NoScript is a powerful security add-on for the Firefox web browser that blocks the execution of scripts on websites and includes additional security features that improve protection on the Internet.
NoScript users may whitelist sites temporary or permanently, and the difference between the two is that temporary permissions are revoked while permanent remain across sessions.
The whitelist may grow over time when users start to add sites they trust to it to improve their accessibility. I have whitelisted my own site Ghacks for instance but you are free to whitelist sites you come across, for instance your favorite shopping site or news site.
NoScript ships with a default whitelist that includes internal browser pages as well as popular external websites including many Google and Microsoft properties but also PayPal, Mozilla or Yahoo. A full list of default sites is available on the official NoScript website.
This is done for convenience only and has backfired recently when security researcher Linus Särud used it to bypass its security and get code executed.
The core issue he exploited was that NoScript had googleapis.com in its whitelist which meant that all subdomains would work fine as well.
All that he had to do was reference storage.googleapis.com from any other domain to bypass NoScript's protection. The issue has been fixed in the meantime but it shows that this is problematic.
NoScript was ported to a new extensions format in 2017 to remain compatible with Firefox 57 and newer. Mozilla dropped the classic add-on system in the browser version.
The interface changed significantly in the process and so has the whitelisting management options. Here is what you need to do to manage the whitelist in recent versions of Firefox (you find the old instructions below):
NoScript displays all site permissions on the screen. If you have installed NoScript just then and there you will find only the whitelisted sites on the page. Note that it is no longer possible to remove sites from the listing.
What you can do is set the trust level to default for each of them to remove the special status that these have.
Just select "default" for each and you are done.
How to display the whitelist
Manage the sites
Even if you have never added a single site to NoScript, you will find sites listed in it. Chance is high that you may not have heard about some of them before, for instance sfx.ms, securecode.com or mootools.net.
If you are security conscious, you may remove them all for full control. Even if you don't mind a couple of sites listed there, you may want to go through the listing to remove sites you never visit or don't know at all.
The best option in my opinion is to clear the list completely and rebuild it as you use the web browser. Once you visit a site you trust you can add it to the whitelist to improve its accessibility.
You find import and export options on the page, as well as a reset button which may come in handy.
All in all though it pays to have as few sites as possible listed on the whitelist.
Now You: Have other NoScript tips? Share them in the comments below!Advertisement
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.