The Firefox NoScript guide you have all been waiting for
Update: We have published a new NoScript guide for Firefox 57 and newer.
One of the core reasons why I'm using the Firefox web browser on my desktop PC and not another browser is that the NoScript extension is only available for that browser.
NoScript does what the name implies: it blocks scripts from running automatically on most websites. This boosts security significantly, as most attacks run on websites require scripts to be effective. It will also improve page loading times on average, as less content needs to be loaded when NoScript is enabled.
The downside here is that site functionality may also not work properly on select sites. Since scripts are blocked by default, a site may simply not work at all, or only partially with NoScript installed.
The extension offers controls to resolve those issues though, as you can allow scripts to run temporarily or permanently on sites.
Another issue is that scripts are blocked on the domain level. Most websites load scripts from various sources: first from their own domain, but also from third-party servers, for instance to display ads, to use tracking scripts, or to make use of a hosted version of jQuery.
It is often difficult to tell which scripts are required for a site's core functionality, and which are not. This is especially true for Internet users who have little experience when it comes to domains, website technologies and scripts.
The NoScript configuration
The NoScript out of the box experience is quite good. You can use it without modifications, but if you want to get the most out of the add-on, you may want to go through the options at least once to make sure everything is configured in an optimal fashion.
As I mentioned earlier, NoScript blocks scripts on most websites by default. The extension ships with a domain whitelist, which means that the sites that you find here are allowed to run scripts they host on their own domain.
Side Tip: NoScript distinguishes between root domains and subdomains. Domains like addons.mozilla.org and mozilla.org are handled as different domains by the extension.
Among the list of domains that are whitelisted are addons.mozilla.org, google.com, googleapis.com, live.com, hotmail.com, outlook.com or paypal.com.
You can remove any of the whitelisted sites under Whitelist in the NoScript options.
My suggestion would be to remove domains that you do not want listed here. I recommend leaving Firefox's internal pages on the list though, as you will run into issues otherwise.
Here you can also import or export the selection, useful if you use Firefox on multiple devices and want to use the same whitelist.
The second configuration change that you may want to do concerns the NoScript icon. You may want to place it in a location that you can easily access.
I have placed mine in the add-on bar, but with the removal of the bar in Firefox Australis (version 29 is the target) you may also place it on the main toolbar of the browser.
Another option is to use the context menu exclusively instead of the icon. NoScript adds an entry to Firefox's right-click context menu which you can use to allow or disallow sites, or to open the options and other features of the extension.
If you use the icon, you can make use of a couple of smart features the developer has built into the extension. To allow all scripts on the current site, middle-click the icon. You can furthermore enable a left-click toggle to allow or block the top-level site under General in the options.
You may notice that a message about blocked scripts is displayed on the screen in a notification. This can be useful if you use the context menu exclusively, but if you use the icon, the icon itself already highlights that scripts were blocked.
I prefer to remove the notification as it blocks part of the screen without telling me anything that I don't know already.
You can disable the notification under the notifications tab in the options.
Instead of displaying a message, you can also enable audio feedback. I do not recommend you do so, especially if you load many sites during a browsing session.
Let's go back to the sites listing that NoScript displays when you left-click or right-click on the icon.
The menu highlights all scripts that the site tries to run. The root domain is always listed at the bottom of the listing, while all other domains are listed on top of it.
Tip: To ensure a site's full functionality, it is usually enough to allow the root domain. I'd recommend you load sites without whitelisting first to see if they work out of the box or not. If a site does not work, it is likely caused by a script that needs to be loaded. There are exceptions to the rule. You may find that some sites use content distribution networks, e.g. cdn.ghacks.net, that you need to allow as well, and that some sites load libraries such as jQuery from third-party sites.
As I have mentioned in my 6 NoScript tips guide, you can middle-click on any domain here to run a security check on it. When you middle-click, you are taken to a page on the NoScript website that links to several popular site security services such as Web of Trust, McAfee SiteAdvisor, or hpHosts.
Use those to check a domain that you do not know anything about before you allow it. An alternative to that is to manually check a domain on VirusTotal.
Tip: Right-click any domain name to copy it to the clipboard.
Let's dig in a little bit deeper. NoScript offers more than just script blocking. It can be used to handle embedded content as well.
While such content is blocked by default on sites that are not whitelisted, it is not blocked on sites that you have temporarily or permanently whitelisted.
This means that content such as Java, Flash, Silverlight or other plugins is loaded on whitelisted sites by default. If you do not want that to happen, you have to change the corresponding setting under NoScript Options > Embeddings.
Here is an example where this may be useful. Say you need to whitelist a site to make use of all of its functionality. By doing so, you may inadvertently also allow it to play Flash ads, videos, or other content that requires the use of plug-ins.
While it may make sense to allow such content to play on whitelisted sites such as YouTube, as you visit the site for videos, it improves security and privacy if you apply these restrictions to whitelisted sites as well.
It means more clicking though to enable those contents, but it is a trade-off.
If you enable that feature, you will get a confirmation prompt every time you click on blocked content. You can turn that off by disabling "Ask for confirmation before temporarily unblocking an object".
Note: you can configure the forbidden items on the same page, so it is possible to allow some kinds of content while disallowing others. One possible option is to allow Flash and to disallow all other content.
The advanced options may look scary at first, as you find many technical terms such as XSLT, XSS, ABE, or even ping, mentioned here.
Generally speaking, those options are best left alone unless you require specific features.
One feature that may be of interest here is the handling of secure cookies. You can configure NoScript to force encryption for cookies set over HTTPS on select sites.
Some web services set cookies over a secure connection but fail to mark those cookies with the Secure attribute. The result is that the browser also sends such a cookie along with requests to the same domain that are made over plain, non-HTTPS pages.
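The following is an added example, not NoScript's own code: it models the problem just described with a constructed Set-Cookie header, shows the hardening NoScript applies when "force encryption" is on for a site (adding the Secure attribute to cookies received over HTTPS), and checks whether a stored cookie would be attached to an HTTP versus an HTTPS request. Only the scheme check is modelled; domain and path matching are assumed to pass.

```javascript
// Added example (not NoScript's code): a cookie set over HTTPS without the
// "Secure" attribute is later attached to plain-HTTP requests for the same
// host, which is the leak the "force encryption" option closes.

// Parse a Set-Cookie header value into name/value plus lowercased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// The hardening NoScript applies when "force encryption" is on for a site:
// a cookie received over HTTPS gets the Secure attribute if it lacks one.
function forceSecure(header, receivedOverHttps) {
  const cookie = parseSetCookie(header);
  if (receivedOverHttps && !("secure" in cookie.attributes)) {
    cookie.attributes.secure = true;
  }
  return cookie;
}

// Would the browser attach this stored cookie to a request for `url`?
// Only the scheme check is modelled; domain/path matching is assumed to pass.
function wouldBeSent(cookie, url) {
  const isHttps = new URL(url).protocol === "https:";
  return isHttps || !("secure" in cookie.attributes);
}

// Constructed sample: a session cookie set by an HTTPS login page, no Secure flag.
const SAMPLE = "sessionid=abc123; Path=/; HttpOnly";

function demo() {
  const asIs = parseSetCookie(SAMPLE);
  const hardened = forceSecure(SAMPLE, true);
  return {
    leaksOverHttp: wouldBeSent(asIs, "http://example.test/page"),      // true
    hardenedLeaks: wouldBeSent(hardened, "http://example.test/page"),  // false
    hardenedHttps: wouldBeSent(hardened, "https://example.test/page"), // true
  };
}
```

The `hardenedLeaks` result is also why some sites break with the option enabled: if the site's HTTP pages rely on receiving the cookie, the login state is no longer visible to them.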
You may however run into issues on some sites, so that you may not be able to log in on those sites anymore, or are logged out automatically when you switch pages.
You can find information about those issues by opening Firefox's Web Console using the shortcut Ctrl-Shift-i. Use the information to add exceptions to the rule.
Probably the best location for additional information about NoScript is the FAQ that the author maintains. Several of the technological terms are explained here, and there is a tips and tricks section as well that you may find handy.
Questions are best asked on the official forum, which is well frequented.