NoScript Beginner's Guide
Update: We have published a new NoScript guide for Firefox 57 and newer.
This NoScript Beginner's Guide has been designed to provide new Firefox or NoScript users with information on how the browser add-on works. I published a guide for regular users in 2014 which you may find useful as well.
NoScript is a long-standing security add-on for Firefox that is rated highly on Mozilla AMO and quite popular with more than 2.3 million users.
It is often confused with ad-blockers, and while it does block ads too, it is much more than that; the ad-blocking is more of a side effect of the extension's functionality than something it has been designed for.
While there is a lot more to NoScript, its main feature is that it only lets scripts run on sites that you have allowed them to run on.
This eliminates, for instance, all third-party connections of sites you visit that load active content right away, as they all rely on scripts to function, but it may also affect scripts running locally on the site that you have visited in Firefox.
NoScript information can be displayed in several locations in the Firefox interface. I prefer mine to be displayed in a bottom toolbar, but the icon will be displayed by default in the main toolbar at the top.
It indicates whether resources have been blocked from being loaded by a red sign that is attached to the icon.
When you click on it, you see the list of sites the page you are on interacted with, and whether they are allowed to run scripts on the page or not.
Here, the red icon next to sites means that the site has been allowed to run active content which can be confusing at first.
Depending on the site in question, you may need to allow it to run active content on its own domain for it to work properly. Otherwise, you may experience issues such as broken menus, search, no downloads or other things that prevent you from interacting with it fully.
For each site listed by NoScript, you get the option to allow it temporarily or permanently.
- Allow site - whitelists the site so that it is allowed to run scripts locally or as a third-party connection.
- Temporarily allow site - whitelists the site for the session only. Close Firefox, and it will be reset to being blocked by default.
Please note that new site connections may become available once you allow sites to run scripts permanently or temporarily. For instance, if you allow googlesyndication.com, you may notice that doubleclick.com appears as a new connection after the automatic reload of the page.
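The following is an added illustration of why new connections appear after you allow a site; it is not part of the original guide and is not NoScript's code. It is a simplified model: the `news.example` page, the `ScriptPolicy` class and the `loadPage` function are assumptions made up for the example, and only the googlesyndication.com / doubleclick.com pair comes from the text above.

```javascript
// Simplified model of default-deny script blocking (added illustration, not NoScript code).
// Constructed sample page: hosts referenced by <script> tags in the page's HTML.
const PAGE_SCRIPT_TAGS = ["news.example", "googlesyndication.com"];
// Constructed: hosts a script requests only once it is actually allowed to run.
const LOADED_WHEN_RUN = { "googlesyndication.com": ["doubleclick.com"] };

class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // "Allow site"
    this.temporary = new Set(); // "Temporarily allow site"
  }
  allow(host) { this.permanent.add(host); }
  allowTemporarily(host) { this.temporary.add(host); }
  isAllowed(host) { return this.permanent.has(host) || this.temporary.has(host); }
  endSession() { this.temporary.clear(); } // browser closed: temporary entries are dropped
}

// Returns what the menu would list after a (re)load: host -> "allowed" | "blocked".
// A blocked script never runs, so the hosts it would contact stay invisible.
function loadPage(policy) {
  const menu = {};
  const queue = [...PAGE_SCRIPT_TAGS];
  while (queue.length > 0) {
    const host = queue.shift();
    if (host in menu) continue; // already listed
    const allowed = policy.isAllowed(host);
    menu[host] = allowed ? "allowed" : "blocked";
    if (allowed) queue.push(...(LOADED_WHEN_RUN[host] || []));
  }
  return menu;
}

const policy = new ScriptPolicy();
console.log(loadPage(policy)); // both listed hosts blocked, doubleclick.com not listed
policy.allowTemporarily("googlesyndication.com");
console.log(loadPage(policy)); // doubleclick.com now appears, still blocked
policy.allow("news.example");
policy.endSession();
console.log(loadPage(policy)); // only news.example stays allowed
```

Each newly listed host is still blocked by default, so allowing one site never silently allows the hosts it pulls in.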
The NoScript menu displays options to change permissions in bulk as well. You can allow or temporarily allow all sites on the page you are on, revoke all temporary permissions, or allow scripts globally, which turns off the blocking feature until you enable it again.
It is usually not a good idea to use any of those, not even for sites that don't work after changing some permissions.
The main issue that new NoScript users run into is figuring out which sites they need to allow to access a web page properly.
This can be confusing at times, especially if a site makes heavy use of content distribution networks and other third-party connections that pull libraries or other stuff that it uses to display its content to the user.
Managing the whitelist
NoScript maintains a whitelist that you can manage in the options.
- Click on the NoScript icon in Firefox and select options from the menu that opens.
- Switch to the whitelist tab.
There you find listed all addresses that are allowed permanently or temporarily. The temporary sites are listed in italics for easier recognition.
Click on any address to remove the selected site from the whitelist. NoScript ships with a list of whitelisted sites, and it is suggested to go through it to remove those that you don't want whitelisted.
There you may also import and export the whitelist, which is useful if you use Firefox on more than one computer as you can distribute it to other machines this way.
The options that NoScript provides are extensive. Here are a couple that you may want to take a look at while the options window is open.
Switch to General in the options window. There you find the reload behavior of the extension. It can be configured to automatically reload all pages open in Firefox when permissions change, or only the current tab.
Disable both to block automatic reloads.
Switch to the notifications tab. There you find options to change if and how notifications about blocked scripts are displayed to you. I prefer to disable these notifications altogether as they are displayed on the screen, but you can change when, how and for how long these are displayed on the page.
The advanced page holds several interesting options as well. The untrusted and trusted tabs on the page allow you to configure additional restrictions for these site types, for instance that bookmarklets won't run on these pages.
The HTTPS tab allows you to configure sites that you want to use a secure connection all the time, or never.
It is probably a good idea though to leave these settings for the time being until you have used the extension for a while to understand its base mechanics.
- How to use NoScript efficiently
- How to add custom site exclusions to NoScript
- NoScript Script Surrogates explained
- NoScript Links to Security and Privacy Information
- Top 6 NoScript features that you may not know about
Martin, you already wrote a better guide, why not just update it and bump?
+ NoScript is good but since plugins are dying, I see the future in uMatrix because the most benefits of noScript are the additional protection which secures plugins, cookies and such. But overall I see the future on Umatrix (for normal user).
Thanks anyway to mention this.
Personally, run both NoScript and uMatrix.
NS, because that is what the rest of the family is set up with, as it is “simple” for them to use (along with AdBlock Plus).
uMatrix on my personal computer, as even NS lets too much through, and it has subscriptions to blacklisting sites that automatically block known malicious sites. uMatrix is too complex for the rest of the family – it might work if someone else can import settings for them for the sites they regularly visit. NS wins the trade-off, for now.
Also have AB+ (because family has it), uBlock Origin (rather redundant with uMatrix, but it has that eyedropper selection tool which is nice to kill specific page objects permanently), and HTTPS Everywhere.
>as even NS lets too much through
What do you mean by that? Examples?
@peter : I think bm means that (via the menu) if you allow for example, google analytics, it’s then allowed to always run regardless of the domain you’re on. That said, even though NS under the hood can be configured to achieve this, bm finds uMatrix’s easier per site click, reload, save and forget.
I too use NS, then uBlock Origin, then uMatrix. Unlike bm, I do not have ABP, but instead use UBO’s third party filters (much smaller footprint). I do not consider UBO as “rather redundant with uMatrix” because of this functionality.
@Pants, when you state “NS, then uBlock Origin, then uMatrix.” is this a preference sequence or do you actually run all three, together?!
I run all three. If I do not let an item thru NS, then it will not even show in UBO, so I have to configure NS first. If I do not let an item thru UBO, it will not even show in uMatrix, so I need to start allowing domains thru UBO next. There is no other way to do it. Everything is on a default deny for ALL scripts and ALL third party.
uBlock Origin only here,
3rd-party frames, 3rd-party scripts, 3rd-party : blocked by default -> all outgoing is controlled, scripts included
1st-party scripts, in-line scripts : blank by default -> sites domestic data is supervised.
3rd-party filters, My filters, My rules can handle anything, domestic and outgoing.
I must miss something but I don’t see the point of adding any other defensive.
Thanks to Pants’ for his comments.
To add to what Pants had to say…uMatrix shows all the objects behind what would be one line in NS, not all of it is necessary, and there are links to websites (hosts) you wouldn’t think of when authorizing that one line in NS. A good example is YouTube, where a numeric IP address often pops up in uMatrix for authorization, yet that IP doesn’t show up in NS. This also can make using uMatrix a pain when watching YT vids, as those IP addresses are unique.
Another important feature is the subscription filters – on NS you may configure to automatically authorize the base top level domain (website) of the webpage, so you don’t have to repeatedly authorize each page you enter, but with uMatrix subscriptions, you needn’t worry as it will block known malicious sites.
About ABPlus, it is on only because it is installed on all our other family computers. It is redundant with all the rest, but it doesn’t harm anything either (other than some slight, unnoticeable overhead). If it were not for supporting the family systems, would drop NS and ABP at this point, given how robust uMatrix and uBlock O are.
Tip: Had to turn off all the “3rd party filters”, but the uBlock O’s own specific subscriptions, and selected from the uMatrix list (where they are called “host files”) the ones to use, as found issues with running 3rd party filters on both – and confusing to troubleshoot problems, given the significant overlap.
I actually appreciate having a simple explanation. Whenever anyone uses my computer (although I shudder at the thought) they always come away asking how my browser does what it does. I usually neglect to mention NoScript because it’s just too complicated for the average user.
With a beginners guide I may be able to offer it as advice!
NoScript is a must and nothing compares
Thanks for the detailed guide, Martin!
I remember four or five years back when I first tried NoScript, I couldn’t stick with it for very long, but as websites continued to become more and more convoluted, and I became more concerned with privacy and security, I kept trying NoScript again and again, then finally I came to terms with it and it became my most valued add-on. These days, I use uMatrix along with uBlock-origin, but I still have a copy of NoScript on hand along with my config backups should I want to install NoScript again. In my mind, those are the top 3 add-ons available and I can’t imagine surfing the web without one or more of them in my arsenal.
I much prefer the YesScript, which works in the opposite. It simply does nothing, until I blacklist a site from running any scripts.
You can just run NoScript in ‘Scripts Globally Allowed’ mode, which achieves this while also having filters to protect you from clickjacking, cross-site scripting, cross-zone attacks (on your router), etc…
I can’t imagine browsing a website without NoScript. It is the ultimate security tool.
But can someone make the ABE feature work for me? I have never had consistent results with it.
The support forums are at https://forums.informaction.com
I don’t get it. What is the deal about NoScript?
What is the harm for regular users, (not Pants), in running pages scripts?
What is so dangerous that makes someone install NoScript?
Unless you are Pants-paranoid, why use NoScript?
This said I believe to have a sufficiently protected browser with uBlock Origin fed by the correct filters together with system-wide soldiers. NoScript has a solid reputation but so does uBlock Origin which handles a user’s script policy rather efficiently. NoScript does more than manage scripts but for me it’s a hassle with new sites. Too heavy.
noscript is such a useless thing.
I bet pants have 3 of each kind installed on his computer:
– web script blocker
– CCleaner-like programs
and yet is careful and suspicious. LMAO.
“What is the harm for regular users, (not Pants)” : such sweet sweet sweet validation .. woohooo .. I’m not regular
Pants are a special guy everyone.
“is” or “are” whatever. what a dumb aussie/nz nickname.
I will never again use or trust NoScript, or any software written by Giorgio Maone.
The things he did in 2009 will never be forgotten and never be forgiven.
AdBlock Plus statement:
Seven years already… at the time the story had been a bad buzz for Giorgio. Bah, people forget, for most of them. Just say you’re sorry, cry a little but not too much, beg for pardon and there we go for a brand new crusade. I’m not saying forgiving is absurd but it’s often mistaken with forgetting. When the NS 2009 buzz appeared I had just dropped the add-on (like tobacco, I quit and went back on several times) and perhaps this adventure postponed my enthusiasm to reconsider installing the “marvel” even if, forgetting like many others, I did make several attempts afterwards, never successfully and always for the same reasons : too heavy, too long to check new scripts be they 1st-party or 3rd… maybe worthy if you’re the sort of Web adventurer digging in the toughest zones of the Web but otherwise more of a tank, heavy heavy heavy. Not for me but for those who suffer of the over-protection syndrome, NoScript together with uBlock Origin together with uMatrix together with AdBlock Plus together with 1, 2, 3 anti-virus plus another half-dozen anti-malware should be enough to let them sleep quietly without nightmares. I guess.
“It indicates whether resources have been blocked from being loaded by a red sign that is attached to the icon.”
You should state that this applies to the icon in the toolbar – NOT the menu (both of which you show in the image) – because in the menu list, it’s the reverse, as a toggle – that is if it has a “red sign” and says “Forbid ghacks.net”, that indicates that you are currently allowing ghacks.net, and vice versa.
I thought it was clear that I meant the icon, as I reference it in the paragraph before and after. I have added a new sentence to make that clearer.
“This eliminates all third-party connections of sites you visit right away for instance, as they all rely on scripts to function”
The quoted statement is incorrect.
Consider, for example the decade-long practice of sites embedding trackers ala
(tracking identifier is conveyed via Set-Cookie / Get-Cookie HTTP header)
noscript does NOT marshal all 3p connections; it deals only with scripts.
Right, thanks I have edited the sentence to make that clear.
NoScript is always one of the first 2-3 addons I get when reinstalling/testing etc. Couldn’t live without it. I feel naked if I browse the web without it, haha.
When i grow up i want to be like pants.
he is my hero. he knows so much stuff and chat like he is a pro.
go pants! go put some trousers on you dumb.
“I run all three. If I do not let an item thru NS, then it will not even show in UBO” dame straight `pants`
also using ABE is great too if you can get around the learning curve for that then you have a really good adversary too might not even need uMatrix but have uM the constant reload of a site to find out what broke or what you need to make a video API to load is a pain in the dick. Although i still use `uM`
The only reason I choose ublock origin over no script is because ublock has an integrated adblocker whereas noscript does not. Using noscript involves installing another adblock extension.
I wouldn’t recommend relying entirely on uBlock for security purposes. If you only care about adblocking, then sure, you can install just one extension, but for security purposes there isn’t really anything that matches all of NoScript’s advanced features.
The embedding tab says “Additional” restrictions for untrusted sites. If I leave all the boxes unchecked then what restrictions am I still left with for untrusted sites? thanks!