NoScript Security Suite Version History

373 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.6.9.30 535.4 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.30
=============================================================
x Fixed noscript.allowWhitelistUpdates preference being
ignored
+ Filtering out whitelist additions not required by the
specific current browser type and version
+ Added about:pocket-save and about:pocket-signup to the
default whitelist
x More restrictive and accurate INCLUSION type check (thanks
Meee for reporting)
x [XSS] Further invalid characters optimization refinement
(thanks Mathias Karlsson for reporting)
x [XSS] Fixed XML stripping optimization to prevent inline
injections (thanks Mathias Karlsson for reporting)
x Default whitelist maintenance: removed prototypejs.org,
cdnjs.cloudflare.com; restored maps.googleapis.com
x [XSS] Updated inline event handlers related code preventing
potential 2nd order injections on very badly coded websites
(thanks Mathias Karlsson for reporting)

Version 2.6.9.29 536.1 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.29
=============================================================
x [XSS] Improved specificity of invalid characters
optimization to remove a string literal breaking detection
bypass (thanks Mathias Karlsson for reporting)

Version 2.6.9.28 536.1 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.28
=============================================================
x Narrowed googleapis.com default whitelist entry to
ajax.googleapis.com
x [Surrogate] Updated gigya.com and 2mdn.net replacements
(thanks saaib)

Version 2.6.9.27 536.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.27
=============================================================
x Fixed media elements being blocked on first (uncached)
request (thanks RobertDrew for reporting)
+ noscript.middlemouse_temp_allow_main_site about:config
preference to control whether middle-clicking the toolbar
button should allow current top document's site (thanks
barbaz)
x [L10n] Updated Belarusian (thanks Dzmitry Drazdou)
+ Default whitelist retroactive removal ability
x Removed vjs.zendcdn.net from the default whitelist

Version 2.6.9.26 536.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.26
=============================================================
x Extended the redirectTo() safety net to all the internal
redirections
x Work-around for redirectTo() breaking Flash plugin
subrequests
x Got ChannelReplacement backed by HTTPChannel.redirectTo()
whenever possible (should fix moz-bug 1153256 for good)
x Fixed double redirection in HTTPS enforcing

Version 2.6.9.25.1-signed 533.8 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.25
=============================================================
x Fixed regression preventing HTTPS enforcing exceptions from
being honored

v 2.6.9.24
=============================================================
x Fix for intermittent crashes on older Gecko versions

Version 2.6.9.23.1-signed 533.8 KiB Works with Firefox 31.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.31 and later

v 2.6.9.23
=============================================================
x Work-around for moz-bug 1167371
x Fixed fatal regression on Firefox 34 and below
x Improved backward compatibility
x Work-around for anonymized plugin subrequests being vetoed
by channel event sink
x Fixed backward compatibility PopupBoxObject shim
x [E10s] Fixed cascading permissions broken when checks are
performed cross-process
x [Surrogate] Removed deprecated "for each" constructs from
replacements
x [L10n] Updated ru-RU (thanks negodnik)
x Tentative fix for Bug 1153256 (thanks Dragana Damjanovic)
+ Added about:preferences to the mandatory whitelist
- Removed legacy STS support
+ [Surrogate] 2mdn.net inclusion replacement (thanks barbaz)
+ [E10s] Restored inline JavaScript blocking

Version 2.6.9.22.1-signed 534.2 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.22
=============================================================
+ [Surrogate] Generalized OWASP antiClickjacking replacement
(thanks barbaz for RFE)
+ [Surrogate] Wordpress scriptless site auto-show replacement
+ bootstrapcdn.com in default whitelist

Version 2.6.9.21.1-signed 534.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.21
=============================================================
+ Added "mediasource:" to the mandatory whitelist (Moz-Bug
1151638)
x [Surrogate] Updated googletagservices.com replacement
(thanks barbaz)
x Better compatibility with SDK-based add-ons using data:
URIs (thanks Mingyi Liu for report)

Version 2.6.9.20.1-signed 533.9 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.20rc2
=============================================================
x Improved "Recently blocked sites..." recording
x Fixed inconsistencies in data: URIs handling (thanks barbaz
for reporting)

Version 2.6.9.19.1-signed 533.8 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.19
=============================================================
+ [Surrogate] .gigya.com replacement provided by barbaz
+ [Surrogate] js.stripe.com replacement provided by barbaz
+ Improved usability of new Yahoo! video activation (thanks
Glenn for reporting)
+ Added googlevideo.com to the default whitelist because it's
now required to play Youtube movies (thanks barbaz for RFE)

Version 2.6.9.18.1-signed 533.5 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.18
=============================================================
x Fixed restrictSubdocScripts/globalHTTPSWhitelist
interaction issue (thanks Tor Project for report)
x Fixed regression always disabling scripts whenever site's
host name is an IPv6 literal (thanks ipv6user for report)
x Fixed menu automatic disappearance on mouse exit broken by
Firefox 36 changes (thanks randavis, cumdacon and barbaz
for report)

Version 2.6.9.17.1-signed 533.3 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.17
=============================================================
x Fixed cascadePermissions/globalHTTPSWhitelist interaction
issue with IFRAMEs (thanks Tor Project for report)
x Fixed cascadePermissions being enforced also if the top
document is implicitly allowed by the globalHTTPSWhitelist
policy, rather than explicitly whitelisted, causing HTTP
subdocument and scripts to be unintentionally allowed when
the top document is HTTPS (thanks Tor Project for report)
x [Surrogate] Update Google Analytics replacement (thanks
barbaz)

Version 2.6.9.16.1-signed 533.1 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.16
=============================================================
+ [Surrogate] Updated Gravatar surrogate (thanks barbaz)
+ Additional HTML sanitization when pasting rich text into
content-editable elements (thanks .mario for RFE)
+ Introduced framework for E10s migration, starting with new
features and fixes
x Removed deprecated let () expressions from the code base

Version 2.6.9.15.1-signed 531.7 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.15
=============================================================
+ Fixed regression in 2.6.9.12 causing data: URI documents
to be scripting-enabled (thanks GOF for tweet)

Version 2.6.9.14.1-signed 531.7 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.14
=============================================================
+ [Surrogate] OWASP legacy Javascript-based "antiClickjack"
protection surrogate to unhide "protected" pages when
scripting is disabled (thanks barbaz)
+ Restored noscript.forbidXHR functionality trying to make it
more web-compatible (thanks barbaz for RFE)

Version 2.6.9.13.1-signed 531.5 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.13
=============================================================
x [XSS] Fixed bugs in comment stripping optimization (thanks
Masato Kinugawa for reporting)
x [XSS] Better protection against some ES6 attacks (thanks
Masato Kinugawa for reporting)
- Removed support for XMLHttpRequest blocking
(noscript.forbidXHR preference). The same functionality,
if really needed, can still be achieved through ABE anyway.

Version 2.6.9.12.1-signed 531.6 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.12
=============================================================
x Fixed origin checking bug causing sandboxed IFRAMEs to have
scripting always disabled (thanks Ellad Tadmor for report)

Version 2.6.9.11.1-signed 531.5 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.11
=============================================================
x [Surrogate] microsoftSupport surrogate to force the content
to be shown if scripts are disabled (thanks thunderscript)
x Check private browsing against chrome rather than content
windows (prevents annoying warning console messages)

Version 2.6.9.10.1-signed 531.5 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.10
=============================================================
x Fixed regression: permanently allow a web site erasing
temporary whitelist items (thanks smersh for reporting)
x Fixed private windows detection for UI adaptation broken in
SeaMonkey (thanks barbaz for reporting)
x Made the 'Permanent "allow" commands in private windows'
checkbox look and behave like the other options in the
"Appearance" tab, i.e. controlling the visibility of the
menu item by the same name

Version 2.6.9.9.1-signed 531.5 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.9
=============================================================
x Updated GPL.txt and NoScript_License.txt with current FSF
information (thanks Thomas Spura for reporting)
x Fixed regression causing "Revoke temporary permissions"
glitches (thanks barbaz for reporting)
x Moved the 'Permanent "allow" commands in private windows'
menu toggle next to the 'Options' command

Version 2.6.9.8.1-signed 531.5 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.8
=============================================================
+ 'Permanent "allow" commands in private windows' preference
in NoScript Options|Appearance (inverse of
noscript.volatilePrivatePermissions)
+ 'Permanent "allow" commands in private windows' toggle
in NoScript menu while in Private Browsing mode, controlled
by noscript.showVolatilePrivatePermissionsToggle
x Fixed regression in Cascade Permissions mode (thanks Kitty
Box for reporting)
+ Fixed whitelisting regression on Gecko 25 and below (e.g.
Palemoon)
+ Actually prevent temporary whitelist items from being saved
in prefs (thanks to Mike Perry)

Version 2.6.9.7.1-signed 531.2 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.7
=============================================================
x Fixed inconsistencies in the globalHttpsWhitelist option
implementation (thanks Mike Perry for reporting)
+ Volatile temporary whitelist, never gets saved to disk
(thanks to Tor Project for sponsorship)
+ Never show permanent whitelist modifying commands when in
private mode, unless the noscript.volatilePrivatePermissions
preference is false (thanks to Tor Project for sponsorship)
+ noscript.allowWhitelistUpdate preference to control whether
NoScript should be able to tweak the whitelist on version
updates when the 3rd party requirements for an already
whitelisted website change (thanks Thencent for RFE)

Version 2.6.9.6.1-signed 530.9 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.6
=============================================================
+ Built-in force HTTPS list, seeded with www.youtube.com
x Work-around for bogus Youtube embedded frame activation
patterns (thanks al_9x for reporting)
x Fixed bookmarklet execution regression in older Firefox
versions (thanks 5keeve for reporting)
x Fixed subdocuments of a [System Principal] page not being
allowed when they should in cascade permission modes
(thanks hjkl for reporting)

Version 2.6.9.5.1-signed 530.6 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.5
=============================================================
x Fixed memory leak when a top-level browser window is closed
(thanks cks for reporting)
x [XSS] compatibility tweak for swisspost.ch
x Miscellaneous HTTPS URLs lockdown
+ Support for full-encrypted https://noscript.net
x Updated Twitter surrogate (thanks ozjuggler and barbaz)
x Work-around for thumbnail generation protection being
broken by some add-ons
x Fully disable background processed thumbnail generation
unless noscript.bgThumbs.allowed about:config preference
is set to true
x Control JavaScript enabled in background thumbnail
generation through the noscript.bgThumbs.disableJS
about:config preference
+ Forcing remote browsers used for thumbnail generation to
disable JavaScript (thanks vpoint for reporting)
+ [Surrogate] Invodo dummy replacement (thanks barbaz)

Version 2.6.9.4.1-signed 530.2 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.4
=============================================================
+ Added vimeocdn.com as a vimeo.com dependency if already
whitelisted
+ [Surrogate] Enabling imgserve.com age verification button
even if JavaScript is disabled
x Fixed IP6 to IP4 mapping bug (thanks stack / inventati)

Version 2.6.9.3.1-signed 530.2 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.3
=============================================================
x More accurate referrer checks for some edge cases (thanks
AlbertMTom for reporting)
x [ABE] More restrictive local IP checks (thanks AlbertMTom
for reporting)
+ More permissive AddressMatcher IP parser
+ [XSS] Improved sensitivity (thanks Masato Kinugawa)

Version 2.6.9.2.1-signed 530.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.2
=============================================================
+ [XSS] Improved sensitivity (thanks Masato Kinugawa)

Version 2.6.9.1.1-signed 530.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9.1
=============================================================
+ [XSS] focus-based exfiltration protection (thanks Masato
Kinugawa for reporting)
x [XSS] Fixed false positive in risky operators detection
(thanks Roman Vock for reporting)

Version 2.6.9.1-signed 529.9 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.6.9
=============================================================
+ [XSS] Improved location-based exfiltration protection
(thanks Masato Kinugawa for reporting)
+ [Surrogate] login.person.org inclusion (thanks barbaz)
x [XSS] Fixed 2.6.8.43 regressions
x [XSS] Improved specificity for eval-like patterns
+ Switched to a treeview for faster management of very long
whitelists (thanks barbaz for patch)
x Tentative work-around for potential performance problems
reportedly related to Australis support

v 2.6.9rc4
=============================================================
+ [XSS] Fixed bug in location-based exfiltration protection
(thanks Masato Kinugawa for reporting)

v 2.6.9rc3
=============================================================
+ [XSS] Improved location-based exfiltration protection
(thanks Masato Kinugawa for reporting)

v 2.6.9rc2
=============================================================
+ [Surrogate] login.person.org inclusion (thanks barbaz)
x [XSS] Fixed 2.6.8.43 regressions
x [XSS] Improved specificity for eval-like patterns

v 2.6.9rc1
=============================================================
+ Switched to a treeview for faster management of very long
whitelists (thanks barbaz for patch)
x Tentative work-around for potential performance problems
reportedly related to Australis support
x [XSS] Fixed 2.6.8.43 regressions