NoScript 1.9.x - 'Your Friendly Web Cop'


64 replies to this topic

#1 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 36,503 posts

Posted 31 January 2009 - 07:35 PM

Please retain this topic :-)

NoScript 1.9 - Your Friendly Web Cop
by Giorgio Maone


Main good news:
    • Better Surrogate Scripts error management and new built-in surrogates to securify AMO add-ons installation against MITM attacks and improve Google search experience when scripts are disabled.
    • window.toStaticHTML() implementation.
    • Compatibility with latest Firefox 4 preview builds.
    • Increased ClearClick accuracy on very complex nested pages.
    • Optimized reload on permission change heuristic.
    • New ad-hoc Surrogate Scripts allow scriptless image viewing on imagebam.com, imagevenue.com and imagehaven.net, also preventing popups, popunders and interstitials if you allow scripts there.


  • Faster and more compatible anti-XSS protection.
  • Better error reporting during the execution of location bar scriptlets.
  • Improved protection against Aviv Raff's scriptless tabnabbing variant, by blocking refreshes triggered on unfocused untrusted tabs. See the changelog for more details.


  • Improved compatibility with some GreaseMonkey scripts and some web applications.
  • New Surrogate Script type: when a "sources" preference for a surrogate starts with "!", it is treated as a page-level surrogate which runs on pages where scripts are disabled as soon as the DOM is completed (useful as a GreaseMonkey-like enhancer of non-whitelisted pages).

  • Important ABE enhancements: same domain origin matching (SELF+), same base domain origin matching (SELF++) and INCLUSION pseudo-method for fine-grained subrequests matching, see the updated ABE rules specification for details.
  • Improved XSS checks and ClearClick compatibility.
  • Restored Minefield compatibility.

  • Increased UI responsiveness, especially on mobile devices.
  • Experimental external filters for plugin content (e.g. Blitzableiter to sanitize Flash applets). It requires Firefox 3.5 and above, and it can be configured from the new NoScript Options|Advanced|External Filters panel. To activate the built-in Blitzableiter support you need to enable filters, download Blitzableiter binaries and tell NoScript where the executable is. Please notice that Blitzableiter is in its early development stages, and it breaks a lot of Flash content.
  • Improved and updated Firefox Mobile (Fennec) support: NoScript's UI has been moved inside the location bar, and options have been simplified down to 4 preset configurations (you can still perform fine-grained configuration in about:config or via Weave Sync).
  • More specific status icons for mixed permissions.
  • More accurate detection of certain 2nd order XSS attacks.

  • The long awaited pluggable site info page, can be opened by middle-click or shift+click on any site entry in NoScript's menus.
  • More user friendly handling of sites with non-standard TCP ports.
  • Improved Facebook compatibility.
  • Experimental trusted/untrusted list subscriptions.
  • Better compatibility with complex bookmarklets.
  • Enhanced usability of universal Flash blocking.
  • Improved X-Frame-Options implementation.
  • Several XSS Injection Checker performance and accuracy enhancements.
  • Improved AddressMatcher syntax (used by ABE, HTTPS enforcement and other features), introducing .x.y syntactic sugar, matching both x.y and *.x.y (thanks al_9x for suggestion)
  • Better ClearClick compatibility and performance boost on Firefox 3.6 and above.
  • Surrogate Scripts from local files: surrogate's replacement is treated as a file:// URL and resolved against current browser profile if it starts with "file://", "./" or "../" (thanks Richard Stallman, Johan Euphrosine and Sam Imtiaz)

  • Important stability and performance improvements in the DNS module.
  • Anti-Popunder surrogate script enabled by default on HTTP web sites.
  • Several XSS Injection Checker performance and compatibility enhancements.
  • Improved HTTPS enforcing.

  • Improved and generalized Anti-Popunder surrogate script.
  • Updated Firefox Mobile (Fennec) compatibility.

  • Improved XSS Injection Checker compatibility with Livejournal comment posting.
  • Improved ClearClick compatibility with Facebook applications.

  • Improved ClearClick, made faster and compatible with Firefox 3.6.
  • Many enhancements in Surrogate Scripts.

  • Stability fixes for HTTPS enforcing (manual and STS).
  • Better object unblocking behavior (increasing usability of embedding restrictions e.g. with VMWare Server).
  • Improved compatibility with Ebay and Photobucket.
  • Enhanced bookmarklet support.

  • Improved compatibility with Facebook Connect and Lycos Mail.
  • Enhanced bookmarklet support.
  • Better compatibility with Google Translate, Abine and Travelocity.
  • Improved embedding reload policies.

  • Revamped Embedding (previously known as "Plugins") features, including WebFont blocking and smarter reloading policies.
  • NoScript Options|Embeddings|Forbid <VIDEO> / <AUDIO> preference to control HTML 5 media blocking.
  • NoScript Options|Embeddings|Forbid @font-face preference to control WebFont blocking.
  • Improved Google Analytics surrogate script, handling form submissions.
  • X-Frame-Options default exception for https://mail.google.com/* as a parent, to allow GreaseMonkey scripts and extensions like Integrated GMail to embed Google Calendar inside the GMail inbox.


  • Improved bookmarklet emulation, supporting complex asynchronous remote imports.
  • Better control over X-Frame-Options: now it can be disabled either globally or per-site, by setting the noscript.frameOptions.enabled and the noscript.frameOptions.parentWhitelist about:config preferences, e.g. for allowing seamless Google Calendar integration.
  • Several XSS injection checker enhancements.
  • Strict Transport Security support.


  • First public Strict Transport Security implementation.
  • Surrogate script for Quantserve.


  • Improved XSS injection checker algorithms.
  • Better compatibility with most recent Flash activation frameworks.
  • Enhanced bookmarklet support.


  • New: Recently blocked sites menu helps detecting active content sources which have been blocked but don't belong to the current page (e.g. those imported by extensions such as Ubiquity or Cooliris).
  • Better integration with the "Private Browsing" Firefox features: when exiting private browsing, both recently blocked sites and temporary permissions are "forgotten".
  • Improved protection against DOS attacks.
  • Several accuracy and speed optimizations in the XSS injection checker engine.

  • Complete HTML 5 media (audio and video) blocking on untrusted sites.
  • New layer of inclusion protection, checks whether 3rd party script and CSS files are served with proper content type.
  • Enhanced JAR abuse protection (thanks .mario for RFE).


  • Improved ABE rules syntax, now supporting raw IPs and subnets in address prefix/mask form.
  • New option to turn off ABE notifications (in NoScript Options|Notifications).


  • ABE (Application Boundary Enforcer) module providing protection against CSRF attacks.
  • Protection against internet to intranet attacks (e.g. router hacking from the web) thanks to the built-in SYSTEM ABE rule.
  • Improved JavaScript form submission emulation.
  • Enhanced and augmented Surrogate Scripts.


  • New Import/Export buttons in the NoScript Options dialog, backup the whole NoScript configuration in a single JSON file, as a disconnected alternative to the Weave/XMark synchronization functionality (Fx 3 and above).


  • NoScript now blocks by default also HTML 5 <video> and <audio> content from untrusted origins like it does for plugins, to prevent malicious sites from exploiting media codec vulnerabilities.


  • Greatly improved bookmarklet support on untrusted pages, trying to turn setTimeout() calls into synchronous ones and to execute trusted imported scripts (e.g. in the Readability bookmarklet).


  • Enhanced HTTPS enforcement engine, correctly loading redirected images no matter their caching status and displaying a meaningful error message when causing a redirect loop.


  • Several speed, usability and stability improvements in the new NoScript preferences synchronization feature.
  • ClearClick ClickJacking protection compatibility with Feedly, Disqus and Sharethis.
  • Better Firefox 3.5 beta and Firefox 3.6 alpha support.
  • Experimental Backup NoScript configuration in a bookmark for easy synchronization feature, to be enabled in NoScript Options|General.
    It allows replicating NoScript preferences and permissions across multiple computers using a bookmark synchronization service such as Mozilla Weave or the XMarks extension.
  • New "partially allowed subcontent" icon to indicate that the top site is blocked but some active sub-content (e.g. plugin objects or frames) is enabled.
  • NoScript now reports "Scripts Forbidden" instead of "Scripts Partially Forbidden" even if 3rd party script sources are allowed, unless they can actually run because their hosting document is allowed as well.
  • ClearClick ClickJacking protection compatibility with the ShareThis extension.
  • Protection against exploitation of XSLT vulnerabilities like the one fixed in Firefox 3.0.8
  • Better compatibility with the Google Notebook extension and with the new Flash-based GMail attachment system.
  • New dedicated support forum.
  • Fixed Amazon glitch with blocked IFrame placeholders.
  • Improved HTTPS forcing engine, now capable of forcing HTTPS on background subrequests as well.
  • Fennec 1.0b1 compatibility.
  • Yieldmanager script surrogate (makes imageshack.us and other sites work with no need for whitelisting yieldmanager.com).
  • Performance boost of ClearClick ClickJacking protection on very crowded documents.
  • ClearClick incident reporting tool.
  • Improved script blocking and scriptless pages management.
  • Improved X-FRAME-OPTIONS compatibility support.
  • New exclusive protection against JSON and E4X hijacking.
  • Improved compatibility with some Amazon, Smugmug and Ebay features.
  • Anti-XSS filters performance optimizations.
  • Support for the Fennec Alpha 2 mobile browser.
  • Several improvements in blacklisting mode: even if whitelisting is still the recommended safest mode, you can use Allow scripts globally and still block sites you mark as untrusted. More important, you can still enjoy full Anti-XSS protection or be protected against ClickJacking and JSON hijacking even while you're keeping JavaScript allowed everywhere.
More in the changelog...

Supported browsers: Firefox 1.5.0.6 and above, SeaMonkey 1.0.5 and above, Flock, IceWeasel, Minefield
Other browsers based on Gecko 1.8.0.6 and above might work, but are not tested.

NoScript: get it!

New! Dedicated Support Forum.
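The ".x.y" AddressMatcher shorthand (matching both x.y and *.x.y) and the SELF+ / SELF++ origin comparisons mentioned in the notes above, as an added illustration that is not NoScript's own code. All function names are hypothetical, and the base-domain logic uses a tiny constructed public-suffix stand-in rather than the real Public Suffix List:

```javascript
// Added example (not NoScript code): host pattern matching with the ".x.y"
// shorthand, plus same-domain (SELF+) and same-base-domain (SELF++) checks.

// Assumption: a deliberately tiny, incomplete stand-in for the Public Suffix
// List, so that "example.co.uk" is treated as one registrable domain.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);

function normalizeHost(h) {
  // lower-case, trim, drop a trailing dot ("example.com." is "example.com")
  return h.trim().toLowerCase().replace(/\.$/, "");
}

// Turn one pattern into a predicate over normalized host names:
//   ".x.y"  matches "x.y" and any subdomain of it (the syntactic sugar)
//   "*.x.y" matches subdomains of "x.y" only
//   "x.y"   matches exactly "x.y"
// Suffix checks always include the leading dot, so ".x.y" never matches
// "evilx.y", which merely ends in "x.y".
function compilePattern(pattern) {
  const p = normalizeHost(pattern);
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return host => host.endsWith("." + base);
  }
  if (p.startsWith(".")) {
    const base = p.slice(1);
    return host => host === base || host.endsWith("." + base);
  }
  return host => host === p;
}

// True if the host matches any pattern in the list.
function matchesAny(patterns, host) {
  const h = normalizeHost(host);
  return patterns.map(compilePattern).some(pred => pred(h));
}

// Registrable ("base") domain: the last two labels, or the last three when the
// last two form a known two-label public suffix.
function baseDomain(host) {
  const labels = normalizeHost(host).split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  const n = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// SELF+ : request origin has exactly the same host as the page
function sameDomain(a, b) {
  return normalizeHost(a) === normalizeHost(b);
}

// SELF++ : request origin shares the page's base domain (any sibling subdomain)
function sameBaseDomain(a, b) {
  return baseDomain(a) === baseDomain(b);
}

// Stand-alone demonstration on constructed host names.
console.log(matchesAny([".example.com"], "www.example.com"));        // true
console.log(matchesAny([".example.com"], "notexample.com"));         // false
console.log(sameDomain("mail.example.com", "www.example.com"));      // false
console.log(sameBaseDomain("mail.example.com", "www.example.com"));  // true
```

Without a real public-suffix list the SELF++ rule would treat "foo.co.uk" and "bar.co.uk" as the same site, which is exactly the kind of over-broad match a CSRF rule must avoid; the stand-in set above shows where that knowledge has to be plugged in.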

#2 Chachazz

Posted 31 January 2009 - 07:37 PM

NoScript 1.9
+ Improved ClearClick sensitivity (thanks Eric Lawrence for report)

NoScript CHANGELOG


#3 Chachazz

Posted 07 February 2009 - 07:10 AM

NoScript v 1.9.0.4
x Fixed XHTML namespacing issues (thanks dhouwn for report)

v 1.9.0.3
x Fixed E4X hijacking false positive with scripts delimited by XML
comments and containing XML (thanks Jim Mattfield for report)

v 1.9.0.2

x Fixed X-FRAME-OPTIONS not working inside OBJECT elements (thanks
Joris van der Wel for report)
x Restored broken compatibility with Seamonkey 1.0.x (thanks James
Andrewartha for report)

v 1.9.0.1

x Work around for edge case false positive on plugins embedded in
cross-site framesets (thanks therube for report)



#4 Chachazz

Posted 16 February 2009 - 04:36 PM

NoScript v 1.9.0.5
+ Upper limits for JS link detection loop (thanks Wladimir Palant)
+ about:certerror added to the intrinsic whitelist
+ ClearClick compatibility with the Link Alert extension
+ 3rd party script blocking improvements
x Updated Slovak translation

get it!




#5 Chachazz

Posted 22 February 2009 - 09:32 PM

NoScript v 1.9.0.6
x Fixed page-level surrogates in subframes being executed too much
early to be effective (thanks GossamerGremlin for report)
x Work-around for bug 4066046 (thanks Alice0755)
x Fixed incompatibility with the wfx_Versions extension (thanks
Archaeopteryx for report)
x Fixed double activation for nested OBJECT elements, e.g. apple.com
QuickTime movies (thanks al_9 for report)
x Fixed Silverlight applets not intercepted in Gecko 1.8.1.19-20
(thanks al_9x for report)

get it!

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change


#6 Chachazz

Posted 04 March 2009 - 05:08 PM

NoScript v 1.9.0.8
x Work around for Mozilla bug 453825

v 1.9.0.7
x Work around for SimpleViewer and other Flash movies replaced with
innerHTML breaking on nsIContentPolicy presence (thanks Steffen
Zahn for reporting).

get it!


#7 Chachazz

Posted 11 March 2009 - 10:29 PM

NoScript v 1.9.1
x ClearClick performance boost on crowded documents
x Updated French translation
x Reduced log spam on content blocking

v 1.9.0.92
+ Yieldmanager script surrogate (thanks orngjce223 for suggestion)
x Fixed "Attempt to fix JavaScript links" causing middle-clicks to
open JS link targets twice on Gecko 1.8 (thanks therube for report)

v 1.9.0.91
+ ClearClick incident reporting tool

v 1.9.0.9
x Fixed 20 seconds hang in injection checker on URLs containing long
sequences of the "<" character

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change

get it!



#8 Chachazz

Posted 18 March 2009 - 06:55 PM

NoScript v 1.9.1.2
+ HTTPS forced on background requests (images, stylesheets,
scripts, embeddings, AJAX...) as well (thanks mattmccutchen's RFE)
+ Fennec 1.0b1 compatibility

v 1.9.1.1
x Fixed XSS false positive on SAMLP payloads (thanks MysticOrchid
for reporting)

get it!


#9 Chachazz

Posted 26 March 2009 - 10:00 PM

NoScript v 1.9.1.4
x Fixed placeholder size miscalculation for hidden blocked objects
(thanks al9_x for report)
x Fixed HTTPS enforcing on documents causing an initial aborted
HTTP documents request on Gecko < 1.9 (thanks al_9x for report)

v 1.9.1.3
x Fixed URIPatternList glob compiling bug (thanks mattmcutchen)

get it!





#10 Chachazz

Posted 04 April 2009 - 03:34 AM

NoScript v 1.9.1.6
+ Improved ClearClick specificity on zoomed pages (fixes a false
positive on GMail's Flash-based attach link when zoom is active)
x Temporarily disabled ClearClick on 3.6a1pre because of bug 486200

v 1.9.1.5
+ XSLT stylesheets are regarded as active content and blocked by
default on untrusted documents and/or from untrusted origins
+ "Forbid IFrame" compatibility with the Google Notebook extension
(thanks chojrak11 for RFE)
x Fixed HTTP not enforced on redirected background requests (thanks
al_9x for report)
x Fixed work-around for bug 453825 causing unhandled error messages
visible in Firebug (thanks Pavol Goga for report)

get it!


#11 Chachazz

Posted 14 April 2009 - 02:26 AM

NoScript v 1.9.1.91
x Fixed notifications reporting "Forbidden" on some partially allowed
pages

v 1.9.1.9
x Fixed notifications reporting "Partially allowed" on fully allowed
pages (thanks Grant Parris for report)
x Fixed source code (view-source: originated) POST requests being
turned into GET requests

v 1.9.1.8
+ New "partially allowed subcontent" icon to indicate that the top
site is blocked but some active sub-content (e.g. plugin objects
or frames) is enabled
+ New script sources inventory behavior reporting "Scripts Forbidden"
instead of "Scripts Partially Forbidden" even if 3rd party script
sources are allowed unless their hosting document is allowed too
+ New "noscript.clearClick.subexceptions" preference to list sources
of embedded content which don't need to be protected by ClearClick
x ClearClick compatibility with the "ShareThis" extension

v 1.9.1.7
x Fixed multiple placeholder regression on Gecko < 1.9 (Firefox 2.x)

get it!



#12 Chachazz

Posted 24 April 2009 - 03:36 AM

NoScript v 1.9.2
+ Experimental "Backup NoScript configuration in a bookmark for easy
synchronization" feature (enable it in "NoScript Options|General")
x Fixed potential DNS leak in some proxied setups when opening URLs
with FQDNs as their hostnames (thanks Rolf Wendolsky for report).

get it!


#13 Chachazz

Posted 27 April 2009 - 02:51 AM

NoScript v 1.9.2.2
+ Performance optimization of preferences bookmark-based persistence
x Fixed residual object blocking glitches (thanks Aerik, Pirlouy and Endor)

Noscript v 1.9.2.1
x Changed the bookmark format so that you don't get an error message when you open it, even though it's not meant to be opened.
x Fixed bookmark synchronization skipped when using the sticky menu commands.
x Fixed various glitches related to object blocking and recent Gecko builds

http://noscript.net/getit



#14 Chachazz

Posted 30 April 2009 - 06:46 PM

NoScript 1.9.2.4
+ Improved Gecko >= 1.9.1 support
x Updated nl-NL translation
x Fixed notification icons broken on Minefield (Fx 3.6a1pre)
x Fixed blocked objects in "restrictions on trusted sites" mode not
being counted for "partially allowed" reporting

v 1.9.2.3
+ Localization-agnostic title for configuration sync bookmark
+ Localizable info page when opening the configuration sync bookmark
x Fixed external XSLT sources not being reported in NoScript menus
even if blocked unless a different type of active content comes
from the same origin
+ A "NoScript development support filterset" gets added to AdBlock
Plus, whitelisting the noscript.net, flashgot.net, informaction.com
and hackademix.net web sites recently broken by an aggressive
EasyList campaign against sites sponsoring NoScript development.
ABP users are informed both on the install and on the release notes
pages, so they can easily disable the filterset if they wish to.

http://noscript.net/getit

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change


#15 Chachazz

Posted 02 May 2009 - 05:15 PM

No Script v 1.9.2.6
+ NoScript now automatically removes the controversial "NoScript
Development Support Filterset" deployed with NoScript 1.9.2.3 and
above on startup, permanently and with no questions asked.

v 1.9.2.5
+ One-time startup prompt to ask users *beforehand* if they want to
install/keep or permanently delete the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
x Fixed filterset bug: it could be disabled but not removed.
x Fixed "Attempt to fix JS links" not working for drop-down lists on Gecko < 1.9 (thanks therube for report)
x Updated zh-CN translation
x Updated el-GR translation

http://noscript.net/