NoScript WebExtension update improves user interface
A new version of the Firefox security extension NoScript was released today. NoScript 10.1.6.2 is the most recent WebExtensions version of NoScript.
The developer of NoScript maintains two different versions of the extension right now: NoScript 5.x, a legacy add-on for Firefox ESR and Firefox pre-57 versions, and NoScript 10.x, the WebExtensions version that is been released shortly after the release of Firefox 57.
NoScript's WebExtension launch was riddled with issues. The launch was delayed for a few days, the extension lacked some functionality because of missing WebExtension APIs, and users had trouble with the new user interface.
Giorgio Maone released updates regularly to address issues. Version 10.1.2 of NoScript added an option to allow scripts temporarily on a page, and enabled support for Firefox's private browsing mode.
One of the biggest additions is the ability to import data from previous versions of NoScript. The import functionality supports imports from legacy and WebExtension versions of the browser extension.
NoScript 10.1.6.2 is the most recent version of the browser extension. It introduces improvements to the user interface among other things.
Here is a short overview of features introduced since the release of NoScript 10.1.2:
- The size of the user interface is smaller now on the desktop.
- Support for Quantum versions (Firefox 57) on Android.
- Fixed Linux rendering performance issues.
- Import functionality for Settings (compatible with NoScript 5.x) and Export functionality.
- Reset to defaults button in options.
- Domain label clicks open "Security and privacy info" web page (similar to middle-click in legacy NoScript).
- Removed Yandex.st from default whitelist.
NoScript 10.1.6.2 removes customization options from Default, Trusted and Untrusted presets in the popup. These customization options are still available on the options page though.
Another change is support for individual temporary and permanent trusted preset buttons which you can activate now directly in the popup.
The interface changes were made to improve usability and remove confusion that many users felt when they upgraded the extension to the new user interface.
NoScript is getting better with every update but the launch has certainly cost the extension. Users switched to other extensions or stayed with the legacy add-on by switching to Firefox ESR. That's a temporary solution only though as Firefox ESR will be updated to Firefox 60 in 2018, and that version won't support legacy extensions anymore.
Now You: Do you use NoScript, or another add-on?
I still use NoScript. I’m using the latest version 5 on Firefox ESR and Basilisk, and an older version on Pale Moon. It would be great if someone would fork it from version 5 since the developer is going to drop it when the next Firefox ESR version comes out.
By the way Martin, your website still doesn’t render correctly for me in Pale Moon. Is UA sniffing going on?
Can you post a screenshot please?
The weird thing is after I post a comment, then your site renders just fine. But the next day (or if I clean out the browser’s cache) it goes back to not rendering properly.
@Ron What operating system is that?
If you have an adblocker, disable it for ghacks.net, or search for $webrtc in your adblocker and uncheck it.
On my end, the strange rendering happens when I’ve blocked “R & D Technologies, LLC” IP 22.214.171.124:443
That IP is one that included in PeerBlock.
If it’s unblocked everything renders just fine.
The bar is still shown on the page but it doesn’t float at the bottom of the screen anymore, it’s clear at the bottom of the page and you have to scroll all the way down to see it.
Hope this helps.
I can get the site to look like this if I block CSS resources from cdn.ghacks.net.
Using uBlock Origin (‘hard mode” = block all and authorize one by one), showing domains connected : 1 out of 5, which is ghacks.net (www and cdn) No issue.
I’m sorry for filtering the ads, Martin, I know gHacks relies on them. But I’d have to make an exception with uBlock on Firefox and PeerBlock, Hosts file and DNSCrypt domain and addresses blacklists at the OS level to let those ads make their way. No offense. I understand the problematic but impacts of lowering my system defenses are so high that I just won’t engage myself on that path. Not to mention the users who decide to allow those ads and those who simply live with them (for the best and for the worse).
I stopped using noscript when I’ve discovered Ublock Origin in medium mode.
How do you set Ublock Origin
in “medium mode”?.
(could not find the Setting for that…).
Raymond Hill describes the settings for medium mode here:
Edit: Just seen, Gavin already mentioned it below.
Yeah, me too. This is really all I need, plus it means less site breakage and fewer interactions with the addon settings.
There’s a lesson in here for anybody in business: customers / users can abandon your product with astonishing speed if you roll something out that they don’t like. We’re not talking months but hours – perhaps even minutes. I had been a dedicated NoScript user for a decade, but all it took was one look at the new version to send me scouring for alternatives. Obviously I wasn’t the only one, either, because NoScript’s rating on AMO dropped measurably within just a few days.
After using NoScript for years, I switched to uMatrix to avoid the recent growing pains and stayed for all the extra features. It has just about everything NoScript does, plus:
– Significantly better UI, with the color-coded grid/matrix layout making it far easier to use.
– Allow 1st-party scripts by default (if you want), meaning more sites ‘just work’ while still blocking 3rd party garbage.
– Block more than just scripts – there are also categories for images, media / Flash, iframes, XHR / AJAX, etc.
– Automatically import blacklists managed by trusted 3rd parties, like AdBlockPlus does with EasyList.
– Allow specific 3rd parties based on the site you’re on. So, for instance, you can allow ads on Ghacks or Twitter embeds on CNN but block them everywhere else by default. This was huge for me!
– Watch a list of requests uMatrix allows/blocks in real-time so you know what it’s doing. Great for figuring out why a site isn’t working quite right with the rules you’ve created.
NoScript does offer some features uMatrix doesn’t, such as XSS and Clickjack protection, but it’s hard to justify sticking with NoScript when it lacks so many other features. And you could still leave NoScript installed with all features turned off except for those, using uMatrix for everything else.
Just to set things straight.
– Yes uMatrix UI is better
– NoScript can do that
– NoScript can do that
– uMatrix can’t do that, it’s not EasyList type filters, just pre-set domain blacklists, not useful per se if you deny by default. (Still useful to reduce “allow” mistakes or if you setup less restrictive global rules)
– NoScript can do that
– Only uMatrix has a logger indeed, but it’s not a problem since you’ll have uBlock Origin installed whether you use uMatrix or NoScript anyway, and uBO has a very similar logger already.
NoScript has script surrogates, which allow you to have sites working without enabling JS. Reducing the need to enable JS is valuable. In fact you can inject whatever JS you want wherever you want with script surrogates. (uBO has “neutered scripts” but they don’t work with uMatrix installed and are less flexible.)
If you don’t use uMatrix properly, NoScript is more secure because it does more than just block/allow, there’s still protection even when stuff is allowed. If you use uMatrix properly, it is IMO better than current NoScript because NoScript is still crippled, though it regains features on each update.
I am very partial to uMatrix because I’m in love with the UI, but NoScript should not be underestimated. When it will be back full force I may have to come back to NoScript on my main profile. I kind of hope that won’t have to happen though, but I miss script surrogates in particular.
> NoScript does offer some features uMatrix doesn’t, such as XSS and Clickjack protection
> Clickjacking = Blocking third party frames
> The only thing NoScript has on uMatrix (which does not make up for its deficiencies and lower performance) is the feature referred to as ‘surrogate scripts’. Essentially mirroring a library, or a modified version of a given library (e.g. mootools, or jquery). uBlock used to have this.
If you allow XHR or frames with uMatrix, you are exposed to things like XSS or clickjacking or DNS rebinding or a myriad other attacks.
uMatrix is just block/allow. It doesn’t offer any protection when shit is allowed, which it has to be to some extent. NoScript does.
These add-ons don’t quite overlap, one is a fine grained content blocker that just happens to increase security, the other is a security tool that just happens to block content fine grained-ly.
This new 10.1.6.2 release is the first one I’ve been able to use since leaving version 5 behind. I had to play around with it a bit to get the hang of it, but it seems to work pretty well, thus far.
The more addon you use, the more vulnerable you are.
Stick with uBlock Origin in medium mode and you won’t need anything else.
That’s a semplification.
That’s an option that works well (but not the only one).
I use the script blocker that comes within uBlock Origin. No need for addicional extensions.
I dropped NoScript back in April, when it made browsing almost unusable because of complications between what it did and the transition work being done in Firefox.
I had already switched from AdBlock+ to uBlock Origin the year before, and found that I honestly couldn’t think of a reason that I needed to re-add NoScript to my extension collection. Add to that the horrible introduction of NoScript 10, and I’m just not even bothering.
Still far from the intuitiveness,userfriendly, and customizablity of the pre-Chrome/Webext version….
RIP NoScript…. You keep crashing Firefox and Memoryleaks gets worst when used.
As others have mentioned, I use uBlock Origin in Medium mode.
> On the other hands, ublock and umatrix are slow. If I block an image, it first loads the image and blocks it immediately.
That is just false.
If an image is blocked through dynamic or static network filtering, the request to the remote server is not even made. No request = no response, no response = nothing to load.
Also, the block count on the badge is just a counter, it’s completely unrelated to how much memory or CPU cycle uBO uses. I’ve run benchmark where the count reached 100K (Tweetdeck), and uBO was still running efficiently, as expected.
I use No Script 5x on WaterFox (WF).. I migrated to it last week as I liked using my legacy add ons and did not care for No Script 10. Incidentally I also use Ublock Origin but it seems that what I read here that Ublock origin does almost do the same thing. A tad confusing for me. I’m just a medium knowledgeable user.
PS When I go into options of WF and then click on security I try to tick the box ‘Remember logins for websites’ BUT I cannot seem to tick it. I tried to run WF in safe mode no luck either. Any WF user out there who can help me please.
Unlike some of you I won’t be calling time of death. Does take a bit of getting used to, and really miss the right click context menu options but it’s still a work in progress.
Am baffled as to where it installs to, looked all over my profile and searched for noscript in about:config but nada..
> That’s a temporary solution only though as Firefox ESR will be updated to Firefox 60 in 2018, and that version won’t support legacy extensions anymore.
Firefox 60 is indeed the next ESR, but Firefox 52 ESR will remain the dominant one until Firefox 62 is released :)
There’s always an overlap of two versions, meaning people waiting stuff on ESR can now wait until August 28th 2018 and still benefit from security updates.
is there any way to block CDN,S in ublock origin.?
@kubrick – You can use uBlock Origin in Advanced Blocking Mode – https://github.com/gorhill/uBlock/wiki/Blocking-mode
i personally and most others as well use Advanced Medium Blocking Mode – https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
Once you get going in Advanced Mode you want to get used to Dynamic Filtering – https://github.com/gorhill/uBlock/wiki/Dynamic-filtering
In 10.1.6.2 how do I change the setting for Default? It is no shown on the Options page.
Robert A. Ober
I think it’s far better now .
It seems there’s a whole book to write about advisable combinations of uMatrix, uBlock Origin and No Script (or their exclusive use), and all the associated settings.
So true, and I guess you’re pointing out an audience’s wondering. One could add a less known Firefox extension called ‘ScriptSafe’. In fact obviously as everywhere in life many tools overlap, very few perform exactly the same and consider the very same features. From there on do we add them in order to “have it all” or do we discriminate to gain efficiency at the price of missing a feature or extra-fine tuning? I’d prefer the latter approach because too much overlapping not only slows down but may as well weaken associated extensions, unless you’re a techie and know exactly what you’re doing. For instance, concerning uBlock Origin and uMatrix, I’ve read two opposed opinions, those who advise not to combine them, others that it’s a good idea to use both. In the latter case overlapping features (mainly the filters’ lists) should I guess be disabled in either of the two. Also, let’s not forget that a computer connects to the Web from elsewhere than the only browser and that consequently a system defense should not be forgotten on the ground that we mainly connect to the Web via the browser. That’s how little-old-non-techie I am sees it.
Another uMatrix guide :
Noscript is suddenly blocking Amazon’s functionality in the last several hours, causing video to not play and lots of site features to fail.
I, for one, use no script whatsoever… why share your browsing data with a third-party extension/company? Isn’t exactly how Apple came on top with it’s iOS; sharing data with other apps… ðŸŒš
I just use strict pop-up blocking option; them popups are like your ex; always popping up everywhere. ðŸŒš
One version of the LEGACY NoScript made many sites malfunction. I went back to a prev. version of the LEGACY NoScript. Has stayed with that due to i don’t know if it becomes the sam F up if i update it again….
Yes, I use NoScript (the web is pretty much unusable without it). I’ve decided not to use Firefox 57 or later (it gives me no benefit that matters to me, and eliminates functionality that does), so I’m using it with Waterfox.
Nowadays if the aim is to conciliate a site’s correct page rendering and a user’s true privacy there is no other way than to fine-tune what is accepted and what is refused.
I find that on sensitive sites such as banks or government services, there are so many necessary processes going on that the easiest is to disable entirely any blockers. I get fed up trying to guess what could possibly be dispensed with. (uMatrix here.)
Banking on the Web is problem-free here but regarding your comment I can testify of my experience with sites which are the interface to a contractual relationship with the user, such as banks, administration where, IMO, advertisement and especially trackers should be banned.
A bank here in France (I won’t name it) even included Facebook with its call blocked thanks to uBlock Origin, but removed it later on.
I also got truly annoyed when my Electricity provider (EDF here in France) required Google’s captcha when logging in, so annoyed that a 3rd-party was included in my connection, not to mention several trackers and craps. I phoned the company and finally wrote them that I’d no longer retrieve my bills on their site because their site was behaving as a whatever commercial one and that being a customer was not compatible, IMO, with the fact of having to endure ads and trackers. Many companies save considerably with not having to snail-mail their customers bills and communication, it is not to have to further endure a commercial site’s practices. Now they pay for sending the bills via snail-mail and if everyone behaved as I did then maybe would those companies think twice before establishing their web policies.
I had to say it, I did.
Not only banks/govs. I get huge problems with music sites as soundcloud/mixcloud and growing problems with github (no rightclick available).
…and all of that’s done ON PURPOSE to disable whatever you’re using.
There’s a bug! Some links (those ones underlined on more than a single line) get the yellow shiny line only on the first part, while the part on the textline below stay pitch black! MISLEADING!
Using both NoScript by Mr. MAONE AND UBlockOrigin by Gorhill for the sake of completeness in my hardened set-up.
What theme do you use on Firefox? It looks colorful and nice.
Hi Jason, it is the Quantum Lights theme: https://addons.mozilla.org/de/firefox/addon/quantum-lights-dynamic/