
The Firefox NoScript guide you have all been waiting for


Reefa


One of the core reasons why I'm using the Firefox web browser on my desktop PC and not another browser is that the NoScript extension is only available for that browser.

NoScript does what the name implies: it blocks scripts from running automatically on almost all websites. This boosts security significantly, as most attacks run on websites require scripts to be effective. It will also improve page loading times on average, as less content needs to be loaded when NoScript is enabled.

The downside here is that site functionality may also not work properly on select sites. Since scripts are blocked by default, a site may simply not work at all, or only partially with NoScript installed.

The extension offers controls to resolve those issues though, as you can allow scripts to run temporarily or permanently on sites.

Another issue is that scripts are blocked on the domain level. Most websites load scripts from various sources: first from their own domain, but also from third-party servers, for instance to display ads, use tracking scripts, or to make use of a hosted version of jQuery.

It is often difficult to tell which scripts are required for a site's core functionality, and which are not. This is especially true for Internet users who have little experience when it comes to domains, website technologies and scripts.

The NoScript configuration

The NoScript out of the box experience is quite good. You can use it without modifications, but if you want to get the most out of the add-on, you may want to go through the options at least once to make sure everything is configured in an optimal fashion.

As I mentioned earlier, NoScript blocks scripts on most websites by default. The extension ships with a domain whitelist, which means that the sites that you find here are allowed to run scripts they host on their own domain.

Side Tip: NoScript distinguishes between root domains and subdomains. Domains like addons.mozilla.org and mozilla.org are handled as different domains by the extension.

Among the list of domains that are whitelisted are addons.mozilla.org, google.com, googleapis.com, live.com, hotmail.com, outlook.com or paypal.com.

You can remove any of the whitelisted sites under Whitelist in the NoScript options.

noscript-whitelist.png

My suggestion would be to remove domains that you do not want listed here. I recommend leaving Firefox's internal pages on the list though, as you will run into issues otherwise.

Here you can also import or export the selection, useful if you use Firefox on multiple devices and want to use the same whitelist.

The second configuration change that you may want to do concerns the NoScript icon. You may want to place it in a location that you can easily access.

I have placed mine in the add-on bar, but with the removal of the bar in Firefox Australis (version 29 is the target) you may also place it on the main toolbar of the browser.

Another option that you have is to use the context menu instead exclusively for that. NoScript adds an entry to Firefox's right-click context menu which you can use to allow or disallow sites, or to open the options and other features of the extension.

If you use the icon, you can make use of a couple of smart features the developer has built into the extension. To allow all scripts on the current site, middle-click the icon. You can furthermore enable a left-click toggle to allow or block the top-level site under General in the options.

You may notice that a message about blocked scripts is displayed on the screen in a notification. This can be useful if you use the context menu exclusively, but if you use an icon, that is also highlighted by the icon itself.

I prefer to remove the notification as it blocks part of the screen without telling me anything that I don't know already.

You can disable the notification under the notifications tab in the options.

noscript-notifications.png

Instead of displaying a message, you can also enable audio feedback. I do not recommend you do so, especially if you load many sites during a browsing session.

Let's go back to the sites listing that NoScript displays when you left-click or right-click the icon.

noscript-permissions.png

The menu highlights all scripts that the site tries to run. The root domain is always listed at the bottom of the listing, while all other domains are listed on top of it.

Tip: To ensure a site's full functionality, it is usually enough to allow the root domain. I'd recommend you load sites without whitelisting first to see if they work out of the box or not. If a site does not, it is likely caused by a script that needs to be loaded. There are exceptions to the rule. You may find that some sites use content distribution networks, e.g. cdn.ghacks.net, that you need to allow as well, and that some sites load libraries from third-party sites such as jquery.

As I have mentioned in my 6 NoScript tips guide, you can middle-click on any domain here to run a security check on it. When you middle-click, you are taken to a page on the NoScript website that links to several popular site security services such as Web of Trust, McAfee Site Advisor, or hpHost.

Use those to check a domain that you do not know anything about before you allow it. An alternative to that is to manually check a domain on Virustotal.

Tip: Right-click any domain name to copy it to the clipboard.

Digging deeper

Let's dig in a little bit deeper. NoScript offers more than just script blocking. It can be used to handle embedded content as well.

While that content is blocked by default for sites that are not whitelisted, it is not for sites that you have temporarily or permanently whitelisted.

This means that contents such as Java, Flash, Silverlight or other plugins are loaded on whitelisted sites by default. If you do not want that to happen, you have to make the following configuration change under NoScript Options > Embeddings.

whitelisted-sites.png

Here is an example where this may be useful. Say you need to whitelist a site to make use of all of its functionality. By doing so, you may inadvertently also allow it to play Flash ads, videos, or other contents that require the use of plug-ins.

While it may make sense to allow this content to play on whitelisted sites such as YouTube, as you visit the site for videos, it improves security and privacy if you apply these restrictions to whitelisted sites as well.

It means more clicking though to enable those contents, but it is a trade-off.

If you enable that feature, you will get a confirmation message every time you click on blocked contents. You can disable that by disabling "Ask for confirmation before temporarily unblocking an object".

Note: you can configure the forbidden items on the same page. So, it is theoretically possible to allow some of the contents while disallowing others. One possible option is to allow Flash, and to disallow all other contents.

Advanced options

The advanced options may look scary at first, as you find many technical terms such as XSLT, XSS, ABE, or even ping, mentioned here.

Generally speaking, those options are best left alone unless you require specific features.

One feature that may be of interest here is the handling of secure cookies. You can configure NoScript to force encryption for cookies set over HTTPS for select sites.

Some web services set cookies over a secure connection but fail to mark those cookies as secure. The result is that requests for that cookie from the same domain are allowed even if they come from non-HTTPS pages.

You may however run into issues on some sites, so that you may no longer be able to log in on those sites, or are logged out automatically when you switch pages.

You find information about those issues by opening Firefox's Web Console using the shortcut Ctrl-Shift-i. Use the information to add exceptions to the rule.

Other features that you may want to take a closer look at are options to forbid bookmarklets on untrusted sites, allow local links for trusted sites, or to disallow the attempt to fix JavaScript links.

Further reading

Probably the best location for additional information about NoScript is the FAQ that the author maintains. Several of the technological terms are explained here, and there is a tips and tricks section as well that you may find handy.

Source
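The secure-cookie problem described in the post, as an added example that is not part of the article or of NoScript's own code: it audits constructed Set-Cookie headers from an HTTPS response for cookies that lack the Secure attribute (which a browser would also send on plain http:// requests to the same host) and shows the hardened header. The URL, cookie names and helper function names are assumptions for illustration.

```javascript
// Added example, not code from the article or from NoScript. Constructed
// sample headers only; no real site is involved.

// Parse one Set-Cookie header value into its name and a lowercase attribute set.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = new Set(parts.slice(1).map((p) => p.split("=")[0].toLowerCase()));
  return { name: name.trim(), value: valueParts.join("="), attrs, raw: header };
}

// Return the names of cookies that a response served over HTTPS set without
// the Secure attribute. Those cookies are also attached to non-HTTPS requests
// for the same host, which is the exposure the post describes.
function findInsecureCookies(responseUrl, setCookieHeaders) {
  if (new URL(responseUrl).protocol !== "https:") return [];
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.has("secure"))
    .map((c) => c.name);
}

// Hardened form of a header: append Secure when it is missing, so the cookie
// is only ever sent over an encrypted connection.
function forceSecure(header) {
  return parseSetCookie(header).attrs.has("secure") ? header : header + "; Secure";
}

// Constructed sample response, not captured from any real service.
const SAMPLE_URL = "https://example.com/login";
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; HttpOnly",
  "prefs=dark; Path=/; Secure; SameSite=Lax",
  "csrftoken=xyz; Path=/",
];

console.log(findInsecureCookies(SAMPLE_URL, SAMPLE_HEADERS)); // ["sessionid", "csrftoken"]
console.log(SAMPLE_HEADERS.map(forceSecure));
```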



  • Replies 7
  • Views 2.1k
  • Created
  • Last Reply

Top Posters In This Topic

  • rach

    1

  • Reefa

    1

  • kacali

    1

  • derty2

    1

Top Posters In This Topic

I was quite frustrated with it, maybe this guide could help :read:

thanks, you have become a good news hunter :) :cheers:

Edited by rach


Personally, I find NoScript too intrusive and lacking in fine-grain control.

If you prefer a more manual approach, then you can achieve the same thing (or better) using these two addons:

RequestPolicy

YesScript

I have a love-hate relationship with the modern internet...Javascript is completely over-used and a security nightmare for userland.

A properly coded web site should never "NOT LOAD OR CRASH" your browser; it should fall back gracefully to a basic HTML view at the very least.

Any website which posts a message saying to me "Your browser is not supported, please update to a modern browser" CAN GO AND GET FUCKED !! ....it is an excuse only used by lazy rapid-development hipsters masquerading as web developers, or it is a trap by some asshole with a lot of clever "$$$$$" ideas.

I think webmasters who hide links in Javascript wrappers CAN FUCK OFF AND DIE !! ...I cannot see a web address at the status bar when mouse-hovering.

I think dynamic web pages (using Jscript) which adjust their layout by querying your browser's User Agent at every page load is a STUPID AND ANNOYING IDEA; the better and more user-friendly way is to have buttons on the page which, if clicked, will set the cookie for the rest of the session...AND STOP QUERYING MY USER AGENT !!

I think webmasters who create popup messages (using Jscript) like "Are you sure you want to leave this page" + disabling my context menu + disabling my back button + disabling tab closing CAN FUCK OFF AND DIE !! ....any site which does this to me gets instantly added to my HOSTS FILE as a loopback address ...AND I do a network lookup using "WHOIS" and "TRACERT" and get more addresses related to this asshole site and also add them to HOSTS.



Good post. Title of this thread is dumb though. ;) I know how to use NoScript and haven't been waiting for a guide.

Edited by Paft


LOOOOOL



I think webmasters who create popup messages (using Jscript) like "Are you sure you want to leave this page" + disabling my context menu + disabling my back button + disabling tab closing CAN FUCK OFF AND DIE !!

rotflmao! Couldn't have said it better! :showoff:


