NoScript ChangeLog

v 1.3.2
=====================================================================
+ Scriptless support for history.go(x), history.forward() and 
  history.back() links/buttons (thanks timeless for suggestion)
+ resource: URI path traversal protection
+ New "noscript.allowedMimeRegExp" about:config option to whitelist
  some content types not to be blocked by "Forbid other plugins", for
  instance "application/pdf" or "image/.*"
+ Plugin content is always forbidden if coming from sites explicitly
  marked as "Untrusted" (blacklisted). This behavior can be disabled
  by setting the "noscript.alwaysBlockUntrustedContent" about:config 
  option to false (thanks NakedStranger for suggestion).
x Fixed XSS false positive at mail.yahoo.com
x noscript.jsredirectFollow preference more effective on blank but
  not empty (i.e. space only) body (thanks timeless for suggestion)

v 1.3.1
=====================================================================
x Fixed missing plugin content placeholder regression on some gaming
  sites (thanks Aerik and hewee for report)

v 1.3
=====================================================================
+ "Revoke temporary permissions" command in NoScript floating menus
+ Fixed plugin content placeholder sometimes missing on background
  tabs Linux issue (thanks WAPCE for report)

v 1.2.9.6
=====================================================================
+ Better plugin content placeholder management
+ noscript.canonicalFQDN about:config preference to control 
  canonicalization of domains ending with a dot.
+ Updated translations

v 1.2.9.5
=====================================================================
+ Transparent blocking of non-text frames (thanks sam41177878)

v 1.2.9.4
=====================================================================
+ Tweaked preliminary URL screening optimizations to enhance 
  Injection Checker sensitivity (thanks Gareth Heyes)

v 1.2.9.3
=====================================================================
+ Updated Injection Checker to take into account upper Unicode 
  JavaScript identifiers (thanks Gareth Heyes)

v 1.2.9.2
=====================================================================
x Further reduced false positives with post-syntax danger checks

v 1.2.9.1
=====================================================================
x Fixed issues with trans-domain redirections, stacking entries in
  the previously viewed site's menu (thanks Hanspeter Spalinger)

v 1.2.9
=====================================================================
x Set noscript.jsredirectFollow default to false
x Extra QA for release

v 1.2.8
=====================================================================
+ Injection Checker optimization on very long query strings
x Fixed OpenId XSS false positive on blogger.com (thanks dondado)

v 1.2.7
=====================================================================
x Fixed Yahoo search XSS false positive by double checking valid JS
  fragments for potential danger (10x firefoxisgreat2008 for report)
x Fixed the "form fields forgotten" issue by disabling the jsHack
  feature which caused it. If you need jsHack and you can afford this 
  problem, just set the noscript.jsHackRegExp about:config preference 
  to a regular expression matching the URLs where you want it enabled
x Fixed content placeholders not showing on some sites
x Fixed POST payload shouldn't be stripped as a consequence of
  injection checking (thanks theiago for report)

v 1.2.6
=====================================================================
x Updated localizations
x Extra QA for release

v 1.2.5
=====================================================================
x Work-around for conflict with Tab Mix Plus dev. in Fx 3's Places
  (http://tmp.garyr.net/forum/viewtopic.php?t=8052)

v 1.2.4
=====================================================================
x Fixed NOSCRIPT content shown in pages allowed on the fly with
  "Temporarily allow top-level sites" (thanks Pirlouy for report)

v 1.2.3
=====================================================================
+ Improved Injection Checker JSON compatibility, now recursively 
  checking content of string attributes
x Further JS syntax check optimizations
x Fixed potential XBL-based crash after successful -moz-binding
  injection (thanks Gareth Heyes for reporting)
x More discreet XSS notification for subframes

v 1.2.2
=====================================================================
x Changed noscript.filterXGetRx default to make single quote removal 
  happen only after positive injection checks (thanks sirdarckcat for
  suggestion)

v 1.2.1
=====================================================================
x Fixed placeholder not shown for plugin content loaded in frames
  (thanks Apoc2400)
x Revised InjectionChecker made compatible with JSON GET parameters
  (thanks "Wilderness Of Mirrors")

v 1.2
=====================================================================
+ Better protection against Flash-based XSS and other plugin-related
  cross-site attacks
+ Better feedback for allowable sites from embedded redirections 
  (thanks Leo Häfliger for report)
+ XSS filtering in subframes gets notified (was silent by default)
x Fixed temporary allowed site prevents parent from being allowed
  permanently (e.g. in auto-allow mode)
x Fixed stand-alone WM plugin pages delayed blocking (thanks therube)
x Extra QA for release
x Updated localizations

v 1.1.9.9
=====================================================================
+ Hardened injection checker (thanks Gareth Heyes)
x Better compatibility with Wikimedia sites
x Fixed rtsp: and mms: plugin content always considered untrusted 
  (thanks Florian Gerstenlauer for report)
x Fixed one-click plugin activation (with no confirmation) sometimes
  deferred to next page refresh (thanks Erwin J. Knöll for report)

v 1.1.9.8
=====================================================================
+ Experimental noscript.jsHack about:config preference containing JS
  code to be executed before page loads in order to accommodate for
  missing features (default implants a fake urchinTracker, see
  http://forums.mozillazine.org/viewtopic.php?p=3183986#3183986)

v 1.1.9.7
=====================================================================
+ new "Revoke temporary permissions" command
+ new Plugins option: "Collapse blocked objects"
+ new Plugins option: "No placeholder for object coming from sites 
  marked as untrusted"
x Fixed OBJECT count bug when placeholders are not shown
x Work-around for IETab incompatibility with noscript.contentBlocker

v 1.1.9.6
=====================================================================
x Object placeholder rendering optimization
x Extra QA for release

v 1.1.9.5
=====================================================================
+ Plugins disabled by default on unknown sites
x References to "Macromedia Flash" changed into "Adobe Flash"
x Fixed wrong OBJECT count reported after 1st notification

v 1.1.9.4
=====================================================================
+ XBL protection compatible with extensions using XMLHttpRequest from
  a content-triggered event handler (e.g. Book Burro or PriceDrop)

v 1.1.9.3
=====================================================================
+ non-destructive cross-site XBL protection (handles the same case as
  https://bugzilla.mozilla.org/show_bug.cgi?id=387971)
x Better edge-case handling in invisible links detection (thanks
  Alexander Nikkta)

v 1.1.9.2
=====================================================================
+ Pre-scan optimization for unicode-escaped ASCII in InjectionChecker
+ Better compatibility with URLs containing HTML entities

v 1.1.9.1
=====================================================================
x Work-around for Minefield content policy / DOM interaction
  regression (thanks mmortal03)

v 1.1.9
=====================================================================
x Extra QA for release
+ Menu rendering speed optimizations
+ Emulated TLD Effective service up to 100x speedup
+ InjectionChecker performance up to 50x speedup (thanks therube)
+ Fixed leak regression from 1.1.8.3 redirection handling refinements
  (thanks L. David Baron)
x Fixed Firefox notifications not shown if NoScript notifications
  were suppressed (thanks gecco)

v 1.1.8.9
=====================================================================
x Fixed content-blocking regression (thanks L.A.R. Grizzly)

v 1.1.8.8
=====================================================================
x Better Google Toolbar compatibility (thanks brandonksu)

v 1.1.8.7
=====================================================================
+ More consistent and compatible bottom notification bar

v 1.1.8.6
=====================================================================
+ "Notifications" option to change message bar automatic hiding delay
x Fixed multiple profile problems on SeaMonkey (thanks therube)
x Fixed incompatibility with Translation Panel and other extensions
  (regression from 1.1.8.5 beta)

v 1.1.8.5
=====================================================================
+ Improved HTML attribute injection checks (thanks Gareth Heyes)
+ More flexible noscript.forbidXBL about:config preference:
  0 - allow all XBL
  1 - allow trusted and data: (Fx 3) XBL on any site
  2 - allow trusted and data: (Fx 3) XBL on trusted sites
  3 - allow only trusted XBL on trusted sites
  4 - allow only trusted XBL from the same site or chrome (default)
  5 - allow only chrome XBL

v 1.1.8.4
=====================================================================
x Fixed installation issue on SeaMonkey 

v 1.1.8.3
=====================================================================
+ The "noscript.tempGlobal" about:config preference causes the 
  "Globally Allow" status to be revoked at the end of each session 
  (thanks chconnor and Alan Baxter for suggestion)
+ The "noscript.lockPrivilegedUI" about:config preference blocks
  Error Console and DOM Inspector (useful in locked down setup to 
  prevent preferences from being unlocked by user's chrome JS code)
+ More reliable base domain recognition
+ Switch to nsIEffectiveTLDService on Gecko >= 1.9 (Firefox 3)
+ nsIEffectiveTLDService emulation on Gecko < 1.9 (Firefox 2)
x Updated translations
x Additional QA for release

v 1.1.8.2
=====================================================================
+ Friendlier IFrame handling (thanks war59312 and A. Baxter)
x Fixed Silverlight new detection scheme broken by IFrame blocking
x Fixed compatibility issue with Cooliris send link (thanks Tschua)

v 1.1.8.1
=====================================================================
+ More flexible and reliable redirection management

v 1.1.8
=====================================================================
+ Version bump for Firefox 3
+ Temporarily allow sites matching the regular expression(s) in the 
  noscript.whitelistRegExp about:config preference (thanks MaZe)
x Further QA for release
x Fixed chrome.manifest for eMusic Remote (thanks Mel Reyes)
x Fixed shorthands broken when XSS protection was off (thanks MaZe)


v 1.1.7.9
=====================================================================
+ Notify bar for jar document blocking
x Fixed GreaseMonkey's XMLHttpRequest compatibility regression
x Fixed confusing option, "Forbid other plugins" shouldn't imply
  forbidding Java, Flash and Silverlight.


v 1.1.7.8
=====================================================================
+ JAR uris are forbidden from loading as documents by default, see
  http://noscript.net/faq#jar for details
+ Block untrusted XBL (thanks Sirdarckcat for inspiration)
x Various IFrame blocking refinements

v 1.1.7.7
=====================================================================
x Fixed installation problems with addons.mozilla.org automatic 
  update

v 1.1.7.6
=====================================================================
+ srv.br "special" TLD (thanks Rodrigo Ristow Branco)
+ Better protection against "setter" based XSS vectors and encoded
  "name" payloads (thanks RSnake, Sirdarckcat and Kuza55, see 
  http://ha.ckers.org/blog/20071104/owning-hackersorg-or-not/ )
+ Improved hidden links management, preserves original body CSS 
  attributes when possible (thanks mdots)

v 1.1.7.5
=====================================================================
x wyciwyg support for IFRAMEs

v 1.1.7.4
=====================================================================
+ new noscript.forbidIFramesContext about:config option controls
  if actually enforcing IFRAME blocking depending on the parent page:
  0 -- block always
  1 -- block if parent is in a different site (default)
  2 -- block if parent is in a different domain
  3 -- block if parent is in a different 2nd level domain
+ Minefield version bump (0.3.0a9pre)
x XSideBar keyboard shortcut compatibility (thanks Philip Chee)

v 1.1.7.3
=====================================================================
x Work-around for hidden link detection being triggered by some CSS
  reporting offsetHeight 0 for anchors (thanks Gerrit Heeres)

v 1.1.7.2
=====================================================================
+ Object placeholders' minimum size set to 32x32 for visibility
+ Object placeholder override for Microsoft® Silverlight™
x Fixed "Forbid IFRAME" blocking also Flash (thanks niko322)
x Fixed "Forbid IFRAME" blocking also regular frames (thanks ievans)
x Fixed IFRAME in place activation shouldn't reload parent page

v 1.1.7.1
=====================================================================
+ New "Plugins/Forbid IFRAME" option per Gareth Heyes' and Om's 
  request, see http://sla.ckers.org/forum/read.php?13,15701,15840
x Fixed logic inconsistency between "Plugins/Forbid xyx" and
  "Plugins/Forbid other plugins" (thanks Kadeos);
x Fixed overzealous behaviour of JS link detection (thanks Kadeos and
  plu for reporting)

v 1.1.7
=====================================================================
+ Further QA for release
+ Improvements in script redirection management

v 1.1.6.27 (1.1.7RC2)
=====================================================================
+ New "Forbid Web Bugs" option in the Advanced/Untrusted panel
x Fixed startup "sudden death" issue (thanks Alan Baxter)

v 1.1.6.26 (1.1.7RC1)
=====================================================================
+ Moved plugin content options to a new top-level "Plugins" tab
+ New "Plugins/Forbid Microsoft® Silverlight™" option, enabled by 
  default like "Plugins/Forbid Java™"
+ New "Plugins/Apply these restrictions to trusted sites too" option
+ Enhanced sensitivity for the JS URL detection feature
+ New "jsredirectForceShow" option to always display JavaScript-only
  navigation URLs at the bottom of pages, no matter what the visible
  content is (per timeless' RFE)
+ UTF-8 escaping awareness for InjectionChecker pre-syntax evaluator
+ Arabic (thanks Nassim Dhaher)
+ Indonesian (thanks regfreak)
+ Experimental Intel MidBrowser support
+ Experimental preference locking support (look at the mozilla.cfg 
  sample inside the XPI for details)
x Fixed meta-refresh notification failing to appear sometimes
x Cleanup of the counter-measures against Sirdarckcat's redirected 
  script trick (available for Fx >= 2.0 only) with user feedback
x Fixed full address no longer shown in allowing menu for numeric IP
  or TCP-IP explicit port URLs (thanks blahhhy for report)
x noscriptOptionsWidth entity to localize option dialog size

v 1.1.6.25
=====================================================================
+ Fix for Sirdarckcat's JS redirection trick

v 1.1.6.24
=====================================================================
+ Fixed XSS notification infobar not showing

v 1.1.6.23
=====================================================================
+ Work-around for Daily Dilbert extension's CSS bug hijacking status
  bar icons (thanks gumble and Archaeopterix for reporting)

v 1.1.6.22
=====================================================================
x Fixed toolbar icon breaking when "Scripts Globally Allowed" and no
  script found in page (thanks Claus Valca and Gecco for reporting)

v 1.1.6.21
=====================================================================
x Fixed infobar icon not always properly updated upon tab-switching
  (regression from 1.1.6.20 feedback fix)

v 1.1.6.20
=====================================================================
x Fixed inconsistent status icon feedback (thanks Alan Baxter)

v 1.1.6.19
=====================================================================
x Fix for the massive breakage on Mozilla trunk caused by landing of 
  the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=377696
  (thanks Quarantine and Peter(6) for reporting)

v 1.1.6.18
=====================================================================
+ noscript.safeJSRx preference allows specifying a regular expression 
  matching statements allowed in a top-level javascript: URL. Default 
  value allows sessionstore prompt javascript:window.close() trick
  (http://forums.mozillazine.org/viewtopic.php?p=3033780#3033780)

v 1.1.6.17
=====================================================================
+ Smarter JS link fixing on untrusted sites (thanks timeless)
+ Smarter allowable sites detection/reporting if domain tricks are
  being used.
x Fixed CTRL+Enter address bar SeaMonkey feature (thanks blindtrust)
x Fixed conflict with SiteAdvisor tooltips

v 1.1.6.16
=====================================================================
x Fixed noscript.forbidChromeScripts preventing RSS subscribe UI from
  working: browser packages are whitelisted by default, extensions
  and other chrome packages can be optionally whitelisted adding a 
  noscript.forbidChromeExceptions.packageName preference set to true,
  and the noscript.forbidChromeScripts preference defaults to false
  now, since Bug 292789 couldn't do any harm unless some extension 
  does very stupid things.
x Fixed incompatibility with the BookmarksHome extension

v 1.1.6.15
=====================================================================
+ Support for keyword-driven bookmarklets on untrusted pages (thanks
  Mike Rocker and therube for report/request)
+ noscript.forbidChromeScripts preference (true by default), prevents 
  script tags in content (non chrome:/resource:/file:) documents from
  referencing chrome: scripts, see
  https://bugzilla.mozilla.org/show_bug.cgi?id=292789
x Fix for fast reload not working on Minefield

v 1.1.6.14
=====================================================================
x Work-around for a reload problem caused by Firekeeper 0.2.11
x Version bump for Minefield

v 1.1.6.13
=====================================================================
+ Enhanced the "multi-port shorthand" feature to accept "*" wildcard
  for subdomains, e.g. "http://*.google.com:0" matches every http 
  google subdomain with any port number (thanks Dave Faraldo for RFE)
+ Added a "noscript.fixURI.exclude" about:config preference where
  protocols which should not be escaped by NoScript can be specified
  as a space-separated list (thanks therube for inspiration)

v 1.1.6.12
=====================================================================
+ URI Validator facility for on-demand protection against URI-based
  exploits. You can add your uri-validator anchored regular
  expressions as an about:config preference named like
  "noscript.urivalid.protocolname" to validate the URI substring
  immediately following scheme + colon (see the noscript.urivalid.aim 
  pre-configured example entry)
x Minor change in query string parser, it doesn't drop "="-split
  chunks exceeding the first two anymore

v 1.1.6.11
=====================================================================
+ Optional blocking of tracking images (also known as "Web Bugs")
  embedded inside NOSCRIPT tags: it can be enabled through the
  noscript.blockNSWB about:config property (thanks lakrids/Arimfe)

v 1.1.6.10
=====================================================================
x Fixed extension conflict leading to javascript: links not opening 
  under some circumstances (thanks england and haklin)

v 1.1.6.08
=====================================================================
x Fix for popup content loaded in the opener window regression (from
  mail/news exploitation protection)

v 1.1.6.07
=====================================================================
x Further refinement of URL protocol handler protection to cope with
  special configuration-depending cases with mail/news protocols 
  (not affecting SeaMonkey) - thanks Rios and McFeters for generic
  PoC, thanks Darkdata for specific test case

v 1.1.6.06
=====================================================================
x Early protection against URL protocol handling exploitation (see
  http://tinyurl.com/37o23j and Mozilla bug 389106)
x Fix to ampersand being sometimes escaped by anti-XSS filters

v 1.1.6.05
=====================================================================
+ Protection against UTF-7 encoded XSS attacks
x Improved plugin content blocking in background tabs
x Better XSS query string processing preserves "exotic" patterns

v 1.1.6.04
=====================================================================
+ Smarter Anti-XSS filters allowing non-latin characters
x Kill duplicates in "Partially allowed" statistics
x Switched to getDefaultBranch() for volatile CAPS preferences in
  order to grant a clean "Safe Mode" even after Firefox crashes 
  (thanks Benjamin Smedberg for suggestion)

v 1.1.6.03
=====================================================================
+ Allowed sites and partial counts in the infobar when scripts are
  "Partially allowed" (timeless suggestion)
+ Window.name payload attacks neutralization
x Fixed over-optimization of JS detection relying on syntax errors
x Fixed "Allow" button shortcut not working in NoScript Options

v 1.1.6.02
=====================================================================
x Fixed "Unresponsive Script" on specific complex URL patterns
  (many thanks to Sue Petersen)

v 1.1.6.01
=====================================================================
x Fixed "Clear private data" window not closing if you hit "OK" on
  browser exit with Firefox < 3.0 (thanks VT for first report)

v 1.1.6
=====================================================================
+ "Light" injection checks are enabled also with "Scripts Globally
  allowed" (notice that allowing scripts globally is still a very bad 
  idea, since POST injections and other XSS attacks launched using 
  JavaScript, Java or Flash are virtually undetectable)
x Better XSS notification/UI feedback on partial loads
x Depth limit to URL decoding
x Extra QA for public release
x Work-around for JS Development Environment scoped evaluation being
  blocked by noscript.safeToplevel feature

v 1.1.5.07
=====================================================================
x Extra QA and optimization for very complex URLs

v 1.1.5.06
=====================================================================
x Huge performance and accuracy enhancement in injection detector
x Bookmarklet bypass for Minefield Places (thanks Hwasung Kim)

v 1.1.5.05
=====================================================================
+ Smarter injection detector for trusted to trusted requests
x Fixed "this.docShell has no properties" issue (many thanks therube)
x Fixed external URLs not opening in IETab (thanks chili1)

v 1.1.5.04
=====================================================================
x Fixed traceback regression skipping checks on permissions change 

v 1.1.5.03
=====================================================================
x Fixed XSS notification message bar not showing sometimes

v 1.1.5.02
=====================================================================
x More accurate origin detection on META refresh

v 1.1.5.01
=====================================================================
+ XSS character-level filter enhancements
+ Notifications for Flash-based XSS too 

v 1.1.5
=====================================================================
x Removed about:neterror from the permanent non-deletable whitelist
  (for the super-paranoids, thanks Aerik)
x Minor bug fix, anti-XSS notification bar skipped when an URL nested
  in a query string gets sanitized
x Extra QA for public release

v 1.1.4.9.070627
=====================================================================
+ Added "0" shorthand to match all *explicit* IP ports on the same 
  protocol/host, e.g. http://acme.com:0 matches http://acme.com:8080
  and http://acme.com:9999, but neither https://acme.com:8080 nor
  http://acme.com
+ Partial numeric IPv4 are matched up to the 2nd leftmost byte, e.g.
  "192.168" matches 192.168.0.22 and "10.0.0" matches 10.0.0.33
x Minor cosmetic tweaks to XSS notifications threshold
x Improved reload on permissions change

v 1.1.4.9.070624
=====================================================================
+ Optimization of active counter-measures
x Additional QA for public bug fixing automatic update

v 1.1.4.9.070623
=====================================================================
+ More lenient yet the safest XSS filters
x Fixed a leak happening when a secondary browser window is closed

v 1.1.4.9.070622r3
=====================================================================
x Fixed some popup not closing issue (thanks Angelo Dicerni)

v 1.1.4.9.070622r2
=====================================================================
x Fixed issue with usernames embedded in home page (thanks england)

v 1.1.4.9.070622r1
=====================================================================
x Fixed incompatibility with certain malformed Ebay search URIs
  (thanks to Marc Van Buggenhout for reporting)
  
v 1.1.4.9.070622
=====================================================================
+ Full Anti-XSS protection for every trusted URL opened from external
  applications
+ Protection against all the currently known cross-browser exploits
  targeting Firefox

v 1.1.4.9.070621
=====================================================================
+ Additional checks for toplevel windows (thanks dveditz)
x Work-around for interference of some tab-related extension with
  external URL interception

v 1.1.4.9.070620
=====================================================================
+ Protection against so called "Universal XSS" through JS URLs opened
  by external applications, as explained in 
  http://www.xs-sniper.com/sniperscope/IE-Pwns-Firefox.html 

v 1.1.4.9
=====================================================================
+ noscript.injectionCheck about:config option adds first-line 
  detection for XSS injections in GET requests originated by 
  whitelisted sites and landing on top level windows. Value can be:
    0 - never check
    1 - check cross-site requests from temporary allowed sites
    2 - check every cross-site request (default)
    3 - check every request
+ noscript.jsredirectIgnore about:config option enables/disables
  the new "Detect and show JavaScript redirections" feature
+ noscript.jsredirectFollow about:config option enables/disables
  auto-following if a single redirect is detected on a textless page
x "Allow top level sites by default" won't affect sites that have 
  been manually forbidden during the current session (to make
  this exception permanent, mark the site as untrusted)

v 1.1.4.8.070618
=====================================================================
+ New placeholders for plugin content can be right clicked as any 
  "regular" link, e.g. to "Save Link As..." or "Copy Link Location"
+ Placeholders for plugin content are rendered real-time during load
+ Experimental detection of JavaScript redirections (thanks timeless)
x Fixed glitch in plugin replacement with JS enabled (thanks lulu135)

v 1.1.4.8.070617
=====================================================================
x Fixed untrusted blacklist import bug (thanks MZFuser)

v 1.1.4.8.070606
=====================================================================
+ edu.tw special TLD (thanks twocs)
+ New noscript.autoReload.global about:config preference controls if 
  automatic reload affects global allow / forbid (thanks lulu135)
+ New noscript.autoReload.allTabs about:config preference controls if
  automatic reload affects all or just current tab (thanks lulu135)

v 1.1.4.8.070602
=====================================================================
x Removed console error message on document unload in SeaMonkey

v 1.1.4.8.070530
=====================================================================
x Fixed toggle shortcut regression (thanks therube)

v 1.1.4.8.070529
=====================================================================
x Automatic fixup of trailing dot domains, replacing them on the
  fly with their canonical name (thanks fartron and timeless)
+ "in.th" special TLD (thanks Kridsada)
x Fixed minor notification glitches in Fx 1.5 (thanks arete7)

v 1.1.4.8.070528
=====================================================================
x Performance optimization of options dialog closure for long 
  whitelists used in conjunction with long blacklists (thanks arete7)
x Automatic notification hiding for background tabs (thanks arete7)

v 1.1.4.8.070523
=====================================================================
x Improved notification consistency with back-forward navigation
x Better compatibility with Google Desktop Search and Paypal email
  notifications

v 1.1.4.8.070522
=====================================================================
+ "org.uy", "net.uy" and "edu.uy" special TLDs (thanks Mauricio)
x Nicer url randomization
x Improved notification on nested URL XSS sanitization
x Fixed external load request detection failing "randomly" in some 
  setups (regression from the IETab incompatibility work-around) 

v 1.1.4.8.070521
=====================================================================
x Fixed regression from bug 53901 work-around, "Mark as untrusted
  menu" not working anymore (thanks Ricky Ridgdill)

v 1.1.4.8.070520
=====================================================================
x Resolved 070509 conflict with IETab + Tab Mix Plus causing some 
  tab-diverted links to open in new windows (thanks to Nuttysman, 
  niko322, Alan Baxter)

v 1.1.4.8.070514
=====================================================================
x Sanitized URI randomization (thanks kuza55 for inspiration)
x *Fast* reload also with fragment URI (thanks Martin Focke)

v 1.1.4.8.070513
=====================================================================
x Fixed last minute regression slipped in Anti-XSS GET filter (some 
  suspicious query strings entirely removed, rather than sanitized) 

v 1.1.4.8.070512
=====================================================================
+ Appearance Option to show/hide "Allow" menu items (thanks mamas6667)
x Updated locales (cs-CZ, en-GB, pl-PL)

v 1.1.4.8.070511
=====================================================================
x Fixed "black boxes" glitch on page unload (thanks jdopple)
x Fixed XSS exceptions must allow blank value (thanks Martin Focke)
x Fixed reloading URLs with hash (thanks Martin Focke)
x Work-around for Minefield bug displaying wrong labels on cloned 
  menu items (thanks Itsnow)
x Fixed regression, menu popup not shown by keyboard shortcut when 
  both toolbar button and status bar element are hidden (thanks
  niko322)

v 1.1.4.8.070509
=====================================================================
+ noscript.xss.trustExternal about:config preference controls if  
  anti-XSS filters should be bypassed for URLs opened from external
  applications like email clients (default false)
+ noscript.xss.trustTemp about:config preference controls if anti-XSS
  should be bypassed if URLs are opened from "temporary allow"ed 
  sites (default true, thanks Salim for suggestion)
x Wikipedia default XSS exception tweaked to include apostrophes in
  titles (thanks Alan Baxter for report)

v 1.1.4.8.070505
=====================================================================
x Better compatibility with Google Toolbar's translation service

v 1.1.4.8.070502
=====================================================================
x Fixed Linux Flash blocking crash when placeholders are active
  (thanks mastro for report)
x (Hopefully) Last bug fix in referrer XSS sanitization (thanks
  Alan Baxter)

v 1.1.4.8.070501
=====================================================================
x Further bug fix in referrer XSS notification template

v 1.1.4.8.070430
=====================================================================
x Localization updates and release QA

v 1.1.4.8.070429
=====================================================================
+ Shortcut to show NoScript menu works even if status bar icon and
  toolbar button are both hidden
x Fixed "Options..." button not working if status bar hidden (thanks
  napiertt and joymus)
x Fixed regression in XSS notifications due to 070427 fix (some XSS
  suspicious requests were silently cancelled, rather than sanitized
  and notified)
x Fixed "empty Untrusted menu" (thanks niko322)

v 1.1.4.8.070428
=====================================================================
x Fixed using keyboard shortcut always shows status icon
x Fixed closing toolbar button menu always shows status icon 

v 1.1.4.8.070427
=====================================================================
x Fixed referrer sanitization glitch (thanks Alan Baxter)

v 1.1.4.8.070426
=====================================================================
x Fixed Refresh Blocker and Tab Mix Plus redirection permissions 
  incompatibility (thanks tabasco.kfarmer and Mc)
x Fixed SeaMonkey "removed content" placeholder (thanks therube)
x Fixed SeaMonkey "Reset" button placement (thanks Phil Chee)

v 1.1.4.8.070425
=====================================================================
+ Experimental "noscript.contentBlocker" about:config preference
  to block Java, Flash and other plugins in whitelisted sites as well
x Fixed bug in toolbar button Untrusted submenu (thanks Steve1000)
x Better XSS management on whitelisting automatic reloads (XSS checks 
  for whitelisting reloads can be disabled by toggling off the 
  "noscript.xss.trustReloads" preference in about:config)

v 1.1.4.8.070424
=====================================================================
+ "Reset" command in Options Dialog resets options to their default
  values (thanks Frank Myers)
+ Always bypass cache on XSS Unsafe Reload (thanks Jussi Lahtinen)
+ Serbian translation (thanks Ivan Pesic)
x Improved Wikipedia XSS exception

v 1.1.4.8.070423
=====================================================================
+ Lithuanian (thanks Mindaugas Jakutis)
x Additional localization updates and minor fixes

v 1.1.4.8.070422
=====================================================================
+ Forbid META redirection inside NOSCRIPT element in SeaMonkey too
+ XSS notifications for Fx 1.5 too
+ XSS status bar icon appears when XSS activity is detected:
  left/right click opens XSS menu, middle click hides icon
+ META redirection bar icon appears when needed: 
  click follows redirection once, shift+click remembers for session, 
  middle click hides icon
x Fixed a regression (070420 only) with Import/Export buttons broken
x Fixed toolbar button removal messing with other NoScript menus
  (thanks niko322 for report)
x Fixed file:// URL item not showing anymore regression
  (thanks Shingoshi for report)
x Fixed regression in Option Dialog: removing from whitelist didn't 
  work if you applied to just one site (multiple batch did work) -
  thanks Alan Baxter for report

v 1.1.4.8.070420
=====================================================================
x Fixed "Forbid other plugins implies Forbid Flash" - thanks Dwedit
x Fixed Options dialog issues with Fx 1.5

v 1.1.4.8
=====================================================================
x Minor improvements in XSS exceptions regular expression parsing
x Fixed last-minute SeaMonkey breakage (many thanks therube!!!)

v 1.1.4.8RC3 (1.1.4.7.070420.1)
=====================================================================
x Further refinement in XSS filters (thanks niko322)

v 1.1.4.8RC2 (1.1.4.7.070420)
=====================================================================
x Fixed 2nd level domain toggle option (thanks therube)
x Fixed multi-window feedback synchronization (thanks lakrids)

v 1.1.4.8RC1 (1.1.4.7.070419)
=====================================================================
+ Option to block META refresh inside NOSCRIPT elements: a prompt
  will be shown asking if you want to follow the redirect, and
  choice will be remembered across the current session
  (noscript.forbidMetaRefresh.remember preference, dismissing the 
  notification with its close button means "keep blocked")
  thanks rsnake and Alan Baxter for suggestion (Firefox 2 only)
+ "XSS-Unsafe Reload" menu item in the XSS notification bar popup
+ "XSS FAQ" menu item in the XSS notification bar popup
+ noscript.xss.notify.subframes about:config preference to control 
  notification for XSS in subframes (default false, suppressed)
+ Option to toggle sites by (2nd level) domain, rather than full URL
x Default "Show NoScript menu" shortcut changed to Ctrl+Shift+S
  (Ctrl+Shift+X conflicting with "change direction" Firefox command)
x moved "Show Console" from XSS notify button to an "Options" popup
x Options Dialog reorganization
x Right click on toolbar button and status bar elements opens menu
x Mass-removal speedup in Options Dialog|Whitelist

v 1.1.4.7.070414
=====================================================================
+ Finer grained treatment for data: and javascript: urls in frames,
  whose domain is considered the one of the nearest window ancestor
  having a meaningful web address (thanks to Vectorspace for his
  suggestion)

v 1.1.4.7.070413
=====================================================================
+ "noscript.globalwarning" about:config hidden preference controls
  whether a warning prompt should be issued or not whenever user
  switches on scripts globally (true by default)
x Improved Anti-XSS Protection compatibility with some message boards
  (special thanks to Aerik and Olaf Schweppe)

v 1.1.4.7
=====================================================================
+ First "official" anti-XSS release
+ New plugin content detection algorithm defeats latest aggressive 
  Flash cloaking strategies (e.g. http://www.hardocp.com/ )
+ Improved subframe detection, includes object elements (e.g.
  http://www.operamini.com/demo/ )
+ Improved fast reload, preserving form input data.
+ Minefield full compatibility

v 1.1.4.6.070409
=====================================================================
x Fixed weird intermittent interference with dynamic JavaScript 
  inclusion via document.write() used by some JavaScript libraries 
  (e.g. Prototype, Dojo or Tiny-MCE)

v 1.1.4.6.070404
=====================================================================
x Drastic reduction of XSS redirection-related false positives

v 1.1.4.6.070325
=====================================================================
x Fixed regression, leak happening on window closure (10x pirlouy)
x Fixed regression, file:// entries missing from menus (10x therube)

v 1.1.4.6.070322
=====================================================================
+ Safer behaviour on reloading/whitelisting an XSSed page

v 1.1.4.6.070321
=====================================================================
+ XSS sanitization of the whole request URL
+ XSS sanitization of the referrer URL
+ XSS filters exceptions for some "trusted" addresses requiring 
  cross-site complex query strings (controlled by a regexp in the
  noscript.filterXExceptions hidden preference, defaults to Google 
  search and Yahoo search)
+ Better general search engine compatibility with anti-XSS filters
x Several performance optimizations

v 1.1.4.6.070318
=====================================================================
+ First anti-XSS countermeasures round: "default deny" sanitization
  is applied to every request coming from an unknown (restricted) 
  site and landing on a trusted (scripting allowed) site:
  1. GET requests with a query string get all the matches for the
     noscript.filterXGetRx regular expression replaced with space
  2. POST requests are turned into no-data GET
  3. Every request filtering action is logged to the Console, while a
     short notification is issued through the info-bar* (if enabled)
     *Info-bar notifications require Fx 2.0 or above
  Behaviours 1 and 2 can be controlled from NoScript Options|Advanced
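
The three filtering steps listed for 070318, as an added sketch that is not NoScript's own code. The regular expression is a constructed stand-in for noscript.filterXGetRx (its real default is not given in this changelog), and the trusted-site list, function names and sample requests are hypothetical.

```javascript
// Added illustration of the 1.1.4.6.070318 request filter; NOT NoScript code.
// FILTER_X_GET_RX is a constructed stand-in for noscript.filterXGetRx, whose
// real default does not appear in this changelog.
const FILTER_X_GET_RX = /[<>"'()]/g;

// Hypothetical whitelist: sites where scripting is allowed.
const TRUSTED = new Set(["bank.example", "mail.example"]);

function isTrusted(urlString) {
  try {
    return TRUSTED.has(new URL(urlString).hostname);
  } catch (e) {
    return false; // missing or unparsable address counts as unknown (assumption)
  }
}

// Step 1 helper: replace every match of rx in one query component with a
// space. Matching runs on the percent-decoded text (assumption of this
// sketch) so that "%3C" is caught as well as "<". Untouched components are
// returned byte-for-byte to avoid rewriting harmless URLs.
function cleanComponent(part, rx) {
  let decoded;
  try {
    decoded = decodeURIComponent(part.replace(/\+/g, " "));
  } catch (e) {
    decoded = part; // malformed escape: filter the raw text instead
  }
  if (decoded.search(rx) < 0) return part;
  return encodeURIComponent(decoded.replace(rx, " "));
}

function sanitizeQuery(query, rx) {
  return query
    .split("&")
    .map((pair) => pair.split("=").map((p) => cleanComponent(p, rx)).join("="))
    .join("&");
}

// request: { method, url, origin, body }. Returns the request to send and the
// console log lines (step 3). Only unknown -> trusted traffic is filtered.
function filterRequest(request, rx = FILTER_X_GET_RX) {
  const rxAll = rx.global ? rx : new RegExp(rx.source, rx.flags + "g");
  const out = {
    method: request.method.toUpperCase(),
    url: request.url,
    body: request.body ?? null,
  };
  const log = [];
  if (isTrusted(request.origin) || !isTrusted(request.url)) {
    return { request: out, log };
  }
  if (out.method === "POST") {
    // Step 2: drop the payload entirely rather than trying to clean it.
    out.method = "GET";
    out.body = null;
    log.push("[filter] POST turned into no-data GET: " + request.url);
  }
  // Step 1: the fragment is left alone; only the query string is filtered.
  const hashAt = out.url.indexOf("#");
  const head = hashAt < 0 ? out.url : out.url.slice(0, hashAt);
  const fragment = hashAt < 0 ? "" : out.url.slice(hashAt);
  const queryAt = head.indexOf("?");
  if (queryAt >= 0) {
    const cleaned = head.slice(0, queryAt + 1) +
      sanitizeQuery(head.slice(queryAt + 1), rxAll) + fragment;
    if (cleaned !== out.url) {
      log.push("[filter] query sanitized: " + out.url + " -> " + cleaned);
      out.url = cleaned;
    }
  }
  return { request: out, log };
}

// Constructed sample traffic.
const demo = [
  { method: "GET", origin: "https://forum.example/t/1",
    url: "https://bank.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=2" },
  { method: "POST", origin: "https://forum.example/t/1",
    url: "https://mail.example/compose", body: "to=a&msg=hi" },
  { method: "GET", origin: "https://bank.example/home",
    url: "https://bank.example/search?q=<b>" },
];
for (const r of demo) console.log(JSON.stringify(filterRequest(r)));
```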

v 1.1.4.6.070317
=====================================================================
x Customizable keyboard shortcuts (about:config - noscript.keys.*) 
x Quick toggle (by shortcut or toolbar) behaviour changed to 
  *Temporarily* Allow / Forbid (old behaviour can be restored by
  setting the about:config noscript.toggle.temp pref to false) 

v 1.1.4.6.070316
=====================================================================
+ Super fast reloading after toggling permissions
+ Hebrew (thanks to Asaf Bartov)
x removed mozillazine.org and mozilla.org from the default list 
  (thanks Wladimir Palant)

v 1.1.4.6.070307
=====================================================================
x Further improvement in Higmmer patch

v 1.1.4.6.070305
=====================================================================
x Fixed a resource deallocation issue (thanks Higmmer)
x Fixed a potential slowdown on startup

v 1.1.4.6.070304
=====================================================================
+ Added many ".id" special TLDs (thanks FatMan)
x Fixed localization-related bugs
x Other minor bug fixes

v 1.1.4.6.070302
=====================================================================
x Fixed a regression in the "Export" functionality
x Added a couple of about:config options (noscript.keys.*) to disable 
  keyboard shortcuts: just blank their values. Notice: changing the
  option value to a different key is possible, but it doesn't 
  actually work (yet?)

v 1.1.4.6
=====================================================================
x Stable "blacklist" release
+ Vietnamese (thanks tonynguyen)
+ Galician (thanks roebek)

v 1.1.4.5.070222
=====================================================================
x Fixed a "Mark as untrusted" menu item bug

v 1.1.4.5.070210
=====================================================================
x Fixed a bug affecting some locales on Mozilla/SeaMonkey/Fx 1.0

v 1.1.4.5.070207
=====================================================================
x "Forbid" doesn't mark the site as untrusted by default anymore (old
  behaviour can be restored via "noscript.forbidImpliesUntrust" pref)

v 1.1.4.5.070127
=====================================================================
+ Experimental blacklist ("Mark as untrusted" + "Untrusted|Allow")
+ Global shortcut toggling top level status: "CTRL + SHIFT + \"
+ Global shortcut to NoScript menu: "CTRL + SHIFT + X"
+ Extra control on NOSCRIPT elements rendering
+ "Allow Globally" menu item is optional now (shown by default)
+ "Link Local Files" optional permission for trusted sites
+ "noscript.excaps" hidden pref for CAPS conflicts resolution (e.g.
  with Google Toolbar and other Google extensions)
+ "Temporarily allow top-level sites by default" new preference 
  (not advised and disabled by default)
+ Menu items referring to current location are highlighted in bold
+ New preference in Options|General controls toolbar button reaction
  to left click (default none, optional toggles top level status)
+ net.uk, com.uk and org.uk pseudo TLDs

v 1.1.4.5.061231
=====================================================================
x Fixed "cancel with non-failure status code" assertion

v 1.1.4.5.061221
=====================================================================
+ Minefield (3.0a2) support
+ Fixed plugin placeholder trunk issue (thanks timeless for report)
+ *.ua "special" TLDs (thanks Devan Chetty)

v 1.1.4.5.061206
=====================================================================
+ Added org.in and co.sy to the "special" TLDs list
x Fixed some bookmarklet quirks (not in trunk, though)
x Fixed a bug in "uk.xyz" special TLDs management

v 1.1.4.5.061030
=====================================================================
x Minefield fix: feedback during/after document loading (bug 335251)
x Minefield fix: bookmarklet on the fly enablement (bug 351633)

v 1.1.4.5.061021
=====================================================================
x Fixed title changes lost on some pages
x Restored Flock compatibility

v 1.1.4.5
=====================================================================
+ Some user interface tweaks in the Options UI
+ Several optimizations
x Fixed XML issue
x Fixed BFCache side-effects on certain pages
x Fixed a timing bug in stand-alone plugin interception

v 1.1.4.4
=====================================================================
+ be-BY (Belarusian) thanks to DRKA 
+ JavaScript links fixing made compatible with AllPeers
+ Better interception of plugin content
x Fixed interception of xml and xhtml content
x Fixed some strict warnings (thanks to timeless)

v 1.1.4.3
=====================================================================
+ Emulated Firefox 1.0.x top-level plugin content blocking behaviour
+ uk-UA (Ukrainian) thanks to MozUA
+ th-TH (Thai) thanks to Qen
+ fa-IR (Persian) thanks to Pedram Veisi
+ el-GR (Greek) thanks to Sonickydon
+ en-GB (English GB) thanks to Ian Moody
+ hr-HR (Croatian) thanks to Krcko
x Other updated translations
x Fixed plugin content reloading bug

v 1.1.4.2
=====================================================================
+ Notifications Firefox 2+ compatible
x Fixed whitelist import bug (phantom resource:xyz entry)
x Fixed "removeLinkFixer" warning (thanks to Pablo)

v 1.1.4.1
=====================================================================
+ Left clicking on NoScript toolbar button toggles permissions for 
  current top-level site
+ Shift+Click on a Java/Flash/Object placeholder temporarily hides it
+ "Attempt to fix JavaScript links" now skips "real" hash URLs
+ Added live.com to the default whitelist (for MS webmails)
x Removed a leak caused by "Attempt to fix JavaScript links" option
x Fixed Macedonian translation

v 1.1.4
=====================================================================
+ "Allow sites opened through bookmarks" option
+ Notification delay in seconds can be changed through the
  "noscript.notify.hideDelay" about:config preference
x Removed bogus JS messages on SeaMonkey startup
x Fixed bookmarklet support to work with the new "Places" code,
  the bookmark sidebar and the bookmark manager
x Added mozilla.com to the default whitelist
x Always honour "Attempt to fix JavaScript links" option (links
  were processed anyway if "Forbid <a...ping>" was enabled)

v 1.1.3.9
=====================================================================
x Fixed temporary memory leak when loading pages containing plugins
  (many thanks to Steve England)
x JavaScript links should not be "fixed" when scripts are globally
  allowed

v 1.1.3.8
=====================================================================
x Another emergency release to fix Babelzilla bugs with Asian
  languages (mass-reverting to 1.1.3.5 properties files to be sure).
- Removed permanent whitelist (all the web sites can 
  be forbidden from the UI, no more about:config needed)

v 1.1.3.7
=====================================================================
x Fixed some localization bugs

v 1.1.3.6
=====================================================================
+ "Fix JavaScript links" option: enabled by default, attempts to
  automatically turn JavaScript links into regular anchors on load
+ Advanced options "Allow <a ping...>" on trusted sites (defaults to
  the browser settings) and "Forbid <a ping...>" on untrusted sites 
  (default yes) give user control on the new, debated "ping" anchor 
  attribute
+ New hidden (about:config) boolean preference "noscript.consoleDump"
  controls if blocked contents must be logged to the console (false
  by default)
+ Slovak (thanks to Slovak Soft)
+ Romanian (thanks to Ultravioletu)
+ Hungarian (thanks to LocaLiceR)
+ Chinese Traditional (thanks to Chiu Po-Jung)

v 1.1.3.5
=====================================================================
+ "Truncate title" option: enabled by default, even on whitelisted
  sites, is a quick & dirty work around for Firefox DOS bug 319004
+ "com.xy" 2nd level domains are always considered special TLDs
+ Other special TLDs added
x Fixed "Forbid other plugins" semantics: Java and Flash should
  remain allowed unless their specific "Forbid" option is flagged.
x Fixed Portuguese locale bug

v 1.1.3.4
=====================================================================
+ Flock support
+ Finnish (thanks to Mika Pirinen)
+ Norwegian bokmål (thanks to Håvard Mork)

v 1.1.3.3
=====================================================================
+ Placeholder icon can be hidden (NoScript Options|Advanced)
+ Message bar notifications can be set to go away automatically after 
  5 seconds
+ Bulgarian (thanks to Georgi Marchev)
+ Simplified Chinese (thanks to George C. Tsoi)
+ Russian (thanks to Alexander Sokolov)
+ Turkish (thanks to Engin Yazılan)
x Best effort XPCOM auto registration on Mozilla Suite installation
x Minor menu formatting glitches removed
x Some about:xxx URLs added to the default whitelist

v 1.1.3.2
=====================================================================
+ Bookmarklet support. It allows JS on current page just for the
  bookmarklet execution lifespan. If you don't want or don't need it,
  turn on "NoScript Options|Advanced|Forbid Bookmarklets"
x Fixed right-click status label crash affecting pre-1.8 browser.
  Now status label context menu works on Mozilla and Firefox 1.0.x
  too.

v 1.1.3.1
=====================================================================
+ Option to skip confirmation when temporarily unblocking objects
+ Optional status bar label (with Firefox-only context menu)
+ Support for Unicode domains
x Work-around for Firefox bug #307678 (dialogs freeze)
x Handle about:neterror and about: (help) "always allowed" exception 

v 1.1.3
=====================================================================
+ Toolbar button
+ Java/Flash/Plugin content can be temporarily allowed (for the
  current tab) with a left click on its placeholder 
+ Further optimizations in site matching
+ Japanese (thanks to beerboy)
+ Polish (thanks to Lukasz Biegaj)
+ Catalan (thanks to Joan-Josep Bargues)
+ Czech (thanks to Petr Jirsa)
x Bug fix: "Allow JavaScript Globally" didn't affect Java, Flash and
  Plugin immediately

v 1.1.2.20050901
=====================================================================
x Bug fix: temporarily allowed sites were not removed if no
  permission change happened in the following session

v 1.1.2
=====================================================================
+ Java/Flash/Plugins blocking works in Mozilla Suite / SeaMonkey too
+ Huge performance (up to 100x) improvements in policy matching
+ More consistent temporary sites handling (allowing a temporary
  domain while subdomains are allowed, now forbids ancestors of that
  domain but not its subdomains anymore on restart)
+ Added "ar.com" to the list of "special" TLDs
x No more "phantom" http:// and https:// entries in whitelist

v 1.1.1
=====================================================================
x Fixed sites list update synchronization bug
x Fixed Spanish locale bug


v 1.1.0
=====================================================================
+ Customizable message position, top or bottom (new default) 
+ Customizable audio sample for feedback
+ (Firefox only) Advanced options to forbid Java™, Flash® and other 
  plugins (Java™ forbidden by default, since many users don't
  know the difference between Java and JavaScript)
+ Advanced options to allow rich-text clipboard on trusted sites
+ Portuguese translation (thanks to Dario Ornelas)
x New (less ambiguous) "partially allowed" icon
x Audio feedback off by default
x Statusbar icon hidden status persists across sessions
x Proper jar: scheme handling (will allow per-domain selection when
  Firefox bug preventing it is patched -
  see https://bugzilla.mozilla.org/show_bug.cgi?id=298823)
x jar: scheme can be allowed only temporarily (see above)
x No more browser activity stop after permission changes

v 1.0.9
=====================================================================
+ Temporarily allow URLs (for current session only): temporary items
  are shown in italics font
+ Clean uninstall in Deer Park
+ Added jar: to the default white-list, to allow about:plugin
  and other "special" URLs to work out-of-the-box
x Better work-arounds for Firefox synchronization bugs
x Fixed conflict when a "View Source" window was open

v 1.0.8
=====================================================================
+ Whole addresses are shown when a port number is specified, no
  matter what the Appearance options are, since enabling a domain
  doesn't enable it for non-standard ports (thanks to jayvdb for
  suggestion)
+ Stop every browser activity before changing policies (this should
  be a workaround for most crashes due to Firefox CAPS bugs)

v 1.0.7
=====================================================================
+ Notification message "popup blocker" style (Firefox only)
+ Autoreload synchronizes every view whose permissions have changed
+ Spanish translation (thanks to Alberto Martínez)
x Improved subframes management in the contextual menu
x Better UI support for "special" TLDs like co.uk, co.nz and others
x Improved support for numeric addresses
x Audio feedback with more discreet sound effect :-)

v 1.0.6
=====================================================================
+ Whitelist import/export (thanks hsmwrv for suggestion)
+ Only 2nd level (base) domains shown by default in the "Allow" menu 
  items (easier operation for non-geeks; geeks can still revert to
  the old fine grained interface using the "Appearance" options)
+ Blocked scripts audio feedback (thanks to Markus for suggestion)
+ about:config/noscript.permanent can be changed live (no FF restart)
x chrome content URLs are properly whitelisted (XUL error pages OK)
x Fixed empty permanent list problem (thanks to Patrick and Oremina 
  for report)

v 1.0.5
=====================================================================
+ "Appearance" option to hide/show popup menu and status bar icon; if
  you decide to hide both, options are still reachable through the 
  Extension Manager context menu (thanks Dick Minor for suggestion)
+ 2nd level domain trick doesn't clutter Options Dialog anymore
  (http[s]:// auto-prefixed domains are hidden in whitelist)
x Fixed menu layout (thanks to TheOneKEA for report)

v 1.0.4
=====================================================================
+ Automatically creates http:// and https:// prefixed URLs when a 2nd
  level domain (xyz.com) is allowed, as a workaround for Firefox not 
  matching URLs with a raw 2nd level domain if no protocol is listed
  (thanks to Laura for report)
+ "Allowed" status feedback for chrome:// URLs (pacanukeha)
x Core functionality refactored in a XPCOM service

v 1.0.3
=====================================================================
+ Feedback about actual presence of script elements in current page
  (white "S" icons if no script tag is found, while number of found 
  tags is shown in the tooltip - thanks to Volker for suggestion)  
+ Feedback about partial permissions in pages containing subframes
  (a broken red "stop" sign means only some frames are forbidden)
+ Events are coalesced for better performance and stability
+ Improved options dialog usability (new items are ensured visible
  and "delete" key performs mouse-less site removal)
+ Added hotmail/msn/passport domains to default whitelist (thanks to
  Swann for suggestion)
+ Added googlesyndication.com and noscript.net to permanent list ;)
x Fixed whitelist options dialog sometimes "forgetting" recently 
  added items (thanks to TheOneKEA, Bill Mayer and Bill Selden for 
  their reports)

v 1.0.2
=====================================================================
+ Option dialog shortcuts (thanks to Ulysses for suggestion)
+ French translation (thanks to Xavier Robin)
x NoScript doesn't ignore port number in URLs anymore
x Moved "Options" and "About" items to the top of status bar menu
  (thanks to Filipp0s for suggestion and for the smaller icons too)
x Added mozillazine.org and gmail.google.com to default allow list
x No duplicates in menu when multiple frames share the same
  ancestor domain (e.g. mozillazine.org)

v 1.0.1
=====================================================================
+ Contextual menu for easy operation in statusbar-less windows
+ Current page is automatically reloaded when permissions are changed
+ Support for implicit subdomain inclusion (e.g. if you add 
  mozilla.org, you allow www.mozilla.org, addons.mozilla.org etc.)
+ German translation (thanks to my friend Thomas Weber)
x Fixed localization issue
x Work around for Firefox occasional crashes

v 1.0.0
=====================================================================
First public release
