v 13.0.8

x Reduce annoyances and false positives from sidebar content
detection (issue #444)
x Fix automatic top level trust conflict with existing
contextual policies (issue #441)

v 13.0.6

x Use frameAncestors whenever possible for top URL
retrieving

v 12.6

x Make contextual policies override restriction cascading
(tor-browser#43397)
x [Chromium] Fix 12.5.9xx prompt closure regression
x [Chromium] Full x-load checks Chromium support
x Better offscreen placeholders for x-load
x [l10n] [Chromium] Make x-load capability localization
Chromium-compatible
x [L10n] Updated de, fr, he, ru, tr zh_CN
x [UX] Honor non-contextual x-load capability granted from
NoScript Options (thanks barbaz for RFE)
x Prevent data: URIs from messing with srcset parsing
(thanks fatboy for reporting)
x Regard as "mutually safe" for x-load directories sharing a
common ancestor
x [UX] Make x-load capability visible for CUSTOM file:
entries in NoScript Options (thanks barbaz for RFE)
x [UX] Fixed prompt window leaks (tor-browser#43281)
x [UX] Make object unblocking temporary and contextual by
default, with choices in the prompt
x [nscl] Option to clone Permissions without context
x Always honor the "Collapse blocked objects" option
x Refactor top-level auto-trust and make it contextual
(issue #417)
x [nscl] Remove noisy debug statement
x [UX] UI support for extra floating capabilities (x-load)
x Integrate event handlers suppression with blocking if
needed (thanks Adithya Suresh Kumar for reporting)
x [nscl] Refactor xray proxification
x Fix incorrect assumptions about some DOM element
properties reflecting URLs (thanks Adithya Suresh Kumar
for reporting)
x [nscl] Fix race condition between multiple extensions
using MV3/DNR SyncMessage (JShelter#146, thanks polcak for
reporting)
x Suppress some event handlers (tor-browser#43491, thanks
Adithya Suresh Kumar for reporting)
x [build] Publish XPIs only after their signed
x [build] Improved version bump commit logic

v 12.1.1
============================================================
x Fix automatic reloading broken if the background script /
service worker is not already initialized on UI load
x Re-enable signing logging

v 12.1
============================================================
x [nscl] Improved work-around for Youtube placeholder
displacement (tor-browser#43296)
x [L10n] Updated pl
x Avoid synchronous policy fetching if document is already
complete (e.g. on extension updates)
x Remove more MV3-only entries from MV2 manifest
x Remove pre-release version check on signing
x More informative debug logging
x Fixed misplaced update_url in development builds (thanks
DJ-Leith for reporting)
x Switch Firefox development build version format to *.9xx
(like Chromium)
x Cross-browser and cross-manifest compatibility down to
Gecko 115
x Improved cross-browser and cross-manifest development and
build ergonomics
x Fixed RequestGuard on Firefox still using CSP.blocks() as
an instance method
x Improved cross-browser and cross-manifest support
x Do not reload affected tabs before saving XSS user
choices, if any
x [nscl] Several performance and reliability enhancements
from NSCL
x [nscl] Updated to latest NoScript Commons Library
x Fixed offscreen placeholder container preventing user
interaction on the left of placeholders
(tor-browser#43282)
x Fix localization-related console spam when opening options
panel (tor-browser#43269)
x Fixed offscreen placeholder container preventing user
interaction on the left of placeholders
(tor-browser#43282)
x Fix localization-related console spam when opening options
panel (tor-browser#43269)

v 11.5.2
============================================================
x [tor-browser#43257] More efficient, flexible and
race-resistant placeholder styling

v 11.5.0
============================================================
x [tor-browser#32668] Use the Security Level as the default
policy for Options Reset on Tor Browser
x [tor] Stateless-compatible Tor Browser integration
x [L10n] Updated pt_BR
x Stateless-compatible temporary permissions
x Switch from deferWebTraffic to Wakening
x Stateless-compatibile TabGuard
x Switch to non-persistent background page
x [xss] Refactor for non-persistence
x Removed Fennec-specific code
x Bump min Gecko compatibility to 115.0 (stateless
background script support)

v 11.4.42
============================================================
x [nscl] Further SyncMessage simplification
x Mitigate race conditions on startup

v 11.4.41
============================================================
x [nscl] Fixed Chromium worker patching regression caused by
failSafe scope
x [nscl] Force service workers to be patched bypassing cache
x [nscl] More robust SyncMessage implementation
x [nscl] Enhanced remote worker patching
x [nscl] Remove missing source map warning for
browser-polyfill.js
x [nscl] Better console handling in execution context
patches
x Reduce console spam on non-debugging instances
x [nscl] Avoid patched workers breakage if console API is
disabled (thanks ayi for reporting)

11.4.40
============================================================
x [nscl] Fix patched workers failures caused by Firefox
webRequest filters disconnect() breaking on large files
(thanks barbaz for reporting)

v 11.4.39
============================================================
x [nscl] Improved WebGL-hooking and worker patching
stability
x [L10n] Lower to 90% the threshold for including a new
translation
x [L10n] Updated he, pt_PT
x [nscl] Prevent patchWindow from throwing on SOP violations
x [nscl] Correctly propagate extra arguments to shadowed
worker constructors

v 11.4.37
============================================================
x [nscl] Do not patch windows with WebGLHook if webgl is
globally disabled
x [nscl] Do not patch workers if webgl is globally disabled
x [L10n] Updated uk
x [nscl] Workers-aware WebGL Hook

v 11.4.35
============================================================
x Improved lazy_load capability (optimization and
notification)
x [nscl] Slight optimization of NOSCRIPT element emulation
loop
x Automatically add extra capabilities to policyTypesMap
x Gracefully handle new capabilities still unknown to the
settings host (e.g. Tor/Mullvad browser), if any
x Configurable "lazy_load" capability (see
https://github.com/whatwg/html/issues/5250)
x Prefetch all CSS subresources (1st party included) in
private contexts where both unchecked_css and scripting
capabilities are disabled
x Forcibly neutralize lazy loading attributes when scripting
is disabled
x [nscl] Restored SyncMessage compatibility with Firefox 78
and below
x Lock nscl version on stable releases
x [L10n] Updated de, fr, tr, ru, uk, zh_CN

v 11.4.34
============================================================
x [nscl] Work around for
https://bugzilla.mozilla.org/show_bug.cgi?id=1899786
(issue #372)
x [L10n] Updated de, ru, tr
x Synchronize nscl git commits as needed before tagging new
versions

v 11.4.31
============================================================
x [L10n] Updated fr, is, ru, zh_CN
x Improved release tooling
x [nscl] Updated to latest NoScript Commons Library
x NoScript Options/Appearance/Show synthetic placeholders
for invisible capability probes (issue #369)
x [nscl] Make placeholders easier to style per type
x Prevent duplicate synthetic placeholders for invisible
capability probes (issue #369)

v 11.4.30
============================================================
x [nscl] Best effort WebGL placeholders for offscreen
capability detection
x Improved blocked but required capability reporting from
subframes (issue #367)
x [nscl] Include SVG among embedding document types (fixes
issue #366)
x Removed obsolete "applications" manifest.json key

v 11.4.29
============================================================
x [nscl] Updated TLDs
x [nscl] Improved reliability of TLD updater
x Removed theme.js console noise
x Fix beta channel updates breakage due to
browser_specific_settings override
x [nscl] Several content-side performance improvements
x Reduce synchronous policy retrieval impact on file: and
ftp: document loading performance
x More commands for which a keyboard shortcut can be
configured
x [L10n] Updated de, fi, mk, nl, pl, ru, sq, tr, uk,
pt_BR, zh_CN, zh_TW
x Explicit Android compatibility declaration

v 11.4.28
============================================================
x Prevent URL leaks from media placeholders (thanks NDevTK
for report)
x [nscl] Support for in-tree TLDs updates

v 11.4.27
============================================================
x [XSS] Better specificity of HTML elements preliminary
checks
x [XSS] Better specificity of potential fragmented injection
through framework syntax detection (thanks Rom623, barbaz
et al)
x [nscl] RegExp.combo(): RegExp creation by combination for
better readability and comments
x [nscl] Replaced lib/sha256.js with web platform native
implementation (thanks Martin for suggested patch)
x [nscl] Fixed property/function mismatch (thanks Alex)
x Fixed operators precedence issue #312 (thanks Alex)
x [nscl] Prevent dead object access on BF cache (thanks
jamhubub and mriehm)

v 11.4.26
============================================================
x [Android] Fixed regression preventing NoScript prompts
from being shown
x [XSS] Fallback to execute most demanding regular
expressions asynchronously
x [XSS] Removed obsolete Flash-related checks
x [XSS] Make InjectionChecker's regular expressions easier
to debug
x [XSS] Updated OpenID regexp

v 11.4.25
============================================================
x Reload extension on fatal failures
x [Android] Fixed UI styling regression
x Fixed UI inconsistencies when finer-grained contextual
policies are created/imported by other means (thanks
barbaz for reporting)

v 11.4.24
============================================================
x [XSS] Fix Base64 hash checks interfering with query string
checks (thanks barbaz for reporting)
x [TabGuard] Stop exempting domains bidirectionally by
default
x [TabGuard] Fix destination domain being reported as the
trigger of a warning prompt when all the other tab-tied
domains have been exempted (thanks barbaz for report)

v 11.4.22
============================================================
x [L10n] Updated uk
x Consistently apply DEFAULT policy to top-level data: URLs

v 11.4.21
============================================================
x Fixed mislabeled Tor Browser settings override option
x [L10n] Updated mk

v 11.4.20
============================================================
x Generalized prompt safety hooks
x Better blob: URL support
x [nscl] Improved cross-window patch cascading
x [nscl] Avoid unneeded side effects when checking for
zombie patched objects
x [nscl] Prompt safety hooks
x [L10n] Updated fr, fi
x Fix font family typo (!283, thanks alex-kinokon)

v 11.4.18
============================================================
x [Firefox on Linux] Fixed detached window UI gets closed
when its decoration is clicked (thanks richard for
reporting)

v 11.4.17
============================================================
x [nscl] Settings persistence made more reliable and
resilient against sync storage unavailability
x [Windows] Changed the tab enforcement toggling shortcut to
"Alt+Shift+Comma" (still "Alt+Shift+Space" on desktop OSes
other than Windows) - issue #281
x Updated copyright year
x Removed unused files from the source tree
x Fixed "Firefox" being shown instead of "Tor Browser" in
the Security Level override option label
x [L10n] Updated pl, tr

v 11.4.16
============================================================
x [L10n] Updated de, nl, pl, ru, sq, zh_CN
x Always open the windowed standalone UI when invoked from
the Alt+Shift+N shortcut
x Alt+Shift+Space shortcut to toggle restrictions
enforcement for current tab (issue #129, thanks PF4Public
for RFE)

v 11.4.15
============================================================
x Use the actual browser's brand name for Tor Browser
derivatives
x Always open the windowed standalone UI when invoked from
the contextual menu (thanks ZeroUnderscoreOu for
reporting)