How to use NoScript efficiently

Martin Brinkmann
Nov 29, 2014
Updated • Nov 29, 2014

Whenever I speak to someone who used NoScript for a day or two I'm told that the add-on is complicated and a nuisance.

NoScript, for those of you who do not know it, is an add-on for the Firefox web browser whose main feature is the blocking of scripts running on web pages you visit in the browser.

This includes advertisements, tracking, social media, many media embeds, other third-party scripts such as Disqus, and also first-party scripts required for functionality on the website itself.

The main issue that new users have with NoScript is that it can render websites inoperable. Elements such as video or audio playback may not work, comments may not show up or images may not be displayed.

Depending on where you go on the Internet, you may experience this a lot or not at all. Facebook, for example, does not work if you don't allow the facebook.com domain in NoScript, while you should not have any issues browsing ghacks.net without whitelisting anything.

Tips for new users

You need to understand that it takes time to get accustomed to NoScript and how it works. You will encounter websites and pages that won't work properly at first and it may seem a daunting task to whitelist them temporarily or permanently.

It gets better over time though. An added benefit is that you understand domain relations better as well. You identify ad serving domains quickly for example but also third-party services that many sites use for functionality.

  1. If a site does not load properly while NoScript is enabled, look at the list of domains that try to run scripts. It often helps to allow the first-party domain and many sites will work with it enabled. You can identify it easily as it has the same domain name as the site you are on. It is also listed first by NoScript so that you can find it easily. A left-click on the NoScript icon adds it to the whitelist temporarily.
  2. If that is not enough, search for additional first-party related domain names. You may want to look for cdn.name entries for example or domain names that sound similar to the one you are on. Sometimes you need to know more about the company running the site. To use the example above again, AOL owns the Huffington Post which makes aolcdn.com a high-profile target for enabling missing functionality on the site. There you also find huffpost.com which is another domain.
  3. Other domains identify as ads or tracking services almost immediately. There is adtech, scorecardresearch, advertising, quantserve or adsonar for example. There are only a few sites on the Internet that force you to enable these for functionality.
  4. Social Media sites are also easily identifiable: Twitter, Google or Facebook for example can be spotted easily.
  5. You can middle-click on any domain listed there to display links to security tools such as Web of Trust, Safe Browsing, McAfee Site Advisor and others.
  6. If you are not certain about a domain, do some research on it, especially if you encounter it regularly. Tacoda.net for instance does not ring a bell, but a quick search on the Internet reveals that it has been a tracking company that AOL acquired.
  7. The information that you gather can be useful later on when you encounter domains you have researched on other sites.
  8. If you trust a domain, you can whitelist it permanently. For example, if you operate your own website you can add it to the whitelist so that you don't have to whitelist it temporarily anymore whenever you visit it.
  9. Temporary whitelisting comes into play sometimes. It is useful if you want to allow a domain for the current session but not permanently. I use it sometimes to find out which domains are required for a site's functionality and which are not.
  10. If you cannot figure it out or don't want to whitelist domains, try a different browser. Run a portable Chromium or Opera version for example and open these edge-case sites in those browsers instead, preferably in a sandbox as well (use Sandboxie for that, for example).
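
The triage order from steps 1 to 4 and 6, written out as an added example (not code from the article or from NoScript). The short public-suffix set, the "shared prefix of four letters" similarity heuristic, the function names and the sample script URLs are assumptions made for illustration; the ad and social names are the ones listed in the tips above.

```javascript
// Assumption: a real tool would consult the full Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.nz"]);
// Names from step 3 (ads/tracking) and step 4 (social media) of the list above.
const AD_TRACKING_HINTS = ["adtech", "scorecardresearch", "advertising", "quantserve", "adsonar"];
const SOCIAL_NAMES = ["twitter", "google", "facebook"];

// Reduce a hostname to the domain NoScript-style lists are usually read by.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function commonPrefixLength(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// ownerDomains: domains you have researched and tied to the site's owner (step 2).
function classify(pageDomain, scriptDomain, ownerDomains) {
  if (scriptDomain === pageDomain) return "first-party";            // step 1
  const pageName = pageDomain.split(".")[0];
  const name = scriptDomain.split(".")[0];
  if (AD_TRACKING_HINTS.some((h) => name.includes(h))) return "ads-or-tracking"; // step 3
  if (SOCIAL_NAMES.includes(name)) return "social";                 // step 4
  // Step 2: CDN-style or similar-sounding names are candidates to verify,
  // not domains to allow blindly (the heuristic is an assumption).
  if (ownerDomains.includes(scriptDomain) || name.includes("cdn") ||
      commonPrefixLength(pageName, name) >= 4) return "possibly-related";
  return "research";                                                // step 6
}

// Group the script origins of one page into the buckets above, in the order seen.
function triage(pageUrl, scriptUrls, ownerDomains = []) {
  const pageDomain = registrableDomain(new URL(pageUrl).hostname);
  const groups = {
    "first-party": [], "possibly-related": [], "ads-or-tracking": [],
    "social": [], "research": [],
  };
  for (const url of scriptUrls) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip unparsable entries
    if (!host) continue;                                       // data: URLs and the like
    const domain = registrableDomain(host);
    const bucket = groups[classify(pageDomain, domain, ownerDomains)];
    if (!bucket.includes(domain)) bucket.push(domain);
  }
  return groups;
}

// Constructed sample: hostnames and paths are made up around the domains the article names.
const SAMPLE_PAGE = "https://www.huffingtonpost.com/";
const SAMPLE_SCRIPTS = [
  "https://www.huffingtonpost.com/a.js",
  "https://s.huffpost.com/b.js",
  "https://o.aolcdn.com/c.js",
  "https://b.scorecardresearch.com/d.js",
  "https://edge.quantserve.com/e.js",
  "https://platform.twitter.com/f.js",
  "https://connect.facebook.net/g.js",
  "https://an.tacoda.net/h.js",
  "not a url",
];

console.log(triage(SAMPLE_PAGE, SAMPLE_SCRIPTS, ["aolcdn.com"]));
```

Only the "first-party" bucket is a candidate for a quick temporary allow; everything in "possibly-related" and "research" still needs the lookup described in steps 5 and 6.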

Now You: Feel free to share your NoScript tips and comments below.


Comments

  1. elsalvador said on December 2, 2016 at 3:27 pm
    Reply

    Henk van Setten – that’s because you’re more than likely a total fuckin’ plank!

  2. Timo said on October 4, 2015 at 8:57 am
    Reply

    Been using NoScript for many many years. It is NOT a difficult tool. I too started from Forbid everything and then, in case the site is not functioning, I take a moment to think: Do I really need this site? Is this site worth so much that I want to Allow it? Is this site a possible source of trouble? Does it have a large bunch of 3rd party script-links? (if has, it is a strong negative). This has resulted me not to use a couple of Web-shops, and some sites here and there, but not many, I have 2536 sites on my WhiteList.

    So, I Forbid all, then in case a site that I really need/want to use is not working properly without scripts I allow it, after a moment of thinking. Very easy. And very safe.

    The ABE section in NoScript adds plenty to the power of NoScript, but it does require a little bit of learning. I used the ABE from the start but during the four first years I only had two rules there that I copied from the NoScript site. Only after that I took a closer look into ABE and found out that it is not too difficult. And that it certainly is worth the work. I now block most of the web-bugs, from Google, Facebook, Twitter and such. For example the Like-button of Facebook is a web-bug, every time a page shows that button (the user needs not to press it) a lot of info goes to Facebook. Same is true with the Tweet-button and G+-button and many more. I get scriptless Google search return pages (scripts from the Google search return page is one of the most common ways to get a virus) and in the traditional format. And much much more.

    It happens sometimes (very very rarely) that I need to get a site Allowed and it seems to be difficult because in addition of NoScript I have a couple of other Firefox add-ons (they are also for security) and at the OS level I have the OutpostPro firewall. So, sometimes there is quite a lot of work first to find out why the site does not work properly and then how to get it allowed in such way that the overall security is not degraded. Usually the NoScript is the easiest solution to the latter.

  3. Harry said on September 1, 2015 at 8:16 am
    Reply

    I’ve tried NoScript on and off for years. It simply breaks too many sites.

    I also ditched Adblock Plus.

    Right now I run uBlock Orig and DISCONNECT.

    The result, in my opinion, I have noticed that Firefox is much faster on all sites.

  4. PJ said on June 19, 2015 at 1:40 am
    Reply

    “With NoScript you can also get rid of https everywhere, since noscript can enforce https.
    At least, I don’t need https everywhere anymore.”

    I tried this feature of NoScript recently. It is possible but it is clumsy and annoying. As I understand it, https everywhere automatically displays https when it is available and http when it is not. NoScript on the other hand requires you to manually figure out if https is available from the site, and if so, to enter the site in a whitelist. Anyway, bottom line, NoScript is far from being a good alternate to https everywhere.

  5. bob said on January 15, 2015 at 6:21 am
    Reply

    The main reason I no longer use NoScript is that once you install it for the first time it takes BLOODY AGES to configure the damn thing for all of the sites you visit frequently and then another eon to configure for sites you visit semi-often.

    Sorry, the setup time for the damn thing is just way too much for me to even care about anymore. I use AdBlock, Do Not Track Me (now known as Blur), and Ghostery and let them handle all of the dirty work for me.

    1. Earl said on February 20, 2015 at 12:39 am
      Reply

      How often do you install it for the first time? It seems an oxymoron to say more than once. ;) But, really, I install it “new” maybe dozens of times a year (used to be hundreds of times)–I do a lot of testing on various releases of Firefox (though much less now than I used to). I just install it and go on about normal usage; initial setup takes 30 seconds or less. As I hit the various sites that require it, I click-click-click through the lists and I’m done–takes no time at all. I just don’t worry about trying to organize some migration path from one older install to a newer one. The little time I spend more than makes up for the time saved/not wasted because of NoScript “cleaning up” sites for me (to remove annoyances that just slow you and your browsing traffic down).

  6. alfie said on December 5, 2014 at 4:47 pm
    Reply

    whitelisting sites with noscript as far as i understand it means you trust that site (and its scripts) permanently, which i think is a total security risk, it only takes a server to be hacked and then you have instantly gained a way to propagate a bot to “trusting” victims? maybe i am just super paranoid but i only use noscript with two icons placed in menu, one to temporarily allow top level , the other to reject all temporarily allowed, when i am finished viewing the page i reject all,clean history and run ccleaner after to be sure. always untick allow global scripts , clearclick off, and allow/disallow permanent scripts ..seems to keep me clear of probs so far !

  7. greg said on November 30, 2014 at 10:25 pm
    Reply

    @pants do you have any proof that after unchecking of ghostrank and autoupdate in Ghostery option it “calls home ” or sells personal data/spies in some way ? If only general suspicion that such tool can do it(knows sites you opened) -so we may suspect every adblock or peerblock/hostsman….
    Does ultimate list includes also social list ? Having this list Ghostery is redundant = true or not ?
    Is RP Continued indeed so much better -that one should switch to it from regular RP -no problems with import rules/lists from RP?
    Folks who prefer Policeman to NS+Request Policy should look for uMatrix.crx for chromium browsers .
    Also I find old RIP addon still better than Element Hiding Helper.

    1. Pants said on December 1, 2014 at 1:34 pm
      Reply

      I never said anything about Ghostery spying (I said privacy concerns)… I thought I read it on here about Ghostery monetizing user’s activity .. anyway .. a quick google search

      http://lifehacker.com/ad-blocking-extension-ghostery-actually-sells-data-to-a-514417864

      “Ghostery is owned by Evidon, a company that collects and provides data to advertising companies. It has a feature called GhostRank that you can check to “support” them. The problem is, Ghostery blocks sites from gathering personal information on you—but Ghostrank will take note the ads you encounter and which ones you block, and sends that information back to advertisers so they can better formulate their ads to avoid being blocked. The data is anonymous, and Ghostery still does everything it promises to do to protect your privacy.”

      At the end of the day, for me Ghostery and DoNotTrackMe (Blur) were “limited” lists and essentially never took any action due to other OS methods and browser extensions. When I say “limited”, I mean they are based on lists, and do not necessarily look at everything. And again, I want full control, client side only.

      As for tracking what information is sent .. use WireShark, or Fiddler, or any number of tools (eg firefox extension foxmeter) and filter. Mission creep in any extension is a worry (eg FVD Speed Dial wants to call home to googleplus to get fav icons, for every single dial when you load its tab .. goodness only knows what is being aggregated there – I actually block it using .. FVD Speed Dial’s block list – I don’t even want icons on my speed dials).

      No idea what you’re talking about re some “Ultimate List”. End of the day I prefer to see everything listed (eg requestpolicy or policeman or noscript and set my own rules)

  8. Peter CM said on November 30, 2014 at 9:12 pm
    Reply

    I’ve used NoScript for years and — to my knowledge — haven’t suffered a single exploit in that time. The only thing my antimalware scanners ever come up with are a few false positives (hacker-ish utilities from Sysinternals and NirSoft). I’ve had a chance to compare results with a friend and a family member who use the same OS and close to the same browser and security set-up as me (W7, Firefox/Pale Moon, Adblock Plus, HTTPS Everywhere, Privacy Badger, Avast, Malwarebytes, EMET, etc.) but who don’t use NoScript because it’s “too much of a hassle.” The differences are dramatic. Within the past few months alone, both have suffered browser-mediated infections that required a couple of hours of post-infection cleanup work in one case and a complete OS reinstall in the other.

    Yes, there is a learning curve, and yes, there is an even steeper “training curve,” but even just in terms of “net hassle” (factoring in the hassle of repairing exploits but ignoring privacy costs), I still think it’s worthwhile. My biggest gripes are (1) dealing with sites that want to run scripts from a huge number of different domains, and (2) how difficult it is to evaluate the trustworthiness of third-party domains, notwithstanding the tools NoScript links you to when you shift-left-click on a domain in its dropdown list.

    I think someone (the author?) already pointed out that it’s possible to configure NoScript to temporarily allow all first-party domains by default. For hassle-averse users, this cuts down pretty dramatically on how much configuring they have to do to get most sites to work, and it’s reasonably safe so long as they stick to (presumably safe) mainstream sites. And of course, if you run into a mainstream site that just won’t work no matter what you do, you fire up Internet Explorer or Chrome and cross your fingers. And hey, sometimes it’s not a NoScript issue.

    PS: Is it just me, or is uBlock (discussed above) in fact a Chrome/Chromium extension that is not available for Firefox?

    1. Ray said on November 30, 2014 at 11:42 pm
      Reply

      uBlock is Chromium-only.

      I hope a Firefox dev uses gorhill’s algorithm to create a version of uBlock for Firefox in the near future.

      In the meantime, you could use Bluhell Firewall, which is kind of a mini-version of Adblock Plus + Easylist, but only uses 7 regex blocking rules instead of the 100s of rules in Easylist.

  9. Hy said on November 30, 2014 at 10:39 am
    Reply

    For Pants, above:

    I noticed that DoNotTrackMe had become “Blur” recently. Can you say more specifically why you dumped them for privacy reasons? I hadn’t read anything about that yet… Thanks!

    1. Pants said on November 30, 2014 at 12:20 pm
      Reply

      https://addons.mozilla.org/en-US/firefox/addon/donottrackplus/

      ^^ Read the reviews. Go back a dozen or more reviews since they became blur

      Honestly, I do not think DoNotTrack ever did anything on my machine, because after Privoxy, RequestPolicy, AdBlock Plus, NoScript, Ghostery (when I had it) and others … I don’t think it did jack sh*t. HOWEVER, I suddenly found myself unable to connect thru Privoxy after they became Blur (took me an hour of troubleshooting to work out who the culprit was). Whatever they did, they screwed up using proxies. Once on their addon page, reading the reviews .. I just decided to ditch them. I never used their masking anyway – but now its all about paid models, and you can bet they track you. I’d rather have all control client side.

      1. Pants said on November 30, 2014 at 5:47 pm
        Reply

        Privacy issues as in I do not want a third party to monitor my email or credit card inputs, I do not wish to be pushed to change settings online and have my data in the cloud, I do not want syncing, I do not want to be assaulted with reminders for premium services yada yada yada (not that I ever used it anyway or saw any of that stuff). I want client side .. not cloud. When they first merged MaskMe with DoNotTrackMe, the field notifications were annoying, and were killed forthwith once and forever. Settings/options took you to an online web page. The last change to blur killed proxies, and had a lot of bugs for people. Purely on the cloud issues, I dropped them like a hot potato.

        https://abine.com/legal.html – privacy policy and to get to that I had to search their site via google – couldn’t actually find it via their website, which, btw, is rather pushy on signing up I must say.

        Privacy reason #1: they will (and do) SHARE data with third parties (and then who knows what those parties may do with it).
        Privacy reason #2: they will give up your info if compelled by law.
        Privacy reason #3: they can and will change their terms & conditions any time they want to.

      2. Hy said on November 30, 2014 at 4:27 pm
        Reply

        Thanks for the reply! I hadn’t read the reviews and didn’t know how unhappy some users were with the new version of the add-on. I haven’t noticed much or any difference and haven’t experienced any problems. I didn’t see anything about privacy issues–I mean, not like Ghostery’s tracking users and selling their information, etc.–so I’ll keep using it unless/until I hear otherwise. It’s curious how Blur seems to be causing some users problems and others, like me, nothing at all.
        Thanks again!

  10. Gonzo said on November 30, 2014 at 6:13 am
    Reply

    NoScript requires you to micromanage an ever changing internet. I used it for nearly a year (5-6 years ago). It was interesting to learn its capabilities and it’s truly awesome but it’s just too much constant work.

    Adblock with EasyPrivacy + EasyList takes care of most of the issues users have with adverts and privacy. Add Fanboy’s Social list if you don’t use FB, Twitter etc. Clean and simple and requires little or no interaction (you could add it to grandma’s computer and know she won’t be calling you for help next week)

    If security is your concern then you should rethink your permissions first. Running as an Admin is a bad idea.

  11. Blue said on November 30, 2014 at 6:02 am
    Reply

    Besides the complications with NoScript there are some sites which use a specific script for spam purposes, but another site uses that same if not similar script for usefulness. Once we block that script for one site, it basically stops the 2nd site from working properly. Go find another site you say… it’s not that simple. The spam script I was blocking was a domain off a Yahoo news site. But that same script is used for my online banking login … so either block the script on site A to not get spammed silly and no access to site B online banking or allow spam bots only so I can do banking.

    Much simpler to use uBlock + Ghostery and with uBlock I can still block out individual page elements. In ABP, I had to install a 2nd add-on to get that function.

    1. gorhill said on November 30, 2014 at 1:06 pm
      Reply

      I just want to add, if ever a user still want the ability to block scripts, uBlock contains a mini-script blocker which works on a “inline scripts” / “1st-party scripts” / “3rd-party scripts” basis. It helps cut a lot of bloat[1] without having to use a more complicated script blocker.

      [1] https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Benefits-of-blocking-3rd-party-script-and-iframe-tags

  12. tuna said on November 30, 2014 at 4:25 am
    Reply

    Another useful, informative write-up, Martin. I hope potential users will take the disagreement & alternate suggestion comments with a grain of salt. I find NoScript enables me to learn more about the sites I visit & what is happening behind the curtain.

    My tip for new users, view and edit the default white-list, some may prefer to keep the default whitelist players out of their life. Not missing keystrokes and my browser freezing while *search engine* loads their agenda is a nice feature, IMO. Another is the much improved page load times while NOT waiting for 7 or 8 adservers to connect/load everywhere else. Pregnant pauses, CPU usage, battery drain all go down noticeably, and what is even more noticeable, is how annoying the internet has become without NoScript.
    Of course, YMMV.

  13. Aram said on November 29, 2014 at 11:19 pm
    Reply

    Is there a solution to this I-frame problem?

    Since I-frames could potentially be harmful, I would like to block them all.
    I use NoScript with “Forbid IFRAME” and “Apply these restrictions to whitelisted sites too”.
    When I visit “majorgeeks.com” with Adblock Edge on and download something I get a “lecture” (on the download page) that I am “blocking their Awesome ads”. (I have to allow “majorgeeks.com” or else I can’t download at all.)
    Majorgeeks detects the use of NoScript, loads another script (http://dev.majorgeeks.com/b/advertisement.js) and presents this “lecture” in an I-frame.
    I can easily block this particular I-frame with Adblock’s element blocking but I would like to block this I-frame “trick” on any site.
    Would be grateful for any help.

    1. Tom Hawack said on November 30, 2014 at 12:07 am
      Reply

      If Adblock can block something on one site it can block it on any site/all sites.
      If you are using Element Hiding Helper for Adblock Plus (works with Adblock Edge as well) just select Any Domain on the Element Hiding Helper‘s pop-up window at top-left.
      If not, simply remove the domain’s name on the left of the custom rule you’ve created.

      I have no issue on MajorGeeks with Adblock Edge alone (No NoScript). Things may get complicated when using simultaneously two tools which operate on common grounds with occasionally possible conflicts. They can be complementary but in some circumstances (like yours, maybe) the user may have to dig the story to be sure one is not conflicting with the other.

      1. Tom Hawack said on November 30, 2014 at 10:49 am
        Reply

        Aram, now that I think about it I do recall majorgeeks notifying me at one time of the fact I was blocking ads. This notification disappeared since. May very well be related to new Adblock filters list(s).

        The filters used in Adblock may make the difference. I’ve checked my imported filters’ list and searched for those including majorgeeks.com and found several within the :

        Fanboy Ultimate List (This includes Easylist, Easyprivacy, Enhanced Trackers List and Annoyances List)
        https://www.fanboy.co.nz/filters.html

        This list is really very efficient. Hope that helps.

        EDIT : Is it not possible to block an i-frame with a filter of the sort ##IFRAME[src*="amazonaws.com"], which is one of those I use?

      2. Aram said on November 30, 2014 at 2:13 am
        Reply

        Thank you kindly for your prompt response, Tom.

        However,
        1) In this case there are no apparent conflicts between NoScript and AdBlock. Everything works in fact as expected.
        2) If you have never seen the message “Hey. You are blocking are Awesome ads.” then one’s Adblocker is not really working is it?
        3) I am used to writing custom filters for Adblock and as a standard procedure I strip off the domain’s name so I can use a site through a proxy with the custom filters still working.
        4) The whole problem is that Adblock does not allow wildcards for element hiding. Take a look at “Writing Adblock Plus filters” (https://adblockplus.org/en/filters#elemhide_attributes).
        5) The only thing that may work is a GreaseMonkey script.

  14. EuroScept1C said on November 29, 2014 at 9:44 pm
    Reply

    Ad Block Plus with 3 lists. Easylist, Easyprivacy and Social Blocking list. With all these you never experience a single problem and I truthfully don’t see the reason to install NoScript. Everything is being done easily and mostly automatically.

    With ABP you also block only the truly essentials and no useful stuff that can cause problems.

    1. Doc said on December 1, 2014 at 12:12 am
      Reply

      The problem with relying on AdBlock (Plus, Edge, Light…) is that you’re explicitly trusting scripts on the site itself, i.e. first-party scripts. Since I got hit with a “drive-by download” of a fake antivirus a few years ago on XP (“Your computer has been locked!” whenever I tried to open ANY file, whether a document or executable), I installed NoScript and block *any* new domain I visit **until and unless** I decide to trust it. Ad-blockers won’t do that unless the site is already in its blocklist.

    2. Blue said on November 30, 2014 at 5:56 am
      Reply

      ABP is a memory hog and often slows down the loading of any page especially custom off-site home pages like FVD Speed Dial with 100+ dials as I do. I switched to uBlock which does the exact same thing as ABP with a smaller footprint thus faster overall.

  15. ziehman said on November 29, 2014 at 6:03 pm
    Reply

    Easiest way to use NoScript is with two of its icons –> ‘Temporarily Allow All This Page’ &
    ‘Revoke Temporary Permissions’

    I primarily use an older version of Firefox with NoScript set to block all scripts; this works fine for surfing most websites (I surf new sites a lot), with no effort involved.
    But some sites obviously don’t load/display properly or at all — a quick click on NoScript’s “Temporarily Allow” usually solves the problem immediately, though a second click is sometimes required for secondary domains arising after the first click.
    When done with that site, another single click revokes all those permissions.

    Very easy to get used to… and you get to know which sites you frequent require javascript (temporarily). I don’t bother with whitelists and sleuthing thru domains — too much hassle.
    I don’t need/use ABE — and don’t like how ABE instantly connects to Europe by merely opening a browser to a blank page.

  16. MaDel said on November 29, 2014 at 2:30 pm
    Reply

    Major advantage of NoScript: A.B.E.
    You can use A.B.E. as a mere site blocker with something like this:
    Site ^[A-Za-z-]+://(?:[^:/]+\.)?badsite\.[^\.]+[^0-9A-Za-z_\.%-]
    Deny
    But you can also use it for fine tuning cross domains requests: Allow, Sandbox, Anonymize, Deny.
    https://noscript.net/abe/abe_rules.pdf
    Learning how to really use A.B.E. requires time, but the results are great.

    Also, NoScript gives you scripts surrogates. Are you really happy of running in almost every sites you visit that damn ajax.googleapis, quite always downloaded from google domains? Of course, you can strip referrer, but big G anyway can collect your browser string, your IP and many other stuff, since you don’t block scripts.
    Or maybe typekit (Adobe), or google-analytics?
    I’m not.
    You can try Local Load (https://addons.mozilla.org/it/firefox/addon/local-load/?src=search)… Oh wait, Local Load maybe is good, but strongly need updates…
    With NoScript you can also get rid of https everywhere, since noscript can enforce https.
    At least, I don’t need https everywhere anymore.

    And so on, so on (clickjacking, iframes, frames, font-face, media, objects…).

    Using A.B.E. for fine tuning, I made the dirty “just block” works with Silent Block: https://addons.mozilla.org/it/firefox/addon/silentblock/
    If you know regex, you can insert wildcards of course (once again, like A.B.E.), but it supports also simple entries like (just an example):
    badsite.com

    About Request Policy: it’s great, but I suggest to switch to Request Policy Continued, which is lighter, had a better interface and better support for wildcards.

    Finally, english is not my native language, so I hope this post does not seem aggressive to anybody: if is that the case, I do apologize, because this was not absolutely my intention.
    Have a nice day.
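
A coverage check for the `Site` pattern quoted in the comment above, as an added example that is not part of the comment or of NoScript. It assumes the rule engine tests the expression against the absolute request URL the way JavaScript's `RegExp.test` does; the test URLs are constructed around the comment's `badsite` placeholder, and the function names are hypothetical.

```javascript
// Pattern copied verbatim from the Site line of the rule in the comment.
const SITE_PATTERN = new RegExp(
  String.raw`^[A-Za-z-]+://(?:[^:/]+\.)?badsite\.[^\.]+[^0-9A-Za-z_\.%-]`
);

// Assumption: the pattern is applied to the full request URL string.
function matchesRule(requestUrl) {
  return SITE_PATTERN.test(requestUrl);
}

// Browsers serialize http(s) URLs with at least "/" as the path, so a URL
// typed without a trailing slash is checked in its normalized form here.
function matchesAfterNormalizing(typedUrl) {
  return matchesRule(new URL(typedUrl).href);
}

// Constructed cases: [url, what the case probes].
const CASES = [
  ["http://badsite.com/", "bare domain"],
  ["https://www.badsite.net/page.html", "subdomain, other TLD, other scheme"],
  ["http://badsite.com:8080/", "explicit port"],
  ["http://badsite.com", "string without the trailing slash"],
  ["http://badsite.co.uk/", "two-label suffix: [^\\.]+ cannot cross the dot"],
  ["http://notbadsite.com/", "different domain that merely ends in the name"],
  ["http://example.org/?next=http://badsite.com/", "name only inside a query string"],
];

// Returns one row per case; 'denied' is true when the Deny rule would apply.
function coverage() {
  return CASES.map(([url, probe]) => ({ url, probe, denied: matchesRule(url) }));
}

console.table(coverage());
```

The rows that come back `false` for `badsite.co.uk` show that a rule of this shape needs a second `Site` entry (or a broader pattern) for domains under multi-label suffixes.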

    1. Antonio said on November 30, 2014 at 12:46 pm
      Reply

      You write:
      Also, NoScript gives you scripts surrogates. […] You can try Local Load
      I do not understand if these statements are related. Are you saying that NoScript offers local version of google js libraries?
      Can you clarify please? Thank you.

      1. MaDel said on November 30, 2014 at 4:57 pm
        Reply

        Hi Antonio
        Unfortunately no, sorry maybe my words were a little ambiguous.
        Noscript comes with some surrogate, the most famous is probably the google-analytics surrogate, but not ajax.
        What I have done, is to download the ajax libraries which are interesting for me to keep function of sites I visit usually, and set up a surrogate.
        I have learned how to by lurking on the noscript forum:
        https://forums.informaction.com/viewtopic.php?f=10&t=19598&sid=f5cf8394752fb8982fc7109ba9cd40b9

        In the replacement you can either put an address pointing to a local file, like in the example they give, or the entire (huge) library, verbatim.
        Since I’m a little sloppy I have sometimes taken this second way: this is not particularly clever, I admit… :)
        But I don’t need a surrogate for all the ajax libraries, so I don’t have problems of memory consumption, lagging or anything else.

        Of course, maybe my needs are not really extensive (since I don’t work with computers), but having put ajax.googleapis.com in my hosts file, I have still managed to keep most of the sites I visit still working.
        I had to make only a few sacrifices. As others in this thread have said rightly and better than me, it is a personal matter if and how much this may be acceptable.

        @ privacy addict
        Thank you.
        Probably we are in a very similar situation: a continuous learning. :)

    2. privacy addict said on November 30, 2014 at 8:46 am
      Reply

      Are we really having these conversations? I’m so sick of having to worry about circumventing some tracker, analytics, advertiser and what have you….. as well as wondering/worried about: if my connection is secure, security on sites themselves and how they are storing my info or how good my passwords are etc. It never ever, ever, ends. I’m tired of the Internet and really wish on some days it did not exist. I want to throw the computer out the window, off a cliff – whatever. No one ever says that. Does anyone ever secretly long for the old days when the Internet just wasn’t that big of a deal – or rather I should say when it didn’t rule our lives? Probably not. lol. I’ve been thinking this forever. It takes a lot of courage to say this on ghacks! I’m not a techie person by nature and all this self-learning really is tiresome, but it is so darn rewarding when you finally “get” something. So I keep learning even though I wish things didn’t have to be this way. I had a light bulb moment the other day and understand how crypto/public/private keys/digital sigs work. That stuff was confusing for so long! AND I’m watching a Moxie Marlinspike talk from an old DEFCON & understood/laughed at the jokes he cracked!!! Couldn’t have done that even 3 months ago. I like the challenge of NoScript, would never be without it and love the concept of the surrogates (I dig pulling a fast one on GA). MaDel, I don’t think your comment was aggressive at all and very helpful. Thank you!

    3. Tom Hawack said on November 29, 2014 at 3:27 pm
      Reply

      “You can use A.B.E. as a mere site blocker with something like this:
      Site ^[A-Za-z-]+://(?:[^:/]+\.)?badsite\.[^\.]+[^0-9A-Za-z_\.%-]
      Deny”

      You are pointing out the very obstacle to many users when using NoScript or some of its “best features” (tailored for experts) : they (we) are not born with code in the brains :)
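What the quoted Site pattern does and does not match, piece by piece, as an added example that is not part of the comments above or of NoScript itself. It assumes the pattern is tested against the full request URL; the URLs are constructed.

```python
import re

# The quoted Site pattern, split into its pieces with a plain-English reading.
PIECES = [
    (r"^[A-Za-z-]+://", "a scheme such as http:// at the very start"),
    (r"(?:[^:/]+\.)?", "optionally, any subdomain prefix ending in a dot"),
    (r"badsite\.", "the literal label 'badsite' followed by a dot"),
    (r"[^\.]+", "one or more non-dot characters (meant as the top-level domain)"),
    (r"[^0-9A-Za-z_\.%-]", "one character that cannot be in a hostname, e.g. / or :"),
]
SITE_PATTERN = "".join(piece for piece, _ in PIECES)


def rule_applies(url):
    """True when the Deny rule's Site pattern matches this URL."""
    return re.search(SITE_PATTERN, url) is not None


def first_failing_piece(url):
    """None when the whole pattern matches, else the reading of the first
    piece that cannot be satisfied."""
    for i in range(1, len(PIECES) + 1):
        prefix = "".join(piece for piece, _ in PIECES[:i])
        if re.search(prefix, url) is None:
            return PIECES[i - 1][1]
    return None


# Constructed test URLs; 'badsite' is the placeholder name from the quoted rule.
CASES = [
    "http://badsite.com/",                       # bare domain
    "https://www.badsite.com/page",              # any subdomain
    "http://badsite.com:8080/",                  # explicit port
    "http://notbadsite.com/",                    # different label, not blocked
    "http://example.com/?u=http://badsite.com/", # name only in the query string
    "http://badsite.co.uk/",                     # two-label suffix is NOT covered
    "http://badsite.com",                        # no character after the TLD
]

if __name__ == "__main__":
    for url in CASES:
        reason = first_failing_piece(url)
        verdict = "DENY " if reason is None else "allow"
        print(f"{verdict} {url}" + (f"   <- needs {reason}" if reason else ""))
```

The last two cases show the limits of the pattern: it expects a single-label suffix after `badsite.`, and it needs one more character (such as `/`) after that suffix.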

  17. Henk van Setten said on November 29, 2014 at 1:55 pm

    I think configuring NoScript is only worth the trouble if you always visit just the same set of sites while rarely browsing to something new. But if you often go to sites you’ve never seen before, then you just keep spending way too much time configuring it.

    I myself dumped NoScript and went for a really simple solution without any whitelists or blacklists: the Toggle JS extension for Firefox. It simply adds a one-click Javascript on-off switch button to the main toolbar (the button is red when JS is off, green when JS is on).

    When browsing around I normally keep Javascript off. If I happen to land on a site that doesn’t work as expected, I just click the Toggle JS button to switch Javascript on.

    1. Pants said on November 29, 2014 at 2:18 pm

      As MarkB says above about the hassle of getting a site to work and wasting 5 minutes. Well, I find I can fix that in about 30 seconds at most – I find it’s pretty intuitive/easy myself.

      But yes … building up over time a comprehensive set of rules is good. I visit about 200 or so sites on a regular basis. One off pages/sites – if it’s something I might visit again then I’ll work it out quick smart. If it’s too troublesome, then that’s what I have numerous other browsers for. I use my FF and palemoon as tight as a nun’s arse, chrome and iron slightly less restrictive, opera less again, and finally IE rather tight but of course it’s rather limited.

      I personally don’t believe just toggling JS on and off is the answer!

      1. Pants said on November 30, 2014 at 3:16 am

        Henk – absolutely. Each to their own.

        Massive set of rules – maybe for some: Mine has been built up over time and is not even that great (in my case – I hardly allow anything to run, and my list is really rather small really considering 3 years). I “research” a lot – those (tens of) thousands of pages that I have never set rules for – if some of those pages were to NOT function for me for a one off view (i.e. readable) I can usually make them work in 2 or 10 seconds IF I wanted with a temp allow of a domain, and some I just fire them open in another browser (which is less restrictive, but still has some constraints in place). That’s just me. I don’t find NoScript hard to use, understand or implement. And it takes up essentially none of my time. But that’s me – each to their own.

        My point was just toggling JS on or off is, IMO, not a real or comprehensive solution on its own (it doesn’t allow control over object types, XSS, etc) – it’s an all or nothing approach. I am talking about within the browser itself, not external measures such as hosts or router or av or peerguard etc which provide a different or additional type of block such as known malicious websites. If you have JS toggled off, too many sites break IMO, but if you have a default off but whitelist your favorite sites, then at least that is a time saver. If you’re going to have NoScript, then at least build some rules or otherwise it’s next to useless and a time waster.

        Likewise, zeihman’s suggestion (below) of “temporarily allow all of this page” to me is also not a real solution (but handy if you trust the site and it’s a one off visit).

        As Tom says below – combinations of extensions (which may or may not clash) start to muddy the waters. Eg I have “privoxy” as a local proxy. Then within FF extensions such as RequestPolicy kick in, followed by NoScript, AdBlock and previously Ghostery (dumped for privacy reasons) and DoNotTrack (now Blur dumped due to privacy reasons and they moved to a paid model) – not to mention greasemonkey and userstyles. As well as header referral manipulations. Any one of those could be causing the site to not function. For the average user, this is just way too much and they don’t care and give up.

      2. Tom Hawack said on November 29, 2014 at 5:49 pm

        I agree, Henk. Perhaps a medium approach is the best to conciliate defense and ease of discovery, that approach being at least a blacklist such as provided by a Hosts file depending on the pertinence of its sources, not to mention “address intervals” based applications such as PeerBlock, both set and forget and possibly automatically updated.

        Nevertheless it becomes quickly a habit to set on a per-site basis tools such as NoScript or Policeman as very often the same parasites regularly reappear (blacklisting them as well being a boring start but then after proportionally to that blacklist easier to manage). If I don’t use NoScript it is simply and mainly because of its extra features which require a knowledge I just don’t have. Of course one can use default NoScript settings but still, not for me when PoliceMan as well as Request Policy before appear to me much more obvious. This is personal as you’ve wisely stated yourself.

      3. Henk van Setten said on November 29, 2014 at 5:16 pm

        Everyone is fully entitled to their own preferences and habits. This would be a dull world if we were all the same. For myself, I wouldn’t like to spend even half a minute setting rules for every new site I visit. Or to maintain some massive set of site-specific rules. I prefer utter simplicity.

        You know, one of my own personal core beliefs is this: often, less is more.

        If I look at Madel’s NoScript scripting suggestion below, to me it’s the perfect illustration of the same philosophy in reverse: sometimes, more makes actually less — less usable, that is.

  18. hessam said on November 29, 2014 at 12:57 pm

    Just Policeman, forget NoScript. The developer also plans to add a HOSTS blocking method.
    https://www.ghacks.net/2014/10/19/policeman-is-a-rule-based-add-on-for-firefox-to-control-web-requests/

  19. Ex0 said on November 29, 2014 at 12:02 pm

    When I started to use NoScript, other add-ons such as Ghostery or Disconnect or Adblock (with a lot of filters) helped me to choose some scripts to untrust. After some time I removed other add-ons and now NoScript blocks almost all the junk and shows me only a few scripts to choose.
    For less pain, it’s possible to set NoScript to temporarily permit the scripts from top domain.

  20. Peter (NL) said on November 29, 2014 at 11:57 am

    @MarkB Can you describe a bit more what you mean with “a HOSTS file for ads blocking” ? How do you set this up ?

    Thanks, Peter

    1. Pants said on November 29, 2014 at 2:11 pm

      Windows has a hosts file in which you can load redirects for DNS lookups. Software like SpyWareBlaster Pro and Spybot Search & Destroy add entries in here for known malicious websites.

      The file is:
      C:\Windows\System32\drivers\etc\hosts
      It does not have an extension.
      In order to edit it you need to open it under administrative rights, and make sure to save it with no extension.

      Example of an entry in hosts file
      # Start of entries inserted by Spybot – Search & Destroy
      127.0.0.1 www.007guard.com
      127.0.0.1 007guard.com
      127.0.0.1 008i.com

      To add my own custom entries I use BlueLife Hosts Editor ( http://www.sordum.org/8266/bluelifehosts-editor-v1-2/ ) which is portable – run it as admin to use it. In my BlueLifeHosts Editor portable folder I also keep a txt file called “LIST of personal entries.txt” in which I add new entries, so when I migrate in future (or should my computer blow up), I have a record (backed up) and can copypasta them back in manually.

      Additionally, SpyBot S&D and SpywareBlaster etc will add entries to specific browsers – such as within FF or IE. Your router can also block items. WAN-wide, OS-wide levels such as hosts or peerblock or AV etc, browser-specific etc. A fine granular browser control over “non-malicious” stuff however is the aim and focus of the article – i.e, pretty sure I don’t want to block ajax.googleapis.com system wide because for me it is needed on a couple of sites. But if I whitelist it in NoScript, then it will go ahead on all sites (hence why I also use Request Policy, but as others have mentioned Policeman looks great for this fine control on a site by site basis with even better control over object types)
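The hosts-file workflow described above (block entries plus a separate backup list of personal entries), as an added example that is not part of the comment or of any of the tools it names. The sample file, the personal list and the function names are constructed for illustration; it also shows that a hosts entry covers only the exact hostname, which is why the sample lists both `007guard.com` and `www.007guard.com`.

```python
import re

# Constructed sample in the format shown above (not a real blocklist).
SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com   # trailing comments are allowed
0.0.0.0 tracker.example
127.0.0.1 http://ads.example
"""

# Constructed stand-in for a backed-up personal list, one hostname per line.
PERSONAL_LIST = "ads.example\n008i.com\nmetrics.example\n"

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0"}
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def parse_hosts(text):
    """Return (set of blocked hostnames, list of (line number, bad field))."""
    blocked, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        if address not in SINK_ADDRESSES:
            continue                          # a real mapping, not a block entry
        for name in (n.lower() for n in names):
            # A hosts field is a bare hostname: no scheme, path or port.
            (blocked.add(name) if HOSTNAME.match(name)
             else rejected.append((lineno, name)))
    return blocked, rejected


def is_blocked(host, blocked):
    """Hosts files match exact names only; there are no wildcards."""
    return host.lower().rstrip(".") in blocked


def missing_entries(personal_text, blocked):
    """Lines to append so every personal entry is present exactly once."""
    wanted = [h.strip().lower() for h in personal_text.splitlines() if h.strip()]
    return [f"127.0.0.1 {h}" for h in dict.fromkeys(wanted) if h not in blocked]


if __name__ == "__main__":
    blocked, rejected = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked))
    print("rejected:", rejected)
    print("cdn.007guard.com blocked?", is_blocked("cdn.007guard.com", blocked))
    print("to append:", missing_entries(PERSONAL_LIST, blocked))
```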

    2. Ennovy said on November 29, 2014 at 1:55 pm

      This site gives you a lot of information about hosts files and the software you can use to manage it, like hostsman
      http://winhelp2002.mvps.org/hosts.htm

      1. Bill said on December 11, 2014 at 2:21 am

        A vote for HostsMan, it takes a little bit of setting up but after that it auto updates your Hosts file. Wonderful freebie.

  21. MarkB said on November 29, 2014 at 11:19 am

    I used NoScript for many years and I have given up recently and switched to a HOSTS file for adblocking and Disconnect for anti-tracking. NoScript is just far too restrictive for the internet we have in 2014. Once you have an extensive white list things are fine until you visit a new website with heavy scripting (most new sites these days) then it can take 5 minutes to get the site into a usable fashion, only to read an article for 2 minutes and never return. Temp. white-list all you say? Well if you resort to that, why bother in the first place?

    1. Hy said on November 30, 2014 at 10:34 am

      I’ve read that even using NoScript with “Allow Scripts Globally” enabled still protects the user from some things…forgot which ones exactly…maybe “clickjacking,” etc. FWIW

      1. Ronald said on December 1, 2014 at 9:09 am

        That’s how I, too, use it. Allow Scripts Globally but with the baseline protection capability of NoScript still enabled. Also still enabled are NoScript’s “script surrogates”, which fool sites like Google Analytics, for example, into thinking that their scripts are being executed and their tracking cookies placed.

        In addition, I changed the Firefox cookie setting so that third-party cookies are accepted only when they come from sites I have directly visited before. Oh, and AdBlock Plus, of course (except for a few sites like ghacks).

        Together with keeping the system up to date with security patches, I feel safe enough.

        I tried the whitelisting rigmarole with NoScript but it was just too time-consuming so I dropped that part.

  22. none said on November 29, 2014 at 10:40 am

    btw there’s new sheriff in the town

    https://addons.mozilla.org/en-US/firefox/addon/policeman/

  23. Tom Hawack said on November 29, 2014 at 10:19 am

    Why make things complicated as NoScript when they can be both easy and more elaborated with a tool such as the Policeman add-on (for Firefox)?

    I have tested, tried several times NoScript. A pain in the neck. But I do agree on the implications of scripts nowadays, abundant on practically all sites. Also, cross-sites exist and not only to call scripts, and also when they call “honest” scripts in terms of security when not in terms of privacy. Hence, the Policeman add-on I mention may not only block scripts but a site itself, or reduce access to that site’s images, media, fonts, objects, frames and more. It is easily configurable, truly fastens page rendering and is not bloated as NoScript is. Not to mention NoScript’s including Google and other privacy objectionable domains in its default white-list (if such is still the case, I’m referring to several years ago).

    Policeman add-on is available here : https://addons.mozilla.org/en-US/firefox/addon/policeman/

    This add-on has been for me the add-on of the year. A gem.

    1. Jan said on November 29, 2014 at 1:32 pm

      Any advantage of Policeman over Request Policy ?

      1. Anonymous said on December 1, 2014 at 3:27 pm

        @Tom Hawack: you can disable these default rule sets in preferences

      2. Tom Hawack said on November 29, 2014 at 2:09 pm

        Pants wrote it. Policeman is far more elaborated but also flexible than Request Policy (which I had used for some time, which is continued under a new label long to update). With Policeman blocking can be granular as mentioned. It is still a work in progress but the developer on Github is active and reactive. Here it runs fine and as I always say it, having a look on all the cross-sites which were not required left behind is an invaluable pleasure.

        There’s one thing I forgot to mention when comparing Policeman to NoScript.
        Policeman will block (content-type or all) access to external sites as conducted by the user of course. But it will not block whatever from the site itself which has not an external source. This means that whatever the site holds concerning ads and/or scripts, frames, fonts etc. will require a classical blocker, AdBlock Plus/Edge (or another) and/or NoScript. Scripts by themselves are not the first purpose of an ad-blocker if they concern not ads, but as we all know there are many filter lists for Adblock Plus/Edge which deal with far more than basic ads only.

      3. Pants said on November 29, 2014 at 1:52 pm

        Jan: from the addon’s page : “It’s different from the former [Request Policy] in that it supports rules based on content type (for example, you can allow images and styles, but not scripts and frames ”

        This Policeman looks good .. I’m going to give it a whirl when I get time. Thanks Tom :)

  24. Pants said on November 29, 2014 at 10:10 am

    I use RequestPolicy with a default block all. Over time I have added site by site rules of origin & destination cross site scripting allowed. I mention this only because it drastically reduces the amount of info you need to deal with in NoScript. NoScript – default block all. If a site is not working/displaying (ignoring one off page loads from search results) then I usually allow the domain. If some aspects of the site don’t work, then I usually one by one allow cross site scripting through in Request Policy, and one by one allow that script to run in NoScript. For example, I need disqus to work if I want to read comments at TorrentFreak – but damned if I will let disqus load on every site. Or an even better example, I allow FB, but only on FB. (Or I could use multiple browsers etc, yeah yeah).
    Essentially I get per sites rules thru a combination of RequestPolicy and NoScript.

    Interesting. Over three years of slowly building up the whitelist (default is block everything) .. I exported my whitelist and it came to 1679 line items (scrolling through .. a few cloudfronts in there .. grrr damnit cloudfront). Not bad. I see a few I can remove but the rest can stay in case I revisit the site.

  25. jimbo said on November 29, 2014 at 10:05 am

    If a site does not load properly …
    How can you possibly tell ? Half a page could be missing and you wouldn’t know.

    1. Martin Brinkmann said on November 29, 2014 at 11:19 am

      If I can access the functionality that I need, then it is working for me.

  26. Dwight Stegall said on November 29, 2014 at 9:49 am

    Since I’m not the sharpest tool in the shed I gave up using it because I didn’t know which scripts to allow or not. Also it takes a lot of time to get it working on the sites you visit. I thought it was more trouble than it was worth.
