NoScript Security Suite Version History

414 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.6.9.10.1-signed 531.5 KiB Works with Firefox 3.0.9 - 38.0, SeaMonkey 2.0 - 2.35

v 2.6.9.10
=============================================================
x Fixed regression: permanently allow a web site erasing
temporary whitelist items (thanks smersh for reporting)
x Fixed private windows detection for UI adaptation broken in
SeaMonkey (thanks barbaz for reporting)
x Made the Permanent "allow" commands in private windows'
checkbox look and behave like the other options in the
"Appearance" tab, i.e. controlling the visibility of the
menu item by the same name

Version 2.6.9.9.1-signed 531.5 KiB Works with Firefox 3.0.9 - 38.0, SeaMonkey 2.0 - 2.35

v 2.6.9.9
=============================================================
x Updated GPL.txt and NoScript_License.txt with current FSF
information (thanks Thomas Spura for reporting)
x Fixed regression causing "Revoke temporary permissions"
gitches (thanks barbaz for reporting)
x Moved the Permanent "allow" commands in private windows'
menu toggle next to the 'Options' command

Version 2.6.9.8.1-signed 531.5 KiB Works with Firefox 3.0.9 - 38.0, SeaMonkey 2.0 - 2.35

v 2.6.9.8
=============================================================
+ 'Permanent "allow" commands in private windows' preference
in NoScript Options|Appearance (inverse of
noscript.volatilePrivatePermissions)
+ 'Permanent "allow" commands in private windows' toggle
in NoScript menu while in Private Browsing mode, controlled
by noscript.showVolatilePrivatePermissionsToggle
x Fixed regression in Cascade Permissions mode (thanks Kitty
Box for reporting)
+ Fixed whitelisting regression on Gecko 25 and below (e.g.
Palemoon)
+ Actually prevent temporary whitelist items from being saved
in prefs (thanks to Mike Perry)

Version 2.6.9.7.1-signed 531.2 KiB Works with Firefox 3.0.9 - 37.0, SeaMonkey 2.0 - 2.34

v 2.6.9.7
=============================================================
x Fixed inconsistencies in the globalHttpsWhitelist option
implementation (thanks Mike Perry for reporting)
+ Volatile temporary whitelist, never gets saved to disk
(thanks to Tor Project for sponsorship)
+ Never show permanent whitelist modifying commands when in
private mode, unless the noscript.volatilePrivatePermissions
preference is false (thanks to Tor Project for sponsorship)
+ noscript.allowWhitelistUpdate preference to control whether
NoScript should be able to tweak the whitelist on version
updates when the 3rd party requirements for an already
whitelisted website change (thanks Thencent for RFE)

Version 2.6.9.6.1-signed 530.9 KiB Works with Firefox 3.0.9 - 37.0, SeaMonkey 2.0 - 2.34

v 2.6.9.6
=============================================================
+ Built-in force HTTPS list, seeded with www.youtube.com
x Work-around for bogus Youtube embedded frame activation
patterns (thanks al_9x for reporting)
x Fixed bookmarklet execution regression in older Firefox
versions (thanks 5keeve for reporting)
x Fixed subdocuments of a [System Principal] page not being
allowed when they should in cascade permission modes (
thanks hjkl for reporting)

Version 2.6.9.5.1-signed 530.6 KiB Works with Firefox 3.0.9 - 37.0, SeaMonkey 2.0 - 2.34

v 2.6.9.5
=============================================================
x Fixed memory leak when a top-level browser window is closed
(thanks cks for reporting)
x [XSS] compatibility tweak for swisspost.ch
x Miscellaneous HTTPS URLs lockdown
+ Support for full-encrypted https://noscript.net
x Updated Twitter surrogate (thanks ozjuggler and barbaz)
x Work-around for thumbnail generation protection being
broken by some add-ons
x Fully disable background processed thumbnail generation
unless noscript.bgThumbs.allowed about:config preference
is set to true
x Control JavaScript enabled in background thumbail
generation through the noscript.bgThumbs.disableJS
about:config preference
+ Forcing remote browsers used for thumbnail generation to
disable JavaScript (thanks vpoint for reporting)
+ [Surrogate] Invodo dummy replacement (thanks barbaz)

Version 2.6.9.4.1-signed 530.2 KiB Works with Firefox 3.0.9 - 37.0, SeaMonkey 2.0 - 2.34

v 2.6.9.4
=============================================================
+ Added vimeocdn.com as a vimeo.com dependency if already
whitelisted
+ [Surrogate] Enabling imgserve.com age verification button
even if JavaScript is disabled
x Fixed IP6 to IP4 mapping bug (thanks stack / inventati)

Version 2.6.9.3.1-signed 530.2 KiB Works with Firefox 3.0.9 - 36.0, SeaMonkey 2.0 - 2.33

v 2.6.9.3
=============================================================
x More accurate referrer checks for some edge cases (thanks
AlbertMTom for reporting)
x [ABE] More restrictive local IP checks (thanks AlbertMTom
for reporting)
+ More permissive AddressMatcher IP parser
+ [XSS] Improved sensitivity (thanks Masato Kinugawa)

Version 2.6.9.2.1-signed 530.0 KiB Works with Firefox 3.0.9 - 36.0, SeaMonkey 2.0 - 2.33

v 2.6.9.2
=============================================================
+ [XSS] Improved sensitivity (thanks Masato Kinugawa)

Version 2.6.9.1.1-signed 530.0 KiB Works with Firefox 3.0.9 - 36.0, SeaMonkey 2.0 - 2.32

v 2.6.9.1
=============================================================
+ [XSS] focus-based exfiltration protection (thanks Masato
Kinugawa for reporting)
x [XSS] Fixed false positive in risky operators detection
(thanks Roman Vock for reporting)

Version 2.6.9.1-signed 529.9 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.9
=============================================================
+ [XSS] Improved location-based exfiltration protection
(thanks Masato Kinugawa for reporting)
+ [Surrogate] login.person.org inclusion (thanks barbaz)
x [XSS] Fixed 2.6.8.43 regressions
x [XSS] Improved specificity for eval-like patterns
+ Switched to a treeview for faster management of very long
whitelists (thanks barbaz for patch)
x Tentative work-around for potential performance problems
reportedly related to Australis support

v 2.6.9rc4
=============================================================
+ [XSS] Fixed bug in location-based exfiltration protection
(thanks Masato Kinugawa for reporting)

v 2.6.9rc3
=============================================================
+ [XSS] Improved location-based exfiltration protection
(thanks Masato Kinugawa for reporting)

v 2.6.9rc2
=============================================================
+ [Surrogate] login.person.org inclusion (thanks barbaz)
x [XSS] Fixed 2.6.8.43 regressions
x [XSS] Improved specificity for eval-like patterns

v 2.6.9rc1
=============================================================
+ Switched to a treeview for faster management of very long
whitelists (thanks barbaz for patch)
x Tentative work-around for potential performance problems
reportedly related to Australis support
x [XSS] Fixed 2.6.8.43 regressions

Version 2.6.8.43.1-signed 528.4 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.8.43
=============================================================
x [XSS] Protection against some exfiltration attacks based on
arithmetic operators (thanks Masato Kinugawa and File
Descriptor AKA XSS Jigsaw for reporting)

Version 2.6.8.42.1-signed 528.3 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.8.42rc3
=============================================================
+ User-facing "Reload the current tab only" option
x Fixed subtle bug in ScriptSurrogate.replaceScript()
x Fixed HTTPS and cascading permission policies not applying
to XHR and XBL checks
x [XSS] Fixed ES6-based bypasses (thanks Masato Kinugava for
reporting)
+ [XSS] window.name exfiltration protection (thanks Masato
Kinugava for reporting)
x Fixed script sources enumeration breakage in Firefox 35
(Moz Bug 1068508, thanks Octoploid for reporting)

v 2.6.8.42rc3
=============================================================
+ User-facing "Reload the current tab only" option
x [XSS] Improved window.name exfiltration protection
(thanks Masato Kinugava for reporting)

v 2.6.8.42rc2
=============================================================
x Fixed subtle bug in ScriptSurrogate.replaceScript()
x Fixed HTTPS and cascading permission policies not applying
to XHR and XBL checks
x [XSS] Fixed ES6-based bypasses (thanks Masato Kinugava for
reporting)
+ [XSS] window.name exfiltration protection (thanks Masato
Kinugava for reporting)

v 2.6.8.42rc1
=============================================================
x Fixed script sources enumeration breakage in Firefox 35
(Moz Bug 1068508, thanks Octoploid for reporting)

Version 2.6.8.41.1-signed 527.7 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.8.41
=============================================================
x Improved Australis toolbar compatibility (thanks Quicksaver
for help)
x Added "Always ask" checkbox to the removal confirmation
dialog (thanks agaxwtmp for RFE)
x Fixed Options dialog broken on ancient Firefox versions
x [XSS] Fixed false positive within *.adxns.com

Version 2.6.8.40.1-signed 529.0 KiB Works with Firefox 4.0 - 35.0, SeaMonkey 2.12 - 2.32

v 2.6.8.40
=========================================================================
x Fixed regression causing script inclusions with non-standard ports to
be always blocked
x [ABE] Improved ruleset editing UI (thanks barbaz for patch)

Version 2.6.8.39.1-signed 527.2 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.8.39
=========================================================================
x [Surrogate] Removed DARLA surrogate and reimplemented its work-around
as a XSS filter exception
x [Bookmarklets] Fixed bookmarklets broken when JavaScript is enabled
(thanks therube for reporting)
x [Surrogate] Work-around for DARLA surrogate breaking Yahoo! Mail

Version 2.6.8.38.1-signed 527.1 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.8.38
=========================================================================
x Fixed regression preventing Youtube movies from playing
x Completed work-around for Firefox's Bug 1044351
x [Surrogate] Improved Yahoo! DARLA source matching

Version 2.6.8.37.1-signed 527.0 KiB Works with Firefox 3.0.9 - 35.0, SeaMonkey 2.0 - 2.32

v 2.6.8.37
=========================================================================
x Made the new additional script blocking policies more consistent with
other features (e.g. the XSS filter)
x NoScript's toolbar button is now friendlier to other Australis-enabled
add-ons
x Work-around for Firefox's Bug 1044351 (thanks al_9x for RFE)
x [XSS] Support for new insidious ES6 constructs introduced in Firefox 34
(thanks .mario for reporting)
x [HTTPS] Experimental "Allow HTTPS scripts globally on HTTPS documents"
mode
x [Surrogate] Yahoo! "DARLA" ads loader post-execution surrogate prevents
the browser from stalling due to the many window.name-based XSSes
intentionally used by this ads delivery script

Version 2.6.8.36.1-signed 526.0 KiB Works with Firefox 3.0.9 - 34.0, SeaMonkey 2.0 - 2.31

v 2.6.8.36
=========================================================================
x [Surrogate] Updated adf.ly replacement (thanks kasper93 for coding)
x [Surrogate] Updated connect.facebook.net replacement
x Fixed bookmarklet emulation compatibility issue breaking some add-ons
which rely on the new getShortcutOrURIAndPostData() function signature
x Fixed regression causing preventing the Blocked Objects list from being
manually reset

Version 2.6.8.35.1-signed 526.0 KiB Works with Firefox 3.0.9 - 34.0, SeaMonkey 2.0 - 2.31

v 2.6.8.35
=========================================================================
x Improved compatibility with browser built-in Click To Play
+ Recently blocked sites are now recorded per-window (causing automatic
oblivion of data from Private Browsing windows when they're closed)
+ Recently blocked sites are not collected at all unless the menu item
is configured to be shown (thanks Barbaz for RFE and patch)

Version 2.6.8.33.1-signed 525.8 KiB Works with Firefox 3.0.9 - 34.0, SeaMonkey 2.0 - 2.31

v 2.6.8.33
=========================================================================
x Fixed regression in smart reloading of just allowed HTML Media elements
(thanks barbaz for reporting)

v 2.6.8.32rc3
=========================================================================
x Fixed regression: NOSCRIPT element not shown on non-whitelisted pages
(thanks Germán Ponte and Michael Kehrein for reporting)

v 2.6.8.32rc2
=========================================================================
x Replaced Ci.nsIDOMHTML(Video|Audio)Element (about to be removed) with
window.(Video|Audio)Element counterparts (see Moz Bug 1034304)

v 2.6.8.32rc1
=========================================================================
x Fixed jammed icon on the navigation bar when "left clicking on toolbar
icon toggles..." option is checked (thanks Larry for reporting)

Version 2.6.8.31.1-signed 525.8 KiB Works with Firefox 3.0.9 - 34.0, SeaMonkey 2.0 - 2.31a2

v 2.6.8.31
=========================================================================
x Updated HTML5 and Gecko-specific markup elements list
x Fixed "too much recursion" book in bookmarklet emulation when executing
window.open(..., "_self") (thanks al_9x)
x Improved icons consistence with cascading permissions
x Fixed 2.6.8.30rc1 regression: broken local file loads
x Make "[Temporarily] Allow all this page" affect only the top-level
document's origin when cascading permissions mode is enabled
x [Surrogate] Fixed regression about a small change in sandbox principal
management breaking some surrogates, including Google Analytics
x [CAPS] better compatibility with Firefox 30's restored checkloaduri
prefs hack
+ UI support for cascadePermissions and restrictSubdocScripting
+ "NoScript Options|Advanced|Trusted|Cascade top document's permissions
to 3rd party scripts" user-facing preference
+ "NoScript Options|Advanced|Untrusted|Block scripting in whitelisted
subdocuments of non-whitelisted pages" user-facing preference
+ Backported cascadePermissions and restrictSubdocScripting support to
ESR 24

Version 2.6.8.29.1-signed 504.0 KiB Works with Firefox 3.0.9 - 33.0, SeaMonkey 2.0 - 2.30

v 2.6.8.29
=========================================================================
x [Surrogate] googletagservices.com replacement (thanks Guest and barbaz)
x Fixed bookmarklet emulation "Object.getPrototypeOf(...).open is
undefined" failure on Nightly (thanks Ria and barbaz for reporting)

Version 2.6.8.28.1-signed 521.1 KiB Works with Firefox 3.0.9 - 33.0, SeaMonkey 2.0 - 2.30

v 2.6.8.28
=========================================================================
x Fixed bookmarklet execution on non-whitelisted page causing scripts
to be globally allowed (thanks barbaz and therube for reporting)

Version 2.6.8.27.1-signed 520.9 KiB Works with Firefox 3.0.9 - 33.0, SeaMonkey 2.0 - 2.30

v 2.6.8.27
=========================================================================
x Work-around for bug 1005552 (backport to ESR)
+ [Surrogate] External script surrogates are now triggered whenever a
matching script fails to load, no matter the reason, e.g. NoScript
permissions, ABE, ABP or RequestPolicy (thanks bonanza for RFE)
x [XSS] Worked around OpenID-related false positive (thanks Gunnar for
reporting)
x [XSS] Better work around for false positive in gmx.com new webmail,
designed to work across all its implementations

Version 2.6.8.26.1-signed 520.8 KiB Works with Firefox 3.0.9 - 33.0, SeaMonkey 2.0 - 2.30

v 2.6.8.26
=========================================================================
x [XSS] gmx.com false positive work-around extended to international
domains (thanks dood_97 for reporting)
x [XSS] gmx.com false positive work-around extended to mail.com (thanks
boris for reporting)
+ noscript.cascadePermissions preliminary backend implementation
+ noscript.restrictSubdocScripting preliminary backend implementation

Version 2.6.8.25.1-signed 520.8 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.25
=========================================================================
x [ABE] Fixed inability to discriminate loads inititated from the URL bar
on latest Nightlies (thanks Soothsayer for reporting)
x [XSS] Fixed false positive on new gmx.com login (thanks Luigi and LeeB
for reporting)
x [Surrogate] Fixed new google-analytics.com surrogate causing Google
Spreadsheet's columns not to be resizable (thanks bobbybrown for
reporting)

Version 2.6.8.24.1-signed 520.6 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.24
=========================================================================
+ Synthetic load events are sent and error events are suppressed for
blocked script elements, in order to work around strict script
inclusion enforcers. This feature is triggered by default only by
Require.js module imports, but can be fully configured by
noscript.fakeScriptLoadEvents.* about:config preferences:
* .enabled: switches this feature on/off
* .onlyRequireJS: if true (default) applies the feature only to script
inclusions initiated by Require.js
* .exceptions: AddressMatcher pattern matching the source URLs of
script elements which should not cause fake load events when blocked
* .docExceptions: AddressMatcher pattern matching the URLs of documents
where no fake load event must be raised
x Improved toStaticHTML() implementation (thanks .mario for reporting)
x Removed useless ICC profiles from some icons (thanks taffit for RFE)
x [Surrogate] Improved google-analytics.com (ga) surrogate
x [XSS] Fixed characters redundancy reduction bug (thanks Masato Kinugawa
for reporting)
x [XSS] Fixed typo in the new regular expression literals stripping
routine implementation (thanks Masato Kinugawa for reporting)
x [XSS] Fixed subtle bug in regular expression literals stripping
optimization, potentially causing false negatives in edge cases (thanks
Masato Kinugawa for reporting)
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed

Version 2.6.8.23.1-signed 525.5 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.23
=========================================================================
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed

v 2.6.8.22
=========================================================================
x Better algorithm for menu items ordering

Version 2.6.8.22.1-signed 525.7 KiB Works with Firefox 3.0.9 - 32.0, SeaMonkey 2.0 - 2.29

v 2.6.8.22
=========================================================================
x Better algorithm for menu items ordering