Top 6 NoScript features that you may not know about

Martin Brinkmann
May 25, 2013

If I had to pick one extension that I can't browse the Internet without it is Firefox's NoScript extension. You have probably heard about it or are using it as well to block all scripts on all websites that you connect to automatically. This is huge from a security point of view as it blocks many attack vectors that other Internet users are exposed to.

Some users may not like NoScript because of this, as it may render websites partially or fully unusable by default. It is then up to you to change the necessary permissions so that you can browse the site normally. While that is certainly a drawback, it is clearly less important than being safe on the Internet.

I have been using NoScript for a long time and most websites work out of the box when the extension is enabled in the browser. You can get most sites to work by allowing scripts to run on the domain the website is hosted on. Only rarely is it required to enable other scripts for sites to work in the browser.

I'd like to share 6 NoScript features with you that are not known by many of the extension's users.

Top 6 secret NoScript features

  1. You can middle-click the toolbar button of the extension to temporarily allow all scripts to run on the site. This can be useful if you want to allow them all as it takes only one click.
  2. A middle-click on any domain listed in NoScript's interface opens the security and privacy info page in a new tab. It links to services like Web of Trust, McAfee SiteAvisor or hpHost Report so that you can look up information about a particular domain with two clicks.
  3. You know that NoScript supports whitelisting websites temporarily or permanently so that scripts are allowed to run on the added sites. What you may not know however is that the extension ships with a set of domains that are whitelisted by default including,,, or You can remove those sites in the whitelist options.
  4. A right-click on a domain listed by NoScript copies it to the system's clipboard.
  5. You can use the Ctrl-Shift-\ shortcut to temporarily allow the top-level site. You can modify the shortcut in about:config by changing the value of the noscript.keys.toggle preference.
  6. The blacklist is useful if you want to exclude domains from appearing in NoScript's interface. Any blacklisted site will not be allowed even if you use the "allow all temporarily" or "allow all permanently" feature. To mark a domain as untrusted, open the NoScript > Untrusted menu and select it. To mass-add untrusted domains open about:config and add them to the noscript.untrusted parameter.

Have a tip of your own to share or want to comment on one of the tips above? Feel free to post a comment below.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Thrawn said on May 29, 2013 at 12:53 am

    Help is available! The support forums are at, and you’ll usually get a response in less than a day. If you’d like to post details of your issue there (URLs of sites that don’t work, etc), you could probably get it sorted out.

    The Adblock issue was years ago, and it was a mistake on Giorgio’s part, but he did humbly apologise. And if you read more about it, you’ll find that the maintainers of ABP (or more specifically EasyList) were at fault too.

    By the way, the official addon name recently changed to NoScript Security Suite, to reflect the fact that NoScript doesn’t just block JavaScript. It also has built-in protections against Cross-Site Scripting attacks, clickjacking, cursorjacking, tabnapping, Cross-Site Request Forgery, cross-zone attacks (eg attacking your router), insecure cookies…

    All in all, I wouldn’t want to surf without it.

  2. RAC said on May 26, 2013 at 10:15 am

    I used NoScript for years, but recently I found one or two critical websites that absolutely wouldnt “work” even with the sites whitelisted (on my Linux PC). I had to disable NoScript completely and reboot Firefox for the sites to work. That annoyance coupled with the inappropriate code added to NoScript to counteract AdBlock awhile ago convinced me to remove NoScript.

    1. Peter said on May 26, 2013 at 10:58 am

      Like you, I’ve run into a couple of sites that don’t work in Firefox with NoScript, even with “all this page temporarily allowed.” I just fired up a different browser and loaded the recalcitrant sites in that one. (Curiously, one of those sites also wouldn’t work in plain-vanilla Internet Explorer, with no extensions, but *did* work in Google Chrome with NotScripts. In your case, it was clearly a problem with NoScript, but in at least one of mine, it may have been a browser-compatibility problem.)

      I vaguely remember the AdBlock brouhaha. It was petty and somewhat distasteful, but if I remember correctly the NoScript author backpedaled.

      Neither problem is enough to make me want to quit using NoScript. Again, I haven’t had a *single* malware infection since I began using it. If I were like you and regularly had to visit sites that don’t work with NoScript, I would probably install Pale Moon, port my Firefox profile over to Pale Moon using Pale Moon’s profile migration utility, disable or uninstall NoScript on Pale Moon, and use Pale Moon for those incompatible sites. But I understand why some people get fed up with NoScript, and if you’re running Linux, I’m guessing the risk of malware infection is still significantly lower.

  3. Peter said on May 26, 2013 at 9:47 am

    2. For those of you who don’t have a middle mouse button or who use it for a different function, shift-leftclicking on a domain listing in NoScript’s menu loads NoScript’s Security and Privacy Info page for that domain.

    6. You “permanently” blacklist domains on a given page by going into NoScript’s Untrusted submenu. Once you mark a domain as untrusted (in the Untrusted submenu), it will no longer appear in NoScript’s main menu, just in the Untrusted submenu. This is very helpful for reducing clutter in the main menu (and on some pages, the clutter can be substantial).

    Other observations:

    * There is an option in NoScript (the first option in the General tab) that permits you to allow “top-level” sites by default. Top-level means the domain of the URL you are visiting (the one in the address bar). So long as you don’t visit obviously risky sites or follow questionable blind links, enabling this option makes NoScript *much* less intrusive. It compromises security to a degree, but still provides a significant level of security to ordinarily safe surfers.

    * For surfers who can’t tolerate any hassle at all, installing NoScript and “Allowing Scripts Globally” still provides protection against certain types of attacks. It’s better than nothing and something you might consider doing for friends and family members who aren’t computer geeks.

    * The more time you’ve spent training NoScript, the less of a hassle it is.

    * Sites with reader comments sections often require “third-party” domains to be allowed (whitelisted).

    * Sites that use content delivery networks (CDNs) require an affiliated *cdn domain to be allowed. This is becoming increasingly common.

    * If you use Firefox Sync, there is an option in about:config that allows you to include NoScript preferences in your syncs. BE VERY CAREFUL WITH THIS OPTION. If your sync goes wrong, particularly after you install a new instance of Firefox on a different computer, you can wipe out a NoScript whitelist/blacklist that you may have spent *years* developing. If you want to give it a try, back up your Firefox profiles first, or better, archive and then remotely restore your entire Firefox installation using FEBE. Trust me, you do *not* want to be the victim of a bad NoScript sync.

    I consider NoScript the most important extension I use. I haven’t had a *single* malware infection detected since I began using it, and I wouldn’t surf without it.

  4. hessam said on May 25, 2013 at 5:21 pm

    7. Do Not Track features
    type about:config in addressbar
    search for noscript.doNotTrack

    noscript.doNotTrack.enabled (self explanatory)
    noscript.doNotTrack.exceptions, space-separated URL patterns of destinations which are not sent the “Do Not Track” message
    noscript.doNotTrack.forced, space-separated URL patterns of destinations which are sent the “Do Not Track” message even if they match exceptions

  5. Beachbouy said on May 25, 2013 at 11:08 am

    Using Adblock reveals to the site owner that you are purposely blocking ads. Personally, I think it is a mistake to do this. Why? Well, what would you do if you looked at YOUR website statistics and saw half of your viewers blocking ads on your ad supported website? The point is, whether you feel it immediately or not, you’re shooting yourself in the foot. Sooner or later, you’ll feel the pain.

    Hosts file blocking, for example, is more covert.

    1. John said on January 31, 2016 at 6:07 pm

      Maybe you should find a more stable and productive income than cluttering up the Internet with advertisements. We don’t need or want your ads- In fact, the Internet consists mostly of people volunteering their time and expertise to the largest single human endeavor ever undertaken. The advertising and the money came after it was built, like pests often do.

      NoScript, Adblock plus, and Ghostery are great tools. You may have to click a few icons, but you quickly start to see where all your JavaScript is coming from, and it’s shocking the amount of tracking they accomplish with simple JS.

      I browse faster than my friends who don’t have NoScript because they have to wait for the heavy ad content to load. Keep it free and powerful, please :)

    2. BobbyPhoenix said on May 25, 2013 at 11:40 am

      Being covert is worse. If I own a site, and I can’t tell ads are being blocked, then I’m thinking the ads are non-intrusive, and are being displayed by my viewers. I’d rather know if ads are blocked, so I can hopefully change the bad ones to good ones to get paid. I’ll block all intrusive ads at once. Anything more than a simple black and white text ad with no animation, and no sound are intrusive in my book. I don’t want to visit a site to read an article only to have an ad blink/change/move and/or play sound to distract me.

      1. John said on January 31, 2016 at 6:36 pm

        I understand your business sense, but people on the Internet have the right to privacy if they so choose. The Internet is the largest human project ever– a collection of information from all of the globe, and even parts outside our solar system. Don’t reduce it to a single form by saying “we should be able to X”. Figure out how to do it, and do it. If someone else’s technology prevents you from doing it, then you are hosed.

        Just a note to site owners… If you want to run ads on your site, that is your right. However, once those data packets get into my computer, I can do what I want with them. I can block ads by prevent HTTP requests to sites I don’t trust. That is my right.

        Besides, if you sell useful services instead of advertising, you will make people happier and be more productive for the world. Keep ads where they belong, in markets.

      2. Get Real said on March 11, 2015 at 10:51 pm

        @BobbyPhoenix: Do you seriously think that your responsible approach is anything but extremely rare?

        Do you think that Google, Yahoo, Microsoft, virtually every online publication, twice as many online entertainment media website won’t just ban anyone using an adblocker and/or attempt to subvert it?

        THE reason for many of those enterprises mere existence IS advertising. Any other function they provide is an incidental sideline.

        Mainline news media is a classic example of this. How many instances of favourable reporting for blatant wrongdoings have been precisely and explicitly attributed to the conflict of interest between said news media organisation and the target of the wrongdoing news article?

  6. Conan said on May 25, 2013 at 10:42 am

    “Only rarely is it required to enable other scripts for sites to work in the browser.”
    I have also been using NoScript for years, can’t imagine the web without it (together with Adblock Plus). However, I am now doing an experiment, browsing without NoScript (still have ABP). So far so good, I think I can do without it, though I kept my configuration just for the sake of needing it later.

    1. EuroScept1C said on May 26, 2013 at 9:18 am

      You realised NoScript is BS, only pain it brings…

      I have only ABP and do not allow 3rd party cookies at all. The browsing is extremely clean and fast, without complicated rules and mechanisms NoScript is offering… Soon you will realise it’s the best and most easy way. Mind you, I was using NoScript, too.

      1. KnowScript said on June 21, 2016 at 4:02 am

        I just wish there were an option like “Allow/Forbid for only this domain” because clicking allow/forbid from the dropdown menu sets a global rule for it to follow on all sites. The “Temporarily allow all this page” option is not what I want. Besides, there’s not even a “Temporarily forbid all this page” option! I don’t want to have to fool with the white/blacklist mumbo jumbo, I need a quick click option from the dropdown menu!

      2. Get Real said on March 11, 2015 at 11:09 pm

        Absolute twaddle. You have more than script blocking in NoScript, and in some cases protection that ONLY exists in NoScript. NoScript is not primarily an ad-blocking tool. It is a security tool.

        If you don’t want the hassle you should run it with globally allow all scripts, however do you really think that permanently allowing scripts such as the following to run is a safe way to run a browser?


    2. Martin Brinkmann said on May 25, 2013 at 11:11 am

      It depends on the sites you visit.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.