NoScript Security Suite Version History

927 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.2.4rc3 519.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.4rc3
==========================================================================
x Fixed regression in SWFObject emulation for plugin placeholders
x Fixed top-level surrogates broken by ECMAv5 version specification

v 2.2.4rc2
==========================================================================
+ [ClearClick] Enhanced protection against same-window timing attacks
with moving pointer (thanks Michal Zalewski for PoC)
x SyntaxChecker's JavaScript version can be configured per-instance
(default "1.5")
x [Surrogate] JavaScript version set to "ECMAv5"
x [Surrogate] Use "ECMAv5" for early syntax checks

v 2.2.4rc1
==========================================================================
x Fixed reflected script inclusion false positive on redirections
- Removed "Forbid Web Bugs", which cannot be reliably enforced anymore
because of speculative parsing
x Restored wlxrs.com in the default whitelist (it had
accidentally changed back to two subdomains)
x Fixed resetting options doesn't erase the untrusted blacklist until
browser restart (thanks ddigas for reporting)

Version 2.2.4rc2 519.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.4rc2
==========================================================================
+ [ClearClick] Enhanced protection against same-window timing attacks
with moving pointer (thanks Michal Zalewski for PoC)
x SyntaxChecker's JavaScript version can be configured per-instance
(default "1.5")
x [Surrogate] JavaScript version set to "ECMAv5"
x [Surrogate] Use "ECMAv5" for early syntax checks

v 2.2.4rc1
==========================================================================
x Fixed reflected script inclusion false positive on redirections
- Removed "Forbid Web Bugs", which cannot be reliably enforced anymore
because of speculative parsing
x Restored wlxrs.com in the default whitelist (it had
accidentally changed back to two subdomains)
x Fixed resetting options doesn't erase the untrusted blacklist until
browser restart (thanks ddigas for reporting)

Version 2.2.4rc1 519.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.4rc1
==========================================================================
x Fixed reflected script inclusion false positive on redirections
- Removed "Forbid Web Bugs", which cannot be reliably enforced anymore
because of speculative parsing
x Restored wlxrs.com in the default whitelist (it had
accidentally changed back to two subdomains)
x Fixed resetting options not erases the untrusted blacklist until restart
(thanks ddigas for reporting)

Version 2.2.3.1-signed 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.3rc4
==========================================================================
+ Configuration import/export directory is persisted across sessions

v 2.2.3rc3
==========================================================================
+ Generalized checks on drag and drop payloads
+ [XSS] Tightened checks on reflected javascript: URIs

v 2.2.3rc2
==========================================================================
x [Surrogate] DOMContentLoad listeners on windows (thanks al_9x for RFE)

v 2.2.3rc1
==========================================================================
+ [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
+ [Surrogate] More homogeneous treatment for file-based surrogates (thanks
al_9x for RFE)

v 2.2.2rc5
==========================================================================
+ [Surrogate] Wrapped in lexical scoped blocks scripts also when debug
mode is on (thanks al_9x for RFE)
+ [Surrogate] Early one-time syntax checks on setup (thanks al_9x for RFE)
x [ClearClick] Better compatibility with some GMail embeddings
x [XSS] Better compatibility with Visual Studio in-browser documentation
x [ClearClick] Fixed Adblock Plus causing false positives on Fx 3.6
x Improved HTML 5 DnD XSS protection (thanks Soroush Dalili for reporting)
x [Locale] Latvian (thanks gymka)

v 2.2.2rc4
==========================================================================
x Protection against a new XSS technique based on HTML 5 DnD (thanks
Soroush Dalili for reporting)

v 2.2.2rc3
==========================================================================
x Better compatibility with credit card verification systems
x [ABE] Fixed ruleset disablement status not surviving browser restarts
(thanks ssj100 for reporting)

v 2.2.2rc2
==========================================================================
x Fixed escaped_fragment handling issue with proxies (thanks sourcejedi
for reporting)
x Turned remaining channel URI modification instances into
ChannelReplacement clients

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Version 2.2.3rc4 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.3rc4
==========================================================================
+ Configuration import/export directory is persisted across sessions

v 2.2.3rc3
==========================================================================
+ Generalized checks on drag and drop payloads
+ [XSS] Tightened checks on reflected javascript: URIs

v 2.2.3rc2
==========================================================================
x [Surrogate] DOMContentLoad listeners on windows (thanks al_9x for RFE)

v 2.2.3rc1
==========================================================================
+ [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
+ [Surrogate] More homogeneous treatment for file-based surrogates (thanks
al_9x for RFE)

Version 2.2.3rc3 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.3rc3
==========================================================================
+ Generalized checks on drag and drop payloads
+ [XSS] Tightened checks on reflected javascript: URIs

v 2.2.3rc2
==========================================================================
x [Surrogate] DOMContentLoad listeners on windows (thanks al_9x for RFE)

v 2.2.3rc1
==========================================================================
+ [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
+ [Surrogate] More homogeneous treatment for file-based surrogates (thanks
al_9x for RFE)

Version 2.2.3rc2 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.3rc2
==========================================================================
x [Surrogate] DOMContentLoad listeners on windows (thanks al_9x for RFE)

v 2.2.3rc1
==========================================================================
+ [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
+ [Surrogate] More homogeneous treatment for file-based surrogates (thanks
al_9x for RFE)

Version 2.2.3rc1 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.3rc1
==========================================================================
+ [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
+ [Surrogate] More homogeneous treatment for file-based surrogates (thanks
al_9x for RFE)

Version 2.2.2rc5 522.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

2.2.2rc5
==========================================================================
+ [Surrogate] Wrapped in lexical scoped blocks scripts also when debug
mode is on (thanks al_9x for RFE)
+ [Surrogate] Early one-time syntax checks on setup (thanks al_9x for RFE)
x [ClearClick] Better compatibility with some GMail embeddings
x [XSS] Better compatibility with Visual Studio in-browser documentation
x [ClearClick] Fixed Adblock Plus causing false positives on Fx 3.6
x Improved HTML 5 DnD XSS protection (thanks Soroush Dalili for reporting)

v 2.2.2rc4
==========================================================================
x Protection against a new XSS technique based on HTML 5 DnD (thanks
Soroush Dalili for reporting)

v 2.2.2rc3
==========================================================================
x Better compatibility with credit card verification systems
x [ABE] Fixed ruleset disablement status not surviving browser restarts
(thanks ssj100 for reporting)

v 2.2.2rc2
==========================================================================
x Fixed escaped_fragment handling issue with proxies (thanks sourcejedi
for reporting)
x Turned remaining channel URI modification instances into
ChannelReplacement clients

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Version 2.2.2rc4 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.2rc4
==========================================================================
x Protection against a new XSS technique based on HTML 5 DnD (thanks
Soroush Dalili for reporting)

v 2.2.2rc3
==========================================================================
x Better compatibility with credit card verification systems
x [ABE] Fixed ruleset disablement status not surviving browser restarts
(thanks ssj100 for reporting)

v 2.2.2rc2
==========================================================================
x Fixed escaped_fragment handling issue with proxies (thanks sourcejedi
for reporting)
x Turned remaining channel URI modification instances into
ChannelReplacement clients

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Version 2.2.2rc3 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.2rc3
==========================================================================
x Better compatibility with credit card verification systems
x [ABE] Fixed ruleset disablement status not surviving browser restarts
(thanks ssj100 for reporting)

v 2.2.2rc2
==========================================================================
x Fixed escaped_fragment handling issue with proxies (thanks sourcejedi
for reporting)
x Turned remaining channel URI modification instances into
ChannelReplacement clients

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against SVG-based keylogging, can be disabled through
noscript.removeSMILKeySniffer about:config preference (thanks .mario for
reporting)

Version 2.2.2rc2 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.2rc2
==========================================================================
x Fixed escaped_fragment handling issue with proxies (thanks sourcejedi
for reporting)
x Turned remaining channel URI modification instances into
ChannelReplacement clients

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Version 2.2.2rc1 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Version 2.2.1.1-signed 520.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.1
==========================================================================
+ [Locale] Updated he-il (thanks baryoni)
x [ClearClick] Fixed incompatibility with the FoxTab add-on

v 2.2.1rc2
==========================================================================
+ [XSS] Deeper decoding on sanitization (thanks .mario for reporting)

v 2.2.1rc1
==========================================================================
+ [XSS] More accurate recursive decoding (thanks .mario for reporting)

Version 2.2.1rc3 519.2 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.1rc3
==========================================================================
+ [Locale] Updated he-il (thanks baryoni)
x [ClearClick] Fixed incompatibility with the FoxTab add-on

v 2.2.1rc2
==========================================================================
+ [XSS] Deeper decoding on sanitization (thanks .mario for reporting)

v 2.2.1rc1
==========================================================================
+ [XSS] More accurate recursive decoding (thanks .mario for reporting)

Version 2.2.1rc2 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.1rc2
==========================================================================
+ [XSS] Deeper decoding on sanitization (thanks .mario for reporting)

v 2.2.1rc1
==========================================================================
+ [XSS] More accurate recursive decoding (thanks .mario for reporting)

Version 2.2.1rc1 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.1rc1
==========================================================================
+ [XSS] More accurate recursive decoding (thanks .mario for reporting)

Version 2.2.1-signed 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2
==========================================================================
+ [ClearClick] Improved protection against Clickjacking on nested windowed
Flash targets (thanks Sommerrain and Tom T for reporting)

Version 2.2rc1 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2rc1
==========================================================================
+ [ClearClick] Improved protection against Clickjacking on nested windowed
Flash targets (thanks Sommerrain and Tom T for reporting)

Version 2.1.9.1-signed 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.9
==========================================================================
x [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec
used instead of "1.8"

v 2.1.9rc3
==========================================================================
+ [Surrogate] JavaScript 1.8 support (thanks al_9x for RFE)
+ Better heuristic for XSSI detection
- Removed previous work-around XSSI exceptions
x Fixed some DOM traversal bugs (thanks al_9x for reporting)
x Refined Google search meta refresh blocking exception
x Added meta refresh blocking exception for t.co (Twitter URL shortener)

v 2.1.9rc2
==========================================================================
x Work-around for XSSI checks breaking some Yahoo! Mail features

v 2.1.9rc1
==========================================================================
+ New noscript.forbidMetaRefresh.exceptions url pattern preference
+ Meta refresh blocking exception for Google Search (blank page shown
otherwise if meta refresh blocking is enabled, cookies are disabled for
Google and Google Search scripting is forbidden)

Version 2.1.9rc4 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.9rc4
==========================================================================
x [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec
used instead of "1.8"

v 2.1.9rc3
==========================================================================
+ [Surrogate] JavaScript 1.8 support (thanks al_9x for RFE)
+ Better heuristic for XSSI detection
- Removed previous work-around XSSI exceptions
x Fixed some DOM traversal bugs (thanks al_9x for reporting)
x Refined Google search meta refresh blocking exception
x Added meta refresh blocking exception for t.co (Twitter URL shortener)

v 2.1.9rc2
==========================================================================
x Work-around for XSSI checks breaking some Yahoo! Mail features

v 2.1.9rc1
==========================================================================
+ New noscript.forbidMetaRefresh.exceptions url pattern preference
+ Meta refresh blocking exception for Google Search (blank page shown
otherwise if meta refresh blocking is enabled, cookies are disabled for
Google and Google Search scripting is forbidden)

Version 2.1.9rc3 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Version 2.1.9rc2 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.9rc2
==========================================================================
x Work-around for XSSI checks breaking some Yahoo! Mail features

v 2.1.9rc1
==========================================================================
+ New noscript.forbidMetaRefresh.exceptions url pattern preference
+ Meta refresh blocking exception for Google Search (blank page shown
otherwise if meta refresh blocking is enabled, cookies are disabled for
Google and Google Search scripting is forbidden)

Version 2.1.9rc1 515.1 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.9rc1
==========================================================================
+ New noscript.forbidMetaRefresh.exceptions url pattern preference
+ Meta refresh blocking exception for Google Search (blank page shown
otherwise if meta refresh blocking is enabled, cookies are disabled for
Google and Google Search scripting is forbidden)

Version 2.1.8rc3 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.8rc3
==========================================================================
+ Improved anti-popunder built-in surrogate
x Fixed object autowiring upon placeholder activation regressed by recent
surrogate sandboxing changes

v 2.1.8rc2
==========================================================================
+ noscript.xss.checkInclusions about:config preference (default true)
controls whether the new protection against reflected cross-site script
inclusion (XSSI) is enabled or not (thanks al_9x for RFE)
+ noscript.xss.checkInclusions.exceptions about:confing preference to
disable XSSI checks for certain script sources (thanks al_9x for RFE)

v 2.1.8rc1
==========================================================================
+ Protection against reflected script inclusion (thanks tlu for reporting)
x Fixed logged error message on permissions change (thanks Archaeopteryx
for reporting)

Version 2.1.8rc1 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.8rc1
==========================================================================
+ Protection against reflected script inclusion (thanks tlu for reporting)
x Fixed logged error message on permissions change (thanks Archaeopteryx
for reporting)

Version 2.1.8.1-signed 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.8
==========================================================================
+ Improved anti-popunder built-in surrogate
x Fixed object autowiring upon placeholder activation regressed by recent
surrogate sandboxing changes

v 2.1.8rc2
==========================================================================
+ noscript.xss.checkInclusions about:config preference (default true)
controls whether the new protection against reflected cross-site script
inclusion (XSSI) is enabled or not (thanks al_9x for RFE)
+ noscript.xss.checkInclusions.exceptions about:confing preference to
disable XSSI checks for certain script sources (thanks al_9x for RFE)

v 2.1.8rc1
==========================================================================
+ Protection against reflected script inclusion (thanks tlu for reporting)
x Fixed logged error message on permissions change (thanks Archaeopteryx
for reporting)

Version 2.1.8rc2 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.8rc2
==========================================================================
+ noscript.xss.checkInclusions about:config preference (default true)
controls whether the new protection against reflected cross-site script
inclusion (XSSI) is enabled or not (thanks al_9x for RFE)
+ noscript.xss.checkInclusions.exceptions about:confing preference to
disable XSSI checks for certain script sources (thanks al_9x for RFE)

v 2.1.8rc1
==========================================================================
+ Protection against reflected script inclusion (thanks tlu for reporting)
x Fixed logged error message on permissions change (thanks Archaeopteryx
for reporting)

Version 2.1.7.1-signed 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.7
==========================================================================
x [ABE] Fixed subrequests matching an Anon action rule not being shown in
the logs if already anonymized by the browser

v 2.1.7rc1
==========================================================================
x Fixed error console noise regression from menu fixes (thanks al_9x and
Archaeopteryx for reporting)

v 2.1.6rc2
==========================================================================
+ noscript.keys.tempAllowPage about:config preference to configure a
keyboard shortcut for "Temporarily allow all this page"
+ noscript.keys.revokeTemp about:config preference to configure a keyboard
shortcut for "Revoke temporary permissions"
+ noscript.menuAccelerators about:config preference to switch keyboard
accelerators for "(Temporary) allow all this page" menu items on/off
x Fixed notifications get all shown on the top in a tab where one
notification has already been shown on the top
x Fixed quasi-leak (zombie compartment) after using the NoScript menu on
a page where embedded content is present, until the menu is opened on
another page (thanks Archaeopteryx for reporting)
x [ABE] Fixed Anonymize actions logged twice (thanks al_9x for reporting)

v 2.1.6rc1
==========================================================================
x [Surrogate] Fixed sandboxed surrogates unable to set global variables

Version 2.1.7rc2 514.0 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.7rc2
==========================================================================
x [ABE] Fixed subrequests matching an Anon action rule not being shown in
the logs if already anonymized by the browser

v 2.1.7rc1
==========================================================================
x Fixed error console noise regression from menu fixes (thanks al_9x and
Archaeopteryx for reporting)

v 2.1.6rc2
==========================================================================
+ noscript.keys.tempAllowPage about:config preference to configure a
keyboard shortcut for "Temporarily allow all this page"
+ noscript.keys.revokeTemp about:config preference to configure a keyboard
shortcut for "Revoke temporary permissions"
+ noscript.menuAccelerators about:config preference to switch keyboard
accelerators for "(Temporary) allow all this page" menu items on/off
x Fixed notifications get all shown on the top in a tab where one
notification has already been shown on the top
x Fixed quasi-leak (zombie compartment) after using the NoScript menu on
a page where embedded content is present, until the menu is opened on
another page (thanks Archaeopteryx for reporting)
x [ABE] Fixed Anonymize actions logged twice (thanks al_9x for reporting)

v 2.1.6rc1
==========================================================================
x [Surrogate] Fixed sandboxed surrogates unable to set global variables