RequestPolicy for the Firefox web browser has been designed to put you back in control over the connections the browser makes. It works in this regard similar to the popular NoScript add-on, but with the difference that it does not prevent onsite scripts from running.

When you first install the add-on, you can add sites to the whitelist. The developer has prepared international and location specific lists.

The majority of suggestions allow connections between sites by the same company. Examples are to allow google.com connections when you are on gmail, or fbcdn.net connections when you are on Facebook. These can significantly reduce issues that users encounter after enabling the add-on in the browser. It is however not necessary to add any site combination to the whitelist.

This whitelist approach is different from NoScripts whitelisting approach, as NoScript allows connections from that domain on all websites, whereas RequestPolicy only allows them on one specific site.

RequestPolicy adds an icon to the Firefox status bar that acts as a control panel and indicator at the same time. A red flag indicates that connections have been blocked on a website. A click on the flag displays information about those connections, and options to temporarily or permanently allow those connections to be made on the current site.

The page is automatically reloaded if you allow connections to be made.

The preferences let you manage the whitelist, export or import settings, and modify the strictness of the add-on. The add-on by default uses base domains, e.g. ghacks.net to allow same-site requests. You can change that to full domain names, e.g. www.ghacks.net, or full addresses instead.

What I personally like most about RequestPolicy is the granular whitelisting which allows you to run the same scripts on some sites but not on others (for instance to show Adsense ads on Ghacks, but not on other sites). It is also less intrusive than NoScript if the whitelisting suggestions are added during setup.

Ghacks reader Jojo just mentioned that he discovered a new NoScript feature that opens a page of security and privacy related links for domains listed in the NoScript domain listing. The method, while stile requiring a few clicks to receive results, is improving this workflow significantly.

A middle-click on a domain name opens a new browser page with links to several privacy and security information.

The page links to the following security and privacy related services and databases: Web of Trust, McAfee Site Advisor, Webmaster Tips Site, Safe Browsing Diagnostic and hpHost Report.

• Web of Trust – Displays trustworthiness, vendor reliability, privacy and child safety ratings as well as user comments.
• McAfee site Advisor – Informs about download safety, online affiliations and possible annoyances.
• Webmaster Tips – Does not load currently.
• Google Safe Browsing – Displays if Google considers the site to be suspicious, if it has distributed or hosted malware, and if pages on the site contained malware during Google bot visits.
• hpHosts – Lists IP, host and server related information about the selected domain.

Direct optional integration of at least one service into the NoScript domain listing would be optimal. It would also be great if links to standard web searches would be displayed on the services page.

The ScriptNo extension adds an icon to the Chrome address bar. The icon acts as a notifier that informs the user about the number of scripts that have been blocked on the current page. The icon color indicates blocked scripts (red), temporarily allowed scripts (blue), whitelisted parent pages but blocked scripts (white) or if the extension is disabled on that particular page (grey).

A left-click on the icon displays all blocked resources, the domain name and links to options and a quick start guide.

All script elements are blocked by default. Users now have options to change the preferred action for a particular script or domain.

• Allow: Whitelists the specific domain which does not necessarily have to be the root domain. E.g. whitelist www.ghacks.net but not de.ghacks.net.
• Trust: Whitelist the entire domain and all of its subdomains
• Distrust: Adds the current domain to the blacklist.
• Temp: Depending on the default mode the domain will either be allowed for the current session (if default mode is set to block) or allowed (if default mode is set to allow).

When you change a script’s state, e.g. from blocked to allow, the page will be reloaded to take that into account. If you click on the icon again you will then see that the script is listed under Allowed Resources and no longer under blocked resources. A clear button is added to those scripts to undo the preference change.

The options of the ScriptNo extension offer customizations. Here you can set the default mode of operation (block or allow) and allow or block specific HTML elements. The latter could be interesting for users who always want to see noscript contents on the page or audio and video contents. There is even an option to block images from being loaded automatically.

The options list four additional settings to configure the extension. Privacy Settings allow the user to configure the following features:

• Block Unwanted Content: (Default: enabled; remove unwanted content from known ad / malware domains; domains gathered from MVPS HOSTS, hpHOSTS (ad / tracking servers), Peter Lowe’s HOSTS Project, MalwareDomainList.com, and DNS-BH – Malware Domain Blocklist)
• Unwanted Content Mode: (Default: Relaxed; Relaxed = whitelisted domains will not be blocked; Strict = domains in the unwanted domain list will be blocked even if whitelisted)
• Antisocial Mode: (Default: disabled; always remove social widgets/buttons, even if whitelisted)
• Remove Webbugs: (Default: enabled; remove “invisible” third-party elements)
• Block Click-Through Referrer: (Default: enabled; blocks referrer information when clicking on external links)

Behavior Settings include the following options:

• Page Link Opening Behaviour: (Default: -Unchanged-; modifies how all links are opened)
• Respect Same-Domain: (Default: disabled; preserve same-domain elements)
• Auto-Refresh Page: (Default: enabled; auto-refresh page after list change)
• Show Rating Button: (Default: enabled; if ticked, adds rating button under domains in tab popup)
• Classic Options Mode: (Default: disabled; if ticked, closes tab options everytime an option is clicked)
• Sort by Domain: (Default: enabled; sorts URL lists by domains)

The remaining settings include a whitelist and blacklist where all previously added domains are listed (with options to remove), and import and export settings.

New users should take a look at the quick start guide. The guide needs a bit of revamping considering that it uses terms that are no longer found in the extension. But that’s not a big issue.

The extension is hosted both on the Chrome Web Store and on Google Code where the source code can be downloaded and analyzed. Google Chrome users who want NoScript like protection for their web browser should definitely take a look at ScriptNo, it is awesome.

NotScripts is available for Opera 11.10 or newer. the installation process is a bit on the complicated side. Here are the instructions on how to install NotScripts correctly.

• Install the extension. You can install the latest NotScripts version right from the Opera Extensions repository.
• Close the Opera window and re-open Opera.
• Click the NotScripts button in the Opera toolbar.
  It would show you a message saying you to set User JS Storage Quota to 5000. Click the message and it will take you to the ‘User JS Storage Quota’ setting.
• Change the value of the setting from 0 to 5000.
• Click the Save button. You might need to scroll down to find the Save button.
• You may need to restart the Opera browser before the changes take effect.

Opera’s Notscript, unlike NoScript comes with three different script blocking mode. The default mode is whitelist which blocks all scripts except those that are run from whitelisted domains. Blacklist, the other option allows all scripts by default and blocks only scripts on a user maintained blacklist (much like the Firefox add-on YesScript). The last mode Whitelist + Same Origin uses the whitelist approach to block all scripts but allows scripts running on the same domain the user is on automatically.

So more choice in this regard which is really nice. When you visit a site you need to click on the NotScript icon to display the list of blocked scripts. There is no indicator that scripts where blocked which is probably the biggest usability issue. A click on the icon displays the scripts which options to allow, block or temporarily allow them individually.

If you run the blacklist mode (allow all scripts except selected ones) then you see a script listing similar to that on the screenshot above. The blue action is the current one for that script on that particular site. Just like with NoScript you can allow all scripts, globally allow all temporarily until revoked or temporarily allow the shown scripts.

NotScript seems to work considerably well. I have two big gripes with it. First the missing notification as it is a guess game if a script has been blocked or not and second that the developer has not updated the script in a while (the last update dates back to April 2011).

The extension itself works and that’s the most important aspect obviously. It is not a 100% port of NoScript but a port that brings the most important feature of the Firefox security extension to Opera. For that, it is highly recommended to be installed.

An alternative to that is the Opera NoScript Alternative BlockIt which I have reviewed in the linked article.

A side effect of this is that most advertisements and other script driven objects and elements will be blocked as well by the extension.

NoScript offers more than just script blocking and whitelisting though. It comes with additional modules to enforce HTTPS usage, Cross-Site Scripting filters, Clickjacking protection and a firewall like component that the developer calls Application Boundaries Enforcer.

The developer of NoScript has been working for quite some time on a Firefox Mobile port of the extension. The recently released NoScript 3 Alpha 9 version is the first feature-complete version of the security add-on for Firefox Mobile on Android and Maemo devices.

NoScript Mobile in particular offers the following major security features that the desktop version of the add-on offers:

• A domain based content permission management for scripts
• Anti-XSS (cross-site scripting) filtering options
• Clickjacking protection called ClearClick
• The web application firewall App Boundaries Enforcer

NoScript Mobile furthermore introduces permission presets that can be configured after installation and later on in the extension’s options.

The developer has added four different permission presets to the add-on.

• Easy Blacklist – The user picks the sites where JavaScript and plugins are blocked on
• Click to Play – Plugins are automatically blocked until activated with a click by the user
• Classic Whitelist – The standard setting on NoScript for desktop Firefox versions. Blocks all scripts automatically and will only run whitelisted scripts.
• Fortress – Like the Classic Whitelist setting but all contents are blocked even on whitelist sites until clicked on.

Another interesting feature that will be implemented eventually is the ability to synchronize NoScript settings between desktop and mobile versions.

Users interested in running NoScript on mobile devices can download the latest version from the NoScript Anywhere project website.

WidgetBlock offers a way out, at least for users of the Google Chrome web browser. The Google Chrome extension basically blocks the majority of social media widgets on all Internet websites the user opens in the browser.

It removes the widgets from the page so that they are not displayed anymore on the page, or at least replaced with a non functioning place holder.

Here is a screenshot of a Techcrunch article without the extension installed:

And here is the same article with the extension installed and enabled:

And finally how it looks in the Firefox web browser with NoScript enabled:

As you see, there is not much of a difference in page design. WidgetBlock comes with an option page to enable individual widgets, which is obviously helpful if they are regularly used by the Chrome user.

The options page lists several dozen Web 2.0 and statistics sites and services that are blocked by the extension. Among them services that are not shown on the page like Google Analytics or Scorecardresearch.

Chrome users who encounter a lot of those social media and stat tracking widgets and scripts may want to install WidgetBlock in their browser to make the pages that embed the widgets load faster and less obtrusive (via).

Chrome users who want to open some websites with scripts and plugins disabled have now another option. The Safy extension for Chrome offers to open links in the browser in in iframe sandbox with both JavaScript and all plugins disabled.

Options provided are to open the selected link in a new tab in the same browser window or in the current tab. This works fine in most instances, but not all the time. It is for instance not working in Google Search. An error message is displayed if Safy is used to display a search result in a sandboxed tab.

That’s the biggest quirk right now. The other problem that some users may experience is that they cannot launch websites using Safy if no link is present. Say you are on a website and want to open it without JavaScript or plugins, or you want to enter a web address directly, or open a bookmark in the browser. Safy cannot be used in all of those cases.

Then again, it works very well for normal links on most sites. Ideal for opening a link on Twitter, Facebook or blogs in a safer environment.

Safy is available only for the Chrome browser. It can be installed directly from the Chrome extension gallery.

I do however understand the need for ways to protect the browser and computer from script based attacks, and there is nothing better for that than the Firefox NoScript extension or an equivalent for other browsers. The NoAds extension for the Opera 11 browser combines both ad blocking with NoScript functionality.

Opera 11 users can install Noads by visiting the add-on’s page over at the Opera extensions site. The installation is quick and without a browser restart. NoAds works right after installation on most sites.

The extension places an icon in the Opera address bar that opens the configuration menu.

Probably most interesting is the Preferences link that opens the extensive tabbed configuration page. It loads the site preferences by default listing all blocked external scripts as well as css filters and user css filters.

Here it is possible to add external scripts to a whitelist, or allow all scripts on the website.

The global Preferences tab lists the whitelisted scripts, as well as user css filters and css filters. The subscriptions tab can be used to subscribe to an ad blocking list which is then used to automatically block the ads on the listing. Available are lists for the United States, Germany, France, Russia, a general list and a custom option to add an url to another listing.

Elements on a page can be blocked as well. This is done with the following shortcut keys:

• Block ads – Alt+Shift+A
• Block element – Alt+Shift+B
• Unblock – Alt+Shift+U
• Unblock latest element – Alt+Shift+L

Pressing the Block Element hotkey for instance opens highlights all element blocks on the page. A left-click can then be used to block the current element on the page permanently, or at least for as long as it is not unblocked again. This is excellent for removing elements on a website that are not ads but not needed or distracting.

NoAds is an excellent add-on for the Opera web browser. The extension has its quirks though which need to be sorted out. It is for instance sometimes necessary to switch tabs back and forth before the icon in the address bar becomes active.

The developer of the NotScript extension for Chrome explains recent changes in the browser that made the extension possible:

NotScripts uses a unique and novel method to provide this “NoScript” like functionality in Google Chrome that was not previously possible. It introduces a break through technique of intelligent HTML5 storage caching to over come the limitations in Google Chrome that prevented an extension like this from being made before. NotScripts blocks third-party content BEFORE they load and it does this while also having a whitelist. This is one of the key extensions that many people have been waiting for since Google Chrome came out.

The installation of the script requires the user to set a password in the Chrome profile folder, by manually editing the file CHANGE__PASSWORD__HERE.js. This may turn away many users who would probably like to use the add-on, and the developer should consider another way to set that password.

noscript

A NotScripts password is required to be set for the initial use on a computer or if NotScripts was updated. The password is used to protect your privacy by preventing web sites from viewing the NotScripts whitelist caches. Due to technical limitations, you are required to open a file to set the password.

Once that is done NotScript will start to function similar to NoScript. The extension blocks most – but not all – scripts from being executed automatically on a website, with the possibility to whitelist scripts so that they can be executed normally.

It places an icon in the address bar, that displays the currently blocked and allowed scripts on the site.

notscript

Scripts that are allowed are added to a whitelist.

notscript whitelist

It is furthermore possible to allow scripts temporarily for all sites for a while. Functionality that is currently missing is the option to enable a script temporarily for a session only.

As mentioned previously, NotScript has several limitations at this point in development, they are:

NotScripts can block plugins like Flash and Silverlight. However, Java applets are a special case. Java applets embedded with the standard <EMBED> </EMBED> or <OBJECT> </OBJECT> tags can be blocked, but Java applets embedded with the old, deprecated <APPLET> </APPLET> tags cannot be blocked because Google Chrome does not fire load events for this legacy method. The current workaround is to disable Java in your browser until this can be fixed.

All scripts loaded from a source location (the vast majority) can be blocked. However, inline scripts that are directly written into the HTML code of a web page cannot be blocked by NotScripts because Google Chrome does not fire load events for them.
For example: <script src=”http://example.com/aScriptFile.js”> </script> can be blocked without any issues. However, <script>alert(“Hello, World!”); </script> written directly into the HTML code by the site you are visiting cannot be blocked by NotScripts because it is not loaded from anywhere, it is a direct part of the web page you view. However, these inline scripts are usually useful and are often required for a site to function properly. If you want to, you can set Google Chrome to deny javascript for all sites and use NotScripts to selectively pick the scripts to run on sites you enable javascript on.

When you visit a web site for the first time with scripting enabled, you may see NotScripts quickly reload it once as it caches the whitelist and refreshes. Subsequently, there is no reloading needed unless you happen to change a part of your whitelist that directly affects the site. This is only a minor issue and happens less and less as NotScripts learns your desired whitelist.

NotScript is a unique extension for Google Chrome, that provides a good chunk of NoScript’s functionality. The first official release version shows great promise, and if the developer continues to implement features and maybe, finds ways to remove some of the limitations and the dreaded password creation, then NotScript could become what NoScript is for Firefox: An indispensable add-on

So far only Last Pass has made its way to the Google Chrome browser. Daxpit, a reader of my blog, recently mentioned the BlockIt userscript that offered NoScript like functionality in the Opera web browser.

A userscript in Opera is an external script that can be loaded in the web browser. Much like add-ons but more complicated to setup in my opinion.

BlockIt is compatible with the latest versions of Opera up to Opera 10.50 which is where I have tested the script. It displays a small icon in the lower right corner of the screen. A click on that icon displays a menu that is showing the scripts on the page, the number of scripts that have been blocked, a pulldown menu listing all script names and controls to unblock scripts on the page.

All scripts that are executed normally on the page are disabled by default just like they are in NoScript. BlockIt divides the elements on the page into categories like scripts, images or embeds with the option to unblock those elements individually or completely. This is one of the differences between both scripts. NoScript ignores images as they are not scripts whereas BlockIt blocks them as well in the beginning.

The following controls are available:

• Block: This is a button that toggles between “Unblock” and “Block”, and adds the selected element to the whitelist if “unblock” is clicked, and removed if “Block” is clicked, also when this button is clicked anything that is viewable on the page will show up(red outline) and be blocked on the spot, same if “Unblock” is clicked(but orange outline and scrolled to)
• All: This is a button that unblocks or blocks all elements of that type, only use this if the site needs all of the elements for the page to work regularly,otherwise its good for quickly blocking/unblocking most elements quickly.
• T-Unblock: This is a button that allows toggling this script off temporarily for the whole tab, so if you are only visiting this site temporarily and want to view it properly in its entirety, this button is for you.
• Server: This is a button that blocks/unblocks all elements of the type based on the server name, say if you wanted all scripts from one site to be loaded but others not to be, this button does what it says on the tin.
• Preview: This is basically a button that allows you to preview the element in a new tab, this is especially good for scripts that cannot be previewed the normal way.

BlockIt remembers the configuration changes made by the user so that elements that have been unblocked remain unblocked in future sessions. The information are stored in cookies which means that cookies need to be enabled for the settings to be saved by the script.

Tips

• Holding shift and clicking on the “Unblock”/”Block” button is a quick shortcut for blocking all elements of the same type on the page(like clicking on the “All” button), holding ctrl is a shortcut for blocking elements based on the same servername as itself(like clicking the “Server” button).
• Holding ctrl while clicking the “Server” button actually stores the servername for all element types, this is useful for youtube as sometimes it holds all scripts and images on similar servers
• Holding shift while clicking the “T-unblock” button will actually only unblock everything for that url only, need to turn blocking back on again? Here is a bookmarklet that will do so. Drag this to a toolbar or bookmark it for future use. BlockIt toggle
• BlockIt adjusts to your screen size, the user interface will shrink its font and total width accordingly, if BlockIt cannot fit, it will tell you, but this script is mainly designed to work on screens with width 300px and above.
• By default, BlockIt will appear in the bottom right position, if you’d like to change the position, change “cornerposition” to either 1(top-left),2(top-right),3(bottom-left) or keep it as it is as 4(bottom-right)

BlockIt is a great NoScript alternative for the Opera web browser. This ties the score between Google Chrome (which got Last Pass) and Opera (which got NoScript). BlockIt can be downloaded from the forum page over at the Opera forum where the developer announced the script.

Check this instructions if you need to know how to install userscripts in Opera.

NoScript is primarily a security add-on but it also provides other benefits like ad blocking since most advertisements on the Internet are using either JavaScript or Flash.

Google Chrome has made leaps forward with Chrome 4 stable being released to the public and Chrome 5 in the workings. Extensions are now supported out of the box in Chrome 4 and users are asking (again) why NoScript has not been ported or copied yet.

The developer of NoScript, Giorgio Maone, gives us the answer on December 10, 2009.

Chrome is still lacking the required infrastructure for selective script disablement and object blocking. Maybe Google plans to implement the missing stuff later, maybe they’re still trying to figure out whether it can be done without enabling effective ad blocking, but in the meanwhile the pale AdBlock and FlashBlock imitations which have been hacked together by overwhelming popular demand, are forced to use a very fragile CSS-based hiding approach, ridiculously easy to circumvent.

The developer posted an update on January 28, 2010 in the Informaction forum:

It means the the technology infrastructure to make it possible is not there yet (so “now be possible” does not makes much sense), but I’m in talks with good will Google people who say they want it to happen.

Talks are underway which is good to hear although Google had contacted the developer previously (as early as April 2009) and nothing seemed to have changed since then.

Google Chrome 5 on the other hand might deliver exactly the functions needed to port NoScript to Google Chrome. If you remember yesterday’s review you know that JavaScript and Plugin blocking with whitelisting resources was shown in the new Content Settings menu. It would be interesting to hear what the NoScript developer thinks of this development.

There are two things that are keeping me personally from switching to Opera. I would like to outline those two below with the hope that these features get added eventually to the web browser:

1. Password Manager

Like every web browser Opera has a build in password manager. What it does not have is support for the excellent Last Pass service that has been ported to many web browsers. Last Pass is a password management service that makes it much easier to create and maintain accounts. Some of its features are a password generator, form profiles, online access to passwords and auto-login to websites.

Last Pass is currently supporting various web browsers including Firefox and Google Chrome. The only option to use it in Opera is the Last Pass bookmarklet which provides limited functionality as it only provides login or form filling support but not other features like generating passwords.

The developer’s of Last Pass state that they would love to create a version of their service for the Opera web browser. The nature of the web browser, in particular the missing or limited browser SDK, makes it impossible at this point.

The build in password managers are no alternative at this point and the bookmarklet is not either. Opera Link provides data syncing but it is limited to Opera only. The benefit of Last Pass is that the stored passwords can be used with any web browser that is supported by Last Pass.

NoScript like functionality

The second feature that I do not want to miss anymore is provided by the NoScript Firefox add-on which turns of all scripts on any website by default. That’s a security precaution as scripts are usually used to attack computers.

Opera has a feature to disable some scripts globally and per website. The problem here is that this would require lots of manual work. The only viable option would be to disable scripts globally and enable them on a per site basis.

NoScript on the other hand offers a finer handling. Opera’s per site settings enable JavaScript, plugins, Flash or Java for the whole site and all scripts of that type that are executed on the website. NoScript can be used to enable a specific script (e.g. JavaScript) but block all other JavaScripts on a website.

Conclusion

I’d really like to switch. I’d might be able to either get used to the bookmarklet (with additional help of tools to generate secure passwords) or switch to Opera’s build in password manager. It would be possible to sync the passwords across all Opera browsers but other web browsers would not be able to use those passwords then.

NoScript on the other hand is the real culprit. It does not look as if there will be an option in the near future that comes close to the functionality of NoScript.

I’m currently trading speed and reliability for support of these two extensions.

Are you thinking of switching to Opera as well? Or have you already switched? What’s keeping you or why did you make the move?

I want to go beyond the usual recommendations to discuss PC security issues that many users do not think about at all or not enough.

Update

You can install a secure operating system, an award winning anti-virus software and firewall and still fall prey to attackers through outdated system components. Programs that are used on the computer system need to be up to date. That is especially true for the operating system and programs that connect to the Internet. This includes the web browser (including web browser plugins like Flash), email client, instant messengers, but also the security software programs (which usually come with automatic updates turned on). The computer is vulnerable if the operating system and programs are not up to date.

Email

There are only three rules for emails: Do not open attachments, do not click on links and do not use HTML emails. Email attachments can contain malicious software. They usually do if the sender is unknown or by a company that never send you attachments before. Links can be disguised to look as if they point to a trustworthy website when in fact they lead to a phishing website to grab your username and password. HTML emails can be used to exploit the browsing engine and are also used for tracking users.

Here is how I handle these three risks. Attachments send by friends are usually safe. It is important to check the extension of the attachment. I’m cautious if it is an executable (even when send by a friend). Executables send by senders I do not know are deleted instantly. I check the remaining executable attachments at the online service Virus Total. If I’m still unsure I contact the friend asking about the attachment and why it was send to me.

I never click on links in the email client. If it points to a site I know I open the site manually in my web browser. I otherwise check if the link text and the link are pointing to the same url. If they do I copy and paste the link in my web browser (Firefox with Noscript, so barely any risk here). I do not have to supply username and password since I do not know the service so no fear of phishing in this case.

HTML can be disabled in most email clients.

The Web

I use Firefox mainly for the add-ons and in particular because of the NoScript add-on which provides an excellent layer of security (it disables all scripts by default with the option to enable them individually again). NoScript takes care of most threats on the Internet if it is used in the right way. Someone who always enables all scripts on a website (because it is faster than enabling only some) is not more protected than someone without NoScript. If you enable scripts only on websites that you trust then you are well protected (yes there is always a tiny chance that you are attacked on these sites as well e.g. through malicious banner advertisement).

Another add-on that I have come to love is Last Pass. A password manager and secure password generator that can create and remember passwords and profile information. Last Pass connects urls and passwords which is an excellent phishing protection as well. Say you have username and password saved in Last Pass for PayPal.com. If you open a phishing website that mimics the PayPal website you will notice that Last Pass will not automatically fill out the username and password. Something that the add-on would have done on the real PayPal website.

Files that can be executed are another threat on the Internet. A good way of dealing with those files is to use Virus Total again to check them out before executing them on the local system. It is advised to only download these files from trustworthy sources (big download portals, websites of trusted developers).

Verdict

The majority of attacks can be rendered useless with the right PC security. Updates are probably the most important part of every PC security strategy but caution is a close second. It is always advised to double-check a file or site. This might take more time but it can prevent attacks on a computer system which will save the user lots of time in the end.

The Firefox add-on gets updated quite regularly and one rather annoying trait is that it will open the NoScript website after each update. Most users do not care that much and close the tab in this situation. Some users might prefer a permanent solution so that the website will not be opened when the script updates.

This can be achieved in the Firefox preferences. To go there type in [about:config] in the address bar, confirm the “it’s dangerous” warning if it is your first time and filter for the parameter [noscript.first].

The parameter noscript.firstRunRedirection should be displayed with the default value true. This means that NoScript will open the website whenever the add-on gets updated. A double-click on the line will change the value to false which will prevent this from happening from now on.

It is possible to revert the changes with another double-click on the line.

We would like to encourage you to post additional tips and hints about website manipulation in the comments of this article so that the page becomes as comprehensive as possible. All methods of manipulating websites have been tested with Firefox 3.5x and 3.0.x. Most will probably also work in previous versions of the web browser.

1. Userscripts and Greasemonkey

Greasemonkey and its userscripts are probably the most popular and known method of manipulation website contents in real time. Thousands of userscripts exist that add, remove or modify elements and features of web services. Some classic examples are changing the design of Gmail, adding new features to the Internet Movie Database IMDB or skipping the wait time at popular file hosts.

Generation of scripts requires web development knowledge, especially of html, JavaScript and CSS as these are used to alter the contents of the websites.

2. Platypus – Modify Websites Without Programming Skills

Platypus allows a user to modify websites with any programming skill requirements. This limits the reach of the Firefox add-on a bit as it is not possible to reach the depth of Greasemonkey. Possible options are to permanently remove elements from websites, change style attributes, change the font and background colors to black and white or to remove fixed sizes and positioning on a page.

3. Stylish – Modify CSS

The Stylish add-on for Firefox and its accompanying userstyles directory provide access to new styles that manipulate the CSS of a website.It can be used to remove, add, move and manipulate elements on a website permanently. The screenshot above shows the popular Atistic Google userstyle.

4. Yet Another Remove It Permanently

Yet Another Remove It Permanently is an add-on for the Firefox web browser that makes it possible to remove elements on websites permanently. Can for example be used to remove advertisement from Google Search results or images from websites. Basically any element can be removed with this add-on. A similar add-on is Nuke Anything Enhanced.

5. Firebug

Firebug is first and foremost an add-on for Firefox that presents lots of useful information to web developers. What many do not know is that it comes with the capabilities to manipulate elements on a website. It is probably not the first choice for this kind of manipulations but this comes in handy when testing different kinds of layouts, color combinations or fonts.

6. NoScript and Adblock Plus

Both the NoScript and the Adblock Plus add-on for Firefox are primarily being used to prevent scripts and advertisements from being displayed on the user’s computer monitor. This does make them limited tools for modifying websites.

7. Aardvark

Aardvark can be used to isolate or remove elements from websites.Has been primarily been designed to remove unneeded elements before printing a website.

Verdict:

There are definitely a lot possibilities to modify websites in Firefox; Certainly more than have been mentioned in this post. Probably the easiest possibilities are in the form of Greasemonkey. If you know of any additional add-ons that should be mentioned let us know in the comments.

There is one additional problem concerning websites that do offer HTTPS connections on most of their network but not everywhere. Mouser over at Donation Coder mentioned a hidden setting in the NoScript (check my Firefox security profile for additional information) add-on of the Firefox web browser allowing to force HTTPS connections for listed websites. This is helpful in a few cases. Some websites offer both HTTP and HTTPS connections to their servers. Another possibility are websites that make use of HTTPS connections but not on all pages.

Users with the excellent No Script add-on installed can configure sites to always use a secure https connection when they are visited. This option can be accessed by right-clicking the NoScript icon in the Firefox status bar, selecting Options from the context menu, clicking on the Advanced tab in the configuration and there on the HTTPS tab.

New websites or pages that should be forced to use secure HTTPS connections can be added to NoScript in there. The use of wildcards is possible. Users should however note that this will not work on all websites. It will obviously not work on websites that do not offer HTTPS. There are also sites that automatically redirect HTTPS requests to HTTP. Google.com is a prime example of this. If you add google.com to the list you will notice a never ending loop when opening that website because of NoScript trying to force HTTPS and Google redirecting to HTTP.

Most users on the other hand prefer simplicity and no user interaction and that’s where YesScript comes into play. Its approach is the complete opposite of NoScript. YesScript allows all scripts on all websites unless they are blacklisted by the user.

The advantage of this method is that less user interaction is required. It does however undermine the security aspect because scripts will be executed normally as long as the website is not in the blacklist.

It comes down to an evaluation of the advantages and disadvantages of both methods. NoScript provides enhanced security while YesScript less work and vice versa. Installing YesScript from a security standpoint does not make that much sense but it is quite capable of removing scripts from websites that make extensive use of them.