v 5.0.10
=============================================================
x Fixed some moz-webextension: subrequests blocked in content
blocking mode
- Removed whitelist and surrogate references to persona.org
x [Seamonkey] Fixed status bar visibility regression (thanks
Mc for reporting)
x [Nightly] Fixed various XSS filter UI breakages
x [Nightly] Patched deprecated usages of nsIURI.path
x [XSS] Fixed false positive on amazonaws.com (thanks Robby
Stokoe for reporting)
x [Surrogate] New ampush.io tracker surrogate (thanks barbaz)

v 5.0.9
=============================================================
x [WebExt] Make sure the embedded WebExtension cannot
interfere with the legacy side beside preference migration
x [Nightly] Fixed breakage from bug 1390106
x [Nightly] Work-around for HTMLEmbedElement removal
x [Nightly] Fixed first run UI visibility check
x [XSS] Work-around for Google notifications false positive
x [Nightly] Fixed startup breakage
x [Surrogates] Fixed noisy google-analytics replacement
x [Nightly] Fixed view-source: breakage

v 5.0.8.1
=============================================================
x [ABE] XHR matches both TYPE_XMLHTTPREQUEST and TYPE_FETCH
x [ABE] Updated INCLUSION types to match newest specific
types from nsIContentType constants. OTHER still matches
any type except "historically supported" ones (SCRIPT, CSS,
IMAGE, OBJ, OBJSUB, MEDIA, FONT, SUBDOC, XBL, PING, XHR,
DTD) for backward compatibility: please use
UNKNOWN to match just TYPE_OTHER (i.e. request whose type
is not specifically mapped yet by the nsIContentType API).
x [e10s] Fixed INCLUSION type marked as OTHER for any request
when Electrolysis is enabled (thanks barbaz for reporting)
x [XSS] Fixed excessive recursion causing GC-related hangs on
some ads-intensive websites (like der-postillion.de)

v 5.0.7.1
=============================================================
x [WebExt] Fixed incompatibility with Firefox 54
x [WebExt] Initiated preference migration via embedded
WebExtension
x [e10s] Fixed HTTP redirection issues with e10s enabled
(thanks PLD for reporting)
x [Surrogate] Updated googletag replacement (thanks barbaz)
x Fixed HTML5 Media documents blockage delay if no other
embedded content is forbidden (thanks Georg Koppen for
reporting)
x [XSS] Fixed bug causing false positives (thanks Georg
Koppen for reporting)

v 5.0.6
=============================================================
x [XSS] Fixed performance regression in handling of big JSON
payloads causing the browser to freeze on loading pages
with Facebook tracking subframes
x [Surrogates] Updated ga replacement (thanks barbaz)
x [L10n] Updated tr (thanks Volkan Gezer)
x [L10n] Updated de (thanks milupo)
x [XSS] Fixed regression in window.name sanitization
(thanks Gareth Heyes for reporting)
x [XSS] Work-around for Mavo-script operator translation side
effects (thanks Gareth Heyes for reporting)

v 5.0.5
=============================================================
x [XSS] Updated XSS filter with latest Gecko Atoms and ES
features (thanks Maxim Rupp for reporting)
+ [XSS] Added countermeasures against XSS vectors exploiting
Mavo-script template expressions (thanks Krzysztof Kotowicz
and Gareth Heyes for reporting)

v 5.0.4
=============================================================
+ [XSS] Added countermeasures against several vectors
exploiting client-side JavaScript templating frameworks
(thanks Krzysztof Kotowicz and Sebastian Lekies for their
research)
x [XSS] Fixed e10s-related regression in window.name
sanitization (thanks Krzysztof Kotowicz for reporting)
x Fixed "Allow local links" breaking file:/// URL loading in
Gecko 53 and above
x Fixed JSON viewer working only on JavaScript-enabled URLs

v 5.0.3
=============================================================
x Fixed global JavaScript enablement for HTTPS sites breaking
the UI (Tor ticket #21923)
+ noscript.webext.enabled preference to control embedded
WebExtension startup
x Fixed XHR regression (thanks Oleksandr Popov for reporting)
x Fixed compatibility issues with some WebExtensions (thanks
Oleksandr Popov for reporting)

v 5.0.2
=============================================================
x Fixed thumbnails broken even if noscript.bgThumbs.allowed
is true (thanks rick for reporting)
x [e10s] Restored absolutely positioned elements removal by
mousedown + DEL key (broken by e10s)
x Absolutely positioned elements removal by mousedown + DEL
key now working also on whitelisted pages (controlled by
noscript.eraseFloatingElements about:config preference,
thanks MegaWolf for RFE)
x Fixed blocked XHR requests in frames not reflected in the
menu UI (thanks aocab and barbaz for reporting)
x [Locale] Improved nl translation (thanks Kris)

v 5.0.1
=============================================================
x Fixed regression, some sites not being shown in UI
x Fixed recently blocked menu not working on e10s

v 5.0
=============================================================
+ Embedded WebExtension
x Dramatically Improved UI synchronization performance impact
on load-intensive web pages (thanks Rob Wu)
x [e10s] Fixed permissions out of sync when content processes
are more than one (thanks Ian Fennel for report)
x [Surrogates] Update google-analytics replacement (thanks
ng4never for reporting and barbaz for implementation)

v 2.9.5.2
=============================================================
x Fixed Stylish editor breakage (thanks JustAnotherGuy for
reporting
x Fixed media blocking delayed with Tor Browser's "Medium"
Security Sider preset
x Fixed frame blocking issues
x Fixed top-level media loads issues
x Fixed apparent delay in menu UI feedback (thanks mechadon
for reporting)
x Fixed some XSS filter over-sensitivity regressions
x Fixed "Allow local links" causing file:// URLs to fail
x [Locale] Updated nl (thanks Ton)

2.9.5.1
=============================================================
x Fixed some pages not loading on 1st attempt when e10s is
enabled (thanks Semtex for reporting)

2.9.5
=============================================================
+ Full e10s compatibility
x Fixed big whitelists being reset to default permissions on
e10s-enabled browsers (thanks sabret00the and Internet User
for reporting)
x Better fix for some embedding permissions issues (thanks
barbaz for reporting)
x MediaSource blocking support (Tor Project)
x Better handling of media types loaded as top-level
documents
x Declared (but untested) Palemoon support (thanks barbaz)
x [System Principal] included in the mandatory allowed list
x Fixed allow scripts globally requiring a restart (thanks
FFreestyleRR for reporting
x Fixed embeddings autoreload on e10s-disabled browsers
^ TODO: MediaSource blocking support
x Improved autoreload responsiveness and precision
x Fixed IFrame over-blocking bug (thanks G113 for report)
x Fixed sites involved in background requests being not
reported in the UI, even if intercepted and/or blocked (
thanks GH113 for reporting)
x Fixed typo in PasteHandler (thanks barbaz for reporting)
x Fixed embedding-related automatic reload issues (thanks
barbaz and tmeader for reporting)
x Fixed compatibility regression with Firefox 45
x [Surrogate] Fixed file:// replacements broken (thanks
barbaz for reporting)
^ TODO: MediaSource blocking support
x Fixed typo in XSS filter breaking JSON cross-site requests
x Fixed automatic reload issues (thanks GH113 for reporting)
x Fixed UI not always synchronized on startup (thanks GH113
for reporting)
x Fixed incompatibilities with older Firefox down to 45
(thanks barbaz for reporting)
x Fixed automatic reload impossible to be disabled (thanks
GH113 for reporting)
x Fixed UI initially not synced on new windows (thanks GH113
for reporting)
x Fixed bug in secure cookie enforcement upgrading all the
unsecure cookies on secure connections even if a secure
cookie for the domain existed, increasing chances of
incompatibilities (thanks PDL for reporting)
x Fixed escaping issues in the noscript.js preference file
(thanks PDL for reporting)

v 2.9.0.14
=============================================================
x Fixed live bookmarks in Firefox 48 or above

v 2.9.0.13
=============================================================
x Added missing "s" in noscript.mandatory/about:feeds

v 2.9.0.12
=============================================================
x Updated DNT implementation to match the most recent spec
about navigator.doNotTrack values (thanks Francois Merier)
x [XSS] Better compatibility with Unionbank's website (thanks
Brent for reporting)
x Fixed bug 1278735 (JavaScript disabled in private windows)
x Fixed JSON viewer not working
x about:feed in the mandatory whitelist to fix bug 1272139
x [XSS] Disable JavaScript on FTP-served pages when a
potential DOM XSS threat is detected (thanks Emanuel
Bronshtein @e3amn2l for reporting)
x Fixed DOS through script-triggered ClickToPlay confirmation
dialogs in a loop (thanks Emanuel Bronshtein @e3amn2l for
reporting)
x Fixed placeholder links might be potentially used as XSS
vectors if stars were properly aligned(thanks Emanuel
Bronshtein @e3amn2l for reporting)
x [Surrogate] Updated google-analytics.com replacement (
thanks noscriptsplox)
x [XSS] Fixed regression (thanks Masato Kinugawa for report)

v 2.9.0.11
=============================================================
x [XSS] Fixed infrastructure issue preventing one filter from
being automatically synchronized with Mozilla's source code
as designed (thanks .mario and Maxim Rupp for reporting)
x [XSS] Added filtering for a potential CSRF vector (thanks
Masato Kinugawa for reporting)

v 2.9.0.10
=============================================================
x Fixed placeholder activation in Gecko 45 and above

v 2.9.0.9
=============================================================
x [XSS] Compatibility exception for the Printfriendly add-on
x Removed msn.com from the default whitelist, since it seems
to be unable to support HTTPS consistently

v 2.9.0.7
=============================================================
x [HTTPS] Removed legacy redirection methods when redirectTo()
is available in HTTP channels, fixing YouTube embedding
problem
x Replaced newChannel() with newChannel2() on Gecko 48

v 2.9.0.6
=============================================================
x [HTTPS] Limit httpsDefWhitelist effect to document loads
x [XSS] Reduced eval aliasing checks false positives

v 2.9.0.5
=============================================================
x [XSS] Improved detection of computed property accessors
(thanks Emanuel Bronshtein @e3amn2l for report)
x [HTTPS] Fixed httpsDefWhitelist breaking OCSP (thanks al_9x
for reporting)
x [HTTPS] Fixed httpsDefWhitelist breaking yui.yahooapis.com
(thanks Rob Greenberg for reporting
x [XSS] Fixed OpenID-related false positive
x Restored Nightly compatibility broken by bug 1253016
x Fixed regression in HTTPS enforcing exceptions
x [Surrogate] Updated googletag replacement (thanks barbaz)
x [Surrogate] Updated ga replacement (thanks barbaz)
x [XSS] Improved replacement for dangerous keywords/built-in
properties (thanks Emanuel Bronshtein @e3amn2l for report)
x [HTTPS] noscript.httpsDefWhitelist option to automatically
upgrade to HTTPS sites found in the default whitelist
(enabled by default, thanks Mazin Amhed for reporting)

v 2.9.0.4
=============================================================
x Fixed InjectionChecker over-optimization bug (thanks Maxim
Rupp for reporting)
x [l10n] Updated ar (thanks Nassim Dhaher)

v 2.9.0.3rc2
=============================================================
x Fixed NoScript blocking WebExtensions by default
x Fixed XSS filter JSON sanitization bug (thanks Maxim Rupp
for reporting)

v 2.9.0.2
=============================================================
x Version bump to work around AMO's 404 when serving 2.9.0.1

v 2.9.0.1
=============================================================
x Replaced "for each ()" with "for (... of ...)"
x Removed array comprehension usage
- Removed compatibility with Gecko lt 13
x Fixed conflict w/ KeeFox + CTR (thanks amloessb for report)
https://forums.informaction.com/viewtopic.php?p=80581

v 2.9rc1
=============================================================
x [e10s] Fixed "Temporarily allow top-level sites by default"
broken by Electrolysis
x Fixed "key.revokeTemp" preference management bug (thanks
palme for patch)

v 2.7
=============================================================
- Removed informaction.com, flashgot.net and maone.net from
the default whitelist to reduce the potential attack
surface
- Removed vestigial noscript.forbidData preference
x Fixed shorthands not checked for ftp(s) sites (thanks
Leon Winter for patch)
x [Surrogate] Fixed googletag replacement (thanks barbaz)
x Fixed incompatibility with importScript() from workers
breaking new reCaptcha implementation (thanks Mr_KrzYch00
for reporting)

v 2.6.9.39
=============================================================
x Work-around for a XSS "false positive" caused by nwolb.com
passing Javascript code across subdomains in window.name
(thanks Sagiv Masvari for reporting)

v 2.6.9.38
=============================================================
x Fixed breakage due to const declarations behavior changes
in latest Firefox nightlies (thanks to all the people in
https://bugzilla.mozilla.org/show_bug.cgi?id=1212707)