73 replies to this topic

[Chachazz]

 post_7183_1233429776.png   3.98K   0 downloadsNoScript 2 - Unparalleled Web Security!
by Giorgio Maone

Main good news

• Further anti-XSS enhancements (thanks Soroush Dalili, Masato Kinugawa and Phil Purviance)
• Better compatibility with some misbehaving websites.
• Several InjectionChecker improvements especially in double injections detection (thanks Soroush Dalili, Krzysztof Kotowicz, Gareth Heyes and others).
• Fixed Surrogate Scripts, which had been broken by a Nightly change.
• Vastly improved ClearClick algorithms increase accuracy and reduces false positives.

• Smart integration with the new (Firefox 14) browser-native click to play : if a plugin object is manually allowed from NoScript's UI, it gets also natively activated.
• Improved active content identity tracking, to avoid redundant blocking steps across reloads, e.g. on Youtube.
• ClearClick compatibility with add-ons which mix their UI with content, such as FloatNotes (thanks endofmiles and Tom T. for reports), 1Password, Bitdefender TrafficLight (thanks Christopher A. M. Gerlach for reporting) and others.
• Better InjectionChecker tolerance to certain URL patterns containing domain-names as parameter values (thanks gazer75 for report)
  
  
  
• Work-around for 32-bit Flash player bug causing incompatibilities on certain sites (e.g. Google Music).
• Improved XSS protection against window.name attacks (thanks Masato Kinugawa for reports).
  
  
  
• ClearClick protection against partial obscuration attacks via Flash objects with OS-native wmode values (thanks David Lin-Shung Huang for reporting).
• Improved >XSS filtercompatibility with some complex Yahoo and Ebay URLs.
  
  
  
• Enhanced accuracy of the InjectionChecker XSS filter (thanks Masato Kinugawa for reports).
• Improved surrogate against Google's scriptless tracking of search results navigation
• Better compatibility with Facebook, Digg and other websites.
• Increased ClearClick protection (thanks .mario for reporting).
• adf.ly surrogate to automaticaly skip the interstitial page even if scripts are disabled
• Right-clicking on NoScript menu items copy site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE)
• Browserid.org has been added to the default whitelist.
• Protection against Koto's Cursorjacking attack.
• Protection against new kind of response splitting + XSS combo attack disclosed by Mike Brooks (still bypassing Google Chrome's XSS Auditor and MSIE's XSS Filter).
• Protection against new Clickjacking technique based on HTML5 drag and drop (thanks .mario for reporting).
  
  
  
• Enhanced compatibility of XSS filter with recent "Verified by VISA" changes.
• Restored ClearClick compatibility with the Disqus comments system.
• Updated Firefox Aurora and Nightly compatibility.
• ClearClick protection against timing attacks demonstrated by Michal Zalewski.
  
  
  
• Defense against a new kind of XSS attack based on HTML5 features and discovered by Soroush Dalili and .mario.
• More reliable and manageable Script Surrogates.
• Protection against a scriptless keylogging attack reported by .mario.
• XSS filter now explicitly checks for potentially dangerous SMIL elements (thanks .mario for suggestion)
• Improved XSS filter decoding and sanitization accuracy (thanks .mario for reporting).
• ClearClick compatibility with some add-ons (e.g. FoxTab).
• Updated Hebrew translation (thanks baryoni).
• Enhanced protection against Clickjacking on nested windowed Flash targets (thanks Sommerrain and Tom T for reporting)
• Improved heuristic for Cross-Site Script Inclusion (XSSI) detection, fixes some issues with chat widgets on Yahoo! Mail and Hotmail.
• Protection against reflected Cross-Site Script Inclusion (XSSI).
• noscript.keys.tempAllowPage- about:config preference to configure a keyboard shortcut for "Temporarily allow all this page"
• noscript.keys.revokeTemp - about:config preference to configure a keyboard shortcut for "Revoke temporary permissions"
• noscript.menuAccelerators - about:config preference to switch keyboard accelerators for "(Temporary) allow all this page" menu items on/off
• Smoother placeholder activation when a page reload is not required.
• Better compatibility with latest and upcoming changes in Firefox internals.
• "Before" and "After" new kinds of script surrogates (whose sources are prefixed with '<' and '>' respectively) get executed immediately before and after the matching external script runs (thanks al_9x for RFE).
• Enhanced HTML 5 video/audio compatibility.
• Disqus surrogate prevents blocked Disqus placeholders to overlap the content(thanks al_9x).
• Facebook Connect surrogate prevents many sites from breaking even if connect.facebook.net is forbidden (thanks al_9x).
• New Google Plus One surrogate prevents many sites from breaking even if Plus One is blocked (thanks al_9x).
• Enhanced Google Analytics surrogate.
• NoScript now prevents view-source URIs from being embedded by web pages in frames: this disables a class of information leakage attacks while preserving web-compatibility.
• Compatibility with Firefox 9.0a1 (Nightly).
• Better out-of-the-box compatibility with Twitter and related services, such as the t.co URL shortener
  (NoScript emulates its script-based redirections with no need to allow JavaScript).
• Improved Java blocking usability.
• Increased performance boost on non-whitelisted pages.
• Enhanced Surrogate Scripts.
• Halved startup time impact (< 50ms).
• Various compatibility improvements.
• Specific protection against so called Double-clickjacking, independent from JavaScript permissions.
• Protection against against view-source content extraction attacks.
• Forbid <AUDIO>/<VIDEO> now prevents also Mozilla's Audio API from being abused when embedding restrictions are extended to whitelisted sites.
• Improved compatibility with Hotmail, Amazon and other popular services.
• Fixed Firebug conflict.
• Enhanced dynamic activation of blocked embedded objects when JavaScript is allowed (e.g. Yahoo videos).
• More compatible anti-XSS filters.
• "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings)
• Enhanced anti-XSS filters.
• Better Firefox 4 UI integration.
• Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
• Middle clicking NoScript's toolbar button temporarily allows all on current page.
• More reliable WAN IP detection for router protection.
• Better out-of-the-box compatibility with Paypal buttons on non whitelisted sites.
• StrictX-Content-Type-Options: nosniff support, to prevent "upsniffing" of script, image and stylesheet content, in addition to the inclusion type checks already enforced by NoScript on cross-site requests.
  This features lets Firefox 4 + NoScript (in "Allow Scripts Globally" mode!) achieve a 14/16 score on Browserscope's Security Test
• More compliant HSTS implementation.
• java script: and data: URIs typed or pasted in the address bar are not executed anymore by default, in order to prevent social engineering attacks which are quite common now on Facebook and similar sites. Bookmarklets still works as expected, and power users can re-enable address bar execution by setting the noscript.allowURLBarJS about:config preference to true.
• Boosted performance and memory efficiency in cross-site checks.
• Several site and extensions compatibility improvements.
• Better Firefox 4 UI integration.
• Enhanced Google Analytics Surrogate Script.
• Fixed Yahoo! Toolbar incompatibility.
• Several performance optimiziations, with halved startup time.
• Transparent Firefox Sync support, to share all your NoScript settings across multiple workstations.
• Several optimizationsfor Firefox 4.
• Transparent Firefox Sync support, to share all your NoScript settings across multiple workstations (disabled by default, can be activated by setting the noscript.sync.enabled about:config preference to true.
• Major performance enhancements.
• Improved anti-XSS protection against potential risks from new HTML 5 features.
• Automatic fallback for some types of AJAX-rendered web pages (e.g. on Gawker's sites) via Google's _escaped_fragment_ recommendation.
• More reliable WAN IP detection for router protection.
• Improved IPv6 ABE  Abe.png   1.24K   0 downloadscompatibility.
• Enhanced embedding placeholder tooltips.
• Better out-of-the-box compatibility with Paypal buttons on non whitelisted sites.
• Do Not Track feature updated to the new "official" DNT HTTP header.
• Restored status bar label by popular demand.
• Update localizations.
• More web-compatible X-Content-Type-Options: nosniff implementation, compensates for JSON and JavaScript cross-site resources served by Google some sites with both nosniff and a wrong content-type.
• Work around for buggy routers having their web console login broken by Do Not Track tracking opt-out support
• Middle clicking NoScript's toolbar button temporarily allows all on current page.
• Finer grained embedded content control.
• Improved integration with Firefox 4's "add-on bar".
• Removed vestigial/obsolete components and features (TLD service emulation, SeaMonkey uninstaller, embedding opacization, JAR blocking).
• Several performance optimizations.
• LiveConnect interception and blocking without any noticeable overhead.

• Protection against hexadecimal and binary encoded reflected XSS through SQL injection (SQLXSSI), partially found and disclosed (raw hexadecimal variant only) by Aditya K Sood.

• Configurable interception and disablement of LiveConnect Java VM scripting.
• Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
• Fixed Flash video issues due to recent Firefox changes.
• Improved HTTPS enforcement engine.
• Work-around for a bug in Google's X-Contet-Type-Options: nosniff support, affecting several Google properties, including Webmaster Tools and Youtube.
• Strict X-Content-Type-Options: nosniff support, to prevent "upsniffing" of script, image and stylesheet content, in addition to the inclusion type checks already enforced by NoScript on cross-site requests. This features lets Firefox 4 + NoScript (in "Allow Scripts Globally" mode!) achieve a 14/16 score on Browserscope's Security Test.
• The Recently blocked sites submenu is now rendered in bold when one or more of its subitems (in bold, too) had been requested from the current top-level website (thanks therube for RFE).
  Optimized ClearClick anti-clickjacking protection.
• Improved  ABE_Icon.png   1.24K   0 downloads ABE address-matching engine.
• Several web compatibility enhancements.
• Improved - Optimal calibration for the "one click" permission switching:
  NoScript's menu gets opened as soon as you point the status bar icon or the toolbar button. This behavior can be turned off by unchecking NoScript Options|Appearance|Open permissions menu when mouse hovers over NoScript's icon.
• Improved compatibility with Firefox 4 development builds and with web sites which handle cookies in buggy ways.
• "One click" permission switching behavior made smoother and extended to the toolbar button.

• True "one click" permission switching: NoScript's menu gets automatically opened as soon as you hover over the status bar icon. This behavior can be turned off by unchecking NoScript Options|Appearance|Open permissions menu when mouse hovers over NoScript's icon.
• Enhanced anti-XSS protection usability.
• Improved Surrogate Scripts.
• Better ClearClick compatibility with Flash movies inside frames when Adblock Plus is installed.
• More compliant HSTS implementation.
• Protection against XSS attacks exploiting Microsoft ASP's homographic unicode translation misfeature.
• Faster and more compatible Surrogate Script support.
• Improved UI accessibility (thanks Jonathan Ely for his help).
• More administrators-friendly protection against protection against DNS-rebinding attacks targeted to routers: device fingerprinting can be turned off by sending a "X-ABE-Fingerprint: Off" HTTP header, and fingerprinting requests (sent every 15 minutes instead of 5 now) are identified by a "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" User-Agent header. Furthermore, custom local subnets or IPs can be configured as a space-separated list in the noscript.abe.localExtras about:config preference.
• Restored compatibility with latest SeaMonkey and Firefox trunk builds.
• Better ClearClick accuracy on very tiny iframes.
• Faster and more compatible anti-XSS protection.
• Exclusive protection against DNS-rebinding attacks targeted to routers, including WAN IP variants.
• Several new Anti-anti-adblocker Surrogate Scripts to prevent pages from breaking when ads are disabled.
• NoScript 1.10.x is the last serie supporting Firefox 2.0 and older browsers.
• It will be updated only if affected by serious security vulnerabilities (very unlikely). This will allow the upcoming NoScript 2.x series to be developed faster and better, by removing legacy compatibility code and fully leveraging the latest APIs and language features.
• Built-in ABE  Abe.png   1.24K   0 downloads ruleset editor.

 post_7183_1274931037.png   917bytes   0 downloads Get it!

View the extensive development in NoScript v. 1.9.x here: NoScript 1.9.x - 'Your Friendly Web Cop'

[Chachazz]

X-Do-Not-Track support in NoScript
Posted by: Giorgio - 28 12 2010

Latest NoScript (2.0.9) supports the Do Not Track tracking opt-out proposal, joining AdBlock Plus in this experiment.

From now on, a web browser with NoScript installed warns every HTTP server it contacts that its user does not want to be tracked, i.e. that his data must not be collected for profiling and persistent identification purposes. I believe this is a safe assumption about the feelings of most if not all NoScript users.

Read the full article @ Giorgio Maone's blog - Hackademix.net

[Chachazz]

 logox60.png   9.84K   0 downloadsNoScript v 2.0.9.8
x Fixed empty tooltip for embedded placeholder on some RTL pages (thanks
Saad for reporting)
x Truncate URLs in placeholders tooltips at the the query string or hash,
to increase readability (thanks anystupidassname for RFE)
x Increased WAN IP checks interval to 1 hour reducing log spam on routers
- Removed some obsolete code

v 2.0.9.8rc2
x Fixed all IPv6 addresses in fc80::/24 subnet being erronously treated
like link-local addresses (thanks Jojo999 for reporting)
x Fixed "Unsafe Reload" not working for sanitized POST requests from
untrusted to trusted sites (thanks Lucas Malor for reporting)
+ Better compatibility with Paypal button hosted on non-whitelisted sites

v 2.0.9.8rc1
x [UI] Fixed toolbar button being added on the right of the window resizer
when Fx 4 is run for the first time with NoScript and the add-on bar is
visible
+ [UI] Hitting the "show UI" shortcut (ctrl+shift+S) a second time
dismisses NoScript's popup menu (thanks jso for RFE)
x [DNT] Restored header reordering after DNT header is added, in order to
match Firefox 4's header fingerprint

 post_7183_1282023403.png   917bytes   0 downloads Get it!

[Chachazz]

NoScript v 2.0.9.9
x Fixed spaces in ipecho response breaking WAN IP detection with one of
the mirrors
+ Experimental built-in profiler for debugging purposes

v 2.0.9.9rc5
+ Compatibility with Fire.fm
+ [XSS] Compatibility with latest Readability
x Tentative work-around for a WAN IP detection issue after sleep/wakeup

v 2.0.9.9rc4
+ Forced text-plain on documents which miss a content-type header but send
"X-Content-Type-Options: nosniff"
+ Increased compatibility of the X-Content-Options implementation

v 2.0.9.9rc3
x Work-around for surrogates not being executed on latest Fx 4 builds
x X-Content-Options implementation more compatible with Browserscope

v 2.0.9.9rc2
x Fixed AJAX fallback last-minute breakage (thanks dhouwn for report)

v 2.0.9.9rc1
+ Improved XSS filter to protect against potential risks from new HTML 5
features
+ AJAX fallback support via Google's _escaped_fragment_ recommendation,
can be disabled by toggling the noscript.ajaxFallback.enabled preference
(see https://code.google....b/ajaxcrawling/, thanks alexbobp for RFE)
+ New noscript.placeholderLongTip about:config preference to control
whether embedding placeholder tooltips should include query strings
and hash fragments or not (true by default)

http://noscript.net/

[Terryala]

NoScript 2.1.0.1

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change

v 2.1.0.1
==========================================================================
x Removed googlesyndication.com from the default whitelist
x Added securecode.com ("Verified by VISA") to the default whitelist, in
order to prevent surprise transaction failures
x [XSS] Exception for POST requests coming from a secure albeit not
whitelisted Verified by Visa (securecode.com) origin
x [ABE] Fixed bug causing excessive console noise from permissive rules
x Updated locales

v 2.1
==========================================================================
x Fixed various Script Surrogate inconsistencies

v 2.1.0rc6
==========================================================================
+ [ABE] Rulesets now are stored as preferences rather than files for
faster startup (less I/O) and more consistent settings management
+ [ABE/Sync] Rulesets are integrated into Firefox Sync for preferences too
x On first Firefox 4 run toolbar icon now gets added to the add-on bar
instead of the navigation bar if the latter is invisible, even if the
former is invisible as well (many users seem to expect it there)
x Fixed additional toolbar buttons too wide when labels are shown
x Fixed some Script Surrogate regressions (thanks al_9x for reporting)
x Work around for alert on new windows due to Mozilla's bug 608628
x Fixed placeholder not shown for embed elements placed inside invalid
object elements (thanks al_9x for reporting)

v 2.1.0rc5
==========================================================================
+ Firefox Sync integration can be switched off through the
noscript.sync.enabled about:config preference
x [XSS] Fixed false positive regression from recent Firefox 4
optimizations (thanks m_c for reporting)

v 2.1.0rc4
==========================================================================
x Further version-specific Script Surrogate optimizations

v 2.1.0rc3
==========================================================================
+ First shot at Firefox Sync native integration, synchronizes everything
except custom ABE rules
x [ABE] Optimized origin tracing
+ [ABE] INC(MEDIA) subtype matching HTML5 video and audio requests
+ [ABE] INC(FONT) subtype matching font embedding requests
x Huge refactoring in regular expression usage to optimize for Fx 4
x Script Surrogate optimization

v 2.1.0rc2
==========================================================================
x [ABE] Work-around for some Java plugin requests bypassing HTTP observers
(thanks tlu for reporting)
+ [ABE] Media HTML elements and plugin sub-requests are matched by the OBJ
inclusion subtype
+ [ABE] Font requests are matched by the OTHER inclusion subtype

v 2.1.0rc1
==========================================================================
x Fixed iframe content being sometimes opened in new tabs on Fx 4 when ABE
is enabled and DNS cache is missed

http://noscript.net/

[Chachazz]

 logox60.png   9.84K   0 downloads NoScript v 2.1.0.2
x [XSS] Improved XML prescreening

v 2.1.0.2rc5
x Halved startup time

v 2.1.0.2rc4
x More robust surrogate execution

v 2.1.0.2rc3
+ Label automatically hidden when NoScript's toolbar buttons are added to
the add-ons bar

v 2.1.0.2rc2
x Fixed AddressMatcher broken by RegExp changes in latest Minefield (
thanks linuser for reporting)

v 2.1.0.2rc1
x Fixed ABE options panel regressions due to the changed storage (thanks
al_9x for reporting)

 NoScript_Site_Icon.png   917bytes   0 downloads Get it!

[Chachazz]

 logox60.png   9.84K   0 downloadsNoScript v 2.1.0.3
x [L10n] Updated ro
x Restored some locales gone missing in previous dev build

v 2.1.0.3rc5
x Improved Google Analytics surrogate
x Experimental built-in Firefox Sync turned off by default (can be enabled
through the noscript.sync.enabled about:config preference)
x Tentative fix for some synchronization annoyances

v 2.1.0.3rc4
x Suppress any dump() logging when in Private Browsing mode, in order to
avoid X session log leakages on Linux
x Tentative fix for a RequestWatchdog lazy initialization race condition
(thanks Daniel Holbert for reporting)

v 2.1.0.3rc3
+ Warning when user closes the options dialog leaving broken ABE ruleset
behind (thanks al_9x for report)

v 2.1.0.3rc2
x Fixed Yahoo Toolbar breaking first browser window if NoScript 2.1.0.2 is
installed
x Various additional startup optimizations

v 2.1.0.3rc1
x Added some null checks to prevent Venkman noise (thanks timeless)

 post_7183_1282023403.png   917bytes   0 downloads Get it!

[Chachazz]

NoScript v 2.1.0.5
x Fixed recent memory optimizations breaking compatibility with some
extensions (thanks Alan Baxter for reporting)

v 2.1.0.5rc1
x Work-around for a Seamonkey initialization timing issue

v 2.1.0.4rc11
+ Improved performance and memory efficiency of cross-site checks
x Removed redundant primary origin from ABE messages
x More verbose initialization error reporting

v 2.1.0.4rc10
x Fixed memory leak on Nightly when watching the movie at http://ro.me
(thanks _nil and therube for reporting)

v 2.1.0.4rc9
x Fixed Script Surrogate execution breaking some framesets
x Fixed executing an interactive bookmarklet and closing current tab
during execution keeps scripts globally allowed
+ Disabled execution of java script: and data: URLs typed or
pasted in the address bar (noscript.allowURLBarJS preference)
+ Disabled execution of non-whitelisted scripts imported during execution
of java script: and data: URLs typed or pasted in the address bar
(noscript.allowURLBarImports preference)
+ Work around for Verizon's cache serving scripts with wrong media type

v 2.1.0.4rc8
x Fixed NoScript icon disappearing from add-on bar when mode == "text"

v 2.1.0.4rc7
x Better work-around for bit.ly sidebar triggering ClearClick warnings
(thanks Markus387 for reporting)

v 2.1.0.4rc6
x Work-around for bit.ly sidebar triggering ClearClick warnings
x Fixed placeholders with undersized type icon regression

v 2.1.0.4rc5
x Fixed Seamonkey hanging on some pages (thanks therube for reporting)

v 2.1.0.4rc4
x Fixed labels being shown for NoScript buttons on the add-on bar in some
configurations (thanks baciok for reporting)

v 2.1.0.4rc3
x Fixed minimum placeholder size not applied when embeddings have "auto"
as their computed CSS width or height (thanks al_9x for reporting)

v 2.1.0.4rc2
+ On scriptless pages, empty forms meant to be submitted via JavaScript
are automatically augmented with a submit button labeled after the
destination URL (thanks timeless for RFE)

2.1.0.4rc1
x Changed the noscript.forbidXBL default to 1 (OK for current Fx versions)
in order to avoid Lotus Mail issues (thanks Tina for reporting)
x [XSS] Fixed a false positive involving Amazon mp3 checkout (thanks Dan
Loomis for reporting)

[Chachazz]

NoScript v 2.1.1
x Fixed toolbar button hidden in popup windows (thanks Steven Roddis for
reporting)

v 2.1.0.6rc14
x Fixed double HTTP requests sent sometimes for document requests just
after DNS cache invalidation (thanks Lekensteyn and SLED for reporting)
x Removed NoScript and FlashGot download pages and added Yahoo! Mail as a
ClearClick exception, in order to prevent false positives in the message
panel (thanks be and sabret00the for reporting)
x Fixed conflict with IE Tab 2 causing new tab not to open URLs entered
in the address bar (thanks mc for reporting)

v 2.1.0.6rc13
x Fixed placeholders broken on trunk after fix for Gecko's bug 308590

v 2.1.0.6rc12
+ Added paypal.com and paypalobjects.com to the default whitelist, to cope
with the new in-page contribution setup at AMO and reduce XSS risks
+ Improved toStaticHTML() emulation (thanks .mario for reporting)

v 2.1.0.6rc11
x Fixed broken toolbar button on first window opened during first run ever
on Firefox 4.x (thanks al_9x for reporting)

v 2.1.0.6rc10
x Tentative fix for double HTTP requests sent sometimes upon DNS refresh
x Fixed XSS false positive on Google's Talk Gadget loading

v 2.1.0.6rc9
+ Improved bookmarklet execution handling (thanks @nomaded for reporting)
= Compatibility bump for Fx 7.0a1

v 2.1.0.6rc8
+ Further and less likely ASP-related tricks in InjectionChecker (thanks
Seroush Dalili for reporting)
x Fixed bookmarklets and JavaScript URLs broken in about:blank unless
imports are allowed (thanks Nick Ang for reporting)
+ JavaScript URL bar shortcuts are now treated as bookmarklet and executed
by default (thanks @nomaded for reporting)

v 2.1.0.6rc7
x More ASP idiosyncrasies taken in account by InjectionChecker (thanks
Soroush Dalili for reporting)

v 2.1.0.6rc6
x Fixed false positive in anti-exfiltration HTML injection checks

v 2.1.0.6rc5
x Fixed rc2 frame blocking regression (thanks milithruldur for report)

v 2.1.0.6rc4
+ Per-site WebGL blocking support (WebGL is implicitly disabled wherever
JavaScript is not allowed; it can be blocked on any other site by
checking "NoScript Options|Embedding|Forbid WebGL", and allowed per-site
by clicking on a placeholder of the blocked canvas or by using the
"Blocked objects..." menu if no canvas had been inserted in the page)

v 2.1.0.6rc3
x Work-around for Cocoon add-on being broken by NoScript's early usage
of the IO Service (thanks Dan Staudigel for reporting)

v 2.1.0.6rc2
x Fixed plugin documents can't be opened in NewsFox if embedding
restrictions are in place (thanks Mc for reporting)

v 2.1.0.6rc1
x Fixed broken anti image exfiltration rules in HTML injection checks on
noscripted pages (thanks Gareth Heyes for reporting)

[Chachazz]

NoScript v 2.1.1.1
+ Improved embedded object activation on Javascript-enabled pages via
dynamic method proxies (thanks al_9x for RFE)

v 2.1.1.1rc2
x [XSS] removed false positive at Well Fargo's login

v 2.1.1.1rc1
x Reduced request garbage collection frequency

 NoScript_Site_Icon.png   917bytes   0 downloads Get it!

[Chachazz]

NoScript v 2.1.1.2 (same as 2.1.2rc0)

See the changelog - very extensive list of changes
http://noscript.net/changelog

Download: http://noscript.net/getit

[Chachazz]

 logox60.png   9.84K   0 downloadsNoScript v 2.1.2.1
x Fixed rapid fire cross-site interaction protection interfering with
keyboard-based tab switching (thanks tikl for reporting)

v 2.1.2 (same as 2.1.2rc6)
x Minor tweaks to the new rapid fire cross-site interaction protection

v 2.1.2rc5
+ ClearClick protection against rapid fire cross-site interaction (AKA
double-clickjacking, thanks Colline Jackson for RFE)

v 2.1.2rc4
+ ClearClick protection against view-source content extraction attacks
(thanks Steven Roddis for RFE)
+ Current version number shown directly in all the "About NoScript" menu
items (thanks therube for RFE)
x Fixed NoScript icon status not updated when a tab is moved to a new
window (thanks dhouwn for reporting)

v 2.1.2rc3
x Fixed work around for Bug 668690 breaking feed viewer (thanks Jim Too
for reporting)

v 2.1.2rc2
x Disabled NoScript's X-Frame-Options support on Firefox 3.6.10 and above,
where it is built-in
x Work around for Bug 668690 affecting Gecko 2.0 and above (thanks Nemoar
and al_9x for reporting)

v 2.1.2rc1
x Fixed startup error in Nightly due to the merge of event target
interfaces in bug 658714 (thanks Hydraxr for reporting)

new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change

[Chachazz]

NoScript v 2.1.2.2
x [ClearClick] Fixed false positives due to backwards incompatibilities
with Fx 3.5 and below (thanks chas35 for reporting)
x [Nightly compat] Fixed import/export broken by nsIJSON interface changes
in recent nightly builds (thanks happy-dude for reporting)

[Chachazz]

v 2.1.2.4rc1
x [ClearClick] Restored compatibility with bit.ly (now bitly.com)

v 2.1.2.3rc3
x [ClearClick] Refactoring and isolation of the rapid fire protection

v 2.1.2.3rc2
x [ClearClick] Further refinement of rapid fire detection on tab switching

v 2.1.2.3rc1
x [ClearClick] Fixed delay on first event response after some kinds of tab
switching

Get it!

[Terryala]

NoScript 2.1.2.3

Latest stable version

http://noscript.net/getit