NoScript Security Suite Version History

869 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.1.2.4rc1 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.2.4rc1
==========================================================================
x [ClearClick] Restored compatibility with bit.ly (now bitly.com)

v 2.1.2.3rc3
==========================================================================
x [ClearClick] Refactoring and isolation of the rapid fire protection

v 2.1.2.3rc2
==========================================================================
x [ClearClick] Further refinement of rapid fire detection on tab switching

v 2.1.2.3rc1
==========================================================================
x [ClearClick] Fixed delay on first event response after some kinds of tab
switching

v 2.1.2.2rc1
==========================================================================
x [ClearClick] Fixed false positives due to backwards incompatibilities
with Fx 3.5 and below (thanks chas35 for reporting)
x [Nightly compat] Fixed import/export broken by nsIJSON interface changes
in recent nightly builds (thanks happy-dude for reporting)

v 2.1.2.1rc1
==========================================================================
x Fixed rapid fire cross-site interaction protection interfering with
keyboard-based tab switching (thanks tikl for reporting)

Version 2.1.2.3.1-signed 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.2.3
==========================================================================
x [ClearClick] Refactoring and isolation of the rapid fire protection

v 2.1.2.3rc2
==========================================================================
x [ClearClick] Further refinement of rapid fire detection on tab switching

v 2.1.2.3rc1
==========================================================================
x [ClearClick] Fixed delay on first event response after some kinds of tab
switching

v 2.1.2.2
==========================================================================
x [ClearClick] Fixed false positives due to backwards incompatibilities
with Fx 3.5 and below (thanks chas35 for reporting)
x [Nightly compat] Fixed import/export broken by nsIJSON interface changes
in recent nightly builds (thanks happy-dude for reporting)

v 2.1.2.1
==========================================================================
x Fixed rapid fire cross-site interaction protection interfering with
keyboard-based tab switching (thanks tikl for reporting)

Version 2.1.2.1rc1 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.2.1rc1
==========================================================================
x Fixed rapid fire cross-site interaction protection interfering with
keyboard-based tab switching (thanks tikl for reporting)

Version 2.1.2rc6 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.2rc6
==========================================================================
x Minor tweaks to the new rapid fire cross-site interaction protection

v 2.1.2rc5
==========================================================================
+ ClearClick protection against rapid fire cross-site interaction AKA
"double-clickjacking" (thanks Collin Jackson for RFE), see
http://mayscript.com/blog/david/clickjacking-attacks-unresolved

v 2.1.2rc4
==========================================================================
+ ClearClick protection against view-source content extraction attacks
(thanks Steven Roddis for RFE)
+ Current version number shown directly in all the "About NoScript" menu
items (thanks therube for RFE)
x Fixed NoScript icon status not updated when a tab is moved to a new
window (thanks dhouwn for reporting)

v 2.1.2rc3
==========================================================================
x Fixed work around for Bug 668690 breaking feed viewer (thanks Jim Too
for reporting)

v 2.1.2rc2
==========================================================================
x Disabled NoScript's X-Frame-Options support on Firefox 3.6.10 and above,
where it is built-in
x Work around for Bug 668690 affecting Gecko 2.0 and above (thanks Nemoar
and al_9x for reporting)

v 2.1.2rc1
==========================================================================
x Fixed startup error in Nightly due to the merge of event target
interfaces in bug 658714 (thanks Hydraxr for reporting)

Version 2.1.2rc4 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Version 2.1.2rc3 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.2rc3
==========================================================================
x Fixed work around for Bug 668690 breaking feed viewer (thanks Jim Too
for reporting)

v 2.1.2rc2
==========================================================================
x Disabled NoScript's X-Frame-Options support on Firefox 3.6.10 and above,
where it is built-in
x Work around for Bug 668690 affecting Gecko 2.0 and above (thanks Nemoar
and al_9x for reporting)

v 2.1.2rc1
==========================================================================
x Fixed startup error in Nightly due to the merge of event target
interfaces in bug 658714 (thanks Hydraxr for reporting)

Version 2.1.2rc2 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Version 2.1.2rc0 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.2rc0
==========================================================================
x Fixed conflict with Firebug console
x Removed legacy code in content policy and ClearClick

v 2.1.1.2rc9
==========================================================================
x Fixed surrogates causing duplicate history entries for some sites on
Firefox 5
x Work around for bug 666371 breaking popunder surrogate and legitimate
popups on some sites

v 2.1.1.2rc8
==========================================================================
x Work-around for Mac OS X filepicker in Firefox 5 preventing exported
configuration files from being reimported

v 2.1.1.2rc7
==========================================================================
x Work-around for Nightly bug breaking the "View image" command
x Improved Google Analytics surrogate

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2.1-signed 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2 (same as 2.1.2rc0)
==========================================================================
x Fixed conflict with Firebug console
x Removed legacy code in content policy and ClearClick

v 2.1.1.2rc9
==========================================================================
x Fixed surrogates causing duplicate history entries for some sites on
Firefox 5
x Work around for bug 666371 breaking popunder surrogate and legitimate
popups on some sites

v 2.1.1.2rc8
==========================================================================
x Work-around for Mac OS X filepicker in Firefox 5 preventing exported
configuration files from being reimported

v 2.1.1.2rc7
==========================================================================
x Work-around for Nightly bug breaking the "View image" command
x Improved Google Analytics surrogate

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc9 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2rc9
==========================================================================
x Fixed surrogates causing duplicate history entries for some sites on
Firefox 5
x Work around for bug 666371 breaking popunder surrogate and legitimate
popups on some sites

v 2.1.1.2rc8
==========================================================================
x Work-around for Mac OS X filepicker in Firefox 5 preventing exported
configuration files from being reimported

v 2.1.1.2rc7
==========================================================================
x Work-around for Nightly bug breaking the "View image" command
x Improved Google Analytics surrogate

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc8 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

==========================================================================
x Work-around for Mac OS X filepicker in Firefox 5 preventing exported
configuration files from being reimported

v 2.1.1.2rc7
==========================================================================
x Work-around for Nightly bug breaking the "View image" command
x Improved Google Analytics surrogate

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc7 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2rc7
==========================================================================
x Work-around for Nightly bug breaking the "View image" command
x Improved Google Analytics surrogate

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc6 506.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2rc6
==========================================================================
+ HTML 5 media blocking extended to Mozilla's audio API extension (thanks
al_9x for RFE)
x Improved handling of resource prefetching through object elements
x Removed msc.wlxrs.com and js.wlxrs.com, adding just wlxrs.com to the
default whitelist and to the whitelists of Hotmail users, after Microsoft
explained that this is the future-proof permission needed to ensure
compatibility with the Live webmail

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc5 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2rc5
==========================================================================
x Full page reload is not triggered anymore when invisible plugin objects
are activated if the parent page has been loaded by a POST HTTP request
(thanks al_9x for RFE)
x Full page reload is not triggered anymore on invisible frame activation
(thanks al_9x for RFE)
x Fixed "Blocked Objects" menu missing on Hotmail inbox (thanks therube
for reporting)
x Object elements used to prefetch JavaScript and CSS content are not
blocked anymore, provided that the parent is whitelisted, This behavior
can be disabled in about:config, noscript.allowCachingObjects (thanks
al_9x for RFE)

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc4 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2rc4
==========================================================================
+ Added msc.wlxrs.com to the default whitelist as requested by the Hotmail
team (new domain required for Hotmail to work)
+ One-time merge of the default whitelist to integrate services already
whitelisted as needed (e.g. hotmail.com to imply msc.wlxrs.com)
x Work-around for scripts served from amazonaws.com having wrong media
type sometimes

v 2.1.1.2rc3
==========================================================================
x Fixed frame in-place activation causing the content to be loaded inside
a nested iframe (thanks al_9x for reporting)

v 2.1.1.2rc2
==========================================================================
x [XSS] Work-around for an unfixable (JavaScript fragments get actually
uploaded cross-site) false positive on Verizon login (thanks John Dwyer
for reportng)

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.2rc1 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)

Version 2.1.1.1.1-signed 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.1
==========================================================================
+ Improved embedded object activation on Javascript-enabled pages via
dynamic method proxies (thanks al_9x for RFE)

v 2.1.1.1rc2
==========================================================================
x [XSS] removed false positive at Well Fargo's login

v 2.1.1.1rc1
==========================================================================
x Reduced request garbage collection frequency

Version 2.1.1.1rc3 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.1rc3
==========================================================================
+ Improved embedded object activation on Javascript-enabled pages via
dynamic method proxies (thanks al_9x for RFE)

v 2.1.1.1rc2
==========================================================================
x [XSS] removed false positive at Well Fargo's login

v 2.1.1.1rc1
==========================================================================
x Reduced request garbage collection frequency

Version 2.1.1.1rc1 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1.1rc1
==========================================================================
x Reduced request garbage collection frequency

Version 2.1.1.1-signed 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.1
==========================================================================
x Fixed toolbar button hidden in popup windows (thanks Steven Roddis for
reporting)

v 2.1.0.6rc14
==========================================================================
x Fixed double HTTP requests sent sometimes for document requests just
after DNS cache invalidation (thanks Lekensteyn and SLED for reporting)
x Removed NoScript and FlashGot download pages and added Yahoo! Mail as
ClearClick exception, in order to prevent false positives in the message
panel (thanks be and sabret00the for reporting)
x Fixed conflict with IE Tab 2 causing new tab not to open URLs entered
in the address bar (thanks mc for reporting)

v 2.1.0.6rc13
==========================================================================
x Fixed placeholders broken on trunk after fix for Gecko's bug 308590

v 2.1.0.6rc12
==========================================================================
+ Added paypal.com and paypalobjects.com to the default whitelist, to cope
with the new in-page contribution setup at AMO and reduce XSS risks
+ Improved toStaticHTML() emulation (thanks .mario for reporting)

v 2.1.0.6rc11
==========================================================================
x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)

v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
==========================================================================
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
==========================================================================
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.6rc15 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.6rc15
==========================================================================
x Fixed toolbar button hidden in popup windows (thanks Steven Roddis for
reporting)

v 2.1.0.6rc14
==========================================================================
x Fixed double HTTP requests sent sometimes for document requests just
after DNS cache invalidation (thanks Lekensteyn and SLED for reporting)
x Removed NoScript and FlashGot download pages and added Yahoo! Mail as
ClearClick exception, in order to prevent false positives in the message
panel (thanks be and sabret00the for reporting)
x Fixed conflict with IE Tab 2 causing new tab not to open URLs entered
in the address bar (thanks m_c for reporting)

v 2.1.0.6rc13
==========================================================================
x Fixed placeholders broken on trunk after fix for Gecko's bug 308590

v 2.1.0.6rc12
==========================================================================
+ Added paypal.com and paypalobjects.com to the default whitelist, to cope
with the new in-page contribution setup at AMO and reduce XSS risks
+ Improved toStaticHTML() emulation (thanks .mario for reporting)

v 2.1.0.6rc11
==========================================================================
x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)

v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
==========================================================================
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
==========================================================================
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.6rc14 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.6rc14
==========================================================================
x Fixed double HTTP requests sent sometimes for document requests just
after DNS cache invalidation (thanks Lekensteyn and SLED for reporting)
x Removed NoScript and FlashGot download pages and added Yahoo! Mail as
ClearClick exception, in order to prevent false positives in the message
panel (thanks be and sabret00the for reporting)
x Fixed conflict with IE Tab 2 causing new tab not to open URLs entered
in the address bar (thanks m_c for reporting)

v 2.1.0.6rc13
==========================================================================
x Fixed placeholders broken on trunk after fix for Gecko's bug 308590

v 2.1.0.6rc12
==========================================================================
+ Added paypal.com and paypalobjects.com to the default whitelist, to cope
with the new in-page contribution setup at AMO and reduce XSS risks
+ Improved toStaticHTML() emulation (thanks .mario for reporting)

v 2.1.0.6rc11
==========================================================================
x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)

v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
==========================================================================
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
==========================================================================
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.6rc13 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.6rc13
==========================================================================
x Fixed placeholders broken on trunk after fix for Gecko's bug 308590

v 2.1.0.6rc12
==========================================================================
+ Added paypal.com and paypalobjects.com to the default whitelist, to cope
with the new in-page contribution setup at AMO and reduce XSS risks
+ Improved toStaticHTML() emulation (thanks .mario for reporting)

v 2.1.0.6rc11
==========================================================================
x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)

v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
==========================================================================
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
==========================================================================
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.6rc10 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
==========================================================================
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
==========================================================================
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.6rc9 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

Version 2.1.0.6rc6 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.6rc5 505.9 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.6rc5
==========================================================================
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
==========================================================================
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
==========================================================================
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
==========================================================================
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

Version 2.1.0.5.1-signed 500.7 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.5
==========================================================================
x Fixed recent memory optimizations breaking compatibility with some
extensions (thanks Alan Baxter for reporting)

v 2.1.0.5rc1
==========================================================================
x Work-around for a Seamonkey initialization timing issue

v 2.1.0.4
==========================================================================
+ Improved performance and memory efficiency of cross-site checks
x Removed redundant primary origin from ABE messages
x More verbose initialization error reporting

v 2.1.0.4rc10
==========================================================================
x Fixed memory leak on Nightly when watching the movie at http://ro.me
(thanks _nil and therube for reporting)

v 2.1.0.4rc9
==========================================================================
x Fixed Script Surrogate execution breaking some framesets
x Fixed executing an interactive bookmarklet and closing current tab
during execution keeps scripts globally allowed
+ Disabled execution of javascript: and data: URLs typed or
pasted in the address bar (noscript.allowURLBarJS preference)
+ Disabled execution of non-whitelisted scripts imported during execution
of javascript: and data: URLs typed or pasted in the address bar
(noscript.allowURLBarImports preference)
+ Work around for Verizon's cache serving scripts with wrong media type

v 2.1.0.4rc8
==========================================================================
x Fixed NoScript icon disappearing from add-on bar when mode == "text"

v 2.1.0.4rc7
==========================================================================
x Better work-around for bit.ly sidebar triggering ClearClick warnings
(thanks Markus387 for reporting)

v 2.1.0.4rc6
==========================================================================
x Work-around for bit.ly sidebar triggering ClearClick warnings
x Fixed placeholders with undersized type icon regression

v 2.1.0.4rc5
==========================================================================
x Fixed Seamonkey hanging on some pages (thanks therube for reporting)

v 2.1.0.4rc4
==========================================================================
x Fixed labels being shown for NoScript buttons on the add-on bar in some
configurations (thanks baciok for reporting)

v 2.1.0.4rc3
==========================================================================
x Fixed minimum placeholder size not applied when embeddings have "auto"
as their computed CSS width or height (thanks al_9x for reporting)

v 2.1.0.4rc2
==========================================================================
+ On scriptless pages, empty forms meant to be submitted via JavaScript
are automatically augmented with a submit button labeled after the
destination URL (thanks timeless for RFE)

2.1.0.4rc1
==========================================================================
x Changed the noscript.forbidXBL default to 1 (OK for current Fx versions)
in order to avoid Lotus Mail issues (thanks Tina for reporting)
x [XSS] Fixed a false positive involving Amazon mp3 checkout (thanks Dan
Loomis for reporting)

Version 2.1.0.5rc2 501.8 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.5rc2
==========================================================================
x Fixed recent memory optimizations breaking compatibility with some
extensions (thanks Alan Baxter for reporting)

v 2.1.0.5rc1
==========================================================================
x Work-around for a Seamonkey initialization timing issue

v 2.1.0.4
==========================================================================
+ Improved performance and memory efficiency of cross-site checks
x Removed redundant primary origin from ABE messages
x More verbose initialization error reporting

v 2.1.0.4rc10
==========================================================================
x Fixed memory leak on Nightly when watching the movie at http://ro.me
(thanks _nil and therube for reporting)

v 2.1.0.4rc9
==========================================================================
x Fixed Script Surrogate execution breaking some framesets
x Fixed executing an interactive bookmarklet and closing current tab
during execution keeps scripts globally allowed
+ Disabled execution of javascript: and data: URLs typed or
pasted in the address bar (noscript.allowURLBarJS preference)
+ Disabled execution of non-whitelisted scripts imported during execution
of javascript: and data: URLs typed or pasted in the address bar
(noscript.allowURLBarImports preference)
+ Work around for Verizon's cache serving scripts with wrong media type

v 2.1.0.4rc8
==========================================================================
x Fixed NoScript icon disappearing from add-on bar when mode == "text"

v 2.1.0.4rc7
==========================================================================
x Better work-around for bit.ly sidebar triggering ClearClick warnings
(thanks Markus387 for reporting)

v 2.1.0.4rc6
==========================================================================
x Work-around for bit.ly sidebar triggering ClearClick warnings
x Fixed placeholders with undersized type icon regression

v 2.1.0.4rc5
==========================================================================
x Fixed Seamonkey hanging on some pages (thanks therube for reporting)

v 2.1.0.4rc4
==========================================================================
x Fixed labels being shown for NoScript buttons on the add-on bar in some
configurations (thanks baciok for reporting)

v 2.1.0.4rc3
==========================================================================
x Fixed minimum placeholder size not applied when embeddings have "auto"
as their computed CSS width or height (thanks al_9x for reporting)

v 2.1.0.4rc2
==========================================================================
+ On scriptless pages, empty forms meant to be submitted via JavaScript
are automatically augmented with a submit button labeled after the
destination URL (thanks timeless for RFE)

2.1.0.4rc1
==========================================================================
x Changed the noscript.forbidXBL default to 1 (OK for current Fx versions)
in order to avoid Lotus Mail issues (thanks Tina for reporting)
x [XSS] Fixed a false positive involving Amazon mp3 checkout (thanks Dan
Loomis for reporting)

Version 2.1.0.4rc11 500.7 kB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.1.0.4rc11 (same as 2.1.0.4 final)
==========================================================================
+ Improved performance and memory efficience of cross-site checks
x Removed redundant primary origin from ABE messages
x More verbose initialization error reporting

v 2.1.0.4rc10
==========================================================================
x Fixed memory leak on Nightly when watching the movie at http://ro.me
(thanks _nil and therube for reporting)

v 2.1.0.4rc9
==========================================================================
x Fixed Script Surrogate execution breaking some framesets
x Fixed executing an interactive bookmarklet and closing current tab
during execution keeps scripts globally allowed
+ Disabled execution of javascript: and data: URLs typed or
pasted in the address bar (noscript.allowURLBarJS preference)
+ Disabled execution of non-whitelisted scripts imported during execution
of javascript: and data: URLs typed or pasted in the address bar
(noscript.allowURLBarImports preference)
+ Work around for Verizon's cache serving scripts with wrong media type

v 2.1.0.4rc8
==========================================================================
x Fixed NoScript icon disappearing from add-on bar when mode == "text"

v 2.1.0.4rc7
==========================================================================
x Better work-around for bit.ly sidebar triggering ClearClick warnings
(thanks Markus387 for reporting)

v 2.1.0.4rc6
==========================================================================
x Work-around for bit.ly sidebar triggering ClearClick warnings
x Fixed placeholders with undersized type icon regression

v 2.1.0.4rc5
==========================================================================
x Fixed Seamonkey hanging on some pages (thanks therube for reporting)

v 2.1.0.4rc4
==========================================================================
x Fixed labels being shown for NoScript buttons on the add-on bar in some
configurations (thanks baciok for reporting)

v 2.1.0.4rc3
==========================================================================
x Fixed minimum placeholder size not applied when embeddings have "auto"
as their computed CSS width or height (thanks al_9x for reporting)

v 2.1.0.4rc2
==========================================================================
+ On scriptless pages, empty forms meant to be submitted via JavaScript
are automatically augmented with a submit button labeled after the
destination URL (thanks timeless for RFE)

2.1.0.4rc1
==========================================================================
x Changed the noscript.forbidXBL default to 1 (OK for current Fx versions)
in order to avoid Lotus Mail issues (thanks Tina for reporting)
x [XSS] Fixed a false positive involving Amazon mp3 checkout (thanks Dan
Loomis for reporting)