NoScript WebExtension update improves user interface

Martin Brinkmann
Dec 30, 2017

A new version of the Firefox security extension NoScript was released today. NoScript is the most recent WebExtensions version of NoScript.

The developer of NoScript maintains two different versions of the extension right now: NoScript 5.x, a legacy add-on for Firefox ESR and Firefox pre-57 versions, and NoScript 10.x, the WebExtensions version that is been released shortly after the release of Firefox 57.

NoScript's WebExtension launch was riddled with issues. The launch was delayed for a few days, the extension lacked some functionality because of missing WebExtension APIs, and users had trouble with the new user interface.

Giorgio Maone released updates regularly to address issues. Version 10.1.2 of NoScript added an option to allow scripts temporarily on a page, and enabled support for Firefox's private browsing mode.

One of the biggest additions is the ability to import data from previous versions of NoScript. The import functionality supports imports from legacy and WebExtension versions of the browser extension.


NoScript is the most recent version of the browser extension. It introduces improvements to the user interface among other things.

Here is a short overview of features introduced since the release of NoScript 10.1.2:

  • The size of the user interface is smaller now on the desktop.
  • Support for Quantum versions (Firefox 57) on Android.
  • Fixed Linux rendering performance issues.
  • Import functionality for Settings (compatible with NoScript 5.x) and Export functionality.
  • Reset to defaults button in options.
  • Domain label clicks open "Security and privacy info" web page (similar to middle-click in legacy NoScript).
  • Removed from default whitelist.

NoScript removes customization options from Default, Trusted and Untrusted presets in the popup. These customization options are still available on the options page though.

Another change is support for individual temporary and permanent trusted preset buttons which you can activate now directly in the popup.

The interface changes were made to improve usability and remove confusion that many users felt when they upgraded the extension to the new user interface.

Closing Words

NoScript is getting better with every update but the launch has certainly cost the extension. Users switched to other extensions or stayed with the legacy add-on by switching to Firefox ESR. That's a temporary solution only though as Firefox ESR will be updated to Firefox 60 in 2018, and that version won't support legacy extensions anymore.

Now You: Do you use NoScript, or another add-on?

Article Name
NoScript WebExtension update improves user interface
A new version of the Firefox security extension NoScript was released today. NoScript is the most recent WebExtensions version of NoScript.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Jason said on January 15, 2018 at 8:00 pm

    What theme do you use on Firefox? It looks colorful and nice.

    1. Martin Brinkmann said on January 15, 2018 at 8:09 pm
  2. Hack n' Slash said on January 13, 2018 at 8:58 pm

    Using both NoScript by Mr. MAONE AND UBlockOrigin by Gorhill for the sake of completeness in my hardened set-up.

  3. DJ Drum (Bug Team) said on January 13, 2018 at 8:54 pm

    There’s a bug! Some links (those ones underlined on more than a single line) get the yellow shiny line only on the first part, while the part on the textline below stay pitch black! MISLEADING!

  4. Kubrick said on January 9, 2018 at 2:50 pm

    why not just disable the javascript in the browser and then whitelist on a per site basis.?

    1. Tom Hawack said on January 9, 2018 at 2:59 pm

      Because most sites require javascript and that consequently the per-site (whitelist) approach is fastidious for anyone surfing further than a post-office or a bank. Because one given site may include valid, trustful scripts but also nasty ones, because either may be issued by the site as well as by a 3rd-party site.
      Nowadays if the aim is to conciliate a site’s correct page rendering and a user’s true privacy there is no other way than to fine-tune what is accepted and what is refused.

      1. Clairvaux said on January 9, 2018 at 6:30 pm

        I find that on sensitive sites such as banks or government services, there are so many necessary processes going on that the easiest is to disable entirely any blockers. I get fed up trying to guess what could possibly be dispensed with. (uMatrix here.)

      2. Messed up sites stink! SAD! said on January 13, 2018 at 9:08 pm

        Not only banks/govs. I get huge problems with music sites as soundcloud/mixcloud and growing problems with github (no rightclick available).

        …and all of that’s done ON PURPOSE to disable whatever you’re using.

      3. Tom Hawack said on January 9, 2018 at 6:56 pm

        Banking on the Web is problem-free here but regarding your comment I can testify of my experience with sites which are the interface to a contractual relationship with the user, such as banks, administration where, IMO, advertisement and especially trackers should be banned.

        A bank here in France (I won’t name it) even included Facebook with its call blocked thanks to uBlock Origin, but removed it later on.

        I also got truly annoyed when my Electricity provider (EDF here in France) required Google’s captcha when logging in, so annoyed that a 3rd-party was included in my connection, not to mention several trackers and craps. I phoned the company and finally wrote them that I’d no longer retrieve my bills on their site because their site was behaving as a whatever commercial one and that being a customer was not compatible, IMO, with the fact of having to endure ads and trackers. Many companies save considerably with not having to snail-mail their customers bills and communication, it is not to have to further endure a commercial site’s practices. Now they pay for sending the bills via snail-mail and if everyone behaved as I did then maybe would those companies think twice before establishing their web policies.

        I had to say it, I did.

  5. John Fenderson said on January 3, 2018 at 1:14 am

    Yes, I use NoScript (the web is pretty much unusable without it). I’ve decided not to use Firefox 57 or later (it gives me no benefit that matters to me, and eliminates functionality that does), so I’m using it with Waterfox.

  6. Stefan said on January 2, 2018 at 9:30 pm

    One version of the LEGACY NoScript made many sites malfunction. I went back to a prev. version of the LEGACY NoScript. Has stayed with that due to i don’t know if it becomes the sam F up if i update it again….

  7. AAA said on January 2, 2018 at 12:53 am

    I, for one, use no script whatsoever… why share your browsing data with a third-party extension/company? Isn’t exactly how Apple came on top with it’s iOS; sharing data with other apps… 🌚

    I just use strict pop-up blocking option; them popups are like your ex; always popping up everywhere. 🌚

  8. TrishTrish said on January 1, 2018 at 11:17 pm

    Noscript is suddenly blocking Amazon’s functionality in the last several hours, causing video to not play and lots of site features to fail.

  9. Clairvaux said on January 1, 2018 at 7:08 pm
  10. Clairvaux said on January 1, 2018 at 3:46 pm

    It seems there’s a whole book to write about advisable combinations of uMatrix, uBlock Origin and No Script (or their exclusive use), and all the associated settings.

    1. Tom Hawack said on January 1, 2018 at 4:04 pm

      So true, and I guess you’re pointing out an audience’s wondering. One could add a less known Firefox extension called ‘ScriptSafe’. In fact obviously as everywhere in life many tools overlap, very few perform exactly the same and consider the very same features. From there on do we add them in order to “have it all” or do we discriminate to gain efficiency at the price of missing a feature or extra-fine tuning? I’d prefer the latter approach because too much overlapping not only slows down but may as well weaken associated extensions, unless you’re a techie and know exactly what you’re doing. For instance, concerning uBlock Origin and uMatrix, I’ve read two opposed opinions, those who advise not to combine them, others that it’s a good idea to use both. In the latter case overlapping features (mainly the filters’ lists) should I guess be disabled in either of the two. Also, let’s not forget that a computer connects to the Web from elsewhere than the only browser and that consequently a system defense should not be forgotten on the ground that we mainly connect to the Web via the browser. That’s how little-old-non-techie I am sees it.

  11. Omar said on January 1, 2018 at 12:38 pm

    I think it’s far better now .

  12. Robert A. Ober said on January 1, 2018 at 4:04 am

    In how do I change the setting for Default? It is no shown on the Options page.

    Robert A. Ober

  13. kubrick said on December 31, 2017 at 8:38 pm

    is there any way to block CDN,S in ublock origin.?

    1. Rick A. said on January 1, 2018 at 2:46 am

      @kubrick – You can use uBlock Origin in Advanced Blocking Mode –

      i personally and most others as well use Advanced Medium Blocking Mode –

      Once you get going in Advanced Mode you want to get used to Dynamic Filtering –

  14. JiminFlorida said on December 31, 2017 at 6:37 pm

    Using YesScript2 on Firefox 57.0.3 (32 bit) with Private Browsing always enabled. The extension allows pages to function normally. When I hit a problem site, I simply click the icon and it auto refreshes and blocks javascript and remembers the block next time I visit that domain.The icon stays gray in normal mode, turns red on blocked sites. There are no settings, click on, click off. Simple.

  15. Anonymous said on December 31, 2017 at 6:16 pm

    > That’s a temporary solution only though as Firefox ESR will be updated to Firefox 60 in 2018, and that version won’t support legacy extensions anymore.

    Firefox 60 is indeed the next ESR, but Firefox 52 ESR will remain the dominant one until Firefox 62 is released :)

    There’s always an overlap of two versions, meaning people waiting stuff on ESR can now wait until August 28th 2018 and still benefit from security updates.

  16. leanon said on December 31, 2017 at 2:45 pm

    Unlike some of you I won’t be calling time of death. Does take a bit of getting used to, and really miss the right click context menu options but it’s still a work in progress.

    Am baffled as to where it installs to, looked all over my profile and searched for noscript in about:config but nada..

  17. wybo said on December 31, 2017 at 11:54 am

    I use No Script 5x on WaterFox (WF).. I migrated to it last week as I liked using my legacy add ons and did not care for No Script 10. Incidentally I also use Ublock Origin but it seems that what I read here that Ublock origin does almost do the same thing. A tad confusing for me. I’m just a medium knowledgeable user.

    PS When I go into options of WF and then click on security I try to tick the box ‘Remember logins for websites’ BUT I cannot seem to tick it. I tried to run WF in safe mode no luck either. Any WF user out there who can help me please.

  18. Name said on December 31, 2017 at 9:54 am

    Noscript is too complicated to use. The biggest problem is that it is difficult to whitelist ads on a site. If I whitelist a site, all ads domains are whitelisted on other sites. On the other hands, ublock and umatrix are slow. If I block an image, it first loads the image and blocks it immediately. Desirable behavior is not to load the image at all. If I disable Easylist, the blocked count increases overtime. It constantly keeps reloading and slow down the browser if I open a page long enough. Moreover, some websites can detect ublock with their first party scripts. Last, its picker is not working on websites that reloads ads every few seconds. It picks the same url, but can’t block it. I only like the Chrome built-in javascript blocker. Very fast and easy to use. Sadly, Mozilla executives don’t get it.

    1. gorhill said on December 31, 2017 at 4:41 pm

      > On the other hands, ublock and umatrix are slow. If I block an image, it first loads the image and blocks it immediately.

      That is just false.

      If an image is blocked through dynamic or static network filtering, the request to the remote server is not even made. No request = no response, no response = nothing to load.

      Also, the block count on the badge is just a counter, it’s completely unrelated to how much memory or CPU cycle uBO uses. I’ve run benchmark where the count reached 100K (Tweetdeck), and uBO was still running efficiently, as expected.

  19. Gavin said on December 31, 2017 at 3:21 am

    As others have mentioned, I use uBlock Origin in Medium mode.

  20. chromefox said on December 31, 2017 at 2:21 am

    Still far from the intuitiveness,userfriendly, and customizablity of the pre-Chrome/Webext version….

    RIP NoScript…. You keep crashing Firefox and Memoryleaks gets worst when used.

  21. David said on December 30, 2017 at 10:55 pm

    I dropped NoScript back in April, when it made browsing almost unusable because of complications between what it did and the transition work being done in Firefox.

    I had already switched from AdBlock+ to uBlock Origin the year before, and found that I honestly couldn’t think of a reason that I needed to re-add NoScript to my extension collection. Add to that the horrible introduction of NoScript 10, and I’m just not even bothering.

  22. Jim Crown said on December 30, 2017 at 7:31 pm

    I use the script blocker that comes within uBlock Origin. No need for addicional extensions.

  23. JahFox said on December 30, 2017 at 7:24 pm

    The more addon you use, the more vulnerable you are.
    Stick with uBlock Origin in medium mode and you won’t need anything else.

    1. Getup Standup said on January 13, 2018 at 9:02 pm

      That’s a semplification.
      That’s an option that works well (but not the only one).

  24. basicuser said on December 30, 2017 at 7:11 pm

    Use NoScript with Firefox (still with 50.1.0) but moved to Pale Moon and JS Switch. It’s simpler to toggle scripts on/off with JS Switch as needed. Also use uBlock Origin, and uMatrix to fine tune sites that need Javascript.

  25. oz said on December 30, 2017 at 6:49 pm

    This new release is the first one I’ve been able to use since leaving version 5 behind. I had to play around with it a bit to get the hang of it, but it seems to work pretty well, thus far.

  26. Jack said on December 30, 2017 at 6:48 pm

    After using NoScript for years, I switched to uMatrix to avoid the recent growing pains and stayed for all the extra features. It has just about everything NoScript does, plus:
    – Significantly better UI, with the color-coded grid/matrix layout making it far easier to use.
    – Allow 1st-party scripts by default (if you want), meaning more sites ‘just work’ while still blocking 3rd party garbage.
    – Block more than just scripts – there are also categories for images, media / Flash, iframes, XHR / AJAX, etc.
    – Automatically import blacklists managed by trusted 3rd parties, like AdBlockPlus does with EasyList.
    – Allow specific 3rd parties based on the site you’re on. So, for instance, you can allow ads on Ghacks or Twitter embeds on CNN but block them everywhere else by default. This was huge for me!
    – Watch a list of requests uMatrix allows/blocks in real-time so you know what it’s doing. Great for figuring out why a site isn’t working quite right with the rules you’ve created.

    NoScript does offer some features uMatrix doesn’t, such as XSS and Clickjack protection, but it’s hard to justify sticking with NoScript when it lacks so many other features. And you could still leave NoScript installed with all features turned off except for those, using uMatrix for everything else.

    1. Anonymous said on January 1, 2018 at 3:18 am

      > NoScript does offer some features uMatrix doesn’t, such as XSS and Clickjack protection
      > Buzzwords.
      > Clickjacking = Blocking third party frames
      > As far as XSS is concerned, there are a myriad of techniques for it, most of which rely on scripts, frames and browser exploits (one could in theory execute JavaScript via HTML IMG tags, but browsers no longer allow that to happen).
      > The only thing NoScript has on uMatrix (which does not make up for its deficiencies and lower performance) is the feature referred to as ‘surrogate scripts’. Essentially mirroring a library, or a modified version of a given library (e.g. mootools, or jquery). uBlock used to have this.

      1. Zorg said on January 1, 2018 at 1:52 pm

        If you allow XHR or frames with uMatrix, you are exposed to things like XSS or clickjacking or DNS rebinding or a myriad other attacks.

        uMatrix is just block/allow. It doesn’t offer any protection when shit is allowed, which it has to be to some extent. NoScript does.

        These add-ons don’t quite overlap, one is a fine grained content blocker that just happens to increase security, the other is a security tool that just happens to block content fine grained-ly.

    2. Zorg said on January 1, 2018 at 2:29 am

      Just to set things straight.
      – Yes uMatrix UI is better
      – NoScript can do that
      – NoScript can do that
      – uMatrix can’t do that, it’s not EasyList type filters, just pre-set domain blacklists, not useful per se if you deny by default. (Still useful to reduce “allow” mistakes or if you setup less restrictive global rules)
      – NoScript can do that
      – Only uMatrix has a logger indeed, but it’s not a problem since you’ll have uBlock Origin installed whether you use uMatrix or NoScript anyway, and uBO has a very similar logger already.

      NoScript has script surrogates, which allow you to have sites working without enabling JS. Reducing the need to enable JS is valuable. In fact you can inject whatever JS you want wherever you want with script surrogates. (uBO has “neutered scripts” but they don’t work with uMatrix installed and are less flexible.)

      If you don’t use uMatrix properly, NoScript is more secure because it does more than just block/allow, there’s still protection even when stuff is allowed. If you use uMatrix properly, it is IMO better than current NoScript because NoScript is still crippled, though it regains features on each update.

      I am very partial to uMatrix because I’m in love with the UI, but NoScript should not be underestimated. When it will be back full force I may have to come back to NoScript on my main profile. I kind of hope that won’t have to happen though, but I miss script surrogates in particular.

  27. Tony said on December 30, 2017 at 6:44 pm

    I stopped using noscript when I’ve discovered Ublock Origin in medium mode.

    1. Jason said on December 31, 2017 at 6:53 pm

      Yeah, me too. This is really all I need, plus it means less site breakage and fewer interactions with the addon settings.

      There’s a lesson in here for anybody in business: customers / users can abandon your product with astonishing speed if you roll something out that they don’t like. We’re not talking months but hours – perhaps even minutes. I had been a dedicated NoScript user for a decade, but all it took was one look at the new version to send me scouring for alternatives. Obviously I wasn’t the only one, either, because NoScript’s rating on AMO dropped measurably within just a few days.

    2. Sfer said on December 31, 2017 at 12:09 am

      Tony –
      How do you set Ublock Origin
      in “medium mode”?.
      (could not find the Setting for that…).

      1. HansS said on December 31, 2017 at 9:28 am

        Raymond Hill describes the settings for medium mode here:
        Edit: Just seen, Gavin already mentioned it below.

  28. Ron said on December 30, 2017 at 6:35 pm

    I still use NoScript. I’m using the latest version 5 on Firefox ESR and Basilisk, and an older version on Pale Moon. It would be great if someone would fork it from version 5 since the developer is going to drop it when the next Firefox ESR version comes out.

    By the way Martin, your website still doesn’t render correctly for me in Pale Moon. Is UA sniffing going on?

    1. Tom Hawack said on December 31, 2017 at 9:04 pm

      Using uBlock Origin (‘hard mode” = block all and authorize one by one), showing domains connected : 1 out of 5, which is (www and cdn) No issue.

      I’m sorry for filtering the ads, Martin, I know gHacks relies on them. But I’d have to make an exception with uBlock on Firefox and PeerBlock, Hosts file and DNSCrypt domain and addresses blacklists at the OS level to let those ads make their way. No offense. I understand the problematic but impacts of lowering my system defenses are so high that I just won’t engage myself on that path. Not to mention the users who decide to allow those ads and those who simply live with them (for the best and for the worse).

    2. gorhill said on December 31, 2017 at 4:26 pm

      I can get the site to look like this if I block CSS resources from

    3. LongTimeLurker said on December 31, 2017 at 8:02 am

      I have to modify my earlier comment about “Besides the funny rendering it also doesn’t show the black bar across the bottom of the screen that says “We use cookies to ensure that we give you the best experience, …. blah blah blah” with the blue OK button, when I’ve blocked that IP.”
      The bar is still shown on the page but it doesn’t float at the bottom of the screen anymore, it’s clear at the bottom of the page and you have to scroll all the way down to see it.
      Hope this helps.

    4. LongTimeLurker said on December 31, 2017 at 7:52 am

      On my end, the strange rendering happens when I’ve blocked “R & D Technologies, LLC” IP
      That IP is one that included in PeerBlock.
      If it’s unblocked everything renders just fine.
      Besides the funny rendering it also doesn’t show the black bar across the bottom of the screen that says “We use cookies to ensure that we give you the best experience, …. blah blah blah” with the blue OK button, when I’ve blocked that IP.

    5. Anonymous said on December 31, 2017 at 4:24 am

      If you have an adblocker, disable it for, or search for $webrtc in your adblocker and uncheck it.

    6. Martin Brinkmann said on December 30, 2017 at 6:49 pm

      Can you post a screenshot please?

      1. G-Flex said on January 4, 2018 at 12:28 pm

        @Ron What operating system is that?

      2. Ron said on December 30, 2017 at 7:47 pm

        The weird thing is after I post a comment, then your site renders just fine. But the next day (or if I clean out the browser’s cache) it goes back to not rendering properly.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.