YesScript is NoScript's Antagonist

Martin Brinkmann
Aug 12, 2008
Updated • Dec 9, 2014
Firefox, Firefox add-ons

NoScript is a highly acclaimed Firefox security add-on that protects its user from scripts that are executed on websites. The approach is to block all scripts on a website unless the website gets whitelisted by the user. These whitelists can be temporary for the browsing session or permanently.

While that is certainly the best security approach it does require lots of work especially in the beginning as you will encounter sites that won't work without at least some whitelisting.

Most users on the other hand prefer simplicity and no user interaction and that's where YesScript comes into play. Its approach is the complete opposite of NoScript: YesScript allows all scripts on all websites unless they are blacklisted by the user.

The advantage of this method is that less user interaction is required. It does however undermine the security aspect because scripts will be executed normally as long as the website is not on the blacklist.

There are other differences. YesScript adds a single button to Firefox that you click on to enable or disallow scripts on the domain you are on. This means that either all or no scripts are allowed to run on it which is different from NoScript's behavior that allows to enable scripts individually.

NoScript in addition to this ships with a set of additional security features that improve the overeall security of the browser further.

It comes down to an evaluation of the advantages and disadvantages of both methods. NoScript provides enhanced security while YesScript less work and vice versa. Installing YesScript from a security standpoint does not make that much sense but it is quite capable of removing scripts from websites that make extensive use of them which can be beneficial on sites that use lots of cpu for example or load slowly because of those scripts.

If you ask me, YesScript is great for turning off JavaScript on sites with the click of the button. It won't help security-wise though and the author of the extension confirmed that he created it to remove hassles from websites and not improve overall security of the browser.

software image
Author Rating
no rating based on 0 votes
Software Name
Landing Page

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Thrawn said on November 18, 2011 at 2:35 am

    Actually, the web is a jungle – or, at least, parts of it are, and until you visit a page, you don’t know whether it’s safe or not. But since YesScript isn’t a security addon, that’s not the key point.

    YesScript is redundant when NoScript can be easily configured to do the same job, only better.

  2. LOL said on August 18, 2011 at 8:34 pm

    “there’s so much to block that it would be a lot more work to do that than just to unblock selected sites”

    LOL, Are you crazy?

    The web is not a jungle where you’ll be raped in any corner with the “cock Javascript”. Thanks NoScript for creating users paranoid.

    @x +1

  3. Thrawn said on March 4, 2011 at 8:31 am

    I’m with Pietzki…there’s so much to block that it would be a lot more work to do that than just to unblock selected sites. And NoScript in Allow Scripts Globally mode will behave the same way as YesScript, except that it adds silent protection against XSS, CSRF, etc.

  4. x said on April 19, 2010 at 5:14 am

    Old post but still relevant today. The replies are obviously from NoScript fans, stuck in mindless “NoScript is a panacea” mode.

    YesScript isn’t meant as a security solution, and it isn’t useless. It lets you block scripting on sites that have problematic scripts, and allow everything else. It’s really not hard to understand. Unless you’re mindless.

  5. Stephan Sokolow said on September 29, 2008 at 4:19 am

    I have to agree that blacklisting is bad. I assume you’ve never read “The Six Dumbest Ideas in Computer Security”? Enumerating badness is always doomed to failure.

  6. David Bradley said on August 18, 2008 at 4:33 pm

    This is an interesting…but totally useless idea. It’s like having a house with NoKeys enabled. All doors are left unlocked unless you blacklist them for a particular person…a burglar say…but how would you know in advance that a particular person is not trustworthy?

  7. Pietzki said on August 13, 2008 at 12:52 pm

    er, how is that useful? Isnt it MORE of a hassle to manually blacklist bad scripts (by which time the script would already have run anyway)?! Besides, this doesn’t protect you against cross site scripting either..

  8. Transcontinental said on August 12, 2008 at 5:21 pm

    I use YesScript and QuickJava, the latter being a quick Java/script on-off button for when I wander in red light zone districts :)
    I never liked NoScript, too heavy but above all, participates to a negative approach of the Web as a whole. So many sites use java nowadays, even to load a page, to download a file. Better off with Java on — besides exceptions — within a very good if not sophisticated system security overall.

  9. indy said on August 12, 2008 at 5:08 pm

    it’s totally useless! :D

    I agree with Tony, NoScript has that option and it works really good. It’s between “block all” and “allow all”, we can say “block extra”. I find it is a good approach

  10. Tony S. said on August 12, 2008 at 4:27 pm

    In NoScript’s options, you can enable that any 1st level domain (i.e. has scripting allowed by default.

    (and then you can ban some page, if you want)

  11. Tim said on August 12, 2008 at 3:55 pm

    This looks useful.

    The tool I have been searching for is a CPU Usage Meter that indicates the processor load imposed by each tabbed web page. It can display the average/max cpu load in a tool-tip box when the mouse hovers the tab. Then I can take more informed action on the offending site.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.