NoScript version history

372 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.5.7.1-signed 517.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.7
=========================================================================
x Fixed synchronous timeout emulation ordering bug in bookmarklet
execution on scriptless pages (thanks Infocatcher for reporting)
x [XSS] Fixed comment preprocessing optimization affecting free
JavaScript detection, thanks Masato Kinugawa for reporting
x [XSS] Fixed second order data: URLs sanitization issue, thanks Masato
Kinugawa for reporting
x Fixed meta refresh blocker notification bar broken on Gecko < 4 (thanks
nitou for reporting)
x Fixed iframe placeholder positioning issue (thanks al_9x for report)
x Fixed regression in placeholder positioning (thanks al_9x for report)
x [ClearClick] Fixed false positive on cross-site SVG document embeddings
(thanks Steffen for reporting)

Version 2.5.6.1-signed 516.9 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.6
=========================================================================
x [XSS] Fixed slow regular expression causing some base64 request
payloads to trigger false positives (thanks Mirko Tasler for reporting)
+ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
+ New icon for blocked embeddings on globally allowed pages (thanks
therube for RFE)

Version 2.5.5.1-signed 515.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.5
=========================================================================
+ More reliable Java applet origin identification
x Cross-browser work-around for
https://bugzilla.mozilla.org/show_bug.cgi?id=789773

Version 2.5.4.1-signed 515.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.4
=========================================================================
x Fixed HTTP checks not being skipped anymore for some chrome-generated
XMLHttpRequest requests because of a Gecko 15 change
x Work-around for cloned DOM nodes not retaining additional
chrome-attached information anymore, thus breaking placeholders in some
cases (thanks al_9x for reporting)
x Fixed placeholder post-enablement event channeling broken by Sandbox
changes
x Fixed placeholder sizes messed up by changes in Gecko 17
x Work-around for broken content policy call for Java plugin on Gecko 17
and above (thanks marty60 for reporting)

Version 2.5.3.1-signed 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.3
=========================================================================
x [XSS] Fixed false positives on URLs containing an ASP.NET cookieless
session identifier (thanks Trupti Chaudhari for reporting)
+ noscript.eraseFloatingElements about:config preference to switch the
mousedown + del key floating popup erasing feature off and on
x Limited the mousedown + del key floating popup erasing feature to pages
where scripts are forbidden and to absolute or fixed position elements
x Fixed JavaScript URL non-void expression evaluation in the URL bar
causing scripts to get globally allowed (thanks al_9x for reporting)
x [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for
reporting)

Version 2.5.2.1-signed 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.2
=========================================================================
x [ClearClick] Improved protection against clickjacking timing attacks
(thanks Nafeez Ahmed for reporting)
x Fine tuned floating div (in-page popup) removal by locking it to the
nearest positioned ancestor and swallowing the mouseup event if the
DEL key has been hit after last mousedown

Version 2.5.1.1-signed 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

+ Holding the left mouse button down on a page element and hitting the
DEL key will remove it (useful to forcibly kill in-page popups when
scripts are disabled)
x Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking
protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java
globals have been removed from the DOM
x [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for
reporting)
x Fixed Silverlight and Flash scripted initialization patches being
broken by recent JavaScript interpreter changes
x Work-around for hp-ww.com misconfiguration (JavaScript files served
with bogus content-type header)

Version 2.5.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.4.9.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.9
=========================================================================
+ Added ability to replace obsolete default whitelist entries
x Replaced browserid.org with persona.org in the default whitelist
x Improved anti-DOS protection
x Better usability with some HTML5 Youtube videos (thanks Mike Perry
for reporting)
x Reverted to the ctrl+shift+S main keyboard shortcut
x [XSS] Fixed XML preprocessing breaking detection of some E4X
constructs (thanks Pepe Vila for reporting)
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
Ashar Javed for reporting, original disclosure by Keith Makan)

Version 2.4.8.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.8
=========================================================================
x Work-around for Mozilla bug 771655 (broken debugger)
x Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is
taken by the debugger
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
handle generic XML documents

Version 2.4.7.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.7
=========================================================================
x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
report)
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)

Version 2.4.6.1-signed 512.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.6
=========================================================================
x [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
x [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
x [XSS] Fixed document.cookie minimal assignment false negative (thanks
Masato Kinugawa for report)
x [XSS] Fixed dotted query parameter names false positives, affecting
OpenID, Hotmail and other services (thanks Gavin H for report)
x Fixed some messages being dumped to the console even if logging is
turned off (thanks marbler for report)

Version 2.4.5.1-signed 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5
=========================================================================
+ [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
x [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
Dalili and Ahamed Nafeez for reporting)
x [XSS] Improved unconventional assignments detection (thanks Masato
Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.4.1-signed 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.4
=========================================================================
x [Locale] Updated he-IL (thanks baryoni)
x Fixed early synthetic DNS notification causing blank stripe on the
bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)

Version 2.4.3.1-signed 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.3
=========================================================================
x Fixed JS links detection not resolving JS string escapes (thanks vyznev
for reporting)
x Fixed HTML 5 parser detection in META refresh processing being broken
by a removed browser preference
x Fixed exception raised by inclusion type checks when parent document's
URI has no host
+ [XSS] Better detection of free inline script injections (without string
literal evasion) inside function calls
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Version 2.4.2.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.2rc7
=========================================================================
x [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
to the LAN anymore for the purpose of cross-zone request forgery checks
in order to safely work-around DNS misconfiguration issues in the wild
(thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
because of redirection loops
x [XSS] Protection against HPP attacks exploiting URL parsing quirks
specific to ASP Classic (thanks Soroush Dalili for reporting)
x Fixed first application updates check failing on Nightly (bug 754393)
x [XSS] Fixed false positive regression on some file hosting sites (thanks
Janne Maekelae for reporting)

Version 2.4.1.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.1
==========================================================================
+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
same-name query parameters (thanks Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
sequences (thanks Masato Kinugawa for reporting)
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
therube for reporting)
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
repository, often used as a CDN

Version 2.4.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4rc8
==========================================================================
x [XSS] Improved global exception injection detection
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
Dalili for reporting)
x [Locale] Fixed broken overlay on Basque localized browsers (for real
this time, thanks afa for reporting)

v 2.4rc7
==========================================================================
+ [XSS] Improved InjectionChecker detection of in-code multiple insertions
(thanks Krzysztof Kotowicz)
+ [XSS] InjectionChecker detection of single assignment evaluation through
global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
for reporting)

v 2.4rc6
==========================================================================
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)

v 2.4rc5
==========================================================================
x Improved temporary permissions management during bookmarklet execution

v 2.4rc4
==========================================================================
x Fixed 2.4rc3 regression in url bar JavaScript execution

v 2.4rc3
==========================================================================
x Fixed bookmarklet couldn't be executed on blacklisted sites in "Globally
Allow" mode (thanks tharpa for reporting)

v 2.4rc2
==========================================================================
x [ClearClick] Fixed cross-site clicks blocked on Firefox < 3.6 (thanks
Janet Whipple for reporting)

v 2.4rc1
==========================================================================
x [Surrogate] Fixed surrogates broken on Nightly

Version 2.3.9.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.9
==========================================================================
+ [ClearClick] More tolerant snapshot comparison algorithm (partially
backported from NSA) to reduce false positives (tweaked by the
noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
obscuration by windowed plugins checks
x Fixed compatibility regressions on Firefox 3.x
x Following links from the About dialog now closes it (thanks Guardian for
suggestions)
x Fixed NOSCRIPT META refreshes blocking not working when scripts are
globally allowed (thanks and Ken and Tom T. for reporting)
x [ClearClick] Fixed false positives caused by accelerated graphics with
some plugin content

Version 2.3.8.1-signed 510.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1, SeaMonkey 2.0 and later

v 2.3.8
==========================================================================
+ Smart integration with the new browser-native click to play: if a plugin
object is manually allowed from NoScript's UI, it gets also natively
activated (noscript.smartClickToPlay about:config preference)
+ Improved active content identity tracking, to avoid redundant blocking
steps across reloads
x Fixed redirections in legacy frames not being blocked (thanks "utente"
for reporting)
x [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site

Version 2.3.7.1-signed 509.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.7
==========================================================================
x [ClearClick] Work-around for "rapid fire" protection interfering with
some add-ons, such as 1Password (thanks Mike Tselikman for report) and
FloatNotes (thanks endofmiles and Tom T. for reports)
x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
Christopher A. M. Gerlach for reporting)
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
containing domain-names as parameter values (thanks gazer75 for report)

Version 2.3.6.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.6
==========================================================================
x Restored Nightly compatibility, broken by bug 719154
+ [ClearClick] improved compatibility with Disqus widgets (thanks El Cid
for reporting)
+ [AddressMatcher] Optimized trailing "*" in glob expressions
x Fixed origin URL detection flawed when certain wrapped URIs are loaded
(thanks Masato Kinugawa for reporting)
x [XSS] Fixed false positive with query string patterns mimicking array
access (thanks Aicke Schulz for reporting)

Version 2.3.5.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.5
==========================================================================
x Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing
Google Music Player to fail (thanks DG42 for original report, Alan Baxter
for providing a test account, all the forum staff and many users for
their help in reproducing)
x [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and
meta refreshes on the affected tab even if document changes (thanks
Tom T. and Patrick E. for reporting)
x [ClearClick] Better special-casing for same-site embedded objects
x [Surrogate] Global variables introduced by sandboxed surrogates are
attached as window properties after execution to fix recently surfaced
scope-related bugs
x [XSS] Better window.name protection (thanks Masato Kinugawa for report)
x [XSS] Improved detection of javascript: URL injections

Version 2.3.4.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.4
==========================================================================
x [ClearClick] Fixed subtle bug which may lead to infinite loops in some
cases (thanks GµårÐïåñ for reporting)

v 2.3.3
==========================================================================
+ Improved InjectionChecker logging
x Reduced false positive rate on HTML injection checks (thanks therube for
reporting)
x [ClearClick] Fixed clicking on some plugin content causing elements of
the parent page to become white (thanks Markus Wienand for report)
x [ClearClick] Fixed minor bugs triggered by ABP placeholders
+ [ClearClick] Protection against partial obscuration via Flash objects
with OS-native wmode values (thanks David Lin-Shung Huang for reporting)
x [XSS] Further sensitivity tweaks
x [XSS] Better compatibility with some 3rd party ads on Ebay
x [XSS] Fixed false positive on dotted name-value assignments chained with
semicolons (e.g. on some Yahoo-served ads)

Version 2.3.2.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.2
==========================================================================
x [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
x [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
Masato Kinugawa for reporting)
+ [XSS] Added event injection checks for scriptless pages too, in order to
prevent edge-case execution on permissions change
x [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato
Kinugawa for reporting)
x [XSS] Improved HTML detection accuracy
+ Better tagging of surrogate sandboxes for about:memory debugging
x Improved glinks surrogate

Version 2.3.1.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.1
==========================================================================
+ Surrogate to let news pages escape Digg's frame
+ [ClearClick] Improved compatibility with cross-frame overlapping shadows
x Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks
.mario for reporting)
+ adf.ly surrogate to automatically skip the interstitial page even if
scripts are disabled
x Improved Google search surrogates
+ New surrogate against Google's scriptless tracking of search results
navigation

Version 2.3.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3
==========================================================================
x Fixed about:newtab not considered as a local origin by ABE
+ Added blob:, about:memory and about:support to the automatic whitelist
x Added reflected script inclusion check exception for intensedebate.com
x Fixed CSS issues on Gecko 1.8

Version 2.2.9.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.9
==========================================================================
+ Right click on NoScript menu items copies the site to the clipboard, if
any under the pointer, or all the page-related script sources prepended
with a status mark: + for whitelisted, - for default, ! for untrusted (
thanks Tom T. for RFE)
+ Added browserid.org to the default whitelist
x Improved default whitelist update mechanism
x Fixed some Flash movies failing to load on Nightly (thanks Nova6K0 for
reporting)
x Fixed incompatibility between surrogates / content augmentations (e.g.
toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for
reporting
x NoScript won't attempt to load the release notes page if the site is
unreachable

v 2.2.9rc1
==========================================================================
x Fixed ABE failing to recognize some FE80:* IPv6 addresses as local ones
(thanks Mitchum Owen for report)

Version 2.2.8.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.8
==========================================================================
x [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested
documents

v 2.2.8rc1
==========================================================================
x [ClearClick] Protection against Koto's Cursorjacking technique disclosed
at http://blog.kotowicz.net/2012/01/cursorjacking-again.html

Version 2.2.7.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.7
==========================================================================
x [ClearClick] Protection against two steps interaction attack based on
HTML5 DnD (thanks .mario for reporting)