AMO is getting a new look. Would you like to see it?

Visit the new site

Close

NoScript Security Suite Version History

389 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.6.8.26.1-signed 520.8 KiB Works with Firefox 3.0.9 - 33.0, SeaMonkey 2.0 - 2.30

v 2.6.8.26
=========================================================================
x [XSS] gmx.com false positive work-around extended to international
domains (thanks dood_97 for reporting)
x [XSS] gmx.com false positive work-around extended to mail.com (thanks
boris for reporting)
+ noscript.cascadePermissions preliminary backend implementation
+ noscript.restrictSubdocScripting preliminary backend implementation

Version 2.6.8.25.1-signed 520.8 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.25
=========================================================================
x [ABE] Fixed inability to discriminate loads inititated from the URL bar
on latest Nightlies (thanks Soothsayer for reporting)
x [XSS] Fixed false positive on new gmx.com login (thanks Luigi and LeeB
for reporting)
x [Surrogate] Fixed new google-analytics.com surrogate causing Google
Spreadsheet's columns not to be resizable (thanks bobbybrown for
reporting)

Version 2.6.8.24.1-signed 520.6 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.24
=========================================================================
+ Synthetic load events are sent and error events are suppressed for
blocked script elements, in order to work around strict script
inclusion enforcers. This feature is triggered by default only by
Require.js module imports, but can be fully configured by
noscript.fakeScriptLoadEvents.* about:config preferences:
* .enabled: switches this feature on/off
* .onlyRequireJS: if true (default) applies the feature only to script
inclusions initiated by Require.js
* .exceptions: AddressMatcher pattern matching the source URLs of
script elements which should not cause fake load events when blocked
* .docExceptions: AddressMatcher pattern matching the URLs of documents
where no fake load event must be raised
x Improved toStaticHTML() implementation (thanks .mario for reporting)
x Removed useless ICC profiles from some icons (thanks taffit for RFE)
x [Surrogate] Improved google-analytics.com (ga) surrogate
x [XSS] Fixed characters redundancy reduction bug (thanks Masato Kinugawa
for reporting)
x [XSS] Fixed typo in the new regular expression literals stripping
routine implementation (thanks Masato Kinugawa for reporting)
x [XSS] Fixed subtle bug in regular expression literals stripping
optimization, potentially causing false negatives in edge cases (thanks
Masato Kinugawa for reporting)
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed

Version 2.6.8.23.1-signed 525.5 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.23
=========================================================================
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed

v 2.6.8.22
=========================================================================
x Better algorithm for menu items ordering

Version 2.6.8.22.1-signed 525.7 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.22
=========================================================================
x Better algorithm for menu items ordering

Version 2.6.8.21.1-signed 525.5 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.21
=========================================================================
x Fixed XSL check regression (thanks barbaz for reporting)
x Work-around for bug 1005552
+ [Surrogate] Gravatar dummy replacement
x [Australis] Support for reversed menu on surrogate status/addon bars

Version 2.6.8.20.1-signed 525.3 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.20
=========================================================================
x Partially restored "Allow local links" functionality (works for HTML
file:// links but not for embedded resources and scripted loads)
+ "allowLocalLinks.from" about:config preference to define a whitelist
(in ABE URL pattern list syntax) which, if valid and not empty,
overrides the JavaScript whitelist which is reused by legacy default
for pages allowed to open file:// links (Gecko 28 and above)
+ "allowLocalLinks.to" about:config preference to define a whitelist
(in ABE URL pattern list syntax) which, if valid and not empty,
limits the file:// links which can be opened by allowed pages
(Gecko 28 and above)
- Removed "Allow rich text copy and paste from external clipboard" option
from the UI if the browser doesn't support CAPS (Gecko 28 and above)
x Implemented early permission changes enforcement on not yet reloaded
pages, to better match the old CAPS-based behavior (thanks therube
for reporting)
x [Surrogates] Fixed Google Analytics surrogate breaking some javascript:
links (thanks Will for reporting)
x [L18n] Fixed Finnish typo (thanks Kalle Niemitalo for reporting)
x [XSS] Removed OAuth-triggered false positive (thanks Gunnar Scherf for
reporting)
x [XSS] Stricter checks for HTTPS requests from a same domain origin with
different scheme (thanks LouiseRBaldwin for reporting)

Version 2.6.8.19.1-signed 524.7 KiB Works with Firefox 3.0.9 - 31.0, SeaMonkey 2.0 - 2.28

v 2.6.8.19
=========================================================================
x Fixed CAPS initialization broken in Gecko 27 and below
x Fixed wildcard port matching broken in Gecko 28 and below
ing broken in Gecko 28 and below

Version 2.6.8.18.1-signed 524.7 KiB Works with Firefox 28.0 - 31.0, SeaMonkey 2.26 - 2.28

v 2.6.8.18
=========================================================================
x Fixed some bookmarklets being broken by Gecko 28
x [Surrogate] Fixed some surrogates being broken by Gecko 28
- Disabled CAPS-based script blocking for Gecko 28 and above
x Fixed XSLT blocking broken by recent Gecko changes (thanks Xenos for
reporting)

Version 2.6.8.17.1-signed 524.5 KiB Works with Firefox 3.0.9 - 31.0, SeaMonkey 2.0 - 2.28

v 2.6.8.17
=========================================================================
x CSS tweak for Australis support (thanks Jared Wein)
x Fixed new bookmarklet execution module accidentally using X rays
wrappers and therefore failing to interact

Version 2.6.8.16.1-signed 524.5 KiB Works with Firefox 3.0.9 - 31.0, SeaMonkey 2.0 - 2.28

v 2.6.8.16
=========================================================================
x Closing a placeholder doesn't collapse its space anymore, unless the
noscript.placeholderCollapseOnClose is set to true or the "Collapse
blocked objects" Embeddings option is checked (thanks Elmart for RFE)
x Further bookmarklet emulation improvements yet (thanks porl for RFEs)

Version 2.6.8.14.1-signed 523.7 KiB Works with Firefox 3.0.9 - 30.0, SeaMonkey 2.0 - 2.27

v 2.6.8.14
=========================================================================
x Fixed bookmarklet execution disabling JavaScript on whitelisted pages
(Firefox >= 29, thanks vsemozhetbyt for reporting mozbug 970445)
x [ABE] Improved compatibility with .local domains (thanks func0der for
reporting)

Version 2.6.8.13.1-signed 523.6 KiB Works with Firefox 3.0.9 - 30.0, SeaMonkey 2.0 - 2.27

v 2.6.8.13
=========================================================================
x Restored z-order mobility for options dialog on Linux (thanks barbaz
for RFE)
x Moved ClearClick options into their own "Advanced" sub-tab (thanks
Thrawn for RFE)
x Minor options dialog tweakings
- Removed External Filters options panel
x The option dialog is non-modal and recycled now (thanks barbaz for RFE)

Version 2.6.8.12.1-signed 524.1 KiB Works with Firefox 3.0.9 - 30.0, SeaMonkey 2.0 - 2.27

v 2.6.8.12
=========================================================================
x Improved work-around for
https://bugzilla.mozilla.org/show_bug.cgi?id=958962
+ [Surrogate] Prevent blank ModPagespeed-patched pages when meta refresh
inside NOSCRIPT elements is blocked (thanks thunderscript and barbaz)
x Fixed one-time this.getSite() error on startup
+ Browser Console support
x [Locale] Updated fr (thanks Jack Black)
x Fixed feed reader broken on non-whitelisted sites in non-stable Firefox
(thanks LouCypher for reporting)

Version 2.6.8.11.1-signed 523.4 KiB Works with Firefox 3.0.9 - 29.0, SeaMonkey 2.0 - 2.26

v 2.6.8.11
=========================================================================
x [XSS] Fixed nested URL parsing optimization bug (thanks Masato Kinugawa
for reporting)
x [XSS] Abort, rather than filter, potential charset-based attacks (
thanks Masato Kinugawa for reporting)
x [XSS] Improved Ebay compatibility (thanks Markus Wienand for reporting)

x [XSS] Fixed bad charset check regression from rc6 (thanks Masato
Kinugawa for reporting)
x [XSS] Fixed bad charset checks not honoring exceptions (thanks Masato
Kinugawa for reporting)
x Adopted the Components.utils.blockScriptForGlobal() API where possible
x [XSS] Further improvements in recursive link checks (thanks Masato
Kinugawa for reporting)
x [XSS] Better checks for combined data/javascript URIs (thanks Masato
Kinugawa for reporting)
x [XSS] Restored fuzzy HTML sniffing in nested data URI (thanks Masato
Kinugawa for reporting)
x [XSS] Improved data URI checks (thanks Masato Kinugawa for reporting)
x [XSS] Enhanced recursive link checks (Thanks PK Cano for reporting)
x [XSS] Stricter HTML checks on second-order data URI injections exactly
fitting whole URL attributes (thanks Masato Kinugawa for reporting)

Version 2.6.8.10.1-signed 523.0 KiB Works with Firefox 3.0.9 - 29.0, SeaMonkey 2.0 - 2.26

v 2.6.8.10
=========================================================================
x [XSS] Fixed regression causing Google Talk false positive (thanks
Stuart Young for report)
x Made about:srcdoc placeholder URL for seamless iframes "mandatory"
to reflect its actual permissions status (thanks barbaz for RFE)

Version 2.6.8.9.1-signed 522.7 KiB Works with Firefox 3.0.9 - 29.0, SeaMonkey 2.0 - 2.26

v 2.6.8.9
=========================================================================
x [XSS] Stricter HTML checks (thanks Masato Kinugawa for reporting)
x [ClearClick] Exception to cope with Youtube's Google+ comments
x [XSS] Better data: URI detection (thanks Masato Kinugawa for reporting)
x [XSS] Improved pure HTML checks (thanks Masato Kinugawa for reporting)
x [XSS] Fixed InjectionChecker tolerance bug (thanks Masato Kinugawa for
reporting)
x [XSS] Improved sanitization

Version 2.6.8.8.1-signed 522.9 KiB Works with Firefox 3.0.9 - 29.0, SeaMonkey 2.0 - 2.26

v 2.6.8.8
=========================================================================
+ Enforce docShell-based script blocking for Gecko > 28
+ [Surrogate] addthis.com widget emulation (thanks Mathnerd314)

Version 2.6.8.7.1-signed 522.6 KiB Works with Firefox 3.0.9 - 29.0, SeaMonkey 2.0 - 2.26

v 2.6.8.7
=========================================================================
x Fixed performance regression in request identity tracking (thanks
cumdacon and nospamboz for reporting)
+ Protection against new SQLXSSI obfuscation techinques (thanks Alex
Inführ for reporting)
x Fixed noscript.allowedMimeRegExp ignoring the FONT pseudo-type (thanks
barbaz for reporting)

Version 2.6.8.6.1-signed 522.3 KiB Works with Firefox 3.0.9 - 29.0, SeaMonkey 2.0 - 2.26

v 2.6.8.6
=========================================================================
x Fixed bugs in noscript.allowedMimeRegExp support (thanks barbaz for
reporting)
x [ABE] Fixed increased asynchronicity in Gecko's network processing
causing intermittent failures (thanks barbaz and al_9x for reporting)
x [Surrogate] Fixed bug in asynchronous Google Analytics API emulation
(thanks Lucas Malor for reporting)
x Fixed missing icon for blocked objects when no script is present in the
page and scrips are globally allowed

Version 2.6.8.5.1-signed 522.2 KiB Works with Firefox 3.0.9 - 28.0, SeaMonkey 2.0 - 2.25

v 2.6.8.5
=========================================================================
x [ClearClick] Fixed empty contentEditable elements cannot receive
keyboard events in cross-site frames (breaking latest Youtube comments)
x [XSS] Fixed false positive on redirected script inclusions (breaking
Stripe payments on Humblebundle, thanks ableeker for reporting)
x [Surrogate] Better GA, GAPI, Twitter and Facebook compatibility

Version 2.6.8.4.1-signed 522.2 KiB Works with Firefox 3.0.9 - 28.0, SeaMonkey 2.0 - 2.25

v 2.6.8.4
=========================================================================
x Fixed shortcut bookmarklet execution requiring noscript.allowURLBarJS
preference to be true on Firefox 25 beta (thanks ivank for report)
x [Surrogate] Better emulation of for Google Analytics asynchronous
tracking (for instance, fixes GMail's "Sign in" link)
x [ClearClick] Fixed exception being thrown on Firefox 27 alpha (Nightly)
x Fixed URL bar enhancements broken by Firefox 25 beta
x Fixed SetVariable/GetVariable failing on dynamically created Flash
elements, e.g. with SFWObject (thanks longsleep for reporting)

Version 2.6.8.3.1-signed 522.3 KiB Works with Firefox 3.0.9 - 27.0, SeaMonkey 2.0 - 2.24

v 2.6.8.3
=========================================================================
x Fixed complex bookmarklet execution requiring synchronous XHR in a
content policy callback
x Fixed full-page plugins failed activation until the page is reloaded
x Fixed full-page HTML5 media failing to play after activation until the
page is reloaded

Version 2.6.8.2.1-signed 522.3 KiB Works with Firefox 3.0.9 - 27.0, SeaMonkey 2.0 - 2.24

v 2.6.8.2rc2
=========================================================================
x Fixed request methods different than POST being turned into GET by
internal channel redirection when the DNS entry is not cached yet

v 2.6.8.2rc1
=========================================================================
x Fixed regression from CTP fix: some kinds of embedded objects being
displayed, even though in disabled state, along with placeholders

Version 2.6.8.1.1-signed 522.2 KiB Works with Firefox 3.0.9 - 27.0, SeaMonkey 2.0 - 2.24

v 2.6.8.1
=========================================================================
+ Added to the default whitelist some CDN subdomains dedicated to serve
popular open source JS libraries (thanks t3g for RFE)
x Fixed notification box issues with Seamonkey (thanks barbaz)
x Work-around for broken CTP notifications (bug 903675)
x Work-around for Youtube comments XSS false (?) positive
x [Locale] Updated fr (thanks Jack Black)

Version 2.6.7.1.1-signed 521.7 KiB Works with Firefox 3.0.9 - 27.0, SeaMonkey 2.0 - 2.24

v 2.6.7.1
=========================================================================
x [XSS] Fixed false positive on GMail when opening the Google Docs file
picker (thanks Harry for reporting)
x [XSS] Fixed parameter elision bug
+ Protection against another variant of error-based SQLXSSI (thanks Alex
Inführ for reporting)

Version 2.6.7.1-signed 521.7 KiB Works with Firefox 3.0.9 - 26.0, SeaMonkey 2.0 - 2.23

v 2.6.7
=========================================================================
x Fixed HTML 5 media content types not blocked when loaded as top-level
documents (thanks al_9x for reporting)
x [XSS] Fixed bug in SQLXSSI detection (thanks Alex Inführ for reporting)
x Fixed resources from resource: origin (such as PDF.js fonts) being
unnecessarily blocked in restrictive embed blocking mode
x Removed "ReferenceError: PolicyState is not defined" message appearing
sometimes in the console dump on startup
x Fixed scrollbars removed in frames activated from placeholder (thanks
al_9x for reporting)

Version 2.6.6.9.1-signed 521.5 KiB Works with Firefox 3.0.9 - 25.0, SeaMonkey 2.0 - 2.22

v 2.6.6.9
=========================================================================
+ [XSS] Added several experimental / unofficial markup atoms to the
build-time matcher generator (thanks .mario for reporting)

Version 2.6.6.8.1-signed 523.2 KiB Works with Firefox 3.0.9 - 25.0, SeaMonkey 2.0 - 2.22

v 2.6.6.8
=========================================================================
x [XSS] Protection against filter evasion exploiting Adobe Flash URL
parsing and charset handling bugs (thanks Soroush Dalili for reporting)

Version 2.6.6.7.1-signed 521.8 KiB Works with Firefox 3.0.9 - 25.0, SeaMonkey 2.0 - 2.22

v 2.6.6.7
=========================================================================
x Fixed ClearClick triggered by recently changed browser built-in Click
To Play placeholders (bug 889228)
x [Locale] Updated Czech (thanks Karel)