NoScript Script Surrogates explained

[Batu69]

This guide looks at NoScript's Script Surrogates functionality, explains how you can add or remove surrogates from the popular Firefox add-on, and explains what the feature is being used for.

Most Internet users who heard about NoScript associate it with the blocking of scripts on sites that the user visits in the browser. That's correct, but NoScript is more powerful than that as it offers several other security features and settings worth taking a look at.

Did you know for instance that you can force https connections on sites using the software?

One of those features is called Script Surrogates. What it does, basically, is replace existing scripts loaded on websites with a surrogate.

If you use NoScript, you may have noticed sites that refuse to work properly if certain scripts are not loaded. Sometimes, you can tell with absolute certainty that these scripts are not required. If a site requires the Google Analytics script for instance to show any content, you can be sure that this is one of those cases.

Script Surrogates in NoScript

NoScript ships with a selection of surrogates for various sites and scripts. If you have the add-on installed in Firefox, do the following to check the existing surrogates:

1. Type about:config in the address bar and hit enter.
2. Confirm that you will be careful if the warning appears.
3. Search for noscript.surrogate.

You get a long list of surrogate instructions. As a general rule, NoScript links a source and replacement preference for each instruction. The following example highlights the Google Analytics surrogate:

noscript.surrogate.ga.sources - *.google-analytics.com

noscript.surrogate.ga.replacement - (function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);with(window)urchinTracker=_u,_gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0}),_gat=$S({__noSuchMethod__:function(){return _gaq}})})()

When you visit a site in Firefox that loads the Google Analytics script on page load, NoScript intercepts that request and replaces it automatically with the replacement instructions (which basically tell the site that the Analytics script was loaded fine but does nothing in regards to user recording).

This means that the site will work even if it has been designed specifically to block content or functionality if certain scripts are blocked by the user connecting to it.

Turning off surrogates

You can turn off the surrogate functionality of NoScript in the following way:

1. Load about:config again in the address bar and hit enter.
2. Search for noscript.surrogate.enabled.
3. Double-click the preference.

A value of false means the functionality is disabled, while true means it is enabled and being used by NoScript.

Add your own Script Surrogates

You can add custom surrogates to NoScript in the following way. First thing you do is add a new source preference to Firefox. This is done in the following way:

1. Load about:config again.
2. Right-click on the page afterwards and select New > String from the context menu.
3. Name the preference noscript.surrogate.pickacustomname.sources.
4. Replace "pickacustomname" with a descriptive name, e.g. jqueryMin if you want to create a surrogate for jqueryMin.
5. Double-click on the newly created preference and add a source to it, e.g. ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js
6. You may add more than one source, simply add a space after the source and add a new one.
7. Right-click again and select New > String.
8. Name the second preference noscript.surrogate.pickacustomname.replacement.
9. Make sure pickacustomname is identical to the source.
10. Add JavaScript or reference to a file as the replacement value.

Several prefixes exist that you can add to the source or sources that define when and how they run.

You have two main options when creating replacements. Either add direct JavaScript instructions or reference a file instead that you want the site to load.

The first option makes sense in situations where a script should not be mandatory on a site, the second to replace remote copies with local ones to improve privacy and speed.

To use the jquery example from above once more. To replace the Google hosted version with a local one, you'd do the following:

1. Create noscript.surrogate.jqueryMin.sources
2. Give it the value ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js
3. Create noscript.surrogate.jqueryMin.replacement
4. Give it the value file://c:/scripts/jquery-2.1.4.min.js

You may need to adjust the preference regularly or add new ones depending on updates.

Credit to

[thunderpants]

Excellent info Batu69 .

I never knew you could do that with Noscript.