NoScript Security Suite Version History

595 versions

Be careful with old versions!

These versions are displayed for reference and testing purposes. You should always use the latest version of an add-on.

Version 2.5.1rc2 514.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.1rc2
=========================================================================
+ Holding the left mouse button down on a page element and hitting the
DEL key will remove it (useful to forcibly kill in-page popups when
scripts are disabled)
x Fixed Acid3 test scoring 99 instead of 100 because of a Cursorjacking
protection implementation detail
- Disabled LiveConnect interception on Gecko 16 or better, since Java
globals have been removed from the DOM
x [XSS] Work-around for Mozilla TBPL DOS (thanks Daniel Holbert for
reporting)
x Fixed Silverlight and Flash scripted initialization patches being
broken by recent JavaScript interpreter changes

Version 2.5.1rc1 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5.1rc1
=========================================================================
x Work-around for hp-ww.com misconfiguration (JavaScript files served
with bogus content-type header)

Version 2.5rc6 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5rc6
=========================================================================
+ [XSS] Further reduction in false positives triggered by XML payloads

v 2.5rc5
=========================================================================
x Further hack to remove the height attribute automatically set on the
notification stack by browser tools (thanks therube for reporting)

v 2.5rc4
=========================================================================
x Hack to automatically restore the notification bar position as the last
of its sibling DOM nodes, as a better work-around for browser tools
messing with its height
- Removed ineffective CSS-based work-around for the browser tools
splitter messing with NoScript notification's height

v 2.5rc3
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)

v 2.5rc2
=========================================================================
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)

v 2.5rc1
=========================================================================
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.5rc5 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5rc5
=========================================================================
x Further hack to remove the height attribute automatically set on the
notification stack by browser tools (thanks therube for reporting)

v 2.5rc4
=========================================================================
x Hack to automatically restore the notification bar position as the last
of its sibling DOM nodes, as a better work-around for browser tools
messing with its height
- Removed ineffective CSS-based work-around for the browser tools
splitter messing with NoScript notification's height

v 2.5rc3
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)

v 2.5rc2
=========================================================================
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)

v 2.5rc1
=========================================================================
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.5rc4 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5rc4
=========================================================================
+ Hack to automatically restore the notification bar position as the last
of its sibling DOM nodes, as a better work-around for browser tools
messing with its height
- Removed ineffective CSS-based work-around for the browser tools
splitter messing with NoScript notification's height

v 2.5rc3
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)

v 2.5rc2
=========================================================================
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)

v 2.5rc1
=========================================================================
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.5rc3 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.5rc3
=========================================================================
+ [XSS] Improved XML handling algorithm preserves E4X detection accuracy
while removing false positives, e.g. against OAUTH payloads
x [XSS] Added exception for self-injecting yahoo.com/yimg.com frames (can
be disabled by setting the noscript.filterXExceptions.yahoo
about:config preference to false)

v 2.5rc2
=========================================================================
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)

v 2.5rc1
=========================================================================
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.5rc2 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

2.5rc2
=========================================================================
x Work-around for additional browser tools placed on the bottom of the
content messing with NoScript's notification height (thanks ochristi
for report)
x Fixed placeholders for absolutely positioned elements may cause layout
glitches (thanks al_9x for reporting)

2.5rc1
=========================================================================
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.5rc1 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

2.5rc1
=========================================================================
x Fixed interaction with built-in Firefox's click-to-play causing
infinite object activation loop (thanks al_9x for reporting)

Version 2.4.9rc2 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.9rc2
=========================================================================
+ Added ability to replace obsolete default whitelist entries
x Replaced browserid.org with persona.org in the default whitelist
x Improved anti-DOS protection
x Better usability with some HTML5 Youtube videos (thanks Mike Perry
for reporting)
x Reverted to the ctrl+shift+S main keyboard shortcut
x [XSS] Fixed XML preprocessing breaking detection of some E4X
constructs (thanks Pepe Vila for reporting)

v 2.4.9rc1
=========================================================================
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
Ashar Javed for reporting, original disclosure by Keith Makan)

Version 2.4.9rc1 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.9rc1
=========================================================================
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
Ashar Javed for reporting, original disclosure by Keith Makan)

Version 2.4.8rc3 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.8rc3
=========================================================================
x Work-around for Mozilla bug 771655 (broken debugger)
x Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is
taken by the debugger

v 2.4.8rc2
=========================================================================
x Fixed regression from 2.4.8rc1: new URL unwrapping code causing a XSS
filter bypass (thanks Masato Kinugawa for report)

v 2.4.8rc1
=========================================================================
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
handle generic XML documents

Version 2.4.8rc2 513.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.8rc2
=========================================================================
x Fixed regression from 2.4.8rc1: new URL unwrapping code causing a XSS
filter bypass (thanks Masato Kinugawa for report)

v 2.4.8rc1
=========================================================================
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element

Version 2.4.8rc1 512.0 KiB Works with Firefox 3.0.9 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.8rc1
=========================================================================
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
handle generic XML documents

Version 2.4.7rc3 513.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.7rc3
=========================================================================
x [ClearClick] Fixed regression: caret cursor not shown on text content
(thanks Fanolian for reporting)

v 2.4.7rc2
=========================================================================
x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
report)

v 2.4.7rc1
=========================================================================
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)

Version 2.4.7rc2 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.7rc2
=========================================================================
x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
report)

v 2.4.7rc1
=========================================================================
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)

Version 2.4.7rc1 513.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.7rc1
=========================================================================
x [XSS] Fixed false positive with some Base64-encoded Yahoo News
subrequests
x Fixed regression, noscript.allowedMimeRegExp not working anymore for
plugins other than Java, Flash and Silverlight
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)

Version 2.4.6rc1 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.6rc1
=========================================================================
x [XSS] Updated execution sink checks (thanks Masato Kinugawa for report)
x [XSS] Fixed newline parsing bug (thanks Masato Kinugawa for report)
x [XSS] Fixed document.cookie minimal assignment false negative (thanks
Masato Kinugawa for report)
x [XSS] Fixed dotted query parameter names false positives, affecting
OpenID, Hotmail and other services (thanks Gavin H for report)
x Fixed some messages being dumped to the console even if logging is
turned off (thanks marbler for report)

Version 2.4.5rc7 513.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5rc7
=========================================================================
+ [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
x [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
Dalili and Ahamed Nafeez for reporting)

v 2.4.5rc6
=========================================================================
x [XSS] Improved unconventional assignments detection (thanks Masato
Kinugawa for report)

v 2.4.5rc5
=========================================================================
x [XSS] Work-around for Gecko ignoring spaces inside data: URIs (thanks
Masato Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
v 2.4.5rc4
=========================================================================
x [XSS] Further "Maybe JS" heuristic refinement (thanks Masato Kinugawa
for report)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)

v 2.4.5rc3
=========================================================================
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)

v 2.4.5rc2
=========================================================================
+ [XSS] Improved E4X compatibility (thanks Masato Kinugawa for report)

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.5rc6 513.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

2.4.5rc6
=========================================================================
x [XSS] Improved unconventional assignments detection (thanks Masato
Kinugawa for report)

v 2.4.5rc5
=========================================================================
x [XSS] Work-around for Gecko ignoring spaces inside data: URIs (thanks
Masato Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
v 2.4.5rc4
=========================================================================
x [XSS] Further "Maybe JS" heuristic refinement (thanks Masato Kinugawa
for report)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)

v 2.4.5rc3
=========================================================================
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)

v 2.4.5rc2
=========================================================================
+ [XSS] Improved E4X compatibility (thanks Masato Kinugawa for report)

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.5rc5 513.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5rc5
=========================================================================
x [XSS] Work-around for Gecko ignoring spaces inside data: URIs (thanks
Masato Kinugawa for report)
x [Locale] Corrected he-IL merge (thanks baryoni)
v 2.4.5rc4
=========================================================================
x [XSS] Further "Maybe JS" heuristic refinement (thanks Masato Kinugawa
for report)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)

v 2.4.5rc3
=========================================================================
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)

v 2.4.5rc2
=========================================================================
+ [XSS] Improved E4X compatibility (thanks Masato Kinugawa for report)

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.5rc4 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5rc4
=========================================================================
x [XSS] Further "Maybe JS" heuristic refinement (thanks Masato Kinugawa
for report)
x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)

v 2.4.5rc3
=========================================================================
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)

v 2.4.5rc2
=========================================================================
+ [XSS] Improved E4X compatibility (thanks Masato Kinugawa for report)

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.5rc3 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5rc3
=========================================================================
+ [XSS] More regular expression objects caching as a speed optimization
- [XSS] Removed optimization shortcut causing false negatives on some
kind of concatenated assignments (thanks Masato Kinugawa for report)

v 2.4.5rc2
=========================================================================
+ [XSS] Improved E4X compatibility (thanks Masato Kinugawa for report)

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.5rc2 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5rc2
=========================================================================
+ [XSS] Improved E4X compatibility (thanks Masato Kinugawa for report)

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.5rc1 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.5rc1
=========================================================================
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)

Version 2.4.4rc2 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.4rc2
=========================================================================
x [Locale] Updated he-IL (thanks baryoni)
x Fixed early synthetic DNS notification causing blank stripe on the
bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code

v 2.4.4rc1
=========================================================================
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)

Version 2.4.4rc1 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.4rc1
=========================================================================
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)

Version 2.4.3rc3 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.3rc3
=========================================================================
x Fixed JS links detection not resolving JS string escapes (thanks vyznev
for reporting)
x Fixed HTML 5 parser detection in META refresh processing being broken
by a removed browser preference
x Fixed exception raised by inclusion type checks when parent document's
URI has no host

v 2.4.3rc2
=========================================================================
+ [XSS] Better detection of free inline script injections (without string
literal evasion) inside function calls

v 2.4.3rc1
=========================================================================
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Version 2.4.3rc2 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.3rc2
=========================================================================
+ [XSS] Better detection of free inline script injections (without string
literal evasion) inside function calls

v 2.4.3rc1
=========================================================================
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Version 2.4.3rc1 512.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.3rc1
=========================================================================
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Version 2.4.2rc7 511.0 KiB Works with Firefox 3.0 and later, Mobile 1.0 - 2.0a1pre, SeaMonkey 2.0 and later

v 2.4.2rc7
=========================================================================
x [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
to the LAN anymore for the purpose of cross-zone request forgery checks
in order to safely work-around DNS misconfiguration issues in the wild
(thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
because of redirection loops

v 2.4.2rc6
==========================================================================
x [XSS] Fixed query string parsing bug in the new ASP-specific HPP
protection (thanks Soroush Dalili for reporting)

v 2.4.2rc5
==========================================================================
x [XSS] Fixed recursion bug preventing ASP-specific unicode encodings from
being correctly handled in presence of simultaneous HPP (thanks Soroush
Dalili for reporting)

v 2.4.2rc4
==========================================================================
x [XSS] Fixed regression blocking any suspect HPP attack silently (thanks
Soroush Dalili for reporting)

v 2.4.2rc3
==========================================================================
x [XSS] Protection against HPP attacks exploiting URL parsing quirks
specific to ASP Classic (thanks Soroush Dalili for reporting)

v 2.4.2rc2
==========================================================================
x Fixed first application updates check failing on Nightly (bug 754393)

v 2.4.2rc1
==========================================================================
x [XSS] Fixed false positive regression on some file hosting sites (thanks
Janne Maekelae for reporting)

v 2.4.1rc3
==========================================================================
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
repository, often used as a CDN

v 2.4.1rc2
==========================================================================
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
therube for reporting)

v 2.4.1rc1
==========================================================================
+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
same-name query parameters (thanks Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
sequences (thanks Masato Kinugawa for reporting)