NoScript 5.0 add-on for Firefox released
NoScript 5.0, a popular script blocker (and more) for Firefox has just been released to the public after two release candidate build releases.
NoScript is the main reason why I'm still using Firefox as my main web browser, and not another browser.
The browser add-on is a script blocker first and foremost. It blocks any script from running on sites you visit, unless you whitelist them.
The approach makes it one of the best add-ons from a security point of view, but means that you will have to adjust website permissions regularly as sites may fail to load completely or partially due to scripts not being loaded when the site is opened in the Firefox web browser.
NoScript supports more than just script blocking though. We talked about many of those features in our NoScript beginner's guide, how to use NoScript efficiently, top six NoScript features and our NoScript guide for instance. Other tutorials of interest include explanation of script surrogates, a tutorial on adding custom site exclusions to NoScript, or checking the whitelisted sites listing.
NoScript 5.0 for Firefox
NoScript 5.0 is the extension's first step to becoming a WebExtension. Version 5.0 has been released as an embedded WebExtension.
Embedded WebExtensions allow developers to embed WebExtensions in classic Firefox add-ons. Embedded WebExtensions are designed first and foremost to aid developers in migrating legacy add-ons to WebExtensions.
Mozilla plans to end support for all legacy add-ons for Firefox with the release of Firefox 58. The browser is scheduled for a November 2017 release. Any add-on that is not ported to WebExtensions will stop working at that point.
You can find out more about embedded WebExtensions on the Mozilla Developer site.
The new NoScript 5.0 release marks an important step for the future of the add-on. While there is still work to be done to turn NoScript into a full WebExtension, the first step is completed.
The biggest change from a user perspective in NoScript 5.0 are user interface synchronization performance improvements especially on load-intensive web pages. So, performance should be a lot better on heavy pages if you are using NoScript.
NoScript 5.0 for Firefox features two additional changes besides that. The first is a fix for multi-process Firefox if more than one content process is used. This is currently only the case if you have changed the number of content processes manually in Firefox Stable. Mozilla plans to increase the number of content processes in the future though.
The second change is a new replacement for the Google Analytics script.
Firefox users can download the latest version of NoScript from Mozilla. The browser should pick up the 5.0 update automatically unless you have modified the configuration and blocked automatic update checks.
It remains to be seen how well the transition to WebExtensions will be. Mozilla is working with the NoScript developer on this which means that API support should not be an issue in this case.
Now You: Do you use NoScript?
I find it unnecessarily complicated and tiring. The normal ad-blocking addons block scripts anyway. I understand the positives it is offering, but still, so far haven’t had a problem without noscript.
Especially when you have both, no-script and ad-blocking addons, it comes to a point the browser becomes even heavier than having ad-related scripts or other being blocked.
I prefer uMatrix, even if it lacks some of the features, it has a was better ui.
You can also run uBlock in a “block all scripts globally” way. And then allow the scripts per site. Actually quite easy.
But I prefer to allow the site scripts from the start.
I always run everything in a default deny-all mode, then whitelist. I actually have NS which I have to allow first (auto-refresh), then uBO (where I may need to allow cross origin domains, and then manual refresh), and then uMatrix where the only auto-allowed is css and images – and of course then I can allow scripts on a cellular level. That CA cert cache fingerprinting, total failure for me, found zero, because it was all blocked by default in uBo which meant uMatrix never got to see it.
EuroScept1C, yup, it’s more work initially, but once you’ve set up your 500 most common websites, basically you’re set – and its a good way to learn what to block and what not to. I don’t see any of these slowing anything down, not one bit. They all offer something unique, and compliment each other (eg see my example where by default I was already defeating CA cert cache fingerprinting). NS has some nice extra expert features, uBo offers adblocking and other lists as well as cosmetic filtering, and uMatrix offers an (easier-than-NS) granular level of per domain XSS.
While this may seem nuts to some of you, and I don’t expect everyone to want to do it, don’t forget that there are always multiple profiles and multiple browsers for one off problem sites or other accounts.
Yes, I also found Noscript to be incredibly onerous to use, blocking all scripts. Instead I use uBlock Origin and block only third-party scripts by default, using its dynamic filtering scheme. I feel this is the best tradeoff between security and annoyance.
I base the judgment mostly on the site in question. If it does not work by default, I may close it right away without enabling any of the scripts to run on it. If I need to access it, I look at the scripts.
Usually, it is enough to either allow scripts to run on that domain, or on subdomains the site uses. I only enable those if the site checks out fine though or is known. So, Wikipedia is okay, but handsinyourpants.info not so much. I may research the domain before I do that, check out whois, run a quick check to see if there are reports about the site, use Virustotal, and so on.
Yes, that is work but it keeps you safe.
If that does not work either, I may open it using a proxy such as the one from Startpage to browse the site instead of enabling additional scripts.
> Embedded WebExtensions allow developers to embed WebExtensions in classic Firefox add-ons…
Note that these embedded things doesn’t support “classic” non-restartless XUL add-ons, so their scope is sort of limited…
Just tried it with Pale Moon, not fully compatible, I have to allow all scripts globally. Back to 220.127.116.11 until I remove it definitively, like it was the case for Firefox already.
Thanks for that report.
Won’t install it
in my Pale Moon browser, then.
It also means the the new FF “WebExtensions”
do NOT work at all in Pale Moon…
what are you doing to your loyal Firefox users
with perfectly working addons?
It doesn’t make sense…get it?
Pale Moon developers have made it clear that they’re not keeping step with upstream Firefox developments. Are you really surprised that WebExtensions don’t work in Pale Moon? Either you use Firefox to use Firefox extensions, or you don’t and you don’t; you can’t have your cake and eat it too.
@Andy: So why the author of NoScript is keeping Pale Moon as targetApplication in the install.rdf? This nonsense so evident for you could not be so evident for others, don’t you think?
Just a precision: since the v18.104.22.168 NoScript was already not fully compatible with PM, “reload only activ tab” is not working but I still can live without, not so important than to be forced to allow all scripts globally.
I haven’t noticed any issues with NoScript (v22.214.171.124) in Pale Moon (v27.1.2).
I am using the out-of-the-box settings though.
Thanks for that mini-No Script portal, so to speak. It’s badly needed. I use No Script, but find it incredibly user-hostile.
I find it much easier to use than Chrome’s counterpart – uMatrix.
Actually uMatrix is available for Firefox, too, and they complement each other pretty well. I use both, myself.
Right On, Mr. Brinkmann!
Start Page is the Home page for all of my Browsers . . . Love It!
I use uMatrix. Also first thing I did after installing Tor was to remove NoScript and install uBlckOrigin and uMatrix. If only it would stop installing NoScript after each update. Isn’t the NoScript dev the one who was purposely breaking ABP? Not that ABP devs are saints, but nasty practice on its behalf nonetheless.
Switched from NoScript to Umatrix. Never looked back.
Users who prefer convenience over security probably need to look elsewhere (thankfully there’s no shortage of some really good, viable alternatives), otherwise for power users once you dig into NoScipt’s options menu and get things set up the way that best suits you, it becomes kind of scary to go online using a browser without NoScript installed.
uMatrix here too, I’ve set it up on one browser, now I just export the settings and use them in other browsers. NoScript served me well before, nothing against it.
Why does your screenshot of ghacks look like that. is it because you’re an admin? i doubt it’s an add-on.
Testing the new theme. Well spotted.
NoScript is essential, and thanks for this article, really good news.
Canâ€™t understand why some have problems with it. (If you temporarily allow, for example?). On trusted sites if this was all you did for only essential scripts, would be a huge plus.
do you like not gaving favicons on tabs like in the screenshots, I’m a big fan of favicons
jupe: You can always whitelist after checking them out, or you can have some like in my post, (either/or). :)