Subject: CVS commit: pkgsrc/security/tor-browser-noscript
From: Thomas Klausner
Date: 2021-04-01 00:00:06
Message id: 20210331220006.BD6B8FA95@cvs.NetBSD.org
Log Message:
tor-browser-noscript: update to 11.2.4.
v 11.2.4
============================================================
x CSS resources prefetching as a mitigation against CSS PP0
(https://github.com/Yossioren/pp0)
x [L10n] Updated br, de, el, es, fr, he, is, nl, pl, pt_BR,
ru, sq, tr, zh_CN
x [nscl] Interception of webgl context creation in
OffscreenCanvas too
x Fixed configuration upgrades not applied on manual updates
(thanks Nan for reporting)
x Mitigation for misbehaving pages repeating failed requests
in a tight loop
x [UI] More understandable label for the cascading
restrictions option
x [nscl] More refactoring out in NoScript Commons Library
x [nscl] patchWindow improvements
v 11.2.4rc5
============================================================
x [nscl] Interception of webgl context creation in
OffscreenCanvas too
x Fixed regression: Site Info broken by NSCL refactoring
v 11.2.4rc4
============================================================
x [nscl] Fixed unmerged NetCSP "extra" headers always
undefined
x HTML event atoms reorder in Mozilla sources
v 11.2.4rc3
============================================================
x Avoid stack trace generation for debugging purposes on
release builds
x More selective CSS PP0 protection, excluded on the Tor
Browser where it's unneeded and easier to test/debug on
dev builds
x Make isTorBrowser information available in child policy
x Prevent console noise on startup with privileged tabs
x [nscl] More refactoring out in NoScript Commons Library
v 11.2.4rc2
============================================================
x [nscl] Switch to NSCL for messaging
x [nscl] Rollback unneeded window.opener patching (thanks
skriptimaahinen for insight)
x CSS PP0 mitigation: cross-site stylesheets on scriptless
pages, one resource per host
x Limit CSS PP0 mitigation to scriptless pages and prefetch
only cross-site resources
v 11.2.4rc1
============================================================
x CSS resources prefetching as a mitigation against CSS PP0
(https://github.com/Yossioren/pp0)
x [L10n] Updated br, de, el, es, fr, he, is, nl, pl, pt_BR,
ru, sq, tr, zh_CN
x Fixed configuration upgrades not applied on manual updates
(thanks Nan for reporting)
x Mitigation for misbehaving pages repeating failed requests
in a tight loop
x [UI] More understandable label for the cascading
restrictions option
x [nscl] patchWindow improvements
x [nscl] Switch to NSCL's generic inclusion shell script
v 11.2.3
============================================================
x [L10n] Purged non-inclusive terms from obsolete messages
x Added red halo feedback in CUSTOM preset for noscript
element capability
x Fixed missing red halo feedback in CUSTOM preset for
inline scripts and other capabilities sometimes
x Fixed race condition causing noscript elements not to be
rendered sometimes
v 11.2.2
============================================================
x Fixed typo in version checked on noscript capability update.
x [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,
ja, lt, mk, ms, nb, nl, pt_BR, ru, sq, sv_SE, tr, zh_CN,
zh_TW.
v 11.2.1
============================================================
x Configurable capability to show noscript elements on
script-disabled pages
x [UI] Minor CSS Chromium compatibility fix
x [nscl] Refactoring to use Policy and its dependencies from
the NoScript Commons Library
x Switch to faster and easier to maintain tld.js from nscl
x [UI] Fix punycode inconsistencies
x [UI] Improve preset and site controls alignment
x Provide feedback in the CUSTOM tab for WebGL usage
attempts even if the canvas element is not attached to the
DOM
x [L10n] Updated de, ja
x Updated HTML events
x Prevent double script on trusted file:// pages in some
edge cases
x Prevent detection of wrapped functions (e.g. in WebGL
interception) on Chromium
v 11.2.1rc4
============================================================
x [UI] Minor CSS Chromium compatibility fix
x Configurable capability to show noscript elements on
script-disabled pages
x [L10n] Updated de
v 11.2.1rc3
============================================================
x [nscl] Improved integration of the NoScript Commons
Library
x Moved nscl submodule into src
x [nscl] Update (restructured tree)
x Removed nscl cache directory from src
x [nscl] Refactoring to use Policy and its dependencies from
the NoScript Commons Library
v 11.2.1rc2
============================================================
x Remove ||= operator which makes AMO's validator explode
x Switch to faster and easier to maintain tld.js from nscl
x [nscl] Updated with TLD_CACHE removal after usage
x [nscl] Updated NoScript Common Library inclusions
x Added the NoScript Commons Library (nscl) as a submodule
x [UI] Fix punycode inconsistencies
x [UI] improve preset and site controls alignment
x Updated TLDs
x Provide feedback in the CUSTOM tab for WebGL usage
attempts even if the canvas element is not attached to the
DOM
x [L10n] Updated de, ja
x Updated HTML events
v 11.2.1rc1
============================================================
x Prevent double script on trusted file:// pages in some
edge cases
x Updated events archive
x Prevent detection of wrapped functions (e.g. in WebGL
interception) on Chromium
x Updated TLDs
x Merge German language update
v 11.2
============================================================
x [XSS] New UI to reveal and selectively remove permanent
user choices
x [L10n] Updated de
x Webgl hook refactored on nscl/content/patchWindow.js and
made Chromium-compatible
x Updated TLDs
v 11.2rc3
============================================================
x [XSS] Fixed choice manager UI bug (thanks barbaz for
report)
v 11.2rc2
============================================================
x Updated TLDs
x [XSS] New UI to reveal and selectively remove permanent
user choices
v 11.2rc1
============================================================
x [L10n] Updated de
x Webgl hook refactored on nscl/content/patchWindow.js and
made Chromium-compatible
x Updated TLDs
v 11.1.9
============================================================
x Return null when webgl is not allowed (thanks Matthew
Finkel for patch)
x [XSS] Fixed memoization bug resulting in performance
degradation on some payloads
x [XSS] Include call stack in debugging log output
x [XSS] Skip naps when InjectionChecker runs in its own
worker
x Shortcut for easier XSS filter testing
x More lenient filter to add a new entry to per-site
permissions
x [L10n] Updated de
x Replace script-embedded bitmap with css-embedded SVG as
the placeholder logo
x Updated TLDs
x Remove source map reference causing console noise
x Fix per-site permissions UI glitches when base domain is
added to existing subdomain (thanks barbaz for reporting)
v 11.1.9rc5
============================================================
x Return null when webgl is not allowed (thanks Matthew
Finkel for patch)
v 11.1.9rc4
============================================================
x Updated TLDs
x [XSS] Fixed memoization bug resulting in performance
degradation on some payloads
x [XSS] Include call stack in debugging log output
x [XSS] Skip naps when InjectionChecker runs in its own
worker
x Shortcut for easier XSS filter testing
v 11.1.9rc3
============================================================
x More lenient filter to add a new entry to per-site
permissions
v 11.1.9rc2
============================================================
x [L10n] Updated de
x Better fix for per-site permissions UI glitches (thanks
barbaz for reporting)
v 11.1.9rc1
============================================================
x Replace script-embedded bitmap with css-embedded SVG as
the placeholder logo
x Updated TLDs
x Remove source map reference causing console noise
x Fix per-site permissions UI glitches when base domain is
added to existing subdomain (thanks barbaz for reporting)
v 11.1.8
============================================================
x [XSS] Fix for old pre-screening optimization exploitable
to bypass the filter in recent browsers - thanks Tsubasa
FUJII (@reinforchu) for reporting
x Replace DOM-based entity decoding with the he.js pure JS
library
x Updated copyright statement
x Updated browser-polyfill.js
x Removed obsolete fastclick.js dependency
x [l10n] Updated de (thanks ib and Musonius)
x Updated TLDs
Files: