[Pkg-mozext-commits] [noscript] 04/05: Refresh upstream changelog
David Prévot
taffit at moszumanska.debian.org
Sat May 23 01:09:36 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository noscript.
commit 72e1d5afc2f5cac3a26fac4eacf257a8a9c0e799
Author: David Prévot <david at tilapin.org>
Date: Fri May 22 19:23:50 2015 -0400
Refresh upstream changelog
---
debian/upstream-changelog | 787 ++++++++++++++++++++++++----------------------
1 file changed, 406 insertions(+), 381 deletions(-)
diff --git a/debian/upstream-changelog b/debian/upstream-changelog
index ba010fd..858e229 100644
--- a/debian/upstream-changelog
+++ b/debian/upstream-changelog
@@ -1,5 +1,30 @@
[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change
+v 2.6.9.23
+=============================================================
+x Work-around for moz-bug 1167371
+x Fixed fatal regression on Firefox 34 and below
+x Improved backward compatibility
+x Work-around for anonymized plugin subrequests being vetoed
+ by channel event sink
+x Fixed backward compatibility PopupBoxObject shim
+x [E10s] Fixed cascading permissions broken when checks are
+ performed cross-process
+x [Surrogate] Removed deprecated "for each" constructs from
+ replacements
+x [L10n] Updated ru-RU (thanks negodnik)
+x Tentative fix for Bug 1153256 (thanks Dragana Damjanovic)
++ Added about:preferences to the mandatory whitelist
+- Removed legacy STS support
++ [Surrogate] 2mdn.net inclusion replacement (thanks barbaz)
++ [E10s] Restored inline JavaScript blocking
+
+v 2.6.9.23rc4
+=============================================================
+x Work-around for moz-bug 1167371
+x Fixed fatal regression on Firefox 34 and below
+x Improved backward compatibility
+
v 2.6.9.23rc3
=============================================================
x Work-around for anonymized plugin subrequests being vetoed
@@ -38,13 +63,13 @@ x [Surrogate] Updated googletagservices.com replacement
(thanks barbaz)
x Better compatibility with SDK-based add-ons using data:
URIs (thanks Mingyi Liu for report)
-
+
v 2.6.9.20rc2
=============================================================
x Improved "Recently blocked sites..." recording
x Fixed inconsistencies in data: URIs handling (thanks barbaz
for reporting)
-
+
v 2.6.9.20rc2
=============================================================
x Improved "Recently blocked sites..." recording
@@ -53,7 +78,7 @@ v 2.6.9.20rc1
=============================================================
x Fixed inconsistencies in data: URIs handling (thanks barbaz
for reporting)
-
+
v 2.6.9.19
=============================================================
+ [Surrogate] .gigya.com replacement provided by barbaz
@@ -67,14 +92,14 @@ v 2.6.9.19rc2
=============================================================
+ [Surrogate] .gigya.com replacement provided by barbaz
+ [Surrogate] js.stripe.com replacement provided by barbaz
-
+
v 2.6.9.19rc1
=============================================================
+ Improved usability of new Yahoo! video activation (thanks
Glenn for reporting)
+ Added googlevideo.com to the default whitelist because it's
now required to play Youtube movies (thanks barbaz for RFE)
-
+
v 2.6.9.18
=============================================================
x Fixed restrictSubdocScripts/globalHTTPSWhitelist
@@ -94,13 +119,13 @@ v 2.6.9.18rc2
=============================================================
x Fixed regression always disabling scripts whenever site's
host name is a IPv6 literal (thanks ipv6user for report)
-
+
v 2.6.9.18rc1
=============================================================
x Fixed menu automatic disappearance on mouse exit broken by
Firefox 36 changes (thanks randavis, cumdacon and barbaz
for report)
-
+
v 2.6.9.17
=============================================================
x Fixed cascadePermissions/globalHTTPSWhitelist interaction
@@ -112,12 +137,12 @@ x Fixed cascadePermissions being enforced also if the top
the top document is HTTPS (thanks Tor Project for report)
x [Surrogate] Update Google Analytics replacement (thanks
barbaz)
-
+
v 2.6.9.17rc2
=============================================================
x Fixed cascadePermissions/globalHTTPSWhitelist interaction
issue with IFRAMEs (thanks Tor Project for report)
-
+
v 2.6.9.17rc1
=============================================================
x Fixed cascadePermissions being enforced also if the top
@@ -127,7 +152,7 @@ x Fixed cascadePermissions being enforced also if the top
the top document is HTTPS (thanks Tor Project for report)
x [Surrogate] Update Google Analytics replacement (thanks
barbaz)
-
+
v 2.6.9.16
=============================================================
+ [Surrogate] Updated Gravatar surrogate (thanks barbaz)
@@ -141,7 +166,7 @@ v 2.6.9.15
=============================================================
+ Fixed regression in 2.6.9.12 causing data: URI documents
to be scripting-enabled (thanks GOF for tweet)
-
+
v 2.6.9.14
=============================================================
+ [Surrogate] OWASP legacy Javascript-based "antiClickjack"
@@ -149,7 +174,7 @@ v 2.6.9.14
scripting is disabled (thanks Thrawn)
+ Restored noscript.forbidXHR functionality trying to make it
more web-compatible (thanks barbaz for RFE)
-
+
v 2.6.9.14rc2
=============================================================
+ [Surrogate] OWASP legacy Javascript-based "antiClickjack"
@@ -160,7 +185,7 @@ v 2.6.9.14rc1
=============================================================
+ Restored noscript.forbidXHR functionality trying to make it
more web-compatible (thanks barbaz for RFE)
-
+
v 2.6.9.13
=============================================================
x [XSS] Fixed bugs in comment stripping optimization (thanks
@@ -170,12 +195,12 @@ x [XSS] Better protection against some ES6 attacks (thanks
- Removed support for XMLHttpRequest blocking
(noscript.forbidXHR preference). The same functionality,
if really needed, can still be achieved through ABE anyway.
-
+
v 2.6.9.13rc3
=============================================================
x [XSS] Fixed regression in stripping optimizations (thanks
Masato Kinugawa for reporting)
-
+
v 2.6.9.13rc2
=============================================================
x [XSS] Fixed bug in comment stripping optimization (thanks
@@ -188,19 +213,19 @@ x [XSS] Better protection against some ES6 attacks (thanks
- Removed support for XMLHttpRequest blocking
(noscript.forbidXHR preference). The same functionality,
if really needed, can still be achieved through ABE anyway.
-
+
v 2.6.9.12
=============================================================
x Fixed origin checking bug causing sandboxed IFRAMEs to have
scripting always disabled (thanks Ellad Tadmor for report)
-
+
v 2.6.9.11
=============================================================
x [Surrogate] microsoftSupport surrogate to force the content
to be shown if scripts are disabled (thanks thunderscript)
x Check private browsing against chrome rather than content
windows (prevents annoying warning console messages)
-
+
v 2.6.9.10
=============================================================
x Fixed regression: permanently allow a web site erasing
@@ -211,12 +236,12 @@ x Made the Permanent "allow" commands in private windows'
checkbox look and behave like the other options in the
"Appearance" tab, i.e. controlling the visibility of the
menu item by the same name
-
+
v 2.6.9.10rc2
=============================================================
x Fixed regression: permanently allow a web site erasing
temporary whitelist items (thanks smersh for reporting)
-
+
v 2.6.9.10rc1
=============================================================
x Fixed private windows detection for UI adaptation broken in
@@ -225,7 +250,7 @@ x Made the Permanent "allow" commands in private windows'
checkbox look and behave like the other options in the
"Appearance" tab, i.e. controlling the visibility of the
menu item by the same name
-
+
v 2.6.9.9
=============================================================
x Updated GPL.txt and NoScript_License.txt with current FSF
@@ -234,7 +259,7 @@ x Fixed regression causing "Revoke temporary permissions"
gitches (thanks barbaz for reporting)
x Moved the Permanent "allow" commands in private windows'
menu toggle next to the 'Options' command
-
+
v 2.6.9.8
=============================================================
+ 'Permanent "allow" commands in private windows' preference
@@ -249,7 +274,7 @@ x Fixed regression in Cascade Permissions mode (thanks Kitty
Palemoon)
+ Actually prevent temporary whitelist items from being saved
in prefs (thanks to Mike Perry)
-
+
v 2.6.9.8rc3
=============================================================
+ 'Permanent "allow" commands in private windows' preference
@@ -265,12 +290,12 @@ v 2.6.9.8rc2
=============================================================
+ Fixed whitelisting regression on Gecko 25 and below (e.g.
Palemoon)
-
+
v 2.6.9.8rc1
=============================================================
+ Actually prevent temporary whitelist items from being saved
in prefs (thanks to Mike Perry)
-
+
v 2.6.9.7
=============================================================
x Fixed inconsistencies in the globalHttpsWhitelist option
@@ -312,24 +337,24 @@ x Fixed bookmarklet execution regression in older Firefox
x Fixed subdocuments of a [System Principal] page not being
allowed when they should in cascade permission modes (
thanks hjkl for reporting)
-
+
v 2.6.9.6rc3
=============================================================
+ Built-in force HTTPS list, seeded with www.youtube.com
x Work-around for bogus Youtube embedded frame activation
patterns (thanks al_9x for reporting)
-
+
v 2.6.9.6rc2
=============================================================
x Fixed bookmarklet execution regression in older Firefox
versions (thanks 5keeve for reporting)
-
+
v 2.6.9.6rc1
=============================================================
x Fixed subdocuments of a [System Principal] page not being
allowed when they should in cascade permission modes (
thanks hjkl for reporting)
-
+
v 2.6.9.5
=============================================================
x Fixed memory leak when a top-level browser window is closed
@@ -399,7 +424,7 @@ x More accurate referrer checks for some edge cases (thanks
AlbertMTom for reporting)
x Fixed regression in LOCAL IP matching for 192.168.0.0/16
(thanks barbaz for reporting)
-
+
v 2.6.9.3rc2
=============================================================
x [ABE] More restrictive local IP checks (thanks AlbertMTom
@@ -413,14 +438,14 @@ v 2.6.9.3rc1
v 2.6.9.2
=============================================================
+ [XSS] Improved sensitivity (thanks Masato Kinugawa)
-
+
v 2.6.9.1
=============================================================
+ [XSS] focus-based exfiltration protection (thanks Masato
Kinugawa for reporting)
x [XSS] Fixed false positive in risky operators detection
(thanks Roman Vock for reporting)
-
+
v 2.6.9.1rc2
=============================================================
+ [XSS] Improved focus-based exfiltration protection
@@ -431,7 +456,7 @@ v 2.6.9.1rc1
Kinugawa for reporting)
x [XSS] Fixed false positive in risky operators detection
(thanks Roman Vock for reporting)
-
+
v 2.6.9
=============================================================
+ [XSS] Improved location-based exfiltration protection
@@ -443,7 +468,7 @@ x [XSS] Improved specificity for eval-like patterns
whitelists (thanks barbaz for patch)
x Tentative work-around for potential performance problems
reportedly related to Australis support
-
+
v 2.6.9rc4
=============================================================
+ [XSS] Fixed bug in location-based exfiltration protection
@@ -453,7 +478,7 @@ v 2.6.9rc3
=============================================================
+ [XSS] Improved location-based exfiltration protection
(thanks Masato Kinugawa for reporting)
-
+
v 2.6.9rc2
=============================================================
+ [Surrogate] login.person.org inclusion (thanks barbaz)
@@ -467,13 +492,13 @@ v 2.6.9rc1
x Tentative work-around for potential performance problems
reportedly related to Australis support
x [XSS] Fixed 2.6.8.43 regressions
-
+
v 2.6.8.43
=============================================================
x [XSS] Protection against some exfiltration attacks based on
arithmetic operators (thanks Masato Kinugawa and File
Descriptor AKA XSS Jigsaw for reporting)
-
+
v 2.6.8.42
=============================================================
+ User-facing "Reload the current tab only" option
@@ -521,7 +546,7 @@ v 2.6.8.41rc3
=============================================================
x Improved Australis toolbar compatibility (thanks Quicksaver
for help)
-
+
v 2.6.8.41rc2
=============================================================
x Added "Always ask" checkbox to the removal confirmation
@@ -597,7 +622,7 @@ x [HTTPS] Experimental "Allow HTTPS scripts globally on HTTPS documents"
x [Surrogate] Yahoo! "DARLA" ads loader post-execution surrogate prevents
the browser from stalling due to the many window.name-based XSSes
intentionally used by this ads delivery script
-
+
v 2.6.8.37rc3
=========================================================================
x Made the new additional script blocking policies more consistent with
@@ -612,13 +637,13 @@ x [XSS] Support for new insidious ES6 constructs introduced in Firefox 34
(thanks .mario for reporting)
x [HTTPS] Experimental "Allow HTTPS scripts globally on HTTPS documents"
mode
-
+
v 2.6.8.37rc1
=========================================================================
x [Surrogate] Yahoo! "DARLA" ads loader post-execution surrogate prevents
the browser from stalling due to the many window.name-based XSSes
intentionally used by this ads delivery script
-
+
v 2.6.8.36
=========================================================================
x [Surrogate] Updated adf.ly replacement (thanks kasper93 for coding)
@@ -627,18 +652,18 @@ x Fixed bookmarklet emulation compatibility issue breaking some add-ons
which rely on the new getShortcutOrURIAndPostData() function signature
x Fixed regression causing preventing the Blocked Objects list from being
manually reset
-
+
v 2.6.8.35
=========================================================================
-x Improved compatibility with browser built-in Click To Play
+x Improved compatibility with browser built-in Click To Play
+ Recently blocked sites are now recorded per-window (causing automatic
oblivion of data from Private Browsing windows when they're closed)
+ Recently blocked sites are not collected at all unless the menu item
is configured to be shown (thanks Barbaz for RFE and patch)
-
+
v 2.6.8.35rc2
=========================================================================
-x Improved compatibility with browser built-in Click To Play
+x Improved compatibility with browser built-in Click To Play
v 2.6.8.35rc1
=========================================================================
@@ -646,19 +671,19 @@ v 2.6.8.35rc1
oblivion of data from Private Browsing windows when they're closed)
+ Recently blocked sites are not collected at all unless the menu item
is configured to be shown (thanks Barbaz for RFE and patch)
-
+
v 2.6.8.34
=========================================================================
x Added "cdn.directvid.com/*.jsx" to inclusionTypeChecking.exceptions in
in order to let the directvid video player work
x Better compatibility with null principal origins created by the
Add-on SDK (thanks neilemon for reporting)
-
+
v 2.6.8.33
=========================================================================
x Fixed regression in smart reloading of just allowed HTML Media elements
(thanks barbaz for reporting)
-
+
v 2.6.8.32
=========================================================================
x Fixed regression: NOSCRIPT element not shown on non-whitelisted pages
@@ -667,7 +692,7 @@ x Replaced Ci.nsIDOMHTML(Video|Audio)Element (about to be removed) with
window.(Video|Audio)Element counterparts (see Moz Bug 1034304)
x Fixed jammed icon on the navigation bar when "left clicking on toolbar
icon toggles..." option is checked (thanks Larry for reporting)
-
+
v 2.6.8.32rc3
=========================================================================
x Fixed regression: NOSCRIPT element not shown on non-whitelisted pages
@@ -682,7 +707,7 @@ v 2.6.8.32rc1
=========================================================================
x Fixed jammed icon on the navigation bar when "left clicking on toolbar
icon toggles..." option is checked (thanks Larry for reporting)
-
+
v 2.6.8.31
=========================================================================
x Updated HTML5 and Gecko-specific markup elements list
@@ -703,7 +728,7 @@ x [CAPS] better compatibility with Firefox 30's restored checkloaduri
subdocuments of non-whitelisted pages" user-facing preference
+ Backported cascadePermissions and restrictSubdocScripting support to
ESR 24
-
+
v 2.6.8.30rc5
=========================================================================
x Updated HTML5 and Gecko-specific markup elements list
@@ -714,7 +739,7 @@ v 2.6.8.30rc4
=========================================================================
x Improved icons consistence with cascading permissions
x Fixed 2.6.8.30rc1 regression: broken local file loads
-
+
v 2.6.8.30rc3
=========================================================================
x Make "[Temporarily] Allow all this page" affect only the top-level
@@ -747,7 +772,7 @@ v 2.6.8.28
=========================================================================
x Fixed bookmarklet execution on non-whitelisted page causing scripts
to be globally allowed (thanks barbaz and therube for reporting)
-
+
v 2.6.8.27
=========================================================================
x Work-around for bug 1005552 (backport to ESR)
@@ -758,7 +783,7 @@ x [XSS] Worked around OpenID-related false positive (thanks Gunnar for
reporting)
x [XSS] Better work around for false positive in gmx.com new webmail,
designed to work across all its implementations
-
+
v 2.6.8.27rc3
=========================================================================
x [Surrogate] Better trigger timing
@@ -769,14 +794,14 @@ v 2.6.8.27rc2
+ [Surrogate] External script surrogates are now triggered whenever a
matching script fails to load, no matter the reason, e.g. NoScript
permissions, ABE, ABP or RequestPolicy (thanks bonanza for RFE)
-
+
v 2.6.8.27rc1
=========================================================================
x [XSS] Worked around OpenID-related false positive (thanks Gunnar for
reporting)
x [XSS] Better work around for false positive in gmx.com new webmail,
designed to work across all its implementations
-
+
v 2.6.8.26
=========================================================================
x [XSS] gmx.com false positive work-around extended to international
@@ -802,7 +827,7 @@ x [ABE] Fixed inability to discriminate loads inititated from the URL bar
on latest Nightlies (thanks Soothsayer for reporting)
x [XSS] Improved fix for false positive on new gmx.com login (thanks
Luigi and LeeB for reporting)
-
+
v 2.6.8.25rc1
=========================================================================
x [Surrogate] Fixed new google-analytics.com surrogate causing Google
@@ -810,7 +835,7 @@ x [Surrogate] Fixed new google-analytics.com surrogate causing Google
reporting)
x [XSS] Fixed false positive on new gmx.com login (thanks Luigi for
reporting)
-
+
v 2.6.8.24
=========================================================================
+ Synthetic load events are sent and error events are suppressed for
@@ -837,7 +862,7 @@ x [XSS] Fixed subtle bug in regular expression literals stripping
Masato Kinugawa for reporting)
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed
-
+
v 2.6.8.24rc5
=========================================================================
+ More flexible implementation of the fake script load events feature,
@@ -881,12 +906,12 @@ v 2.6.8.23rc1
=========================================================================
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed
-
+
v 2.6.8.23
=========================================================================
x Work-around for Firefox bug causing popup.hidePopup() to fail sometimes
and NoScript's on-hover menu needing a click to be closed
-
+
v 2.6.8.22
=========================================================================
x Better algorithm for menu items ordering
@@ -932,7 +957,7 @@ x [XSS] Removed OAuth-triggered false positive (thanks Gunnar Scherf for
reporting)
x [XSS] Stricter checks for HTTPS requests from a same domain origin with
different scheme (thanks LouiseRBaldwin for reporting)
-
+
v 2.6.8.20rc3
=========================================================================
x Partially restored "Allow local links" functionality (works for HTML
@@ -963,7 +988,7 @@ x [XSS] Removed OAuth-triggered false positive (thanks Gunnar Scherf for
reporting)
x [XSS] Stricter checks for HTTPS requests from a same domain origin with
different scheme (thanks LouiseRBaldwin for reporting)
-
+
v 2.6.8.19
=========================================================================
x Fixed CAPS initialization broken in Gecko 27 and below
@@ -995,13 +1020,13 @@ v 2.6.8.18rc1
=========================================================================
x Fixed XSLT blocking broken by recent Gecko changes (thanks Xenos for
reporting)
-
+
v 2.6.8.17
=========================================================================
x CSS tweak for Australis support (thanks Jared Wein)
x Fixed new bookmarklet execution module accidentally using X rays
wrappers and therefore failing to interact with expando variables
-
+
v 2.6.8.16
=========================================================================
x Closing a placeholder doesn't collapse its space anymore, unless the
@@ -1045,7 +1070,7 @@ x Fixed listeners and timers in sandboxed non-whitelisted scripts on
x Work-around for Firefox 27 and above preventing bookmarklets from
attaching event listeners on non-whitelisted pages (thanks porl for
reporting)
-
+
v 2.6.8.15rc6
=========================================================================
x [Surrogate] Fixed bug preventing local filesystem replacements
@@ -1079,18 +1104,18 @@ v 2.6.8.15rc1
x Work-around for Firefox 27 and above preventing bookmarklets from
attaching event listeners on non-whitelisted pages (thanks porl for
reporting)
-
+
v 2.6.8.14
=========================================================================
x Fixed bookmarklet execution disabling JavaScript on whitelisted pages
- (Firefox >= 29, thanks vsemozhetbyt for reporting mozbug 970445)
+ (Firefox >= 29, thanks vsemozhetbyt for reporting mozbug 970445)
x [ABE] Improved compatibility with .local domains (thanks func0der for
reporting)
-
+
v 2.6.8.14rc2
=========================================================================
x Fixed bookmarklet execution disabling JavaScript on whitelisted pages
- (Firefox >= 29, thanks vsemozhetbyt for reporting mozbug 970445)
+ (Firefox >= 29, thanks vsemozhetbyt for reporting mozbug 970445)
v 2.6.8.14rc1
=========================================================================
@@ -1134,7 +1159,7 @@ x Fixed one-time this.getSite() error on startup
x [Locale] Updated fr (thanks Jack Black)
x Fixed feed reader broken on non-whitelisted sites in non-stable Firefox
(thanks LouCypher for reporting)
-
+
v 2.6.8.12rc4
=========================================================================
x Improved work-around for
@@ -1156,7 +1181,7 @@ v 2.6.8.12rc1
=========================================================================
x Fixed feed reader broken on non-whitelisted sites in non-stable Firefox
(thanks LouCypher for reporting)
-
+
v 2.6.8.11
=========================================================================
x [XSS] Fixed nested URL parsing optimization bug (thanks Masato Kinugawa
@@ -1180,7 +1205,7 @@ x [XSS] Improved data URI checks (thanks Masato Kinugawa for reporting)
x [XSS] Enhanced recursive link checks (Thanks PK Cano for reporting)
x [XSS] Stricter HTML checks on second-order data URI injections exactly
fitting whole URL attributes (thanks Masato Kinugawa for reporting)
-
+
v 2.6.8.11rc10
=========================================================================
x [XSS] Fixed new inline script blocking approach (in Firefox Nightly)
@@ -1217,7 +1242,7 @@ v 2.6.8.11rc4
=========================================================================
x [XSS] Better checks for combined data/javascript URIs (thanks Masato
Kinugawa for reporting)
-
+
v 2.6.8.11rc3
=========================================================================
x [XSS] Restored fuzzy HTML sniffing in nested data URI (thanks Masato
@@ -1232,7 +1257,7 @@ v 2.6.8.11rc1
=========================================================================
x [XSS] Stricter HTML checks on second-order data URI injections exactly
fitting whole URL attributes (thanks Masato Kinugawa for reporting)
-
+
v 2.6.8.10
=========================================================================
x [XSS] Fixed regression causing Google Talk false positive (thanks
@@ -1315,7 +1340,7 @@ v 2.6.8.7rc1
=========================================================================
x Fixed noscript.allowedMimeRegExp ignoring the FONT pseudo-type (thanks
barbaz for reporting)
-
+
v 2.6.8.6
=========================================================================
x Fixed bugs in noscript.allowedMimeRegExp support (thanks barbaz for
@@ -1326,7 +1351,7 @@ x [Surrogate] Fixed bug in asynchronous Google Analytics API emulation
(thanks Lucas Malor for reporting)
x Fixed missing icon for blocked objects when no script is present in the
page and scrips are globally allowed
-
+
v 2.6.8.6rc2
=========================================================================
x Fixed bugs in noscript.allowedMimeRegExp support (thanks barbaz for
@@ -1340,7 +1365,7 @@ x [Surrogate] Fixed bug in asynchronous Google Analytics API emulation
(thanks Lucas Malor for reporting)
x Fixed missing icon for blocked objects when no script is present in the
page and scrips are globally allowed
-
+
v 2.6.8.5
=========================================================================
x [ClearClick] Fixed empty contentEditable elements cannot receive
@@ -1359,7 +1384,7 @@ x [XSS] Fixed false positive on redirected script inclusions (breaking
v 2.6.8.5rc1
=========================================================================
x [Surrogate] Better GA, GAPI, Twitter and Facebook compatibility
-
+
v 2.6.8.4
=========================================================================
x Fixed shortcut bookmarklet execution requiring noscript.allowURLBarJS
@@ -1370,7 +1395,7 @@ x [ClearClick] Fixed exception being thrown on Firefox 27 alpha (Nightly)
x Fixed URL bar enhancements broken by Firefox 25 beta
x Fixed SetVariable/GetVariable failing on dynamically created Flash
elements, e.g. with SFWObject (thanks longsleep for reporting)
-
+
v 2.6.8.4rc3
=========================================================================
x Fixed shortcut bookmarklet execution requiring noscript.allowURLBarJS
@@ -1387,7 +1412,7 @@ v 2.6.8.4rc1
=========================================================================
x Fixed SetVariable/GetVariable failing on dynamically created Flash
elements, e.g. with SFWObject (thanks longsleep for reporting)
-
+
v 2.6.8.3
=========================================================================
x Fixed complex bookmarklet execution requiring synchronous XHR in a
@@ -1409,14 +1434,14 @@ v 2.6.8.3rc1
=========================================================================
x Fixed full-page HTML5 media failing to play after activation until the
page is reloaded
-
+
v 2.6.8.2
=========================================================================
x Fixed request methods different than POST being turned into GET by
internal channel redirection when the DNS entry is not cached yet
x Fixed regression from CTP fix: some kinds of embedded objects being
displayed, even though in disabled state, along with placeholders
-
+
v 2.6.8.2rc2
=========================================================================
x Fixed request methods different than POST being turned into GET by
@@ -1426,7 +1451,7 @@ v 2.6.8.2rc1
=========================================================================
x Fixed regression from CTP fix: some kinds of embedded objects being
displayed, even though in disabled state, along with placeholders
-
+
v 2.6.8.1
=========================================================================
+ Added to the default whitelist some CDN subdomains dedicated to serve
@@ -1440,7 +1465,7 @@ v 2.6.7.1
=========================================================================
x [XSS] Fixed false positive on GMail when opening the Google Docs file
picker (thanks Harry for reporting)
-x [XSS] Fixed parameter elision bug
+x [XSS] Fixed parameter elision bug
+ Protection against another variant of error-based SQLXSSI (thanks Alex
Inführ for reporting)
@@ -1448,13 +1473,13 @@ v 2.6.7.1rc2
=========================================================================
x [XSS] Fixed false positive on GMail when opening the Google Docs file
picker (thanks Harry for reporting)
-x [XSS] Fixed parameter elision bug
+x [XSS] Fixed parameter elision bug
v 2.6.7.1rc1
=========================================================================
+ Protection against another variant of error-based SQLXSSI (thanks Alex
Inführ for reporting)
-
+
v 2.6.7
=========================================================================
x Fixed HTML 5 media content types not blocked when loaded as top-level
@@ -1476,7 +1501,7 @@ v 2.6.7rc2
=========================================================================
x Removed further "ReferenceError: PolicyState is not defined" messages
x [XSS] Fixed bug in SQLXSSI detection (thanks Alex Inführ for reporting)
-
+
v 2.6.7rc1
=========================================================================
x Fixed resources from resource: origin (such as PDF.js fonts) being
@@ -1491,12 +1516,12 @@ v 2.6.6.9
=========================================================================
+ [XSS] Added several experimental / unofficial markup atoms to the
build-time matcher generator (thanks .mario for reporting)
-
+
v 2.6.6.8
=========================================================================
x [XSS] Protection against filter evasion exploiting Adobe Flash URL
parsing and charset handling bugs (thanks Soroush Dalili for reporting)
-
+
v 2.6.6.7
=========================================================================
x Fixed ClearClick triggered by recently changed browser built-in Click
@@ -1525,7 +1550,7 @@ v 2.6.6.2
x Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
x Improved placeholder management for full-document plugin content, e.g.
makes Youtube embeddings more usable on Facebook
-
+
v 2.6.6.2rc2
=========================================================================
x Fixed regression in Tab Mix Plus compatibility due to Gecko 21 changes
@@ -1534,7 +1559,7 @@ v 2.6.6.2rc1
=========================================================================
x Improved placeholder management for full-document plugin content, e.g.
makes Youtube embeddings more usable on Facebook
-
+
v 2.6.6.1
=========================================================================
x Fixed backward compatibility issue with recent channel cloning changes
@@ -1571,7 +1596,7 @@ x Improved handling of some moz-null principal instances in ABE requests
(thanks Thrawn for reporting)
+ New 360Haven surrogate lets the site work with 1st party scripts
allowed and ads/tracker scripts forbidden
-
+
v 2.6.6rc5
=========================================================================
x Added per-window private browsing support to some background requests
@@ -1597,7 +1622,7 @@ v 2.6.6rc1
=========================================================================
+ New 360Haven surrogate lets the site work with 1st party scripts
allowed and ads/tracker scripts forbidden
-
+
v 2.6.5.9
=========================================================================
x Fixed outlook.com UI broken in Nightly by work-around for bug 677050
@@ -1607,7 +1632,7 @@ x Work around for multiple object creation causing UI inconsistencies
(thanks al_9x for reporting)
x [XSS] Work-around for false positives caused by Gecko >= 18 changes in
Function.prototype.toSource() (thanks yahoo mail user for report)
-
+
v 2.6.5.9rc3
=========================================================================
x Fixed outlook.com UI broken in Nightly by work-around for bug 677050
@@ -1623,7 +1648,7 @@ v 2.6.5.9rc1
=========================================================================
x [XSS] Work-around for false positives caused by Gecko >= 18 changes in
Function.prototype.toSource() (thanks yahoo mail user for report)
-
+
v 2.6.5.8
=========================================================================
+ Automatic Google Analytics web bugs blocking if google-analytics.com is
@@ -1635,12 +1660,12 @@ x Inclusion type checks exception for yandex.st
x [XSS] Exception for requests across *.photobucket.com subdomains, which
may legitimately contain syntactically valid Javascript fragments
(thanks RAJAH235 for reporting)
-
+
v 2.6.5.8rc4
=========================================================================
x Fixed "Mark as Untrusted" button on the "Site Info" page not working
properly (thanks SwissBIT for reporting)
-
+
v 2.6.5.8rc3
=========================================================================
x Fixed Google Analytics cross-site checks breaking GMail composition
@@ -1660,7 +1685,7 @@ v 2.6.5.8rc1
x [XSS] Exception for requests across *.photobucket.com subdomains, which
may legitimately contain syntactically valid Javascript fragments
(thanks RAJAH235 for reporting)
-
+
v 2.6.5.7
=========================================================================
x Made "Yes, remove all protections" the default button in the removal
@@ -1670,7 +1695,7 @@ x [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
x [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks
Masato Kinugawa for reporting)
-
+
v 2.6.5.7rc2
=========================================================================
x Made "Yes, remove all protections" the default button in the removal
@@ -1683,34 +1708,34 @@ x [XSS] Fixed post-response encoding checks applied to UTF-8 pages too
x [XSS] Removed host redirection chance on XSS-vulnerable pages (thanks
Masato Kinugawa for reporting)
-
+
v 2.6.5.6
=========================================================================
x [XSS] Smarter syntax check optimization, removes harmful side effect
(thanks Masato Kinugawa for reporting)
-
+
v 2.6.5.5
=========================================================================
x [XSS] Fixed bug in broken string literals balancing (thanks Masato
Kinugawa for reporting)
-
+
v 2.6.5.4
=========================================================================
+ [XSS] Obfuscated string literals detection (thanks Masato Kinugawa for
reporting)
-
+
v 2.6.5.3
=========================================================================
x [XSS] Improved parsing while decoding mixed-charset encoded URLs
(thanks Masato Kinugawa for reporting)
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
(thanks Masato Kinugawa for reporting)
-
+
v 2.6.5.3rc2
=========================================================================
x [XSS] Improved parsing while decoding mixed-charset encoded URLs
(thanks Masato Kinugawa for reporting)
-
+
v 2.6.5.3rc1
=========================================================================
+ [XSS] Better decoding of maliciously mixed-charset encoded strings
@@ -1726,7 +1751,7 @@ v 2.6.5.1
=========================================================================
+ [XSS] Forced unicode conversions more resilient to invalid input
(thanks Masato Kinugawa for reporting)
-
+
v 2.6.5
=========================================================================
+ [XSS] More exotic charset awareness added to script injection checks
@@ -1735,7 +1760,7 @@ x [XSS] Removed limited injection chance allowing redirection of XSS
vulnerable pages to an integral IP (thanks Masato Kinugawa for
reporting)
+ "Security Downgrade Warning" suggests blacklist mode as a better option
- than uninstalling, to retain scripting-unrelated protections
+ than uninstalling, to retain scripting-unrelated protections
- Removed legacy uninstall hooks and related localized strings
v 2.6.5rc2
@@ -1830,7 +1855,7 @@ x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)
-
+
v 2.6.4.2rc6
=========================================================================
x [ClearClick] Fixed miscalculations in screenshot comparison
@@ -1857,15 +1882,15 @@ v 2.6.4.2rc2
=========================================================================
x Fixed broken early HTTP observer on Firefox >= 18 (thanks aloishammer
for reporting)
-
+
v 2.6.4.2rc1
=========================================================================
x Fixed anti-popunder surrogate breaking BFCache (thanks whatever for
reporting)
-
+
v 2.6.4.1
=========================================================================
-x Fixed new placeholder close button being hidden on some Youtube pages
+x Fixed new placeholder close button being hidden on some Youtube pages
v 2.6.4
=========================================================================
@@ -1876,7 +1901,7 @@ x Fixed placeholders intercepting clicks from overlaid elements (thanks
al_9x)
x Fixed unbound embed enablement confirmation dialog size (thanks therube
for reporting)
-
+
v 2.6.4rc2
=========================================================================
x [XSS] Improved compatibility with Twitter's cross-site requests
@@ -1902,7 +1927,7 @@ x Work-around for some extensions (e.g. Adblock Plus, Tab Mix Plus)
breaking bookmarlets and URL bar Javascript support after being updated
for Firefox 17
x Removed some console noise
-+ [Surrogate] Updated adf.ly surrogate to work with new links
++ [Surrogate] Updated adf.ly surrogate to work with new links
v 2.6.3rc4
=========================================================================
@@ -1935,7 +1960,7 @@ x Fixed impossible to copy lines from Console² if opened by NoScript
(thanks therube for reporting and Phil Chee for suggestion)
x [XSS] Exception for wpcomwidgets.com safe inclusions
x Slightly reduced About box width (thanks GµårÐïåñ for RFE)
-
+
v 2.6.2rc2
=========================================================================
x Fixed Google links anonymizer surrogate interfering with the "Search
@@ -1947,7 +1972,7 @@ x Fixed impossible to copy lines from Console² if opened by NoScript
(thanks therube for reporting and Phil Chee for suggestion)
x [XSS] Exception for wpcomwidgets.com safe inclusions
x Slightly reduced About box width (thanks GµårÐïåñ for RFE)
-
+
v 2.6.1
=========================================================================
x [XSS] Better compatibility with Ebay's saved searches
@@ -2101,31 +2126,31 @@ x Fixed iframe placeholder positioning issue (thanks al_9x for report)
v 2.5.7rc2
=========================================================================
x Fixed regression in placeholder positioning (thanks al_9x for report)
-
+
v 2.5.7rc1
=========================================================================
x [ClearClick] Fixed false positive on cross-site SVG document embeddings
(thanks Steffen for reporting)
-
+
v 2.5.6
=========================================================================
x [XSS] Fixed slow regular expression causing some base64 request
payloads to trigger false positives (thanks Mirko Tasler for reporting)
-+ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
++ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
+ New icon for blocked embeddings on globally allowed pages (thanks
therube for RFE)
-
+
v 2.5.6rc2
=========================================================================
+ [XSS] Fixed slow regular expression causing some base64 request
payloads to trigger false positives (thanks Mirko Tasler for reporting)
-
+
v 2.5.6rc1
=========================================================================
-+ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
++ Force placeholders to frontmost position e.g. on HTML 5 Youtube content
+ New icon for blocked embeddings on globally allowed pages (thanks
therube for RFE)
-
+
v 2.5.5
=========================================================================
+ More reliable Java applet origin identification
@@ -2208,8 +2233,8 @@ x Fixed JavaScript URL non-void expression evaluation in the URL bar
v 2.5.3rc1
=========================================================================
x [XSS] Work-around for a Gecko URL parsing quirk (thanks .mario for
- reporting)
-
+ reporting)
+
v 2.5.2
=========================================================================
x [ClearClick] Improved protection against clickjacking timing attacks
@@ -2217,12 +2242,12 @@ x [ClearClick] Improved protection against clickjacking timing attacks
x Fine tuned floating div (in-page popup) removal by locking it to the
nearest positioned ancestor and swallowing the mouseup event if the
DEL key has been hit after last mousedown
-
+
v 2.5.2rc2
=========================================================================
x [ClearClick] Improved protection against clickjacking timing attacks
(thanks Nafeez Ahmed for reporting)
-
+
v 2.5.2rc1
=========================================================================
x Fine tuned floating div (in-page popup) removal by locking it to the
@@ -2310,7 +2335,7 @@ x [XSS] Fixed XML preprocessing breaking detection of some E4X
constructs (thanks Pepe Vila for reporting)
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
Ashar Javed for reporting, original disclosure by Keith Makan)
-
+
v 2.4.9rc2
=========================================================================
+ Added ability to replace obsolete default whitelist entries
@@ -2321,7 +2346,7 @@ x Better usability with some HTML5 Youtube videos (thanks Mike Perry
x Reverted to the ctrl+shift+S main keyboard shortcut
x [XSS] Fixed XML preprocessing breaking detection of some E4X
constructs (thanks Pepe Vila for reporting)
-
+
v 2.4.9rc1
=========================================================================
+ [XSS] Protection against error-based SQLI with a XSS payload (thanks
@@ -2335,8 +2360,8 @@ x Changed default UI shortcut to ctrl+shift+N because ctrl+shift+S is
x Fixed feed: and pcast: URLs not being unwrapped in some checks (thanks
Alex Inführ for reporting)
x Removed assumptions of a body element from some code paths which may
- handle generic XML documents
-
+ handle generic XML documents
+
v 2.4.8rc3
=========================================================================
x Work-around for Mozilla bug 771655 (broken debugger)
@@ -2366,12 +2391,12 @@ x Fixed regression, noscript.allowedMimeRegExp not working anymore for
x Auto-anchored multi-valued regexp preferences can now be separated by
regular spaces rather than just newlines (this behavior was documented
but not actually implemented for noscript.allowedMimeRegExp)
-
+
v 2.4.7rc3
=========================================================================
x [ClearClick] Fixed regression: caret cursor not shown on text content
(thanks Fanolian for reporting)
-
+
v 2.4.7rc2
=========================================================================
x [ClearClick] Fixed Tumblr widgets false positive (thanks @Raydere for
@@ -2413,13 +2438,13 @@ x [XSS] Improved data: URIs detection (thanks Masato Kinugawa for report)
+ [XSS] Improved "Maybe JS" heuristic (thanks Masato Kinugawa for report)
+ [XSS] More aggressive obsolete charsets filtering (thanks Masato
Kinugawa for report)
-
+
v 2.4.5rc7
=========================================================================
+ [XSS] Improved E4X handling (thanks Masato Kinugawa for report)
x [XSS] Fixed regression allowing some alert-only PoCs (thanks Soroush
Dalili and Ahamed Nafeez for reporting)
-
+
v 2.4.5rc6
=========================================================================
x [XSS] Improved unconventional assignments detection (thanks Masato
@@ -2461,7 +2486,7 @@ x Fixed early synthetic DNS notification causing blank stripe on the
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)
-
+
v 2.4.4rc2
=========================================================================
x [Locale] Updated he-IL (thanks baryoni)
@@ -2506,7 +2531,7 @@ v 2.4.3rc1
=========================================================================
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types
-
+
v 2.4.2
=========================================================================
x [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
@@ -2529,18 +2554,18 @@ x [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
(thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
because of redirection loops
-
+
v 2.4.2rc6
==========================================================================
x [XSS] Fixed query string parsing bug in the new ASP-specific HPP
protection (thanks Soroush Dalili for reporting)
-
+
v 2.4.2rc5
==========================================================================
x [XSS] Fixed recursion bug preventing ASP-specific unicode encodings from
being correctly handled in presence of simultaneous HPP (thanks Soroush
Dalili for reporting)
-
+
v 2.4.2rc4
==========================================================================
x [XSS] Fixed regression blocking any suspect HPP attack silently (thanks
@@ -2580,7 +2605,7 @@ v 2.4.1rc1
+ [XSS] Protection against URL injections in in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
sequences (thanks Masato Kinugawa for reporting)
-
+
v 2.4.1
==========================================================================
+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
@@ -2595,7 +2620,7 @@ x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
repository, often used as a CDN
-
+
v 2.4.1rc3
==========================================================================
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
@@ -2635,7 +2660,7 @@ v 2.4rc8
==========================================================================
x [XSS] Improved global exception injection detection
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
- Dalili for reporting)
+ Dalili for reporting)
v 2.4rc7
==========================================================================
@@ -2645,7 +2670,7 @@ v 2.4rc7
global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
for reporting)
-
+
v 2.4rc6
==========================================================================
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)
@@ -2657,7 +2682,7 @@ x Improved temporary permissions management during bookmarklet execution
v 2.4rc4
==========================================================================
x Fixed 2.4rc3 regression in url bar JavaScript execution
-
+
v 2.4rc3
==========================================================================
x Fixed bookmarklet couldn't be executed on blacklisted sites in "Globally
@@ -2705,18 +2730,18 @@ v 2.3.9rc2
==========================================================================
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
obscuration by windowed plugins checks
-
+
v 2.3.9rc1
==========================================================================
+ [ClearClick] More tolerant snapshot comparation algorithm (partially
backported from NSA) to reduce false positives (tweaked by the
noscript.clearClick.threshold percentage value in about:config)
-- Removed about:credits from default whitelist
-
+- Removed about:credits from default whitelist
+
v 2.3.8
==========================================================================
+ Smart integration with the new browser-native click to play: if a plugin
- object is manually allowed from NoScript's UI, it gets also natively
+ object is manually allowed from NoScript's UI, it gets also natively
activated (noscript.smartClickToPlay about:config preference)
+ Improved active content identity tracking, to avoid redundant blocking
steps across reloads
@@ -2737,11 +2762,11 @@ x [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site
v 2.3.8rc1
==========================================================================
+ Smart integration with the new browser-native click to play: if a plugin
- object is manually allowed from NoScript's UI, it gets also natively
+ object is manually allowed from NoScript's UI, it gets also natively
activated (noscript.smartClickToPlay about:config preference)
+ Improved active content identity tracking, to avoid redundant blocking
steps across reloads
-
+
v 2.3.7
==========================================================================
x [ClearClick] Work-around for "rapid fire" protection interfering with
@@ -2751,34 +2776,34 @@ x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
Christopher A. M. Gerlach for reporting)
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
containing domain-names as parameter values (thanks gazer75 for report)
-
+
v 2.3.7rc5
==========================================================================
x [ClearClick] Further refinements in TrafficLight compatibility and
"rapid fire" sensitvity
-
+
v 2.3.7rc4
==========================================================================
x [ClearClick] Further "rapid fire" protection sensitivity tweaking
-
+
v 2.3.7rc3
==========================================================================
x [ClearClick] Work-around for "rapid fire" protection interfering with
some add-ons, such as 1Password (thanks Mike Tselikman for report)
-
+
v 2.3.7rc2
==========================================================================
x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
Christopher A. M. Gerlach for reporting)
-
+
v 2.3.7rc1
==========================================================================
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
containing domain-names as parameter values (thanks gazer75 for report)
-
+
v 2.3.6
==========================================================================
-x Restored Nightly compatibility, broken by bug 719154
+x Restored Nightly compatibility, broken by bug 719154
+ [ClearClick] improved compatibility with Disqus widgets (thanks El Cid
for reporting)
+ [AddressMatcher] Optimized trailing "*" in glob expressions
@@ -2786,10 +2811,10 @@ x Fixed origin URL detection flawed when certain wrapped URIs are loaded
(thanks Masato Kinugawa for reporting)
x [XSS] Fixed false positive with query string patterns mimicking array
access (thanks Aicke Schulz for reporting)
-
+
v 2.3.6rc4
==========================================================================
-x Restored Nightly compatibility, broken by bug 719154
+x Restored Nightly compatibility, broken by bug 719154
v 2.3.6rc3
==========================================================================
@@ -2801,7 +2826,7 @@ v 2.3.6rc2
==========================================================================
x Fixed origin URL detection flawed when certain wrapped URIs are loaded
(thanks Masato Kinugawa for reporting)
-
+
v 2.3.6rc1
==========================================================================
x [XSS] Fixed false positive with query string patterns mimicking array
@@ -2829,23 +2854,23 @@ x Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing
Google Music Player to fail (thanks DG42 for original report, Alan Baxter
for providing a test account, all the forum staff and many users for
their help in reproducing)
-
+
v 2.3.5rc5
==========================================================================
x [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and
meta refreshes on the affected tab even if document changes (thanks
Tom T. and Patrick E. for reporting)
-
+
v 2.3.5rc4
==========================================================================
x [ClearClick] Better special-casing for same-site embedded objects
-
+
v 2.3.5rc3
==========================================================================
x [Surrogate] Global variables introduced by sandboxed surrogates are
attached as window properties after execution to fix recently surfaced
scope-related bugs
-
+
v 2.3.5rc2
==========================================================================
x [XSS] Further refinements in the window.name protection features (thanks
@@ -2861,7 +2886,7 @@ v 2.3.4
==========================================================================
x [ClearClick] Fixed subtle bug which may lead to infinite loops in some
cases (thanks GµårÐïåñ for reporting)
-
+
v 2.3.3
==========================================================================
+ Improved InjectionChecker logging
@@ -2876,7 +2901,7 @@ x [XSS] Further sensitivity tweaks
x [XSS] Better compatibility with some 3rd party ads on Ebay
x [XSS] Fixed false positive on dotted name-value assignments chained with
semicolons (e.g. on some Yahoo-served ads)
-
+
v 2.3.3rc6
==========================================================================
+ Improved InjectionChecker logging
@@ -2909,7 +2934,7 @@ v 2.3.3rc1
==========================================================================
x [XSS] Fixed false positive on dotted name-value assignments chained with
semicolons (e.g. on some Yahoo-served ads)
-
+
v 2.3.2
==========================================================================
x [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
@@ -2931,7 +2956,7 @@ v 2.3.2rc5
==========================================================================
x [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
Masato Kinugawa for reporting)
-
+
v 2.3.2rc4
==========================================================================
x [XSS] Fixed regression from HTML detection changes in 2.3.2rc3 (thanks
@@ -2977,7 +3002,7 @@ v 2.3.1rc3
==========================================================================
x Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks
.mario for reporting)
-
+
v 2.3.1rc2
==========================================================================
+ adf.ly surrogate to automaticaly skip the interstitial page even if
@@ -2988,7 +3013,7 @@ v 2.3.1rc1
==========================================================================
+ New surrogate against Google's scriptless tracking of search results
navigation
-
+
v 2.3
==========================================================================
x Fixed about:newtab not considered as a local origin by ABE
@@ -3031,17 +3056,17 @@ v 2.2.8
==========================================================================
x [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested
documents
-
+
v 2.2.8rc1
==========================================================================
x [ClearClick] Protection against Koto's Cursorjacking technique disclosed
at http://blog.kotowicz.net/2012/01/cursorjacking-again.html
-
+
v 2.2.7
==========================================================================
x [ClearClick] Protection against two steps interaction attack based on
HTML5 DnD (thanks .mario for reporting)
-
+
v 2.2.6
==========================================================================
x [XSS] Fixed sanitization reporting bug
@@ -3050,7 +3075,7 @@ v 2.2.6rc1
==========================================================================
+ [XSS] Protection against new kind of response splitting + XSS combo
attack responsibly disclosed by Mike Brooks
-
+
v 2.2.5
==========================================================================
x [ClearClick] Better compatibility with recent Disqus widget versions
@@ -3104,7 +3129,7 @@ v 2.2.3
v 2.2.3rc3
==========================================================================
+ Generalized checks on drag and drop payloads
-+ [XSS] Tightened checks on reflected javascript: URIs
++ [XSS] Tightened checks on reflected javascript: URIs
v 2.2.3rc2
==========================================================================
@@ -3182,11 +3207,11 @@ v 2.1.9rc3
x Fixed some DOM traversal bugs (thanks al_9x for reporting)
x Refined Google search meta refresh blocking exception
x Added meta refresh blocking exception for t.co (Twitter URL shortener)
-
+
v 2.1.9rc2
==========================================================================
x Work-around for XSSI checks breaking some Yahoo! Mail features
-
+
v 2.1.9rc1
==========================================================================
+ New noscript.forbidMetaRefresh.exceptions url pattern preference
@@ -3207,7 +3232,7 @@ v 2.1.8rc2
inclusion (XSSI) is enabled or not (thanks al_9x for RFE)
+ noscript.xss.checkInclusions.exceptions about:confing preference to
disable XSSI checks for certain script sources (thanks al_9x for RFE)
-
+
v 2.1.8rc1
==========================================================================
+ Protection against reflected script inclusion (thanks tlu for reporting)
@@ -3223,7 +3248,7 @@ v 2.1.7rc1
==========================================================================
x Fixed error console noise regression from menu fixes (thanks al_9x and
Archaeopteryx for reporting)
-
+
v 2.1.6
==========================================================================
+ noscript.keys.tempAllowPage about:config preference to configure a
@@ -3265,7 +3290,7 @@ x [Surrogate] Surrogates triggered by content policy calls get executed in
x Moved SWFObject and Silverlight patching to early scripts
x Replaced every reference to XHR's "on..." event handler properties with
their addEventListener() counterparts, to cope with bug 687332 fallouts
-
+
v 2.1.4
==========================================================================
x Fixed speculative parsing causing inclusion surrogates to be executed
@@ -3382,7 +3407,7 @@ v 2.1.2.6rc4
==========================================================================
x Fixed Firefox's built-in feed renderer broken unless about:feeds is
whitelisted
-
+
v 2.1.2.6rc3
==========================================================================
x Plugin origin checks now account for multiple extra-codebase archives
@@ -3402,7 +3427,7 @@ v 2.1.2.6rc1
require JavaScript
+ USER ruleset conveniently pre-selected when ABE options are opened
x Improved invisible links detection approach
-
+
v 2.1.2.5
==========================================================================
x Fixed bookmarklets from sidebars not working on JS-disabled pages
@@ -3466,7 +3491,7 @@ v 2.1.2.1
==========================================================================
x Fixed rapid fire cross-site interaction protection interfering with
keyboard-based tab switching (thanks tikl for reporting)
-
+
v 2.1.2 (same as 2.1.2rc6)
==========================================================================
x Minor tweaks to the new rapid fire cross-site interaction protection
@@ -3501,7 +3526,7 @@ v 2.1.2rc1
==========================================================================
x Fixed startup error in Nightly due to the merge of event target
interfaces in bug 658714 (thanks Hydraxr for reporting)
-
+
v 2.1.1.2 (same as 2.1.2rc0)
==========================================================================
x Fixed conflict with Firebug console
@@ -3513,7 +3538,7 @@ x Fixed surrogates causing duplicate history entries for some sites on
Firefox 5
x Work around for bug 666371 breaking popunder surrogate and legitimate
popups on some sites
-
+
v 2.1.1.2rc8
==========================================================================
x Work-around for Mac OS X filepicker in Firefox 5 preventing exported
@@ -3572,7 +3597,7 @@ v 2.1.1.2rc1
==========================================================================
x Fixed onLocationChange2 missing in nsIWebProgressListener2 impl. causing
noise on trunk after bug 311007 landed (thanks Hydraxr for report)
-
+
v 2.1.1.1
==========================================================================
+ Improved embedded object activation on Javascript-enabled pages via
@@ -3613,9 +3638,9 @@ v 2.1.0.6rc12
v 2.1.0.6rc11
==========================================================================
-x Fixed broken toolbar button on first window opened during first run ever
+x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)
-
+
v 2.1.0.6rc10
==========================================================================
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
@@ -3639,7 +3664,7 @@ v 2.1.0.6rc7
==========================================================================
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)
-
+
v 2.1.0.6rc6
==========================================================================
x Fixed false positive in anti-exfiltration HTML injection checks
@@ -3670,7 +3695,7 @@ v 2.1.0.6rc1
==========================================================================
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)
-
+
v 2.1.0.5
==========================================================================
x Fixed recent memory optimizations breaking compatibility with some
@@ -3730,7 +3755,7 @@ v 2.1.0.4rc3
==========================================================================
x Fixed minimum placeholder size not applied when embeddings have "auto"
as their computed CSS width or height (thanks al_9x for reporting)
-
+
v 2.1.0.4rc2
==========================================================================
+ On scriptless pages, empty forms meant to be submitted via JavaScript
@@ -3743,7 +3768,7 @@ x Changed the noscript.forbidXBL default to 1 (OK for current Fx versions)
in order to avoid Lotus Mail issues (thanks Tina for reporting)
x [XSS] Fixed a false positive involving Amazon mp3 checkout (thanks Dan
Loomis for reporting)
-
+
v 2.1.0.3
==========================================================================
x [L10n] Updated ro
@@ -3799,7 +3824,7 @@ v 2.1.0.2rc2
==========================================================================
x Fixed AddressMatcher broken by RegExp changes in latest Minefield (
thanks linuser for reporting)
-
+
v 2.1.0.2rc1
==========================================================================
x Fixed ABE options panel regressions due to the changed storage (thanks
@@ -3809,7 +3834,7 @@ v 2.1.0.1
==========================================================================
x Removed googlesyndication.com from the default whitelist
x Added securecode.com ("Verified by VISA") to the default whitelist, in
- order to prevent surprise transaction failures
+ order to prevent surprise transaction failures
x [XSS] Exception for POST requests coming from a secure albeit not
whitelisted Verified by Visa (securecode.com) origin
x [ABE] Fixed bug causing excessive console noise from permissive rules
@@ -3831,14 +3856,14 @@ x Fixed additional toolbar buttons too wide when labels are shown
x Fixed some Script Surrogate regressions (thanks al_9x for reporting)
x Work around for alert on new windows due to Mozilla's bug 608628
x Fixed placeholder not shown for embed elements placed inside invalid
- object elements (thanks al_9x for reporting)
+ object elements (thanks al_9x for reporting)
v 2.1.0rc5
==========================================================================
+ Firefox Sync integration can be switched off through the
noscript.sync.enabled about:config preference
x [XSS] Fixed false positive regression from recent Firefox 4
- optimizations (thanks m_c for reporting)
+ optimizations (thanks m_c for reporting)
v 2.1.0rc4
==========================================================================
@@ -3849,7 +3874,7 @@ v 2.1.0rc3
+ First shot at Firefox Sync native integration, synchronizes everything
except custom ABE rules
x [ABE] Optimized origin tracing
-+ [ABE] INC(MEDIA) subtype matching HTML5 video and audio requests
++ [ABE] INC(MEDIA) subtype matching HTML5 video and audio requests
+ [ABE] INC(FONT) subtype matching font embedding requests
x Huge refactoring in regular expression usage to optimize for Fx 4
x Script Surrogate optimization
@@ -3904,7 +3929,7 @@ v 2.0.9.9rc1
+ New noscript.placeholderLongTip about:config preference to control
whether embedding placeholder tooltips should include query strings
and hash fragments or not (true by default)
-
+
v 2.0.9.8
==========================================================================
x Fixed empty tooltip for embedded placeholder on some RTL pages (thanks
@@ -3932,7 +3957,7 @@ x [UI] Fixed toolbar button being added on the right of the window resizer
dismisses NoScript's popup menu (thanks jso for RFE)
x [DNT] Restored header reordering after DNT header is added, in order to
match Firefox 4's header fingerprint
-
+
v 2.0.9.7
==========================================================================
x Fixed status label menu popping up in a wrong position
@@ -3985,7 +4010,7 @@ v 2.0.9.6
==========================================================================
x Fixed X-Do-Not-Track after a DNS cache miss causing some embedded
content requests to fail
-
+
v 2.0.9.5
==========================================================================
x Fixed NoScript toolbar buttons having wrong orientation in "icon and
@@ -4026,7 +4051,7 @@ x Fixed partial options dialog breakage (ClearClick and Import/Export)
v 2.0.9
==========================================================================
-- Removed JAR blocking (obsolete in supported browser versions)
+- Removed JAR blocking (obsolete in supported browser versions)
- Removed emulated TLD service
x Hidden status bar icon option on applications which have no status bar
x Fixed noscript.doNotTrack.* preferences not being honored
@@ -4113,7 +4138,7 @@ x LiveConnect interception time reduced by 10 on Firefox 3.6 and by 100 on
x Restored LiveConnect interception logging (LOG_CONTENT_INTERCEPT mask)
x Fixed bug in fake redirections code, causing it not to honor the
redirection limit settings (thanks Peter Eckersley)
-x [XSS] Improved SQLXSSI detection accuracy
+x [XSS] Improved SQLXSSI detection accuracy
x Updated revsci surrogate (thanks al_9x)
v 2.0.7
@@ -4136,7 +4161,7 @@ v 2.0.6rc3
==========================================================================
x [ABE] Work-around for Flash video playback and other HTTP subrequests
from plugins sometimes failing on latest Minefield builds
-
+
v 2.0.6rc2
==========================================================================
x [ABE] Fixed 2.0.6rc1 regression: broken internal redirections
@@ -4148,12 +4173,12 @@ v 2.0.6rc1
x [XSS] Better compatibility with 4shared embedded movies
x [ABE] Fixed regression: Anon action interfering with IFrame blocking
when DNS record for current request is cached (thanks al_9x for report)
-
+
v 2.0.5.1
==========================================================================
x Improved LoadGroup integration of the new internal redirection machinery
for better loading progress feedback.
-
+
v 2.0.5
==========================================================================
x Fixed stability issue when forcing HTTPS on images
@@ -4166,7 +4191,7 @@ v 2.0.5rc2
==========================================================================
x Experimental asynchronous channel replacement for ABE and HTTPS
enforcement, should prevent issues with image caching
-x Work-around for Google/Youtube bug, sending "Content-Type: text/plain"
+x Work-around for Google/Youtube bug, sending "Content-Type: text/plain"
header for script files even with "X-Content-Type-Options: nosniff" (see
http://forums.informaction.com/viewtopic.php?f=7&t=5304)
@@ -4289,7 +4314,7 @@ v 2.0.3.1rc1
==========================================================================
x [Surrogate] Restored the previous document.cookie patching order, since
it seems more compatible with some buggy sites
-
+
v 2.0.3
==========================================================================
x [Surrogate] Improved compatibility of the popunder surrogate
@@ -4311,14 +4336,14 @@ x [XSS] Fixed "Unsafe reload" not working under some circumstances (thanks
x Fixed "setting a property that has only a getter" warning in strict mode
x Better compatibility with CDNs improperly serving JavaScript files with
a CSS mime type
-
+
v 2.0.3rc2
==========================================================================
x Fixed "Partially allowed" message instead of "Forbidden" when everything
is blocked, including some embeddings (thanks jan for reporting)
x Fixed "No placeholder from untrusted" broken since 2.0.2.4 (thanks al_9x
for reporting)
-
+
v 2.0.3rc1
==========================================================================
+ [UI] Clickless "on over" opening of the status bar menu, can be disabled
@@ -4349,7 +4374,7 @@ v 2.0.2.3
==========================================================================
x [XSS] Fixed optimization bug which may lead to slower checks on specific
source patterns
-
+
v 2.0.2.2
==========================================================================
x [XSS] Huge InjectionChecker speed optimization, prevents most DOS false
@@ -4428,7 +4453,7 @@ x Tentative fix for UI sync regression reported by al_9x
v 2.0.1
==========================================================================
-+ [ABE] noscript.abe.localExtras about:config preference can specify net
++ [ABE] noscript.abe.localExtras about:config preference can specify net
resources (space separated IPs and/or subnets) to be considered as
LOCAL by ABE, in addition to the "regular" private subnetworks and the
auto-detected WAN IP (thanks ammdispose for suggestion)
@@ -4473,7 +4498,7 @@ x Fixed meta redirections being broken sometimes when a NOSCRIPT element
v 2.0
==========================================================================
x [Surrogate] Fixed Google thumbs surrogate broken by recent Gecko changes
-x [ClearClick] Work-around for client(Height|Width) miscalculation
+x [ClearClick] Work-around for client(Height|Width) miscalculation
v 2.0rc8
==========================================================================
@@ -4548,7 +4573,7 @@ x Better error handling in surrogates, prevents a failing scripts to abort
the others
x Improved AMO surrogates, allows right-click menu to work on install
buttons (thanks Mc for reporting)
-
+
v 1.9.9.98rc3
==========================================================================
x Fixed bug on edge case minimum placeholder size computation when object
@@ -4564,7 +4589,7 @@ x Improved placeholders for embeds nested in ActiveX OBJECT elements
v 1.9.9.98rc1
==========================================================================
-+ Surrogate for Google Search thumbnails when Google is not whitelisted
++ Surrogate for Google Search thumbnails when Google is not whitelisted
+ Automatic reload on permission change setting now affects pages
containing embeddings which change status too, whose reload can be also
forced through the noscript.autoReload.embedders preference:
@@ -4575,7 +4600,7 @@ v 1.9.9.98rc1
permissions status but the top-level is forbidden and unchanged
+ Surrogate to use InstallTrigger on AMO even if addons.mozilla.org is not
whitelisted
-
+
v 1.9.9.97
==========================================================================
x Fixed ClearClick false positives on Fx 3.5 and below (thanks Deniz Sofu
@@ -4635,7 +4660,7 @@ x Fixed Places-related bug on Minefield (thanks mpz for reporting)
x noscript.forbidIFrameContext=3 (allow same base domain) falls back to 2
(allow same domain) if either the parent or the frame is marked as
untrusted (thanks al_9x for suggestion)
-
+
v 1.9.9.91
==========================================================================
x More compatible docShell reaching, works around some buggy extensions
@@ -4791,7 +4816,7 @@ v 1.9.9.72
x Fixed configuration import/export/synchronization bug introduced by
"configuration presets" for Firefox Mobile
+ Finger-friendlier UI on Firefox Mobile
-
+
v 1.9.9.71
==========================================================================
+ Added "Allowed with untrusted sources and blocked objects" icon
@@ -4956,7 +4981,7 @@ v 1.9.9.50
+ Updated ABE grammar to use new AddressMatcher syntactic sugar
+ Alert about ABE syntax errors when option dialog gets focused after a
ruleset editing (thanks al_9x for suggestion)
-
+
v 1.9.9.49
==========================================================================
+ .x.y AddressMatcher syntactic sugar, matching both x.y and *.x.y (thanks
@@ -5018,7 +5043,7 @@ x Fixed XSS false positive on certain nested URL patterns (thanks
v 1.9.9.42
==========================================================================
-+ ClearClick: more efficient code paths specific to Fx 3.6 and above
++ ClearClick: more efficient code paths specific to Fx 3.6 and above
x Fixed zoom-related ClearClick false positives on Fx 3.6 and above
x Fixed fonts being reported as "unknown" type in Blocked Objects menu
@@ -5027,7 +5052,7 @@ v 1.9.9.41
+ Fix for newline-based double-reflection InjectionChecker bypass (thanks
Sirdarckcat for reporting)
x Surrogate scripts from local files: surrogate's replacement is treated
- as a file:// URL and resolved against current browser profile if it
+ as a file:// URL and resolved against current browser profile if it
starts with "file://", "./" or "../" (thanks Richard Stallman, Johan
Euphrosine and Sam Imtiaz)
@@ -5149,7 +5174,7 @@ v 1.9.9.20
+ New "imdb" script surrogate to watch IMDB trailers without allowing
doubleclick.com (thanks SeanM and Tom T for suggestion)
+ Improved Google Analytics surrogate
-+ Turned the "fap" surrogate into a generic "popunder" one
++ Turned the "fap" surrogate into a generic "popunder" one
x Fixed blocked embeddings info being wiped during bfcache lifecycle
(thanks al_9x for reporting)
@@ -5311,12 +5336,12 @@ x Fixed Flash activation bug on Gecko <= 1.9
v 1.9.8.87
==========================================================================
+ Quantserve surrogate script
-x Added en-GB locale to legacy Seamonkey install script
+x Added en-GB locale to legacy Seamonkey install script
v 1.9.8.86
==========================================================================
x Fixed kongregate.com incompatibility (thanks jthill for report)
-
+
v 1.9.8.85
==========================================================================
+ Updated MK locale
@@ -5411,7 +5436,7 @@ v 1.9.8.4
==========================================================================
x Fixed ABE internal redirection on DNS cache miss interfering with
injection checks under some circumstances
-
+
v 1.9.8.3
==========================================================================
+ Full HTML 5 event attributes InjectionChecker support
@@ -5441,7 +5466,7 @@ x Work around for breakages caused by the .NET Framework Assistant,
http://adblockplus.org/blog/the-return-of-net-framework-assistant
+ ABE grammar source (ABE.g) included in the distributed XPI (thanks
al_9x for noticing its absence)
-
+
v 1.9.7.9
==========================================================================
x Improved XSS filter compatibility with some decimal coordinates
@@ -5484,7 +5509,7 @@ x Fixed invisible links detection turning some links into absolutely
reporting)
x Improved specificity of data: URL injection detection (thanks Tom
for reporting)
-
+
v 1.9.7.7
==========================================================================
x Fixed DNS cache status interfering with HTTPS redirections
@@ -5603,7 +5628,7 @@ v 1.9.6.4
v 1.9.6.3
==========================================================================
-x Fixed XSS false positives when asynchronous activity must be
+x Fixed XSS false positives when asynchronous activity must be
performed in ABE
v 1.9.6.2
@@ -5637,7 +5662,7 @@ v 1.9.5.72
==========================================================================
x Fixed CSS bug preventing placeholders from being hidden with
Shift+click
-
+
v 1.9.5.71
==========================================================================
x Fixed Seamonkey 1.x breakage from 1.9.5.7 (thanks therube for
@@ -5645,8 +5670,8 @@ x Fixed Seamonkey 1.x breakage from 1.9.5.7 (thanks therube for
v 1.9.5.7
==========================================================================
-+ ABE Logout action strips query strings from potential authorization
- and session-related parameters and neutralizes non-idempotent
++ ABE Logout action strips query strings from potential authorization
+ and session-related parameters and neutralizes non-idempotent
requests by switching their method to GET and removing uploads
x Fixed DNS optimizations causing ABE's "Logout" action to abort the
request sometimes (Gecko <= 1.8 will abort on Logout anyway if DNS
@@ -5657,7 +5682,7 @@ x Fixed placeholder not clickable if overlayed with a transparent
absolutely positioned element
x Fixed bug preventing the audio feedback sample from being changed
(thanks Rodney Crnkovic for reporting)
-
+
v 1.9.5.6
==========================================================================
x Work around for Tab Mix Plus beta breaking bookmarklets and URL bar
@@ -5734,11 +5759,11 @@ v 1.9.4.4
==========================================================================
+ Origin tracing speed and accuracy improvements
+ Enhanced frame busting emulation
-+ Further DNS optimizations
++ Further DNS optimizations
v 1.9.4.3
==========================================================================
-x Optimized garbage collection in DNS 2nd level cache
+x Optimized garbage collection in DNS 2nd level cache
v 1.9.4.2
==========================================================================
@@ -5795,7 +5820,7 @@ v 1.9.3.8
+ Automatically include browser origins in Accept predicates
x Lighter XSS checks, relying on ABE for pre-screening when possible
(preventing some timeout-related false positives and random hangs)
-
+
v 1.9.3.7
==========================================================================
+ More accurate NOSCRIPT web-bugs blocking, skipping same origin
@@ -5842,7 +5867,7 @@ v 1.9.3.2
==========================================================================
x Fixed whitelist import/export broken by new global import/export (
thanks Tim Johnson for report)
-
+
v 1.9.3.1
==========================================================================
x Fixed automatic secure cookie management being enabled by default
@@ -5909,9 +5934,9 @@ v 1.9.2.6
v 1.9.2.5
==========================================================================
-+ One-time startup prompt to ask users *beforehand* if they want to
- install/keep or permanently delete the AdBlock Plus "NoScript
- Development Support Filterset" deployed with NoScript 1.9.2.3
++ One-time startup prompt to ask users *beforehand* if they want to
+ install/keep or permanently delete the AdBlock Plus "NoScript
+ Development Support Filterset" deployed with NoScript 1.9.2.3
and above
x Fixed filterset bug: it could be disabled but not removed.
x Fixed "Attempt to fix JS links" not working for drop-down lists on
@@ -5956,7 +5981,7 @@ v 1.9.2
synchronization" feature (enable it in "NoScript Options|General")
x Fixed potential DNS leak in some proxied setups when opening URLs
with FQDNs as their hostnames (thanks Rolf Wendolsky for report).
-
+
v 1.9.1.91
==========================================================================
x Fixed notifications reporting "Forbidden" on some partially allowed
@@ -6090,7 +6115,7 @@ x Fixed X-FRAME-OPTIONS not working inside OBJECT elements (thanks
Joris van der Wel for report)
x Restored broken compatibility with Seamonkey 1.0.x (thanks James
Andrewartha for report)
-
+
v 1.9.0.1
==========================================================================
x Work around for edge case false positive on plugins embedded in
@@ -6141,11 +6166,11 @@ v 1.8.9.4
==========================================================================
x Fixed minimum sized placeholder potentially exceeding smaller
frames (thanks greenhatch for report about BetFair's menu)
-x Fixed ClearClick form bounds miscalculation with negative coords
+x Fixed ClearClick form bounds miscalculation with negative coords
(thanks Zjakki Willems for report about BlogSpot's search feature)
x Fixed document loaded in a nested iframe when enabling a blocked
legacy frame
-
+
v 1.8.9.3
==========================================================================
+ Extensible script surrogate mechanism (surrogating Google Analytics
@@ -6173,7 +6198,7 @@ x *.ebay.com ClearClick exception to temporarily work-around a false
x Performance optimization of the JSON and E4X hijacking protection
x Compatibility with Amazon one-click
x Removed __count__ usage triggering a deprecated warning in Fx 3.0.x
-x Relaxed XSS checks from same-domain HTTPS<->HTTP requests
+x Relaxed XSS checks from same-domain HTTPS<->HTTP requests
x Improved E4X hijacking detection, skips leading XML comments in
scripts (http://forums.mozillazine.org/viewtopic.php?p=5488645)
x Updated Japanese translation
@@ -6360,7 +6385,7 @@ v 1.8.5.4
==========================================================================
+ Better algorithm to "single out" plugin content prevents edgy
ClearClick false positives with absolutely positioned elements
- overlaying transparent plugin content, like in NFL.com scores page
+ overlaying transparent plugin content, like in NFL.com scores page
+ Improved ClearClick plugin object snapshots
v 1.8.5.3
@@ -6480,7 +6505,7 @@ v 1.8.3.8
==========================================================================
x Fixed ClearClick false positive on semi-transparent Flash objects
overlapping other content elements (thanks txhawkeye for report)
-
+
v 1.8.3.7
==========================================================================
x Restored Silverlight blocking on trusted pages for Firefox 2.0.x
@@ -6550,7 +6575,7 @@ x Fixed broken clicks on some frames (1.8.2.91 regression)
v 1.8.2.91
==========================================================================
-x Fixed some "Opaque embedded objects" glitches
+x Fixed some "Opaque embedded objects" glitches
v 1.8.2.9
==========================================================================
@@ -6613,7 +6638,7 @@ v 1.8.2.1
==========================================================================
x ClearClick technology backported to Gecko 1.8.1 based browsers such
as Firefox 2.0.x and SeaMonkey 1.1.x
-
+
v 1.8.2
==========================================================================
+ New "ClearClick" protection, specifically addressing Clickjacking,
@@ -6689,7 +6714,7 @@ v 1.8.1.2
x Switched "HTTPS|Automatic Secure Cookie Management" off by default:
even if all the reported login issues (especially the ebay.com one)
have been fixed, it probably deserves more testing from opt-in
- volunteers before a general "default-on" release
+ volunteers before a general "default-on" release
+ Unsafe cookies can be handled either globally (default), or per tab
(noscript.secureCookies.perTab)
x Fixed "force HTTPS" not working across some redirection patterns
@@ -6741,14 +6766,14 @@ v 1.8.0.6
v 1.8.0.5
==========================================================================
-+ Experimental "Forced Secure Cookies" feature, mitigates HTTPS
++ Experimental "Forced Secure Cookies" feature, mitigates HTTPS
cookie hijacking attacks (http://tinyurl.com/cookiehijack).
- Enabled by default, it can be disabled either globally, by toggling
+ Enabled by default, it can be disabled either globally, by toggling
the noscript.secureCookies about:config preference, or for specific
domains only, by listing them (space or comma separated) in the
noscript.secureCookiesException about:config preference.
Ref: http://hackademix.net/2008/09/10/noscript-vs-insecure-cookies/
-
+
v 1.8.0.4
==========================================================================
@@ -6774,7 +6799,7 @@ v 1.8
==========================================================================
+ "Make page permissions permanent" command
+ Meaningful tooltip for "Allow all in this page" and "Temporarily
- allow all in this page", listing affected sites
+ allow all in this page", listing affected sites
+ More meaningful tooltip for Revoke Temporary Permission, listing
affected sites and counting affected objects (Gecko >= 1.9)
x Rationalized keyboard accelerators for English menu items
@@ -6996,7 +7021,7 @@ x Fixed Firefox preference window not showing with some Linux themes
(thanks tom1978 for reporting)
x Fixed micro-injection false positive with 1password.com logins
(thanks bwoodruff)
-
+
v 1.7.1
==========================================================================
x Fixed changing permissions on one tab reload all tabs issue (thanks
@@ -7067,7 +7092,7 @@ v 1.6.9.1
complex JSON URLs, e.g. for some Orkut widgets
x Critical work-around for
https://bugzilla.mozilla.org/show_bug.cgi?id=439276
-
+
v 1.6.9
==========================================================================
+ Firefox 3.1a1pre compatibility
@@ -7114,12 +7139,12 @@ x More effective cross-site POST blocking
v 1.6.3
==========================================================================
-x Work-around for Songbird 0.5 bug (nsIEffectiveTLDService present
+x Work-around for Songbird 0.5 bug (nsIEffectiveTLDService present
but not really working)
v 1.6.1
==========================================================================
-+ Better feedback for blacklisted items on the page, by appending
++ Better feedback for blacklisted items on the page, by appending
untrusted sites count to "Untrusted" menu label
x Fixed bogus "allowed.yu" label for partially allowed pages where
all forbidden sites are marked as untrusted
@@ -7140,9 +7165,9 @@ x Better Seamonkey installation algorithm (thanks therube)
v 1.5.9.1
==========================================================================
-x Fixed infinite loop on some pages if noscript.blockCssScanners is
+x Fixed infinite loop on some pages if noscript.blockCssScanners is
true (thanks tlu and Itsnow for report)
-x Placeholder compatibility with latest trunk
+x Placeholder compatibility with latest trunk
(https://bugzilla.mozilla.org/show_bug.cgi?id=292789)
x Better installer for Seamonkey classic
@@ -7159,9 +7184,9 @@ v 1.5.8
==========================================================================
x Optimization of Injection Checker for iGoogle Calendar Widget
(thanks JonCage for report)
-x Fixed edge-case false positives due to URL encoding mixed to
+x Fixed edge-case false positives due to URL encoding mixed to
symmetric brackets(thanks Lundholm for report)
-x Fixed legacy Seamonkey UI regression introduced by Songbird
+x Fixed legacy Seamonkey UI regression introduced by Songbird
compatibility (thanks therube for report)
v 1.5.7
@@ -7190,7 +7215,7 @@ x Fixed "allowURLBarJS" preference cannot be disabled (thanks Aerik)
v 1.5.2
==========================================================================
-x Fixed unwanted blocking of some trusted Java applets thanks Mick
+x Fixed unwanted blocking of some trusted Java applets thanks Mick
Bramhall for report)
1.5.1
@@ -7219,9 +7244,9 @@ x Fixed chrome "domain" showing in menus (thanks Aerik)
v 1.4.9.7
==========================================================================
-+ New noscript.allowURLBarJS about:config preference allows
- javascript: and data: URLs to be run interactively from the
- location bar, e.g. for bookmarklet testing, even if currently
++ New noscript.allowURLBarJS about:config preference allows
+ javascript: and data: URLs to be run interactively from the
+ location bar, e.g. for bookmarklet testing, even if currently
displayed site is not whitelisted (default true)
+ Improved overall bookmarklet compatibility on Firefox 3
x Adapted bookmarklet handling code to latest Places refactoring with
@@ -7264,21 +7289,21 @@ v 1.4.9
v 1.4.8
==========================================================================
-+ Better differentiation of Flash-based movie players and other
- general purpose plugin content instances by taking in account
++ Better differentiation of Flash-based movie players and other
+ general purpose plugin content instances by taking in account
flashvars attributes and param elements.
+ Improved Silverlight placeholders, now shown in real time and
supporting more activation schemes
v 1.4.7
==========================================================================
-+ Safe Silverlight placeholders restored by emulating the
++ Safe Silverlight placeholders restored by emulating the
IsVersionSupported() machinery (placeholders are usually delayed
by 3 secs or more)
v 1.4.6
==========================================================================
-x Silverlight plugin objects in content blocking mode made completely
+x Silverlight plugin objects in content blocking mode made completely
disabled (not just content-less) until they're allowed per-page
x Work around for a conflict with the PDF Download extension conflict
(thanks greenknight for report)
@@ -7290,7 +7315,7 @@ x Fixed Silverlight unblocking hooks not working if all kinds of
v 1.4.4
==========================================================================
-+ Content unblocking machinery made compatible with new Silverlight
++ Content unblocking machinery made compatible with new Silverlight
activation schemes (thanks al_9x and Alan Baxter for report)
v 1.4.3
@@ -7298,14 +7323,14 @@ v 1.4.3
+ Further fuzzification of injection checker patterns
x Slightly released window.name checks to allow some legitimate frame
tricks, e.g. in eBay Cross-promotions (thanks jlovie for report)
-x External URI validation decoding changed to accomodate ISO-8859 and
+x External URI validation decoding changed to accomodate ISO-8859 and
other encodings, rather than UTF-8 only (thanks Alf Buccheim)
-
+
v 1.4.2
==========================================================================
-+ Bookmarklet return values support on Mozilla trunk
++ Bookmarklet return values support on Mozilla trunk
x Fixed mailto: empty URL (new mail message) considered invalid
-
+
v 1.4.1
==========================================================================
x Fixed "onclick.match is not a function" issue when clicking on
@@ -7330,14 +7355,14 @@ x Fixed minor bugs in Blocked Objects menu early implementation
v 1.3.6
==========================================================================
-+ Descriptive icon for content types when possible on object
++ Descriptive icon for content types when possible on object
placeholders and menu items
x Improved CSS injection rules (thanks Azurite for report)
v 1.3.5
==========================================================================
-+ More consistent plugin content temporary permissions management:
- object permissions are granted per-session(not bound to the current
++ More consistent plugin content temporary permissions management:
+ object permissions are granted per-session(not bound to the current
tab anymore) and honor the "Revoke Temporary Permissions" command.
+ "Temporary allow content-type at http://site.com" commands in the
"Blocked Objects" menu temporary allows plugin content matching a
@@ -7358,7 +7383,7 @@ x Further XSS filter sensibility refinement
x Fixed double separators sometimes in menus (thanks niko322)
x Fixed "StumbleUpon Discovery" not compatible with "Forbid IFrames"
(thanks niko322)
-x Fixed URI protocol handler protection removing mailto: line breaks
+x Fixed URI protocol handler protection removing mailto: line breaks
(thanks Alf Buchheim)
v 1.3.3
@@ -7370,7 +7395,7 @@ x Fixed "a.getAttribute is not a function" issue (thanks wangyi6854
v 1.3.2
==========================================================================
-+ Scriptless support for history.go(x), history.forward() and
++ Scriptless support for history.go(x), history.forward() and
history.back() links/buttons (thanks timeless for suggestion)
+ resource: URI path traversal protection
+ New "noscript.allowedMimeRegExp" about:config option to whitelist
@@ -7378,7 +7403,7 @@ v 1.3.2
instance "application/pdf" or "image/.*"
+ Plugin content is always forbidden if coming from sites explicitely
marked as "Untrusted" (blacklisted). This behavior can be disabled
- by setting the "noscript.alwaysBlockUntrustedContent" about:config
+ by setting the "noscript.alwaysBlockUntrustedContent" about:config
option to false (thanks NakedStranger for suggestion).
x Fixed XSS false positive at mail.yahoo.com
x noscript.jsredirectFollow preference more effective on blank but
@@ -7398,7 +7423,7 @@ v 1.3
v 1.2.9.6
==========================================================================
+ Better plugin content placeholder management
-+ noscript.canonicalFQDN about:config preference to control
++ noscript.canonicalFQDN about:config preference to control
canonicalization of domains ending with a dot.
+ Updated translations
@@ -7408,12 +7433,12 @@ v 1.2.9.5
v 1.2.9.4
==========================================================================
-+ Tweaked preliminary URL screening optimizations to enhance
++ Tweaked preliminary URL screening optimizations to enhance
Injection Cheker sensibility (thanks Gareth Heyes)
v 1.2.9.3
==========================================================================
-+ Updated Injection Checker to take in account upper Unicode
++ Updated Injection Checker to take in account upper Unicode
JavaScript identifiers (thanks Gareth Heyes)
v 1.2.9.2
@@ -7440,8 +7465,8 @@ v 1.2.7
x Fixed Yahoo search XSS false positive by double checking valid JS
fragments for potential danger (10x firefoxisgreat2008 for report)
x Fixed the "form fields forgotten" issue by disabling the jsHack
- feature which caused it. If you need jsHack and you can afford this
- problem, just set the noscript.jsHackRegExp about:config preference
+ feature which caused it. If you need jsHack and you can afford this
+ problem, just set the noscript.jsHackRegExp about:config preference
to a regular expression matching the URLs where you want it enabled
x Fixed content placeholders not showing on some sites
x Fixed POST payload shouldn't stripped as a consequence of injection
@@ -7464,7 +7489,7 @@ x Fixed NOSCRIPT content shown in pages allowed on the fly with
v 1.2.3
==========================================================================
-+ Improved Injection Checker JSON compatibility, now recursively
++ Improved Injection Checker JSON compatibility, now recursively
checking content of string attributes
x Further JS syntax check optimizations
x Fixed potential XBL-based crash after successful -moz-binding
@@ -7473,7 +7498,7 @@ x More discreet XSS notification for subframes
v 1.2.2
==========================================================================
-x Changed noscript.filterXGetRx default to make single quote removal
+x Changed noscript.filterXGetRx default to make single quote removal
happen only after positive injection checks (thanks sirdarckcat for
suggestion)
@@ -7488,7 +7513,7 @@ v 1.2
==========================================================================
+ Better protection against Flash-based XSS and other plugin-related
cross-site attacks
-+ Better feedback for allowable sites from embedded redirections
++ Better feedback for allowable sites from embedded redirections
(thanks Leo Häfliger for report)
+ XSS filtering in subframes gets notified (was silent by default)
x Fixed temporary allowed site prevents parent from being allowed
@@ -7501,7 +7526,7 @@ v 1.1.9.9
==========================================================================
+ Hardened injection checker (thanks Gareth Heyes)
x Better compatibility with Wikimedia sites
-x Fixed rtsp: and mms: plugin content always considered untrusted
+x Fixed rtsp: and mms: plugin content always considered untrusted
(thanks Florian Gerstenlauer for report)
x Fixed one-click plugin activation (with no confirmation) sometimes
deferred to next page refresh (thanks Erwin J. Knöll for report)
@@ -7517,7 +7542,7 @@ v 1.1.9.7
==========================================================================
+ new "Revoke temporary permissions" command
+ new Plugins option: "Collapse blocked objects"
-+ new Plugins option: "No placeholder for object coming from sites
++ new Plugins option: "No placeholder for object coming from sites
marked as untrusted"
x Fixed OBJECT count bug when placholders are not shown
x Work-around for IETab incompatibility with noscript.contentBlocker
@@ -7602,11 +7627,11 @@ x Fixed installation issue on SeaMonkey (thanks R.N. Folsom)
v 1.1.8.3
==========================================================================
-+ The "noscript.tempGlobal" about:config preference causes the
- "Globally Allow" status to be revoked at the end of each session
++ The "noscript.tempGlobal" about:config preference causes the
+ "Globally Allow" status to be revoked at the end of each session
(thanks chconnor and Alan Baxter for suggestion)
+ The "noscript.lockPrivilegedUI" about:config preference blocks
- Error Console and DOM Inspector (useful in locked down setup to
+ Error Console and DOM Inspector (useful in locked down setup to
prevent preferences from being unlocked by user's chrome JS code)
+ More reliable base domain recognition
+ Switch to nsIEffectiveTLDService on Gecko >= 1.9 above (Firefox 3)
@@ -7627,7 +7652,7 @@ v 1.1.8.1
v 1.1.8
==========================================================================
+ Version bump for Firefox 3
-+ Temporarily allow sites matching the regular expression(s) in the
++ Temporarily allow sites matching the regular expression(s) in the
noscript.whitelistRegExp about:config preference (thanks MaZe)
x Further QA for release
x Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
@@ -7650,16 +7675,16 @@ x Various IFrame blocking refinements
v 1.1.7.7
==========================================================================
-x Fixed installation problems with addons.mozilla.org automatic
+x Fixed installation problems with addons.mozilla.org automatic
update
v 1.1.7.6
==========================================================================
+ srv.br "special" TLD (thanks Rodrigo Ristow Branco)
+ Better protection against "setter" based XSS vectors and encoded
- "name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see
+ "name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see
http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/ )
-+ Improved hidden links management, preserves original body CSS
++ Improved hidden links management, preserves original body CSS
attributes when possible (thanks mdots)
v 1.1.7.4
@@ -7688,7 +7713,7 @@ x Fixed IFRAME in place activation shouldn't reload parent page
v 1.1.7.1
==========================================================================
-+ New "Plugins/Forbid IFRAME" option per Gareth Hayes' and Om's
++ New "Plugins/Forbid IFRAME" option per Gareth Hayes' and Om's
request, see http://sla.ckers.org/forum/read.php?13,15701,15840
x Fixed logic inconsistency between "Plugins/Forbid xyx" and
"Plugins/Forbid other plugins" (thanks Kadeos);
@@ -7708,7 +7733,7 @@ x Fixed startup "sudden death" issue (thanks Alan Baxter)
v 1.1.6.26 (1.1.7RC1)
==========================================================================
+ Moved plugin content options to a new top-level "Plugins" tab
-+ New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by
++ New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by
default like "Plugins/Forbid Java™"
+ New "Plugins/Apply these restrictions to trusted sites too" option
+ Enchanced sensibility for the JS URL detection feature
@@ -7719,10 +7744,10 @@ v 1.1.6.26 (1.1.7RC1)
+ Arabic (thanks Nassim Dhaher)
+ Indonesian(thanks regfreak)
+ Experimental Intel MidBrowser support
-+ Experimental preference locking support (look at the mozilla.cfg
++ Experimental preference locking support (look at the mozilla.cfg
sample inside the XPI for details)
x Fixed meta-refresh notification failing to appear sometimes
-x Cleanup of the counter-measures against Sirdarckcat's redirected
+x Cleanup of the counter-measures against Sirdarckcat's redirected
script trick (available for Fx >= 2.0 only) with user feedback
x Fixed full address no more shown in allowing menu for numeric IP
or TCP-IP explicit port URLs (thanks blahhhy for report)
@@ -7757,14 +7782,14 @@ x Fixed inconsistent status icon feedback (thanks Alan Baxter)
v 1.1.6.19
==========================================================================
-x Fix for the massive breakage on Mozilla trunk caused by landing of
+x Fix for the massive breakage on Mozilla trunk caused by landing of
the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=377696
(thanks Quarantine and Peter(6) for reporting)
v 1.1.6.18
==========================================================================
-+ noscript.safeJSRx preference allows to specify a regular expression
- matching statements allowed in a top-level javascript: URL. Default
++ noscript.safeJSRx preference allows to specify a regular expression
+ matching statements allowed in a top-level javascript: URL. Default
value allows sessionstore prompt javascript:window.close() trick
(http://forums.mozillazine.org/viewtopic.php?p=3033780#3033780)
@@ -7780,10 +7805,10 @@ v 1.1.6.16
==========================================================================
x Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from
working: browser packages are whitelisted by default, extensions
- and other chrome packages can be optionally whitelisted adding a
+ and other chrome packages can be optionally whitelisted adding a
noscript.forbidChromeExceptions.packageName preference set to true,
and the noscript.forbidChromeScripts preference defaults to false
- now, since Bug 292789 couldn't do any harm unless some extension
+ now, since Bug 292789 couldn't do any harm unless some extension
does very stupid things.
x Fixed incompatibility with the BookmarksHome extension
@@ -7791,7 +7816,7 @@ v 1.1.6.15
==========================================================================
+ Support for keyword-driven bookmarklets on untrusted pages (thanks
Mike Rocker and therube for report/request)
-+ noscript.forbidChromeScripts preference (true by default), prevents
++ noscript.forbidChromeScripts preference (true by default), prevents
script tags in content (non chrome:/resource:/file:) documents from
referencing chrome: scripts, see
https://bugzilla.mozilla.org/show_bug.cgi?id=292789
@@ -7805,7 +7830,7 @@ x Version bump for Minefield
v 1.1.6.13
==========================================================================
+ Enhanced the "multi-port shorthand" feature to accept "*" wildcard
- for subdomains, e.g. "http://*.google.com:0" matches every http
+ for subdomains, e.g. "http://*.google.com:0" matches every http
google subdomain with any port number (thanks Dave Faraldo for RFE)
+ Added a "noscript.fixURI.exclude" about:config preference where
protocols which should not be escaped by NoScript can be specified
@@ -7817,7 +7842,7 @@ v 1.1.6.12
exploits. You can add your uri-validator anchored regular
expressions as an about:config preference named like
"noscript.urivalid.protocolname" to validate the URI substring
- immediately following scheme + colon (see the noscript.urivalid.aim
+ immediately following scheme + colon (see the noscript.urivalid.aim
pre-configured example entry)
x Minor change in query string parser, it doesn't drop "=" splitted
chunks exceeding the first two anymore
@@ -7830,7 +7855,7 @@ v 1.1.6.11
v 1.1.6.10
==========================================================================
-x Fixed configuration conflict preventing javascript: links from
+x Fixed configuration conflict preventing javascript: links from
opening in some circumstances (thanks england and haklin)
v 1.1.6.08
@@ -7841,7 +7866,7 @@ x Fix for popup content loaded in the opener window regression (from
v 1.1.6.07
==========================================================================
x Further refinement of URL protocol handler protection to cope with
- special configuration-depending cases with mail/news protocols
+ special configuration-depending cases with mail/news protocols
(not affecting SeaMonkey) - thanks Rios and McFeters for generic
PoC, thanks Darkdata for specific test case
@@ -7862,7 +7887,7 @@ v 1.1.6.04
+ Smarter Anti-XSS filters allowing non-latin characters
x Kill duplicates in "Partially allowed" statistics
x Switched to getDefaultBranch() for volatile CAPS preferences in
- order to grant a clean "Safe Mode" even after Firefox crashes
+ order to grant a clean "Safe Mode" even after Firefox crashes
(thanks Benjamin Smedberg for suggestion)
v 1.1.6.03
@@ -7885,8 +7910,8 @@ x Fixed "Clear private data" window not closing if you hit "OK" on
v 1.1.6
==========================================================================
+ "Light" injection checks are enabled also with "Scripts Globally
- allowed" (notice that allowing scripts globally is still a very bad
- idea, since POST injections and other XSS attacks launched using
+ allowed" (notice that allowing scripts globally is still a very bad
+ idea, since POST injections and other XSS attacks launched using
JavaScript, Java or Flash are virtually undetectable)
x Better XSS notification/UI feedback on partial loads
x Depth limit to URL decoding
@@ -7907,11 +7932,11 @@ v 1.1.5.05
==========================================================================
+ Smarter injection detector for trusted to trusted requests
x Fixed "this.docShell has no properties" issue (many thanks therube)
-x Fixed external URLs not opening in IETab (thanks chili1)
+x Fixed external URLs not opening in IETab (thanks chili1)
v 1.1.5.04
==========================================================================
-x Fixed traceback regression skipping checks on permissions change
+x Fixed traceback regression skipping checks on permissions change
v 1.1.5.03
==========================================================================
@@ -7936,7 +7961,7 @@ x Extra QA for public release
v 1.1.4.9.070627
==========================================================================
-+ Added "0" shorthand to match all *explicit* IP ports on the same
++ Added "0" shorthand to match all *explicit* IP ports on the same
protocol/host, e.g. http://acme.com:0 matches http://acme.com:8080
and http://acme.com:9999, but neither https://acme.com:8080 nor
http://acme.com
@@ -7984,13 +8009,13 @@ x Work-around for interference of some tab-related extension with
v 1.1.4.9.070620
==========================================================================
+ Protection against so called "Universal XSS" through JS URLs opened
- by external applications, as explained in
+ by external applications, as explained in
http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html
v 1.1.4.9
==========================================================================
-+ noscript.injectionCheck about:config option adds first-line
- detection for XSS injections in GET requests originated by
++ noscript.injectionCheck about:config option adds first-line
+ detection for XSS injections in GET requests originated by
whitelisted sites and landing on top level windows. Value can be:
0 - never check
1 - check cross-site requests from temporary allowed sites
@@ -8000,13 +8025,13 @@ v 1.1.4.9
the new "Detect and show JavaScript redirections" feature
+ noscript.jsredirectFollow about:config option enables/disables
auto-following if a single redirect is detected on a textless page
-x "Allow top level sites by default" won't affect sites that have
+x "Allow top level sites by default" won't affect sites that have
been manually forbidden during the current session (to make
this exception permanent, mark the site as untrusted)
v 1.1.4.8.070618
==========================================================================
-+ New placeholders for plugin content can be right clicked like any
++ New placeholders for plugin content can be right clicked like any
"regular" link, e.g. to "Save Link As..." or "Copy Link Location"
+ Placeholders for plugin content are rendered real-time during load
+ Experimental detection of JavaScript redirections (thanks timeless)
@@ -8019,7 +8044,7 @@ x Fixed untrusted blacklist import bug (thanks MZFuser)
v 1.1.4.8.070606
==========================================================================
+ edu.tw special TLD (thanks twocs)
-+ New noscript.autoReload.global about:config preference controls if
++ New noscript.autoReload.global about:config preference controls if
automatic reload affects global allow / forbid (thanks lulu135)
+ New noscript.autoReload.allTabs about:config preference controls if
automatic reload affacts all or just current tab (thanks lulu135)
@@ -8041,7 +8066,7 @@ x Fixed minor notification glitches in Fx 1.5 (thanks arete7)
v 1.1.4.8.070528
==========================================================================
-x Performance optimization of options dialog closure for long
+x Performance optimization of options dialog closure for long
whitelists used in conjunction with long blackists (thanks arete7)
x Automatic notification hiding for background tabs (thanks arete7)
v 1.1.4.8.070523
@@ -8055,8 +8080,8 @@ v 1.1.4.8.070522
+ "org.uy", "net.uy" and "edu.uy" special TLDs (thanks Mauricio)
x Nicer url randomization
x Improved notification on nested URL XSS sanitization
-x Fixed external load request detection failing "randomly" in some
- setups (regression from the IETab incompatibility work-around)
+x Fixed external load request detection failing "randomly" in some
+ setups (regression from the IETab incompatibility work-around)
v 1.1.4.8.070521
==========================================================================
@@ -8065,8 +8090,8 @@ x Fixed regression from bug 53901 work-around, "Mark as untrusted
v 1.1.4.8.070520
==========================================================================
-x Resolved 070509 conflict with IETab + Tab Mix Plus causing some
- tab-diverted links to open in new windows (thanks to Nuttysman,
+x Resolved 070509 conflict with IETab + Tab Mix Plus causing some
+ tab-diverted links to open in new windows (thanks to Nuttysman,
niko322, Alan Baxter)
v 1.1.4.8.070514
@@ -8076,8 +8101,8 @@ x *Fast* reload also with fragment URI (thanks Martin Focke)
v 1.1.4.8.070513
==========================================================================
-x Fixed last minute regression slipped in Anti-XSS GET filter (some
- suspicious query strings entirely removed, rather than sanitized)
+x Fixed last minute regression slipped in Anti-XSS GET filter (some
+ suspicious query strings entirely removed, rather than sanitized)
v 1.1.4.8.070512
==========================================================================
@@ -8089,19 +8114,19 @@ v 1.1.4.8.070511
x Fixed "black boxes" glitch on page unload (thanks jdopple)
x Fixed XSS exceptions must allow blank value (thanks Martin Focke)
x Fixed reloading URLs with hash(thanks Martin Focke)
-x Work-around for Minefield bug displaying wrong labels on cloned
+x Work-around for Minefield bug displaying wrong labels on cloned
menu items (thanks Itsnow)
-x Fixed regression, menu popup not shown by keyboard shortcut when
+x Fixed regression, menu popup not shown by keyboard shortcut when
both toolbar button and status bar element are hidden (thanks
niko322)
v 1.1.4.8.070509
==========================================================================
-+ noscript.xss.trustExternal about:config preference controls if
++ noscript.xss.trustExternal about:config preference controls if
anti-XSS filters should be bypassed for URLs opened from external
applications like email clients (default false)
+ noscript.xss.trustTemp about:config preference controls if anti-XSS
- should be bypassed if URLs are opened from "temporary allow"ed
+ should be bypassed if URLs are opened from "temporary allow"ed
sites (default true, thanks Salim for suggestion)
x Wikipedia default XSS exception tweaked to include apostrophes in
titles (thanks Alan Baxter for report)
@@ -8125,7 +8150,7 @@ v 1.1.4.8.070502
==========================================================================
x Fixed Linux Flash blocking crash when placeholders are active
(thanks mastro for report)
-x (Hopefully) ultimate fix in referrer XSS sanitization (thanks Alan
+x (Hopefully) ultimate fix in referrer XSS sanitization (thanks Alan
Baxter)
v 1.1.4.8.070501
@@ -8140,7 +8165,7 @@ v 1.1.4.8.070429
==========================================================================
+ Shortcut to show NoScript menu works even if status bar icon and
toolbar button are both hidden
-x Fixed "Options..." button not working if status bar was hidden
+x Fixed "Options..." button not working if status bar was hidden
(thanks napiertt and joymus)
x Fixed regression in XSS notifications due to 070427 fix (some XSS
suspicious requests were silently cancelled, rather than sanitized
@@ -8150,12 +8175,12 @@ x Fixed "empty Untrusted menu" (thanks niko322)
v 1.1.4.8.070428
==========================================================================
x Fixed using keyboard shortcut always shows status icon
-x Fixed closing toolbar button menu always shows status icon
+x Fixed closing toolbar button menu always shows status icon
v 1.1.4.8.070428
==========================================================================
x Fixed using keyboard shortcut always shows status icon
-x Fixed closing toolbar button menu always shows status icon
+x Fixed closing toolbar button menu always shows status icon
v 1.1.4.8.070427
==========================================================================
@@ -8163,7 +8188,7 @@ x Fixed referrer sanitization glitch (thanks Alan Baxter)
v 1.1.4.8.070426
==========================================================================
-x Fixed Refresh Blocker and Tab Mix plus redirection permissions
+x Fixed Refresh Blocker and Tab Mix plus redirection permissions
incompatibility (thanks tabasco.kfarmer and Mc)
x Fixed SeaMonkey "removed content" placeholder (thanks therube)
x Fixed Seamonkey "Reset" button placement (thanks Phil Chee)
@@ -8173,8 +8198,8 @@ v 1.1.4.8.070425
+ Experimental "noscript.contentBlocker" about:config preference
to block Java, Flash and other plugins in whitelisted sites as well
x Fixed bug in toolbar button Untrusted submenu (thanks Steve1000)
-x Better XSS management on whitelisting automatic reloads (XSS checks
- for whitelisting reloads can be disabled by toggling off the
+x Better XSS management on whitelisting automatic reloads (XSS checks
+ for whitelisting reloads can be disabled by toggling off the
"noscript.xss.trustReloads" preference in about:config)
v 1.1.4.8.070424
@@ -8196,16 +8221,16 @@ v 1.1.4.8.070422
+ XSS notifications for Fx 1.5 too
+ XSS status bar icon appears when XSS activity is detected:
left/right click opens XSS menu, middle click hides icon
-+ META redirection status bar icon appears when needed:
- click follows redirection once, shift+click remembers for session,
++ META redirection status bar icon appears when needed:
+ click follows redirection once, shift+click remembers for session,
middle click hides icon
x Fixed a regression (070420 only) with Import/Export buttons broken
x Fixed toolbar button removal messing with other NoScript menus
(thanks niko322 for report)
x Fixed file:// URL item not showing anymore regression
(thanks Shingoshi for report)
-x Fixed regression in Option Dialog: removing from whitelist didn't
- work if applied to just one site (multiple batch did work, though)
+x Fixed regression in Option Dialog: removing from whitelist didn't
+ work if applied to just one site (multiple batch did work, though)
- thanks Alan Baxter for report
v 1.1.4.8.070420
@@ -8232,12 +8257,12 @@ v 1.1.4.8RC1 (1.1.4.7.070419)
+ Option to block META refresh inside NOSCRIPT elements: a prompt
will be shown asking if you want to follow the redirect, and
choice will be remebered across the current session
- (noscript.forbidMetaRefresh.remember preference, dismissing the
+ (noscript.forbidMetaRefresh.remember preference, dismissing the
notification with its close button means "keep blocked")
thanks rsnake and Alan Baxter for suggestion (Firefox 2 only)
+ "XSS-Unsafe Reload" menu item in the XSS notification bar popup
+ "XSS FAQ" menu item in the XSS notification bar popup
-+ noscript.xss.notify.subframes about:config preference to control
++ noscript.xss.notify.subframes about:config preference to control
notification for XSS in subframes (default false, suppressed)
+ Option to toggle sites by (2nd level) domain, rather than full URL
x Default "Show NoScript menu" shortcut changed to Ctrl+Shift+S
@@ -8266,7 +8291,7 @@ x Improved Anti-XSS Protection compatibility with some message boards
v 1.1.4.7
==========================================================================
+ First "official" anti-XSS release
-+ New plugin content detection algorithm defeats latest aggressive
++ New plugin content detection algorithm defeats latest aggressive
Flash cloaking strategies (e.g. http://www.hardocp.com/ )
+ Improved subframe detection, includes object elements (e.g.
http://www.operamini.com/demo/ )
@@ -8275,8 +8300,8 @@ v 1.1.4.7
v 1.1.4.6.070409
==========================================================================
-x Fixed weird intermittent interference with dynamic JavaScript
- inclusion via document.write() used by some JavaScript libraries
+x Fixed weird intermittent interference with dynamic JavaScript
+ inclusion via document.write() used by some JavaScript libraries
(e.g. Prototype, Dojo or Tiny-MCE)
v 1.1.4.6.070404
@@ -8296,9 +8321,9 @@ v 1.1.4.6.070321
==========================================================================
+ XSS sanitization of the whole request URL
+ XSS sanitization of the referrer URL
-+ XSS filters exceptions for some "trusted" addresses requiring
++ XSS filters exceptions for some "trusted" addresses requiring
cross-site complex query strings (controlled by a regexp in the
- noscript.filterXExceptions hidden preference, defaults to Google
+ noscript.filterXExceptions hidden preference, defaults to Google
search and Yahoo search)
+ Better general search engine compatibility with anti-XSS filters
x Several performance optimizations
@@ -8306,7 +8331,7 @@ x Several performance optimizations
v 1.1.4.6.070318
==========================================================================
+ First anti-XSS countermeasures round: "default deny" sanitization
- is applied to every request coming from an unknown (restricted)
+ is applied to every request coming from an unknown (restricted)
site and landing on a trusted (scripting allowed) site:
1. GET requests with a query string get all the matches for the
noscript.filterXGetRx regular expression replaced with space
@@ -8318,8 +8343,8 @@ v 1.1.4.6.070318
v 1.1.4.6.070317
==========================================================================
-x Customizable keyboard shortcuts (about:config - noscript.keys.*)
-x Quick toggle (by shortcut or toolbar) behaviour changed to
+x Customizable keyboard shortcuts (about:config - noscript.keys.*)
+x Quick toggle (by shortcut or toolbar) behaviour changed to
*Temporarily* Allow / Forbid (old behaviour can be restored by
setting the about:config noscript.toggle.temp pref to false)
@@ -8327,7 +8352,7 @@ v 1.1.4.6.070316
==========================================================================
+ Super fast reloading after toggling permissions
+ Hebrew (thanks to Asaf Bartov)
-x removed mozillazine.org and mozilla.org from the default list
+x removed mozillazine.org and mozilla.org from the default list
(thanks Wladimir Palant)
x Fixed a resource deallocation issue (thanks Higmmer)
x Fixed a potential slowdown on startup
@@ -8336,16 +8361,16 @@ x Removed logging code slipped in a release
v 1.1.4.6.070304
==========================================================================
+ Added many ".id" special TLDs (thanks FatMan)
-x Fixed localization-related bugs (e.g. untrusted menu showing just
+x Fixed localization-related bugs (e.g. untrusted menu showing just
the first character for each site)
x Other minor bug fixes
v 1.1.4.6.070302
==========================================================================
+ SeaMonkey compatible keyboard shortcuts
-+ Added a couple of about:config options (noscript.keys.*) to disable
++ Added a couple of about:config options (noscript.keys.*) to disable
keyboard shortcuts: just blank their values. Notice: changing the
- option value to a different key is possible, but it doesn't
+ option value to a different key is possible, but it doesn't
actually work (yet?)
x Fixed a regression in the "Export" functionality
@@ -8378,7 +8403,7 @@ v 1.1.4.5.070127
+ "Link Local Files" optional permission for trusted sites
+ "noscript.excaps" hidden pref for CAPS conflicts resolution (e.g.
with Google Toolbar and other Google extensions)
-+ "Temporarily allow top-level sites by default" new preference
++ "Temporarily allow top-level sites by default" new preference
(not advised and disabled by default)
+ Menu items referring to current location are hilighted in bold
+ New preference in Options|General controls toolbar button reaction
@@ -8417,7 +8442,7 @@ x Fixed a timing bug in stand-alone plugin interception
v 1.1.4.4
==========================================================================
-+ be-BY (Belarusian) thanks to DRKA
++ be-BY (Belarusian) thanks to DRKA
+ JavaScript links fixing made compatible with AllPeers
+ Better interception of plugin content
x Fixed a plugin placeholder bug (thanks to tanstaafl for reporting)
@@ -8445,7 +8470,7 @@ x Fixed "removeLinkFixer" warning (thanks to Pablo)
v 1.1.4.1
==========================================================================
-+ Left clicking on NoScript toolbar button toggles permissions for
++ Left clicking on NoScript toolbar button toggles permissions for
current top-level site
+ Shift+Click on a Java/Flash/Object placeholder temporarily hides it
+ "Attempt to fix JavaScript links" now skips "real" hash URLs
@@ -8476,7 +8501,7 @@ v 1.1.3.8
==========================================================================
x Another emergency release to fix Babelzilla bugs with Asian
languages (mass-reverting to 1.1.3.5 properties files to be sure).
-- Removed permanent whitelist (all the web sites can can
+- Removed permanent whitelist (all the web sites can can
be forbidden from the UI, no more about:config need)
v 1.1.3.7
@@ -8488,10 +8513,10 @@ v 1.1.3.6
+ "Fix JavaScript links" option: enabled by default, attempts to
automatically turn JavaScript links into regulars anchors on load
+ Advanced options "Allow <a ping...>" on trusted sites (defaults to
- the browser settings) and "Forbid <a ping...>" on untrusted sites
- (default yes) give user control on the new, debated "ping" anchor
+ the browser settings) and "Forbid <a ping...>" on untrusted sites
+ (default yes) give user control on the new, debated "ping" anchor
attribute
-
+
+ New hidden (about:config) boolean preference "noscript.consoleDump"
controls if blocked contents must be logged to the console (false
by default)
@@ -8519,7 +8544,7 @@ v 1.1.3.4
v 1.1.3.3
==========================================================================
+ Placeholder icon can be hidden (NoScript Options|Advanced)
-+ Message bar notifications can be set to go away automatically after
++ Message bar notifications can be set to go away automatically after
5 seconds
+ Bulgarian (thanks to Georgi Marchev)
+ Simplified Chinese (thanks to George C. Tsoi)
@@ -8543,13 +8568,13 @@ v 1.1.3.1
+ Optional status bar label (with Firefox-only context menu)
+ Support for Unicode domains
x Work-around for Firefox bug #307678 (dialogs freeze)
-x Handle about:neterror and about: (help) "always allowed" exception
+x Handle about:neterror and about: (help) "always allowed" exception
v 1.1.3
==========================================================================
+ Toolbar button
+ Java/Flash/Plugin content can be temporarily allowed (for the
- current tab) with a left click on its placeholder
+ current tab) with a left click on its placeholder
+ Further optimizations in site matching
+ Japanese (thanks to beerboy)
+ Polish (thanks to Lukasz Biegaj)
@@ -8580,9 +8605,9 @@ x Fixed little Spanish locale issue
v 1.1.0
==========================================================================
-+ Customizable message position, top or bottom (new default)
++ Customizable message position, top or bottom (new default)
+ Customizable audio sample for feedback
-+ (Firefox only) Advanced options to forbid Java™, Flash® and other
++ (Firefox only) Advanced options to forbid Java™, Flash® and other
plugins (Java™ forbidden by default, since many users don't
know the difference between Java and JavaScript)
+ Advanced options to allow rich-text clipboard on trusted sites
@@ -8628,19 +8653,19 @@ x Audio feedback with more discreet sound effect :-)
v 1.0.6
==========================================================================
+ Whitelist import/export (thanks hsmwrv for suggestion)
-+ Only 2nd level (base) domains shown by default in the "Allow" menu
++ Only 2nd level (base) domains shown by default in the "Allow" menu
items (easier operation for non-geeks; geeks can still revert to
the old fine grained interface using the "Appearance" options)
+ Blocked scripts audio feedback (thanks to Markus for suggestion)
+ about:config/noscript.permanent can be changed live (no FF restart)
x chrome content URL are properly whitelisted (XUL error pages OK)
-x Fixed empty permanent list problem (thanks to Patrick and Oremina
+x Fixed empty permanent list problem (thanks to Patrick and Oremina
for report)
v 1.0.5
==========================================================================
+ "Appearance" option to hide/show popup menu and status bar icon; if
- you decide to hide both, options are still reachable through the
+ you decide to hide both, options are still reachable through the
Extension Manager context menu (thanks Dick Minor for suggestion)
+ 2nd level domain trick doesn't clutter Options Dialog anymore
(http[s]:// auto-prefixed domains are hidden in whitelist)
@@ -8649,7 +8674,7 @@ x Fixed menu layout (thanks to TheOneKEA for report)
v 1.0.4
==========================================================================
+ Automatically creates http:// and https:// prefixed URLs when a 2nd
- level domain (xyz.com) is allowed, as a workaround for Firefox not
+ level domain (xyz.com) is allowed, as a workaround for Firefox not
matching URLs with a raw 2nd level domain if no protocol is listed
(thanks to Laura for report)
+ "Allowed" status feedback for chrome:// URLs (pacanukeha)
@@ -8658,8 +8683,8 @@ x Core functionality refactored in a XPCOM service
v 1.0.3
==========================================================================
+ Feedback about actual presence of script elements in current page
- (white "S" icons if no script tag is found, while number of found
- tags is shown in the tooltip - thanks to Volker for suggestion)
+ (white "S" icons if no script tag is found, while number of found
+ tags is shown in the tooltip - thanks to Volker for suggestion)
+ Feedback about partial permissions in pages containing subframes
(a broken red "stop" sign means only some frames are forbidden)
+ Events are coalesced for better performance and stability
@@ -8668,8 +8693,8 @@ v 1.0.3
+ Added hotmail/msn/passport domains to default whitelist (thanks to
Swann for suggestion)
+ Added googlesyndication.com and noscript.net to permanent list ;)
-x Fixed whitelist options dialog sometimes "forgetting" recently
- added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for
+x Fixed whitelist options dialog sometimes "forgetting" recently
+ added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for
their reports)
v 1.0.2
@@ -8682,12 +8707,12 @@ x moved "Options" and "About" items to the top of status bar menu
x added mozillazine.org and gmail.google.com to default allow list
x no duplicates in menu when multiple frames share the same
ancestor domain (e.g. mozillazine.org)
-
+
v 1.0.1
==========================================================================
+ Contextual menu for easy operation in statusbar-less windows
+ Current page is automatically reloaded when permissions are changed
-+ Support for implicit subdomain inclusion (e.g. if you add
++ Support for implicit subdomain inclusion (e.g. if you add
mozilla.org, you allow www.mozilla.org, addons.mozilla.org etc.)
+ German translation (thanks to my friend Thomas Weber)
x Fixed localization issue
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/noscript.git
More information about the Pkg-mozext-commits
mailing list