NoScript 2.x - Friendly Security


97 replies to this topic

#31 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 33,485 posts

Posted 13 January 2012 - 08:37 PM

NoScript v 2.2.6
x [XSS] Fixed sanitization reporting bug

v 2.2.6rc1
+ [XSS] Protection against new kind of response splitting + XSS combo
attack responsibly disclosed by Mike Brooks


#32 Chachazz


Posted 27 January 2012 - 06:11 AM

NoScript v 2.2.8
x [ClearClick] Fixed regression, 2.2.8rc1 swallowing clicks on some nested
documents

2.2.8rc1
x [ClearClick] Protection against Koto's Cursorjacking technique disclosed
at http://blog.kotowicz...king-again.html

2.2.7
x [ClearClick] Protection against two steps interaction attack based on
HTML5 DnD (thanks .mario for reporting)


#33 Chachazz


Posted 11 February 2012 - 05:47 PM

NoScript v 2.3
x Fixed about:newtab not considered as a local origin by ABE
+ Added blob:, about:memory and about:support to the automatic whitelist
x Added reflected script inclusion check exception for intensedebate.com
x Fixed CSS issues on Gecko 1.8

v 2.3rc2
x Fixed about:newtab not considered as a local origin by ABE

v 2.3rc1
+ Added blob:, about:memory and about:support to the automatic whitelist
x Added reflected script inclusion check exception for intensedebate.com
x Fixed CSS issues on Gecko 1.8

Get it!


#34 Chachazz


Posted 23 February 2012 - 08:41 AM

NoScript 2.3.1
+ Surrogate to let news pages escape Digg's frame
+ [ClearClick] Improved compatibility with cross-frame overlapping shadows
x Removed ClearClick bypass based on a Firefox SVG CSS filter bug (thanks
.mario for reporting)
+ adf.ly surrogate to automatically skip the interstitial page even if
scripts are disabled
x Improved Google search surrogates
+ New surrogate against Google's scriptless tracking of search results
navigation

Get it!


#35 Chachazz


Posted 27 February 2012 - 03:08 AM

NoScript v 2.3.2
x [XSS] Fixed regression in 2.3.2rc5 preventing some URLs from loading
x [XSS] Removed issue on Chinese pages using HZ-GB-2312 encoding (thanks
Masato Kinugawa for reporting)
+ [XSS] Added event injection checks for scriptless pages too, in order to
prevent edge-case execution on permissions change
x [XSS] Fixed InjectionChecker JavaScript scanning bug (thanks Masato
Kinugawa for reporting)
x [XSS] Improved HTML detection accuracy
+ Better tagging of surrogate sandboxes for about:memory debugging
x Improved glinks surrogate

Get it!


#36 Chachazz


Posted 09 March 2012 - 01:14 AM

NoScript v 2.3.4
x [ClearClick] Fixed subtle bug which may lead to infinite loops in some cases
(thanks G��r���� for reporting)

v 2.3.3
+ Improved InjectionChecker logging
x Reduced false positive rate on HTML injection checks (thanks therube for
reporting)
x [ClearClick] Fixed clicking on some plugin content causing elements of
the parent page to become white (thanks Markus Wienand for report)
x [ClearClick] Fixed minor bugs triggered by ABP placeholders
+ [ClearClick] Protection against partial obscuration via Flash objects
with OS-native wmode values (thanks David Lin-Shung Huang for reporting)
x [XSS] Further sensitivity tweaks
x [XSS] Better compatibility with some 3rd party ads on Ebay
x [XSS] Fixed false positive on dotted name-value assignments chained with
semicolons (e.g. on some Yahoo-served ads)

Get it!


#37 Chachazz


Posted 17 March 2012 - 07:32 AM

NoScript v 2.3.5

x Work-around for a Flash 32-bit issue (64-bit Firefox unaffected) causing Google Music Player to fail (thanks DG42 for original report, Alan Baxter for providing a test account, all the forum staff and many users for their help in reproducing)
x [ABE] Fixed "Sandbox" action permanently disabling plugins, frames and meta refreshes on the affected tab even if document changes (thanks Tom T. and Patrick E. for reporting)
x [ClearClick] Better special-casing for same-site embedded objects
x [Surrogate] Global variables introduced by sandboxed surrogates are attached as window properties after execution to fix recently surfaced scope-related bugs
x [XSS] Better window.name protection (thanks Masato Kinugawa for report)
x [XSS] Improved detection of javascript: URL injections

Get it!


#38 Chachazz


Posted 27 March 2012 - 12:27 AM

NoScript v 2.3.6
x Restored Nightly compatibility, broken by bug 719154
+ [ClearClick] improved compatibility with Disqus widgets (thanks El Cid
for reporting)
+ [AddressMatcher] Optimized trailing "*" in glob expressions
x Fixed origin URL detection flawed when certain wrapped URIs are loaded
(thanks Masato Kinugawa for reporting)
x [XSS] Fixed false positive with query string patterns mimicking array
access (thanks Aicke Schulz for reporting)

Get it!


#39 Chachazz


Posted 08 April 2012 - 06:11 PM

NoScript v 2.3.7
x [ClearClick] Work-around for "rapid fire" protection interfering with
some add-ons, such as 1Password (thanks Mike Tselikman for report) and
FloatNotes (thanks endofmiles and Tom T. for reports)
x [ClearClick] Compatibility with Bitdefender TrafficLight (thanks
Christopher A. M. Gerlach for reporting)
x [XSS] Enhanced InjectionChecker tolerance to certain URL patterns
containing domain-names as parameter values (thanks gazer75 for report)

Get it !


#40 Chachazz


Posted 20 April 2012 - 04:09 AM

NoScript v 2.3.8
+ Smart integration with the new browser-native click to play: if a plugin
object is manually allowed from NoScript's UI, it gets also natively
activated (noscript.smartClickToPlay about:config preference, http://kb.mozillazine.org/About:config)
+ Improved active content identity tracking, to avoid redundant blocking
steps across reloads
x Fixed redirections in legacy frames not being blocked (thanks "utente"
for reporting)
x [Surrogate] Surrogate to fix broken buttons at Uniblue e-commerce site

Get it !


#41 Chachazz


Posted 02 May 2012 - 04:35 AM

NoScript v 2.3.9
+ [ClearClick] More tolerant snapshot comparison algorithm (partially
backported from NSA) to reduce false positives (tweaked by the
noscript.clearClick.threshold percentage value in about:config)
- Removed about:credits from default whitelist
x [ClearClick] Fixed false positives (e.g. on embedded Vimeo movies) in
obscuration by windowed plugins checks
x Fixed compatibility regressions on Firefox 3.x
x Following links from the About dialog now closes it (thanks Guardian for
suggestions)
x Fixed NOSCRIPT META refreshes blocking not working when scripts are
globally allowed (thanks and Ken and Tom T. for reporting)
x [ClearClick] Fixed false positives caused by accelerated graphics with
some plugin content

Get it !


#42 Chachazz


Posted 04 May 2012 - 06:14 PM

NoScript v 2.4

x Improved temporary permissions management during bookmarklet execution
+ [Surrogate] Skimlinks surrogate script (thanks Drewett for reporting)
+ [XSS] Improved InjectionChecker detection of in-code multiple insertions
(thanks Krzysztof Kotowicz)
+ [XSS] InjectionChecker detection of single assignment evaluation through
global exception handling (thanks Gareth Heyes)
x [Locale] Fixed broken overlay on Basque localized browsers (thanks afa
for reporting)
x [XSS] Fixed bug in late window.name payload checking (thanks Soroush
Dalili for reporting)

Get it !


#43 Chachazz


Posted 11 May 2012 - 03:14 AM

NoScript 2.4.1
+ [XSS] Protection against exploitation of classic MS ASP's coalescing of
same-name query parameters (thanks Soroush Dalili for reporting)
+ [XSS] Protection against URL injections in window.name
x [XSS] Fixed case-sensitivity bug in detection of unicode escape
sequences (thanks Masato Kinugawa for reporting)
+ [Surrogate] adagionet.com inclusion surrogate
x Fixed "Allow sites open through bookmarks" regression (thanks jerryi and
therube for reporting)
x [XSS] Fixed bug in the InjectionChecker tokenization (thanks Phil
Purviance for reporting)
+ Added inclusion type check exception to the lesscss Google Code file
repository, often used as a CDN

Get it !


#44 Chachazz


Posted 20 May 2012 - 04:01 AM

NoScript v 2.4.2
x [ABE] IPv6 link-local addresses (fe80:/10) are not considered belonging
to the LAN anymore for the purpose of cross-zone request forgery checks
in order to safely work-around DNS misconfiguration issues in the wild
(thanks siu and ralf for reporting)
x [ABE] Fixed router WEB UI fingerprinting failing on some devices
because of redirection loops
x [XSS] Protection against HPP attacks exploiting URL parsing quirks
specific to ASP Classic (thanks Soroush Dalili for reporting)
x Fixed first application updates check failing on Nightly (bug 754393)
x [XSS] Fixed false positive regression on some file hosting sites (thanks
Janne Maekelae for reporting)

Get it !
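
The 2.4.2 ABE entry above changes which destinations count as LAN for cross-zone request forgery checks. The following is an added sketch of that classification, not part of the original post and not NoScript's code: the LAN ranges and the names `is_lan`, `is_cross_zone` and `verdicts` are assumptions, and all addresses are constructed samples.

```python
import ipaddress

# Assumed zone table for this sketch (not NoScript's actual list):
# loopback, RFC 1918 IPv4 and IPv6 unique-local addresses count as LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def is_lan(addr, link_local_is_lan=False):
    """Classify an address; the flag selects the pre-2.4.2 behaviour."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any zone id
    # Judge IPv4-mapped IPv6 addresses by the IPv4 address they carry.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 6 and ip in LINK_LOCAL_V6:
        return link_local_is_lan
    return any(ip.version == net.version and ip in net for net in LAN_NETS)


def is_cross_zone(origin_ip, dest_ip, link_local_is_lan=False):
    """True when a non-LAN origin causes a request to a LAN destination."""
    return (is_lan(dest_ip, link_local_is_lan)
            and not is_lan(origin_ip, link_local_is_lan))


# Constructed (origin, destination) pairs; documentation ranges stand in
# for public hosts.
SAMPLE = [
    ("203.0.113.10", "192.168.1.1"),      # WAN page -> router web UI
    ("192.168.1.20", "192.168.1.1"),      # LAN page -> router web UI
    ("203.0.113.10", "fe80::1%eth0"),     # WAN page -> link-local address
    ("203.0.113.10", "198.51.100.7"),     # WAN page -> WAN host
    ("203.0.113.10", "::ffff:10.0.0.5"),  # WAN page -> IPv4-mapped LAN host
]


def verdicts(link_local_is_lan):
    """Return one cross-zone verdict per sample pair."""
    return [is_cross_zone(o, d, link_local_is_lan) for o, d in SAMPLE]


if __name__ == "__main__":
    print("link-local treated as LAN:    ", verdicts(True))
    print("link-local not LAN (2.4.2):   ", verdicts(False))
```

Only the third pair changes verdict between the two policies; requests to the router and to the IPv4-mapped LAN host are flagged either way.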


#45 Chachazz


Posted 05 June 2012 - 11:44 PM

NoScript v 2.4.4
x [Locale] Updated he-IL (thanks baryoni)
x Fixed early synthetic DNS notification causing blank stripe on the
bottom of the first browser window if started maximized or fullscreen
- Removed Firefox 2.x compatibility code
x Fixed regression from 2.4.3rc3 causing same-site stylesheets to be
checked for mime type mismatches and XSLT inclusions to be incorrectly
blocked (thanks hanfi for reporting)

v 2.4.3
x Fixed JS links detection not resolving JS string escapes (thanks vyznev
for reporting)
x Fixed HTML 5 parser detection in META refresh processing being broken
by a removed browser preference
x Fixed exception raised by inclusion type checks when parent document's
URI has no host
+ [XSS] Better detection of free inline script injections (without string
literal evasion) inside function calls
+ The noscript.allowedMimeRegExp preference now applies also to Java,
Flash and Silverlight mime types

Get it !


