Update 11.4.38.

hackademix · hackademix · commit da25e0757813 · 2024-09-18T07:14:44.000+02:00
diff --git a/content/_data/ver.json b/content/_data/ver.json
@@ -1,4 +1,4 @@
 {
-  "stable": "11.4.29",
-  "dev": "11.4.30rc1"
+  "stable": "11.4.37",
+  "dev": "11.4.39rc2"
 }
diff --git a/content/changelog.md b/content/changelog.md
@@ -1,8 +1,194 @@
 ---
 title: Changelog
 ---
-[+] new feature, [x] bug fix, [-] removed feature, [=] repackaging or cosmetic change
+[+] new feature, [x] bug fix/maintenance, [-] removed feature, [=] repackaging or cosmetic change
 ```{.changelog}
+v 11.4.38
+============================================================
+x [nscl] Reuse uuid() in SyncMessage
+x [nscl] Simpler and safer SyncMessage logic on
+  Chromium-based browsers (thanks NDevTK for reporting)
+x Fixed missing frameId on interception reporting
+x Updated file exclusions on packaging
+
+v 11.4.38rc2
+============================================================
+x [nscl] Reuse uuid() in SyncMessage
+
+v 11.4.38rc1
+============================================================
+x Updated file exclusions on packaging
+x [nscl] Simpler and safer SyncMessage logic on
+  Chromium-based browsers (thanks NDevTK for reporting)
+x Fixed missing frameId on interception reporting
+
+v 11.4.37
+============================================================
+x [nscl] Do not patch windows with WebGLHook if webgl is
+  globally disabled
+x [nscl] Do not patch workers if webgl is globally disabled
+x [L10n] Updated uk
+x [nscl] Workers-aware WebGL Hook
+
+v 11.4.37rc3
+============================================================
+x [nscl] Do not patch windows with WebGLHook if webgl is
+  globally disabled
+
+v 11.4.37rc2
+============================================================
+x [nscl] Do not patch workers if webgl is globally disabled
+
+v 11.4.37rc1
+============================================================
+x [L10n] Updated uk
+x [nscl] Workers-aware WebGL Hook
+
+v 11.4.36
+============================================================
+x [nscl] Merged MV3-compatible branch
+x [XSS] Take in account the whole redirection chain (thanks
+  NDevTK for reporting)
+
+v 11.4.35
+============================================================
+x Improved lazy_load capability (optimization and
+  notification)
+x [nscl] Slight optimization of NOSCRIPT element emulation
+  loop
+x Automatically add extra capabilities to policyTypesMap
+x Gracefully handle new capabilities still unknown to the
+  settings host (e.g. Tor/Mullvad browser), if any
+x Configurable "lazy_load" capability (see
+  https://github.com/whatwg/html/issues/5250)
+x Prefetch all CSS subresources (1st party included) in
+  private contexts where both unchecked_css and scripting
+  capabilities are disabled
+x Forcibly neutralize lazy loading attributes when scripting
+  is disabled
+x [nscl] Restored SyncMessage compatibility with Firefox 78
+  and below
+x Lock nscl version on stable releases
+x [L10n] Updated de, fr, tr, ru, uk, zh_CN
+
+v 11.4.35rc4
+============================================================
+x Improved lazy_load capability (optimization and
+  notification)
+x [nscl] Slight optimization of NOSCRIPT element emulation
+  loop
+x Automatically add extra capabilities to policyTypesMap
+x [L10n] Updated de, fr, tr, ru, zh_CN
+
+v 11.4.35rc3
+============================================================
+x Gracefully handle new capabilities still unknown to the
+  settings host (e.g. Tor/Mullvad browser), if any
+x Configurable "lazy_load" capability (see
+  https://github.com/whatwg/html/issues/5250)
+x [L10n] Updated fr
+
+v 11.4.35rc2
+============================================================
+x Prefetch all CSS subresources (1st party included) in
+  private contexts where both unchecked_css and scripting
+  capabilities are disabled
+x Forcibly neutralize lazy loading attributes when scripting
+  is disabled
+
+v 11.4.35rc1
+============================================================
+x [nscl] Restored SyncMessage compatibility with Firefox 78
+  and below
+x [L10n] Updated uk
+x Lock nscl version on stable releases
+
+v 11.4.34
+============================================================
+x [nscl] Work around for
+  https://bugzilla.mozilla.org/show_bug.cgi?id=1899786
+  (issue #372)
+x [L10n] Updated de, ru, tr
+x Synchronize nscl git commits as needed before tagging new
+  versions
+
+v 11.4.34rc2
+============================================================
+x [L10n] Updated ru, tr
+x [nscl] Work around for
+  https://bugzilla.mozilla.org/show_bug.cgi?id=1899786
+  (issue #372)
+
+v 11.4.34rc1
+============================================================
+x Fix fallback noscript meta-refresh broken by sandbox CSP
+  directive
+
+v 11.4.33
+============================================================
+= (placeholder Chrome Store version for 11.4.31 rollback)
+
+v 11.4.32
+============================================================
+x [L10n] Updated de
+x [nscl] Use the sandbox directive in addition to script-src
+  for CSP-based script blocking
+x Syncrhonize nscl git commits as needed before tagging new
+  versions
+
+v 11.4.31
+============================================================
+x [L10n] Updated fr, is, ru, zh_CN
+x Improved release tooling
+x [nscl] Updated to latest NoScript Commons Library
+x NoScript Options/Appearance/Show synthetic placeholders
+  for invisible capability probes (issue #369)
+x [nscl] Make placeholders easier to style per type
+x Prevent duplicate synthetic placeholders for invisible
+  capability probes (issue #369)
+
+v 11.4.31rc3
+============================================================
+x [L10n] Updated zh_CN
+x Improved release tooling
+x [nscl] Updated to latest NoScript Commons Library
+x [L10n] Updated ru
+x [L10n] Updated fr, is
+
+v 11.4.31rc2
+============================================================
+x NoScript Options/Appearance/Show synthetic placeholders
+  for invisible capability probes (issue #369)
+x [nscl] Make placeholders easier to style per type
+
+v 11.4.31rc1
+============================================================
+x Prevent duplicate synthetic placeholders for invisible
+  capability probes (issue #369)
+
+v 11.4.30
+============================================================
+x [nscl] Best effort WebGL placeholders for offscreen
+  capability detection
+x Improved blocked but required capability reporting from
+  subframes (issue #367)
+x [nscl] Include SVG among embedding document types (fixes
+  issue #366)
+x Removed obsolete "applications" manifest.json key
+
+v 11.4.30rc2
+============================================================
+x [nscl] Best effort WebGL placeholders for offscreen
+  capability detection
+x Improved blocked but required capability reporting from
+  subframes (issue #367)
+x [nscl] Include SVG among embedding document types (fixes
+  issue #366)
+
+v 11.4.30rc1
+============================================================
+x Removed obsolete "applications" manifest.json key
+
 v 11.4.29
 ============================================================
 x [nscl] Updated TLDs
diff --git a/content/community.md b/content/community.md
@@ -54,4 +54,4 @@ Specific  NoScript development efforts have been generously supported by the [__
 
 #### Donations
 Nevertheless NoScript couldn't keep up with its continuous and strenuous fight against emerging web threats with no help from you, dear user. So, if you find NoScript useful, __please consider a donation__, either via __Paypal__ ([USD]({{links.donate}}?c=USD) / [EUR]({{links.donate}}?c=EUR)) or [by other means]({{ "/faq#faq-donate" | url }}).
-You will feel proud of your contribution to a safer web, and prouder your gorgeous [dark NoScript wallpaper](/img/noscript-wallpaper-dark.png).
+You will feel proud of your contribution to a safer web, and even prouder of your gorgeous [dark NoScript wallpaper](/img/noscript-wallpaper-dark.png).
diff --git a/content/getit.md b/content/getit.md
@@ -25,21 +25,19 @@ nav: 2
 You can get the latest stable version __for Firefox desktop only__ also using this [__direct NoScript {{ ver.stable }} download link__](https://noscript.net/download/releases/noscript-{{ ver.stable }}.xpi).
 To install, just drag and drop it onto your address bar.
 ````{.changelog}
-v 11.4.29
+v 11.4.37
 ============================================================
-x [nscl] Updated TLDs
-x [nscl] Improved reliability of TLD updater
-x Removed theme.js console noise
-x Fix beta channel updates breakage due to
-  browser_specific_settings override
-x [nscl] Several content-side performance improvements
-x Reduce synchronous policy retrieval impact on file: and
-  ftp: document loading performance
-x More commands for which a keyboard shortcut can be
-  configured
-x [L10n] Updated de, fi, mk, nl, pl, ru, sq, tr, uk,
-  pt_BR, zh_CN, zh_TW
-x Explicit Android compatibility declaration
+x [nscl] Do not patch windows with WebGLHook if webgl is
+  globally disabled
+x [nscl] Do not patch workers if webgl is globally disabled
+x [L10n] Updated uk
+x [nscl] Workers-aware WebGL Hook
+
+v 11.4.36
+============================================================
+x [nscl] Merged MV3-compatible branch
+x [XSS] Take in account the whole redirection chain (thanks
+  NDevTK for reporting)
 ````
 ### __Development build__{#devel}
 
@@ -72,57 +70,95 @@ You're done. Happy testing!
 
 #### Recent development history
 ````{.changelog}
-v 11.4.30rc1
+v 11.4.39rc2
+============================================================
+x [nscl] Prevent patchWindow from throwing on SOP violations
+
+v 11.4.39rc1
+============================================================
+x [nscl] Correctly propagate extra arguments to shadowed
+  worker constructors
+
+v 11.4.38rc2
+============================================================
+x [nscl] Reuse uuid() in SyncMessage
+
+v 11.4.38rc1
+============================================================
+x Updated file exclusions on packaging
+x [nscl] Simpler and safer SyncMessage logic on
+  Chromium-based browsers (thanks NDevTK for reporting)
+x Fixed missing frameId on interception reporting
+
+v 11.4.37rc3
 ============================================================
-x Removed obsolete "applications" manifest.json key
+x [nscl] Do not patch windows with WebGLHook if webgl is
+  globally disabled
 
-v 11.4.29rc5
+v 11.4.37rc2
 ============================================================
-x [nscl] Improved reliability of TLD updater
+x [nscl] Do not patch workers if webgl is globally disabled
 
-v 11.4.29rc4
+v 11.4.37rc1
 ============================================================
-x [nscl] Updated TLDs
-x Removed theme.js console noise
+x [L10n] Updated uk
+x [nscl] Workers-aware WebGL Hook
 
-v 11.4.29rc3
+v 11.4.36rc1
 ============================================================
-x Fix beta channel updates breakage due to
-  browser_specific_settings override
+x [nscl] Merged MV3-compatible branch
+x [XSS] Take in account the whole redirection chain (thanks
+  NDevTK for reporting)
 
-v 11.4.29rc2
+v 11.4.35rc4
+============================================================
+x Improved lazy_load capability (optimization and
+  notification)
+x [nscl] Slight optimization of NOSCRIPT element emulation
+  loop
+x Automatically add extra capabilities to policyTypesMap
+x [L10n] Updated de, fr, tr, ru, zh_CN
+
+v 11.4.35rc3
 ============================================================
-x [L10n] Updated fi, pt_BR
-x [nscl] Several content-side performance improvements
-x Reduce synchronous policy retrieval impact on file: and
-  ftp: document loading performance
-x More commands for which a keyboard shortcut can be
-  configured
-
-v 11.4.29rc1
+x Gracefully handle new capabilities still unknown to the
+  settings host (e.g. Tor/Mullvad browser), if any
+x Configurable "lazy_load" capability (see
+  https://github.com/whatwg/html/issues/5250)
+x [L10n] Updated fr
+
+v 11.4.35rc2
+============================================================
+x Prefetch all CSS subresources (1st party included) in
+  private contexts where both unchecked_css and scripting
+  capabilities are disabled
+x Forcibly neutralize lazy loading attributes when scripting
+  is disabled
+
+v 11.4.35rc1
 ============================================================
-x [nscl] Updated TLDs
-x [L10n] Updated de, mk, nl, pl, ru, sq, tr, uk, zh_CN,
-  zh_TW
-x Explicit Android compatibility declaration
+x [nscl] Restored SyncMessage compatibility with Firefox 78
+  and below
+x [L10n] Updated uk
+x Lock nscl version on stable releases
 ````
 
 ### Deprecated, obsolete and unsupported "Classic" versions
 
 [![NoScript Classic Logo](https://classic.noscript.net/noscript/logo.png){.left}](https://classic.noscript.net/)
 
-You can still download [**NoScript "Classic"** (5.1.9)](https://noscript.net/download/releases/noscript-5.1.9.xpi) ([SHA256](releases/noscript-5.1.9.xpi.sha256)) for Seamonkey, Palemoon, Waterfox Classic and possibly other "vintage" (pre-Gecko 57) Firefox forks [here](https://noscript.net/download/releases/noscript-5.1.9.xpi).
+You can still download [**NoScript "Classic"** (5.1.9)](https://noscript.net/download/releases/noscript-5.1.9.xpi) ([SHA256](https://noscript.net/download/releases/noscript-5.1.9.xpi.sha256)) for Seamonkey, Palemoon, Waterfox Classic and possibly other "vintage" (pre-Gecko 57) Firefox forks [here](https://noscript.net/download/releases/noscript-5.1.9.xpi).
 
 **Notice:** _you may need to open about:config and set your **xpinstall.signatures.required** preference to **false** in order to install NoScript 5.x, since Mozilla doesn't support signatures for legacy add-ons anymore. If you're [using a non ESR Firefox, you may also need this hack](https://forums.informaction.com/viewtopic.php?p=98662#p98662)._
 
 
 Users of Firefox 58 and below are urged to upgrade their very unsafe browser. For those few who can't,
 
 *   [latest NoScript version compatible with Gecko 57 - Gecko 58 is 10.1.7.3](https://noscript.net/download/releases/noscript-10.1.7.3.xpi);
-*   [latest NoScript version compatible with Gecko 46 - Gecko 56 is 5.1.9](https://noscript.net/download/releases/noscript-5.1.9.xpi) ([SHA256](releases/noscript-5.1.9.xpi.sha256));
-*   [latest NoScript version compatible with Gecko 13 - Gecko 45 is 2.9.0.14](https://noscript.net/download/releases/noscript-2.9.0.14.xpi) ([SHA256](releases/noscript-2.9.0.14.xpi.sha256));
-*   [latest NoScript version compatible with Gecko 1.9 - Gecko 12 is 2.9.0.1rc1](https://noscript.net/download/betas/noscript-2.9.0.1rc1.xpi) ([SHA256](betas/noscript-2.9.0.1rc1.xpi.sha256));
-*   [latest NoScript version compatible with Gecko < 1.9 is 1.10](https://noscript.net/download/releases/noscript-1.10.xpi) ([SHA256](releases/noscript-1.10.xpi.sha256)).
+*   [latest NoScript version compatible with Gecko 46 - Gecko 56 is 5.1.9](https://noscript.net/download/releases/noscript-5.1.9.xpi) ([SHA256](https://noscript.net/download/releases/noscript-5.1.9.xpi.sha256));
+*   [latest NoScript version compatible with Gecko 13 - Gecko 45 is 2.9.0.14](https://noscript.net/download/releases/noscript-2.9.0.14.xpi) ([SHA256](https://noscript.net/download/releases/noscript-2.9.0.14.xpi.sha256));
+*   [latest NoScript version compatible with Gecko 1.9 - Gecko 12 is 2.9.0.1rc1](https://noscript.net/download/betas/noscript-2.9.0.1rc1.xpi) ([SHA256](https://noscript.net/download/betas/noscript-2.9.0.1rc1.xpi.sha256));
+*   [latest NoScript version compatible with Gecko < 1.9 is 1.10](https://noscript.net/download/releases/noscript-1.10.xpi) ([SHA256](https://noscript.net/download/releases/noscript-1.10.xpi.sha256)).
 
 #### Disclaimer
 We cannot update nor support NoScript 5.x and below anymore, because it was based on a completely different and now obsolete technology. However you can still find usage information and a FAQ section for those ancient versions in the [NoScript Classic archived website](https://classic.noscript.net/).
diff --git a/content/usage.md b/content/usage.md
@@ -60,7 +60,7 @@ Even though this is not recommended, power users may customize also the built-in
 #### LAN Protection{.subh}
 
 Simply put, the LAN capability lets documents coming from the public Internet (AKA World Area Network / WAN) to link / send requests to hosts inside your Local Area Network (LAN), which is pretty much what they can do now, allowing so called cross-zone CSRF/XSS attacks.
-By keeping it disabled (the factory setting in the DEFAULT and UNTRUSTED presets), you're replicating this feature from "Classic" NoScript, without the hassle of going through ABE's firewall-like rules when you need to set an exception, which now is just a matter of checking the LAN capability box.
+By keeping it disabled (the factory setting in the DEFAULT and UNTRUSTED presets), you're replicating [the Application Boundaries Enforcer feature](https://classic.noscript.net/abe/index.html) from "Classic" NoScript, without the hassle of going through ABE's firewall-like rules when you need to set an exception, which now is just a matter of checking the LAN capability box.
 
 ### Per-site preferences editor
 {% screenshot "per-site-prefs", "Configuring per-site permissions (light scheme)" %}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "stable": "11.4.29",`
`3`		`- "dev": "11.4.30rc1"`
	`2`	`+ "stable": "11.4.37",`
	`3`	`+ "dev": "11.4.39rc2"`
`4`	`4`	`}`