NoScript Security Suite Version History

373 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.5.8.1-signed 517.3 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.8
=========================================================================
x Work-around for unique origins being assigned to URL bar loads by Gecko
16 and above interfering with some ABE rules
x Work-around for bug 797684 patch causing ABE's Sandbox action to fail
x Work-around for regression from Mozilla bug 797684 fix causing frames
not to be blocked correctly in recent >= 18 builds
x Slightly revised About box to make more room for contributors

Version 2.5.7.1-signed 517.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.7
=========================================================================
x Fixed synchronous timeout emulation ordering bug in bookmarklet
execution on scriptless pages (thanks Infocatcher for reporting)
x [XSS] Fixed comment preprocessing optimization affecting free
JavaScript detection, thanks Masato Kinugawa for reporting
x [XSS] Fixed second order data: URLs sanitization issue, thanks Masato
Kinugawa for reporting
x Fixed meta refresh blocker notification bar broken on Gecko < 4 (thanks
nitou for reporting)
x Fixed iframe placeholder positioning issue (thanks al_9x for report)
x Fixed regression in placeholder positioning (thanks al_9x for report)
x [ClearClick] Fixed false positive on cross-site SVG document embeddings
(thanks Steffen for reporting)

Version 2.5.6.1-signed 516.9 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.6
=========================================================================
x [XSS] Fixed slow regular expression causing some base64 request
payloads to trigger false positives (thanks Mirko Tasler for reporting)
+ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
+ New icon for blocked embeddings on globally allowed pages (thanks
therube for RFE)

Version 2.5.5.1-signed 515.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.5
=========================================================================
+ More reliable Java applet origin identification
x Cross-browser work-around for
https://bugzilla.mozilla.org/show_bug.cgi?id=789773

Version 2.5.4.1-signed 515.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.4
=========================================================================
x Fixed HTTP checks not being skipped anymore for some chrome-generated
XMLHttpRequest requests because of a Gecko 15 change
x Work-around for cloned DOM nodes not retaining additional
chrome-attached information anymore, thus breaking placeholders in some
cases (thanks al_9x for reporting)
x Fixed placeholder post-enablement event channeling broken by Sandbox
changes
x Fixed placeholder sizes messed up by changes in Gecko 17
x Work-around for broken content policy call for Java plugin on Gecko 17
and above (thanks marty60 for reporting)

Version 2.5.3.1-signed 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.3
=========================================================================
x [XSS] Fixed false positives on URLs containing an ASP.NET cookieless
session identifier (thanks Trupti Chaudhari for reporting)
+ noscript.eraseFloatingElements about:config preference to switch the
mousedown + del key floating popup erasing feature off and on
x Limited the mousedown + del key floating popup erasing feature to pages
where scripts are forbidden and to absolute or fixed position elements
x Fixed JavaScript URL non-void expression evaluation in the URL bar
causing scripts to get globally allowed (thanks al_9x for reporting)
x [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for
reporting)

Version 2.5.2.1-signed 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.2
=========================================================================
x [ClearClick] Improved protection against clickjacking timing attacks
(thanks Nafeez Ahmed for reporting)
x Fine tuned floating div (in-page popup) removal by locking it to the
nearest positioned ancestor and swallowing the mouseup event if the
DEL key has been hit after last mousedown

Version 2.5.1.1-signed 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

+ Holding the left mouse button down on a page element and hitting the
DEL key will remove it (useful to forcibly kill in-page popups when
scripts are disabled)
x Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking
protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java
globals have been removed from the DOM
x [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for
reporting)
x Fixed Silverlight and Flash scripted initialization patches being
broken by recent JavaScript interpreter changes
x Work-around for hp-ww.com misconfiguration (JavaScript files served
with bogus content-type header)

Version 2.5.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.4.9.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.9
=========================================================================
+ Added ability to replace obsolete default whitelist entries
x Replaced browserid.org with persona.org in the default whitelist
x Improved anti-DOS protection
x Better usability with some HTML5 Youtube videos (thanks Mike Perry
for reporting)
x Reverted to the ctrl+shift+S main keyboard shortcut
x [XSS] Fixed XML preprocessing breaking detection of some E4X
constructs (thanks Pepe Vila for reporting)
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
Ashar Javed for reporting, original disclosure by Keith Makan)

Version 2.4.8.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.8
=========================================================================
x Work-around for Mozilla bug 771655 (broken debugger)
x Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is
taken by the debugger
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
handle generic XML documents

Version 2.4.7.1-signed 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.7
=========================================================================
x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
report)
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)

Version 2.4.6.1-signed 512.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.6
=========================================================================
x [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
x [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
x [XSS] Fixed document.cookie minimal assignment false negative (thanks
Masato Kinugawa for report)
x [XSS] Fixed dotted query parameter names false positives, affecting
OpenID, Hotmail and other services (thanks Gavin H for report)
x Fixed some messages being dumped to the console even if logging is
turned off (thanks marbler for report)

Version 2.4.5.1-signed 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5
=========================================================================
+ [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
x [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
Dalili and Ahamed Nafeez for reporting)
x [XSS] Improved unconventional assignments detection (thanks Masato
Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.4.1-signed 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.4
=========================================================================
x [Locale] Updated he-IL (thanks baryoni)
x Fixed early synthetic DNS notification causing blank stripe on the
bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)

Version 2.4.3.1-signed 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.3
=========================================================================
x Fixed JS links detection not resolving JS string escapes (thanks vyznev
for reporting)
x Fixed HTML 5 parser detection in META refresh processing being broken
by a removed browser preference
x Fixed exception raised by inclusion type checks when parent document's
URI has no host
+ [XSS] Better detection of free inline script injections (without string
literal evasion) inside function calls
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Version 2.4.2.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.2rc7
=========================================================================
x [ABE] IPv6 link-local addresses (fe80::/10) are not considered belonging
to the LAN anymore for the purpose of cross-zone request forgery checks
in order to safely work-around DNS misconfiguration issues in the wild
(thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
because of redirection loops
x [XSS] Protection against HPP attacks exploiting URL parsing quirks
specific to ASP Classic (thanks Soroush Dalili for reporting)
x Fixed first application updates check failing on Nightly (bug 754393)
x [XSS] Fixed false positive regression on some file hosting sites (thanks
Janne Maekelae for reporting)

Version 2.4.1.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.1
==========================================================================
+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
same-name query parameters (thanks Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
sequences (thanks Masato Kinugawa for reporting)
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
therube for reporting)
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
repository, often used as a CDN

Version 2.4.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4rc8
==========================================================================
x [XSS] Improved global exception injection detection
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
Dalili for reporting)
x [Locale] Fixed broken overlay on Basque localized browsers (for real
this time, thanks afa for reporting)

v 2.4rc7
==========================================================================
+ [XSS] Improved InjectionChecker detection of in-code multiple insertions
(thanks Krzysztof Kotowicz)
+ [XSS] InjectionChecker detection of single assignment evaluation through
global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
for reporting)

v 2.4rc6
==========================================================================
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)

v 2.4rc5
==========================================================================
x Improved temporary permissions management during bookmarklet execution

v 2.4rc4
==========================================================================
x Fixed 2.4rc3 regression in url bar JavaScript execution

v 2.4rc3
==========================================================================
x Fixed bookmarklet couldn't be executed on blacklisted sites in "Globally
Allow" mode (thanks tharpa for reporting)

v 2.4rc2
==========================================================================
x [ClearClick] Fixed cross-site clicks blocked on Firefox < 3.6 (thanks
Janet Whipple for reporting)

v 2.4rc1
==========================================================================
x [Surrogate] Fixed surrogates broken on Nightly

Version 2.3.9.1-signed 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.9
==========================================================================
+ [ClearClick] More tolerant snapshot comparison algorithm (partially
backported from NSA) to reduce false positives (tweaked by the
noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
obscuration by windowed plugins checks
x Fixed compatibility regressions on Firefox 3.x
x Following links from the About dialog now closes it (thanks Guardian for
suggestions)
x Fixed NOSCRIPT META refreshes blocking not working when scripts are
globally allowed (thanks and Ken and Tom T. for reporting)
x [ClearClick] Fixed false positives caused by accelerated graphics with
some plugin content

Version 2.3.8.1-signed 510.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1, SeaMonkey 2.0 and later

v 2.3.8
==========================================================================
+ Smart integration with the new browser-native click to play: if a plugin
object is manually allowed from NoScript's UI, it gets also natively
activated (noscript.smartClickToPlay about:config preference)
+ Improved active content identity tracking, to avoid redundant blocking
steps across reloads
x Fixed redirections in legacy frames not being blocked (thanks "utente"
for reporting)
x [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site

Version 2.3.7.1-signed 509.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.7
==========================================================================
x [ClearClick] Work-around for "rapid fire" protection interfering with
some add-ons, such as 1Password (thanks Mike Tselikman for report) and
FloatNotes (thanks endofmiles and Tom T. for reports)
x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
Christopher A. M. Gerlach for reporting)
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
containing domain-names as parameter values (thanks gazer75 for report)

Version 2.3.6.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.6
==========================================================================
x Restored Nightly compatibility, broken by bug 719154
+ [ClearClick] improved compatibility with Disqus widgets (thanks El Cid
for reporting)
+ [AddressMatcher] Optimized trailing "*" in glob expressions
x Fixed origin URL detection flawed when certain wrapped URIs are loaded
(thanks Masato Kinugawa for reporting)
x [XSS] Fixed false positive with query string patterns mimicking array
access (thanks Aicke Schulz for reporting)

Version 2.3.5.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.5
==========================================================================
x Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing
Google Music Player to fail (thanks DG42 for original report, Alan Baxter
for providing a test account, all the forum staff and many users for
their help in reproducing)
x [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and
meta refreshes on the affected tab even if document changes (thanks
Tom T. and Patrick E. for reporting)
x [ClearClick] Better special-casing for same-site embedded objects
x [Surrogate] Global variables introduced by sandboxed surrogates are
attached as window properties after execution to fix recently surfaced
scope-related bugs
x [XSS] Better window.name protection (thanks Masato Kinugawa for report)
x [XSS] Improved detection of javascript: URL injections

Version 2.3.4.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.4
==========================================================================
x [ClearClick] Fixed subtle bug which may lead to infinite loops in some
cases (thanks GµårÐïåñ for reporting)

v 2.3.3
==========================================================================
+ Improved InjectionChecker logging
x Reduced false positive rate on HTML injection checks (thanks therube for
reporting)
x [ClearClick] Fixed clicking on some plugin content causing elements of
the parent page to become white (thanks Markus Wienand for report)
x [ClearClick] Fixed minor bugs triggered by ABP placeholders
+ [ClearClick] Protection against partial obscuration via Flash objects
with OS-native wmode values (thanks David Lin-Shung Huang for reporting)
x [XSS] Further sensitivity tweaks
x [XSS] Better compatibility with some 3rd party ads on Ebay
x [XSS] Fixed false positive on dotted name-value assignments chained with
semicolons (e.g. on some Yahoo-served ads)

Version 2.3.2.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.2
==========================================================================
x [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
x [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
Masato Kinugawa for reporting)
+ [XSS] Added event injection checks for scriptless pages too, in order to
prevent edge-case execution on permissions change
x [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato
Kinugawa for reporting)
x [XSS] Improved HTML detection accuracy
+ Better tagging of surrogate sandboxes for about:memory debugging
x Improved glinks surrogate

Version 2.3.1.1-signed 508.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3.1
==========================================================================
+ Surrogate to let news pages escape Digg's frame
+ [ClearClick] Improved compatibility with cross-frame overlapping shadows
x Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks
.mario for reporting)
+ adf.ly surrogate to automatically skip the interstitial page even if
scripts are disabled
x Improved Google search surrogates
+ New surrogate against Google's scriptless tracking of search results
navigation

Version 2.3.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.3
==========================================================================
x Fixed about:newtab not considered as a local origin by ABE
+ Added blob:, about:memory and about:support to the automatic whitelist
x Added reflected script inclusion check exception for intensedebate.com
x Fixed CSS issues on Gecko 1.8

Version 2.2.9.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.9
==========================================================================
+ Right click on NoScript menu items copies the site to the clipboard, if
any under the pointer, or all the page-related script sources prepended
with a status mark: + for whitelisted, - for default, ! for untrusted
(thanks Tom T. for RFE)
+ Added browserid.org to the default whitelist
x Improved default whitelist update mechanism
x Fixed some Flash movies failing to load on Nightly (thanks Nova6K0 for
reporting)
x Fixed incompatibility between surrogates / content augmentations (e.g.
toStaticHTML) and CSP (Content Security Policy), thanks Bruce Berry for
reporting
x NoScript won't attempt to load the release notes page if the site is
unreachable

v 2.2.9rc1
==========================================================================
x Fixed ABE failing to recognize some FE80:* IPv6 addresses as local ones
(thanks Mitchum Owen for report)

Version 2.2.8.1-signed 507.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.2.8
==========================================================================
x [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested
documents

v 2.2.8rc1
==========================================================================
x [ClearClick] Protection against Koto's Cursorjacking technique disclosed
at http://blog.kotowicz.net/2012/01/cursorjacking-again.html