NoScript Security Suite Version History

383 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.6.5.7.1-signed 518.5 KiB Works with Firefox 3.0.9 - 22.0, SeaMonkey 2.0 - 2.19

v 2.6.5.7
=========================================================================
x Made "Yes, remove all protections" the default button in the removal
warning dialog
x [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
(thanks Masato Kinugawa for reporting)
x [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks
Masato Kinugawa for reporting)

v 2.6.5.6
=========================================================================
x [XSS] Smarter syntax check optimization, removes harmful side effect
(thanks Masato Kinugawa for reporting)

v 2.6.5.5
=========================================================================
x [XSS] Fixed bug in broken string literals balancing (thanks Masato
Kinugawa for reporting)

v 2.6.5.4
=========================================================================
+ [XSS] Obfuscated string literals detection (thanks Masato Kinugawa for
reporting)

v 2.6.5.3
=========================================================================
x [XSS] Improved parsing while decoding mixed-charset encoded URLs
(thanks Masato Kinugawa for reporting)
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
(thanks Masato Kinugawa for reporting)

v 2.6.5.2
=========================================================================
x [XSS] Work-around for a Gecko race condition allowing some
script-enabled attackers to make the charset-mismatch checks abort
prematurely (thanks Masato Kinugawa for reporting)

v 2.6.5.1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)

v 2.6.5
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
(thanks Masato Kinugawa for reporting)
x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ "Security Downgrade Warning" suggests blacklist mode as a better option
than uninstalling, to retain scripting-unrelated protections
- Removed legacy uninstall hooks and related localized strings

Version 2.6.4.4.1-signed 521.0 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.4
=========================================================================
x Fixed plugin placeholders not shown for plugin documents on Gecko >= 19
(thanks therube for reporting)
+ [Surrogate] Support for callbacks in Google Analytics' _gaq.push()
method (thanks Paola Moro for reporting)
+ Allow/Forbid button on the site info page (thanks Edward Huff for RFE)

Version 2.6.4.3.1-signed 520.7 KiB Works with Firefox 3.0.9 - 21.0a1, SeaMonkey 2.0 - 2.18a1

v 2.6.4.3
=========================================================================
x [Surrogate] Less aggressive but more compatible adf.ly surrogate (it
automatically skips ad but requires scripts enabled on adf.ly)
x Fixed whitelist listbox couldn't be fully selected by CTRL+A in recent
Firefox versions (thanks Guardian for reporting)
+ [Surrogate] dimtus.com scriptless automatic image revelation
+ [Surrogate] imageteam.org scriptless automatic image revelation
x [External Filters] Fixed cache API compatibility issue

Version 2.6.4.2.1-signed 520.5 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.2
=========================================================================
x [ClearClick] Fixed miscalculations in screenshot comparison
x Fixed wrong placeholder position for standalone HTML 5 video content
(thanks mjh563 for reporting)
+ "Appearance" option to hide the "About NoScript" menu item
x Deny loading of any empty Flash object
x Fixed HSB locale (thanks Michael Wolf)
x Fixed forced HTTPS breaks redirects on Firefox >= 18 (thanks mjh563 for
reporting)
x Work-around for Gecko calling nsIContentPolicy::shouldProcess() with
null location for Flash objects sometimes (thanks al_9x for report)
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)

Version 2.6.4.1.1-signed 520.5 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.4.1
=========================================================================
x Fixed new placeholder close button being hidden on some Youtube pages

v 2.6.4
=========================================================================
x [XSS] Improved compatibility with Twitter's cross-site requests
+ Close button on embedding placeholder (like using shift+click on the
placeholder itself). Shift clicking the close button bypasses it.
x Fixed placeholders intercepting clicks from overlaid elements (thanks
al_9x)
x Fixed unbound embed enablement confirmation dialog size (thanks therube
for reporting)

Version 2.6.3.1-signed 518.6 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.3
=========================================================================
x [XSS] Further tweaks to reduce false positives (thanks Edward C. Kim
for reporting)
x [XSS] The "maybe JS" step now removes leading parens, reducing false
positives e.g. on Picasa (thanks jerriy for reporting)
x [Surrogate] Work-around for anti-popunder surrogate causing Ebay to
recreate phantom cookies on page unload (thanks mjh563 for reporting)
x Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus)
breaking bookmarklets and URL bar JavaScript support after being updated
for Firefox 17
x Removed some console noise
+ [Surrogate] Updated adf.ly surrogate to work with new links

Version 2.6.2.1-signed 518.1 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.2
=========================================================================
x Fixed Google links anonymizer surrogate interfering with the "Search
tools" button (thanks Sledge Fox and Brian Admire for reporting)
x Fixed impossible to copy lines from Console² if opened by NoScript
(thanks therube for reporting and Phil Chee for suggestion)
x [XSS] Exception for wpcomwidgets.com safe inclusions
x Slightly reduced About box width (thanks GµårÐïåñ for RFE)

Version 2.6.1.1-signed 518.2 KiB Works with Firefox 3.0.9 - 20.0a1, SeaMonkey 2.0 - 2.17a1

v 2.6.1
=========================================================================
x [XSS] Better compatibility with Ebay's saved searches
+ [Surrogate] Imagebax.com scriptless ads skipping redirection
x Fixed first non-cached page load in a session from about:newtab failing
- Removed legacy XUL script blocking code
+ Added optional diagnostic to centralized channel aborting
x Fixed bug in Java URLs resolution

Version 2.6.1-signed 518.0 KiB Works with Firefox 3.0.9 - 19.0a1, SeaMonkey 2.0 - 2.15.*

v 2.6
=========================================================================
x Improved long URL wrapping for more manageable plugin placeholder
tooltips
x Fixed ABE notifications bleeding out of the viewport when very long
URLs are involved
+ [Surrogate] More efficient deferred script loading and syntax check,
saves memory and startup time from unused surrogates
+ [Surrogate] Picbucks.com scriptless ads skipping redirection
+ [Surrogate] Imagebunk.com scriptless image revealing
+ [Surrogate] Picsee.net scriptless image revealing
+ Added navigator.doNotTrack property support

Version 2.5.9.1-signed 517.6 KiB Works with Firefox 3.0.9 - 19.0a1, SeaMonkey 2.0 - 2.15.*

v 2.5.9
=========================================================================
+ Added afx.ms and gfx.ms (fully controlled by Microsoft, no user content
allowed) to the default whitelist (required by MS mail services)
+ [XSS] Removed false positive on some Google Gadgets; the work-around
can be disabled by setting the noscript.filterXExceptions.ggadgets
about:config preference to false (thanks Silvana for reporting)
+ Added new fake mimetype placeholder "FRAME" to match FRAMEs and IFRAMEs
with the noscript.allowedMimeRegExp preference
+ Made mimetype whitelisting through the noscript.allowedMimeRegExp
preference work with FRAMEs and IFRAMEs as well
x Fixed redirections involving sites marked as untrusted causing
inconsistencies in page permissions, with JavaScript being blocked even
if the site is whitelisted (thanks al_9x for reporting)
x Fixed regression on older Gecko versions causing NoScript to believe
the browser is proxied when it's not

Version 2.5.8.1-signed 517.3 KiB Works with Firefox 3.0.9 - 19.0a1, SeaMonkey 2.0 - 2.15.*

v 2.5.8
=========================================================================
x Work-around for unique origins being assigned to URL bar loads by Gecko
16 and above interfering with some ABE rules
x Work-around for bug 797684 patch causing ABE's Sandbox action to fail
x Work-around for regression from Mozilla bug 797684 fix causing frames
not to be blocked correctly in recent >= 18 builds
x Slightly revised About box to make more room for contributors

Version 2.5.7.1-signed 517.0 KiB Works with Firefox 3.0.9 - 19.0a1, SeaMonkey 2.0 - 2.15.*

v 2.5.7
=========================================================================
x Fixed synchronous timeout emulation ordering bug in bookmarklet
execution on scriptless pages (thanks Infocatcher for reporting)
x [XSS] Fixed comment preprocessing optimization affecting free
JavaScript detection, thanks Masato Kinugawa for reporting
x [XSS] Fixed second order data: URLs sanitization issue, thanks Masato
Kinugawa for reporting
x Fixed meta refresh blocker notification bar broken on Gecko < 4 (thanks
nitou for reporting)
x Fixed iframe placeholder positioning issue (thanks al_9x for report)
x Fixed regression in placeholder positioning (thanks al_9x for report)
x [ClearClick] Fixed false positive on cross-site SVG document embeddings
(thanks Steffen for reporting)

Version 2.5.6.1-signed 516.9 KiB Works with Firefox 3.0.9 - 18.0a1, SeaMonkey 2.0 - 2.15a1

v 2.5.6
=========================================================================
x [XSS] Fixed slow regular expression causing some base64 request
payloads to trigger false positives (thanks Mirko Tasler for reporting)
+ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
+ New icon for blocked embeddings on globally allowed pages (thanks
therube for RFE)

Version 2.5.5.1-signed 515.0 KiB Works with Firefox 3.0.9 - 18.0a1, SeaMonkey 2.0 - 2.15a1

v 2.5.5
=========================================================================
+ More reliable Java applet origin identification
x Cross-browser work-around for
https://bugzilla.mozilla.org/show_bug.cgi?id=789773

Version 2.5.4.1-signed 515.0 KiB Works with Firefox 3.0.9 - 18.0a1, SeaMonkey 2.0 - 2.15a1

v 2.5.4
=========================================================================
x Fixed HTTP checks not being skipped anymore for some chrome-generated
XMLHttpRequest requests because of a Gecko 15 change
x Work-around for cloned DOM nodes not retaining additional
chrome-attached information anymore, thus breaking placeholders in some
cases (thanks al_9x for reporting)
x Fixed placeholder post-enablement event channeling broken by Sandbox
changes
x Fixed placeholder sizes messed up by changes in Gecko 17
x Work-around for broken content policy call for Java plugin on Gecko 17
and above (thanks marty60 for reporting)

Version 2.5.3.1-signed 514.0 KiB Works with Firefox 3.0.9 - 18.0a1, SeaMonkey 2.0 - 2.15a1

v 2.5.3
=========================================================================
x [XSS] Fixed false positives on URLs containing an ASP.NET cookieless
session identifier (thanks Trupti Chaudhari for reporting)
+ noscript.eraseFloatingElements about:config preference to switch the
mousedown + del key floating popup erasing feature off and on
x Limited the mousedown + del key floating popup erasing feature to pages
where scripts are forbidden and to absolute or fixed position elements
x Fixed JavaScript URL non-void expression evaluation in the URL bar
causing scripts to get globally allowed (thanks al_9x for reporting)
x [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for
reporting)

Version 2.5.2.1-signed 514.0 KiB Works with Firefox 3.0.9 - 17.0a1, SeaMonkey 2.0 - 2.14a1

v 2.5.2
=========================================================================
x [ClearClick] Improved protection against clickjacking timing attacks
(thanks Nafeez Ahmed for reporting)
x Fine tuned floating div (in-page popup) removal by locking it to the
nearest positioned ancestor and swallowing the mouseup event if the
DEL key has been hit after last mousedown

Version 2.5.1.1-signed 514.0 KiB Works with Firefox 3.0.9 - 17.0a1, SeaMonkey 2.0 - 2.14a1

+ Holding the left mouse button down on a page element and hitting the
DEL key will remove it (useful to forcibly kill in-page popups when
scripts are disabled)
x Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking
protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java
globals have been removed from the DOM
x [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for
reporting)
x Fixed Silverlight and Flash scripted initialization patches being
broken by recent JavaScript interpreter changes
x Work-around for hp-ww.com misconfiguration (JavaScript files served
with bogus content-type header)

Version 2.5.1-signed 513.0 KiB Works with Firefox 3.0.9 - 17.0a1, SeaMonkey 2.0 - 2.14a1

v 2.5
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.4.9.1-signed 513.0 KiB Works with Firefox 3.0.9 - 17.0a1, SeaMonkey 2.0 - 2.14a1

v 2.4.9
=========================================================================
+ Added ability to replace obsolete default whitelist entries
x Replaced browserid.org with persona.org in the default whitelist
x Improved anti-DOS protection
x Better usability with some HTML5 Youtube videos (thanks Mike Perry
for reporting)
x Reverted to the ctrl+shift+S main keyboard shortcut
x [XSS] Fixed XML preprocessing breaking detection of some E4X
constructs (thanks Pepe Vila for reporting)
+ [XSS] Protection against error-based SQLI with an XSS payload (thanks
Ashar Javed for reporting, original disclosure by Keith Makan)

Version 2.4.8.1-signed 513.0 KiB Works with Firefox 3.0.9 - 17.0a1, SeaMonkey 2.0 - 2.14a1

v 2.4.8
=========================================================================
x Work-around for Mozilla bug 771655 (broken debugger)
x Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is
taken by the debugger
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
handle generic XML documents

Version 2.4.7.1-signed 513.0 KiB Works with Firefox 3.0.9 - 16.0a1, SeaMonkey 2.0 - 2.13a1

v 2.4.7
=========================================================================
x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
report)
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)

Version 2.4.6.1-signed 512.0 KiB Works with Firefox 3.0.9 - 16.0a1, SeaMonkey 2.0 - 2.13a1

v 2.4.6
=========================================================================
x [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
x [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
x [XSS] Fixed document.cookie minimal assignment false negative (thanks
Masato Kinugawa for report)
x [XSS] Fixed dotted query parameter names false positives, affecting
OpenID, Hotmail and other services (thanks Gavin H for report)
x Fixed some messages being dumped to the console even if logging is
turned off (thanks marbler for report)

Version 2.4.5.1-signed 512.0 KiB Works with Firefox 3.0 - 16.0a1, SeaMonkey 2.0 - 2.13a1

v 2.4.5
=========================================================================
+ [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
x [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
Dalili and Ahamed Nafeez for reporting)
x [XSS] Improved unconventional assignments detection (thanks Masato
Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kinds of concatenated assignments (thanks Masato Kinugawa for report)
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.4.1-signed 512.0 KiB Works with Firefox 3.0 - 16.0a1, SeaMonkey 2.0 - 2.13a1

v 2.4.4
=========================================================================
x [Locale] Updated he-IL (thanks baryoni)
x Fixed early synthetic DNS notification causing blank stripe on the
bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)

Version 2.4.3.1-signed 512.0 KiB Works with Firefox 3.0 - 15.0a1, SeaMonkey 2.0 - 2.12a1

v 2.4.3
=========================================================================
x Fixed JS links detection not resolving JS string escapes (thanks vyznev
for reporting)
x Fixed HTML 5 parser detection in META refresh processing being broken
by a removed browser preference
x Fixed exception raised by inclusion type checks when parent document's
URI has no host
+ [XSS] Better detection of free inline script injections (without string
literal evasion) inside function calls
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Version 2.4.2.1-signed 511.0 KiB Works with Firefox 3.0 - 15.0a1, SeaMonkey 2.0 - 2.12a1

v 2.4.2rc7
=========================================================================
x [ABE] IPv6 link-local addresses (fe80::/10) are not considered belonging
to the LAN anymore for the purpose of cross-zone request forgery checks
in order to safely work-around DNS misconfiguration issues in the wild
(thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
because of redirection loops
x [XSS] Protection against HPP attacks exploiting URL parsing quirks
specific to ASP Classic (thanks Soroush Dalili for reporting)
x Fixed first application updates check failing on Nightly (bug 754393)
x [XSS] Fixed false positive regression on some file hosting sites (thanks
Janne Maekelae for reporting)

Version 2.4.1.1-signed 511.0 KiB Works with Firefox 3.0 - 15.0a1, SeaMonkey 2.0 - 2.12a1

v 2.4.1
==========================================================================
+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
same-name query parameters (thanks Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
sequences (thanks Masato Kinugawa for reporting)
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
therube for reporting)
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
repository, often used as a CDN

Version 2.4.1-signed 511.0 KiB Works with Firefox 3.0 - 15.0a1, SeaMonkey 2.0 - 2.12a1

v 2.4rc8
==========================================================================
x [XSS] Improved global exception injection detection
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
Dalili for reporting)
x [Locale] Fixed broken overlay on Basque localized browsers (for real
this time, thanks afa for reporting)

v 2.4rc7
==========================================================================
+ [XSS] Improved InjectionChecker detection of in-code multiple insertions
(thanks Krzysztof Kotowicz)
+ [XSS] InjectionChecker detection of single assignment evaluation through
global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
for reporting)

v 2.4rc6
==========================================================================
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)

v 2.4rc5
==========================================================================
x Improved temporary permissions management during bookmarklet execution

v 2.4rc4
==========================================================================
x Fixed 2.4rc3 regression in url bar JavaScript execution

v 2.4rc3
==========================================================================
x Fixed bookmarklet couldn't be executed on blacklisted sites in "Globally
Allow" mode (thanks tharpa for reporting)

v 2.4rc2
==========================================================================
x [ClearClick] Fixed cross-site clicks blocked on Firefox < 3.6 (thanks
Janet Whipple for reporting)

v 2.4rc1
==========================================================================
x [Surrogate] Fixed surrogates broken on Nightly

Version 2.3.9.1-signed 511.0 KiB Works with Firefox 3.0 - 15.0a1, SeaMonkey 2.0 - 2.12a1

v 2.3.9
==========================================================================
+ [ClearClick] More tolerant snapshot comparison algorithm (partially
backported from NSA) to reduce false positives (tweaked by the
noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
obscuration by windowed plugins checks
x Fixed compatibility regressions on Firefox 3.x
x Following links from the About dialog now closes it (thanks Guardian for
suggestions)
x Fixed NOSCRIPT META refreshes blocking not working when scripts are
globally allowed (thanks Ken and Tom T. for reporting)
x [ClearClick] Fixed false positives caused by accelerated graphics with
some plugin content