NoScript extension icon and main menu
|Stable release||188.8.131.52 (July 28, 2017)|
5.0.10rc3 (September 5, 2017))
|Repository||Not publicly available|
|Available in||45 languages|
Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content, as well, helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat, and so on. NoScript will replace these blocked elements with a placeholder icon. Clicking on this icon enables the element.
NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.
NoScript's interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) which are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run. With complex webpages, users may be faced with a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.
However, the names of certain URLs often give indications of the purposes of these scripts, for example scripts from online-advertising and tracking firms. This gives users the ability to very specifically weed out scripts that they do not have the desire to run. This is a trial-and-error process. Upon unblocking a script the entire webpage is reloaded, and the weeding-out process must then be repeated.
NoScript also may provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding, with specific countermeasures that work independently from script blocking.
Scripts (and other blockable elements) are allowed or blocked based on the source from where the script is fetched. Very often, this source is not identical to the URL displayed in the address field of the web page (main page). This is because many web pages fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify blocking policy for the main address and each of the sources separately.
No scripts are executed, if the address of the main page is untrusted. Once any source is marked as trusted, NoScript will regard it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.
The possibility to allow scripts coming from a certain source only for specific main page locations has been requested frequently, but is not yet easy to configure. It may be achieved by configuring the built-in ABE module to fine-tune cross-site resource access.
For each source, the exact address, exact domain, or parent domain may be specified. By enabling a domain (e.g. mozilla.org), all its subdomains are implicitly enabled (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. HTTP and https). By enabling an address (protocol://host, e.g. https://mozilla.org), its subdirectories are enabled (e.g. https://mozilla.org/firefox and https://mozilla.org/thunderbird), but not its domain ancestors nor its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.
Sites can also be blacklisted with NoScript. This, coupled with the "Allow Scripts Globally" option, lets users who deem NoScript's "Default Deny" policy too restrictive, to turn it into a "Default Allow" policy. Even if the security level is lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding.
The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. plugins, webmail, online banking and so on), according to policies defined either directly by the user, by the web developer/administrator, or by a trusted third party. In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.
NoScript's ClearClick feature, released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based). This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.
NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites which don't support Strict Transport Security yet. NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.
NoScript is able to run user-provided scripts instead of, or in addition to, website-provided scripts, in a similar manner to the Greasemonkey addon. This feature was originally designed to fix pages that make use of third-party scripts (such as Google Analytics) in a way that causes the pages to break when the third-party scripts are blocked, but is not required for the actual functionality of the page. The list of built-in surrogate scripts is actively maintained and included 48 sites as of version 184.108.40.206.
In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an AdBlock Plus filter. The code implementing this workaround was "camouflaged" to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism, and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications, Maone removed the code and issued a full apology.
Also in May 2009, shortly after the Adblock Plus incident, a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software. This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites". In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site.
The conflict was resolved when Maone changed his site's CSS to move--rather than disable--the Ghostery notification.
Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.