36 responses

  1. Nathan Gotch
    February 10, 2014

    Awesome feature and I love Mozilla because its browser is built around protecting its USERS, not spying on them. Thanks for the great tutorial!

  2. Carol
    February 10, 2014

    But, but Javascript is everywhere on the web now.

    • Martin Brinkmann
      February 10, 2014

      Sure, but many sites do not require it for core functionality. Plus, if you trust a site, you can temporarily allow it.

  3. fokka
    February 10, 2014

    as a somewhat “advanced” user i’d love to say that i use noscript, but the times i tried it, it was just too much of a hassle with seemingly little benefit.

    don’t get me wrong, i’d of course prefer it to have more control about what runs in my browser and what not, improving both privacy and security, but having to configure many sites i visit for the first time would just take too much joy out of browsing the internet.

    maybe i’ll give it another try someday, but for now i’m ok without noscript.

    • RG
      February 10, 2014

      This. Exactly what I would have commented but since fokka did it I will just say +1

    • DrDrB
      February 18, 2014

      Either you use it, or you do not – there is no “in between”; to get things done usually takes some effort, but perhaps you are somewhat “lazy”.

  4. exrelayman
    February 10, 2014

    Eliminate the hassle. Leave it activated. If a site you trust doesn’t work, just click ‘allow all this site’. All done! No figuring your way through the myriad of NoScript options.

    This trades off some of the protection for the sake of convenience, but still protects you better than not having it at all. Coming cold into a new site you are protected. Of course using Web of Trust in conjunction with NoScript is a bit better still.

  5. kalmly
    February 10, 2014

    Doesn’t NoScript work with SeaMonkey? My friend suggested I try SeaMonkey for just that reason.

    • Martin Brinkmann
      February 10, 2014

      It is compatible according to this page, provided you use SeaMonkey 2.0 or up.


  6. Jay
    February 10, 2014

    Great article. Thanks! I didn’t know you could middle-click on the domain and get a report.

  7. sumt
    February 10, 2014

    How I have configured NoScipt:

    Check “Temporarily allow top-level sites by default” and “Base 2nd level domains”
    from the general options.

    This will allow all the scripts on the visited site (+2nd level domains) but still disallows all 3rd party scripts.

    • Euphorion
      February 10, 2014

      That’s what I do too and, combined with the whitelist, 95% of the websites works properly while the 3rd party scripts still blocked by default. This is a good compromise :)

  8. Gonzo
    February 10, 2014

    I haven’t run NoScript in years. It’s a “block all and whitelist what breaks” solution. It can take weeks to set up and it’s a constantly moving target. Too much trouble IMO.

    I use Adblock Plus in the exact opposite way by blocking based on a blacklist and building rules for sites that have extra annoyances. All plugins are set to “Ask to Activate”. Sites are rarely if ever broken and I retain my sanity this way ;-)

    Martin, would you mind sharing your reasons for using NoScript?

    • Martin Brinkmann
      February 10, 2014

      Well I have three core reasons for running NoScript: security, privacy and speed.

      Security because it blocks the execution of scripts that would otherwise run. If you run a blacklist approach, they will run until you blacklist them.

      Privacy because it blocks the majority of tracking scripts (including social media). The only exception to the rule is server-side analytics.

      Speed because you load less, and therefore things load faster on average.

      You can achieve part of what NoScript does with an adblocker. If you block ads, sites will load faster, and it may also improve your privacy and security. But adblockers only go that far.

      • Gonzo
        February 11, 2014

        Security – I agree with the argument that NoScript doesn’t offer protection. If you allow ANY server side script to run then you are at risk. If a script is needed at a site you frequent then you whitelist it – you’re now at risk. You have no control over that site so you can’t claim “trust”.

        Privacy – Most tracking scripts are blocked with the right lists in ADP. There are other ways besides scripting to track someone (you’ve written about many of them). I have my browser icon set to a batch file that executes CCleaner automatically after I close my browser. Assuring that all (except fingerprinting) forms of tracking are wiped before a new session is started.

        Speed – It’s much less of an issue these days. JS engines, ISP speeds and hw are no longer huge bottlenecks. ADP is also excellent here.

        Despite being open source I and many others lost faith in NoScript when the dev was constantly pushing updates driving traffic to his whitelisted home page that served up lots of ads. I don’t know if this is still the default?

        I like it’s inclusion in TorBrowser but I still can’t find a good argument for everyday use. Thanks for the insight though!

      • Martin Brinkmann
        February 11, 2014

        About security, you have to see understand that NoScript’s approach is still better than not running it. Yes, if you whitelist a site it can run scripts, that is why this is reserved to sites that you trust. Whitelisting essential means that you go back to how Firefox handles all of these connections in first place.

        Plus, even if you whitelist, you can still prevent the automatic execution of select plugins and benefit from other protection features the extension provides you with.

    • fgsdfsdfg
      February 10, 2014

      Isnt it obvious? Protection? Nah, just for the fun of using it?

  9. InterestedBystander
    February 10, 2014

    Excellent guide. Thanks. I’ve gotten happily used to NOT having auto-play ads and popovers appearing. It seems to me that web advertisers have soiled their own sheets by making advertisements intrusive and obnoxious. But that’s another discussion.

    Usually rather than mess with whitelisting, I copy the website address, open Chromium in another workspace, and use it for just that site. Everyone develops their own way of doing things.

  10. anstromm
    February 10, 2014

    I find it useful to set noscript.sync.enabled to true in about:config, so that all your NoScript settings get synchronized.

    • Martin Brinkmann
      February 10, 2014

      Good point, thanks for the tip!

  11. Temp
    February 10, 2014

    Thank you for the NoScript guide i agree with you Martin

    if a website cant be viewed without javascript i probably wont visited it

  12. Intelligence
    February 11, 2014

    NoScript… overkill for the overly paranoid. More trouble than it’s worth and it breaks websites far too much.

  13. Karl J. Gephart
    February 11, 2014

    One of my fave addons! Too bad the dev doesn’t have a built-in inspection tool so you can quickly find the visually-offending Javascript effect/animation and kill it all within the addon’s GUI (picky, aren’t I?! LOL!).

  14. Dwight Stegall
    February 11, 2014

    For you poor misguided souls that love the Addon Bar you can get it back with Classic Theme Restorer addon. It is activated by default.

    I hate so i put my most often used buttons on the Nav Bar and the left-side of the Bookmarks Toolbar. I put my lesser used buttons in the Customize Dropdown menu.

    You can also put buttons on the Menu Bar To the right of Help and toggle that bar with the Alt key.

  15. 江3如此多娇
    February 11, 2014

    I am so glad to Martin Brinkmann`s quick action,
    i read the article, and looking for more^^

  16. Mystique
    February 11, 2014

    What this and other addons like this (Request Policy) needs is some sort of user shared easylist so we do not have to be constantly defining rules our entire life, collectively we can improve our experience.

  17. Alhaitham
    February 11, 2014

    never disabled or uninstalled NoScript since installing it. that shows how good it is


    if you want to run scripts of a site on one site only

    1- go to NoScrript options, Advanced, ABE, User

    add this

    Site .site1.com
    Accept from .site2.com

    2- add site1 and site2 to the NoScrript whitelist

    this will allow scripts from site1.com to run only on site2.com

    note that site1 can be the same as site2. this can be useful for example if you want youtube scripts to run only on youtube not on any other site

    more here


  18. Sila Mahmud
    February 11, 2014

    Great tutorials. Simple and straightforward. I’ve been looking for something like this for a while. Many thanks!

  19. Glenn
    February 11, 2014

    NoScript is effective. However, it becomes a bit of nuisance when it prevents every site from running and you don’t know exactly what you are blocking. It doesn’t seem to identify `bad scripts’, which would be helpful for my blog, as it keeps jumping around while browsing through it. If I knew what was causing my blog to be so unstable then i could remove the scripts that cause it. Another major cause of instability throughout Firefox is Adobe Flash Player. Firefox consistently refuse to address this ongoing issue and will not admit that Adobe Flash is just not compatible with it, no matter which version you have.

  20. rickxs
    February 11, 2014

    I tried it over 3-4 times & its a hassle for the average punter ,good in principle, but i can get by without it

  21. Jack
    February 12, 2014

    A NoScript-like extension for Chrome is ScriptSafe. It’s not as easy to use as NoScript, but it’s better than nothing for Chrome javascript blocking.

    • Jack
      February 12, 2014

      Oops…I should have done a text search for Chrome on this page before I commented. You already wrote an article on ScriptNo (now ScriptSafe) and linked it on this page.

      Thanks for all the great informative articles.

  22. Martin
    February 12, 2014

    I use NoScript, but it’s an excellent review.


  23. Al Gee
    February 12, 2014

    More and more websites seem to be using more and more scripts. Which to me makes dealing with NoScript an ever increasing hassle. But fear is a great motivator so I run NoScript. I routinely forbid doubleclick and scripts that have “Google” or anything that sounds like an advertising in their name (i.e. “ad” in their name) on the theory that they’re tracking where I go. But since I don’t understand most of this stuff I don’t have a clue if what I’m doing makes any sense. As helpful and insightful as this NoScript Guide is I still don’t have the picture. I may be blocking harmless stuff and letting through the bad stuff. If a site doesn’t work unless I allow scripts how do I know which script(s) make the site work and which ones may be bad?

    Since I run Firefox in Sandboxie I wonder if it’s really necessary to put up with the hassle of NoScript. As I understand it once I empty the sandbox any tracking cookies or other bad stuff that may be put on my computer will be wiped away. I’m not sure that I even want to know if I’m wrong about that. False security is comforting (for a while).

  24. Peter888
    February 12, 2014

    By the way, Martin, do you prefer your site

    to be whitelisted or don’t you care ?

    • Martin Brinkmann
      February 12, 2014

      It is a personal decision. The ads keep the site alive, but we now also have the membership going that gets rid of the ads and allows you to support the site without being exposed to them.

      If you ask me, I’d like the site to be whitelisted as this is what keeps it going, but if you do not like the ads, then don’t, or become a member instead and donate any amount you want.

Leave a Reply




Back to top
mobile desktop