NoScript 10 WebExtension is out

Martin Brinkmann
Nov 21, 2017
Updated • Nov 21, 2017
Firefox, Firefox add-ons
|
46

Giorgio Maone, the developer behind the popular Firefox security add-on NoScript, released NoScript 10, the first "pure" WebExtensions version today.

NoScript 10 did not make it in time for the release of Firefox 57, the first version of the web browser that supports only WebExtensions and no longer the legacy add-on system of Firefox 56 and earlier versions.

But, the extension that is compatible with Firefox 57 and newer is out now, and users can finally install it on their devices if they have updated their systems to that version of the browser already.

Note: It won't work on Android right now, and does not work in private browsing mode either.

Giorgio released a hybrid extension of NoScript earlier this year. The main purpose of hybrid extensions was to make the migration from the legacy add-on system to the WebExtensions system as smooth as possible.

Existing NoScript users will have their settings and preferences migrated to the new version; that is good news as you don't have to configure the new version of NoScript after the update to version 10. It is still recommended to go through the preferences once to make sure they are set correctly, and to make adjustments as you see fit.

NoScript 10 is a work in progress. While it is released as a WebExtension so that it can be installed in Firefox 57 and newer versions of the web browser, it is not a complete one-to-one copy of the legacy add-on.

The main reason why that is not the case yet is that APIs are still not available that NoScript requires for some of its functionality.

NoScript 10 supports content blocking and XSS protection just like its legacy counterpart. Some parts come with improved performance thanks to the new WebExtension APIs, others still need to be implemented before they become available in NoScript 10.

The interface looks different to the previous interface, and the options lack most settings right now as well. If you open the options of NoScript 10 right now, you get only a few of them.

You can whitelist or blacklist addresses, allow scripts globally, or clear the XSS whitelist. That's about it. Features such as ClearClick or ABE are missing right now.

NoScript ships with a list of whitelisted (trusted) domains. You cannot remove these anymore, but you can change the state of them. So, setting them all to default will do the trick but it would obviously be better if you could just throw these out instead.

The main interface of the security extension has changed as well. You interact with it by clicking on its icon in the Firefox main toolbar. There you find listed all connections the current web page tried to establish, and the status of each.

Addresses are blocked by default, but you can change that by setting a domains status to trusting or untrusting. One interesting option that you have here is to allow certain content types but not others.

The option to temporarily allow a site is still there, but it is easy to miss. You need to set the domain to custom first, and then click on the small clock icon that is displayed once you do. There does not appear to be an option though to whitelist all temporarily in the frontend.

The UI is different, and while it offers more options, it is more complicated as a consequence especially since Giorgio switched from text labels to buttons, and displays information on buttons only when you hover with the mouse over an item.

Giorgio plans to maintain NoScript 5.x, the legacy add-on version of the security add-on, until Firefox ESR is moved to version 59 (at least). This happens in mid-2018. Firefox users who want to keep on using the legacy version of NoScript can do so until then, either by switching to Firefox 52 ESR, or a third-party browser such as Pale Moon or Waterfox that support legacy Firefox add-ons.

Old features, and some new ones, will be implemented in the coming weeks. Contextual permissions is the one that sounds very promising; it allows you to trust a domain only on another, e.g. trust domain A only when it is loaded on domain B, but not elsewhere.

Closing Words

NoScript 10 is finally there. That is a good thing. The new version is limited in comparison to the old however, and users who migrate to Firefox 57 or newer will have to get used to the new UI and functionality.

Those who don't, may want to check out uMatrix instead which offers similar functionality.

Now You: What's your take on the first NoScript WebExtension release?

Summary
NoScript 10 WebExtension is out
Article Name
NoScript 10 WebExtension is out
Description
Giorgio Maone, the developer behind the popular Firefox security add-on NoScript, released NoScript 10, the first "pure" WebExtensions version today.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. mra said on December 7, 2017 at 6:22 pm
    Reply

    The new version is miserable! My screen is constantly filled with huge warnings about cross-scripting and I can’t get them to stop. They show up over and over and over again even when I am still on the same site. When I paid my phone bill on AT&T this morning I must have encountered the multiple warnings 5 or 6 times. Arrrrrrrrrrgh…

  2. Anonymous said on November 27, 2017 at 10:46 pm
    Reply

    Glad that Giorgio finally updated NoScript for FF57, but it pales in comparison to its predecessor.
    1. Gone are the “temporarily allow …” options.
    2. Gone are the specific domain names – only top-level domains for most things now, so you have to trust google.com as opposed to not trusting google.com and only trusting accounts.google.com like you could previously.
    3. The new UI is pants. Any domains longer than about twenty characters get ellipsisized (…) so there’s no telling what they really are.
    I really hope future updates fix these glaring problems otherwise I’ll be looking for alternatives. Maybe even downloading and installing FF56 again from http://ftp.mozilla.org!

  3. Anonymous said on November 26, 2017 at 8:19 pm
    Reply

    prefer the old UI this one is obnoxious, what happened to the wee drop down menu with the sites and their simple buttons, why the huge menu taking up the whole screen O_o

  4. ed said on November 26, 2017 at 1:13 am
    Reply

    So to try and restore the original blocking behavior, I had to manually go through the whitelist and set everything to UNTRUSTED. Why is there not an option to do this???

  5. Greta Van Fleet said on November 25, 2017 at 5:26 pm
    Reply

    I’m going to donate to NoScript’s developers. The new NoScript is lacking in terms of ease of use and results (I assume future releases will address these concerns), but nonetheless I’m going to donate as they the developers are surely under a lot of pressure to get things working and they could use our support.

  6. Pierre said on November 24, 2017 at 6:02 pm
    Reply

    Can’t disable XSS notifications. Warnings come up constantly. Unusable.

  7. Neil J said on November 22, 2017 at 5:58 pm
    Reply

    At the moment, NoScript has gone from being useful to rather obtrusive and restrictive. It prevents useful functionality on many web pages and it isn’t as easy or as quick to access the relevant settings to tweak pages to run properly. Also, the lack of things working in private mode is a problem.

    I get that it’s a work in progress but I’ll be disabling it and looking elsewhere until it is mature enough to use properly.

  8. Charlie said on November 22, 2017 at 4:08 pm
    Reply

    I have never considered NoScript an extension for the masses; most browser users do not know the precise definitions of the words software, script, and program.

    That being said, the new UI is very counterintuitive right now, but very close to being quite good. The things I would change are:

    1) right now “temporary” is subordinate to “trusted”, so “trusted temporarily” is three clicks in. This is not optimal for most NS users, who use “trust temporarily” more than “trust”. “Trust temporarily” should be a top-level option again.

    2) right now “trust HTTPS only” is a top level option. But it only applies to some of the settings it’s lined up with (trusted and custom, it does not apply to untrusted) so it makes the control hierarchy incoherent. This should be, instead, a subordinate option to the “Trusted” and “custom” options, or else a click box in custom settings.

    I’m going to go paypal Giorgio a few quatloos for all his hard work making the web and firefox better. I hope the rest of you will consider doing the same!

  9. chromeFOX said on November 22, 2017 at 8:43 am
    Reply

    Dumb down version of the fully featured Gecko/XPCOM/XUL based NoScript, my suggestion is to use uMatrix instead!!!!

  10. rj said on November 22, 2017 at 5:13 am
    Reply

    Anyone know about NoScript 10 for Android???

  11. Anonymous said on November 22, 2017 at 3:46 am
    Reply

    How long is it safe to stay on FF 56 before its security bugs make it necessary to move to FF 57?

    1. Anonymous said on November 23, 2017 at 1:10 am
      Reply

      If you’re using NoScript and remove the default whitelist, and only use temporary whitelisting, and are careful about which sites you temporarily allowed, and make sure you toughen up the “Embedded objects” options tab, you could last even until Firefox 58 is released.

    2. joe said on November 22, 2017 at 4:03 pm
      Reply

      That just depends on what bugs are found and when. It’s safer to switch to Firefox ESR (currently version 52.5.0), but the ESR branch will only be based on FF59 by July 2, 2018, so that still only buys you a few months.

      https://wiki.mozilla.org/RapidRelease/Calendar

  12. Prophet of Hacking said on November 21, 2017 at 10:21 pm
    Reply

    Privacy/Security addon… WHOOPS! Webextensions are going to be scarce in the future.

    Pissing on the GUI is like blaming Mozilla and NOT the devs.

    Let’s keep the few extension still available in a good consideration.

    1. Barret said on November 22, 2017 at 5:55 pm
      Reply

      > Privacy/Security addon… WHOOPS! Webextensions are going to be scarce in the future.

      Obviously not, since NoScript as a WebExtension is going to reach feature parity with legacy NoScript, and go beyond that thanks to, at a minimum, containers API and per-site permissions.

  13. Hortz Mueller said on November 21, 2017 at 4:50 pm
    Reply

    You can easily remove ALL the per-populated domains in this new NS….just set them to “untrusted”, and refresh…the entire list clears in one fell swoop. Then add the ones YOU desire.

  14. User1 said on November 21, 2017 at 2:42 pm
    Reply

    Nothing can beat uMatrix :) gorhill said he only uses uBlock though, but the interface is just so much better in uMatrix.

  15. anon said on November 21, 2017 at 11:38 am
    Reply

    There’s some scathing comments about it on Reddit, people are less than impressed. Some are just plain rude.

    1. webesucks said on November 21, 2017 at 10:18 pm
      Reply

      World can be hard sometimes, but Firefox ESR can keep you happy.

  16. wybo said on November 21, 2017 at 10:45 am
    Reply

    It was weird to not being able to use no script on FF57 which I accidentally have now. It certainly is faster although I was not complaining about the speed of FF 56.0.02.
    I miss my legacy add-ons. So I will dl WaterFox and I guess I have to start all over again as I presume nothing will migrate automatically from FF 57 to WaterFox.

    1. Anonymous said on November 22, 2017 at 3:59 am
      Reply

      What are the legacy add-ons that you miss ? And in particular, what features from these add-ons ?

      1. FloridaJim said on November 25, 2017 at 5:28 pm
        Reply

        I just installed and tested the suggestion of “Disable Javascript” Add-on/WebExtension and unfortunately it works just like YesScript2, meaning it blocks all javascript including photos being loaded on the page from elsewhere. It wipes out all the photos on Daily Mail’s news site. The original YesScript Add-on is not so severe, it allows photos, though on Drudge’s site, occasionally some get blocked. I wish someone would take YesScript’s open source code and update it for FF 57 and call it YesScript3. or YesScript-Quantum or something. I’ll keep monitoring the progress of WebExtensions and stay with FF 56.0.02 in the meantime and the wonderful YesScript. Thanks.

        https://addons.mozilla.org/en-US/firefox/addon/yesscript/

      2. Anonymous said on November 23, 2017 at 1:06 am
        Reply

        The following one keeps a blacklist behind the scenes. You can’t see the list now but the feature seems planned. ( https://github.com/dpacassi/disable-javascript )

        https://addons.mozilla.org/en-GB/firefox/addon/disable-javascript/

      3. FloridaJim said on November 22, 2017 at 1:51 pm
        Reply

        For me, YesScript, a simple javascript toggle on/off blacklist. It allows scripts by default and you click the icon and put bad sites on the blacklist as you visit them and find out they’re a problem. Someone made a “YesScript2” for 57 but it is too severe and not a blacklist. I don’t want to be hassled figuring out settings. YesScript has none. I won’t leave 56.0.02 until there’s an identical replacement for YesScript.

  17. Appster said on November 21, 2017 at 10:41 am
    Reply

    You should be using uMatrix, to be honest. NoScript has some questionable connections to advertisers, much like AdBlock Plus. Ironically, it was the AdBlock Plus dev who wrote an article about it, and I have no reason to distrust it: https://adblockplus.org/blog/attention-noscript-users @NoScript users: If this is still valid, you should reconsider your choice.

    1. Anonymous said on November 22, 2017 at 3:57 am
      Reply

      NoScript is awesome. I’ve been using it for more than 10 years and I know it inside out, it’s safe.

      I also use uMatrix on a different profile, it’s not the same add-on but it’s good as well. If NoScript 10+ ends up with a good UI like uMatrix and per-site permissions (which it will), there possibly won’t be much of a reason to use uMatrix any more. (which is kind of sad in a way, I will really miss that UI) But uBlockOrigin’s developer seems to want that people stop using uMatrix and move to uBO, so he can maintain only one codebase and not worry any more about uMatrix preventing uBO’s site unbreaking feature to kick in.

    2. webesucks said on November 21, 2017 at 10:17 pm
      Reply

      huh not this again. you can remove the whitelists

    3. HLFaustus said on November 21, 2017 at 1:12 pm
      Reply

      Plus “NoScript is harmful and promotes Malware!”

      https://liltinkerer.surge.sh/noscript.html

      1. Anonymous said on November 21, 2017 at 2:10 pm
        Reply

        Making money with gangsters, about this one not new for me. Same behavior I was talking about there: https://www.ghacks.net/2017/11/16/winaero-tweaker-0-9-out-with-lots-of-new-features/

        Decidedly It seems that Ghacks can’t stop to promote that kind of developers. Shame.

  18. Keith said on November 21, 2017 at 10:23 am
    Reply

    There is no import/export option for your settings on the new version of Noscript so you have to start fresh every time which i am not willing to do so i am staying with the older 5.1.x version

    all so i had to install Waterfox instead of Firefox as Waterfox has a option to disable updates of the application three times Firefox 56.0 updated to version 57.0 and broke all my Legacy Extensions even though the Firefox package was locked in the Synaptic Package Manager in Ubuntu Linux which was very annoying

  19. Stefan said on November 21, 2017 at 9:53 am
    Reply

    Martin, does this mean that the old addons will get this UI as well or is it just Webextension ?

    1. webesucks said on November 21, 2017 at 10:16 pm
      Reply

      It is webextensions. The interface/GUI options are reduced. Devs do what they can on this mighty Webextensions “‘feature”‘

    2. leanon said on November 21, 2017 at 12:42 pm
      Reply

      You like the new UI?

    3. Martin Brinkmann said on November 21, 2017 at 10:19 am
      Reply

      Which old add-ons?

  20. leanon said on November 21, 2017 at 9:34 am
    Reply

    Take? Will need to get back with ya on that, first need to get this ol girl updated again. Good to see earthlng has an alpha out, should save alot of time.

    1. leanon said on November 21, 2017 at 12:04 pm
      Reply

      Will always be thankful to Giorgio Maone for NoScript it sure let me know just how little I knew about the real world wide web. Six months prior to running NoScript full time I must have uninstalled it a dozen times due to site breakage. But after a lot of searching and researching things finally calmed down and the world really did start looking better. Of course i’m still clueless of all the intricacies of it all but have no doubt soon this new WebExtension will be back to its former glory.

  21. Saturn09 said on November 21, 2017 at 8:25 am
    Reply

    You can do pretty much everything NoScript does in uBlock Origin (not to mention uMatrix) with dynamic filtering and 3rd party filter lists.

    https://www.wilderssecurity.com/threads/noscript-or-ublock-origin.388562/page-2#post-2618335

    Yes i’m aware that this is an apples to oranges comparison since these tools NS, UBO & uM are designed for differnet purposes however i do believe that uBlock Origin is more than enough to achive a good level of privacy/security without sacrificing cpu resources which NS (at least the XUL-based legacy version) was notorious as being very heavy on that department.

    1. webesucks said on November 21, 2017 at 10:14 pm
      Reply

      Ok, but more options are always welcome.

    2. Rick A. said on November 21, 2017 at 12:34 pm
      Reply

      @Saturn09 – Yeah, i use uBlock Origin in Advanced Medium Blocking Mode. However i would welcome a good article on a good comparison of uBlock Origin in Advanced Blocking Mode, uMatrix and NoScript, especially an up to date version comparing the web extensions. i have never actually used uMatrix or NoScript. i have always been tempted to try them but uBlock Origin in Advanced Medium Blocking Mode has been good enough to keep me from trying them.

      i remember searching for a good comparison article and couldn’t find one. if you do one Martin, it’ll definitely be a read from me, one that i could send the link to anyone who has questions about them.

      i’ve seen that Wilders Security Link before @Saturn09, don’t know if it was you that posted it on ghacks before, but i Bookmarked it this time and will read it again. Thanks.

  22. Frustrated said on November 21, 2017 at 7:48 am
    Reply

    Still can not block Javascript on accounts.google.com in FFox with NoScript like you can in Google Chrome. uMatrix blocks Javascript on accounts.google.com but it does not past the noscript flag on to accounts.google.com. I want to be able to use the old login for Google that logs one out on browser shutodown.

  23. Gavin said on November 21, 2017 at 7:27 am
    Reply

    “The interface looks different to the previous interface…”

    That’s one way to put it.

    1. Sam said on December 6, 2017 at 8:37 pm
      Reply

      One of the prime reasons I used Firefox was NoScript. I cannot intuitively understand the new UI and I am not spending hours working it out. So there is no advantage now to using Firefox over Safari.So I’ve deleted Firefox. Maybe Mozilla should have helped GM more instead of leaving him to catch up with FF57. All looks so lame.

      1. Jay said on December 11, 2017 at 9:05 pm
        Reply

        The new interface is NOT intuitively easy to use. I used to be able to go to a particular webpage and then selectively add scripts one at a time until I could display particular content I wanted. Now I can’t. New interface is may be better in some ways, but it is definitely worse in terms of workflow – you automatically enable a whole bunch of things at one click instead of one at a time. Too risky.

    2. webesucks said on November 21, 2017 at 10:13 pm
      Reply

      Say thank you mozilla for the newest features !!

  24. XenoSilvano said on November 21, 2017 at 7:13 am
    Reply

    omg, while I just received the update after initiating a check for legacy add-ons, Martin on the other hand has already written an entire article about it

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.