NoScript Security Suite Version History

445 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 10.1.9.9 475.1 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.9
=============================================================
x Prevention of potential race condition in the new per-tab
configuration cookie-based hack
x Better cross-platfrom build script compatibility
x Per-tab configuration cookie-based hack, leaves window.name
alone
x Various build scripts fixes

Version 10.1.9.8 475.1 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.8
=============================================================
x Fixed preset customization UI showing inherited DEFAULT
permissions if a protocol-level preset exists
x Simplified CSP HTTP header injection, avoiding report-to
until actually supported by browsers
x [L10n] Updated ru (thanks fatboy)
+ [Tor] Better UX for overriding protocol-level permissions
+ [Build] Option to force TLD updates
+ [L10n] Updated (es, ru) and new (el, he, ms, nb) locales
from OTF's Localization Lab Transifex project
+ [L10n] no_BO translation by comradekingu
+ FTP directory UI emulation on script-disabled domains
x Include ftp:// URLs in non-secure domain matching (thanks
Rassilon for RFE)

Version 10.1.9.6 446.6 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.6
=============================================================
x [TB] Gracefully handle legacy external message recipients
x [XSS] Updated known HTML5 events
x Better IPV6 support
x UI support for protocol-only entries

Version 10.1.9.5 446.3 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.5
=============================================================
x Fix for various content script timing related issues
(thanks therube for reporting)

Version 10.1.9.4 446.4 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.4
=============================================================
x Prevent total breakages when policies accidentally map
to invalid match patterns
x Internal messaging dispatch better coping with multiple
option windows
x Avoid multiple CSP DOM insertions

Version 10.1.9.3 446.3 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.3
=============================================================
x Fixed message handling regression breaking embedders and
causing potential internal message loops

Version 10.1.9.2 446.1 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.2
=============================================================
x More efficient window.name-based tab-scoped permissions
persistence
x Fixed URL parsing bugs
x Fixed bug in requestKey generation
x [Build] Enhanced TLD data update subsystem
+ [UI] CUSTOM presets gets initialized with currently applied
preset, including temporary/permanent status
x Improved internal message dispatching, avoiding potential
race conditions
+ [L10n] Transifex integration
x Work-around for DOM-injected CSP not being honored when
appended to the root element, rather than HEAD
+ Transparent support for FQDNs
x Better file: protocol support
x Full-page placeholders for media/plugin documents

Version 10.1.9.1 443.7 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9.1
=============================================================
x Fixed NOSCRIPT emulation not running in contexts where
service workers are disabled, such as private windows
(thanks Peter Wu for patch)
x [Build] Fixed TLD regexp generation broken by CRLF
characters in input public suffix list

Version 10.1.9 443.7 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.9
=============================================================
+ Completely revamped CSP backend, enforcing policies both in
webRequest and in the DOM
+ Reload-less service worker busting
- removed obsoleted failsafes, including forced reloads
x Better timing for popup UI feedback on permissions changes
x [Tor] Reordered startup sequence to better cooperate with
embedders like the Tor Browser
x Send out a "started" message after initialization to help
embedders (like the Tor browser) interact with NoScript
x [Build] Better support for versions bumps
x Updated TLDs
x [Build] Improved TLD auto-updater

Version 10.1.8.23 440.2 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.23
=============================================================
x Hotfix for reload loops before CSP management refactoring

Version 10.1.8.22 440.3 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.22
=============================================================
x Fixed reload loop on unrestricted tabs (thanks random for
reporting)

Version 10.1.8.20 440.2 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.20
=============================================================
x Fixed Sites.domainImplies() misplaced optimization.
x build.sh support for quick stable release
x [L10n] Added Catalan (ca)

Version 10.1.8.19 434.7 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.19
=============================================================
x Fixed onResponseHeader failing on session restore because
of onBeforeRequest not having being called.
x Fixed regression: framed documents' URLs not being reported
in the UI (thanks xaex for report)

Version 10.1.8.18 434.7 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.18
=============================================================
x More resilient and optimized Sites.domainImplies()
x Update ChildPolicies when automatic temp TRUST for
top-level documents is enabled
x Fixed messages from content scripts being "eaten" by the
wrong dispatcher when UI is open (thanks skriptimaahinen)
x Fixed typo causing accidental permissions/status mismatches
being checked only while pages are still loading (thanks
skriptimaahinen)
x Fixed typo in XSS name sanitization script injection
(thanks skriptimaahinen)

Version 10.1.8.17 434.5 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.17
=============================================================
x Fix: Sites.domainImplies() should match subdomains
x More coherent wrapper around the webex messaging API
x Fixed inconsistencies affecting ChildPolicies content
script auto-generated matching rules.
x Fixed potential issues with cross-process messages
x Simpler and more reliable safety net to ensure CSP headers
are injected last among WebExtensions
x Fixed regression causing refresh loops on pages which use
type="object" requests to load images, css and other types
x [L10n] ru and de translations
+ [XSS] Updated HTML events auto-generate matching code to
use both latest Mozilla source code and archived data since
Firefox ESR 52
+ New dynamic scripts management strategy based on the
browser.contentScripts API, should fix some elusive, likely
requestFilter-induced, bugs
x Fixed no-dot domains threated as empty TLDs (thanks
Peter Wu for patch)
- Removed requestFilter hack for dynamic scripts management
+ [L10n] br and tr translations (thanks Transifex/OTF,
https://www.transifex.com/otf/noscript/)
x Best effort to have webRequest.onHeaderReceived listener
run last (issue #6, thanks kkapsner)
x [L10n] Localized "NoScript Options" title (thanks Diklabyte)
x Fixed inline scripts not being reported to UI (thanks
skriptimaahinen for patch)
x Skip non-content windows when deferring startup page loads
(thanks Rob Wu for reporting)
x Broader detection of UTF-8 encoding in responses (thanks
Rob Wu for reporting)
x Improved support for debugging code removal in releases
x Fixed startup race condition with pending request tracking
x Fixed updating NoScript reloads tabs with revoked temporary
permissions.

Version 10.1.8.16 413.8 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.16
=============================================================
x Fixed random stallings on page transitions (thanks sage11,
Brush and pbelleisle for reporting)

Version 10.1.8.15 413.8 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.15
=============================================================
x Fixed browser action icon not bein updated on BF cache
navigation (thanks therube for reporting)

Version 10.1.8.14 413.8 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.14
=============================================================
x Fixed regression in NOSCRIPT elements emulation.

Version 10.1.8.12 413.8 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.12
=============================================================
x Fixed some video streams not playing anymore.

Version 10.1.8.10 413.8 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.10rc1
=============================================================
x Fixed window.stop() being called on empty frames, causing
WYSIWYG editors to break (thanks Dave Allen for reporting)

Version 10.1.8.9 413.8 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.9
=============================================================
x Fixed externally handled resources opened in popups broken
by dynamic script injection (thanks rpr and paulmcg for
reporting)
x More edge case covered in dynamic script injection (thanks
skriptimaahinen for reporting)
x Fixed some resource loading feedback glitches
x [XSS] Updated HTML event attributes matching
x Updated TLDs
x Fixed stalling embedded objects load on dynamic script
injection (thanks therube for reporting)
x [L10n] Updated it (thanks Sebastiano Pistore)
x Work-around for serviceWorker loads bypassing webRequest
(thanks therube for reporting)
x More flexible CSS layout for preset buttons (thanks fatboy)
x Improved edge case script disablement detection
x More reliable handling of edge cases on startup (thanks
therube for reporting)
x Fixed dynamic script injection failing sometimes with
"No matching message handler" error (thanks skriptimaahinen
for reporting)
x [Tor Browser, Linux] Replaced unicode glyphs not being
rendered on some browsers / platforms
x Prevent multiple canScript content messages during the same
page load
x [Tor/ESR60] Removed useless work-around suggested in moz bug
1410755, which caused Tor Browser content process crashes

Version 10.1.8.8 411.6 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.8
=============================================================
x Prevent script injection from messing with
content-disposition=attachment responses.

Version 10.1.8.7 411.6 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.7
=============================================================
x Fixed regression breaking meta refresh with relative URLs

Version 10.1.8.5 411.6 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.5
=============================================================
x Completed fix for quoted URLs in meta refresh (thanks
Juozas for reporting)

Version 10.1.8.4 411.6 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.4
=============================================================
x [L10n] Fixed es translation (thanks Deckan)
x Cosmetic bug fixes
x Updated TLDs

Version 10.1.8.3 411.6 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.3
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x [ESR60] Fixed dynamic script injection issues with XML
feeds (thanks skriptimaahinen for report)
x [ESR60] Work-around for Moz Bug 1410755
x Autosize preset buttons to accomodater bigger localized
labels
x [L10n] Shortened de labels (thanks musonius)
x More graceful handling of internal and restricted URLs
(thanks skriptimaahinen for report)
+ [L10n] Added de, es, fr, it, nl, pt_BR and zh_CN locales
(courtesy of Mozilla's localization campaign)
x Switch to inline elements as "NOSCRIPT" HTML replacements
x Fixed subframe content changes producing ambiguous NoScript
icon feedback
x More meaningful/useful popup on (semi)privileged documents
x [Tor Browser] Work-around for crypto-based uiid function
failing on startup
x [Tor Browser] Backported new dynamic script injection to
ESR60
+ Included license files in the XPI
+ [XSS] In-depth protection against native ES6 modules abuse
x Fixed dynamic script injection issues (thanks
skriptimaahinen for help)
+ MSE media reporting and blocking (e.g. on Youtube)

Version 10.1.8.2 364.5 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.2
=============================================================
+ Popup toolbar buttons fully configurable via Drag'n'Drop
x Removed redundant leading "NoScript" in window titles
x Work-around for Firefox 60 bug breaking about:blank pages
when a WebExtension declares a "document_start" CSS (thanks
skriptimaahinen for report and fix)
x Fixed buttons in the "hide area" still responsive to clicks

Version 10.1.8.1 362.9 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.8.1
=============================================================
+ [UI] "Disable restrictions for this tab" button in popup
+ [UI] "Disable restrictions globally" button in popup
x Fixed some content blocking stats collection bugs (Thanks
Rob Wu and skriptimaahinen for reports)
x Fixed data: and blob: URIs could be loaded as object and
media sources independently from the parent page's
permissions (thanks skriptimaahinen for report)
x Several performance improvement in inter-process content
blocking stats synchronization (thanks Rob Wu for report)
x [UI] Improved in-popup messages
x [UI] Simplified URL management in "Allow object" prompt
x Fixed dynamic scripts URL matching inconsistencies

Version 10.1.7.5 366.5 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.7.5
=============================================================
x Fixed edge case CSP injection bug (thanks Rob Wu)
x Optimized dynamic script injection (thanks Rob Wu)
x Fixed potential leak on dynamic script injection (thanks
Rob Wu for report)
x Now NoScript's UI on privileged pages explains permissions
cannot be configured there, rather than bluntly opening the
Options page (thanks Rob Wu for suggestion)

Version 10.1.7.4 366.4 KiB Works with Firefox for Android 59.0 and later, Firefox 59.0 and later

v 10.1.7.4
=============================================================
x Fixed script enablement status not correctly detected on
some pages rolling their own CSP (causing NOSCRIPT element
and META refresh emulation not to be triggered)
x Fixed "Appearance" NoScript Options tab missing on Android
x [XSS] Fixed semicolon-separated JSON payloads DDOSing the
JSON-optimizer, e.g. with syndication.twitter.com subframes
(thanks KonomiKitten and pal1000 for reports)
x [UI] Renamed "Scripts globally allowed (dangerous)" option
to "No permissions enforcement (dangerous)" to better
reflect its actual effect
x [UI] Better feedback about "No permission enforcement" by
disabling the "Preset customization" section and and the
"Per-site Permissions" tab
x [UI] Moved XSS-related options to the "Advanced" tab
x Fixed disabled webgl breaking feeds on script-enabled sites
(thanks pal1000 for reporting)
x Enhanced dynamic script injection if browser.contentScripts
API is available
x Expanded support for webgl canvas placeholders