Full Version: NoScript 1.9x - 'Your Friendly Web Cop'
Gladiator Security Forum > Global Software Updates > Security Programs - Updates
Chachazz
NoScript 1.9 - Your Friendly Web Cop
by Giorgio Maone


Main good news:
  • Improved compatibility with Facebook Connect and Lycos Mail.
  • Enhanced bookmarklet support.


  • Better compatibility with Google Translate, Abine and Travelocity.
  • Improved embedding reload policies.

  • Revamped Embedding (previously known as "Plugins") features, including WebFont blocking and smarter reloading policies.
  • NoScript Options|Embeddings|Forbid <VIDEO> / <AUDIO> preference to control HTML 5 media blocking.
  • NoScript Options|Embeddings|Forbid @font-face preference to control WebFont blocking.
  • Improved Google Analytics surrogate script, handling form submissions.
  • X-Frame-Options default exception for https://mail.google.com/* as a parent, to allow GreaseMonkey scripts and extensions like Integrated GMail to embed Google Calendar inside the GMail inbox.


  • Improved bookmarklet emulation, supporting complex asynchronous remote imports.
  • Better control over X-Frame-Options: now it can be disabled either globally or per-site, by setting the noscript.frameOptions.enabled and the noscript.frameOptions.parentWhitelist about:config preferences, e.g. for allowing seamless Google Calendar integration.
  • Several XSS injection checker enhancements.
  • Strict Transport Security support.

  • First public Strict Transport Security implementation.
  • Surrogate script for Quantserve.

  • Improved XSS injection checker algorithms.
  • Better compatibility with most recent Flash activation frameworks.
  • Enhanced bookmarklet support.


  • New: Recently blocked sites menu helps detect active content sources which have been blocked but don't belong to the current page (e.g. those imported by extensions such as Ubiquity or Cooliris).
  • Better integration with the "Private Browsing" Firefox features: when exiting private browsing, both recently blocked sites and temporary permissions are "forgotten".
  • Improved protection against DOS attacks.
  • Several accuracy and speed optimizations in the XSS injection checker engine.
  • Complete HTML 5 media (audio and video) blocking on untrusted sites.
  • New layer of inclusion protection, checks whether 3rd party script and CSS files are served with proper content type.
  • Enhanced JAR abuse protection (thanks .mario for RFE).

  • Improved ABE rules syntax, now supporting raw IPs and subnets in address prefix/mask form.
  • New option to turn off ABE notifications (in NoScript Options|Notifications).

  • ABE (Application Boundary Enforcer) module providing protection against CSRF attacks.
  • Protection against internet to intranet attacks (e.g. router hacking from the web) thanks to the built-in SYSTEM ABE rule.
  • Improved JavaScript form submission emulation.
  • Enhanced and augmented Surrogate Scripts.

  • New Import/Export buttons in the NoScript Options dialog, backup the whole NoScript configuration in a single JSON file, as a disconnected alternative to the Weave/XMark synchronization functionality(Fx 3 and above).

  • NoScript now also blocks by default HTML 5 <video> and <audio> content from untrusted origins, like it does for plugins, to prevent malicious sites from exploiting media codec vulnerabilities.

  • Greatly improved bookmarklet support on untrusted pages, trying to turn setTimeout() calls into synchronous ones and to execute trusted imported scripts (e.g. in the Readability bookmarklet).

  • Enhanced HTTPS enforcement engine, correctly loading redirected images no matter their caching status and displaying a meaningful error message when causing a redirect loop.

  • Several speed, usability and stability improvements in the new NoScript preferences synchronization feature.
  • ClearClick ClickJacking protection compatibility with Feedly, Disqus and Sharethis.
  • Better Firefox 3.5 beta and Firefox 3.6 alpha support.
  • Experimental Backup NoScript configuration in a bookmark for easy synchronization feature, to be enabled in NoScript Options|General.
    It allows replicating NoScript preferences and permissions across multiple computers using a bookmark synchronization service such as Mozilla Weave or the XMarks extension.
  • New "partially allowed subcontent" icon Click to view attachment to indicate that the top site is blocked but some active sub-content (e.g. plugin objects or frames) is enabled.
  • NoScript now reports "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed, unless they can actually run because their hosting document is allowed as well.
  • ClearClick ClickJacking protection compatibility with the ShareThis extension.
  • Protection against exploitation of XSLT vulnerabilities like the one fixed in Firefox 3.0.8
  • Better compatibility with the Google Notebook extension and with the new Flash-based GMail attachment system.
  • New dedicated support forum.
  • Fixed Amazon glitch with blocked IFrame placeholders.
  • Improved HTTPS forcing engine, now capable of forcing HTTPS on background subrequests as well.
  • Fennec 1.0b1 compatibility.
  • Yieldmanager script surrogate (makes imageshack.us and other sites work with no need for whitelisting yieldmanager.com).
  • Performance boost of ClearClick ClickJacking protection on very crowded documents.
  • ClearClick incident reporting tool.
  • Improved script blocking and scriptless pages management.
  • Improved X-FRAME-OPTIONS compatibility support.
  • New exclusive protection against JSON and E4X hijacking.
  • Improved compatibility with some Amazon, Smugmug and Ebay features.
  • Anti-XSS filters performance optimizations.
  • Support for the Fennec Alpha 2 mobile browser.
  • Several improvements in blacklisting mode: even if whitelisting is still the recommended safest mode, you can use Allow scripts globally and still block sites you mark as untrusted. More importantly, you can still enjoy full Anti-XSS protection or be protected against ClickJacking and JSON hijacking even while you're keeping JavaScript allowed everywhere.
More in the changelog...

Supported browsers: Firefox 1.5.0.6 and above, SeaMonkey 1.0.5 and above, Flock, IceWeasel, Minefield
Other browsers based on Gecko 1.8.0.6 and above might work, but are not tested.

NoScript: get it!

New! Dedicated Support Forum.
Chachazz
NoScript 1.9
+ Improved ClearClick sensitivity (thanks Eric Lawrence for report)

NoScript CHANGELOG
Chachazz
NoScript v 1.9.0.4
x Fixed XHTML namespacing issues (thanks dhouwn for report)

v 1.9.0.3
x Fixed E4X hijacking false positive with scripts delimited by XML
comments and containing XML (thanks Jim Mattfield for report)

v 1.9.0.2

x Fixed X-FRAME-OPTIONS not working inside OBJECT elements (thanks
Joris van der Wel for report)
x Restored broken compatibility with Seamonkey 1.0.x (thanks James
Andrewartha for report)

v 1.9.0.1

x Work around for edge case false positive on plugins embedded in
cross-site framesets (thanks therube for report)

Chachazz
NoScript v 1.9.0.5
+ Upper limits for JS link detection loop (thanks Wladimir Palant)
+ about:certerror added to the intrinsic whitelist
+ ClearClick compatibility with the Link Alert extension
+ 3rd party script blocking improvements
x Updated Slovak translation

get it!


Chachazz
NoScript v 1.9.0.6
x Fixed page-level surrogates in subframes being executed too early
to be effective (thanks GossamerGremlin for report)
x Work-around for bug 4066046 (thanks Alice0755)
x Fixed incompatibility with the wfx_Versions extension (thanks
Archaeopteryx for report)
x Fixed double activation for nested OBJECT elements, e.g. apple.com
QuickTime movies (thanks al_9 for report)
x Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20
(thanks al_9x for report)

get it!

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change
Chachazz
NoScript v 1.9.0.8
x Work around for Mozilla bug 453825

v 1.9.0.7
x Work around for SimpleViewer and other Flash movies replaced with
innerHTML breaking on nsIContentPolicy presence (thanks Steffen
Zahn for reporting).

get it!
Chachazz
NoScript v 1.9.1
x ClearClick performance boost on crowded documents
x Updated French translation
x Reduced log spam on content blocking

v 1.9.0.92
+ Yieldmanager script surrogate (thanks orngjce223 for suggestion)
x Fixed "Attempt to fix JavaScript links" causing middle-clicks to
open JS link targets twice on Gecko 1.8 (thanks therube for report)

v 1.9.0.91
+ ClearClick incident reporting tool

v 1.9.0.9
x Fixed 20 seconds hang in injection checker on URLs containing long
sequences of the "<" character


get it!

Chachazz
NoScript v 1.9.1.2
+ HTTPS forced on background requests (images, stylesheets,
scripts, embeddings, AJAX...) as well (thanks mattmccutchen's RFE)
+ Fennec 1.0b1 compatibility

v 1.9.1.1
x Fixed XSS false positive on SAMLP payloads (thanks MysticOrchid
for reporting)

get it!
Chachazz
NoScript v 1.9.1.4
x Fixed placeholder size miscalculation for hidden blocked objects
(thanks al9_x for report)
x Fixed HTTPS enforcing on documents causing an initial aborted
HTTP documents request on Gecko < 1.9 (thanks al_9x for report)

v 1.9.1.3
x Fixed URIPatternList glob compiling bug (thanks mattmcutchen)

get it!



Chachazz
NoScript v 1.9.1.6
+ Improved ClearClick specificity on zoomed pages (fixes a false
positive on GMail's Flash-based attach link when zoom is active)
x Temporarily disabled ClearClick on 3.6a1pre because of bug 486200

v 1.9.1.5
+ XSLT stylesheets are regarded as active content and blocked by
default on untrusted documents and/or from untrusted origins
+ "Forbid IFrame" compatibility with the Google Notebook extension
(thanks chojrak11 for RFE)
x Fixed HTTP not enforced on redirected background requests (thanks
al_9x for report)
x Fixed work-around for bug 453825 causing unhandled error messages
visible in Firebug (thanks Pavol Goga for report)

get it!
Chachazz
NoScript v 1.9.1.91
x Fixed notifications reporting "Forbidden" on some partially allowed
pages

v 1.9.1.9
x Fixed notifications reporting "Partially allowed" on fully allowed
pages (thanks Grant Parris for report)
x Fixed source code (view-source: originated) POST requests being
turned into GET requests

v 1.9.1.8
+ New "partially allowed subcontent" icon to indicate that the top
site is blocked but some active sub-content (e.g. plugin objects
or frames) is enabled
+ New script sources inventory behavior reporting "Scripts Forbidden"
instead of "Scripts Partially Forbidden" even if 3rd party script
sources are allowed unless their hosting document is allowed too
+ New "noscript.clearClick.subexceptions" preference to list sources
of embedded content which don't need to be protected by ClearClick
x ClearClick compatibility with the "ShareThis" extension

v 1.9.1.7
x Fixed multiple placeholder regression on Gecko < 1.9 (Firefox 2.x)

get it!

Chachazz
NoScript v 1.9.2
+ Experimental "Backup NoScript configuration in a bookmark for easy
synchronization" feature (enable it in "NoScript Options|General")
x Fixed potential DNS leak in some proxied setups when opening URLs
with FQDNs as their hostnames (thanks Rolf Wendolsky for report).

get it!
Chachazz
NoScript v 1.9.2.2
+ Performance optimization of preferences bookmark-based persistence
x Fixed residual object blocking glitches (thanks Aerik, Pirlouy and Endor)

Noscript v 1.9.2.1
x Changed the bookmark format so that you don't get an error message when you open it, even though it's not meant to be opened.
x Fixed bookmark synchronization skipped when using the sticky menu commands.
x Fixed various glitches related to object blocking and recent Gecko builds

http://noscript.net/getit

Chachazz
NoScript 1.9.2.4
+ Improved Gecko >= 1.9.1 support
x Updated nl-NL translation
x Fixed notification icons broken on Minefield (Fx 3.6a1pre)
x Fixed blocked objects in "restrictions on trusted sites" mode not
being counted for "partially allowed" reporting

v 1.9.2.3
+ Localization-agnostic title for configuration sync bookmark
+ Localizable info page when opening the configuration sync bookmark
x Fixed external XSLT sources not being reported in NoScript menus
even if blocked unless a different type of active content comes
from the same origin
+ A "NoScript development support filterset" gets added to AdBlock
Plus, whitelisting the noscript.net, flashgot.net, informaction.com
and hackademix.net web sites recently broken by an aggressive
EasyList campaign against sites sponsoring NoScript development.
ABP users are informed both on the install and on the release notes
pages, so they can easily disable the filterset if they whish to.

http://noscript.net/getit

Chachazz
NoScript v 1.9.2.6
+ NoScript now automatically removes the controversial "NoScript
Development Support Filterset" deployed with NoScript 1.9.2.3 and
above on startup, permanently and with no questions asked.

v 1.9.2.5
+ One-time startup prompt to ask users *beforehand* if they want to
install/keep or permanently delete the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
x Fixed filterset bug: it could be disabled but not removed.
x Fixed "Attempt to fix JS links" not working for drop-down lists on Gecko < 1.9 (thanks therube for report)
x Updated zh-CN translation
x Updated el-GR translation

http://noscript.net/


Chachazz
NoScript v 1.9.2.8
+ 100x speedup of bookmark-based configuration persistence
+ NoScript tries to synchronize its configuration with foreign
bookmarks when the "Backup configuration in bookmarks" gets enabled
in order to ease adding new "slaves"
x Excluded temporary permissions from bookmark-based synchronization
x Fixed XMark synchronization failing because of XMark's 4KB limit on
bookmark URIs
x Fixed opening the [NoScript] configuration bookmark hanging the
AutoPager extension
+ Disqus ClearClick exception
+ Feedly ClearClick exception

v 1.9.2.7
+ "NoScript Options|Notification|Display release notes on update"
checkbox
x Fixed XSLT blocking regression

Chachazz
NoScript v 1.9.3.1 is out!
x Fixed automatic secure cookie management being enabled by default
(thanks therube for report)
get it!

v 1.9.3
+ Redirect loops caused by HTTPS enforcement now trigger the standard
redirect loop error page (thanks Matt McCutchen for RFE)
x Fixed https-forced embedded objects not being loaded unless already
cached (thanks Matt McCutchen for report)

v 1.9.2.93
x Fixed 1.9.2.92 regression breaking "Revoke temporary permissions"

v 1.9.2.92
+ Improved bookmarklet support, trying to turn setTimeout calls into
synchronous ones and to execute trusted imported scripts (e.g.
in the Readability bookmarklet)
+ Slightly "beautified" JSON export format (one preference per line)
x Fixed 1.9.2.91 regression, preventing permissions changes made in
NoScript Options from being saved under some random circumstances
(thanks GµĺrĐďĺń for reporting)

v 1.9.2.91
+ Import and Export buttons in NoScript Options to backup and restore
the whole NoScript configuration (preferences and permissions) to
and from a text file.

v 1.9.2.9
+ Native media (audio/video HTML 5 elements) blocking
x Huge refactoring modularizing XSS, ABE, ClearClick, HTTPS extras
and utility classes
Chachazz
NoScript v 1.9.3.3
x Fixed fatal exception on JSON XSS checks (thanks HeikoAdams for
report)

v 1.9.3.2
x Fixed whitelist import/export broken by new global import/export (
thanks Tim Johnson for report)
Chachazz
NoScript updated v 1.9.5
x Fixed forbidden objects in allowed documents not causing partially
allowed icon on first load in Gecko < 1.9 (thanks al9_x for report)
x Fixed forbidden objects in mixed trusted/blacklisted pages not
causing partially allowed icon (thanks al9_x for report)

v 1.9.4.91
x Fixed late request cancelation of scripts preventing page from
complete loading
x Fixed refreshing ABE rulesets enabling back disabled local rulesets

v 1.9.4.9
x Fixed DNS cache purging bug (thanks therube for reporting)

V 1.9.4.8
x Parallelization of DNS activity bringing huge ABE performance gain
x Minor fixes in LOCAL policies enforcing

V 1.9.4.7
x Fixed possible deadlock introduced in 1.9.4.6
x Fixed DNS cache purging bug

v 1.9.4.6
x Refactoring of content policy related code
x Another memory optimization iteration
x Restored automatic Seamonkey profile install cleaner

v 1.9.4.5
x Further memory footprint and performance ABE optimizations

v 1.9.4.4
+ Origin tracing speed and accuracy improvements
+ Enhanced frame busting emulation
+ Further DNS optimizations

v 1.9.4.3
x Optimized garbage collection in DNS 2nd level cache

v 1.9.4.2
x Fixed mixed content SSL false positives when ABE enabled
x Fixed file:// entry added to whitelist every time a 2nd level
domain gets allowed on Gecko >= 1.9 (thanks GµĺrĐďĺń for reporting)

v 1.9.4.1
+ Implemented 2nd level DNS cache fixing some artifacts/crashes on
Google Maps and some latency issues in Gecko < 1.9 (thanks therube
and Alan Baxter for reporting)

v 1.9.4 RC2
x Fixed page content getting randomly scrambled during heavily
concurrent loads when ABE's asynchronous networking is enabled
x Fixed password manager autofill failing sometimes (thanks Tommy Coe
for reporting)

v 1.9.4 RC1
+ First stable ABE (Application Boundaries Enforcer) release
+ Improved JavaScript form submission emulation (thanks aladin235 for
reporting about Twitter logout button)
+ Asynchronous networking in Gecko >= 1.9 for ABE preflight requests
and DNS checks (can be turned off by noscript.asyncNetworking
about:config preference)
+ noscript.ABE.legacySupport about:config preference to enable ABE
on older, less supported platforms (Gecko < 1.9)
+ Modularized SeaMonkey uninstaller
+ Bookmarklet emulation made compatible with latest Fx 3.5 builds
x Better UI feedback about CAPS parsing artifacts

v 1.9.3.92
x Fixed missing site rules being repeatedly fetched after 12 hours
timeout

v 1.9.3.91
+ Added gstatic.com (Google Maps and other services) to the default
whitelist
x Fixed broken embeddings from file:// URLs (thanks Endor for report)

v 1.9.3.9
x Fixed import/export buttons for whitelist and full configuration
overriding each other (thanks Alan Baxter for reporting)

v 1.9.3.8
+ Precise reporting of ABE DNS failures
+ Automatically include browser origins in Accept predicates
x Lighter XSS checks, relying on ABE for pre-screening when possible
(preventing some timeout-related false positives and random hangs)

v 1.9.3.7
+ More accurate NOSCRIPT web-bugs blocking, skipping same origin
images and scripted pages (thanks Jorgo for suggestion)
x Working link to ABE documentation in NoScript Options|Advanced|ABE
x Fixed ABE external editor failing to open on Mac OS X (thanks David
Bass for reporting)

v 1.9.3.6
+ Improved Google Analytics script surrogates
+ New Imagefap anti-popup script surrogates
+ Seamonkey 1.x streamlined installation process (profile local
installations are not supported anymore, but switching to
browser-wide is automatic on update)
+ Seamonkey 1.x automatic uninstall procedure (button provided in
NoScript Options)

v 1.9.3.5
+ Better placeholder management with weird plugin content nesting
(thanks nagan for request)
+ Faster and more streamlined cross-origin request tracking
x Fixed single asterisk ("*") glob pattern not compiling in URI pattern
lists (thanks Sirdarckcat for reporting)
x Fixed Fx 2 (Gecko < 1.9) non-secure requests for HTTPS-forced
resources being aborted rather than redirected (thanks al_9x for
reporting)

v 1.9.3.4
+ First public Application Boundaries Enforcer (ABE) prototype, see
NoScript Options|Advanced|ABE
+ SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
(check http://databasement.net/labs/localrodeo/ and
http://databasement.net/labs/localrodeo/testcases.php )

NoScript is Free Software (GPL), but if you find it useful, you can support its development :)
Chachazz
What's ABE?
Application Boundaries Enforcer

by Giorgio Maone

The NoScript browser extension improves web client security by applying a Default Deny policy to JavaScript, Java, Flash and other active content and providing users with a one-click interface to easily whitelist sites they trust for active content execution. It also implements the most effective Cross-Site Scripting (XSS) filters available on the client side, covering Type-0 and Type-1 XSS attacks; ClearClick, the only specific browser countermeasure currently available against ClickJacking/UI redressing attacks, and many other security enhancements, including a limited form of protection against Cross-Site Request Forgery (CSRF) attacks: POST requests from non-whitelisted (unknown or untrusted) sites are stripped of their payload and turned into idempotent GET requests.

Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level. Since the web was not originally conceived as an application platform, it misses some key features required for ensuring application security. Actually, it cannot even define what a “web application” is, or declare its boundaries, especially if they span across multiple domains, a scenario becoming more and more common in these “mashups” and “social media” days.

The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser.

This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either by the user himself, or by the web developer/administrator, or by a trusted 3rd party.

ABE rules, whose syntax is defined in this specification (pdf), are quite simple and intuitive, especially if you ever looked at a firewall policy file: [see website]

Living inside the browser, the ABE component can take advantage of its privileged placement for enforcing web application boundaries, because it always knows the real origin of each HTTP request, rather than a possibly missing or forged (even for privacy reasons) HTTP Referer header, and can learn from the user's feedback.

A preliminary ABE implementation is provided with NoScript 1.9.3.6 and above, and local rulesets can be configured from NoScript Options|Advanced|ABE. Rules for the most popular web applications will be made downloadable and/or available via automatic updates for opt-in subscribers, and UI front-ends will be provided to edit them manually or through a transparent auto-learning process, while browsing. Additionally, web developers or administrators can declare policies for their own web applications: if the user enabled the Allow sites to push their own rulesets option, ABE will honor them, unless they conflict with more restrictive user-defined rules.
As soon as browser support for the Origin HTTP header becomes widespread and reliable, an external version of ABE might be developed as a filtering proxy.

© Copyright 2009 Giorgio Maone - some rights reserved.
http://noscript.net/abe/index.html
http://noscript.net/
Chachazz
NoScript v 1.9.6.1
x Fixed session restore broken by some 1.9.6 ABE optimizations
x Fixed XMarks compatibility issue (thanks Matt Perkins for report)

V 1.9.6
+ Support for raw IP and subnets with address prefix/mask syntax in
ABE rulesets
x Improved UTF-8 XSS protection (thanks Sirdarckcat for discussion)
x Fixed ABE resource lists parsing glitches
x Improved "Anonymous" (formerly "Logout") ABE action behavior
x Fixed IP display in Allow/Forbid menu items on Gecko >= 1.9
x Added ABE local rulesets to configuration import/export dataset
x Fixed multibyte domain names couldn't be temporarily allowed nor
marked as untrusted (thanks fujita for reporting)

v 1.9.5.73
x Fixed "live" plugin unblocking broken on some sites (thanks therube
for reporting)

v 1.9.5.72
x Fixed CSS bug preventing placeholders from being hidden with
Shift+click

v 1.9.5.71
x Fixed Seamonkey 1.x breakage from 1.9.5.7 (thanks therube for
reporting)

v 1.9.5.7
+ ABE Logout action strips query strings from potential authorization
and session-related parameters and neutralizes non-idempotent
requests by switching their method to GET and removing uploads
x Fixed DNS optimizations causing ABE's "Logout" action to abort the
request sometimes (Gecko <= 1.8 will abort on Logout anyway if DNS
record is not cached)
x Improved usability with sites providing their own JS-based UI for
HTML5 VIDEO element
x Fixed placeholder not clickable if overlaid with a transparent
absolutely positioned element
x Fixed bug preventing the audio feedback sample from being changed
(thanks Rodney Crnkovic for reporting)

v 1.9.5.6
x Work around for Tab Mix Plus beta breaking bookmarklets and URL bar
JavaScript one liners on untrusted sites (Fx 3.5)

v 1.9.5.5
+ New Notifications|ABE option to disable ABE notifications
+ External requests on default ports to domain names different than
"localhost" resolving to 127.0.0.1 don't generate notifications, in
order to reduce spam from misconfigured hosts files (activity gets
still logged to the Error Console and notifications can be restored
by toggling the noscript.ABE.notify.namedLoopback preference)

v 1.9.5.4
x Fixed incompatibility with back-forward gestures in Mouse Gesture
Redux (thanks Kevin Schneider and Andrea Rodofili for reporting)
x Fixed "Open all tabs" glitches

v 1.9.5.3
x Fixed Google Analytics surrogates causing some sites to open
"undefined" URLs (thanks sanityvoid for reporting)

v 1.9.5.2
x Fixed ABE RFC 3330 support bug (thanks SkyBeam for reporting)

v 1.9.5.1
x Work around for NewTabUrl incompatibility
x Fixed undisclosed yet parsing bug (credits will be given where due
in a later release)
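The "What's ABE?" post above describes the boundary enforcer as an in-browser firewall that judges requests by their real origin, the SYSTEM rule (1.9.3.4) that keeps internet pages away from intranet resources, the Logout/Anonymous action (1.9.5.7) that strips query strings and turns non-idempotent requests into GET, and the 1.9.6 support for raw IPs and subnets in prefix/mask form. The following is an added example, not NoScript's own code, that models those behaviours in a single request evaluator. The rule object format, the first-match semantics, the definition of LOCAL as loopback, link-local and RFC 1918 space, and the DNS table are assumptions made for this example; the real ABE rule syntax is in the specification linked from the page.

```javascript
// Added example, not NoScript's own code: a miniature of the ABE idea.
// Each request is judged by its real origin (the document that issued it,
// which the browser knows even when the Referer is missing or forged) and
// by its destination. Rule format, first-match semantics, the LOCAL
// definition and the DNS table below are assumptions for this example.

// Constructed name resolution table standing in for ABE's DNS checks.
const DNS = {
  "bank.example": "203.0.113.10",
  "evil.example": "198.51.100.7",
  "router": "192.168.1.1",      // intranet device reachable by short name
  "localhost": "127.0.0.1",
  "dev.example": "127.0.0.1",   // hosts-file alias for loopback (see 1.9.5.5 notes)
};

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const resolve = host => (IPV4.test(host) ? host : DNS[host]); // undefined if unknown

function ipToInt(ip) {
  return ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
}

// Subnet in "prefix/bits" or "prefix/mask" form (10.0.0.0/8, 10.0.0.0/255.0.0.0).
function inSubnet(ip, subnet) {
  const [prefix, spec] = subnet.split("/");
  const mask = spec.includes(".") ? ipToInt(spec)
             : spec === "0" ? 0 : (0xFFFFFFFF << (32 - Number(spec))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(prefix) & mask) >>> 0);
}

// LOCAL is modelled as loopback, link-local and RFC 1918 space (assumption).
const LOCAL_SUBNETS = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                       "192.168.0.0/16", "169.254.0.0/16"];

// A predicate over a host name: "ALL", "LOCAL", a subnet, or an exact host.
function matches(pred, host) {
  if (pred === "ALL") return true;
  const ip = resolve(host);
  if (pred === "LOCAL") return !!ip && LOCAL_SUBNETS.some(s => inSubnet(ip, s));
  if (pred.includes("/")) return !!ip && inSubnet(ip, pred);
  return host === pred;
}

// For a destination matching `site`, the first `from` entry matching the
// requesting origin decides; a rule with no matching entry falls through,
// and a request no rule decides is accepted. The first rule emulates the
// SYSTEM rule: intranet resources accept requests only from intranet origins.
const RULES = [
  { site: "LOCAL",        actions: [{ from: "LOCAL",        action: "Accept" },
                                    { from: "ALL",          action: "Deny" }] },
  { site: "bank.example", actions: [{ from: "bank.example", action: "Accept" },
                                    { from: "ALL",          action: "Anonymize" }] },
];

const hostOf = url => new URL(url).hostname;

// The Logout/Anonymous action as the 1.9.5.7 notes describe it: strip the
// query string, make the request idempotent by switching to GET, drop uploads.
function anonymize(req) {
  const u = new URL(req.url);
  u.search = "";
  return { ...req, url: u.toString(), method: "GET", body: null };
}

// req = { origin, url, method, body }; returns { action, request } where
// request is null when denied and rewritten when anonymized.
function enforce(req) {
  const dest = hostOf(req.url), origin = hostOf(req.origin);
  for (const rule of RULES) {
    if (!matches(rule.site, dest)) continue;
    const hit = rule.actions.find(a => matches(a.from, origin));
    if (!hit) continue;
    if (hit.action === "Deny") return { action: "Deny", request: null };
    if (hit.action === "Anonymize") return { action: "Anonymize", request: anonymize(req) };
    return { action: "Accept", request: req };
  }
  return { action: "Accept", request: req };
}
```

A web page on evil.example posting to http://router/... is denied outright, while its POST to bank.example survives only as a query-less GET without a body, which is the shape of the CSRF neutralisation the first post describes. Because the decision is keyed on the resolved address rather than the name, a hosts-file alias or a short intranet name still lands in the LOCAL bucket, which is why ABE needs its DNS checks in the first place.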


Chachazz
NoScript v 1.9.6.2
x Fixed missing plugin placeholder when IFrames are forbidden
(thanks Grumpy Old Lady for reporting)
Chachazz
NoScript v 1.9.6.5
+ New layer of inclusion protection, checks if 3rd party script and
CSS files are served with proper content type (it can be disabled
via noscript.checkInclusionType preference; exception patterns can
be listed in the noscript.checkInclusionType.exceptions preference)
x Fixed subdomain matching glitch with 1 char subdomain prefixes


Get It!


v 1.9.6.4

+ "Block JAR remote resources being loaded as documents" now blocks
also script and CSS cross-site inclusions (thanks .mario for RFE)

v 1.9.6.3
x Fixed XSS false positives when asynchronous activity must be
performed in ABE



Chachazz
NoScript v 1.9.6.7
x Fixed inclusion content type checks blocking Twitter JSON feeds
loaded via SCRIPT elements (thanks Mel Reyes for reporting)

v 1.9.6.6
x Inclusion content type checks made more tolerant to dynamically
generated scripts and stylesheets (thanks therube for reporting)

http://noscript.net/getit
Chachazz
NoScript v 1.9.6.9
x Fixed default whitelist not being installed on first run anymore
since 1.9.6's fix for multibyte temporary allow / mark as untrusted

v 1.9.6.8
x Inclusion content type checking now graces default file extensions
x Improved XSS filter pre-screening efficiency
x Prefixed content type based inclusion blocking message

get it!
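The 1.9.6.5 notes introduce a check that a cross-site script or CSS file is actually served with a content type a script or stylesheet should have, and the 1.9.6.7 and 1.9.6.8 entries relax it for JSON feeds pulled in through SCRIPT elements and for URLs carrying the default file extension. The following is an added example, not NoScript's own code, that models that decision. The function and constant names, the glob format used for the exceptions list, and the sample inputs are assumptions made for this example.

```javascript
// Added example, not NoScript's own code: a model of the "inclusion type"
// check. A cross-site script or stylesheet is allowed only if the response
// Content-Type is one the including element expects, unless its URL carries
// the default extension or matches an exception pattern. Names, the glob
// format and the sample inputs are assumptions.

const SCRIPT_TYPES = new Set([
  "application/javascript", "text/javascript", "application/x-javascript",
  "application/ecmascript", "text/ecmascript",
  "application/json",   // JSON feeds loaded via <script>, as in the 1.9.6.7 fix
]);
const STYLE_TYPES = new Set(["text/css"]);
const DEFAULT_EXT = { script: [".js"], stylesheet: [".css"] };

// Stand-in for the exceptions preference: glob patterns, "*" matches anything.
const INCLUSION_EXCEPTIONS = ["https://cdn.example-ads.net/*"];

function globToRegExp(glob) {
  const parts = glob.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

function isException(url) {
  return INCLUSION_EXCEPTIONS.some(g => globToRegExp(g).test(url));
}

// Scheme and host (with port) must agree; anything else is cross-site here.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Normalise a Content-Type header: drop parameters such as charset, lowercase.
function mimeOf(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// kind: "script" | "stylesheet". Returns { allow, reason }.
function checkInclusion({ kind, documentURL, resourceURL, contentType }) {
  if (sameOrigin(documentURL, resourceURL)) return { allow: true, reason: "same-origin" };
  if (isException(resourceURL)) return { allow: true, reason: "listed exception" };
  const expected = kind === "script" ? SCRIPT_TYPES : STYLE_TYPES;
  const mime = mimeOf(contentType);
  if (expected.has(mime)) return { allow: true, reason: `content-type ${mime}` };
  const path = new URL(resourceURL).pathname.toLowerCase();
  if (DEFAULT_EXT[kind].some(ext => path.endsWith(ext))) {
    return { allow: true, reason: "default extension graced" };
  }
  return { allow: false, reason: `cross-site ${kind} served as ${mime || "(no content type)"}` };
}
```

The case the check is there for is a third-party URL that answers with text/html (or nothing at all) to a <script> or <link rel="stylesheet"> request: that is what a page pulling a victim's HTML or JSON into a script context looks like. The extension grace and the exceptions list are the same trade-off the changelog records: misconfigured servers are common enough that a strict check breaks real sites, so the relaxations make the check survivable in a browser extension.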
Chachazz
NoScript v 1.9.7
x Fixed "Send to" context menu item broken Google Toolbar 5 (thanks
Juan Ignacio Gaviria for reporting)
x Fixed cache issues in non-ABE blocking context on Gecko < 1.9
caused by alternate blocking method for ABE "Deny" action (thanks
al9_x and Tom T for reporting)

get it!

v 1.9.6.95
+ Signed XPI
x Fixed JS redirect detection overzealous on pages containing CSS
content-less links (thanks zaxy for reporting)
x Fixed issue with plugin content activation (thanks Mel Reyes for
reporting)

v 1.9.6.94
x More informative error messages on failed XSS filter DOS attempt

v 1.9.6.93
x Inclusion type checks play smoother on scripts dynamically served
with a wrong Content-type header
x Fixed temporarily allowing a class of objects from the Blocked
Objects menu not working sometimes (thanks Chad Morse for report)
x Fixed placeholders not working (invalid host name) on Gecko 1.8
(thanks hewee for report)

v 1.9.6.92
x More accurate (and lenient towards misconfigured servers) inclusion
type checks (thanks makini and Sheilaq for reports)

v 1.9.6.91
x Fixed HTTP Referer header being omitted when a DNS cached record is
not found for the request
Chachazz
NoScript CHANGELOG
Get it! : http://noscript.net/

NoScript 1.9.7.4 released!
x Decoupled legacy frame blocking from "Forbid IFrames" (thanks
Grumpy Old Lady for reporting)

1.9.7.3
x Fixed IFrame blocking being delayed to DNS resolution when ABE is
active (thanks Mike A. for reporting)
x Fixed Frame blocking leading to extra history entries on unblocking

1.9.7.2

x Content serviced with the "Content-disposition: attachment" header
(forced downloads) should not be subject to plugin blocking
policies (thanks nagan for reporting)
x ABE checks should be skipped for XHR requests made from chrome

v 1.9.7.1

x Inclusion type checks accommodating hosting errors in AOL gadgets,
outbrain.com widgets and E-junkie libraries
x Fixed es-CL locale metadata

Chachazz
NoScript v 1.9.7.7
x Fixed DNS cache status interfering with HTTPS redirections

v 1.9.7.6
+ Fixed HTTPS-bound active content restrictions preferences not being
honored sometimes (thanks Peter Meier for reporting)

v 1.9.7.5
+ HTML 5 video and audio are blocked also when loaded as documents
in a frame or in a top-level window

Chachazz
NoScript v 1.9.7.9
x Improved XSS filter compatibility with some decimal coordinates
patterns
x Fixed JavaScript IFrame manipulation causes documents to be loaded
in a new window sometimes (thanks Derek Greentree for reporting)

v 1.9.7.86
x Improved XSS filter compatibility with MySpace modules (thanks
Dixie for reporting)

v 1.9.7.85
x Improved permission change speed for very long lists / very slow
CPUs (thanks Boyd Noorda for reporting)

v 1.9.7.84
x Fixed HTTPS-forced subrequests being cancelled sometimes

v 1.9.7.83
x Fixed plugin content could not be navigated through legacy frames

v 1.9.7.82
x Fixed URL classifier not being called for hosts whose DNS record is
not cached yet by ABE (thanks "Fellow Noscripter" for reporting)

v 1.9.7.81
x Fixed domain name resolution delayed for cached failed responses
after a network reconnection (thanks foxicat for reporting)

v 1.9.7.8
x Fixed invisible links detection turning some links into absolutely
positioned if they have no layout on load (thanks dpmccabe for
reporting)
x Improved specificity of data: URL injection detection (thanks Tom
for reporting)
Chachazz
NoScript v 1.9.8.1
x Fixed Mac OS X specific hang bug triggered by STATUS_RESOLVING DNS
notifications for some sub-requests

v 1.9.8
+ ABE's caching DNS requests now send STATUS_RESOLVING notifications
(thanks al9_x for RFE)
x Improved injection checks (thanks Sirdarckcat for reporting)
x Fixed invalid chars in host names causing loads to fail without any
visible error feedback
x Work around for breakages caused by the .NET Framework Assistant,
http://adblockplus.org/blog/the-return-of-...ework-assistant
+ ABE grammar source (ABE.g) included in the distributed XPI (thanks
al9_x for noticing its absence)

Get It!


Chachazz
NoScript v 1.9.8.4
x Fixed ABE internal redirection on DNS cache miss interfering with
injection checks under some circumstances

v 1.9.8.3
+ Full HTML 5 event attributes InjectionChecker support
x Fixed DNS resolution notification causing event loop spinning and
perceived slowness of "Open all in tabs" command
x Removed InjectionChecker bypass (thanks Sirdarckcat for reporting)
+ Updated locales

v 1.9.8.2
x Improved protection against DOS attacks (thanks Gareth Heyes for
testbed)
Chachazz
NoScript v 1.9.8.7
x Fixed minor bugs in "Recent blocked sites" implementation
x Updated Romanian
x Fixed encoding issue with configuration import/export/sync (thanks
m_c for reporting)

v 1.9.8.61
+ Optimization of multiple regexp preferences
x Fixed XSS filter exceptions not being honored if URL contains
percent-encoded characters which are invalid UTF-8 code points
(thanks Bueller007 for reporting)
x Fixed UTF8 overdecoding checks interfering with some Japanese sites
(thanks Bueller007 for reporting)

v 1.9.8.6

+ Reset command in "Recently blocked sites" menu (thanks Fred for
suggestion)
+ For privacy reasons "Recently blocked sites" are erased every time
the user purges history
+ Temporary permissions are revoked and "Recently blocked sites" are
erased every time the user exits the "Private Browsing" mode
x Fixed DNS-sensitive frame blocking bug

v 1.9.8.5
+ New "Recently blocked sites" menu to allow active content origins
which have been recently blocked but are unrelated to the current
page (e.g. loaded in custom frames provided by extensions)
x Fixed some glitch in temporary permissions handling (thanks
computerfreaker for reporting)
x Simplified bookmarklet permissions granting
x Simplified ABERequest lifecycle management
x Prevented potential memory leak

Get It!
Chachazz
NoScript v 1.9.8.8
x Improved bookmarklet setTimeout() emulation (delay ordering is
honored and pseudo-recursion is supported)
x Updated locales

v 1.9.8.72

x Moved the NoScript status label to the left of the status icon,
in order to avoid "jumps" when using the sticky menu (thanks nagan
and frsch for suggestions)
x Improved management of HTTPS forcing during HTTP redirections
x Fixed incompatibility with Minefield/3.7a1pre build 20090827
(thanks Itsnow for reporting)

v 1.9.8.71
+ "Recently blocked sites" now shows the object icon for trusted
sites which are listed because some content has been blocked
x Fixed sites shown in "Recently blocked sites" if content-blocking
restrictions are applied even when no content has been blocked yet
(thanks Alan Baxter for reporting)
Chachazz
NoScript v 1.9.8.86
x Fixed kongregate.com incompatibility (thanks jthill for report)

v 1.9.8.85
+ Updated MK locale
x QA for release

v 1.9.8.84
x Flash object emulation to fool SWFObject 2.2 version detection
without instantiating a real Flash object (thanks al9_x for test)

v 1.9.8.83
x Fixed bug in the new Flash early instantiation management (thanks
al9_x for reporting)

v 1.9.8.82
x Upper limit to bookmarklet setTimeout() emulation, in order to
prevent infinite pseudo-loops
x Improved InjectionChecker algorithms (thanks Sirdarckcat for
suggestions)
x Early URL-less Flash objects are instantiated only if Flash
permissions have been already granted to the origin site

v 1.9.8.81
x Fixed issue with early manipulation of Flash objects whose source
URL has not been set yet (thanks al9_x for reporting and Grump
Old Lady for proxy/VPN testing infrastructure)
Chachazz
v 1.9.8.9
+ First public Strict Transport Security implementation, see
http://hackademix.net/2009/09/23/strict-tr...ty-in-noscript/
x Fixed Javascript disabled in about:neterror pages if the broken
destination page is marked as untrusted (thanks al_9x for report)
x Improved HTTPS enforcement, honoring original referer
x Fixed a potential "unresponsive script" InjectionChecker condition
(thanks Sirdarckcat for reporting)
x Fixed help links not opening from NoScript's UI on Minefield
x Fixed ABE LOCAL symbol matching 172.16.0.0/16 rather than the
whole 172.16.0.0/12 (thanks Antal for reporting)

v 1.9.8.89
x InjectionChecker optimization on long Base64 sequences (thanks skl
for report)

v 1.9.8.88
x X-Frame-Options applied only to ultimate load, after redirection
(compatibility with IE8's and Chrome's implementation)
x Fixed Flash activation bug on Gecko <= 1.9

v 1.9.8.87
+ Quantserve surrogate script
x Added en-GB locale to legacy Seamonkey install script

Get it!
Chachazz
NoScript v 1.9.9.01
x Fixed InjectionChecker micro-injection scanning bug (thanks Sirdarckcat
for reporting)

v 1.9.9 (FKA 1.9.8.9)
+ First public Strict Transport Security implementation, see
http://hackademix.net/2009/09/23/strict-tr...ty-in-noscript/
x Fixed Javascript disabled in about:neterror pages if the broken
destination page is marked as untrusted (thanks al_9x for report)
x Improved HTTPS enforcement, honoring original referer
x Fixed a potential "unresponsive script" InjectionChecker condition
(thanks Sirdarckcat for reporting)
x Fixed help links not opening from NoScript's UI on Minefield
x Fixed ABE LOCAL symbol matching 172.16.0.0/16 rather than the
whole 172.16.0.0/12 (thanks Antal for reporting)

Get it!
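The ABE LOCAL fix in this post and the previous one (172.16.0.0/16 instead of 172.16.0.0/12) is easy to see in code. This added example, which is not ABE's own implementation, matches dotted-quad IPv4 addresses against CIDR prefixes and shows which intranet addresses the narrower prefix silently left outside a LOCAL rule. The address lists and the contents of the LOCAL set are constructed for the example; ABE's real symbol definition is not reproduced here.

```javascript
// Added example, not ABE's code: IPv4 CIDR matching for a LOCAL-style symbol.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not a dotted quad: " + ip);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error("bad octet: " + p);
    return acc * 256 + Number(p);
  }, 0);
}

// True when ip lies inside cidr ("a.b.c.d/bits"). Uses >>> 0 so the mask and
// the masked values stay unsigned 32-bit numbers.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error("bad prefix: " + cidr);
  if (bits === 0) return true;
  const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Constructed LOCAL sets: loopback plus the RFC 1918 ranges, once with the
// /16 typo the changelog fixed and once with the correct /12.
const LOCAL_BEFORE_FIX = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16"];
const LOCAL = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

function isLocal(ip, ranges = LOCAL) {
  return ranges.some(r => inCidr(ip, r));
}

// Addresses that a rule such as "Site LOCAL" would have missed with the /16
// definition but protects with the /12 one.
function missedBeforeFix(ips) {
  return ips.filter(ip => isLocal(ip) && !isLocal(ip, LOCAL_BEFORE_FIX));
}

// Constructed sample of addresses a browser might be asked to reach.
const SAMPLE = ["172.16.0.10", "172.20.1.1", "172.31.255.255", "172.32.0.1", "10.1.2.3", "8.8.8.8"];
missedBeforeFix(SAMPLE); // ["172.20.1.1", "172.31.255.255"]
```

172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255; with /16 only the first of those sixteen /16 blocks counted as LOCAL, so cross-zone rules meant to shield intranet hosts did not apply to the others.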
Chachazz
Get it!

NoScript v 1.9.9.05
+ Improved emulation of complex bookmarklet import sequences
x Fixed potential issue in new InjectionChecker C++ style comments code

v 1.9.9.04
x Fixed header cloning bug in internal redirections
x Better management of C++ style comments in InjectionChecker
x Fixed legacy frames retargeting bug (thanks Andrew Fisher for reporting)

v 1.9.9.03
+ noscript.frameOptions.enabled about:config preference to control if the
X-Frame-Options header must be honored
x noscript.frameOptions.parentWhitelist preference to exclude some parent
window from X-Frame-Options checks on their embedded frames
x Enhanced internal redirection mechanism
x Fixed Weave 0.7pre log window incompatibility

v 1.9.9.02
x Improved InjectionChecker's heuristic (thanks Sirdarckcat for reporting)
Chachazz
NoScript v 1.9.9.07
+ Improved Google Analytics surrogate, handling form submissions (thanks
Alan Baxter for report)

v 1.9.9.06
+ Added https://mail.google.com/* to X-Frame-Options parent whitelist, in
order to allow GMail/Calendar mashups via extensions and GreaseMonkey
x Fixed noscript.forbidIFrameContext set to 0 blocking top-level web pages
loading (thanks al_9x for report)
x Fixed Yahoo! Mail login persistence issue (thanks Ronnie for report)
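The X-Frame-Options entries across these posts describe three policy knobs: a global switch (noscript.frameOptions.enabled), a list of parent pages exempt from the check (noscript.frameOptions.parentWhitelist, which 1.9.9.06 seeds with https://mail.google.com/*), and the rule from 1.9.8.88 that only the final response after redirects counts. This added example, not NoScript's code, models that decision for one framed document. The preference object, the whitespace-separated glob format of the whitelist and the shape of the response records are assumptions of the example; the URLs in the usage are constructed.

```javascript
// Added example, not NoScript's code: X-Frame-Options decision with a global
// switch and a parent whitelist, applied to the final response of a load.
const prefs = {
  "noscript.frameOptions.enabled": true,
  "noscript.frameOptions.parentWhitelist": "https://mail.google.com/*", // assumed format
};

// Turn a simple "*" glob into an anchored regular expression.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Is the embedding page exempt from X-Frame-Options checks on its frames?
function parentWhitelisted(parentUrl) {
  const list = prefs["noscript.frameOptions.parentWhitelist"].split(/\s+/).filter(Boolean);
  return list.some(g => globToRegExp(g).test(parentUrl));
}

function origin(url) {
  return new URL(url).origin;
}

// responses: the redirect chain in order, last element is the final response,
// each { url, headers } with lower-cased header names. Returns true when the
// framed document may render inside parentUrl (null parentUrl = top level).
function allowFrame(parentUrl, responses) {
  if (!parentUrl) return true;
  if (!prefs["noscript.frameOptions.enabled"]) return true;
  if (parentWhitelisted(parentUrl)) return true;

  // Headers on intermediate redirects are ignored, matching IE8/Chrome.
  const finalResp = responses[responses.length - 1];
  const xfo = (finalResp.headers["x-frame-options"] || "").trim();
  if (!xfo) return true;

  const [directive, uri] = xfo.split(/\s+/);
  switch (directive.toUpperCase()) {
    case "DENY":
      return false;
    case "SAMEORIGIN":
      return origin(parentUrl) === origin(finalResp.url);
    case "ALLOW-FROM":
      return !!uri && origin(parentUrl) === origin(uri);
    default:
      return true; // unrecognized value: browsers ignore the header
  }
}

// Constructed usage: Calendar answers DENY, but GMail is a whitelisted parent.
const calendarDeny = {
  url: "https://calendar.google.com/calendar/embed",
  headers: { "x-frame-options": "DENY" },
};
allowFrame("https://mail.google.com/mail/u/0/", [calendarDeny]); // true
allowFrame("https://other.example/page", [calendarDeny]);        // false
```

Whitelisting a parent means that parent's frames skip the check entirely, whatever the framed site asked for, so the list should stay short and name only pages the user trusts to host mashups.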
Chachazz
NoScript v 1.9.9.11
+ Reorganization of the "Embeddings" (FKA "Plugins") options panel
+ "Forbid <VIDEO> / <AUDIO>" option in the "Embeddings" panel
+ "Forbid @font-face" option in the "Embeddings" panel
+ ClearClick report id made selectable (thanks therube for RFE)

get it!

v 1.9.9.10
+ Webfonts blocking from untrusted sources and on untrusted pages,
controlled by the noscript.forbidFonts about:config preference (UI
planned for later, thanks Mike Perry for RFE)
+ noscript.forbidMedia about:config preference controlling HTML 5 media
blocking independently from the "Forbid other plugins" setting (UI
planned for later)
+ Improved live object allowing/forbidding
x Fixed potential false positives generated by Spidermonkey's decompiler
artifacts

v 1.9.9.09
x Fixed noscript.forbidData not being honored (thanks Chris for report)
x Fixed Trillian to Yahoo Mail! XSS false positive (thanks maryadavies and
Thomas for reports)

v 1.9.9.08
x Fixed potential cache issues due to header cloning on internal redirects
(thanks GregThomas for report)
Chachazz
NoScript 1.9.9.12
Get it!

+ Allowing a plugin object whose size is not set causes a page reload,
assuming that scripts would be used to size it
+ Google Translate XSS exception
+ abine:* ClearClick subexception
+ Updated localizations
x Removed current URL leaking into RegExp properties if invisible link
detection is enabled
x Hijack checks must skip error pages (thanks luntrus for report)
x Fixed XSS false positive at travelocity.com (thanks Chris Lonsberry)


[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change
Chachazz
NoScript v 1.9.9.14
x Fixed page loading issues (hard to reproduce but reported by many)



NoScript v 1.9.9.13
x Fixed page loading regression from "Hijack checks skip error pages"
optimization in 1.9.9.12 (hard to reproduce but reported by many)
x Fixed attribution of Romanian translation

Get it!
Chachazz
NoScript v 1.9.9.15
x Fixed HTTPS enforcement for embedded images breaking HTTP authentication
(thanks polie for report)
x Fixed XHR breakage when called from a Worker (thanks Apeiron for report)
x Skip link fixing on right click
x Improved bookmarklet execution mechanism
x Improved compatibility of InjectionChecker with Facebook Connect
x Improved compatibility of InjectionChecker with Lycos Mail

Get it!