NoScript Tip: Check the whitelisted sites listing

Martin Brinkmann
Jul 9, 2015
Updated • Aug 10, 2018

NoScript is a powerful security add-on for the Firefox web browser that blocks the execution of scripts on websites and includes additional security features that improve protection on the Internet.

NoScript users may whitelist sites temporary or permanently, and the difference between the two is that temporary permissions are revoked while permanent remain across sessions.

The whitelist may grow over time when users start to add sites they trust to it to improve their accessibility. I have whitelisted my own site Ghacks for instance but you are free to whitelist sites you come across, for instance your favorite shopping site or news site.

NoScript ships with a default whitelist that includes internal browser pages as well as popular external websites including many Google and Microsoft properties but also PayPal, Mozilla or Yahoo. A full list of default sites is available on the official NoScript website.

This is done for convenience only and has backfired recently when security researcher Linus Särud used it to bypass its security and get code executed.

The core issue he exploited was that NoScript had in its whitelist which meant that all subdomains would work fine as well.

All that he had to do was reference from any other domain to bypass NoScript's protection. The issue has been fixed in the meantime but it shows that this is problematic.

The whitelist in NoScript for Firefox 57 and newer

NoScript was ported to a new extensions format in 2017 to remain compatible with Firefox 57 and newer. Mozilla dropped the classic add-on system in the browser version.

The interface changed significantly in the process and so has the whitelisting management options. Here is what you need to do to manage the whitelist in recent versions of Firefox (you find the old instructions below):

  1. Open about:addons and select the options link next to NoScript.
  2. Select Per-Site Permissions.

NoScript displays all site permissions on the screen. If you have installed NoScript just then and there you will find only the whitelisted sites on the page. Note that it is no longer possible to remove sites from the listing.

What you can do is set the trust level to default for each of them to remove the special status that these have.

Just select "default" for each and you are done.

How to display the whitelist

  1. Load about:addons in Firefox and locate the NoScript listing on the page that opens.
  2. Click on options next to it.
  3. Select whitelist in the NoScript options to display the list of whitelisted sites.

Manage the sites

Even if you have never added a single site to NoScript, you will find sites listed in it. Chance is high that you may not have heard about some of them before, for instance, or

If you are security conscious, you may remove them all for full control. Even if you don't mind a couple of sites listed there, you may want to go through the listing to remove sites you never visit or don't know at all.

The best option in my opinion is to clear the list completely and rebuild it as you use the web browser. Once you visit a site you trust you can add it to the whitelist to improve its accessibility.

You find import and export options on the page, as well as a reset button which may come in handy.

All in all though it pays to have as few sites as possible listed on the whitelist.

Now You: Have other NoScript tips? Share them in the comments below!

NoScript Tip: Check the whitelisted sites listing
Article Name
NoScript Tip: Check the whitelisted sites listing
The guide explains why you want to check the NoScript whitelist, and how to manage sites that you find in it.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. RIITACAT said on August 9, 2018 at 11:00 pm

    i’m not getting that white list page…did before, now getting a page with options i don’t understand….no white list page

  2. oz said on July 10, 2015 at 4:48 am

    Yes sir, I too always totally clear the default whitelist in NoScript, and then add only those rules that I choose. In most cases, when I run across a website that doesn’t work with NoScript enabled, I simply move on to other websites because the fact is, I’ve never seen a website that I couldn’t live without. NoScript is a top priority add-on for me.

    Thanks for the article, Martin.

    1. Chains The Bounty Hunter said on July 11, 2015 at 3:09 am

      By that reasoning, I should have stopped visiting Ghacks two years ago.

  3. theMike said on July 9, 2015 at 11:01 pm

    i’ve always cleared the default whitelist. i’ll let through what i want

  4. Chains The Bounty Hunter said on July 9, 2015 at 9:28 pm

    “All in all though it pays to have as few sites as possible listed on the whitelist.” It doesn’t if you browse regularly enough that you’re going to be clicking “temporarily allow” just to get some semblance of site functionality back dozens of times a day.

  5. Dondog said on July 9, 2015 at 9:09 pm

    Many years used 2 browser scheme. Safe and UnSafe ones. My safe browser is of course Firefox with NoScript extension. Across all my 3 OS. (Linux, Windows, Mac)
    As Unsafe browser i used to have many browsers and profiles. (Chromium, Yandex, Safari, Maxthon, Opera, IE and second profile of Firefox)
    So with this scheme my Firefox was like max sec prison built by my own hands for myself. No compromise, any exception, whitelisting regarding to safety and privacy. Specially in last few years. Snowden effect :)

    After installing NoScript i usually did few things. First, in Whitelist section Control-A and clicked remove all selected sites. Left only unremovable entries, which absolutely needed for internal working of Firefox. Second, in Embeddings section additionally blocked IFrame, Frame, WebGL things.
    Check apply to trusted sites too, uncheck confirmation, notification staffs.

    Of course NoScript was not my only security, privacy related extension. Just one of them. But most important one.
    If i wanted watch some movie online just fires up my unsafe browser. Most time inside my “prison wall”. Safe and secure. Happy :)

    Recently my web browsing habit drastically changed. After long thought i decided to replace NoScript with Umatrix and ditch my 2 browser scheme. Now only one browser (Firefox) across all OS, and with almost identical extensions. No more middle clicking.

    So my NoScript tip is if you use it use it 100%. Do not compromise. Never whitelist any site permamently.
    Sorry Martin.

    Greetings from Mongolia.

    1. A different Martin said on July 10, 2015 at 11:47 pm

      The granularity of uMatrix’s site-specific and content-type controls looks very interesting. I’m not sure how I missed Martin’s article about it back in May.

      For most NoScript users, never permanently whitelisting any sites would make for extremely frustrating browsing. There are lots of major mainstream sites that would like to run scripts from a large number of different domains, only a small subset of which are necessary for the site to be functional. Does anyone really want to have to re-identify those necessary domains and temporarily whitelist them them every new browsing session? Researching which domains are presumably safe and which are not is a time-consuming hassle, and unless you have a superb memory or are willing to maintain research notes — essentially, an external whitelist — it’s not something most users will want to have to do more than one time per domain.

      My NoScript recommendation would be to permanently whitelist necessary domains (after vetting them) on sites that you visit more than just rarely. That approach has made my browsing much faster and more enjoyable, and while it may be technically more insecure than redoing the vetting and authorizing repeatedly, I haven’t had a single browser-mediated malware problem in the many years I’ve been using NoScript. My friends and relatives whose browsing habits are no more dangerous than mine but who do not use NoScript (because “it’s too much of a hassle”) cannot say the same thing, and some of their problems have been serious.

      1. wybo said on July 11, 2015 at 1:57 pm

        I agree. I do the same thing whitelist sites I visit on a regular basis. The other I just temporarily whitelist.
        Together with Request Policy continued, HTTPS everywhere, Better Privacy. Privacy Badger, Flash Control and Ublock origin no problems whats so ever:)

  6. abcdef said on July 9, 2015 at 7:27 pm


  7. Hy said on July 9, 2015 at 3:51 pm

    Thanks, Martin! Just went through and cleaned it up. One can never be too careful… ;)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.