakh translation (thanks Baurzhan Muftakhidinov)
x ClearClick optimization by canvas recycling
x Work-around for bug 472495

v 1.8.8.7
=====================================================================
x Work-around for Windows Media Player embedded objects missing video streams under some circumstances (thanks AteUte52 for reporting)

v 1.8.8.6
=====================================================================
x Fixed ClearClick false positive on very narrow frames (e.g. on http://horseracing.betfair.com - thanks greenhatch for reporting)
x Fixed XSS false positive on very long indexed CGI parameters lists (e.g. on http://pingoat.com - thanks Daethian for reporting)

v 1.8.8.5
=====================================================================
x Further optimization of Base64 injection checks
x More accurate clipping of scrolling frames in ClearClick

v 1.8.8.4
=====================================================================
x Performance optimization of Base64 injection checks (thanks Dave Griffiths for reporting an Ebay chatroom issue)

v 1.8.8.3
=====================================================================
+ More specific injection checks for scriptless targets
+ Compatibility with the Fire.fm extension
x Fixed sporadic swallowed clicks on Google Street View

v 1.8.8.2
=====================================================================
x Fixed file:/// not showing anymore in NoScript menus

v 1.8.8.1
=====================================================================
x Fixed possible long-running loop on complex JSON-like requests

v 1.8.8
=====================================================================
x Fixed rare ClearClick false positives on the bottom edge of scrolling frames
x Fixed ClearClick false positive on some cnbc.com videos

v 1.8.7.8
=====================================================================
+ Compatibility with Fennec Alpha 2

v 1.8.7.7
=====================================================================
+ InjectionChecker checks HTML injections on untrusted targets too
+ Chained and nested JSON support (necessary to gracefully handle some Facebook APIs)
x Fixed overly aggressive data: URL sanitization
x Fixed sites whose URL doesn't support host not showing in menu (thanks timeless for report)

v 1.8.7.6
=====================================================================
x Improved specificity for "location=code" injection checks
x Compatibility with Facebook Connect JSON patterns

v 1.8.7.5
=====================================================================
x Heavy optimization of JSON reduction routine (up to 100x speedup), thanks Brian Krebs and Amy Buzby for reports and samples
x Fixed top-level plugin content difficult to allow by clicking its placeholder when other plugin-interacting extensions are active

v 1.8.7.4
=====================================================================
+ Contextual disablement with visual feedback for "Revoke temporary permissions" and "Temporarily allow all on this page" toolbar buttons (thanks WAPCE for suggestion).
x Improved early detection of event attribute XSS
x Updated Arabic translation by Khaled Hosny

v 1.8.7.3
=====================================================================
x Better viewport framing when scrollbars are present (thanks timeless for report)
x Compatibility with Firefox 3.2a1pre

v 1.8.7.2
=====================================================================
x Work-around for Google Toolbar 5 Beta conflict
x Work-around for newTabURL incompatibility
x Adaptation to bug 464754

v 1.8.7.1
=====================================================================
x Fixed issues with noscript.forbidIFrameContext = 0 (thanks Aerik for report)

v 1.8.7
=====================================================================
+ Updated zh-CN locale
+ Enhanced interaction with AdBlock Plus tabs appearing over NoScript placeholders
+ Flash-specific placeholder icon
+ Java-specific placeholder icon
+ Silverlight-specific placeholder icon
+ Improved ClearClick compatibility with Google Street View (thanks natron for report)
+ Finer grained object reload algorithm for mass permission changes from the "Blocked objects" menu (thanks Cinthya Wells for report)

v 1.8.6.4
=====================================================================
+ Improved compatibility with AdBlock Plus, by ensuring NoScript is always the latest content policy to run

v 1.8.6.3
=====================================================================
x Fixed automatically hidden notification bar making the open menu disappear sometimes (thanks w-sky for report)

v 1.8.6.2
=====================================================================
x More consistent menu items with non-standard port sites

v 1.8.6.1
=====================================================================
x NoScript doesn't attempt to force placeholders visibility or size anymore, in order to minimize layout alteration (use the "Blocked objects" menu to enable less visible objects)
x Improved frame/iframe placeholder accuracy
x Fixed ClearClick
false positive on http://www.st-audio.de

v 1.8.6
=====================================================================
+ Greatly increased sticky menu / Fennec UI responsiveness
+ Refactoring of ClearClick's document patching code
- Removed translucency transition from sticky menu
x Extra QA for release
x Updated localizations

v 1.8.5.5
=====================================================================
+ Better algorithm to handle semi-transparent elements, preventing edgy ClearClick false positives (e.g. sign-in menu on try.soup.io)

v 1.8.5.4
=====================================================================
+ Better algorithm to "single out" plugin content prevents edgy ClearClick false positives with absolutely positioned elements overlaying transparent plugin content, like in NFL.com scores page
+ Improved ClearClick plugin object snapshots

v 1.8.5.3
=====================================================================
x Fixed ClearClick false positives on absolutely positioned elements exceeding document size (thanks Apoc2400)

v 1.8.5.2
=====================================================================
x Improved ClearClick panning algorithm reducing false positives on partially hidden benign plugin content

v 1.8.5.1
=====================================================================
x Fixed minor CSS error breaking the "Forbid scripts globally" icon

v 1.8.5
=====================================================================
+ ClearClick enablement options on the ClearClick warning dialog
+ ClearClick session whitelist
x Forced non-sticky behavior when there's just one site to allow and noscript.sticky.liveReload is unset
x Fixed placeholders not working on Fx 3.1

v 1.8.4.93
=====================================================================
x Fixed mp3.walmart.com crash

v 1.8.4.92
=====================================================================
x Tweaked keyboard-triggered popup position
x Fixed "Allow global" menuitem not working
x Fixed "About" dialog's links not working
x Base64 XSS decoding tweaks
x Notification bar tweaks

v 1.8.4.91
=====================================================================
+ Support for XSS origin anchored exceptions, starting with "^@"
x Improved accuracy of ClearClick subframe management near borders

v 1.8.4.9
=====================================================================
x ClearClick false positives on large "guillotined" Flash applets reduced by trimming a 20% border (thanks Scott Gale for report)

v 1.8.4.8
=====================================================================
x Fixed about:xyz URLs matched literally without dropping search and fragment (thanks Daniel Holbert for report)
x Fixed parts of the sticky menu staying persistently translucent (thanks Aerik for report)

v 1.8.4.7
=====================================================================
x Restored old positioning algorithms for context menus

v 1.8.4.6
=====================================================================
x Fixed top-level automatic allow not working with non-standard port numbers (thanks Ulobor for report)

v 1.8.4.5
=====================================================================
x Fixed clicking on icon not hiding menu on Fx 2
x Fixed Entrecard ClearClick false positive
x Fixed AntiXSS filter false positive on some forum ads

v 1.8.4.4
=====================================================================
x Fixed menu usability issues on Fx 2

v 1.8.4.3
=====================================================================
+ Sticky UI enabled by default for all left click popups except the one on the notification bar
x Fixed off-screen status icon context menu on Fx 2
x Further tweaks in menu positioning and sticky UI usability
x Fixed ClearClick checks causing changes in framed form appearance

v 1.8.4.2
=====================================================================
+ Click-driven scroll buttons for sticky menu on Fennec
+ Several accessibility and appearance
sticky menu improvements
x Fixed keyboard-triggered sticky menu unusable on maximized browser windows (thanks Alan Baxter for report)

v 1.8.4.1
=====================================================================
x Fixed incompatibility causing Tor Button to endlessly reload the page when disabled.

v 1.8.4
=====================================================================
+ Official Fennec support
+ Enabled ClearClick on trusted sites by default
+ Improved ClearClick internal whitelisting
+ Port numbers (mostly) ignored in site matching by default
+ Experimental "sticky" menu UI (default for Fennec toolbar button, attached to ctrl+shift+S shortcut on other browsers)
+ noscript.sticky.liveReload about:config preference can be used to turn on automatic reload during operation on the new sticky menu
+ noscript.sticky about:config preference turns on sticky menu for left-click on the status bar icon

v 1.8.3.9.1
=====================================================================
x Fixed regression from experimental Fennec support, placeholder not working sometimes (thanks Alan Baxter for report)

v 1.8.3.9
=====================================================================
+ First experimental Fennec-compatible build
x Fixed Torbutton global Javascript-disablement issue

v 1.8.3.8
=====================================================================
x Fixed ClearClick false positive on semi-transparent Flash objects overlapping other content elements (thanks txhawkeye for report)

v 1.8.3.7
=====================================================================
x Restored Silverlight blocking on trusted pages for Firefox 2.0.x (thanks al_9x for report)

v 1.8.3.6
=====================================================================
+ Malay translation (thanks Joshua Issac)
+ Croatian translation (thanks Stiepan A.
Kovac)

v 1.8.3.5
=====================================================================
x Fx 3.1 compatibility for JavaScript keyword bookmarklets and JS URLs entered in the location bar

v 1.8.3.4
=====================================================================
x Fixed Blocked Objects menu ordering issue (thanks Andy R.)
x Fixed forced visibility issue with ClearClick-checked embeddings
x Fixed inter-confessional "Make temporary permissions permanent" bug (thanks Alan Baxter for reports)

v 1.8.3.3
=====================================================================
x Fixed redirection issue (thanks pumaro for report)

v 1.8.3.2
=====================================================================
x Fixed problem with tab navigation on forms inside frames (thanks vivek for report)

v 1.8.3.1
=====================================================================
x Fixed notification bar not disappearing after allowing everything
x Fixed edge ClearClick cases with FullZoomed pages (thanks Sirdarckcat for report)

v 1.8.3
=====================================================================
x ClearClick work-around for misleading snapshot artifacts with justified text (thanks tmr250z for report)
x Fixed redirection blocking issue causing some pages to hang in "loading..."
status for a long time (thanks Mel Reyes for report)

v 1.8.2.95
=====================================================================
x Fixed click swallowing issues with scaled images (thanks Alan Baxter for reporting)
x Fixed about:blank invisible frames shouldn't be opaqued (thanks Mc for reporting)

v 1.8.2.94
=====================================================================
x Fixed ClearClick false positive when transparent plugin content has a visible HTML background (thanks therube for reporting)
x Fixed rendering glitch at the bottom of pages where notification bar is removed (thanks Bill Peavy for reporting)

v 1.8.2.93
=====================================================================
x Fixed random internal class name generation issue
x Enhanced "opaque embed" style

v 1.8.2.92
=====================================================================
x Fixed broken clicks on some frames (1.8.2.91 regression)

v 1.8.2.91
=====================================================================
x Fixed some "Opaque embedded objects" glitches

v 1.8.2.9
=====================================================================
x Improved viewport bounds matching
x Fixed incompatibility with iMacros (thanks OneMen)
x Fixed redirected frames 404 issue (thanks pumaro)

v 1.8.2.8
=====================================================================
x More aggressive bound trimming (for elements sized 24x24 or more) fixes false positives on Yahoo! Movies
x Semantic containers being ignored by ClearClick fixes issues with Yahoo!
Mail

v 1.8.2.7
=====================================================================
x Better algorithm for ClearClick form expansion
x Work-around for scaled images causing broken screenshots
x Automatic scrollbars are not considered while taking screenshots

v 1.8.2.6
=====================================================================
x Bounds trimming for elements with size greater than 64x64 to take into account fancy CSS overlay borders (like on last.fm player, thanks tmr250z for report)
x Fixed Gecko 1.8.x complaints about missing getElementsByClassName (thanks therube for report)

v 1.8.2.5
=====================================================================
x Fixed external protocols (mailto:, e2k:...) not working outside frames (thanks Robert Janc for reporting)

v 1.8.2.4
=====================================================================
x Fixed late breaking POST injection checker regression, causing problems on some forms

v 1.8.2.3
=====================================================================
x Fixed minor horizontal offset miscalculation regression, causing weird snapshots under some scrolling conditions (incidentally, also on NoScript's install button - thanks Chuck Linart for report)

v 1.8.2.2
=====================================================================
+ Adapted Frame Break Emulation to alternate framebusting idioms
+ Several localization updates
+ Added a separate "Forbid FRAME" option for legacy FRAME elements (thanks Office Angel, al_9x and Chaosas for request and discussion)
+ Legacy FRAMEs nested inside IFRAMEs are forbidden by default if IFRAME blocking is on (about:config noscript.forbidMixedFrames)
x Fixed some ClearClick false positives when enabled for trusted sites or with some extensions mixing content and chrome
x Fixed mailto: URIs not working inside frames
x Fixed various typos in English localization of new features
x Restored compatibility with Fx 1.5.0.x (thanks Kevin for help)

v 1.8.2.1
=====================================================================
x ClearClick technology backported to Gecko 1.8.1 based browsers such as Firefox 2.0.x and SeaMonkey 1.1.x

v 1.8.2
=====================================================================
+ New "ClearClick" protection, specifically addressing Clickjacking, Clickjacket and other UI-redressing vulnerabilities: UI interaction with embedded objects is disabled if they're obstructed or not clearly visible (thanks Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for inspiration and discussion)
+ "ClearClick protection" and "Opacize embedded objects" controls in "NoScript Options|Plugins", to enable/disable them on untrusted and/or trusted pages
+ Frame breaker emulation for frames where JS is disabled, controlled by the noscript.emulateFrameBreak about:config preference
x Fixed recursion problem with new legacy frame management
x Changed noscript.forbidIFrameContext default to 2 (allow same domain) unless "forbid non-HTTPS active content" is enforced: if this is the case, scheme must be the same as well.
v 1.8.1.9
=====================================================================
+ Opacized objects are forced to a minimum size of 50x50 pixels
+ Opacized iframes get automatic scrollbars when content overflows (thanks RSnake for discussion)
+ Enhanced legacy frames management (thanks RSnake for report)
x OBJECT elements embedding documents are treated like IFRAMEs
+ Improved Allow Page commands on pages changing document.domain

v 1.8.1.8
=====================================================================
x Refined anti-clickjacking opacization triggers to defeat malicious delay attempts (thanks Sirdarckcat for discussion)
x Ignore port number when checking permissions for script inclusion (thanks Vito Delre for zshare.net upload report)

v 1.8.1.7
=====================================================================
+ Specific "clickjacking" countermeasure working on non-whitelisted pages by default even if "Forbid IFRAME" is not checked: all plugin objects and frames are forcibly rendered opaque when embedding page is not in your whitelist.
If you want to protect whitelisted pages, the best protection is still checking "Forbid IFRAME" together with "Apply these restrictions to trusted site as well" in the Plugins options panel (thanks Sirdarckcat for brainstorming)

v 1.8.1.6
=====================================================================
x Lowered sensitivity to javascript: URLs (thanks C@rb0n for report)
x Fixed HTTP redirections from sites marked as untrusted forbidding JavaScript on the landing page even if whitelisted (thanks Willsee for reporting)

v 1.8.1.5
=====================================================================
x Fixed HTTPS cookie downgrading regression introduced in 1.8.1.4

v 1.8.1.4
=====================================================================
+ Leading regexp-like patterns reduction in InjectionChecker (thanks Nick Fnord for issue reporting)
x Fixed conflict with some extensions authenticating to web sites, like Google Reader Notifier (thanks naviretlav for report)

v 1.8.1.3
=====================================================================
x Fixed further "HTTPS|Automatic Secure Cookie Management" glitches affecting lwn.net and DNN (thanks Matthew Hile and LWN for reports)
x Localization updates
x Fixed http://*.sub.domain:1234 site matching working only with "0" (wildcard) port (thanks t3chnomanc3r for report).
x Fixed Torbutton JS status reporting

v 1.8.1.2
=====================================================================
x Switched "HTTPS|Automatic Secure Cookie Management" off by default: even if all the reported login issues (especially the ebay.com one) have been fixed, it probably deserves more testing from opt-in volunteers before a general "default-on" release
+ Unsafe cookies can be handled either globally (default), or per tab (noscript.secureCookies.perTab)
x Fixed "force HTTPS" not working across some redirection patterns

v 1.8.1.1
=====================================================================
+ On the fly patching of bookmarklets using setTimeout() executed on untrusted pages
x Fixed Automatic Secure Cookie Management preventing log in on ebay.com and other complex multi-domain sites

v 1.8.1
=====================================================================
x Fixed minor bugs in automatic fall-back for insecure cookies
x Updated localizations

v 1.8.0.7
=====================================================================
+ Panel for HTTPS-related options in the "Advanced" section
+ New Tor-friendly whitelist behaviours configurable in NoScript Options|Advanced|HTTPS: you can choose to apply the active content whitelist on HTTPS sites only, either always or just when a proxy is in use.
x Better "automatic" behavior for securing cookies: we check HTTPS response setting cookies and
  1) if host is in the noscript.secureCookiesExceptions list we let it pass through
  2) if host is in the noscript.secureCookiesForced list we append a ";Secure" flag to every non-secure cookie set by this response
  3) otherwise, we just log unsafe cookies BUT if no secure cookie is set, we patch all these cookies with ";Secure" like in #2.
However, if a navigation from an encrypted to a non-encrypted part of the same site happens in the same tab, NoScript removes its ";Secure" patch to ensure compatibility.
When it happens, this event is logged to the Error Console with advice to try forcing HTTPS for this site.

v 1.8.0.6
=====================================================================
+ Changed "Forced Secure Cookies" enablement policy to per domain opt-in, controlled by the noscript.secureCookiesForced about:config preference. HTTPS sites listed in this preference get their Set-Cookie headers patched with the Secure flag, sites listed in noscript.secureCookiesException are ignored and the others have their non-secure cookies logged in the Error Console.
+ Experimental noscript.httpsForced about:config preference listing domains where HTTPS should be forced (HTTP requests are forcibly redirected to their HTTPS version by NoScript)

v 1.8.0.5
=====================================================================
+ Experimental "Forced Secure Cookies" feature, mitigates HTTPS cookie hijacking attacks (http://tinyurl.com/cookiehijack). Enabled by default, it can be disabled either globally, by toggling the noscript.secureCookies about:config preference, or for specific domains only, by listing them (space or comma separated) in the noscript.secureCookiesException about:config preference.
Ref: http://hackademix.net/2008/09/10/noscript-vs-insecure-cookies/

v 1.8.0.4
=====================================================================
x Fixed GMail external login and GToolbar activation issues (thanks mldgr and Dan Virkler for reporting)

v 1.8.0.3
=====================================================================
x Work around for weird meez.com object "code" attribute usage with java: prefix (thanks sarai18 for reporting)

v 1.8.0.2
=====================================================================
x Improved InjectionChecker.reduceXML() method to work with whole documents rather than just fragments, removing an XSS false positive on outsourced GMail logins (thanks PrinceofWeasels for report)

v 1.8.0.1
=====================================================================
x Tweaked bracket balancing algorithm (thanks Buherátor for report)

v 1.8
=====================================================================
+ "Make page permissions permanent" command
+ Meaningful tooltip for "Allow all in this page" and "Temporarily allow all in this page", listing affected sites
+ More meaningful tooltip for Revoke Temporary Permission, listing affected sites and counting affected objects (Gecko >= 1.9)
x Rationalized keyboard accelerators for English menu items

v 1.7.9.3
=====================================================================
x Fixed excessive substitutions in nested query string sanitization (thanks David Lubertozzi for reporting)
x Fixed POST data removal in cross-site requests from null origins causing Google Gear not to work (thanks obatron for report).
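Added example (not part of the NoScript changelog and not NoScript's own code): the automatic secure-cookie decision described under v 1.8.0.7 above, modelled in JavaScript together with the HTTPS-to-HTTP fallback. Only the three rules and the preference names come from the changelog; the function names, the subdomain matching rule, the "same hostname" test and the sample headers are assumptions made for this illustration.

```javascript
// Illustration of the v 1.8.0.7 rules for Set-Cookie headers on HTTPS responses.
// Not NoScript source: helper names, host matching and sample data are assumed.

// Preference values are space- or comma-separated host lists (see v 1.8.0.5).
function parseHostList(pref) {
  return pref.split(/[\s,]+/).filter(Boolean).map((h) => h.toLowerCase());
}

// Assumption: a list entry covers the host itself and its subdomains.
function hostInList(host, list) {
  const h = host.toLowerCase();
  return list.some((entry) => h === entry || h.endsWith("." + entry));
}

// True if a Set-Cookie header value already carries the Secure attribute.
// The name=value pair is skipped so a cookie named "secure" is not a match.
function isSecure(setCookie) {
  return setCookie
    .split(";")
    .slice(1)
    .some((attr) => attr.trim().toLowerCase() === "secure");
}

function addSecure(setCookie) {
  return isSecure(setCookie) ? setCookie : setCookie + ";Secure";
}

// Apply rules 1-3 to the Set-Cookie headers of one HTTPS response.
function processHttpsResponse(host, setCookies, prefs) {
  const exceptions = parseHostList(prefs.secureCookiesExceptions || "");
  const forced = parseHostList(prefs.secureCookiesForced || "");
  const unsafe = setCookies.filter((c) => !isSecure(c));

  // Rule 1: hosts in the exceptions list pass through untouched.
  if (hostInList(host, exceptions)) {
    return { rule: "exception", headers: setCookies.slice(), logged: [], patched: false };
  }
  // Rule 2: hosts in the forced list get ";Secure" on every non-secure cookie.
  if (hostInList(host, forced)) {
    return { rule: "forced", headers: setCookies.map(addSecure), logged: [], patched: unsafe.length > 0 };
  }
  // Rule 3: log unsafe cookies; patch them only if the response sets no
  // secure cookie at all (a site that mixes both is left alone).
  const noneSecure = setCookies.length > 0 && unsafe.length === setCookies.length;
  return {
    rule: "automatic",
    headers: noneSecure ? setCookies.map(addSecure) : setCookies.slice(),
    logged: unsafe,
    patched: noneSecure,
  };
}

// Compatibility fallback: an HTTPS -> HTTP navigation inside the same site and
// tab removes the automatic patch. Assumed here: it applies to rule 3 only,
// and "same site" is simplified to "same hostname".
function shouldUnpatch(decision, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return (
    decision.rule === "automatic" &&
    decision.patched &&
    from.protocol === "https:" &&
    to.protocol === "http:" &&
    from.hostname === to.hostname
  );
}

// Constructed sample input (hosts and cookies are made up).
const SAMPLE_PREFS = {
  secureCookiesExceptions: "legacy.example",
  secureCookiesForced: "bank.example, mail.example",
};
const SAMPLE_RESPONSES = [
  ["www.legacy.example", ["sid=1; Path=/"]],
  ["bank.example", ["sid=1; Path=/", "t=2; Secure"]],
  ["shop.example", ["sid=1; HttpOnly", "lang=en"]],
  ["shop.example", ["sid=1; Secure", "lang=en"]],
];

for (const [host, cookies] of SAMPLE_RESPONSES) {
  const d = processHttpsResponse(host, cookies, SAMPLE_PREFS);
  console.log(host, d.rule, JSON.stringify(d.headers), "logged:", d.logged.length);
}
```

The last two sample responses show why rule 3 looks at the whole response: the same host is patched when it sets no secure cookie, and only logged when it already marks one cookie Secure.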
v 1.7.9.2
=====================================================================
x DOS checks in InjectionChecker base64 decoding routines (thanks WHK and Sirdarckcat for PoC and reporting)

v 1.7.9.1
=====================================================================
x Various localization fixes (thanks Francesco Lodolo)
x InjectionChecker optimization over complex XML fragments

v 1.7.9
=====================================================================
x Fixed JS button auto-navigation problem with relative URLs
+ JavaScript redirections detected also in the onload attribute of the body element (thanks timeless)

v 1.7.8.5
=====================================================================
x Partially restored Untrusted menu behavior to allow blacklisting subdomains of a trusted domain

v 1.7.8.4
=====================================================================
x Fixed very large uploads (250MB and above) causing XSS false positives (thanks sharpie)

v 1.7.8.3
=====================================================================
x Fixed XPC error during certain uploads causing XSS false positive (thanks sharpie)

v 1.7.8.2
=====================================================================
x Fixed wrong "Allow all this page" label in Appearance options panel
x Fixed tab character in mailto: URLs triggering sanitization and all new line characters being turned into spaces (thanks Claudio Salazar Moyano for reporting)

v 1.7.8.1
=====================================================================
+ "Allow all this page" menu item
+ "Temporarily allow all this page" toolbar button
+ "Revoke temporary permissions" toolbar button
x Removed "Mark as untrusted" menu items for explicitly whitelisted sites (thanks BigRedBrent for suggestion)

v 1.7.8
=====================================================================
x InjectionChecker optimization to skip neutral dotted patterns (thanks Sirdarckcat for reporting)
+ JS link fixing works also with JS buttons
x Fixed IFrame always blocked if port number differs from parent and noscript.forbidIFramesContext is 3 (thanks al_9x for reporting)
x Fixed reload inconsistencies in blacklist mode (thanks therube)
x Changed noscript.autoReload.global default back to true, but global permission changes will cause reload only for the current tab, unless noscript.autoReload.allTabsOnGlobal is set to true

v 1.7.7.6
=====================================================================
+ Improved bracket balancing in syntax checks for short expressions
+ New "partially untrusted" and "untrusted" status icons for Globally Allow (GA) mode
+ Less confusing "Mark as untrusted" commands are shown in GA mode instead of "Forbid"
x Fixed sticky "Revoke temporary permission" command after operating temporary permissions for the same site both in GA and GF mode (thanks Alan Baxter for reporting)
x Fixed status bar icon disappearing when forbidding a site in GA mode
x Other minor bug fixes in GA blacklisting mode (thanks Alan Baxter and therube for reporting)
x Fixed Silverlight issues (thanks Urbane.Tiger)
x Changed noscript.autoReload.global default to false (global permission changes won't cause an automatic reload)

v 1.7.7.5
=====================================================================
x Separate temporary whitelists for normal and Globally Allow modes

v 1.7.7.4
=====================================================================
x Better behaved Seamonkey classic installer on Linux

v 1.7.7.3
=====================================================================
x Temporary whitelist is automatically revoked if user switches to "Allow scripts globally": this way temporarily allowed sites can't be accidentally marked as untrusted by manually revoking or restarting while still in global mode (thanks lakrids for report)

v 1.7.7.2
=====================================================================
x Fixed over-zealous sanitization on untrusted requests when URL is not UTF-8 encoded
(thanks Sven Schoderboeck for report)
x Improved KMeleon compatibility (thanks jk-)

v 1.7.7.1
=====================================================================
+ InjectionChecker tests also POST data uploaded from trusted sources
x Tweaked URL checking to recognize and bypass bracketed session IDs (thanks benizi for report)
x Double overlay of bookmark code prevented (thanks stansmith)
x Fixed resetting preferences does not affect Global Allow mode (thanks Alan Baxter for report)
x Fixed XSS false positive on some bracketed Ebay search queries (thanks Lucas Malor for report)
x Better cache handling on plugin document reload (thanks Alan Baxter for report)

v 1.7.7
=====================================================================
x QA for release
x Localization updates
x Moved changelog online and removed full GPL text to reduce XPI size

v 1.7.6.4
=====================================================================
x Dramatic (100:1) InjectionChecker performance boost on very long strings (thanks Lucas Malor for reporting)

v 1.7.6.3
=====================================================================
x InjectionChecker speed optimization for over-complex Bugzilla search queries (thanks Lucas Malor for reporting)

v 1.7.6.2
=====================================================================
x Main site always on the bottom of the menu even if subdomains are present
x "Revoke Temporary Permissions" honors the noscript.autoReload.allTabsOnPageAction preference
x Further InjectionChecker optimization for gmodules URLs

v 1.7.6.1
=====================================================================
x Fixed bookmarklets which navigate to a new location (e.g.
del.icio.us) disabling Javascript in the current tab when invoked from a non-whitelisted site (thanks dingaling for reporting)

v 1.7.6
=====================================================================
x QA for release

v 1.7.5.4
=====================================================================
+ "Temporary allow all this page" will affect the most specific targets listed in NoScript's menu among "2nd level base domains", "full domains" or "full addresses", unless it's overridden by the noscript.allowPageLevel about:config preference (1 = full address, 2 = full domain, 3 = 2nd level base domain)
x noscript.autoReload.allTabsOnPageAction about:config preference set to false by default, to prevent confusion among untrained users

v 1.7.5.3
=====================================================================
+ "Temporary allow all this page" will reload the current tab only, behavior controlled by noscript.autoReload.allTabsOnPageAction about:config preference (thanks robertmarley for hinting)
+ Whitelisting sites from NoScript Options|Whitelist obeys the noscript.untrustedGranularity preference
x Fixed "about:" DocShell being JavaScript-disabled (thanks therube for reporting)
x Fixed "about:cache" becoming unresponsive if JS link detection is enabled (thanks Martin Focke for reporting)

v 1.7.5.2
=====================================================================
+ Work-around for NewTabURL buggy detection of a new tab
x Optimization of InjectionChecker for long nested URLs, e.g.
those used by some gmodules widgets

v 1.7.5.1
=====================================================================
+ noscript.requireReloadRegExp about:config preference to force quick page reload on allowing for selected plugin mime types
+ Moveplayer plugin page reloading for one-click enablement

v 1.7.4
=====================================================================
+ Force top level site to be always the most reachable in the menu (on the bottom)
x Fixed import issue with edited lists using DOS newlines
x Minor cascading permissions bug fixes (sometimes a subdomain was not removed from the blacklist when its parent was whitelisted, leading to usability confusion because blacklist always prevails)
x Experimental work-around for a WMP crash when a page containing an embedded movie is opened in the same window where another movie is already playing (thanks SledgeFox for reporting)

v 1.7.3
=====================================================================
x Minor refinements to the docShell JS blocking machinery to make it play nice with other docShell-based permission handlers, such as Tab Mix Plus

v 1.7.2
=====================================================================
+ New values for the noscript.docShellJSBlocking preference:
  0 - no docShell JS blocking
  1 - (default) docShell JS blocking for untrusted sites (enables effective blacklists for default-deny modes)
  2 - docShell JS blocking for every non-whitelisted site (enables cross-frame inheritance of JS blocking)
x Fixed JavaScript enablement failing on some framed pages until the site is opened in a new tab (thanks rukia for reporting)
x Fixed Firefox preference window not showing with some Linux themes (thanks tom1978 for reporting)
x Fixed micro-injection false positive with 1password.com logins (thanks bwoodruff)

v 1.7.1
=====================================================================
x Fixed changing permissions on one tab reload all tabs issue (thanks redhat71 for reporting)

v 1.7
=====================================================================
+ JS redirect detector sensitivity enhancement (thanks timeless)
+ "Temporarily allow all this page" command made visible by default

v 1.6.9.9
=====================================================================
+ More consistent UI in blacklist mode
x Fixed "Allow Scripts Globally" not working anymore

v 1.6.9.8
=====================================================================
x Restored the noscript.forbidData preference to its original "true" default value (thanks Sirdarckcat for reporting an issue in the about:blank context prevented by this change)

v 1.6.9.7
=====================================================================
x Fixed malfunctioning XUL error pages issue caused by the new docShell-level JavaScript blocking
x Fixed visualization issue on the toolbar in blacklist mode when all scripts of a page are untrusted
x Hide "Revoke temporary permissions" menu item in blacklist mode

v 1.6.9.6
=====================================================================
+ New "Temporarily allow all this page" command (hidden by default, to be enabled in NoScript Options|Appearance)
+ noscript.docShellJSBlocking about:config preference controlling the new additional docShell-level JavaScript permission enforcement
+ Separators in Untrusted menu

v 1.6.9.5
=====================================================================
+ Micro event-based DOS injections detection (thanks thornmaker)
+ (EXPERIMENTAL) More consistent blacklist behavior, blocking objects even if "Scripts globally allowed" is checked, unless "Plugins|Block every object coming from an untrusted site" is off

v 1.6.9.4
=====================================================================
x Base64 decoded invalid characters handling optimization
x Regression fix: XSS exceptions not being honored (thanks hi_RAM)

v 1.6.9.3
=====================================================================
x Fixed Injection Checker false positive
regression on URIs which contain encoded newline characters (thanks Kostas)

v 1.6.9.2
=====================================================================
x Fixed Injection Checker checking ASCII 43 as a "plus" sign but not as a www-form-encoded space (thanks Sirdarckcat for report)
x Google search anti-XSS exception now checks for real TLDs, rather than short 2nd level domains (thanks Sirdarckcat for report)
+ Refactored unescaping flow, allowing for easier extension
+ Ebay-style unescaping

v 1.6.9.1
=====================================================================
+ Improved XSS JavaScript unicode escape handling
+ Recursive JSON reduction, dramatically cutting analysis time on complex JSON URLs, e.g. for some Orkut widgets
x Critical work-around for https://bugzilla.mozilla.org/show_bug.cgi?id=439276

v 1.6.9
=====================================================================
+ Firefox 3.1a1pre compatibility
x Faster Base64 injection checks

v 1.6.8.2
=====================================================================
+ Better reporting of dynamically included external scripts, e.g. ajax.googleapis.com on goosh.org

v 1.6.8.1
=====================================================================
x Fixed regression: right-click on the status bar and "open UI" keyboard shortcut broken.
v 1.6.8
=====================================================================
x Fixed false positives in new Base64 decoding Injection Checker

v 1.6.7
=====================================================================
+ Base64 decoding in URI Injection Checker, thanks Zoiz for Yahoo PoC -- see http://zoiz.web.id/xss-corner/base64-encoded-xss.html
x Extra NOSCRIPT element showing won't add SCRIPT elements on buggy pages like evite.com (thanks zgendron and other reporters)

v 1.6.6
=====================================================================
x Fixed two bytes subnet shorthands broken if protocol is specified
x Fixed subnet shorthands not matching URLs with non-standard ports
x Firefox 3.0.* version bump
x Fixed XSS false positive on block.opendns.com

v 1.6.5
=====================================================================
x Fixed XSS URL sanitization issue with some proxy configurations (thanks Philipp Gühring for reporting and testing)
x Fixed false positives caused by Image(...).jpg file names

v 1.6.4
=====================================================================
x More effective cross-site POST blocking
+ Estonian translation (thanks aivo)

v 1.6.3
=====================================================================
x Work-around for Songbird 0.5 bug (nsIEffectiveTLDService present but not really working)

v 1.6.1
=====================================================================
+ Better feedback for blacklisted items on the page, by appending untrusted sites count to "Untrusted" menu label
x Fixed bogus "allowed.yu" label for partially allowed pages where all forbidden sites are marked as untrusted

v 1.6
=====================================================================
+ Specific shadowed status icon for pages where some origins are allowed and all the remaining have been marked as untrusted
+ Reviewed Russian translation (Alexander Sokolov and Sergei Smirnov)
x Dropped blockCssScanners code (SafeHistory and SafeCache extensions
provide better prevention against navigation history sniffing)
+ Further QA for release

v 1.5.9.2
=====================================================================
x Fixed some Error Console noise (thanks timeless)
x Better Seamonkey installation algorithm (thanks therube)

v 1.5.9.1
=====================================================================
x Fixed infinite loop on some pages if noscript.blockCssScanners is true (thanks tlu and Itsnow for report)
x Placeholder compatibility with latest trunk (https://bugzilla.mozilla.org/show_bug.cgi?id=292789)
x Better installer for Seamonkey classic

v 1.5.9
=====================================================================
x Fixed regression from Songbird compatibility, making the Options button on the notification bar unusable when status bar was hidden
x Turned default for noscript.xss.trustExternal value to true
x Experimental protection against getComputedStyle() history sniffing attacks (you can enable it switching the noscript.blockCssScanners about:config preference to true)

v 1.5.8
=====================================================================
x Optimization of Injection Checker for iGoogle Calendar Widget (thanks JonCage for report)
x Fixed edge-case false positives due to URL encoding mixed with symmetric brackets (thanks Lundholm for report)
x Fixed legacy Seamonkey UI regression introduced by Songbird compatibility (thanks therube for report)

v 1.5.7
=====================================================================
+ Tweaked for Songbird compatibility
x Version bump for Firefox 3.0pre

v 1.5.6
=====================================================================
x Minor enhancements to IFRAME blocking

v 1.5.5
=====================================================================
+ Bracket balancing for inline JS literal-breaking micro injections

v 1.5.4
=====================================================================
+ InjectionChecker speed optimizations, preventing timeout on overly
complex JSON requests (thanks John Danfort for report)

v 1.5.3
=====================================================================
+ Forbid toplevel site command in bold (thanks therube)
x Fixed rare XSS false positives on iGoogle
x Fixed "allowURLBarJS" preference cannot be disabled (thanks Aerik)

v 1.5.2
=====================================================================
x Fixed unwanted blocking of some trusted Java applets (thanks Mick Bramhall for report)

v 1.5.1
=====================================================================
x Slightly revised icon set (thanks Karlosak and WAPCE for hints)
x Fixed bookmarklets invoked twice on untrusted sites (thanks al_9x)

v 1.5
=====================================================================
+ Slovenian translation (thanks Tomaž Mačus)
x Special bookmark management made compatible with Suiterunner's sidebar (thanks therube for reporting)
x Extra QA for release

v 1.4.9.9
=====================================================================
x Bookmarklet handling code adapted again to cope with methods moved from PlacesUtils to PlacesUIUtils after Fx 3 beta 4

v 1.4.9.8
=====================================================================
+ Prevention of Java applet same origin policy bypass via malformed class name (see http://tinyurl.com/2u387t)
+ Improved icons
x Fixed chrome "domain" showing in menus (thanks Aerik)

v 1.4.9.7
=====================================================================
+ New noscript.allowURLBarJS about:config preference allows javascript: and data: URLs to be run interactively from the location bar, e.g.
for bookmarklet testing, even if currently displayed site is not whitelisted (default true) + Improved overall bookmarklet compatibility on Firefox 3 x Adapted bookmarklet handling code to latest Places refactoring with openXXX() methods in PlaceUtils (thanks Tobu for report) v 1.4.9.6 ===================================================================== x Fixed "Forbid chrome:" menu items on some pages (thanks niko322) v 1.4.9.5 ===================================================================== x Version bump for Firefox 3.0b5pre v 1.4.9.4 ===================================================================== + Added client-side policy control for new Firefox 3 cross-site XHR, configurable via noscript.forbidXHR about:config preference: 0 - Allow any XHR 1 - Allow cross-site XHR across trusted sites only (default) 2 - Allow same-site XHR only (like Firefox 2) 3 - Forbid all XHR v 1.4.9.3 ===================================================================== x Fixed Firebug JS injection causing blocked IFrame x Fixed plugin document detection making Acrobat Reader plugin hang v 1.4.9.2 ===================================================================== x Minor InjectionChecker enhancements v 1.4.9.1 ===================================================================== x Reduced vertical size of NoScript options panel for better usage on constrained devices (thanks pstepper for report) v 1.4.9 ===================================================================== + Improved Silverlight object identity based on "source" param v 1.4.8 ===================================================================== + Better differentiation of Flash-based movie players and other general purpose plugin content instances by taking into account flashvars attributes and param elements. 
+ Improved Silverlight placeholders, now shown in real time and supporting more activation schemes v 1.4.7 ===================================================================== + Safe Silverlight placeholders restored by emulating the IsVersionSupported() machinery (placeholders are usually delayed by 3 secs or more) v 1.4.6 ===================================================================== x Silverlight plugin objects in content blocking mode made completely disabled (not just content-less) until they're allowed per-page x Work around for a conflict with the PDF Download extension (thanks greenknight for report) v 1.4.5 ===================================================================== x Fixed Silverlight unblocking hooks not working if all kinds of plugin content and IFrames are blocked (thanks al_9x for report) v 1.4.4 ===================================================================== + Content unblocking machinery made compatible with new Silverlight activation schemes (thanks al_9x and Alan Baxter for report) v 1.4.3 ===================================================================== + Further fuzzification of injection checker patterns x Slightly relaxed window.name checks to allow some legitimate frame tricks, e.g. 
in eBay Cross-promotions (thanks jlovie for report) x External URI validation decoding changed to accommodate ISO-8859 and other encodings, rather than UTF-8 only (thanks Alf Buccheim) v 1.4.2 ===================================================================== + Bookmarklet return values support on Mozilla trunk x Fixed mailto: empty URL (new mail message) considered invalid v 1.4.1 ===================================================================== x Fixed "onclick.match is not a function" issue when clicking on named anchors with no href (thanks wangyi6854 for report) v 1.4 ===================================================================== + Updated translations x Revised window.name injection checks to be more lenient on GModules x Extra QA for release x Fixed about dialog size to correctly show contributor list in any language v 1.3.8 ===================================================================== x Fixed eMusic incompatibilities (thanks Mel Reyes) v 1.3.7 ===================================================================== + Added wildcard type entry in Blocked Objects temporary allow menu x Fixed minor bugs in Blocked Objects menu early implementation v 1.3.6 ===================================================================== + Descriptive icon for content types when possible on object placeholders and menu items x Improved CSS injection rules (thanks Azurite for report) v 1.3.5 ===================================================================== + More consistent plugin content temporary permissions management: object permissions are granted per-session (not bound to the current tab anymore) and honor the "Revoke Temporary Permissions" command. + "Temporary allow content-type@http://site.com" commands in the "Blocked Objects" menu temporarily allow plugin content matching a certain mime type (e.g. shockwave-flash) on the whole site. 
x Increased readability of the "Blocked Objects" menu by using plain font style instead of italics even if permissions are temporary x Reduced console pollution on Linux x Work-around for XPathResult not working in sandboxed bookmarklets v 1.3.4 ===================================================================== + "Blocked Objects" menu to temporarily allow plugin content even when placeholder is hidden or not easy to see + "Block every object coming from a site marked as untrusted" option in Plugins tab (checked by default) x Further XSS filter sensibility refinement x Fixed double separators sometimes in menus (thanks niko322) x Fixed "StumbleUpon Discovery" not compatible with "Forbid IFrames" (thanks niko322) x Fixed URI protocol handler protection removing mailto: line breaks (thanks Alf Buchheim) v 1.3.3 ===================================================================== x Allow data: URIs in script src attributes on trusted sites (thanks Kravvitz for report) x Fixed "a.getAttribute is not a function" issue (thanks wangyi6854 for report) v 1.3.2 ===================================================================== + Scriptless support for history.go(x), history.forward() and history.back() links/buttons (thanks timeless for suggestion) + resource: URI path traversal protection + New "noscript.allowedMimeRegExp" about:config option to whitelist some content types not to be blocked by "Forbid other plugins", for instance "application/pdf" or "image/.*" + Plugin content is always forbidden if coming from sites explicitly marked as "Untrusted" (blacklisted). This behavior can be disabled by setting the "noscript.alwaysBlockUntrustedContent" about:config option to false (thanks NakedStranger for suggestion). x Fixed XSS false positive at mail.yahoo.com x noscript.jsredirectFollow preference more effective on blank but not empty (i.e. 
space only) body (thanks timeless for suggestion) v 1.3.1 ===================================================================== x Fixed missing plugin content placeholder regression on some gaming sites (thanks Aerik and hewee for report) v 1.3 ===================================================================== + "Revoke temporary permissions" command in NoScript floating menus + Fixed plugin content placeholder sometimes missing on background tabs Linux issue (thanks WAPCE for report) v 1.2.9.6 ===================================================================== + Better plugin content placeholder management + noscript.canonicalFQDN about:config preference to control canonicalization of domains ending with a dot. + Updated translations v 1.2.9.5 ===================================================================== + Transparent blocking of non-text frames (thanks sam41177878) v 1.2.9.4 ===================================================================== + Tweaked preliminary URL screening optimizations to enhance Injection Checker sensibility (thanks Gareth Heyes) v 1.2.9.3 ===================================================================== + Updated Injection Checker to take into account upper Unicode JavaScript identifiers (thanks Gareth Heyes) v 1.2.9.2 ===================================================================== x Further reduced false positives with post-syntax danger checks v 1.2.9.1 ===================================================================== x Fixed issues with trans-domain redirections, stacking entries in the previously viewed site's menu (thanks Hanspeter Spalinger) v 1.2.9 ===================================================================== x Set noscript.jsredirectFollow default to false x Extra QA for release v 1.2.8 ===================================================================== + Injection Checker optimization on very long query strings x Fixed OpenId XSS false positive on blogger.com (thanks dondado) v 1.2.7 
===================================================================== x Fixed Yahoo search XSS false positive by double checking valid JS fragments for potential danger (10x firefoxisgreat2008 for report) x Fixed the "form fields forgotten" issue by disabling the jsHack feature which caused it. If you need jsHack and you can afford this problem, just set the noscript.jsHackRegExp about:config preference to a regular expression matching the URLs where you want it enabled x Fixed content placeholders not showing on some sites x Fixed POST payload shouldn't be stripped as a consequence of injection checking (thanks theiago for report) v 1.2.6 ===================================================================== x Updated localizations x Extra QA for release v 1.2.5 ===================================================================== x Work-around for conflict with Tab Mix Plus dev. in Fx 3's Places (http://tmp.garyr.net/forum/viewtopic.php?t=8052) v 1.2.4 ===================================================================== x Fixed NOSCRIPT content shown in pages allowed on the fly with "Temporarily allow top-level sites" (thanks Pirlouy for report) v 1.2.3 ===================================================================== + Improved Injection Checker JSON compatibility, now recursively checking content of string attributes x Further JS syntax check optimizations x Fixed potential XBL-based crash after successful -moz-binding injection (thanks Gareth Heyes for reporting) x More discreet XSS notification for subframes v 1.2.2 ===================================================================== x Changed noscript.filterXGetRx default to make single quote removal happen only after positive injection checks (thanks sirdarckcat for suggestion) v 1.2.1 ===================================================================== x Fixed placeholder not shown for plugin content loaded in frames (thanks Apoc2400) x Revised InjectionChecker made compatible with JSON GET parameters 
(thanks "Wilderness Of Mirrors") v 1.2 ===================================================================== + Better protection against Flash-based XSS and other plugin-related cross-site attacks + Better feedback for allowable sites from embedded redirections (thanks Leo Häfliger for report) + XSS filtering in subframes gets notified (was silent by default) x Fixed temporary allowed site prevents parent from being allowed permanently (e.g. in auto-allow mode) x Fixed stand-alone WM plugin pages delayed blocking (thanks therube) x Extra QA for release x Updated localizations v 1.1.9.9 ===================================================================== + Hardened injection checker (thanks Gareth Heyes) x Better compatibility with Wikimedia sites x Fixed rtsp: and mms: plugin content always considered untrusted (thanks Florian Gerstenlauer for report) x Fixed one-click plugin activation (with no confirmation) sometimes deferred to next page refresh (thanks Erwin J. Knöll for report) v 1.1.9.8 ===================================================================== + Experimental noscript.jsHack about:config preference containing JS code to be executed before page loads in order to accommodate missing features (default implants a fake urchinTracker, see http://forums.mozillazine.org/viewtopic.php?p=3183986#3183986) v 1.1.9.7 ===================================================================== + new "Revoke temporary permissions" command + new Plugins option: "Collapse blocked objects" + new Plugins option: "No placeholder for object coming from sites marked as untrusted" x Fixed OBJECT count bug when placeholders are not shown x Work-around for IETab incompatibility with noscript.contentBlocker v 1.1.9.6 ===================================================================== x Object placeholder rendering optimization x Extra QA for release v 1.1.9.5 ===================================================================== + Plugins disabled by default on unknown sites x 
References to "Macromedia Flash" changed into "Adobe Flash" x Fixed wrong OBJECT count reported after 1st notification v 1.1.9.4 ===================================================================== + XBL protection compatible with extensions using XMLHttpRequest from a content-triggered event handler (e.g. Book Burro or PriceDrop) v 1.1.9.3 ===================================================================== + non-destructive cross-site XBL protection (handles the same case as https://bugzilla.mozilla.org/show_bug.cgi?id=387971) x Better edge-case handling in invisible links detection (thanks Alexander Nikkta) v 1.1.9.2 ===================================================================== + Pre-scan optimization for unicode-escaped ASCII in InjectionChecker + Better compatibility with URLs containing HTML entities v 1.1.9.1 ===================================================================== x Work-around for Minefield content policy / DOM interaction regression (thanks mmortal03) v 1.1.9 ===================================================================== x Extra QA for release + Menu rendering speed optimizations + Emulated TLD Effective service up to 100x speedup + InjectionChecker performance up to 50x speedup (thanks therube) + Fixed leak regression from 1.1.8.3 redirection handling refinements (thanks L. David Baron) x Fixed Firefox notifications not shown if NoScript notifications were suppressed (thanks gecco) v 1.1.8.9 ===================================================================== x Fixed content-blocking regression (thanks L.A.R. 
Grizzly) v 1.1.8.8 ===================================================================== x Better Google Toolbar compatibility (thanks brandonksu) v 1.1.8.7 ===================================================================== + More consistent and compatible bottom notification bar v 1.1.8.6 ===================================================================== + "Notifications" option to change message bar automatic hiding delay x Fixed multiple profile problems on SeaMonkey (thanks therube) x Fixed incompatibility with Translation Panel and other extensions (regression from 1.1.8.5 beta) v 1.1.8.5 ===================================================================== + Improved HTML attribute injection checks (thanks Gareth Heyes) + More flexible noscript.forbidXBL about:config preference: 0 - allow all XBL 1 - allow trusted and data: (Fx 3) XBL on any site 2 - allow trusted and data: (Fx 3) XBL on trusted sites 3 - allow only trusted XBL on trusted sites 4 - allow only trusted XBL from the same site or chrome (default) 5 - allow only chrome XBL v 1.1.8.4 ===================================================================== x Fixed installation issue on SeaMonkey (thanks R.N. 
Folsom) v 1.1.8.3 ===================================================================== + The "noscript.tempGlobal" about:config preference causes the "Globally Allow" status to be revoked at the end of each session (thanks chconnor and Alan Baxter for suggestion) + The "noscript.lockPrivilegedUI" about:config preference blocks Error Console and DOM Inspector (useful in locked down setup to prevent preferences from being unlocked by user's chrome JS code) + More reliable base domain recognition + Switch to nsIEffectiveTLDService on Gecko >= 1.9 above (Firefox 3) + nsIEffectiveTLDService emulation on Gecko < 1.9 (Firefox 2) x Updated translations x Additional QA for release v 1.1.8.2 ===================================================================== + Friendlier IFrame handling (thanks war59312 and A. Baxter) x Fixed Silverlight new detection scheme broken by IFrame blocking x Fixed compatibility issue with Cooliris send link (thanks Tschua) v 1.1.8.1 ===================================================================== + More flexible and reliable redirection management v 1.1.8 ===================================================================== + Version bump for Firefox 3 + Temporarily allow sites matching the regular expression(s) in the noscript.whitelistRegExp about:config preference (thanks MaZe) x Further QA for release x Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes) x Fixed shorthands broken when XSS protection was off (thanks MaZe) v 1.1.7.9 ===================================================================== + Notify bar for jar document blocking x Fixed GreaseMonkey's XMLHttpRequest compatibility regression x Fixed confusing option, "Forbid other plugins" shouldn't imply forbidding Java, Flash and Silverlight. 
v 1.1.7.8 ===================================================================== + JAR uris are forbidden from loading as documents by default, see http://noscript.net/faq#jar for details + Block untrusted XBL (thanks Sirdarckcat for inspiration) x Various IFrame blocking refinements v 1.1.7.7 ===================================================================== x Fixed installation problems with addons.mozilla.org automatic update v 1.1.7.6 ===================================================================== + srv.br "special" TLD (thanks Rodrigo Ristow Branco) + Better protection against "setter" based XSS vectors and encoded "name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/ ) + Improved hidden links management, preserves original body CSS attributes when possible (thanks mdots) v 1.1.7.4 ===================================================================== + new noscript.forbidIFramesContext about:config option controls if actually enforcing IFRAME blocking depending on the parent page: 0 -- block always 1 -- block if parent is in a different site (default) 2 -- block if parent is in a different domain 3 -- block if parent is in a different 2nd level domain + Minefield version bump (0.3.0a9pre) x XSideBar keyboard shortcut compatibility (thanks Philip Chee) v 1.1.7.3 ===================================================================== x Work-around for hidden link detection being triggered by some CSS reporting offsetHeight 0 for anchors (thanks Gerrit Heeres) v 1.1.7.2 ===================================================================== + Object placeholders' minimum size set to 32x32 for visibility + Object placeholder override for Microsoft® Silverlight™ x Fixed "Forbid IFRAME" blocking also Flash (thanks niko322) x Fixed "Forbid IFRAME" blocking also regular frames (thanks ievans) x Fixed IFRAME in place activation shouldn't reload parent page v 1.1.7.1 
===================================================================== + New "Plugins/Forbid IFRAME" option per Gareth Heyes' and Om's request, see http://sla.ckers.org/forum/read.php?13,15701,15840 x Fixed logic inconsistency between "Plugins/Forbid xyx" and "Plugins/Forbid other plugins" (thanks Kadeos) x Fixed overzealous behaviour of JS link detection (thanks Kadeos and plu for reporting) v 1.1.7 ===================================================================== + Further QA for release + Improvements in script redirection management v 1.1.6.27 (1.1.7RC2) ===================================================================== + New "Forbid Web Bugs" option in the Advanced/Untrusted panel x Fixed startup "sudden death" issue (thanks Alan Baxter) v 1.1.6.26 (1.1.7RC1) ===================================================================== + Moved plugin content options to a new top-level "Plugins" tab + New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by default like "Plugins/Forbid Java™" + New "Plugins/Apply these restrictions to trusted sites too" option + Enhanced sensibility for the JS URL detection feature + New "jsredirectForceShow" option to always display JavaScript-only navigation URLs at the bottom of pages, no matter what the visible content is (per timeless' RFE) + UTF-8 escaping awareness for InjectionChecker pre-syntax evaluator + Arabic (thanks Nassim Dhaher) + Indonesian (thanks regfreak) + Experimental Intel MidBrowser support + Experimental preference locking support (look at the mozilla.cfg sample inside the XPI for details) x Fixed meta-refresh notification failing to appear sometimes x Cleanup of the counter-measures against Sirdarckcat's redirected script trick (available for Fx >= 2.0 only) with user feedback x Fixed full address no more shown in allowing menu for numeric IP or TCP-IP explicit port URLs (thanks blahhhy for report) x noscriptOptionsWidth entity to localize option dialog size v 1.1.6.25 
===================================================================== + Fix for Sirdarckcat's JS redirection trick v 1.1.6.24 ===================================================================== + Fixed XSS notification infobar not showing v 1.1.6.23 ===================================================================== + Work-around for Daily Dilbert extension's CSS bug hijacking status bar icons (thanks gumble and Archaeopterix for reporting) v 1.1.6.22 ===================================================================== x Fixed toolbar icon breaking when "Scripts Globally Allowed" and no script found in page (thanks Claus Valca and Gecco for reporting) v 1.1.6.21 ===================================================================== x Fixed infobar icon not always properly updated upon tab-switching (regression from 1.1.6.20 feedback fix) v 1.1.6.20 ===================================================================== x Fixed inconsistent status icon feedback (thanks Alan Baxter) v 1.1.6.19 ===================================================================== x Fix for the massive breakage on Mozilla trunk caused by landing of the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=377696 (thanks Quarantine and Peter(6) for reporting) v 1.1.6.18 ===================================================================== + noscript.safeJSRx preference allows to specify a regular expression matching statements allowed in a top-level javascript: URL. Default value allows sessionstore prompt javascript:window.close() trick (http://forums.mozillazine.org/viewtopic.php?p=3033780#3033780) v 1.1.6.17 ===================================================================== + Smarter JS link fixing on untrusted sites (thanks timeless) + Smarter allowable sites detection/reporting if domain tricks are being used. 
x Fixed CTRL+Enter address bar SeaMonkey feature (thanks blindtrust) x Fixed conflict with SiteAdvisor tooltips v 1.1.6.16 ===================================================================== x Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from working: browser packages are whitelisted by default, extensions and other chrome packages can be optionally whitelisted adding a noscript.forbidChromeExceptions.packageName preference set to true, and the noscript.forbidChromeScripts preference defaults to false now, since Bug 292789 couldn't do any harm unless some extension does very stupid things. x Fixed incompatibility with the BookmarksHome extension v 1.1.6.15 ===================================================================== + Support for keyword-driven bookmarklets on untrusted pages (thanks Mike Rocker and therube for report/request) + noscript.forbidChromeScripts preference (true by default), prevents script tags in content (non chrome:/resource:/file:) documents from referencing chrome: scripts, see https://bugzilla.mozilla.org/show_bug.cgi?id=292789 x Fix for fast reload not working on Minefield v 1.1.6.14 ===================================================================== x Work-around for a reload problem caused by Firekeeper 0.2.11 x Version bump for Minefield v 1.1.6.13 ===================================================================== + Enhanced the "multi-port shorthand" feature to accept "*" wildcard for subdomains, e.g. "http://*.google.com:0" matches every http google subdomain with any port number (thanks Dave Faraldo for RFE) + Added a "noscript.fixURI.exclude" about:config preference where protocols which should not be escaped by NoScript can be specified as a space-separated list (thanks therube for inspiration) v 1.1.6.12 ===================================================================== + URI Validator facility for on-demand protection against URI-based exploits. 
You can add your uri-validator anchored regular expressions as an about:config preference named like "noscript.urivalid.protocolname" to validate the URI substring immediately following scheme + colon (see the noscript.urivalid.aim pre-configured example entry) x Minor change in query string parser, it doesn't drop "=" split chunks exceeding the first two anymore v 1.1.6.11 ===================================================================== + Optional blocking of tracking images (also known as "Web Bugs") embedded inside NOSCRIPT tags: it can be enabled through the noscript.blockNSWB about:config property (thanks lakrids/Arimfe) v 1.1.6.10 ===================================================================== x Fixed configuration conflict preventing javascript: links from opening in some circumstances (thanks england and haklin) v 1.1.6.08 ===================================================================== x Fix for popup content loaded in the opener window regression (from mail/news exploitation protection) v 1.1.6.07 ===================================================================== x Further refinement of URL protocol handler protection to cope with special configuration-depending cases with mail/news protocols (not affecting SeaMonkey) - thanks Rios and McFeters for generic PoC, thanks Darkdata for specific test case v 1.1.6.06 ===================================================================== x Early protection against URL protocol handling exploitation (see http://tinyurl.com/37o23j and Mozilla bug 389106) x Fix to ampersand being sometimes escaped by anti-XSS filters v 1.1.6.05 ===================================================================== + Protection against UTF-7 encoded XSS attacks x Improved plugin content blocking in background tabs x Better XSS query string processing preserves "exotic" patterns v 1.1.6.04 ===================================================================== + Smarter Anti-XSS filters allowing non-latin characters x 
Kill duplicates in "Partially allowed" statistics x Switched to getDefaultBranch() for volatile CAPS preferences in order to grant a clean "Safe Mode" even after Firefox crashes (thanks Benjamin Smedberg for suggestion) v 1.1.6.03 ===================================================================== + Allowed sites and partial counts in the infobar when scripts are "Partially allowed" (timeless suggestion) + Window.name payload attacks neutralization x Fixed over-optimization of JS detection relying on syntax errors v 1.1.6.02 ===================================================================== x Fixed "Unresponsive Script" on specific complex URL patterns (many thanks to Sue Petersen) v 1.1.6.01 ===================================================================== x Fixed "Clear private data" window not closing if you hit "OK" on browser exit with Firefox < 3.0 (thanks VT for first report) v 1.1.6 ===================================================================== + "Light" injection checks are enabled also with "Scripts Globally allowed" (notice that allowing scripts globally is still a very bad idea, since POST injections and other XSS attacks launched using JavaScript, Java or Flash are virtually undetectable) x Better XSS notification/UI feedback on partial loads x Depth limit to URL decoding x Work-around for JS Development Environment scoped evaluation being blocked by noscript.safeToplevel feature x Extra QA for public release v 1.1.5.07 ===================================================================== x Extra QA and optimization for very complex URLs v 1.1.5.06 ===================================================================== x Huge performance and accuracy enhancement in injection detector x Bookmarklet bypass for Minefield Places (thanks Hwasung Kim) v 1.1.5.05 ===================================================================== + Smarter injection detector for trusted to trusted requests x Fixed "this.docShell has no properties" issue (many 
thanks therube) x Fixed external URLs not opening in IETab (thanks chili1) v 1.1.5.04 ===================================================================== x Fixed traceback regression skipping checks on permissions change v 1.1.5.03 ===================================================================== x Fixed XSS notification message bar not showing sometimes v 1.1.5.02 ===================================================================== x More accurate origin detection on META refresh v 1.1.5.01 ===================================================================== + XSS filter sensibility enhancement + Notifications for Flash-based XSS too v 1.1.5 ===================================================================== x Removed about:neterror from the permanent non-deletable whitelist (for the super-paranoids, thanks Aerik) x Minor bug fix, anti-XSS notification bar skipped when an URL nested in a query string gets sanitized x Extra QA for public release v 1.1.4.9.070627 ===================================================================== + Added "0" shorthand to match all *explicit* IP ports on the same protocol/host, e.g. http://acme.com:0 matches http://acme.com:8080 and http://acme.com:9999, but neither https://acme.com:8080 nor http://acme.com + Partial numeric IPv4 are matched up to the 2nd leftmost byte, e.g. 
"192.168" matches 192.168.0.22 and "10.0.0" matches 10.0.0.33 x Minor cosmetic tweaks to XSS notifications threshold x Improved reload on permissions change v 1.1.4.9.070624 ===================================================================== + Optimization of active counter-measures x Additional QA for public bug fixing automatic update v 1.1.4.9.070623 ===================================================================== + More lenient yet the safest XSS filters x Fixed a leak happening when a secondary browser window is closed v 1.1.4.9.070622r3 ===================================================================== x Fixed some popup not closing issue (thanks Angelo Dicerni) v 1.1.4.9.070622r2 ===================================================================== x Fixed issue with usernames embedded in home page (thanks england) v 1.1.4.9.070622r1 ===================================================================== x Fixed incompatibility with certain malformed Ebay search URIs (thanks to Marc Van Buggenhout for reporting) v 1.1.4.9.070622 ===================================================================== + Full anti-XSS protection for every trusted URL opened from external applications + Protection against all the currently known cross-browser exploits targeting Firefox (Larholm, Rios, MacManus...) 
v 1.1.4.9.070621 ===================================================================== + Additional checks for toplevel windows (thanks dveditz) x Work-around for interference of some tab-related extension with external URL interception v 1.1.4.9.070620 ===================================================================== + Protection against so called "Universal XSS" through JS URLs opened by external applications, as explained in http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html v 1.1.4.9 ===================================================================== + noscript.injectionCheck about:config option adds first-line detection for XSS injections in GET requests originated by whitelisted sites and landing on top level windows. Value can be: 0 - never check 1 - check cross-site requests from temporary allowed sites 2 - check every cross-site request (default) 3 - check every request + noscript.jsredirectIgnore about:config option enables/disables the new "Detect and show JavaScript redirections" feature + noscript.jsredirectFollow about:config option enables/disables auto-following if a single redirect is detected on a textless page x "Allow top level sites by default" won't affect sites that have been manually forbidden during the current session (to make this exception permanent, mark the site as untrusted) v 1.1.4.8.070618 ===================================================================== + New placeholders for plugin content can be right clicked like any "regular" link, e.g. to "Save Link As..." 
or "Copy Link Location"
+ Placeholders for plugin content are rendered real-time during load
+ Experimental detection of JavaScript redirections (thanks timeless)
x Fixed glitch in plugin replacement with JS enabled (thanks lulu135)

v 1.1.4.8.070617
=====================================================================
x Fixed untrusted blacklist import bug (thanks MZFuser)

v 1.1.4.8.070606
=====================================================================
+ edu.tw special TLD (thanks twocs)
+ New noscript.autoReload.global about:config preference controls if automatic reload affects global allow / forbid (thanks lulu135)
+ New noscript.autoReload.allTabs about:config preference controls if automatic reload affects all or just current tab (thanks lulu135)

v 1.1.4.8.070602
=====================================================================
x Removed console error message on document unload in SeaMonkey

v 1.1.4.8.070530
=====================================================================
x Fixed toggle shortcut regression (thanks therube)

v 1.1.4.8.070529
=====================================================================
x Automatic fixup of trailing dot domains, replacing them on the fly with their canonical name (thanks fartron and timeless)
+ "in.th" special TLD (thanks Kridsada)
x Fixed minor notification glitches in Fx 1.5 (thanks arete7)

v 1.1.4.8.070528
=====================================================================
x Performance optimization of options dialog closure for long whitelists used in conjunction with long blacklists (thanks arete7)
x Automatic notification hiding for background tabs (thanks arete7)

v 1.1.4.8.070523
=====================================================================
x Improved notification consistency with back-forward navigation
x Better compatibility with Google Desktop Search and Paypal email notifications

v 1.1.4.8.070522
=====================================================================
+ "org.uy", "net.uy"
and "edu.uy" special TLDs (thanks Mauricio)
x Nicer url randomization
x Improved notification on nested URL XSS sanitization
x Fixed external load request detection failing "randomly" in some setups (regression from the IETab incompatibility work-around)

v 1.1.4.8.070521
=====================================================================
x Fixed regression from bug 53901 work-around, "Mark as untrusted menu" not working anymore (thanks Ricky Ridgdill)

v 1.1.4.8.070520
=====================================================================
x Resolved 070509 conflict with IETab + Tab Mix Plus causing some tab-diverted links to open in new windows (thanks to Nuttysman, niko322, Alan Baxter)

v 1.1.4.8.070514
=====================================================================
x Sanitized URI randomization (thanks kuza55 for inspiration)
x *Fast* reload also with fragment URI (thanks Martin Focke)

v 1.1.4.8.070513
=====================================================================
x Fixed last minute regression slipped in Anti-XSS GET filter (some suspicious query strings entirely removed, rather than sanitized)

v 1.1.4.8.070512
=====================================================================
+ Appearance option to show/hide "Allow" menu items (thanks mamas6667)
x Updated locales (cs-CZ, en-GB, pl-PL)

v 1.1.4.8.070511
=====================================================================
x Fixed "black boxes" glitch on page unload (thanks jdopple)
x Fixed XSS exceptions must allow blank value (thanks Martin Focke)
x Fixed reloading URLs with hash (thanks Martin Focke)
x Work-around for Minefield bug displaying wrong labels on cloned menu items (thanks Itsnow)
x Fixed regression, menu popup not shown by keyboard shortcut when both toolbar button and status bar element are hidden (thanks niko322)

v 1.1.4.8.070509
=====================================================================
+ noscript.xss.trustExternal about:config preference controls if anti-XSS filters
should be bypassed for URLs opened from external applications like email clients (default false)
+ noscript.xss.trustTemp about:config preference controls if anti-XSS should be bypassed if URLs are opened from "temporary allow"ed sites (default true, thanks Salim for suggestion)
x Wikipedia default XSS exception tweaked to include apostrophes in titles (thanks Alan Baxter for report)

v 1.1.4.8.070505
=====================================================================
x Better compatibility with Google Toolbar's translation service

v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active (thanks mastro for report)
x (Hopefully) Last bug fix in referrer XSS sanitization (thanks Alan Baxter)

v 1.1.4.8.070501
=====================================================================
x Further bug fix in referrer XSS notification template

v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active (thanks mastro for report)
x (Hopefully) ultimate fix in referrer XSS sanitization (thanks Alan Baxter)

v 1.1.4.8.070501
=====================================================================
x Further cosmetic bug fix in referrer XSS notification template

v 1.1.4.8.070430
=====================================================================
x Localization updates and release QA

v 1.1.4.8.070429
=====================================================================
+ Shortcut to show NoScript menu works even if status bar icon and toolbar button are both hidden
x Fixed "Options..."
button not working if status bar was hidden (thanks napiertt and joymus)
x Fixed regression in XSS notifications due to 070427 fix (some XSS suspicious requests were silently cancelled, rather than sanitized and notified)
x Fixed "empty Untrusted menu" (thanks niko322)

v 1.1.4.8.070428
=====================================================================
x Fixed using keyboard shortcut always shows status icon
x Fixed closing toolbar button menu always shows status icon

v 1.1.4.8.070427
=====================================================================
x Fixed referrer sanitization glitch (thanks Alan Baxter)

v 1.1.4.8.070426
=====================================================================
x Fixed Refresh Blocker and Tab Mix Plus redirection permissions incompatibility (thanks tabasco.kfarmer and Mc)
x Fixed SeaMonkey "removed content" placeholder (thanks therube)
x Fixed Seamonkey "Reset" button placement (thanks Phil Chee)

v 1.1.4.8.070425
=====================================================================
+ Experimental "noscript.contentBlocker" about:config preference to block Java, Flash and other plugins in whitelisted sites as well
x Fixed bug in toolbar button Untrusted submenu (thanks Steve1000)
x Better XSS management on whitelisting automatic reloads (XSS checks for whitelisting reloads can be disabled by toggling off the "noscript.xss.trustReloads" preference in about:config)

v 1.1.4.8.070424
=====================================================================
+ "Reset" command in Options Dialog resets options to their default values (thanks Frank Myers)
+ Always bypass cache on XSS Unsafe Reload (thanks Jussi Lahtinen)
+ Serbian translation (thanks Ivan Pesic)
x Improved Wikipedia XSS exception

v 1.1.4.8.070423
=====================================================================
+ Lithuanian (thanks to Mindaugas Jakutis)
x Additional localization updates and minor fixes

v 1.1.4.8.070422
=====================================================================
+ Forbid META redirection inside NOSCRIPT element in Seamonkey too
+ XSS notifications for Fx 1.5 too
+ XSS status bar icon appears when XSS activity is detected: left/right click opens XSS menu, middle click hides icon
+ META redirection status bar icon appears when needed: click follows redirection once, shift+click remembers for session, middle click hides icon
x Fixed a regression (070420 only) with Import/Export buttons broken
x Fixed toolbar button removal messing with other NoScript menus (thanks niko322 for report)
x Fixed file:// URL item not showing anymore regression (thanks Shingoshi for report)
x Fixed regression in Option Dialog: removing from whitelist didn't work if applied to just one site (multiple batch did work, though) - thanks Alan Baxter for report

v 1.1.4.8.070420
=====================================================================
x Fixed "Forbid other plugins implies Forbid Flash" - thanks Dwedit
x Fixed Options dialog issues with Fx 1.5

v 1.1.4.8
=====================================================================
x Minor improvements in XSS exceptions regular expression parsing
x Fixed last-minute Seamonkey breakage (many thanks therube!!!)
v 1.1.4.8RC3 (1.1.4.7.070420.1)
=====================================================================
x Further refinement in XSS filters (thanks niko322)

v 1.1.4.8RC2 (1.1.4.7.070420)
=====================================================================
x Fixed 2nd level domain toggle option (thanks therube)
x Fixed multi-window feedback synchronization (thanks lakrids)

v 1.1.4.8RC1 (1.1.4.7.070419)
=====================================================================
+ Option to block META refresh inside NOSCRIPT elements: a prompt will be shown asking if you want to follow the redirect, and choice will be remembered across the current session (noscript.forbidMetaRefresh.remember preference, dismissing the notification with its close button means "keep blocked") thanks rsnake and Alan Baxter for suggestion (Firefox 2 only)
+ "XSS-Unsafe Reload" menu item in the XSS notification bar popup
+ "XSS FAQ" menu item in the XSS notification bar popup
+ noscript.xss.notify.subframes about:config preference to control notification for XSS in subframes (default false, suppressed)
+ Option to toggle sites by (2nd level) domain, rather than full URL
x Default "Show NoScript menu" shortcut changed to Ctrl+Shift+S (Ctrl+Shift+X conflicting with "change direction" Firefox command)
x moved "Show Console" from XSS notify button to an "Options" popup
x Options Dialog reorganization
x Right click on toolbar button and status bar elements opens menu
x Mass-removal speedup in Options Dialog|Whitelist

v 1.1.4.7.070414
=====================================================================
+ Finer grained treatment for data: and javascript: urls in frames, whose domain is considered the one of the nearest window ancestor having a meaningful web address (thanks to Vectorspace for his suggestion)

v 1.1.4.7.070413
=====================================================================
+ "noscript.globalwarning" about:config hidden preference controls whether a warning prompt should be issued or
not whenever user switches on scripts globally (true by default)
x Improved Anti-XSS Protection compatibility with some message boards (special thanks to Aerik and Olaf Schweppe)

v 1.1.4.7
=====================================================================
+ First "official" anti-XSS release
+ New plugin content detection algorithm defeats latest aggressive Flash cloaking strategies (e.g. http://www.hardocp.com/ )
+ Improved subframe detection, includes object elements (e.g. http://www.operamini.com/demo/ )
+ Improved fast reload, preserving form input data.
+ Minefield full compatibility

v 1.1.4.6.070409
=====================================================================
x Fixed weird intermittent interference with dynamic JavaScript inclusion via document.write() used by some JavaScript libraries (e.g. Prototype, Dojo or Tiny-MCE)

v 1.1.4.6.070404
=====================================================================
x Drastic reduction of XSS redirection-related false positives

v 1.1.4.6.070325
=====================================================================
x Fixed regression, leak happening on window closure (10x pirlouy)
x Fixed regression, file:// entries missing from menus (10x therube)

v 1.1.4.6.070322
=====================================================================
+ Safer behaviour on reloading/whitelisting a XSSed page

v 1.1.4.6.070321
=====================================================================
+ XSS sanitization of the whole request URL
+ XSS sanitization of the referrer URL
+ XSS filters exceptions for some "trusted" addresses requiring cross-site complex query strings (controlled by a regexp in the noscript.filterXExceptions hidden preference, defaults to Google search and Yahoo search)
+ Better general search engine compatibility with anti-XSS filters
x Several performance optimizations

v 1.1.4.6.070318
=====================================================================
+ First anti-XSS countermeasures round: "default deny"
sanitization is applied to every request coming from an unknown (restricted) site and landing on a trusted (scripting allowed) site:
    1. GET requests with a query string get all the matches for the noscript.filterXGetRx regular expression replaced with space
    2. POST requests are turned into no-data GET
    3. Every request filtering action is logged to the Console, while a short notification is issued through the info-bar* (if enabled)
    *Info-bar notifications require Fx 2.0 or above
    Behaviours 1 and 2 can be controlled from NoScript Options|Advanced

v 1.1.4.6.070317
=====================================================================
x Customizable keyboard shortcuts (about:config - noscript.keys.*)
x Quick toggle (by shortcut or toolbar) behaviour changed to *Temporarily* Allow / Forbid (old behaviour can be restored by setting the about:config noscript.toggle.temp pref to false)

v 1.1.4.6.070316
=====================================================================
+ Super fast reloading after toggling permissions
+ Hebrew (thanks to Asaf Bartov)
x removed mozillazine.org and mozilla.org from the default list (thanks Wladimir Palant)
x Fixed a resource deallocation issue (thanks Higmmer)
x Fixed a potential slowdown on startup
x Removed logging code slipped in a release

v 1.1.4.6.070304
=====================================================================
+ Added many ".id" special TLDs (thanks FatMan)
x Fixed localization-related bugs (e.g. untrusted menu showing just the first character for each site)
x Other minor bug fixes

v 1.1.4.6.070302
=====================================================================
+ SeaMonkey compatible keyboard shortcuts
+ Added a couple of about:config options (noscript.keys.*) to disable keyboard shortcuts: just blank their values. Notice: changing the option value to a different key is possible, but it doesn't actually work (yet?)
x Fixed a regression in the "Export" functionality

v 1.1.4.6
=====================================================================
x Stable "blacklist" release
+ Vietnamese (thanks tonynguyen)
+ Galician (thanks roebek)

v 1.1.4.5.070222
=====================================================================
x Fixed a "Mark as untrusted" menu item bug

v 1.1.4.5.070210
=====================================================================
x Fixed a bug affecting some locales on Mozilla/SeaMonkey/Fx 1.0

v 1.1.4.5.070207
=====================================================================
x "Forbid" doesn't mark the site as untrusted by default anymore (old behaviour can be restored via "noscript.forbidImpliesUntrust" pref)

v 1.1.4.5.070127
=====================================================================
+ Experimental blacklist ("Mark as untrusted" + "Untrusted|Allow")
+ Global shortcut toggling top level status: "CTRL + SHIFT + \"
+ Global shortcut to NoScript menu: "CTRL + SHIFT + X"
+ Extra control on NOSCRIPT elements rendering
+ "Allow Globally" menu item is optional now (shown by default)
+ "Link Local Files" optional permission for trusted sites
+ "noscript.excaps" hidden pref for CAPS conflicts resolution (e.g.
with Google Toolbar and other Google extensions)
+ "Temporarily allow top-level sites by default" new preference (not advised and disabled by default)
+ Menu items referring to current location are highlighted in bold
+ New preference in Options|General controls toolbar button reaction to left click (default none, optional toggles top level status)
+ net.uk, com.uk and org.uk pseudo TLDs

v 1.1.4.5.061231
=====================================================================
x Fixed "cancel with non-failure status code" assertion

v 1.1.4.5.061221
=====================================================================
+ Minefield (3.0a2) support
+ Fixed plugin placeholder trunk issue (thanks timeless for report)
+ added *.ua "special" TLDs (thanks Devan Chetty)

v 1.1.4.5.061206
=====================================================================
+ Added org.in and co.sy to the "special" TLDs list
x Fixed some bookmarklet quirks (not in trunk, though)
x Fixed a bug in "uk.xyz" special TLDs management

v 1.1.4.5.061030
=====================================================================
x Minefield fix: feedback during/after document loading (bug 335251)
x Minefield fix: bookmarklet on the fly enablement (bug 351633)
x Restored Flock compatibility

v 1.1.4.5
=====================================================================
+ Some user interface tweaks in the Options UI
+ Several optimizations
x Fixed XML issue
x Fixed BFCache side-effects on certain pages
x Fixed a timing bug in stand-alone plugin interception

v 1.1.4.4
=====================================================================
+ be-BY (Belarusian) thanks to DRKA
+ JavaScript links fixing made compatible with AllPeers
+ Better interception of plugin content
x Fixed a plugin placeholder bug (thanks to tanstaafl for reporting)
x Fixed interception of xml and xhtml content (thanks to Poly Peptide, hrikjsen, Redoute and johnnydrinkwater for reporting)
x Fixed some strict warnings (thanks to timeless for
reporting)

v 1.1.4.3
=====================================================================
+ Emulated Firefox 1.0.x top-level plugin content blocking behaviour
+ uk-UA (Ukrainian) thanks to MozUA
+ th-TH (Thai) thanks to Qen
+ fa-IR (Persian) thanks to Pedram Veisi
+ el-GR (Greek) thanks to Sonickydon
+ en-GB (English GB) thanks to Ian Moody
+ hr-HR (Croatian) thanks to Krcko
x Other updated translations
x Fixed plugin content reloading bug

v 1.1.4.2
=====================================================================
+ Notifications Firefox 2+ compatible
x Fixed whitelist import bug (phantom resource:xyz entry)
x Fixed "removeLinkFixer" warning (thanks to Pablo)

v 1.1.4.1
=====================================================================
+ Left clicking on NoScript toolbar button toggles permissions for current top-level site
+ Shift+Click on a Java/Flash/Object placeholder temporarily hides it
+ "Attempt to fix JavaScript links" now skips "real" hash URLs
+ Added live.com to the default whitelist (for MS webmails)
x Removed a leak caused by "Attempt to fix JavaScript links" option
x Fixed Macedonian translation

v 1.1.4
=====================================================================
+ "Allow sites opened through bookmarks" option
+ Notification delay in seconds can be changed through the "noscript.notify.hideDelay" about:config preference
x Removed bogus JS messages on SeaMonkey startup
x Fixed bookmarklet support to work with the new "Places" code, the bookmark sidebar and the bookmark manager
x Added mozilla.com to the default whitelist
x Always honour "Attempt to fix JavaScript links" option (links were processed anyway if "Forbid " was enabled)

v 1.1.3.9
=====================================================================
x Fixed temporary memory leak when loading pages containing plugins (many thanks to Steve England)
x JavaScript links should not be "fixed" when scripts are globally allowed (thanks Lt.
Worf)

v 1.1.3.8
=====================================================================
x Another emergency release to fix Babelzilla bugs with Asian languages (mass-reverting to 1.1.3.5 properties files to be sure).
- Removed permanent whitelist (all the web sites can be forbidden from the UI, no more about:config needed)

v 1.1.3.7
=====================================================================
x Fixed some localization bugs with Hungarian and other languages

v 1.1.3.6
=====================================================================
+ "Fix JavaScript links" option: enabled by default, attempts to automatically turn JavaScript links into regular anchors on load
+ Advanced options "Allow " on trusted sites (defaults to the browser settings) and "Forbid " on untrusted sites (default yes) give user control on the new, debated "ping" anchor attribute
+ New hidden (about:config) boolean preference "noscript.consoleDump" controls if blocked contents must be logged to the console (false by default)
+ Slovak (thanks to Slovak Soft)
+ Romanian (thanks to Ultravioletu)
+ Hungarian (thanks to LocaLiceR)
+ Chinese Traditional (thanks to Chiu Po-Jung)

v 1.1.3.5
=====================================================================
+ "Truncate title" option: enabled by default, even on whitelisted sites, is a quick & dirty work around for Firefox DOS bug 319004
+ "com.xy" 2nd level domains are always considered special TLDs
+ Other special TLDs added
x Fixed "Forbid other plugins" semantics: Java and Flash should remain allowed unless their specific "Forbid" option is flagged.
x Fixed Portuguese locale bug

v 1.1.3.4
=====================================================================
+ Flock support
+ Finnish (thanks to Mika Pirinen)
+ Norwegian bokmål (thanks to Håvard Mork)

v 1.1.3.3
=====================================================================
+ Placeholder icon can be hidden (NoScript Options|Advanced)
+ Message bar notifications can be set to go away automatically after 5 seconds
+ Bulgarian (thanks to Georgi Marchev)
+ Simplified Chinese (thanks to George C. Tsoi)
+ Russian (thanks to Alexander Sokolov)
+ Turkish (thanks to Engin Yazılan)
x Best effort XPCOM auto registration on Mozilla Suite installation
x Minor menu formatting glitches removed
x Some about:xxx URLs added to the default whitelist

v 1.1.3.2
=====================================================================
+ Bookmarklet support. It allows JS on current page just for the bookmarklet execution lifespan. If you don't want or don't need it, turn on "NoScript Options|Advanced|Forbid Bookmarklets"
x Fixed right-click status label crash affecting pre-1.8 browser. Now status label context menu works on Mozilla and Firefox 1.0.x too.
v 1.1.3.1
=====================================================================
+ Option to skip confirmation when temporarily unblocking objects
+ Optional status bar label (with Firefox-only context menu)
+ Support for Unicode domains
x Work-around for Firefox bug #307678 (dialogs freeze)
x Handle about:neterror and about: (help) "always allowed" exception

v 1.1.3
=====================================================================
+ Toolbar button
+ Java/Flash/Plugin content can be temporarily allowed (for the current tab) with a left click on its placeholder
+ Further optimizations in site matching
+ Japanese (thanks to beerboy)
+ Polish (thanks to Lukasz Biegaj)
+ Catalan (thanks to Joan-Josep Bargues)
+ Czech (thanks to Petr Jirsa)
x Bug fix: "Allow JavaScript Globally" didn't affect Java, Flash and Plugin immediately

v 1.1.2.20050901
=====================================================================
x Bug fix: temporarily allowed sites were not removed if no permission change happened in the following session

v 1.1.2
=====================================================================
+ Java/Flash/Plugins blocking works in Mozilla Suite / SeaMonkey too
+ Huge performance (up to 100x) improvements in policy matching
+ More consistent temporary sites handling (allowing a temporary domain while subdomains are allowed, now forbids ancestors of that domain but not its subdomains anymore on restart)
+ Added "ar.com" to the list of "special" TLDs
x No more "phantom" http:// and https:// entries in whitelist

v 1.1.1
=====================================================================
x Fixed a bug with whitelist synchronization from the Options window
x Fixed little Spanish locale issue

v 1.1.0
=====================================================================
+ Customizable message position, top or bottom (new default)
+ Customizable audio sample for feedback
+ (Firefox only) Advanced options to forbid Java™, Flash® and other plugins (Java™ forbidden by
default, since many users don't know the difference between Java and JavaScript)
+ Advanced options to allow rich-text clipboard on trusted sites
+ Portuguese translation (thanks to Dario Ornelas)
x New (less ambiguous) "partially allowed" icon
x Audio feedback off by default
x Statusbar icon hidden status persists across sessions
x Proper jar: scheme handling (will allow per-domain selection when Firefox bug preventing it is patched - see https://bugzilla.mozilla.org/show_bug.cgi?id=298823)
x jar: scheme can be allowed only temporarily (see above)
x No more browser activity stop after permission changes

v 1.0.9
=====================================================================
+ Temporarily allow URLs (for current session only): temporary items are shown in italics font
+ Clean uninstall in Deer Park
+ Added jar: to the default white-list, to allow about:plugin and other "special" URLs to work out-of-the-box
x Better work-arounds for Firefox synchronization bugs
x Fixed conflict when a "View Source" window was open

v 1.0.8
=====================================================================
+ Whole addresses are shown when a port number is specified, no matter which the Appearance options are, since enabling a domain doesn't enable it for non-standard ports (thanks to jayvdb for suggestion)
+ Stop every browser activity before changing policies (this should be a workaround for most crashes due to Firefox CAPS bugs)

v 1.0.7
=====================================================================
+ "Popup blocker" style notification message (Firefox only)
+ Autoreload synchronizes every view whose permissions have changed
+ Spanish translation (thanks to Alberto Martínez)
x Improved subframes management in the contextual menu
x Better UI support for "special" TLDs like co.uk, co.nz and others
x Improved support for numeric addresses
x Audio feedback with more discreet sound effect :-)

v 1.0.6
=====================================================================
+ Whitelist import/export (thanks hsmwrv for suggestion)
+ Only 2nd level (base) domains shown by default in the "Allow" menu items (easier operation for non-geeks; geeks can still revert to the old fine grained interface using the "Appearance" options)
+ Blocked scripts audio feedback (thanks to Markus for suggestion)
+ about:config/noscript.permanent can be changed live (no FF restart)
x chrome content URL are properly whitelisted (XUL error pages OK)
x Fixed empty permanent list problem (thanks to Patrick and Oremina for report)

v 1.0.5
=====================================================================
+ "Appearance" option to hide/show popup menu and status bar icon; if you decide to hide both, options are still reachable through the Extension Manager context menu (thanks Dick Minor for suggestion)
+ 2nd level domain trick doesn't clutter Options Dialog anymore (http[s]:// auto-prefixed domains are hidden in whitelist)
x Fixed menu layout (thanks to TheOneKEA for report)

v 1.0.4
=====================================================================
+ Automatically creates http:// and https:// prefixed URLs when a 2nd level domain (xyz.com) is allowed, as a workaround for Firefox not matching URLs with a raw 2nd level domain if no protocol is listed (thanks to Laura for report)
+ "Allowed" status feedback for chrome:// URLs (pacanukeha)
x Core functionality refactored in a XPCOM service

v 1.0.3
=====================================================================
+ Feedback about actual presence of script elements in current page (white "S" icons if no script tag is found, while number of found tags is shown in the tooltip - thanks to Volker for suggestion)
+ Feedback about partial permissions in pages containing subframes (a broken red "stop" sign means only some frames are forbidden)
+ Events are coalesced for better performance and stability
+ Improved options dialog usability (new items are ensured visible and "delete" key performs mouse-less site removal)
+ Added hotmail/msn/passport domains to default whitelist (thanks to Swann for suggestion)
+ Added googlesyndication.com and noscript.net to permanent list ;)
x Fixed whitelist options dialog sometimes "forgetting" recently added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for their reports)

v 1.0.2
=====================================================================
+ Option dialog shortcuts (thanks to Ulysses for suggestion)
+ French translation (thanks to Xavier Robin)
x NoScript doesn't ignore port number in URLs anymore
x moved "Options" and "About" items to the top of status bar menu (thanks to Filipp0s for suggestion and for the smaller icons too)
x added mozillazine.org and gmail.google.com to default allow list
x no duplicates in menu when multiple frames share the same ancestor domain (e.g. mozillazine.org)

v 1.0.1
=====================================================================
+ Contextual menu for easy operation in statusbar-less windows
+ Current page is automatically reloaded when permissions are changed
+ Support for implicit subdomain inclusion (e.g. if you add mozilla.org, you allow www.mozilla.org, addons.mozilla.org etc.)
+ German translation (thanks to my friend Thomas Weber)
x Fixed localization issue
x Work around for Firefox occasional crashes

v 1.0
=====================================================================
First public release

Copyright © 2004-2009 InformAction - All rights reserved