NoScript ChangeLog

v 1.1.9.6
=====================================================================
x Object placeholder rendering optimization
x Extra QA for release

v 1.1.9.5
=====================================================================
+ Plugins disabled by default on unknown sites
x References to "Macromedia Flash" changed into "Adobe Flash"
x Fixed wrong OBJECT count reported after 1st notification

v 1.1.9.4
=====================================================================
+ XBL protection compatible with extensions using XMLHttpRequest from a
  content-triggered event handler (e.g. Book Burro or PriceDrop)

v 1.1.9.3
=====================================================================
+ non-destructive cross-site XBL protection (handles the same case as
  https://bugzilla.mozilla.org/show_bug.cgi?id=387971)
x Better edge-case handling in invisible links detection
  (thanks Alexander Nikkta)

v 1.1.9.2
=====================================================================
+ Pre-scan optimization for unicode-escaped ASCII in InjectionChecker
+ Better compatibility with URLs containing HTML entities

v 1.1.9.1
=====================================================================
x Work-around for Minefield content policy / DOM interaction regression
  (thanks mmortal03)

v 1.1.9
=====================================================================
x Extra QA for release
+ Menu rendering speed optimizations
+ Emulated TLD Effective service up to 100x speedup
+ InjectionChecker performance up to 50x speedup (thanks therube)
+ Fixed leak regression from 1.1.8.3 redirection handling refinements
  (thanks L.
  David Baron)
x Fixed Firefox notifications not shown if NoScript notifications were
  suppressed (thanks gecco)

v 1.1.8.9
=====================================================================
x Fixed content-blocking regression (thanks L.A.R. Grizzly)

v 1.1.8.8
=====================================================================
x Better Google Toolbar compatibility (thanks brandonksu)

v 1.1.8.7
=====================================================================
+ More consistent and compatible bottom notification bar

v 1.1.8.6
=====================================================================
+ "Notifications" option to change message bar automatic hiding delay
x Fixed multiple profile problems on SeaMonkey (thanks therube)
x Fixed incompatibility with Translation Panel and other extensions
  (regression from 1.1.8.5 beta)

v 1.1.8.5
=====================================================================
+ Improved HTML attribute injection checks (thanks Gareth Heyes)
+ More flexible noscript.forbidXBL about:config preference:
  0 - allow all XBL
  1 - allow trusted and data: (Fx 3) XBL on any site
  2 - allow trusted and data: (Fx 3) XBL on trusted sites
  3 - allow only trusted XBL on trusted sites
  4 - allow only trusted XBL from the same site or chrome (default)
  5 - allow only chrome XBL

v 1.1.8.4
=====================================================================
x Fixed installation issue on SeaMonkey

v 1.1.8.3
=====================================================================
+ The "noscript.tempGlobal" about:config preference causes the
  "Globally Allow" status to be revoked at the end of each session
  (thanks chconnor and Alan Baxter for suggestion)
+ The "noscript.lockPrivilegedUI" about:config preference blocks Error
  Console and DOM Inspector (useful in locked down setup to prevent
  preferences from being unlocked by user's chrome JS code)
+ More reliable base domain recognition
+ Switch to nsIEffectiveTLDService on Gecko >= 1.9 (Firefox 3)
+ nsIEffectiveTLDService emulation on Gecko < 1.9 (Firefox 2)
x Updated translations
x Additional QA for release

v 1.1.8.2
=====================================================================
+ Friendlier IFrame handling (thanks war59312 and A. Baxter)
x Fixed Silverlight new detection scheme broken by IFrame blocking
x Fixed compatibility issue with Cooliris send link (thanks Tschua)

v 1.1.8.1
=====================================================================
+ More flexible and reliable redirection management

v 1.1.8
=====================================================================
+ Version bump for Firefox 3
+ Temporarily allow sites matching the regular expression(s) in the
  noscript.whitelistRegExp about:config preference (thanks MaZe)
x Further QA for release
x Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
x Fixed shorthands broken when XSS protection was off (thanks MaZe)

v 1.1.7.9
=====================================================================
+ Notify bar for jar document blocking
x Fixed GreaseMonkey's XMLHttpRequest compatibility regression
x Fixed confusing option, "Forbid other plugins" shouldn't imply
  forbidding Java, Flash and Silverlight.

v 1.1.7.8
=====================================================================
+ JAR uris are forbidden from loading as documents by default, see
  http://noscript.net/faq#jar for details
+ Block untrusted XBL (thanks Sirdarckcat for inspiration)
x Various IFrame blocking refinements

v 1.1.7.7
=====================================================================
x Fixed installation problems with addons.mozilla.org automatic update

v 1.1.7.6
=====================================================================
+ srv.br "special" TLD (thanks Rodrigo Ristow Branco)
+ Better protection against "setter" based XSS vectors and encoded
  "name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see
  http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/ )
+ Improved hidden links management, preserves original body CSS
  attributes when possible (thanks mdots)

v 1.1.7.5
=====================================================================
x wyciwyg support for IFRAMEs

v 1.1.7.4
=====================================================================
+ new noscript.forbidIFramesContext about:config option controls if
  actually enforcing IFRAME blocking depending on the parent page:
  0 -- block always
  1 -- block if parent is in a different site (default)
  2 -- block if parent is in a different domain
  3 -- block if parent is in a different 2nd level domain
+ Minefield version bump (0.3.0a9pre)
x XSideBar keyboard shortcut compatibility (thanks Philip Chee)

v 1.1.7.3
=====================================================================
x Work-around for hidden link detection being triggered by some CSS
  reporting offsetHeight 0 for anchors (thanks Gerrit Heeres)

v 1.1.7.2
=====================================================================
+ Object placeholders' minimum size set to 32x32 for visibility
+ Object placeholder override for Microsoft® Silverlight™
x Fixed "Forbid IFRAME" blocking also Flash (thanks niko322)
x Fixed "Forbid IFRAME" blocking also regular frames (thanks
  ievans)
x Fixed IFRAME in place activation shouldn't reload parent page

v 1.1.7.1
=====================================================================
+ New "Plugins/Forbid IFRAME" option per Gareth Heyes' and Om's request,
  see http://sla.ckers.org/forum/read.php?13,15701,15840
x Fixed logic inconsistency between "Plugins/Forbid xyx" and
  "Plugins/Forbid other plugins" (thanks Kadeos);
x Fixed overzealous behaviour of JS link detection (thanks Kadeos and
  plu for reporting)

v 1.1.7
=====================================================================
+ Further QA for release
+ Improvements in script redirection management

v 1.1.6.27 (1.1.7RC2)
=====================================================================
+ New "Forbid Web Bugs" option in the Advanced/Untrusted panel
x Fixed startup "sudden death" issue (thanks Alan Baxter)

v 1.1.6.26 (1.1.7RC1)
=====================================================================
+ Moved plugin content options to a new top-level "Plugins" tab
+ New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by
  default like "Plugins/Forbid Java™"
+ New "Plugins/Apply these restrictions to trusted sites too" option
+ Enhanced sensitivity for the JS URL detection feature
+ New "jsredirectForceShow" option to always display JavaScript-only
  navigation URLs at the bottom of pages, no matter what the visible
  content is (per timeless' RFE)
+ UTF-8 escaping awareness for InjectionChecker pre-syntax evaluator
+ Arabic (thanks Nassim Dhaher)
+ Indonesian (thanks regfreak)
+ Experimental Intel MidBrowser support
+ Experimental preference locking support (look at the mozilla.cfg
  sample inside the XPI for details)
x Fixed meta-refresh notification failing to appear sometimes
x Cleanup of the counter-measures against Sirdarckcat's redirected
  script trick (available for Fx >= 2.0 only) with user feedback
x Fixed full address no more shown in allowing menu for numeric IP or
  TCP-IP explicit port URLs (thanks blahhhy for report)
x noscriptOptionsWidth entity to localize option dialog size

v 1.1.6.25
=====================================================================
+ Fix for Sirdarckcat's JS redirection trick

v 1.1.6.24
=====================================================================
+ Fixed XSS notification infobar not showing

v 1.1.6.23
=====================================================================
+ Work-around for Daily Dilbert extension's CSS bug hijacking status
  bar icons (thanks gumble and Archaeopterix for reporting)

v 1.1.6.22
=====================================================================
x Fixed toolbar icon breaking when "Scripts Globally Allowed" and no
  script found in page (thanks Claus Valca and Gecco for reporting)

v 1.1.6.21
=====================================================================
x Fixed infobar icon not always properly updated upon tab-switching
  (regression from 1.1.6.20 feedback fix)

v 1.1.6.20
=====================================================================
x Fixed inconsistent status icon feedback (thanks Alan Baxter)

v 1.1.6.19
=====================================================================
x Fix for the massive breakage on Mozilla trunk caused by landing of
  the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=377696
  (thanks Quarantine and Peter(6) for reporting)

v 1.1.6.18
=====================================================================
+ noscript.safeJSRx preference allows to specify a regular expression
  matching statements allowed in a top-level javascript: URL. Default
  value allows sessionstore prompt javascript:window.close() trick
  (http://forums.mozillazine.org/viewtopic.php?p=3033780#3033780)

v 1.1.6.17
=====================================================================
+ Smarter JS link fixing on untrusted sites (thanks timeless)
+ Smarter allowable sites detection/reporting if domain tricks are
  being used.
x Fixed CTRL+Enter address bar SeaMonkey feature (thanks blindtrust)
x Fixed conflict with SiteAdvisor tooltips

v 1.1.6.16
=====================================================================
x Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from
  working: browser packages are whitelisted by default, extensions and
  other chrome packages can be optionally whitelisted adding a
  noscript.forbidChromeExceptions.packageName preference set to true,
  and the noscript.forbidChromeScripts preference defaults to false
  now, since Bug 292789 couldn't do any harm unless some extension
  does very stupid things.
x Fixed incompatibility with the BookmarksHome extension

v 1.1.6.15
=====================================================================
+ Support for keyword-driven bookmarklets on untrusted pages (thanks
  Mike Rocker and therube for report/request)
+ noscript.forbidChromeScripts preference (true by default), prevents
  script tags in content (non chrome:/resource:/file:) documents from
  referencing chrome: scripts, see
  https://bugzilla.mozilla.org/show_bug.cgi?id=292789
x Fix for fast reload not working on Minefield

v 1.1.6.14
=====================================================================
x Work-around for a reload problem caused by Firekeeper 0.2.11
x Version bump for Minefield

v 1.1.6.13
=====================================================================
+ Enhanced the "multi-port shorthand" feature to accept "*" wildcard
  for subdomains, e.g. "http://*.google.com:0" matches every http
  google subdomain with any port number (thanks Dave Faraldo for RFE)
+ Added a "noscript.fixURI.exclude" about:config preference where
  protocols which should not be escaped by NoScript can be specified
  as a space-separated list (thanks therube for inspiration)

v 1.1.6.12
=====================================================================
+ URI Validator facility for on-demand protection against URI-based
  exploits.
  You can add your uri-validator anchored regular expressions as an
  about:config preference named like "noscript.urivalid.protocolname"
  to validate the URI substring immediately following scheme + colon
  (see the noscript.urivalid.aim pre-configured example entry)
x Minor change in query string parser, it doesn't drop "=" split
  chunks exceeding the first two anymore

v 1.1.6.11
=====================================================================
+ Optional blocking of tracking images (also known as "Web Bugs")
  embedded inside NOSCRIPT tags: it can be enabled through the
  noscript.blockNSWB about:config property (thanks lakrids/Arimfe)

v 1.1.6.10
=====================================================================
x Fixed extension conflict leading to javascript: links not opening
  under some circumstances (thanks england and haklin)

v 1.1.6.08
=====================================================================
x Fix for popup content loaded in the opener window regression (from
  mail/news exploitation protection)

v 1.1.6.07
=====================================================================
x Further refinement of URL protocol handler protection to cope with
  special configuration-depending cases with mail/news protocols (not
  affecting SeaMonkey) - thanks Rios and McFeters for generic PoC,
  thanks Darkdata for specific test case

v 1.1.6.06
=====================================================================
x Early protection against URL protocol handling exploitation (see
  http://tinyurl.com/37o23j and Mozilla bug 389106)
x Fix to ampersand being sometimes escaped by anti-XSS filters

v 1.1.6.05
=====================================================================
+ Protection against UTF-7 encoded XSS attacks
x Improved plugin content blocking in background tabs
x Better XSS query string processing preserves "exotic" patterns

v 1.1.6.04
=====================================================================
+ Smarter Anti-XSS filters allowing non-latin characters
x Kill duplicates in "Partially allowed" statistics
x Switched to getDefaultBranch() for volatile CAPS preferences in order
  to grant a clean "Safe Mode" even after Firefox crashes (thanks
  Benjamin Smedberg for suggestion)

v 1.1.6.03
=====================================================================
+ Allowed sites and partial counts in the infobar when scripts are
  "Partially allowed" (timeless suggestion)
+ Window.name payload attacks neutralization
x Fixed over-optimization of JS detection relying on syntax errors
x Fixed "Allow" button shortcut not working in NoScript Options

v 1.1.6.02
=====================================================================
x Fixed "Unresponsive Script" on specific complex URL patterns (many
  thanks to Sue Petersen)

v 1.1.6.01
=====================================================================
x Fixed "Clear private data" window not closing if you hit "OK" on
  browser exit with Firefox < 3.0 (thanks VT for first report)

v 1.1.6
=====================================================================
+ "Light" injection checks are enabled also with "Scripts Globally
  allowed" (notice that allowing scripts globally is still a very bad
  idea, since POST injections and other XSS attacks launched using
  JavaScript, Java or Flash are virtually undetectable)
x Better XSS notification/UI feedback on partial loads
x Depth limit to URL decoding
x Extra QA for public release
x Work-around for JS Development Environment scoped evaluation being
  blocked by noscript.safeToplevel feature

v 1.1.5.07
=====================================================================
x Extra QA and optimization for very complex URLs

v 1.1.5.06
=====================================================================
x Huge performance and accuracy enhancement in injection detector
x Bookmarklet bypass for Minefield Places (thanks Hwasung Kim)

v 1.1.5.05
=====================================================================
+ Smarter injection detector for trusted to trusted
  requests
x Fixed "this.docShell has no properties" issue (many thanks therube)
x Fixed external URLs not opening in IETab (thanks chili1)

v 1.1.5.04
=====================================================================
x Fixed traceback regression skipping checks on permissions change

v 1.1.5.03
=====================================================================
x Fixed XSS notification message bar not showing sometimes

v 1.1.5.02
=====================================================================
x More accurate origin detection on META refresh

v 1.1.5.01
=====================================================================
+ XSS character-level filter enhancements
+ Notifications for Flash-based XSS too

v 1.1.5
=====================================================================
x Removed about:neterror from the permanent non-deletable whitelist
  (for the super-paranoids, thanks Aerik)
x Minor bug fix, anti-XSS notification bar skipped when an URL nested
  in a query string gets sanitized
x Extra QA for public release

v 1.1.4.9.070627
=====================================================================
+ Added "0" shorthand to match all *explicit* IP ports on the same
  protocol/host, e.g. http://acme.com:0 matches http://acme.com:8080
  and http://acme.com:9999, but neither https://acme.com:8080 nor
  http://acme.com
+ Partial numeric IPv4 are matched up to the 2nd leftmost byte, e.g.
  "192.168" matches 192.168.0.22 and "10.0.0" matches 10.0.0.33
x Minor cosmetic tweaks to XSS notifications threshold
x Improved reload on permissions change

v 1.1.4.9.070624
=====================================================================
+ Optimization of active counter-measures
x Additional QA for public bug fixing automatic update

v 1.1.4.9.070623
=====================================================================
+ More lenient yet the safest XSS filters
x Fixed a leak happening when a secondary browser window is closed

v 1.1.4.9.070622r3
=====================================================================
x Fixed some popup not closing issue (thanks Angelo Dicerni)

v 1.1.4.9.070622r2
=====================================================================
x Fixed issue with usernames embedded in home page (thanks england)

v 1.1.4.9.070622r1
=====================================================================
x Fixed incompatibility with certain malformed Ebay search URIs (thanks
  to Marc Van Buggenhout for reporting)

v 1.1.4.9.070622
=====================================================================
+ Full Anti-XSS protection for every trusted URL opened from external
  applications
+ Protection against all the currently known cross-browser exploits
  targeting Firefox

v 1.1.4.9.070621
=====================================================================
+ Additional checks for toplevel windows (thanks dveditz)
x Work-around for interference of some tab-related extension with
  external URL interception

v 1.1.4.9.070620
=====================================================================
+ Protection against so called "Universal XSS" through JS URLs opened
  by external applications, as explained in
  http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html

v 1.1.4.9
=====================================================================
+ noscript.injectionCheck about:config option adds first-line detection
  for XSS injections in GET requests originated by
  whitelisted sites and landing on top level windows. Value can be:
  0 - never check
  1 - check cross-site requests from temporary allowed sites
  2 - check every cross-site request (default)
  3 - check every request
+ noscript.jsredirectIgnore about:config option enables/disables the
  new "Detect and show JavaScript redirections" feature
+ noscript.jsredirectFollow about:config option enables/disables
  auto-following if a single redirect is detected on a textless page
x "Allow top level sites by default" won't affect sites that have been
  manually forbidden during the current session (to make this exception
  permanent, mark the site as untrusted)

v 1.1.4.8.070618
=====================================================================
+ New placeholders for plugin content can be right clicked as any
  "regular" link, e.g. to "Save Link As..." or "Copy Link Location"
+ Placeholders for plugin content are rendered real-time during load
+ Experimental detection of JavaScript redirections (thanks timeless)
x Fixed glitch in plugin replacement with JS enabled (thanks lulu135)

v 1.1.4.8.070617
=====================================================================
x Fixed untrusted blacklist import bug (thanks MZFuser)

v 1.1.4.8.070606
=====================================================================
+ edu.tw special TLD (thanks twocs)
+ New noscript.autoReload.global about:config preference controls if
  automatic reload affects global allow / forbid (thanks lulu135)
+ New noscript.autoReload.allTabs about:config preference controls if
  automatic reload affects all or just current tab (thanks lulu135)

v 1.1.4.8.070602
=====================================================================
x Removed console error message on document unload in SeaMonkey

v 1.1.4.8.070530
=====================================================================
x Fixed toggle shortcut regression (thanks therube)

v 1.1.4.8.070529
=====================================================================
x Automatic
  fixup of trailing dot domains, replacing them on the fly with their
  canonical name (thanks fartron and timeless)
+ "in.th" special TLD (thanks Kridsada)
x Fixed minor notification glitches in Fx 1.5 (thanks arete7)

v 1.1.4.8.070528
=====================================================================
x Performance optimization of options dialog closure for long
  whitelists used in conjunction with long blacklists (thanks arete7)
x Automatic notification hiding for background tabs (thanks arete7)

v 1.1.4.8.070523
=====================================================================
x Improved notification consistency with back-forward navigation
x Better compatibility with Google Desktop Search and Paypal email
  notifications

v 1.1.4.8.070522
=====================================================================
+ "org.uy", "net.uy" and "edu.uy" special TLDs (thanks Mauricio)
x Nicer url randomization
x Improved notification on nested URL XSS sanitization
x Fixed external load request detection failing "randomly" in some
  setups (regression from the IETab incompatibility work-around)

v 1.1.4.8.070521
=====================================================================
x Fixed regression from bug 53901 work-around, "Mark as untrusted menu"
  not working anymore (thanks Ricky Ridgdill)

v 1.1.4.8.070520
=====================================================================
x Resolved 070509 conflict with IETab + Tab Mix Plus causing some
  tab-diverted links to open in new windows (thanks to Nuttysman,
  niko322, Alan Baxter)

v 1.1.4.8.070514
=====================================================================
x Sanitized URI randomization (thanks kuza55 for inspiration)
x *Fast* reload also with fragment URI (thanks Martin Focke)

v 1.1.4.8.070513
=====================================================================
x Fixed last minute regression slipped in Anti-XSS GET filter (some
  suspicious query strings entirely removed, rather than sanitized)

v 1.1.4.8.070512
=====================================================================
+ Appearance Option to show/hide "Allow" menu items (thanks mamas6667)
x Updated locales (cs-CZ, en-GB, pl-PL)

v 1.1.4.8.070511
=====================================================================
x Fixed "black boxes" glitch on page unload (thanks jdopple)
x Fixed XSS exceptions must allow blank value (thanks Martin Focke)
x Fixed reloading URLs with hash (thanks Martin Focke)
x Work-around for Minefield bug displaying wrong labels on cloned menu
  items (thanks Itsnow)
x Fixed regression, menu popup not shown by keyboard shortcut when both
  toolbar button and status bar element are hidden (thanks niko322)

v 1.1.4.8.070509
=====================================================================
+ noscript.xss.trustExternal about:config preference controls if
  anti-XSS filters should be bypassed for URLs opened from external
  applications like email clients (default false)
+ noscript.xss.trustTemp about:config preference controls if anti-XSS
  should be bypassed if URLs are opened from "temporary allow"ed sites
  (default true, thanks Salim for suggestion)
x Wikipedia default XSS exception tweaked to include apostrophes in
  titles (thanks Alan Baxter for report)

v 1.1.4.8.070505
=====================================================================
x Better compatibility with Google Toolbar's translation service

v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active (thanks
  mastro for report)
x (Hopefully) Last bug fix in referrer XSS sanitization (thanks Alan
  Baxter)

v 1.1.4.8.070501
=====================================================================
x Further bug fix in referrer XSS notification template

v 1.1.4.8.070430
=====================================================================
x Localization updates and release QA

v 1.1.4.8.070429
=====================================================================
+ Shortcut to show NoScript menu works even if status bar icon and
  toolbar button are both hidden
x Fixed "Options..." button not working if status bar hidden (thanks
  napiertt and joymus)
x Fixed regression in XSS notifications due to 070427 fix (some XSS
  suspicious requests were silently cancelled, rather than sanitized
  and notified)
x Fixed "empty Untrusted menu" (thanks niko322)

v 1.1.4.8.070428
=====================================================================
x Fixed using keyboard shortcut always shows status icon
x Fixed closing toolbar button menu always shows status icon

v 1.1.4.8.070427
=====================================================================
x Fixed referrer sanitization glitch (thanks Alan Baxter)

v 1.1.4.8.070426
=====================================================================
x Fixed Refresh Blocker and Tab Mix plus redirection permissions
  incompatibility (thanks tabasco.kfarmer and Mc)
x Fixed SeaMonkey "removed content" placeholder (thanks therube)
x Fixed Seamonkey "Reset" button placement (thanks Phil Chee)

v 1.1.4.8.070425
=====================================================================
+ Experimental "noscript.contentBlocker" about:config preference to
  block Java, Flash and other plugins in whitelisted sites as well
x Fixed bug in toolbar button Untrusted submenu (thanks Steve1000)
x Better XSS management on whitelisting automatic reloads (XSS checks
  for whitelisting reloads can be disabled by toggling off the
  "noscript.xss.trustReloads" preference in about:config)

v 1.1.4.8.070424
=====================================================================
+ "Reset" command in Options Dialog resets options to their default
  values (thanks Frank Myers)
+ Always bypass cache on XSS Unsafe Reload (thanks Jussi Lahtinen)
+ Serbian translation (thanks Ivan Pesic)
x Improved Wikipedia XSS exception

v 1.1.4.8.070423
=====================================================================
+ Lithuanian (thanks Mindaugas Jakutis)
x Additional localization updates and minor fixes

v 1.1.4.8.070422
=====================================================================
+ Forbid META redirection inside NOSCRIPT element in Seamonkey too
+ XSS notifications for Fx 1.5 too
+ XSS status bar icon appears when XSS activity is detected: left/right
  click opens XSS menu, middle click hides icon
+ META redirection bar icon appears when needed: click follows
  redirection once, shift+click remembers for session, middle click
  hides icon
x Fixed a regression (070420 only) with Import/Export buttons broken
x Fixed toolbar button removal messing with other NoScript menus
  (thanks niko322 for report)
x Fixed file:// URL item not showing anymore regression (thanks
  Shingoshi for report)
x Fixed regression in Option Dialog: removing from whitelist didn't
  work if you applied to just one site (multiple batch did work) -
  thanks Alan Baxter for report

v 1.1.4.8.070420
=====================================================================
x Fixed "Forbid other plugins implies Forbid Flash" - thanks Dwedit
x Fixed Options dialog issues with Fx 1.5

v 1.1.4.8
=====================================================================
x Minor improvements in XSS exceptions regular expression parsing
x Fixed last-minute Seamonkey breakage (many thanks therube!!!)

v 1.1.4.8RC3 (1.1.4.7.070420.1)
=====================================================================
x Further refinement in XSS filters (thanks niko322)

v 1.1.4.8RC2 (1.1.4.7.070420)
=====================================================================
x Fixed 2nd level domain toggle option (thanks therube)
x Fixed multi-window feedback synchronization (thanks lakrids)

v 1.1.4.8RC1 (1.1.4.7.070419)
=====================================================================
+ Option to block META refresh inside NOSCRIPT elements: a prompt will
  be shown asking if you want to follow the redirect, and choice will
  be remembered across the current session
  (noscript.forbidMetaRefresh.remember preference, dismissing the
  notification with its close button means "keep blocked") thanks
  rsnake and Alan Baxter for suggestion (Firefox 2 only)
+ "XSS-Unsafe Reload" menu item in the XSS notification bar popup
+ "XSS FAQ" menu item in the XSS notification bar popup
+ noscript.xss.notify.subframes about:config preference to control
  notification for XSS in subframes (default false, suppressed)
+ Option to toggle sites by (2nd level) domain, rather than full URL
x Default "Show NoScript menu" shortcut changed to Ctrl+Shift+S
  (Ctrl+Shift+X conflicting with "change direction" Firefox command)
x moved "Show Console" from XSS notify button to an "Options" popup
x Options Dialog reorganization
x Right click on toolbar button and status bar elements opens menu
x Mass-removal speedup in Options Dialog|Whitelist

v 1.1.4.7.070414
=====================================================================
+ Finer grained treatment for data: and javascript: urls in frames,
  whose domain is considered the one of the nearest window ancestor
  having a meaningful web address (thanks to Vectorspace for his
  suggestion)

v 1.1.4.7.070413
=====================================================================
+ "noscript.globalwarning" about:config hidden preference controls
  whether a warning prompt should be issued
  or not whenever user switches on scripts globally (true by default)
x Improved Anti-XSS Protection compatibility with some message boards (special thanks to Aerik and Olaf Schweppe)

v 1.1.4.7
=====================================================================
+ First "official" anti-XSS release
+ New plugin content detection algorithm defeats latest aggressive Flash cloaking strategies (e.g. http://www.hardocp.com/ )
+ Improved subframe detection, includes object elements (e.g. http://www.operamini.com/demo/ )
+ Improved fast reload, preserving form input data.
+ Minefield full compatibility

v 1.1.4.6.070409
=====================================================================
x Fixed weird intermittent interference with dynamic JavaScript inclusion via document.write() used by some JavaScript libraries (e.g. Prototype, Dojo or Tiny-MCE)

v 1.1.4.6.070404
=====================================================================
x Drastic reduction of XSS redirection-related false positives

v 1.1.4.6.070325
=====================================================================
x Fixed regression, leak happening on window closure (10x pirlouy)
x Fixed regression, file:// entries missing from menus (10x therube)

v 1.1.4.6.070322
=====================================================================
+ Safer behaviour on reloading/whitelisting an XSSed page

v 1.1.4.6.070321
=====================================================================
+ XSS sanitization of the whole request URL
+ XSS sanitization of the referrer URL
+ XSS filters exceptions for some "trusted" addresses requiring cross-site complex query strings (controlled by a regexp in the noscript.filterXExceptions hidden preference, defaults to Google search and Yahoo search)
+ Better general search engine compatibility with anti-XSS filters
x Several performance optimizations

v 1.1.4.6.070318
=====================================================================
+ First anti-XSS countermeasures round: "default
  deny" sanitization is applied to every request coming from an unknown (restricted) site and landing on a trusted (scripting allowed) site:
  1. GET requests with a query string get all the matches for the noscript.filterXGetRx regular expression replaced with space
  2. POST requests are turned into no-data GET
  3. Every request filtering action is logged to the Console, while a short notification is issued through the info-bar* (if enabled)
  *Info-bar notifications require Fx 2.0 or above
  Behaviours 1 and 2 can be controlled from NoScript Options|Advanced

v 1.1.4.6.070317
=====================================================================
x Customizable keyboard shortcuts (about:config - noscript.keys.*)
x Quick toggle (by shortcut or toolbar) behaviour changed to *Temporarily* Allow / Forbid (old behaviour can be restored by setting the about:config noscript.toggle.temp pref to false)

v 1.1.4.6.070316
=====================================================================
+ Super fast reloading after toggling permissions
+ Hebrew (thanks to Asaf Bartov)
x removed mozillazine.org and mozilla.org from the default list (thanks Wladimir Palant)

v 1.1.4.6.070307
=====================================================================
x Further improvement in Higmmer patch

v 1.1.4.6.070305
=====================================================================
x Fixed a resource deallocation issue (thanks Higmmer)
x Fixed a potential slowdown on startup

v 1.1.4.6.070304
=====================================================================
+ Added many ".id" special TLDs (thanks FatMan)
x Fixed localization-related bugs
x Other minor bug fixes

v 1.1.4.6.070302
=====================================================================
x Fixed a regression in the "Export" functionality
x Added a couple of about:config options (noscript.keys.*) to disable keyboard shortcuts: just blank their values.
  Notice: changing the option value to a different key is possible, but it doesn't actually work (yet?)

v 1.1.4.6
=====================================================================
x Stable "blacklist" release
+ Vietnamese (thanks tonynguyen)
+ Galician (thanks roebek)

v 1.1.4.5.070222
=====================================================================
x Fixed a "Mark as untrusted" menu item bug

v 1.1.4.5.070210
=====================================================================
x Fixed a bug affecting some locales on Mozilla/SeaMonkey/Fx 1.0

v 1.1.4.5.070207
=====================================================================
x "Forbid" doesn't mark the site as untrusted by default anymore (old behaviour can be restored via "noscript.forbidImpliesUntrust" pref)

v 1.1.4.5.070127
=====================================================================
+ Experimental blacklist ("Mark as untrusted" + "Untrusted|Allow")
+ Global shortcut toggling top level status: "CTRL + SHIFT + \"
+ Global shortcut to NoScript menu: "CTRL + SHIFT + X"
+ Extra control on NOSCRIPT elements rendering
+ "Allow Globally" menu item is optional now (shown by default)
+ "Link Local Files" optional permission for trusted sites
+ "noscript.excaps" hidden pref for CAPS conflicts resolution (e.g.
  with Google Toolbar and other Google extensions)
+ "Temporarily allow top-level sites by default" new preference (not advised and disabled by default)
+ Menu items referring to current location are highlighted in bold
+ New preference in Options|General controls toolbar button reaction to left click (default none, optional toggles top level status)
+ net.uk, com.uk and org.uk pseudo TLDs

v 1.1.4.5.061231
=====================================================================
x Fixed "cancel with non-failure status code" assertion

v 1.1.4.5.061221
=====================================================================
+ Minefield (3.0a2) support
+ Fixed plugin placeholder trunk issue (thanks timeless for report)
+ *.ua "special" TLDs (thanks Devan Chetty)

v 1.1.4.5.061206
=====================================================================
+ Added org.in and co.sy to the "special" TLDs list
x Fixed some bookmarklet quirks (not in trunk, though)
x Fixed a bug in "uk.xyz" special TLDs management

v 1.1.4.5.061030
=====================================================================
x Minefield fix: feedback during/after document loading (bug 335251)
x Minefield fix: bookmarklet on the fly enablement (bug 351633)

v 1.1.4.5.061021
=====================================================================
x Fixed title changes lost on some pages
x Restored Flock compatibility

v 1.1.4.5
=====================================================================
+ Some user interface tweaks in the Options UI
+ Several optimizations
x Fixed XML issue
x Fixed BFCache side-effects on certain pages
x Fixed a timing bug in stand-alone plugin interception

v 1.1.4.4
=====================================================================
+ be-BY (Belarusian) thanks to DRKA
+ JavaScript links fixing made compatible with AllPeers
+ Better interception of plugin content
x Fixed interception of xml and xhtml content
x Fixed some strict warnings (thanks to timeless)

v 1.1.4.3
=====================================================================
+ Emulated Firefox 1.0.x top-level plugin content blocking behaviour
+ uk-UA (Ukrainian) thanks to MozUA
+ th-TH (Thai) thanks to Qen
+ fa-IR (Persian) thanks to Pedram Veisi
+ el-GR (Greek) thanks to Sonickydon
+ en-GB (English GB) thanks to Ian Moody
+ hr-HR (Croatian) thanks to Krcko
x Other updated translations
x Fixed plugin content reloading bug

v 1.1.4.2
=====================================================================
+ Notifications Firefox 2+ compatible
x Fixed whitelist import bug (phantom resource:xyz entry)
x Fixed "removeLinkFixer" warning (thanks to Pablo)

v 1.1.4.1
=====================================================================
+ Left clicking on NoScript toolbar button toggles permissions for current top-level site
+ Shift+Click on a Java/Flash/Object placeholder temporarily hides it
+ "Attempt to fix JavaScript links" now skips "real" hash URLs
+ Added live.com to the default whitelist (for MS webmails)
x Removed a leak caused by "Attempt to fix JavaScript links" option
x Fixed Macedonian translation

v 1.1.4
=====================================================================
+ "Allow sites opened through bookmarks" option
+ Notification delay in seconds can be changed through the "noscript.notify.hideDelay" about:config preference
x Removed bogus JS messages on SeaMonkey startup
x Fixed bookmarklet support to work with the new "Places" code, the bookmark sidebar and the bookmark manager
x Added mozilla.com to the default whitelist
x Always honour "Attempt to fix JavaScript links" option (links were processed anyway if "Forbid " was enabled)

v 1.1.3.9
=====================================================================
x Fixed temporary memory leak when loading pages containing plugins (many thanks to Steve England)
x JavaScript links should not be "fixed" when scripts are globally allowed

v 1.1.3.8
=====================================================================
x Another emergency release to fix Babelzilla bugs with Asian languages (mass-reverting to 1.1.3.5 properties files to be sure).
- Removed permanent whitelist (all the web sites can be forbidden from the UI, no more about:config needed)

v 1.1.3.7
=====================================================================
x Fixed some localization bugs

v 1.1.3.6
=====================================================================
+ "Fix JavaScript links" option: enabled by default, attempts to automatically turn JavaScript links into regular anchors on load
+ Advanced options "Allow " on trusted sites (defaults to the browser settings) and "Forbid " on untrusted sites (default yes) give the user control over the new, debated "ping" anchor attribute
+ New hidden (about:config) boolean preference "noscript.consoleDump" controls if blocked contents must be logged to the console (false by default)
+ Slovak (thanks to Slovak Soft)
+ Romanian (thanks to Ultravioletu)
+ Hungarian (thanks to LocaLiceR)
+ Chinese Traditional (thanks to Chiu Po-Jung)

v 1.1.3.5
=====================================================================
+ "Truncate title" option: enabled by default, even on whitelisted sites, is a quick & dirty work around for Firefox DOS bug 319004
+ "com.xy" 2nd level domains are always considered special TLDs
+ Other special TLDs added
x Fixed "Forbid other plugins" semantics: Java and Flash should remain allowed unless their specific "Forbid" option is flagged.
x Fixed Portuguese locale bug

v 1.1.3.4
=====================================================================
+ Flock support
+ Finnish (thanks to Mika Pirinen)
+ Norwegian bokmål (thanks to Håvard Mork)

v 1.1.3.3
=====================================================================
+ Placeholder icon can be hidden (NoScript Options|Advanced)
+ Message bar notifications can be set to go away automatically after 5 seconds
+ Bulgarian (thanks to Georgi Marchev)
+ Simplified Chinese (thanks to George C. Tsoi)
+ Russian (thanks to Alexander Sokolov)
+ Turkish (thanks to Engin Yazılan)
x Best effort XPCOM auto registration on Mozilla Suite installation
x Minor menu formatting glitches removed
x Some about:xxx URLs added to the default whitelist

v 1.1.3.2
=====================================================================
+ Bookmarklet support. It allows JS on current page just for the bookmarklet execution lifespan. If you don't want or don't need it, turn on "NoScript Options|Advanced|Forbid Bookmarklets"
x Fixed right-click status label crash affecting pre-1.8 browser. Now status label context menu works on Mozilla and Firefox 1.0.x too.

v 1.1.3.1
=====================================================================
+ Option to skip confirmation when temporarily unblocking objects
+ Optional status bar label (with Firefox-only context menu)
+ Support for Unicode domains
x Work-around for Firefox bug #307678 (dialogs freeze)
x Handle about:neterror and about: (help) "always allowed" exception

v 1.1.3
=====================================================================
+ Toolbar button
+ Java/Flash/Plugin content can be temporarily allowed (for the current tab) with a left click on its placeholder
+ Further optimizations in site matching
+ Japanese (thanks to beerboy)
+ Polish (thanks to Lukasz Biegaj)
+ Catalan (thanks to Joan-Josep Bargues)
+ Czech (thanks to Petr Jirsa)
x Bug fix: "Allow JavaScript Globally" didn't affect Java, Flash and Plugin immediately

v 1.1.2.20050901
=====================================================================
x Bug fix: temporarily allowed sites were not removed if no permission change happened in the following session

v 1.1.2
=====================================================================
+ Java/Flash/Plugins blocking works in Mozilla Suite / SeaMonkey too
+ Huge performance (up to 100x) improvements in policy matching
+ More consistent temporary sites handling (allowing a temporary domain while subdomains are allowed, now forbids ancestors of that domain but not its subdomains anymore on restart)
+ Added "ar.com" to the list of "special" TLDs
x No more "phantom" http:// and https:// entries in whitelist

v 1.1.1
=====================================================================
x Fixed sites list update synchronization bug
x Fixed Spanish locale bug

v 1.1.0
=====================================================================
+ Customizable message position, top or bottom (new default)
+ Customizable audio sample for feedback
+ (Firefox only) Advanced options to forbid Java™, Flash® and other plugins (Java™ forbidden by default, since many users don't
  know the difference between Java and JavaScript)
+ Advanced options to allow rich-text clipboard on trusted sites
+ Portuguese translation (thanks to Dario Ornelas)
x New (less ambiguous) "partially allowed" icon
x Audio feedback off by default
x Statusbar icon hidden status persists across sessions
x Proper jar: scheme handling (will allow per-domain selection when Firefox bug preventing it is patched - see https://bugzilla.mozilla.org/show_bug.cgi?id=298823)
x jar: scheme can be allowed only temporarily (see above)
x No more browser activity stop after permission changes

v 1.0.9
=====================================================================
+ Temporarily allow URLs (for current session only): temporary items are shown in italics font
+ Clean uninstall in Deer Park
+ Added jar: to the default white-list, to allow about:plugin and other "special" URLs to work out-of-the-box
x Better work-arounds for Firefox synchronization bugs
x Fixed conflict when a "View Source" window was open

v 1.0.8
=====================================================================
+ Whole addresses are shown when a port number is specified, whatever the Appearance options are, since enabling a domain doesn't enable it for non-standard ports (thanks to jayvdb for suggestion)
+ Stop every browser activity before changing policies (this should be a workaround for most crashes due to Firefox CAPS bugs)

v 1.0.7
=====================================================================
+ Notification message "popup blocker" style (Firefox only)
+ Autoreload synchronizes every view whose permissions have changed
+ Spanish translation (thanks to Alberto Martínez)
x Improved subframes management in the contextual menu
x Better UI support for "special" TLDs like co.uk, co.nz and others
x Improved support for numeric addresses
x Audio feedback with more discreet sound effect :-)

v 1.0.6
=====================================================================
+ Whitelist import/export (thanks
  hsmwrv for suggestion)
+ Only 2nd level (base) domains shown by default in the "Allow" menu items (easier operation for non-geeks; geeks can still revert to the old fine grained interface using the "Appearance" options)
+ Blocked scripts audio feedback (thanks to Markus for suggestion)
+ about:config/noscript.permanent can be changed live (no FF restart)
x chrome content URLs are properly whitelisted (XUL error pages OK)
x Fixed empty permanent list problem (thanks to Patrick and Oremina for report)

v 1.0.5
=====================================================================
+ "Appearance" option to hide/show popup menu and status bar icon; if you decide to hide both, options are still reachable through the Extension Manager context menu (thanks Dick Minor for suggestion)
+ 2nd level domain trick doesn't clutter Options Dialog anymore (http[s]:// auto-prefixed domains are hidden in whitelist)
x Fixed menu layout (thanks to TheOneKEA for report)

v 1.0.4
=====================================================================
+ Automatically creates http:// and https:// prefixed URLs when a 2nd level domain (xyz.com) is allowed, as a workaround for Firefox not matching URLs with a raw 2nd level domain if no protocol is listed (thanks to Laura for report)
+ "Allowed" status feedback for chrome:// URLs (pacanukeha)
x Core functionality refactored in a XPCOM service

v 1.0.3
=====================================================================
+ Feedback about actual presence of script elements in current page (white "S" icons if no script tag is found, while number of found tags is shown in the tooltip - thanks to Volker for suggestion)
+ Feedback about partial permissions in pages containing subframes (a broken red "stop" sign means only some frames are forbidden)
+ Events are coalesced for better performance and stability
+ Improved options dialog usability (new items are ensured visible and "delete" key performs mouse-less site removal)
+ Added hotmail/msn/passport
  domains to default whitelist (thanks to Swann for suggestion)
+ Added googlesyndication.com and noscript.net to permanent list ;)
x Fixed whitelist options dialog sometimes "forgetting" recently added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for their reports)

v 1.0.2
=====================================================================
+ Option dialog shortcuts (thanks to Ulysses for suggestion)
+ French translation (thanks to Xavier Robin)
x NoScript doesn't ignore port number in URLs anymore
x Moved "Options" and "About" items to the top of status bar menu (thanks to Filipp0s for suggestion and for the smaller icons too)
x Added mozillazine.org and gmail.google.com to default allow list
x No duplicates in menu when multiple frames share the same ancestor domain (e.g. mozillazine.org)

v 1.0.1
=====================================================================
+ Contextual menu for easy operation in statusbar-less windows
+ Current page is automatically reloaded when permissions are changed
+ Support for implicit subdomain inclusion (e.g. if you add mozilla.org, you allow www.mozilla.org, addons.mozilla.org etc.)
+ German translation (thanks to my friend Thomas Weber)
x Fixed localization issue
x Work around for Firefox occasional crashes

v 1.0.0
=====================================================================
First public release

content/noscript/NoScript_License.txt

NoScript - a Firefox extension for whitelist driven safe JavaScript execution
Copyright (C) 2004-2007 Giorgio Maone - g.maone@informaction.com

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

content/noscript/about.xul

Extra protection for your Firefox: NoScript allows JavaScript, Java (and other plugins) only for trusted domains of your choice (e.g. your home-banking web site). This whitelist based pre-emptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts will agree: Firefox is really safer with NoScript :-)

content/noscript/contents.rdf

chrome://noscript/content/noscriptOverlay.xul
chrome://noscript/content/noscriptBMOverlay.xul
chrome://noscript/content/noscriptBMOverlay.xul
chrome://noscript/content/noscriptBMOverlay.xul
chrome://noscript/content/noscriptBMOverlay.xul
chrome://noscript/content/prefContent.xul
chrome://noscript/content/noscriptOverlay.xul

content/noscript/en-US/about.properties

extensions.{73a6fe31-595d-460b-a920-fcc0f8843232}.description=Extra protection for your Firefox: NoScript allows JavaScript, Java (and other plugins) only for trusted domains of your choice (e.g. your home-banking web site). This whitelist based pre-emptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts will agree: Firefox is really safer with NoScript :-)
aboutTitle=About %S
extensionContributors=Contributors:
extensionContributors.tip=People you should thank for this extension
extensionCreatorLabel=Author:
changelog=Changelog
changelog.tip=Show changelog
license=License
license.tip=Read end-user license
logo.tip=Visit extension home page
sponsor.tip=Visit sponsor home page
informaction.tip=Visit InformAction home page
extensionHomepage.tip=Visit extension home page
extensionCreator.tip=Visit author home page
version=Version %S

content/noscript/en-US/noscript.properties

allowGlobal=Allow scripts Globally (dangerous)
forbidGlobal=Forbid scripts Globally (advised)
allowLocal=Allow %S
allowTemp=Temporarily allow %S
forbidLocal=Forbid %S
allowed.glb=Danger! Scripts Globally Allowed
allowed.yes=Scripts Currently Allowed
allowed.prt=Scripts Partially Allowed
allowed.no=Scripts Currently Forbidden
global.warning.title=Warning!
global.warning.text=Scripts are going to be allowed globally (for every site).\n This is a potentially dangerous action.\nDo you really want to proceed?
uninstall.alert.title=NoScript out of service
uninstall.alert.text=[%S]\nYou've choosen to uninstall or disable NoScript, hence you can't change scripting permissions anymore.\nIf you want to change them, you have to install or enable NoScript again.
audio.samples=Audio samples
confirm=Are you sure?
alwaysAsk=Always ask for confirmation
notifyHide=Hide after %S seconds
trust=Trust %S
distrust=Mark %S as Untrusted
untrustedOrigin=an untrusted origin
xss.notify.generic=NoScript filtered a potential cross-site scripting (XSS) attempt from %S. Technical details have been logged to the Console.
xss.notify.showConsole=Show Console...
xss.notify.showConsole.accessKey=S
xss.reason.filterXGet=Sanitized suspicious request. Original URL [%1$S] requested from [%2$S]. Sanitized URL: [%3$S].
xss.reason.filterXGetRef=Sanitized suspicious request referer. URL [%1$S] requested from [%2$S]. Sanitized Referrer: [%3$S].
xss.reason.filterXPost=Sanitized suspicious upload to [%1$S] from [%2$S]: transformed into a download-only GET request.
unsafeReload.warning=UNSAFELY reloading a suspicious\n\n%1$S [%2$S]\n\nFROM [%3$S]\n\nNoScript will NOT protect this request!\n
metaRefresh.notify=NoScript blocked a redirection inside a