v 10.1.9.9
=============================================================
x Prevention of potential race condition in the new per-tab
configuration cookie-based hack
x Better cross-platfrom build script compatibility
x Per-tab configuration cookie-based hack, leaves window.name
alone
x Various build scripts fixes

v 10.1.9.8
=============================================================
x Fixed preset customization UI showing inherited DEFAULT
permissions if a protocol-level preset exists
x Simplified CSP HTTP header injection, avoiding report-to
until actually supported by browsers
x [L10n] Updated ru (thanks fatboy)
+ [Tor] Better UX for overriding protocol-level permissions
+ [Build] Option to force TLD updates
+ [L10n] Updated (es, ru) and new (el, he, ms, nb) locales
from OTF's Localization Lab Transifex project
+ [L10n] no_BO translation by comradekingu
+ FTP directory UI emulation on script-disabled domains
x Include ftp:// URLs in non-secure domain matching (thanks
Rassilon for RFE)

v 10.1.9.6
=============================================================
x [TB] Gracefully handle legacy external message recipients
x [XSS] Updated known HTML5 events
x Better IPV6 support
x UI support for protocol-only entries

v 10.1.9.5
=============================================================
x Fix for various content script timing related issues
(thanks therube for reporting)

v 10.1.9.4
=============================================================
x Prevent total breakages when policies accidentally map
to invalid match patterns
x Internal messaging dispatch better coping with multiple
option windows
x Avoid multiple CSP DOM insertions

v 10.1.9.3
=============================================================
x Fixed message handling regression breaking embedders and
causing potential internal message loops

v 10.1.9.2
=============================================================
x More efficient window.name-based tab-scoped permissions
persistence
x Fixed URL parsing bugs
x Fixed bug in requestKey generation
x [Build] Enhanced TLD data update subsystem
+ [UI] CUSTOM presets gets initialized with currently applied
preset, including temporary/permanent status
x Improved internal message dispatching, avoiding potential
race conditions
+ [L10n] Transifex integration
x Work-around for DOM-injected CSP not being honored when
appended to the root element, rather than HEAD
+ Transparent support for FQDNs
x Better file: protocol support
x Full-page placeholders for media/plugin documents

v 10.1.9.1
=============================================================
x Fixed NOSCRIPT emulation not running in contexts where
service workers are disabled, such as private windows
(thanks Peter Wu for patch)
x [Build] Fixed TLD regexp generation broken by CRLF
characters in input public suffix list

v 10.1.9
=============================================================
+ Completely revamped CSP backend, enforcing policies both in
webRequest and in the DOM
+ Reload-less service worker busting
- removed obsoleted failsafes, including forced reloads
x Better timing for popup UI feedback on permissions changes
x [Tor] Reordered startup sequence to better cooperate with
embedders like the Tor Browser
x Send out a "started" message after initialization to help
embedders (like the Tor browser) interact with NoScript
x [Build] Better support for versions bumps
x Updated TLDs
x [Build] Improved TLD auto-updater

v 10.1.8.23
=============================================================
x Hotfix for reload loops before CSP management refactoring

v 10.1.8.22
=============================================================
x Fixed reload loop on unrestricted tabs (thanks random for
reporting)

v 10.1.8.20
=============================================================
x Fixed Sites.domainImplies() misplaced optimization.
x build.sh support for quick stable release
x [L10n] Added Catalan (ca)

v 10.1.8.19
=============================================================
x Fixed onResponseHeader failing on session restore because
of onBeforeRequest not having being called.
x Fixed regression: framed documents' URLs not being reported
in the UI (thanks xaex for report)

v 10.1.8.18
=============================================================
x More resilient and optimized Sites.domainImplies()
x Update ChildPolicies when automatic temp TRUST for
top-level documents is enabled
x Fixed messages from content scripts being "eaten" by the
wrong dispatcher when UI is open (thanks skriptimaahinen)
x Fixed typo causing accidental permissions/status mismatches
being checked only while pages are still loading (thanks
skriptimaahinen)
x Fixed typo in XSS name sanitization script injection
(thanks skriptimaahinen)

v 10.1.8.17
=============================================================
x Fix: Sites.domainImplies() should match subdomains
x More coherent wrapper around the webex messaging API
x Fixed inconsistencies affecting ChildPolicies content
script auto-generated matching rules.
x Fixed potential issues with cross-process messages
x Simpler and more reliable safety net to ensure CSP headers
are injected last among WebExtensions
x Fixed regression causing refresh loops on pages which use
type="object" requests to load images, css and other types
x [L10n] ru and de translations
+ [XSS] Updated HTML events auto-generate matching code to
use both latest Mozilla source code and archived data since
Firefox ESR 52
+ New dynamic scripts management strategy based on the
browser.contentScripts API, should fix some elusive, likely
requestFilter-induced, bugs
x Fixed no-dot domains threated as empty TLDs (thanks
Peter Wu for patch)
- Removed requestFilter hack for dynamic scripts management
+ [L10n] br and tr translations (thanks Transifex/OTF,
https://www.transifex.com/otf/noscript/)
x Best effort to have webRequest.onHeaderReceived listener
run last (issue #6, thanks kkapsner)
x [L10n] Localized "NoScript Options" title (thanks Diklabyte)
x Fixed inline scripts not being reported to UI (thanks
skriptimaahinen for patch)
x Skip non-content windows when deferring startup page loads
(thanks Rob Wu for reporting)
x Broader detection of UTF-8 encoding in responses (thanks
Rob Wu for reporting)
x Improved support for debugging code removal in releases
x Fixed startup race condition with pending request tracking
x Fixed updating NoScript reloads tabs with revoked temporary
permissions.

v 10.1.8.16
=============================================================
x Fixed random stallings on page transitions (thanks sage11,
Brush and pbelleisle for reporting)

v 10.1.8.15
=============================================================
x Fixed browser action icon not bein updated on BF cache
navigation (thanks therube for reporting)

v 10.1.8.14
=============================================================
x Fixed regression in NOSCRIPT elements emulation.

v 10.1.8.12
=============================================================
x Fixed some video streams not playing anymore.

v 10.1.8.10rc1
=============================================================
x Fixed window.stop() being called on empty frames, causing
WYSIWYG editors to break (thanks Dave Allen for reporting)

v 10.1.8.9
=============================================================
x Fixed externally handled resources opened in popups broken
by dynamic script injection (thanks rpr and paulmcg for
reporting)
x More edge case covered in dynamic script injection (thanks
skriptimaahinen for reporting)
x Fixed some resource loading feedback glitches
x [XSS] Updated HTML event attributes matching
x Updated TLDs
x Fixed stalling embedded objects load on dynamic script
injection (thanks therube for reporting)
x [L10n] Updated it (thanks Sebastiano Pistore)
x Work-around for serviceWorker loads bypassing webRequest
(thanks therube for reporting)
x More flexible CSS layout for preset buttons (thanks fatboy)
x Improved edge case script disablement detection
x More reliable handling of edge cases on startup (thanks
therube for reporting)
x Fixed dynamic script injection failing sometimes with
"No matching message handler" error (thanks skriptimaahinen
for reporting)
x [Tor Browser, Linux] Replaced unicode glyphs not being
rendered on some browsers / platforms
x Prevent multiple canScript content messages during the same
page load
x [Tor/ESR60] Removed useless work-around suggested in moz bug
1410755, which caused Tor Browser content process crashes

v 10.1.8.8
=============================================================
x Prevent script injection from messing with
content-disposition=attachment responses.

v 10.1.8.7
=============================================================
x Fixed regression breaking meta refresh with relative URLs

v 10.1.8.5
=============================================================
x Completed fix for quoted URLs in meta refresh (thanks
Juozas for reporting)

v 10.1.8.4
=============================================================
x [L10n] Fixed es translation (thanks Deckan)
x Cosmetic bug fixes
x Updated TLDs

v 10.1.8.3
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x [ESR60] Fixed dynamic script injection issues with XML
feeds (thanks skriptimaahinen for report)
x [ESR60] Work-around for Moz Bug 1410755
x Autosize preset buttons to accomodater bigger localized
labels
x [L10n] Shortened de labels (thanks musonius)
x More graceful handling of internal and restricted URLs
(thanks skriptimaahinen for report)
+ [L10n] Added de, es, fr, it, nl, pt_BR and zh_CN locales
(courtesy of Mozilla's localization campaign)
x Switch to inline elements as "NOSCRIPT" HTML replacements
x Fixed subframe content changes producing ambiguous NoScript
icon feedback
x More meaningful/useful popup on (semi)privileged documents
x [Tor Browser] Work-around for crypto-based uiid function
failing on startup
x [Tor Browser] Backported new dynamic script injection to
ESR60
+ Included license files in the XPI
+ [XSS] In-depth protection against native ES6 modules abuse
x Fixed dynamic script injection issues (thanks
skriptimaahinen for help)
+ MSE media reporting and blocking (e.g. on Youtube)

v 10.1.8.2
=============================================================
+ Popup toolbar buttons fully configurable via Drag'n'Drop
x Removed redundant leading "NoScript" in window titles
x Work-around for Firefox 60 bug breaking about:blank pages
when a WebExtension declares a "document_start" CSS (thanks
skriptimaahinen for report and fix)
x Fixed buttons in the "hide area" still responsive to clicks

v 10.1.8.1
=============================================================
+ [UI] "Disable restrictions for this tab" button in popup
+ [UI] "Disable restrictions globally" button in popup
x Fixed some content blocking stats collection bugs (Thanks
Rob Wu and skriptimaahinen for reports)
x Fixed data: and blob: URIs could be loaded as object and
media sources independently from the parent page's
permissions (thanks skriptimaahinen for report)
x Several performance improvement in inter-process content
blocking stats synchronization (thanks Rob Wu for report)
x [UI] Improved in-popup messages
x [UI] Simplified URL management in "Allow object" prompt
x Fixed dynamic scripts URL matching inconsistencies

v 10.1.7.5
=============================================================
x Fixed edge case CSP injection bug (thanks Rob Wu)
x Optimized dynamic script injection (thanks Rob Wu)
x Fixed potential leak on dynamic script injection (thanks
Rob Wu for report)
x Now NoScript's UI on privileged pages explains permissions
cannot be configured there, rather than bluntly opening the
Options page (thanks Rob Wu for suggestion)

v 10.1.7.4
=============================================================
x Fixed script enablement status not correctly detected on
some pages rolling their own CSP (causing NOSCRIPT element
and META refresh emulation not to be triggered)
x Fixed "Appearance" NoScript Options tab missing on Android
x [XSS] Fixed semicolon-separated JSON payloads DDOSing the
JSON-optimizer, e.g. with syndication.twitter.com subframes
(thanks KonomiKitten and pal1000 for reports)
x [UI] Renamed "Scripts globally allowed (dangerous)" option
to "No permissions enforcement (dangerous)" to better
reflect its actual effect
x [UI] Better feedback about "No permission enforcement" by
disabling the "Preset customization" section and and the
"Per-site Permissions" tab
x [UI] Moved XSS-related options to the "Advanced" tab
x Fixed disabled webgl breaking feeds on script-enabled sites
(thanks pal1000 for reporting)
x Enhanced dynamic script injection if browser.contentScripts
API is available
x Expanded support for webgl canvas placeholders