AMO is getting a new look. Would you like to see it?

Visit the new site

Close

NoScript Security Suite Version History

388 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.9.0.5 536.7 KiB Works with Firefox 38.0 - 48.0, SeaMonkey 2.35 - 2.45

v 2.9.0.5
=============================================================
x [XSS] Improved detection of computed property accessors
(thanks Emanuel Bronshtein @e3amn2l for report)
x [HTTPS] Fixed httpsDefWhitelist breaking OCSP (thanks al_9x
for reporting)
x [HTTPS] Fixed httpsDefWhitelist breaking yui.yahooapis.com
(thanks Rob Greenberg for reporting
x [XSS] Fixed OpenID-related false positive
x Restored Nightly compatibility broken by bug 1253016
x Fixed regression in HTTPS enforcing exceptions
x [Surrogate] Updated googletag replacement (thanks barbaz)
x [Surrogate] Updated ga replacement (thanks barbaz)
x [XSS] Improved replacement for dangerous keywords/built-in
properties (thanks Emanuel Bronshtein @e3amn2l for report)
x [HTTPS] noscript.httpsDefWhitelist option to automatically
upgrade to HTTPS sites found in the default whitelist
(enabled by default, thanks Mazin Amhed for reporting)

Version 2.9.0.4 536.3 KiB Works with Firefox 13.0 - 48.0, SeaMonkey 2.10 - 2.45

v 2.9.0.4
=============================================================
x Fixed InjectionChecker over-optimization bug (thanks Maxim
Rupp for reporting)
x [l10n] Updated ar (thanks Nassim Dhaher)

Version 2.9.0.3 536.3 KiB Works with Firefox 13.0 - 47.0, SeaMonkey 2.10 - 2.43

v 2.9.0.3rc2
=============================================================
x Fixed NoScript blocking WebExtensions by default
x Fixed XSS filter JSON sanitization bug (thanks Maxim Rupp
for reporting)

Version 2.9.0.2 537.3 KiB Works with Firefox 13.0 - 46.0, SeaMonkey 2.10 - 2.42

v 2.9.0.2
=============================================================
x Version bump to work around AMO's 404 when serving 2.9.0.1

v 2.9.0.1
=============================================================
x Replaced "for each ()" with "for (... of ...)"
x Removed array comprehension usage
- Removed compatibility with Gecko lt 13
x Fixed conflict w/ KeeFox + CTR (thanks amloessb for report)
https://forums.informaction.com/viewtopic.php?p=80581

Version 2.9 537.5 KiB Works with Firefox 3.0.9 - 46.0, SeaMonkey 2.0 - 2.42

v 2.9rc1
=============================================================
x [e10s] Fixed "Temporarily allow top-level sites by default"
broken by Electrolysis
x Fixed "key.revokeTemp" preference management bug (thanks
palme for patch)

Version 2.7 537.3 KiB Works with Firefox 3.0.9 - 46.0, SeaMonkey 2.0 - 2.42

v 2.7
=============================================================
- Removed informaction.com, flashgot.net and maone.net from
the default whitelist to reduce the potential attack
surface
- Removed vestigial noscript.forbidData preference
x Fixed shorthands not checked for ftp(s) sites (thanks
Leon Winter for patch)
x [Surrogate] Fixed googletag replacement (thanks barbaz)
x Fixed incompatibility with importScript() from workers
breaking new reCaptcha implementation (thanks Mr_KrzYch00
for reporting)

Version 2.6.9.39 536.3 KiB Works with Firefox 3.0.9 - 45.0, SeaMonkey 2.0 - 2.41

v 2.6.9.39
=============================================================
x Work-around for a XSS "false positive" caused by nwolb.com
passing Javascript code across subdomains in window.name
(thanks Sagiv Masvari for reporting)

Version 2.6.9.38 729.2 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.38
=============================================================
x Fixed breakage due to const declarations behavior changes
in latest Firefox nightlies (thanks to all the people in
https://bugzilla.mozilla.org/show_bug.cgi?id=1212707)

Version 2.6.9.37 536.4 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.37
=============================================================
x Fixed bug: launching a bookmarklet on about:newTab caused
allow scripts globally for that tab (thanks James Strange
for reporting)
x [L10n] Updated French translation (thanks Syl)
x Fixed NOSCRIPT element hidden on Javascript-disabled pages
(moz bug 1208818)
x [Surrogate] enhanced gogletags.com replacement (thanks
therube)
x Fixed subtle bug in load context association causing an
origin mismatch in one corner case (thanks Gareth Heyes
for reporting)

Version 2.6.9.36 536.0 KiB Works with Firefox 3.0.9 - 44.0, SeaMonkey 2.0 - 2.39

v 2.6.9.36
=============================================================
x [L10n] Fixed typo in nb-NO (thanks Mikkel H.)
x [e10s] Fixed top-level site auto-whitelisting broken
x [e10s] Fixed MozBug 1196477 (crash with allowLocalLinks)
x Shorthands reliability improvements
x [ClearClick] fixed console spam due to missing XPCOM
interfaces for HTML elements
x In order to help Netflix users with the new video delivery
system, users who have netflix.com already in their
whitelist get https://*.nflxvideo.net whitelisted as
well on upgrade

Version 2.6.9.35 536.0 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.35
=============================================================
x [Surrogate] googletagservices.com replacement now supports
custom googletag objects (thanks barbaz)
x [Surrogate] fixed surrogates stopped working on older
Gecko versions (thanks barbaz)
x [XSS] Work-around for false positive on some Yahoo! URLs
x Corrected mistyped about:pocket-saved whitelist entry
x Fixed race condition in ABE options observer causing
l.getRowCount() console spam

Version 2.6.9.34 536.0 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.34
=============================================================
x [Surrogate] Fixed a bug preventing some replacements from
running
x [XSS] Fixed over-optimized JSON and dots erasure allowing
for a filter bypass in specific (and likely rare)
circumstances (thanks Gareth Heyes for reporting)

Version 2.6.9.33 536.0 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.33
=============================================================
x [XSS] Fixed bug in minimal inline JavaScript fragment
detection (thanks Frederik Braun for reporting)
x [L10n] Updated Russian (thanks fatboy).
x [Surrogate] fixed scope conflicts caused by the $S() object
replacement wrapper (e.g. with some EA games)

Version 2.6.9.32 536.0 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.32
=============================================================
+ Added domains required for Netflix playback to the default
whitelist
x Fixed inline script blocking broken by latest Nightlies
x Fixed NOSCRIPT elements not being shown in script-blocked
pages on Firefox betas
x [Surrogate] shimmed or replaced code causing deprecations
x [Surrogate] updated googletag replacement (thanks barbaz)
x [XSS] Fixed regression in minimal inline JavaScript
fragment detection (thanks Gareth Heyes for reporting)
x Fixed edge case causing JavaScript redirections detection
to fail on http://qklnk.co/ (thanks Jess Hampshire for RFE)

Version 2.6.9.31 535.4 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.31
=============================================================
x [XSS] Fixed attribute injection checks regression (thanks
Maxim Rupp and .mario of Cure53 for reporting)

Version 2.6.9.30 535.4 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.30
=============================================================
x Fixed noscript.allowWhitelistUpdates preference being
ignored
+ Filtering out whitelist additions not required by the
the specific current browser type and version
+ Added about:pocket-save and about:pocket-signup to the
default whitelist
x More restrictive and accurate INCLUSION type check (thanks
Meee for reporting)
x [XSS] Further invalid characters optimization refinement
(thanks Mathias Karlsson for reporting)
x [XSS] Fixed XML stripping optimization to prevent inline
injections (thanks Mathias Karlsson for reporting)
x Default whitelist maintenance: removed prototypejs.org,
cdnjs.cloudflare.com; restored maps.googleapis.com
x [XSS] Updated inline event handlers related code preventing
potential 2nd order injections on very badly coded websites
(thanks Mathias Karlsson for reporting)

Version 2.6.9.29 536.1 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.29
=============================================================
x [XSS] Improved specificity of invalid characters
optimization to remove a string literal breaking detection
bypass (thanks Mathias Karlsson for reporting)

Version 2.6.9.28 536.1 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.28
=============================================================
x Narrowed googleapis.com default whitelist entry to
ajax.googleapis.com
x [Surrogate] Updated gigya.com and 2mdn.net replacements
(thanks saaib)

Version 2.6.9.27 536.0 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.27
=============================================================
x Fixed media elements being blocked on first (uncached)
request (thanks RobertDrew for reporting)
+ noscript.middlemouse_temp_allow_main_site about:config
preference to control whether middle-clicking the toolbar
button should allow current top document's site (thanks
barbaz)
x [L10n] Updated Belarusian (thanks Dzmitry Drazdou)
+ Default whitelist retroactive removal ability
x Removed vjs.zendcdn.net from the default whitelist

Version 2.6.9.26 536.0 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.26
=============================================================
x Extended the redirectTo() safety net for to all the internal
redirections
x Work-around for redirectTo() breaking Flash plugin
subrequests
x Got ChannelReplacement backed by HTTPChannel.redirectTo()
whenever possible (should fix moz-bug 1153256 for good)
x Fixed double redirection in HTTPS enforcing

Version 2.6.9.25.1-signed 533.8 KiB Works with Firefox 3.0.9 - 41.0, SeaMonkey 2.0 - 2.37

v 2.6.9.25
=============================================================
x Fixed regression preventing HTTPS enforcing exceptions from
being honored

v 2.6.9.24
=============================================================
x Fix for intermittent crashes on older Gecko versions

Version 2.6.9.23.1-signed 533.8 KiB Works with Firefox 31.0 - 41.0, SeaMonkey 2.31 - 2.37

v 2.6.9.23
=============================================================
x Work-around for moz-bug 1167371
x Fixed fatal regression on Firefox 34 and below
x Improved backward compatibility
x Work-around for anonymized plugin subrequests being vetoed
by channel event sink
x Fixed backward compatibility PopupBoxObject shim
x [E10s] Fixed cascading permissions broken when checks are
performed cross-process
x [Surrogate] Removed deprecated "for each" constructs from
replacements
x [L10n] Updated ru-RU (thanks negodnik)
x Tentative fix for Bug 1153256 (thanks Dragana Damjanovic)
+ Added about:preferences to the mandatory whitelist
- Removed legacy STS support
+ [Surrogate] 2mdn.net inclusion replacement (thanks barbaz)
+ [E10s] Restored inline JavaScript blocking

Version 2.6.9.22.1-signed 534.2 KiB Works with Firefox 3.0.9 - 40.0, SeaMonkey 2.0 - 2.37

v 2.6.9.22
=============================================================
+ [Surrogate] Generalized OWASP antiClickjacking replacement
(thanks barbaz for RFE)
+ [Surrogate] Wordpress scriptless site auto-show replacement
+ bootstrapcdn.com in default whitelist

Version 2.6.9.21.1-signed 534.0 KiB Works with Firefox 3.0.9 - 40.0, SeaMonkey 2.0 - 2.37

v 2.6.9.21
=============================================================
+ Added "mediasource:" to the mandatory whitelist (Moz-Bug
1151638)
x [Surrogate] Updated googletagservices.com replacement
(thanks barbaz)
x Better compatibility with SDK-based add-ons using data:
URIs (thanks Mingyi Liu for report)

Version 2.6.9.20.1-signed 533.9 KiB Works with Firefox 3.0.9 - 40.0, SeaMonkey 2.0 - 2.37

v 2.6.9.20rc2
=============================================================
x Improved "Recently blocked sites..." recording
x Fixed inconsistencies in data: URIs handling (thanks barbaz
for reporting)

Version 2.6.9.19.1-signed 533.8 KiB Works with Firefox 3.0.9 - 40.0, SeaMonkey 2.0 - 2.37

v 2.6.9.19
=============================================================
+ [Surrogate] .gigya.com replacement provided by barbaz
+ [Surrogate] js.stripe.com replacement provided by barbaz
+ Improved usability of new Yahoo! video activation (thanks
Glenn for reporting)
+ Added googlevideo.com to the default whitelist because it's
now required to play Youtube movies (thanks barbaz for RFE)

Version 2.6.9.18.1-signed 533.5 KiB Works with Firefox 3.0.9 - 40.0, SeaMonkey 2.0 - 2.37

v 2.6.9.18
=============================================================
x Fixed restrictSubdocScripts/globalHTTPSWhitelist
interaction issue (thanks Tor Project for report)
x Fixed regression always disabling scripts whenever site's
host name is a IPv6 literal (thanks ipv6user for report)
x Fixed menu automatic disappearance on mouse exit broken by
Firefox 36 changes (thanks randavis, cumdacon and barbaz
for report)

Version 2.6.9.17.1-signed 533.3 KiB Works with Firefox 3.0.9 - 40.0, SeaMonkey 2.0 - 2.37

v 2.6.9.17
=============================================================
x Fixed cascadePermissions/globalHTTPSWhitelist interaction
issue with IFRAMEs (thanks Tor Project for report)
x Fixed cascadePermissions being enforced also if the top
document is implicitly allowed by the globalHTTPSWhitelist
policy, rather than explicitly whitelisted, causing HTTP
subdocument and scripts to be unintendendly allowed when
the top document is HTTPS (thanks Tor Project for report)
x [Surrogate] Update Google Analytics replacement (thanks
barbaz)

Version 2.6.9.16.1-signed 533.1 KiB Works with Firefox 3.0.9 - 39.0, SeaMonkey 2.0 - 2.36

v 2.6.9.16
=============================================================
+ [Surrogate] Updated Gravatar surrogate (thanks barbaz)
+ Additional HTML sanitization when pasting rich text into
content-editable elements (thanks .mario for RFE)
+ Introduced framework for E10s migration, starting with new
features and fixes
x Removed deprecated let () expressions from the code base

Version 2.6.9.15.1-signed 531.7 KiB Works with Firefox 3.0.9 - 39.0, SeaMonkey 2.0 - 2.36

v 2.6.9.15
=============================================================
+ Fixed regression in 2.6.9.12 causing data: URI documents
to be scripting-enabled (thanks GOF for tweet)