NoScript Security Suite Version History

657 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.6.5.8rc2 518.9 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.8rc2
=========================================================================
+ Automatic Google Analytics web bugs blocking if google-analytics.com is
not whitelisted
+ "Mark as untrusted" button on the site info page (thanks SwissBIT for
RFE)
+ "Allow"/"Forbid"/"Mark as untrusted" icons on the site info buttons
x Inclusion type checks exception for yandex.st

v 2.6.5.8rc1
=========================================================================
x [XSS] Exception for requests across *.photobucket.com subdomains, which
may legitimately contain syntactically valid Javascript fragments
(thanks RAJAH235 for reporting)

Version 2.6.5.8rc1 518.7 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.8rc1
=========================================================================
x [XSS] Exception for requests across *.photobucket.com subdomains, which
may legitimately contain syntactically valid Javascript fragments
(thanks RAJAH235 for reporting)

Version 2.6.5.7rc2 518.6 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.7rc2
=========================================================================
x Made "Yes, remove all protections" the default button in the removal
warning dialog

v 2.6.5.7rc1
=========================================================================
x [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
(thanks Masato Kinugawa for reporting)
x [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks
Masato Kinugawa for reporting)

Version 2.6.5.7rc1 518.6 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.7rc1
=========================================================================
x [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
(thanks Masato Kinugawa for reporting)
x [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks
Masato Kinugawa for reporting)

Version 2.6.5.6rc1 518.6 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.6rc1
=========================================================================
x [XSS] Smarter syntax check optimization, removes harmful side effect
(thanks Masato Kinugawa for reporting)

v 2.6.5.5rc1
=========================================================================
x [XSS] Fixed bug in broken string literals balancing (thanks Masato
Kinugawa for reporting)

v 2.6.5.4rc1
=========================================================================
+ [XSS] Obfuscated string literals detection (thanks Masato Kinugawa for
reporting)

v 2.6.5.3rc2
=========================================================================
x [XSS] Improved parsing while decoding mixed-charset encoded URLs
(thanks Masato Kinugawa for reporting)

v 2.6.5.3rc1
=========================================================================
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
(thanks Masato Kinugawa for reporting)

v 2.6.5.2rc1
=========================================================================
x [XSS] Work-around for a Gecko race condition allowing some
script-enabled attackers to make the charset-mismatch checks abort
prematurely (thanks Masato Kinugawa for reporting)

v 2.6.5.1rc1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5.5rc1 518.7 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.5rc1
=========================================================================
x [XSS] Fixed bug in broken string literals balancing (thanks Masato
Kinugawa for reporting)

Version 2.6.5.4rc1 518.6 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.4rc1
=========================================================================
+ [XSS] Obfuscated string literals detection (thanks Masato Kinugawa for
reporting)

v 2.6.5.3rc2
=========================================================================
x [XSS] Improved parsing while decoding mixed-charset encoded URLs
(thanks Masato Kinugawa for reporting)

v 2.6.5.3rc1
=========================================================================
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
(thanks Masato Kinugawa for reporting)

v 2.6.5.2rc1
=========================================================================
x [XSS] Work-around for a Gecko race condition allowing some
script-enabled attackers to make the charset-mismatch checks abort
prematurely (thanks Masato Kinugawa for reporting)

v 2.6.5.1rc1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5.3rc2 518.5 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.3rc2
=========================================================================
x [XSS] Improved parsing while decoding mixed-charset encoded URLs
(thanks Masato Kinugawa for reporting)

v 2.6.5.3rc1
=========================================================================
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
(thanks Masato Kinugawa for reporting)

v 2.6.5.2rc1
=========================================================================
x [XSS] Work-around for a Gecko race condition allowing some
script-enabled attackers to make the charset-mismatch checks abort
prematurely (thanks Masato Kinugawa for reporting)

v 2.6.5.1rc1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5.3rc1 518.4 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.3rc1
=========================================================================
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
(thanks Masato Kinugawa for reporting)

v 2.6.5.2rc1
=========================================================================
x [XSS] Work-around for a Gecko race condition allowing some
script-enabled attackers to make the charset-mismatch checks abort
prematurely (thanks Masato Kinugawa for reporting)

v 2.6.5.1rc1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5.2rc1 518.3 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.2rc1
=========================================================================
x [XSS] Work-around for a Gecko race condition allowing some
script-enabled attackers to make the charset-mismatch checks abort
prematurely (thanks Masato Kinugawa for reporting)

v 2.6.5.1rc1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5.1rc1 518.1 KiB Works with Firefox 3.0.9 - 21.0, SeaMonkey 2.0 - 2.18

v 2.6.5.1rc1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5rc2 517.8 KiB Works with Firefox 3.0.9 - 21.0, SeaMonkey 2.0 - 2.18

v 2.6.5rc2
=========================================================================
x Better wording for the "Security Downgrade Warning" options

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.5rc1 517.8 KiB Works with Firefox 3.0.9 - 21.0, SeaMonkey 2.0 - 2.18

v 2.6.5rc1
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ Suggestion of blacklist mode as a viable alternative to disablement or
uninstall which retains protections unrelated to script blocking
- Removed legacy uninstall hooks and related localized strings

Version 2.6.4.4rc3 521.1 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.4rc3
=========================================================================
x Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
(thanks therube for reporting)

v 2.6.4.4rc2
=========================================================================
+ [Surrogate] Support for callbacks in Google Analytics' _gaq.push()
method (thanks Paola Moro for reporting)

v 2.6.4.4rc1
=========================================================================
+ Allow/Forbid button on the site info page (thanks Edward Huff for RFE)

Version 2.6.4.4rc2 521.0 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.4rc2
=========================================================================
+ [Surrogate] Support for callbacks in Google Analytics' _gaq.push()
method (thanks Paola Moro for reporting)

v 2.6.4.4rc1
=========================================================================
+ Allow/Forbid button on the site info page (thanks Edward Huff for RFE)

Version 2.6.4.4rc1 521.1 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.4rc1
=========================================================================
+ Allow/Forbid button on the site info page (thanks Edward Huff for RFE)

Version 2.6.4.3rc2 520.9 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.3rc2
=========================================================================
x [Surrogate] Less aggressive but more compatible adf.ly surrogate (it
automatically skips ad but requires scripts enabled on adf.ly)
x Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent
Firefox versions (thanks Guardian for reporting)

v 2.6.4.3rc1
=========================================================================
+ [Surrogate] dimtus.com scriptless automatic image revelation
+ [Surrogate] imageteam.org scriptless automatic image revelation
x [External Filters] Fixed cache API compatibility issue

Version 2.6.4.3rc1 520.6 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.3rc1
=========================================================================
+ [Surrogate] dimtus.com scriptless automatic image revelation
+ [Surrogate] imageteam.org scriptless automatic image revelation
x [External Filters] Fixed cache API compatibility issue

Version 2.6.4.2rc6 520.6 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2rc6
=========================================================================
x [ClearClick] Fixed miscalculations in screenshot comparison

v 2.6.4.2rc5
=========================================================================
x Fixed wrong placeholder position for standalone HTML 5 video content
(thanks mjh563 for reporting)

v 2.6.4.2rc4
=========================================================================
+ "Appearance" option to hide the "About NoScript" menu item
x Deny loading of any empty Flash object
x Fixed HSB locale (thanks Michael Wolf)

v 2.6.4.2rc3
=========================================================================
x Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for
reporting)
x Work-around for Gecko calling nsIContentPolicy::shouldProcess() with
null location for Flash objects sometimes (thanks al_9x for report)

v 2.6.4.2rc2
=========================================================================
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)

v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.2rc5 520.6 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2rc5
=========================================================================
x Fixed wrong plaecholder position for standalone HTML 5 video content
(thanks mjh563 for reporting)

v 2.6.4.2rc4
=========================================================================
+ "Appearance" option to hide the "About NoScript" menu item
x Deny loading of any empty Flash object
x Fixed HSB locale (thanks )

v 2.6.4.2rc3
=========================================================================
x Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for
reporting)
x Work-around for Gecko calling nsIContentPolicy::shouldProcess() with
null location for Flash objects sometimes (thanks al_9x for report)

v 2.6.4.2rc2
=========================================================================
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)

v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.2rc4 520.6 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2rc4
=========================================================================
+ "Appearance" option to hide the "About NoScript" menu item
x Deny loading of any empty Flash object
x Fixed HSB locale (thanks )

v 2.6.4.2rc3
=========================================================================
x Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for
reporting)
x Work-around for Gecko calling nsIContentPolicy::shouldProcess() with
null location for Flash objects sometimes (thanks al_9x for report)

v 2.6.4.2rc2
=========================================================================
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)

v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.2rc3 520.5 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2rc3
=========================================================================
x Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for
reporting)
x Work-around for Gecko calling nsIContentPolicy::shouldProcess() with
null location for Flash objects sometimes (thanks al_9x for report)

v 2.6.4.2rc2
=========================================================================
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)

v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.2rc2 520.5 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2rc2
=========================================================================
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)

v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.2rc1 520.6 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.1rc1 520.5 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.1rc1
=========================================================================
x Fixed new placeholder close button being hidden on some Youtube pages

Version 2.6.4rc2 520.4 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4rc2
=========================================================================
x [XSS] Improved compatibility with Twitter's cross-site requests
+ Close button on embedding placeholder (like using shift+click on the
placeholder itself). Shift clicking the close button bypasses it.
x Fixed placeholders intercepting clicks from overlayed elements (thanks
al_9x)

v 2.6.4rc1
=========================================================================
x Fixed unbound embed enablement confirmation dialog size (thanks therube
for reporting)

Version 2.6.4rc1 518.5 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4rc1
=========================================================================
x Fixed unbound embed enablement confirmation dialog size (thanks therube
for reporting)

Version 2.6.3rc4 518.4 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.3rc4
=========================================================================
x [XSS] Further tweaks to reduce false positives (thanks Edward C. Kim
for reporting)

v 2.6.3rc3
=========================================================================
x [XSS] The "maybe JS" step now removes leading parens, reducing false
positives e.g. on Picasa (thanks jerriy for reporting)

v 2.6.3rc2
=========================================================================
x [Surrogate] Work-around for anti-popunder surrogate causing Ebay to
recreate phantom cookies on page unload (thanks mjh563 for reporting)

v 2.6.3rc1
=========================================================================
x Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus)
breaking bookmarlets and URL bar Javascript support after being updated
for Firefox 17
x Removed some console noise
+ [Surrogate] Updated adf.ly surrogate to work with new links

Version 2.6.3rc3 518.3 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.3rc3
=========================================================================
x [XSS] The "maybe JS" step now removes leading parens, reducing false
positives e.g. on Picasa (thanks jerriy for reporting)

v 2.6.3rc2
=========================================================================
x [Surrogate] Work-around for anti-popunder surrogate causing Ebay to
recreate phantom cookies on page unload (thanks mjh563 for reporting)

v 2.6.3rc1
=========================================================================
x Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus)
breaking bookmarklets and URL bar Javascript support after being updated
for Firefox 17
x Removed some console noise
+ [Surrogate] Updated adf.ly surrogate to work with new links

Version 2.6.3rc2 518.3 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.3rc2
=========================================================================
x [Surrogate] Work-around for anti-popunder surrogate causing Ebay to
recreate phantom cookies on page unload (thanks mjh563 for reporting)

v 2.6.3rc1
=========================================================================
x Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus)
breaking bookmarklets and URL bar Javascript support after being updated
for Firefox 17
x Removed some console noise
+ [Surrogate] Updated adf.ly surrogate to work with new links