
NoScript 1.9.x - 'Your Friendly Web Cop'


  • This topic is locked
64 replies to this topic

#16 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 36,503 posts

Posted 13 May 2009 - 10:21 PM

NoScript v 1.9.2.8
+ 100x speedup of bookmark-based configuration persistence
+ NoScript tries to synchronize its configuration with foreign
bookmarks when the "Backup configuration in bookmarks" gets enabled
in order to ease adding new "slaves"
x Excluded temporary permissions from bookmark-based synchronization
x Fixed XMark synchronization failing because of XMark's 4KB limit on
bookmark URIs
x Fixed opening the [NoScript] configuration bookmark hanging the
AutoPager extension
+ Disqus ClearClick exception
+ Feedly ClearClick exception

v 1.9.2.7
+ "NoScript Options|Notification|Display release notes on update"
checkbox
x Fixed XSLT blocking regression

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change


#17 Chachazz


Posted 21 May 2009 - 01:44 AM

NoScript v 1.9.3.1 is out!
x Fixed automatic secure cookie management being enabled by default
(thanks therube for report)
get it!

v 1.9.3
+ Redirect loops caused by HTTPS enforcement now trigger the standard
redirect loop error page (thanks Matt McCutchen for RFE)
x Fixed https-forced embedded objects not being loaded unless already
cached (thanks Matt McCutchen for report)

v 1.9.2.93
x Fixed 1.9.2.92 regression breaking "Revoke temporary permissions"

v 1.9.2.92
+ Improved bookmarklet support, trying to turn setTimeout calls into
synchronous ones and to execute trusted imported scripts (e.g.
in the Readability bookmarklet)
+ Slightly "beautified" JSON export format (one preference per line)
x Fixed 1.9.2.91 regression, preventing permissions changes made in
NoScript Options from being saved under some random circumstances
(thanks G??r???? for reporting)

v 1.9.2.91
+ Import and Export buttons in NoScript Options to backup and restore
the whole NoScript configuration (preferences and permissions) to
and from a text file.

v 1.9.2.9
+ Native media (audio/video HTML 5 elements) blocking
x Huge refactoring modularizing XSS, ABE, ClearClick, HTTPS extras
and utility classes


#18 Chachazz


Posted 23 May 2009 - 06:44 PM

NoScript v 1.9.3.3
x Fixed fatal exception on JSON XSS checks (thanks HeikoAdams for
report)

v 1.9.3.2
x Fixed whitelist import/export broken by new global import/export (
thanks Tim Johnson for report)


#19 Chachazz


Posted 29 June 2009 - 11:13 PM

NoScript updated v 1.9.5
x Fixed forbidden objects in allowed documents not causing partially
allowed icon on first load in Gecko < 1.9 (thanks al9_x for report)
x Fixed forbidden objects in mixed trusted/blacklisted pages not
causing partially allowed icon (thanks al9_x for report)

v 1.9.4.91
x Fixed late request cancelation of scripts preventing page from
complete loading
x Fixed refreshing ABE rulesets enabling back disabled local rulesets

v 1.9.4.9
x Fixed DNS cache purging bug (thanks therube for reporting)

v 1.9.4.8
x Parallelization of DNS activity bringing huge ABE performance gain
x Minor fixes in LOCAL policies enforcing

v 1.9.4.7
x Fixed possible deadlock introduced in 1.9.4.6
x Fixed DNS cache purging bug

v 1.9.4.6
x Refactoring of content policy related code
x Another memory optimization iteration
x Restored automatic Seamonkey profile install cleaner

v 1.9.4.5
x Further memory footprint and performance ABE optimizations

v 1.9.4.4
+ Origin tracing speed and accuracy improvements
+ Enhanced frame busting emulation
+ Further DNS optimizations

v 1.9.4.3
x Optimized garbage collection in DNS 2nd level cache

v 1.9.4.2
x Fixed mixed content SSL false positives when ABE enabled
x Fixed file:// entry added to whitelist every time a 2nd level
domain gets allowed on Gecko >= 1.9 (thanks G??r???? for reporting)

v 1.9.4.1
+ Implemented 2nd level DNS cache fixing some artifacts/crashes on
Google Maps and some latency issues in Gecko < 1.9 (thanks therube
and Alan Baxter for reporting)

v 1.9.4 RC2
x Fixed page content getting randomly scrambled during heavily
concurrent loads when ABE's asynchronous networking is enabled
x Fixed password manager autofill failing sometimes (thanks Tommy Coe
for reporting)

v 1.9.4 RC1
+ First stable ABE (Application Boundaries Enforcer) release
+ Improved JavaScript form submission emulation (thanks aladin235 for
reporting about Twitter logout button)
+ Asynchronous networking in Gecko >= 1.9 for ABE preflight requests
and DNS checks (can be turned off by noscript.asyncNetworking
about:config preference)
+ noscript.ABE.legacySupport about:config preference to enable ABE
on older, less supported platforms (Gecko < 1.9)
+ Modularized SeaMonkey uninstaller
+ Bookmarklet emulation made compatible with latest Fx 3.5 builds
x Better UI feedback about CAPS parsing artifacts

v 1.9.3.92
x Fixed missing site rules being repeatedly fetched after 12 hours
timeout

v 1.9.3.91
+ Added gstatic.com (Google Maps and other services) to the default
whitelist
x Fixed broken embeddings from file:// URLs (thanks Endor for report)

v 1.9.3.9
x Fixed import/export buttons for whitelist and full configuration
overriding each other (thanks Alan Baxter for reporting)

v 1.9.3.8
+ Precise reporting of ABE DNS failures
+ Automatically include browser origins in Accept predicates
x Lighter XSS checks, relying on ABE for pre-screening when possible
(preventing some timeout-related false positives and random hangs)

v 1.9.3.7
+ More accurate NOSCRIPT web-bugs blocking, skipping same origin
images and scripted pages (thanks Jorgo for suggestion)
x Working link to ABE documentation in NoScript Options|Advanced|ABE
x Fixed ABE external editor failing to open on Mac OS X (thanks David
Bass for reporting)

v 1.9.3.6
+ Improved Google Analytics script surrogates
+ New Imagefap anti-popup script surrogates
+ Seamonkey 1.x streamlined installation process (profile local
installations are not supported anymore, but switching to
browser-wide is automatic on update)
+ Seamonkey 1.x automatic uninstall procedure (button provided in
NoScript Options)

v 1.9.3.5
+ Better placeholder management with weird plugin content nesting
(thanks nagan for request)
+ Faster and more streamlined cross-origin request tracking
x Fixed single asterisk ("*") glob pattern not compiling in URI pattern
lists (thanks Sirdarckcat for reporting)
x Fixed Fx 2 (Gecko < 1.9) non-secure requests for HTTPS-forced
resources being aborted rather than redirected (thanks al_9x for
reporting)

v 1.9.3.4
+ First public Application Boundaries Enforcer (ABE) prototype, see
NoScript Options|Advanced|ABE
+ SYSTEM built-in ABE ruleset including one rule emulating LocalRodeo
(check http://databasement....abs/localrodeo/ and
http://databasement....o/testcases.php )

NoScript is Free Software (GPL), but if you find it useful, you can support its development :)

#20 Chachazz


Posted 29 June 2009 - 11:29 PM

What's ABE?
Application Boundaries Enforcer

by Giorgio Maone

The NoScript browser extension improves web client security by applying a Default Deny policy to JavaScript, Java, Flash and other active content and providing users with a one-click interface to easily whitelist sites they trust for active content execution. It also implements the most effective Cross-Site Scripting (XSS) filters available on the client side, covering Type-0 and Type-1 XSS attacks; ClearClick, the only specific browser countermeasure currently available against ClickJacking/UI redressing attacks, and many other security enhancements, including a limited form of protection against Cross-Site Request Forgery (CSRF) attacks: POST requests from non-whitelisted (unknown or untrusted) sites are stripped out of their payload and turned into idempotent GET requests.

Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level. Since the web has not been originally conceived as an application platform, it misses some key features required for ensuring application security. Actually, it cannot even define what a "web application" is, or declare its boundaries, especially if they span across multiple domains, a scenario becoming more and more common in these "mashups" and "social media" days.

The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser.

This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either by the user himself, or by the web developer/administrator, or by a trusted 3rd party.

ABE rules, whose syntax is defined in this specification (pdf), are quite simple and intuitive, especially if you ever looked at a firewall policy file: [see website]

Living inside the browser, the ABE component can take advantage of its privileged placement for enforcing web application boundaries, because it always knows the real origin of each HTTP request, rather than a possibly missing or forged (even for privacy reasons) HTTP Referer header, and can learn from the user's feedback.

A preliminary ABE implementation is provided with NoScript 1.9.3.6 and above, and local rulesets can be configured from NoScript Options|Advanced|ABE. Rules for the most popular web applications will be made downloadable and/or available via automatic updates for opt-in subscribers, and UI front-ends will be provided to edit them manually or through a transparent auto-learning process, while browsing. Additionally, web developers or administrators can declare policies for their own web applications: if the user enabled the Allow sites to push their own rulesets option, ABE will honor them, unless they conflict with more restrictive user-defined rules.
As soon as browser support for the Origin HTTP header becomes widespread and reliable, an external version of ABE might be developed as a filtering proxy.

© Copyright 2009 Giorgio Maone - some rights reserved.
http://noscript.net/abe/index.html
http://noscript.net/
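A toy model of the two ABE behaviours described in the post above (an in-browser, origin-aware rule check and the payload-neutralizing action that turns untrusted POSTs into idempotent GETs). This is an added Python example, not NoScript's code: the dict rule format and the SELF/LOCAL tokens are this model's own, not ABE's rule syntax, and the sensitive parameter list is constructed.

```python
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed list of query parameters treated as session/authorization material.
SENSITIVE_PARAMS = {"sid", "session", "sessionid", "token", "auth", "phpsessid"}

def site(url):
    """Scheme + host: the unit at which this model draws application boundaries."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}".lower()

def is_local(url):
    """localhost or a literal loopback/private IP; no DNS here (ABE uses its DNS cache)."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private

def anonymize(req):
    """The 'Anonymous' (formerly 'Logout') action: drop session/auth query
    parameters, switch non-idempotent methods to GET and discard the upload."""
    p = urlsplit(req["url"])
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    url = p._replace(query=urlencode(kept), fragment="").geturl()
    return {**req, "url": url, "method": "GET", "body": None}

def origin_accepted(rule, req):
    """SELF = same site as destination, LOCAL = local origin, else an explicit site."""
    origin = site(req["origin"])
    return (("SELF" in rule["accept_from"] and origin == site(req["url"]))
            or ("LOCAL" in rule["accept_from"] and is_local(req["origin"]))
            or origin in rule["accept_from"])

def enforce(rules, req):
    """First rule whose 'sites' cover the destination decides. req['origin'] is the
    origin the browser knows for the requesting document, not the Referer header."""
    for rule in rules:
        dest_match = ("LOCAL" in rule["sites"] and is_local(req["url"])) \
            or site(req["url"]) in rule["sites"]
        if not dest_match:
            continue
        if origin_accepted(rule, req):
            return "Accept", req
        if rule["action"] == "Deny":
            return "Deny", None
        return "Anonymous", anonymize(req)
    return "Accept", req  # no rule covers the destination: let it through unchanged

# Constructed ruleset: guard a webmail app, and emulate LocalRodeo (no internet -> LAN).
RULES = [
    {"sites": ["https://mail.example.com"], "accept_from": ["SELF"], "action": "Anonymous"},
    {"sites": ["LOCAL"], "accept_from": ["LOCAL"], "action": "Deny"},
]
```

A cross-site POST to the webmail site comes back as a GET with its session parameter and body removed, while a page from the internet trying to reach a private address is denied outright.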


#21 Chachazz


Posted 19 July 2009 - 08:53 PM

NoScript v 1.9.6.1
x Fixed session restore broken by some 1.9.6 ABE optimizations
x Fixed XMarks compatibility issue (thanks Matt Perkins for report)

v 1.9.6
+ Support for raw IP and subnets with address prefix/mask syntax in
ABE rulesets
x Improved UTF-8 XSS protection (thanks Sirdarckcat for discussion)
x Fixed ABE resource lists parsing glitches
x Improved "Anonymous" (formerly "Logout") ABE action behavior
x Fixed IP display in Allow/Forbid menu items on Gecko >= 1.9
x Added ABE local rulesets to configuration import/export dataset
x Fixed multibyte domain names couldn't be temporarily allowed nor
marked as untrusted (thanks fujita for reporting)

v 1.9.5.73
x Fixed "live" plugin unblocking broken on some sites (thanks therube
for reporting)

v 1.9.5.72
x Fixed CSS bug preventing placeholders from being hidden with
Shift+click

v 1.9.5.71
x Fixed Seamonkey 1.x breakage from 1.9.5.7 (thanks therube for
reporting)

v 1.9.5.7
+ ABE Logout action strips query strings from potential authorization
and session-related parameters and neutralizes non-idempotent
requests by switching their method to GET and removing uploads
x Fixed DNS optimizations causing ABE's "Logout" action to abort the
request sometimes (Gecko <= 1.8 will abort on Logout anyway if DNS
record is not cached)
x Improved usability with sites providing their own JS-based UI for
HTML5 VIDEO element
x Fixed placeholder not clickable if overlayed with a transparent
absolutely positioned element
x Fixed bug preventing the audio feedback sample from being changed
(thanks Rodney Crnkovic for reporting)

v 1.9.5.6
x Work around for Tab Mix Plus beta breaking bookmarklets and URL bar
JavaScript one liners on untrusted sites (Fx 3.5)

v 1.9.5.5
+ New Notifications|ABE option to disable ABE notifications
+ External requests on default ports to domain names different than
"localhost" resolving to 127.0.0.1 don't generate notifications, in
order to reduce spam from misconfigured hosts files (activity gets
still logged to the Error Console and notifications can be restored
by toggling the noscript.ABE.notify.namedLoopback preference)

v 1.9.5.4
x Fixed incompatibility with back-forward gestures in Mouse Gesture
Redux (thanks Kevin Schneider and Andrea Rodofili for reporting)
x Fixed "Open all tabs" glitches

v 1.9.5.3
x Fixed Google Analytics surrogates causing some sites to open
"undefined" URLs (thanks sanityvoid for reporting)

v 1.9.5.2
x Fixed ABE RFC 3330 support bug (thanks SkyBeam for reporting)

v 1.9.5.1
x Work around for NewTabUrl incompatibility
x Fixed undisclosed yet parsing bug (credits will be given where due
in a later release)




#22 Chachazz


Posted 19 July 2009 - 10:20 PM

NoScript v 1.9.6.2
x Fixed missing plugin placeholder when IFrames are forbidden
(thanks Grumpy Old Lady for reporting)


#23 Chachazz


Posted 20 July 2009 - 06:32 PM

NoScript v 1.9.6.5
+ New layer of inclusion protection, checks if 3rd party script and
CSS files are served with proper content type (it can be disabled
via noscript.checkInclusionType preference; exception patterns can
be listed in the noscript.checkInclusionType.exceptions preference)
x Fixed subdomain matching glitch with 1 char subdomain prefixes


Get It!


v 1.9.6.4

+ "Block JAR remote resources being loaded as documents" now blocks
also script and CSS cross-site inclusions (thanks .mario for RFE)

v 1.9.6.3
x Fixed XSS false positives when asynchronous activity must be
performed in ABE





#24 Chachazz


Posted 21 July 2009 - 08:13 PM

NoScript v 1.9.6.7
x Fixed inclusion content type checks blocking Twitter JSON feeds
loaded via SCRIPT elements (thanks Mel Reyes for reporting)

v 1.9.6.6
x Inclusion content type checks made more tolerant to dynamically
generated scripts and stylesheets (thanks therube for reporting)

http://noscript.net/getit


#25 Chachazz


Posted 24 July 2009 - 08:34 PM

NoScript v 1.9.6.9
x Fixed default whitelist not being installed on first run anymore
since 1.9.6's fix for multibyte temporary allow / mark as untrusted

v 1.9.6.8
x Inclusion content type checking now graces default file extensions
x Improved XSS filter pre-screening efficiency
x Prefixed content type based inclusion blocking message

get it!


#26 Chachazz


Posted 25 July 2009 - 08:19 PM

NoScript v 1.9.7
x Fixed "Send to" context menu item broken by Google Toolbar 5 (thanks
Juan Ignacio Gaviria for reporting)
x Fixed cache issues in non-ABE blocking context on Gecko < 1.9
caused by alternate blocking method for ABE "Deny" action (thanks
al9_x and Tom T for reporting)

get it!

v 1.9.6.95
+ Signed XPI
x Fixed JS redirect detection overzealous on pages containing CSS
content-less links (thanks zaxy for reporting)
x Fixed issue with plugin content activation (thanks Mel Reyes for
reporting)

v 1.9.6.94
x More informative error messages on failed XSS filter DOS attempt

v 1.9.6.93
x Inclusion type checks play smoother on script dynamically served
with a wrong Content-type header
x Fixed temporarily allowing a class of objects from the Blocked
Objects menu not working sometimes (thanks Chad Morse for report)
x Fixed placeholders not working (invalid host name) on Gecko 1.8
(thanks hewee for report)

v 1.9.6.92
x More accurate (and lenient towards misconfigured servers) inclusion
type checks (thanks makini and Sheilaq for reports)

v 1.9.6.91
x Fixed HTTP Referer header being omitted when a DNS cached record is
not found for the request


#27 Chachazz


Posted 30 July 2009 - 07:19 PM

NoScript CHANGELOG
Get it! : http://noscript.net/

NoScript 1.9.7.4 released!
x Decoupled legacy frame blocking from "Forbid IFrames" (thanks
Grumpy Old Lady for reporting)

1.9.7.3
x Fixed IFrame blocking being delayed to DNS resolution when ABE is
active (thanks Mike A. for reporting)
x Fixed Frame blocking leading to extra history entries on unblocking

1.9.7.2

x Content serviced with the "Content-disposition: attachment" header
(forced downloads) should not be subject to plugin blocking
policies (thanks nagan for reporting)
x ABE checks should be skipped for XHR requests made from chrome

v 1.9.7.1

x Inclusion type checks accommodating hosting errors in AOL gadgets,
outbrain.com widgets and E-junkie libraries
x Fixed es-CL locale metadata

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change


#28 Chachazz


Posted 31 July 2009 - 11:52 PM

NoScript v 1.9.7.7
x Fixed DNS cache status interfering with HTTPS redirections

v 1.9.7.6
+ Fixed HTTPS-bound active content restrictions preferences not being
honored sometimes (thanks Peter Meier for reporting)

v 1.9.7.5
+ HTML 5 video and audio are blocked also when loaded as documents
in a frame or in a top-level window



#29 Chachazz


Posted 04 August 2009 - 05:58 PM

NoScript v 1.9.7.9
x Improved XSS filter compatibility with some decimal coordinates
patterns
x Fixed JavaScript IFrame manipulation causes documents to be loaded
in a new window sometimes (thanks Derek Greentree for reporting)

v 1.9.7.86
x Improved XSS filter compatibility with MySpace modules (thanks
Dixie for reporting)

v 1.9.7.85
x Improved permission change speed for very long lists / very slow
CPUs (thanks Boyd Noorda for reporting)

v 1.9.7.84
x Fixed HTTPS-forced subrequests being cancelled sometimes

v 1.9.7.83
x Fixed plugin content could not be navigated through legacy frames

v 1.9.7.82
x Fixed URL classifier not being called for hosts whose DNS record is
not cached yet by ABE (thanks "Fellow Noscripter" for reporting)

v 1.9.7.81
x Fixed domain name resolution delayed for cached failed responses
after a network reconnection (thanks foxicat for reporting)

v 1.9.7.8
x Fixed invisible links detection turning some links into absolutely
positioned if they have no layout on load (thanks dpmccabe for
reporting)
x Improved specificity of data: URL injection detection (thanks Tom
for reporting)


#30 Chachazz


Posted 11 August 2009 - 08:49 PM

NoScript v 1.9.8.1
x Fixed Mac OS X specific hang bug triggered by STATUS_RESOLVING DNS
notifications for some sub-requests

v 1.9.8
+ ABE's caching DNS requests now send STATUS_RESOLVING notifications
(thanks al9_x for RFE)
x Improved injection checks (thanks Sirdarckcat for reporting)
x Fixed invalid chars in host names causing loads to fail without any
visible error feedback
x Work around for breakages caused by the .NET Framework Assistant,
http://adblockplus.o...ework-assistant
+ ABE grammar source (ABE.g) included in the distributed XPI (thanks
al9_x for noticing its absence)

Get It!

[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change