Changes since 10.1.8.16:

v 10.1.9.6

  • [TB] Gracefully handle legacy external message recipients
  • [XSS] Updated known HTML5 events
  • Better IPv6 support
  • UI support for protocol-only entries

v 10.1.9.5

  • Fix for various content script timing related issues (thanks therube for reporting)

v 10.1.9.4

  • Prevent total breakages when policies accidentally map to invalid match patterns
  • Internal messaging dispatch better coping with multiple option windows
  • Avoid multiple CSP DOM insertions

v 10.1.9.3

  • Fixed message handling regression breaking embedders and causing potential internal message loops

v 10.1.9.2

  • More efficient window.name-based tab-scoped permissions persistence
  • Fixed URL parsing bugs
  • Fixed bug in requestKey generation
  • [Build] Enhanced TLD data update subsystem
  • [UI] CUSTOM preset gets initialized with the currently applied preset, including temporary/permanent status
  • Improved internal message dispatching, avoiding potential race conditions
  • [L10n] Transifex integration
  • Work-around for DOM-injected CSP not being honored when appended to the root element, rather than HEAD
  • Transparent support for FQDNs
  • Better file: protocol support
  • Full-page placeholders for media/plugin documents

v 10.1.9.1

  • Fixed NOSCRIPT emulation not running in contexts where service workers are disabled, such as private windows (thanks Peter Wu for patch)

v 10.1.9

  • Completely revamped CSP backend, enforcing policies both in webRequest and in the DOM
  • Reload-less service worker busting
  • Removed obsoleted failsafes, including forced reloads
  • Better timing for popup UI feedback on permissions changes
  • Send out a "started" message after initialization to help embedders (like the Tor browser) interact with NoScript
  • Updated TLDs

v 10.1.8.23

  • Hotfix for reload loops before CSP management refactoring

v 10.1.8.22

  • Fixed reload loop on unrestricted tabs (thanks random for reporting)

v 10.1.8.20

  • Fixed Sites.domainImplies() misplaced optimization.
  • [L10n] Added Catalan (ca)

v 10.1.8.19

  • Fixed onResponseHeader failing on session restore because of onBeforeRequest not having been called.
  • Fixed regression: framed documents' URLs not being reported in the UI (thanks xaex for report)

v 10.1.8.18

  • More resilient and optimized Sites.domainImplies()
  • Update ChildPolicies when automatic temp TRUST for top-level documents is enabled
  • Fixed messages from content scripts being "eaten" by the wrong dispatcher when UI is open (thanks skriptimaahinen)
  • Fixed typo causing accidental permissions/status mismatches being checked only while pages are still loading (thanks skriptimaahinen)
  • Fixed typo in XSS name sanitization script injection (thanks skriptimaahinen)

v 10.1.8.17

  • Fix: Sites.domainImplies() should match subdomains
  • More coherent wrapper around the webex messaging API
  • Fixed inconsistencies affecting ChildPolicies content script auto-generated matching rules.
  • Fixed potential issues with cross-process messages
  • Simpler and more reliable safety net to ensure CSP headers are injected last among WebExtensions
  • Fixed regression causing refresh loops on pages which use type="object" requests to load images, css and other types
  • [L10n] ru and de translations
  • [XSS] Updated HTML events auto-generate matching code to use both latest Mozilla source code and archived data since Firefox ESR 52
  • New dynamic scripts management strategy based on the browser.contentScripts API, should fix some elusive, likely requestFilter-induced, bugs
  • Fixed no-dot domains treated as empty TLDs (thanks Peter Wu for patch)
  • Removed requestFilter hack for dynamic scripts management
  • [L10n] br and tr translations (thanks Transifex/OTF, https://www.transifex.com/otf/noscript/)
  • Best effort to have webRequest.onHeaderReceived listener run last (issue #6, thanks kkapsner)
  • [L10n] Localized "NoScript Options" title (thanks Diklabyte)
  • Fixed inline scripts not being reported to UI (thanks skriptimaahinen for patch)
  • Skip non-content windows when deferring startup page loads (thanks Rob Wu for reporting)
  • Broader detection of UTF-8 encoding in responses (thanks Rob Wu for reporting)
  • Improved support for debugging code removal in releases
  • Fixed startup race condition with pending request tracking
  • Fixed updating NoScript reloads tabs with revoked temporary permissions.

Legacy version:

v 5.1.8.7

  • [Security] Fixed script blocking bypass zero-day (thanks Zerodium for unresponsible disclosure, https://twitter.com/Zerodium/status/1039127214602641409)
  • [Surrogate] Fixed typo in 2mdn replacement (thanks barbaz)
  • [XSS] Fixed InjectionChecker choking at some big JSON payloads sent as POST form data
  • [XSS] In-depth protection against native ES6 modules abuse
  • Fixed classic beta channel users being accidentally migrated to stable (thanks barbaz)

How to install

sudo dnf upgrade --advisory=FEDORA-2018-e9821afbca

This update has been submitted for testing by rathann.

2 years ago

rathann edited this update.

2 years ago

rathann edited this update.

2 years ago

This update has been pushed to testing.

2 years ago
robatino provided feedback 2 years ago
BZ#1629661 mozilla-noscript-10.1.9.6 is available

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for batched by rathann.

2 years ago

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago


Metadata

  • Type: security
  • Karma: 1
  • Signed
  • Content Type: RPM
  • Test Gating

Settings

  • Unstable by Karma: -2
  • Stable by Karma: disabled
  • Stable by Time: disabled

Dates

  • submitted: 2 years ago
  • in testing: 2 years ago
  • in stable: 2 years ago
  • modified: 2 years ago

BZ#1629212 CVE-2018-16983 mozilla-noscript: NoScript Bypass via the text/html;/json Content-Type value
BZ#1629661 mozilla-noscript-10.1.9.6 is available
