NoScript Security Suite Version History

377 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.3.1.1-signed 508.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.3.1
==========================================================================
+ Surrogate to let news pages escape Digg's frame
+ [ClearClick] Improved compatibility with cross-frame overlapping shadows
x Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks
.mario for reporting)
+ adf.ly surrogate to automaticaly skip the interstitial page even if
scripts are disabled
x Improved Google search surrogates
+ New surrogate against Google's scriptless tracking of search results
navigation

Version 2.3.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.3
==========================================================================
x Fixed about:newtab not considered as a local origin by ABE
+ Added blob:, about:memory and about:support to the automatic whitelist
x Added reflected script inclusion check exception for intensedebate.com
x Fixed CSS issues on Gecko 1.8

Version 2.2.9.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.9
==========================================================================
+ Right click on NoScript menu items copies the site to the clipboard, if
any under the pointer, or all the page-related script sources prepended
with a status mark: + for whitelisted, - for default, ! for untrusted (
thanks Tom T. for RFE)
+ Added browserid.org to the default whitelist
x Improved default whitelist update mechanism
x Fixed some Flash movies failing to load on Nightly (thanks Nova6K0 for
reporting)
x Fixed incompatibility between surrogates / content augmentations (e.g.
toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for
reporting
x NoScript won't attempt to load the release notes page if the site is
unreachable
v 2.2.9rc1
==========================================================================
x Fixed ABE failing to recognize some FE80:* IPv6 addresses as local ones
(thanks Mitchum Owen for report)

Version 2.2.8.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.8
==========================================================================
x [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested
documents

v 2.2.8rc1
==========================================================================
x [ClearClick] Protection against Koto's Cursorjacking technique disclosed
at http://blog.kotowicz.net/2012/01/cursorjacking-again.html

Version 2.2.7.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.7
==========================================================================
x [ClearClick] Protection against two steps interaction attack based on
HTML5 DnD (thanks .mario for reporting)

Version 2.2.6.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.6
==========================================================================
x [XSS] Fixed sanitization reporting bug

v 2.2.6rc1
==========================================================================
+ [XSS] Protection against new kind of response splitting + XSS combo
attack responsibly disclosed by Mike Brooks

Version 2.2.5.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.5
==========================================================================
x [ClearClick] Better compatibility with recent Disqus widget versions

v 2.2.5rc3
==========================================================================
x [XSS] Better compatibility with Verified by VISA (www.securesuite.net)
x Tentative work-around for bug 710170

v 2.2.5rc2
==========================================================================
x Work around for Linux tooltips obstructing the embedding unblocking
confirmation dialog

v 2.2.5rc1
==========================================================================
x Work around for Mozilla bug 712649

Version 2.2.4.1-signed 507.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.4
==========================================================================
x Fixed some localizations having newlines replaced with 'n' characters

v 2.2.4rc3
==========================================================================
x Fixed regression in SWFObject emulation for plugin placeholders
x Fixed top-level surrogates broken by ECMAv5 version specification

v 2.2.4rc2
==========================================================================
+ [ClearClick] Enhanced protection against same-window timing attacks
with moving pointer (thanks Michal Zalewski for PoC)
x SyntaxChecker's JavaScript version can be configured per-instance
(default "1.5")
x [Surrogate] JavaScript version set to "ECMAv5"
x [Surrogate] Use "ECMAv5" for early syntax checks

v 2.2.4rc1
==========================================================================
x Fixed reflected script inclusion false positive on redirections
- Removed "Forbid Web Bugs", which cannot be reliably enforced anymore
because of speculative parsing
x Restored wlxrs.com in the default whitelist (it had
accidentally changed back to two subdomains)
x Fixed resetting options doesn't erase the untrusted blacklist until
browser restart (thanks ddigas for reporting)

Version 2.2.3.1-signed 508.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.3rc4
==========================================================================
+ Configuration import/export directory is persisted across sessions

v 2.2.3rc3
==========================================================================
+ Generalized checks on drag and drop payloads
+ [XSS] Tightened checks on reflected javascript: URIs

v 2.2.3rc2
==========================================================================
x [Surrogate] DOMContentLoad listeners on windows (thanks al_9x for RFE)

v 2.2.3rc1
==========================================================================
+ [Surrogate] Capturing DOMContentLoad listeners (thanks al_9x for RFE)
+ [Surrogate] More homogeneous treatment for file-based surrogates (thanks
al_9x for RFE)

v 2.2.2rc5
==========================================================================
+ [Surrogate] Wrapped in lexical scoped blocks scripts also when debug
mode is on (thanks al_9x for RFE)
+ [Surrogate] Early one-time syntax checks on setup (thanks al_9x for RFE)
x [ClearClick] Better compatibility with some GMail embeddings
x [XSS] Better compatibility with Visual Studio in-browser documentation
x [ClearClick] Fixed Adblock Plus causing false positives on Fx 3.6
x Improved HTML 5 DnD XSS protection (thanks Soroush Dalili for reporting)
x [Locale] Latvian (thanks gymka)

v 2.2.2rc4
==========================================================================
x Protection against a new XSS technique based on HTML 5 DnD (thanks
Soroush Dalili for reporting)

v 2.2.2rc3
==========================================================================
x Better compatibility with credit card verification systems
x [ABE] Fixed ruleset disablement status not surviving browser restarts
(thanks ssj100 for reporting)

v 2.2.2rc2
==========================================================================
x Fixed escaped_fragment handling issue with proxies (thanks sourcejedi
for reporting)
x Turned remaining channel URI modification instances into
ChannelReplacement clients

v 2.2.2rc1
==========================================================================
+ [XSS] Explicit check for potentially dangerous SMIL elements (thanks
.mario for suggestion)
+ Protection against scriptless keylogging (thanks .mario for reporting)

Version 2.2.1.1-signed 508.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2.1
==========================================================================
+ [Locale] Updated he-il (thanks baryoni)
x [ClearClick] Fixed incompatibility with the FoxTab add-on

v 2.2.1rc2
==========================================================================
+ [XSS] Deeper decoding on sanitization (thanks .mario for reporting)

v 2.2.1rc1
==========================================================================
+ [XSS] More accurate recursive decoding (thanks .mario for reporting)

Version 2.2.1-signed 503.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.2
==========================================================================
+ [ClearClick] Improved protection against Clickjacking on nested windowed
Flash targets (thanks Sommerrain and Tom T for reporting)

Version 2.1.9.1-signed 503.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.9
==========================================================================
x [Surrogate] fixed breakage caused by "1.8.1" JavaScript version spec
used instead of "1.8"

v 2.1.9rc3
==========================================================================
+ [Surrogate] JavaScript 1.8 support (thanks al_9x for RFE)
+ Better heuristic for XSSI detection
- Removed previous work-around XSSI exceptions
x Fixed some DOM traversal bugs (thanks al_9x for reporting)
x Refined Google search meta refresh blocking exception
x Added meta refresh blocking exception for t.co (Twitter URL shortener)

v 2.1.9rc2
==========================================================================
x Work-around for XSSI checks breaking some Yahoo! Mail features

v 2.1.9rc1
==========================================================================
+ New noscript.forbidMetaRefresh.exceptions url pattern preference
+ Meta refresh blocking exception for Google Search (blank page shown
otherwise if meta refresh blocking is enabled, cookies are disabled for
Google and Google Search scripting is forbidden)

Version 2.1.8.1-signed 502.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.8
==========================================================================
+ Improved anti-popunder built-in surrogate
x Fixed object autowiring upon placeholder activation regressed by recent
surrogate sandboxing changes

v 2.1.8rc2
==========================================================================
+ noscript.xss.checkInclusions about:config preference (default true)
controls whether the new protection against reflected cross-site script
inclusion (XSSI) is enabled or not (thanks al_9x for RFE)
+ noscript.xss.checkInclusions.exceptions about:confing preference to
disable XSSI checks for certain script sources (thanks al_9x for RFE)

v 2.1.8rc1
==========================================================================
+ Protection against reflected script inclusion (thanks tlu for reporting)
x Fixed logged error message on permissions change (thanks Archaeopteryx
for reporting)

Version 2.1.7.1-signed 502.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.7
==========================================================================
x [ABE] Fixed subrequests matching an Anon action rule not being shown in
the logs if already anonymized by the browser

v 2.1.7rc1
==========================================================================
x Fixed error console noise regression from menu fixes (thanks al_9x and
Archaeopteryx for reporting)

v 2.1.6rc2
==========================================================================
+ noscript.keys.tempAllowPage about:config preference to configure a
keyboard shortcut for "Temporarily allow all this page"
+ noscript.keys.revokeTemp about:config preference to configure a keyboard
shortcut for "Revoke temporary permissions"
+ noscript.menuAccelerators about:config preference to switch keyboard
accelerators for "(Temporary) allow all this page" menu items on/off
x Fixed notifications get all shown on the top in a tab where one
notification has already been shown on the top
x Fixed quasi-leak (zombie compartment) after using the NoScript menu on
a page where embedded content is present, until the menu is opened on
another page (thanks Archaeopteryx for reporting)
x [ABE] Fixed Anonymize actions logged twice (thanks al_9x for reporting)

v 2.1.6rc1
==========================================================================
x [Surrogate] Fixed sandboxed surrogates unable to set global variables

Version 2.1.5.1-signed 502.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.5
==========================================================================
x Improved object wiring emulation on placeholder activation (thanks al_9x
for report and code)

v 2.1.5rc3
==========================================================================
+ [Surrogate] noscript.surrogate.sandbox preference to control the
execution method for inclusion surrogates

v 2.1.5rc2
==========================================================================
x Work-around for CORS incompatibility with internal redirects
- Removed legacy threading management support

v 2.1.5rc1
==========================================================================
x [Surrogate] Surrogates triggered by content policy calls get executed in
a sandbox
x Moved SWFObject and Silverlight patching to early scripts
x Replaced every reference to XHR's "on..." event handler properties with
their addEventListener() counterparts, to cope with bug 687332 fallouts

Version 2.1.4.1-signed 502.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.4
==========================================================================
x Fixed speculative parsing causing inclusion surrogates to be executed
twice (thanks al_9x for reporting)

v 2.1.4rc1
==========================================================================
x More efficient and Gecko-friendly HTTPS enforcing method

Version 2.1.2.8.1-signed 496.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.2.8
==========================================================================
x Fixed placeholders hard to activate on HTML 5 Youtube videos

v 2.1.2.8rc2
==========================================================================
x [XSS] Improved out-of-the-box compatibility with some Facebook games
x Fixed plugin blocking not working sometimes on file:// pages
loadeded before any network activity (thanks nagan for reporting)

v 2.1.2.8rc1
==========================================================================
+ Google Plus One surrogate (thanks al_9x for code)
- Removed t.co surrogate, since Twitter implemented a NOSCRIPT fallback

Version 2.1.2.7.1-signed 496.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.2.7
==========================================================================
x Better load progress feedback for hosts which are not DNS-cached yet
(thanks al_9x for reporting)

v 2.1.2.7rc3
==========================================================================
x Improved Google Analytics surrogate (thanks al_9x for code)
x More intuitive handling of the "live" behavior of the ABE ruleset editor
when syntax errors are introducd (thanks al_9x for reporting)

v 2.1.2.7rc2
==========================================================================
x Fixed OBJECT document inclusions failing under some circumstances

v 2.1.2.7rc1
==========================================================================
+ Prevent any website from embedding view-source URIs inside frames
x Firefox 9.0a1 compatibility

Version 2.1.2.6.1-signed 496.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.2.6
==========================================================================
x Temporarily disabled anti-anti-adblocker surrogate on any site except
those explicitly added to noscript.surrogate.ab.sources preference, as a
work-around for bug 677652
x Lazy initialization is deferred also when a file:// URL is loaded as the
home page

v 2.1.2.6rc7
==========================================================================
x More accurate work around for bug 677050

v 2.1.2.6rc6
==========================================================================
x Work around for Nightly bug 677050

v 2.1.2.6rc5
==========================================================================
x Fixed rapid-fire cross-site interaction protection interfering with some
keyboard-based UI patterns

v 2.1.2.6rc4
==========================================================================
x Fixed Firefox's built-in feed renderer broken unless about:feeds is
whitelisted

v 2.1.2.6rc3
==========================================================================
x Plugin origin checks now account for multiple extra-codebase archives
x Work around for HTTPS script inclusions on JavaScript-disabled pages
being loaded, albeit not executed (thanks al_9x for reporting)
x [ClearClick] Tentative work-around for ABP's "Block..." tab causing
false positives on nested documents (thanks GµårÐïåñ for reporting)

v 2.1.2.6rc2
==========================================================================
x Work-around for content policy inconsistencies in Java applet origins
handling (thanks al_9x for reporting)

v 2.1.2.6rc1
==========================================================================
+ Surrogate for the t.co Twitter URL shortener, which would otherwise
require JavaScript
+ USER ruleset conveniently pre-selected when ABE options are opened
x Improved invisible links detection approach

Version 2.1.2.5.1-signed 495.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.2.5
==========================================================================
x Fixed bookmarklets from sidebars not working on JS-disabled pages
+ Improved Twitter surrogate for Fx 3.x

v 2.1.2.4
==========================================================================
+ Ubuntu-specific startup optimization

v 2.1.2.4rc5
==========================================================================
+ Halved startup time (< 50ms) by deferring costly initialitations to
first remote request and fastloading the rest
x Minor tweaks to Twitter surrogate

v 2.1.2.4rc4
==========================================================================
+ Script Surrogate execution also for ABE-denied script requests (
thanks al_9x for RFE)
+ Script Surrogate for Twitter inclusions (thanks al_9x)
x Improved compatibility with Readability
x Fixed switching from one rule to another in the Rulesets box looses
changes in the current rule (thanks al_9x for reporting)

v 2.1.2.4rc3
==========================================================================
x Fixed url bar regression from rc2

v 2.1.2.4rc2
==========================================================================
x [ClearClick] noscript.clearClick.rapidFireCheck about:config preference
to control whether rapid fire event checking should be enabled or not
x [Bookmarks] Fixed javascript-based keyword bookmarklet not being ran on
Fx 6 and above (thanks al_9x for reporting)

v 2.1.2.4rc1
==========================================================================
x [ClearClick] Restored compatibility with bit.ly (now bitly.com)

Version 2.1.2.3.1-signed 495.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.2.3
==========================================================================
x [ClearClick] Refactoring and isolation of the rapid fire protection

v 2.1.2.3rc2
==========================================================================
x [ClearClick] Further refinement of rapid fire detection on tab switching

v 2.1.2.3rc1
==========================================================================
x [ClearClick] Fixed delay on first event response after some kinds of tab
switching

v 2.1.2.2
==========================================================================
x [ClearClick] Fixed false positives due to backwards incompatibilities
with Fx 3.5 and below (thanks chas35 for reporting)
x [Nightly compat] Fixed import/export broken by nsIJSON interface changes
in recent nightly builds (thanks happy-dude for reporting)

v 2.1.2.1
==========================================================================
x Fixed rapid fire cross-site interaction protection interfering with
keyboard-based tab switching (thanks tikl for reporting)

Version 2.1.1.2.1-signed 495.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.1.2 (same as 2.1.2rc0)
==========================================================================
x Fixed conflict with Firebug console
x Removed legacy code in content policy and ClearClick

v 2.1.1.2rc9
==========================================================================
x Fixed surrogates causing duplicate history entries for some sites on
Firefox 5
x Work around for bug 666371 breaking popunder surrogate and legitimate
popups on some sites

v 2.1.1.2rc8
==========================================================================
x Work-around for Mac OS X filepicker in Firefox 5 preventing exported
configuration files from being reimported

v 2.1.1.2rc7
==========================================================================
x Work-around for Nightly bug breaking the "View image" command
x Improved Google Analytics surrogate

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.1.1-signed 494.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.1.1
==========================================================================
+ Improved embedded object activation on Javascript-enabled pages via
dynamic method proxies (thanks al_9x for RFE)

v 2.1.1.1rc2
==========================================================================
x [XSS] removed false positive at Well Fargo's login

v 2.1.1.1rc1
==========================================================================
x Reduced request garbage collection frequency

Version 2.1.1.1-signed 494.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.1
==========================================================================
x Fixed toolbar button hidden in popup windows (thanks Steven Roddis for
reporting)

v 2.1.0.6rc14
==========================================================================
x Fixed double HTTP requests sent sometimes for document requests just
after DNS cache invalidation (thanks Lekensteyn and SLED for reporting)
x Removed NoScript and FlashGot download pages and added Yahoo! Mail as
ClearClick exception, in order to prevent false positives in the message
panel (thanks be and sabret00the for reporting)
x Fixed conflict with IE Tab 2 causing new tab not to open URLs entered
in the address bar (thanks mc for reporting)

v 2.1.0.6rc13
==========================================================================
x Fixed placeholders broken on trunk after fix for Gecko's bug 308590

v 2.1.0.6rc12
==========================================================================
+ Added paypal.com and paypalobjects.com to the default whitelist, to cope
with the new in-page contribution setup at AMO and reduce XSS risks
+ Improved toStaticHTML() emulation (thanks .mario for reporting)

v 2.1.0.6rc11
==========================================================================
x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)

v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
==========================================================================
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
==========================================================================
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.5.1-signed 489.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.0.5
==========================================================================
x Fixed recent memory optimizations breaking compatibility with some
extensions (thanks Alan Baxter for reporting)

v 2.1.0.5rc1
==========================================================================
x Work-around for a Seamonkey initialization timing issue

v 2.1.0.4
==========================================================================
+ Improved performance and memory efficiency of cross-site checks
x Removed redundant primary origin from ABE messages
x More verbose initialization error reporting

v 2.1.0.4rc10
==========================================================================
x Fixed memory leak on Nightly when watching the movie at http://ro.me
(thanks _nil and therube for reporting)

v 2.1.0.4rc9
==========================================================================
x Fixed Script Surrogate execution breaking some framesets
x Fixed executing an interactive bookmarklet and closing current tab
during execution keeps scripts globally allowed
+ Disabled execution of javascript: and data: URLs typed or
pasted in the address bar (noscript.allowURLBarJS preference)
+ Disabled execution of non-whitelisted scripts imported during execution
of javascript: and data: URLs typed or pasted in the address bar
(noscript.allowURLBarImports preference)
+ Work around for Verizon's cache serving scripts with wrong media type

v 2.1.0.4rc8
==========================================================================
x Fixed NoScript icon disappearing from add-on bar when mode == "text"

v 2.1.0.4rc7
==========================================================================
x Better work-around for bit.ly sidebar triggering ClearClick warnings
(thanks Markus387 for reporting)

v 2.1.0.4rc6
==========================================================================
x Work-around for bit.ly sidebar triggering ClearClick warnings
x Fixed placeholders with undersized type icon regression

v 2.1.0.4rc5
==========================================================================
x Fixed Seamonkey hanging on some pages (thanks therube for reporting)

v 2.1.0.4rc4
==========================================================================
x Fixed labels being shown for NoScript buttons on the add-on bar in some
configurations (thanks baciok for reporting)

v 2.1.0.4rc3
==========================================================================
x Fixed minimum placeholder size not applied when embeddings have "auto"
as their computed CSS width or height (thanks al_9x for reporting)

v 2.1.0.4rc2
==========================================================================
+ On scriptless pages, empty forms meant to be submitted via JavaScript
are automatically augmented with a submit button labeled after the
destination URL (thanks timeless for RFE)

2.1.0.4rc1
==========================================================================
x Changed the noscript.forbidXBL default to 1 (OK for current Fx versions)
in order to avoid Lotus Mail issues (thanks Tina for reporting)
x [XSS] Fixed a false positive involving Amazon mp3 checkout (thanks Dan
Loomis for reporting)

Version 2.1.0.3.1-signed 488.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.0.3
==========================================================================
x [L10n] Updated ro
x Restored some locales gone missing in previous dev build

v 2.1.0.3rc5
==========================================================================
x Improved Google Analytics surrogate
x Experimental built-in Firefox Sync turned off by default (can be enabled
through the noscript.sync.enabled about:config preference)
x Tentative fix for some synchronization annoyances

v 2.1.0.3rc4
==========================================================================
x Suppress any dump() logging when in Private Browsing mode, in order to
avoid X session log leakages on Linux
x Tentative fix for a RequestWatchdog lazy initialization race condition
(thanks Daniel Holbert for reporting)

v 2.1.0.3rc3
==========================================================================
+ Warning when user closes the options dialog leaving broken ABE ruleset
behind (thanks al_9x for report)

v 2.1.0.3rc2
==========================================================================
x Fixed Yahoo Toolbar breaking first browser window if NoScript 2.1.0.2 is
installed
x Various additional startup optimizations

v 2.1.0.3rc1
==========================================================================
x Added some null checks to prevent Venkman noise (thanks timeless)

Version 2.1.0.2.1-signed 483.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

2.1.0.2
==========================================================================
x [XSS] Improved XML prescreening

v 2.1.0.2rc5
==========================================================================
x Halved startup time

v 2.1.0.2rc4
==========================================================================
x More robust surrogate execution

v 2.1.0.2rc3
==========================================================================
+ Label automatically hidden when NoScript's toolbar buttons are added to
the add-ons bar

v 2.1.0.2rc2
==========================================================================
x Fixed AddressMatcher broken by RegExp changes in latest Minefield (
thanks linuser for reporting)

v 2.1.0.2rc1
==========================================================================
x Fixed ABE options panel regressions due to the changed storage (thanks
al_9x for reporting)

Version 2.1.0.1.1-signed 490.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 and later

v 2.1.0.1
==========================================================================
x Removed googlesyndication.com from the default whitelist
x Added securecode.com ("Verified by VISA") to the default whitelist, in
order to prevent surprise transaction failures
x [XSS] Exception for POST requests coming from a secure albeit not
whitelisted Verified by Visa (securecode.com) origin
x [ABE] Fixed bug causing excessive console noise from permissive rules
x Updated locales

v 2.1
==========================================================================
x Fixed various Script Surrogate inconsistencies

v 2.1.0rc6
==========================================================================
+ [ABE] Rulesets now are stored as preferences rather than files for
faster startup (less I/O) and more consistent settings management
+ [ABE/Sync] Rulesets are integrated into Firefox Sync for preferences too
x On first Firefox 4 run toolbar icon now gets added to the add-on bar
instead of the navigation bar if the latter is invisible, even if the
former is invisible as well (many users seem to expect it there)
x Fixed additional toolbar buttons too wide when labels are shown
x Fixed some Script Surrogate regressions (thanks al_9x for reporting)
x Work around for alert on new windows due to Mozilla's bug 608628
x Fixed placeholder not shown for embed elements placed inside invalid
object elements (thanks al_9x for reporting)

v 2.1.0rc5
==========================================================================
+ Firefox Sync integration can be switched off through the
noscript.sync.enabled about:config preference
x [XSS] Fixed false positive regression from recent Firefox 4
optimizations (thanks m_c for reporting)

v 2.1.0rc4
==========================================================================
x Further version-specific Script Surrogate optimizations

v 2.1.0rc3
==========================================================================
+ First shot at Firefox Sync native integration, synchronizes everything
except custom ABE rules
x [ABE] Optimized origin tracing
+ [ABE] INC(MEDIA) subtype matching HTML5 video and audio requests
+ [ABE] INC(FONT) subtype matching font embedding requests
x Huge refactoring in regular expression usage to optimize for Fx 4
x Script Surrogate optimization

v 2.1.0rc2
==========================================================================
x [ABE] Work-around for some Java plugin requests bypassing HTTP observers
(thanks tlu for reporting)
+ [ABE] Media HTML elements and plugin sub-requests are matched by the OBJ
inclusion subtype
+ [ABE] Font requests are matched by the OTHER inclusion subtype

v 2.1.0rc1
==========================================================================
x Fixed iframe content being sometimes opened in new tabs on Fx 4 when ABE
is enabled and DNS cache is missed

Version 2.0.9.9.1-signed 487.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 - 2.1b3

v 2.0.9.9
==========================================================================
x Fixed spaces in ipecho response breaking WAN IP detection with one of
the mirrors
+ Experimental built-in profiler for debugging purposes

v 2.0.9.9rc5
==========================================================================
+ Compatibility with Fire.fm
+ [XSS] Compatibility with latest Readability
x Tentative work-around for a WAN IP detection issue after sleep/wakeup

v 2.0.9.9rc4
==========================================================================
+ Forced text-plain on documents which miss a content-type header but send
"X-Content-Type-Options: nosniff"
+ Increased compatibility of the X-Content-Options implementation

v 2.0.9.9rc3
==========================================================================
x Work-around for surrogates not being executed on latest Fx 4 builds
x X-Content-Options implementation more compatible with Browserscope

v 2.0.9.9rc2
==========================================================================
x Fixed AJAX fallback last-minute breakage (thanks dhouwn for report)

v 2.0.9.9rc1
==========================================================================
+ Improved XSS filter to protect against potential risks from new HTML 5
features
+ AJAX fallback support via Google's _escaped_fragment_ recommendation,
can be disabled by toggling the noscript.ajaxFallback.enabled preference
(see https://code.google.com/web/ajaxcrawling/, thanks alexbobp for RFE)
+ New noscript.placeholderLongTip about:config preference to control
whether embedding placeholder tooltips should include query strings
and hash fragments or not (true by default)

Version 2.0.9.8.1-signed 485.0 KiB Works with Firefox 3.0 and later, SeaMonkey 2.0 - 2.1b3

v 2.0.9.8
==========================================================================
x Fixed empty tooltip for embedded placeholder on some RTL pages (thanks
Saad for reporting)
x Truncate URLs in placeholders tooltips at the the query string or hash,
to increase readability (thanks anystupidassname for RFE)
x Increased WAN IP checks interval to 1 hour reducing log spam on routers
- Removed some obsolete code

v 2.0.9.8rc2
==========================================================================
x Fixed all IPv6 addresses in fc80::/24 subnet being erronously treated
like link-local addresses (thanks Jojo999 for reporting)
x Fixed "Unsafe Reload" not working for sanitized POST requests from
untrusted to trusted sites (thanks Lucas Malor for reporting)
+ Better compatibility with Paypal button hosted on non-whitelisted sites
+ Added mozilla.net to the default whitelist for AMO compatibility

v 2.0.9.8rc1
==========================================================================
x [UI] Fixed toolbar button being added on the right of the window resizer
when Fx 4 is run for the first time with NoScript and the add-on bar is
visible
+ [UI] Hitting the "show UI" shortcut (ctrl+shift+S) a second time
dismisses NoScript's popup menu (thanks jso for RFE)
x [DNT] Restored header reordering after DNT header is added, in order to
match Firefox 4's header fingerprint