Firefox extension NoScript is now available for Chrome

Martin Brinkmann
Apr 12, 2019
Updated • Apr 14, 2019
Google Chrome, Google Chrome extensions

The popular Firefox security and privacy extension NoScript has been released for the Google Chrome web browser. NoScript has the sixth largest user count of all Firefox extensions at the time of writing.

Note: The developer of NoScript, Giorgio Maone, labels the Chrome port as beta currently. The Chrome extension page does not list it as such, though. A stable release is planned for the end of June 2019.

NoScript was a Firefox-exclusive extension for a very long time and one of the main reasons for security-conscious users to use Firefox instead of Chrome or other browsers.

We published several guides in the past years to highlight NoScript functionality and promote the extension: a NoScript guide covering all major features in 2014, a beginner's guide in 2016, and a guide for the WebExtensions version of NoScript.

Third parties made attempts to bring NoScript functionality to Chrome; the 2010 extension release NotScript tried that, for instance.

Mozilla paved the way for a cross-platform NoScript extension when it turned off the classic extension system in Firefox 57. The organization selected WebExtensions as the new system for Firefox which, among other things, ensured compatibility (to a degree) with Chrome extensions.

Up until now, we have seen ports of Chrome extensions to Firefox for the most part. NoScript, which was launched in 2005 (just like this blog), has been turned into a cross-platform extension fourteen years after its initial release.


Today's release marks a milestone for the extension; the Firefox and Chrome versions of NoScript share a codebase and it is possible that support for other browsers may be added in the future.

NoScript for Chrome works just like the Firefox WebExtension version for the most part. The extension adds an icon to the Chrome toolbar that indicates blocked content. A click displays connections and whether they are allowed or blocked.

You can allow connections temporarily or permanently, and make other configuration changes in the options.


There you find a list of allowed connections that you may want to go through to remove those that you don't want to allow. Our tip to check the NoScript whitelist section on first install still holds, as you may not want to allow connections to Google, Microsoft, Yahoo, and other domains owned by these companies by default.

The XSS filter, one of the main reasons for using NoScript, is not available in the Chrome version right now, because Chrome's extensions engine does not support certain features that Mozilla added to Firefox when it started to work on the WebExtensions switch.

Closing words

Support for WebExtensions in Firefox enabled compatibility with lots of Chrome extensions and options to port extensions from the browser to Firefox easily. Firefox extension ports to Chrome are rarer, but they do happen as well.

NoScript becoming available for Chrome is major news, even though functionality is limited in comparison to Firefox at this point in time.

Now You: Which security extensions do you use, and why?


Comments

  1. Osiris said on April 20, 2019 at 7:06 am
    Reply

    If I don’t lock my door 99% of the time nothing bad will probably happen, but it only takes one time for your life to be changed forever. I feel the same way about privacy and security online.

  2. Mr. Stank said on April 14, 2019 at 7:28 am
    Reply

    I have used this extension on Firefox for years now. I was wondering if there is a way on Chrome to import the custom list I have for sites that I permit to have Java enabled, on advanced options/privacy & security/content settings/Java, where I have disabled Java everywhere and only allow it on the sites/domains I trust.

    Thank you in advance.

    1. John G. said on April 16, 2019 at 11:39 am
      Reply

      The power of fear, people would install a brick in the screen if they believe it provides protection.

  3. ULBoom said on April 14, 2019 at 1:57 am
    Reply

    Tor comes with noscript built in; it messes up most sites at least a little, some don’t work at all. Some load a no javascript version which has many elements and functions missing.

    I don’t need noscript in everyday use, not concerned about java script itself, ads and tracking are addressed with other add ons.

    The way chrome spawns captchas, blocks sites and redirects when you do something it doesn’t like, I can see noscript being tried and removed a few hours later by all but the most tech savvy. That is, if it’s even allowed to remain in the store.

  4. MAONE NUMBER ONE said on April 14, 2019 at 12:03 am
    Reply

    @greg

    I USE NATURAL HERBS, SO NO DOCTORS NEEDED, THANK YOU

    1. Mactett said on April 14, 2019 at 6:50 pm
      Reply

      Excellent. And now, for a change, try to take them orally. :)

  5. John G. said on April 13, 2019 at 4:47 pm
    Reply

    Mostly the worst paranoid extension ever. Most likely “internet is more secure with the modem off”.

    1. Thorwaite said on April 16, 2019 at 4:38 pm
      Reply

      I understand John G. I really do. Surfing nearly four years with no problem, no virus, no malware–why bother using an extension like NoScript, especially when it initially requires some effort to set up?

      The problem comes when he makes idiotic slurs like calling it “the worst paranoid extension ever” and ridiculous disingenuous exaggerations like “internet is more secure with the modem off.” [It is, by the way! ;) ]

      It’s always fascinating that it bothers some people SO MUCH when other people seek to enhance their own privacy and security. Such naysayers will even go so far as to label those who care more than they do about their privacy and security as mentally ill with so-called “paranoia.”

      John G. uses the Google browser Chrome, and finds Internet Explorer perfectly fine to use as well–that tells you everything you need to know about him for the purposes of this discussion. He also thinks, wrongly, that only Google Chrome browser and no other browser provides protection and security to the user! This is a lie. He either knows this, in which case he is trolling, or he doesn’t know that he is wrong, in which case his pronouncements on this topic are false and to be disregarded. Just because something isn’t your style doesn’t mean you have the right to bash it unfairly and try to scare others away from it. NoScript is certainly NOT for every user, and especially not for most users, average users, users who don’t understand or appreciate it, users who lack patience, etc.. But for more advanced users who do understand and appreciate it and who have an attention span and patience to set it up, it’s a godsend. Other users who don’t want to bother with it–which I truly understand as well–are recommended to stick with simpler, more set-it-and-forget-it blockers such as uBlock Origin and/or Privacy Badger.

      1. John G. said on April 17, 2019 at 12:22 pm
        Reply

        With all my respect and tolerance and good words, you wrote “It’s always fascinating that it bothers some people SO MUCH when other people seek to enhance their own privacy and security.” In my opinion, it is also fascinating that it bothers some people so much when other users feel themselves safe browsing with an “extensionless” browser. There is no way to consider it trolling when my opinion is different than yours. And also I know well the history of this extension, there are lots of info about NoScript, please read yourself the bad ones also.

        “NoScript proudly calls itself a security extension advertising itself as an extension with “whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality…” Well, guess again. The author has a history of doing shady things, such as messing with AdBlock filters to whitelist ads on his own website. But what is even more serious is the fact that the author advertises on his website malware. Especially to Windows users. Every time NoScript updates itself, the users are shown the homepage of the extension. (…) Trojan.Win32.Generic!BT, Malware/Gen.Generic, Win32/SpeedUpMyPC.A potentially unwanted – just to name few.”
        https://liltinkerer.surge.sh/noscript.html
        https://news.ycombinator.com/item?id=12624000

      2. Anonymous said on April 17, 2019 at 7:15 pm
        Reply

        It’s obvious “John G.” has quite an axe to grind against NoScript and its developer Giorgio Maone. The links he posted are bullsh*t too. He just has it in for some reason for NoScript and its developer and wants to spread fear based on misinformation to try to discourage people from using it. Does he really think NoScript, or any browser extension, would be written about here on ghacks, so many times over the years, and even used personally by Martin himself, if there was anything wrong with it? Sorry, guy: I trust ghacks, not you.

      3. John G. said on April 18, 2019 at 12:26 am
        Reply

        I dislike NoScript and I won’t ever recommend it to my friends. Do you like NoScript? Ok, fine, please use it every second of your life and please write good comments everywhere. However, let people have different opinions about NoScript or any other extension, thanks. And about your last phrase “I trust ghacks, not you.”, I also trust Ghacks, and I want to thank Martin for the freedom to post comments and also for the every day work. This site has solved at least five problems for me, including fixing my W10 update problem months ago. :)

        * I have recommended this site to all my friends, so I really trust Ghacks too, and this is my last post about NoScript, it does not deserve more words from me.

    2. Cinikal said on April 14, 2019 at 11:12 am
      Reply

      It’s not paranoia if it’s true. We both know, if you regular any reputable sites (ghacks included of course) that protecting yourself and others is damn near impossible.

      1. John G. said on April 16, 2019 at 11:35 am
        Reply

        My father is using nowadays IE11 with no extension at all, surfing everywhere with the only protection of Avast Free, and he hasn’t any problem at all after long years. In my opinion, the browser should provide all protection and security to the user, and the user must be able to browse with no problem for every page. Currently, the only browser that allows this is Chrome. Noscript in Chrome is just a paper to protect a tank, useless. I won’t ever recommend it.

    3. Mr. Stank said on April 14, 2019 at 9:04 am
      Reply

      Please do not troll here. Thank you.

      1. John G. said on April 16, 2019 at 11:30 am
        Reply

        Please, tell me why do you think I am trolling. I was a former user of this extension and after a couple of months I ought to uninstall it because browsing became a real nightmare: people can’t live tweaking every single page, every single movement, every single step “for safety reasons”. Browsers should allow it, with no single extension, don’t they? I use Chrome with Nano Adblocker and Nano Defender now, near four years also in the past with Ublock Origin with no problem, no virus, no worms, no malware issues at all. Surfing and browsing everywhere. And everywhere means everywhere. So yes, I still say with no all the words the same thing I said in my post: Noscript is the worst extension for the users because the steps to face the “problems” is like putting yourself a bodyguard just to walk for the street or simply going to the cinema. I have never experienced so much disgusting experience like those couple of months using NoScript. Do you like my opinion? Fine. If not, relax and take it easy.

  6. Flotsam said on April 13, 2019 at 11:57 am
    Reply

    Given Chrome’s dominance this will go one of two ways.

    1. Designers and big hosting companies such as Wix (whose sites display absolutely nothing without JS enabled) will have to up their game and respect the choices made by the reading public.

    2. Chrome users will uninstall NoScript when confronted with so many non-functional and ugly looking sites.

    I think the latter is the most likely result. The former won’t happen because it’s an expense site owners/hosters don’t need and a skill they don’t have.

    1. Anonymous said on April 13, 2019 at 6:48 pm
      Reply

      Normal users won’t even know about Noscript

      1. Flotsam said on April 14, 2019 at 11:03 am
        Reply

        @Anonymous

        Normal users know very little.

  7. greg said on April 13, 2019 at 4:29 am
    Reply

    @MAONE’S ADEPT
    …the Doctor will see you now…

  8. S.G. said on April 13, 2019 at 4:16 am
    Reply

    Yes I LOVE noScript…I keep promising myself I’ll learn uMatrix.
    It’s possibly better for what I want to do, I’m not sure.
    I also use uBlock Origin, Cookie AutoDelete, CSS Exfil Protection, Privacy Possum & 2 Google Analytics Blockers.

    They seem to be working !!!
    I can use Firefox 60ESR to go thru Captchas again!!!

    ( ͡° ͜ʖ ͡°)

    What a relief! Maybe Google isn’t 100% dishonest right just yet.

    1. Cinikal said on April 14, 2019 at 8:16 pm
      Reply

      If you are running uBO in advanced user mode then you already have a good start on learning uMatrix.

  9. DeepWaders said on April 13, 2019 at 4:00 am
    Reply

    Pale Moon comes up a lot here on various comment threads. Replacing Noscript with eMatrix solved a recent problem for me involving frequent browser crashing. Turns out that I like it a lot better for blocking the crud while maintaining reasonable website usability. There’s been no downside other than having to set the endless blocking rules again. It’s worth it, though. Some of the worst, most obnoxiously over-designed sites can now be navigated without (as much) frustration. That’s for sites I couldn’t tweak to my satisfaction with Noscript. So now it’s eMatrix on Pale Moon and uMatrix on anything based on Chromium.

  10. Anonymous said on April 13, 2019 at 3:17 am
    Reply

    Not entirely happy about this, as the vast majority of people will think that it’s identical protection to the Firefox version when it is not, but I guess it is nonetheless still a solid tool from a trustworthy source with a good number of eyeballs on it.

  11. tuu said on April 12, 2019 at 11:47 pm
    Reply

    i see no reason to use noscript when ublock origin can do the same.

    1. Anonymous said on April 16, 2019 at 5:46 pm
      Reply

      uBlock origin can do some of the things NoScript can do, but not all. Another reason to use NoScript is that its interface is much clearer and easier to use. But there’s no problem here, as this is a false dichotomy–for those who want to, just use them both!

  12. MAONE'S ADEPT said on April 12, 2019 at 10:00 pm
    Reply

    Maone is the boss in addons or – as M0ZILLA rebranded them – extensions.

    NoScript paved the way followed by others like gorhill.

    But Maone was there, as the first man writing down rules in code…

    like Manu, like Hammurabi.

    —> ALL HAIL MAONE <—

    1. Darren said on April 13, 2019 at 9:02 am
      Reply

      Wow, good points. I was just going to say this.

    2. Anonymous said on April 13, 2019 at 3:13 am
      Reply

      Mozilla did not rebrand add-ons to extensions.

      In Mozilla’s terms, extensions (NoScript, uBlock Origin, Decentraleyes…) + themes + plugins (Flash, Silverlight…) + language packs + user scripts + search engines etc. are all collectively “add-ons”.
      Basically everything you can add to Firefox is an add-on.

      So, every extension is an add-on, but not every add-on is also an extension.

  13. Jojo said on April 12, 2019 at 9:04 pm
    Reply

    I’ve used NS for a long time. Sent them donations now and then.

    My problem with the extension is that there should be an easy way to tell what a script is up to and whether I want to allow it to run.

    Right now, all you can do is click the middle mouse button, which will open a new page that lets you look at what some net services know about the script domain. Like this for the h-bid.com script used by ghacks:

    ==============
    h-bid.com
    Security and Privacy Info

    This service is experimental and far from being complete yet.

    Currently it provides links to other resources helping to assess the security and privacy trustworthiness of h-bid.com.

    Safe Browsing Diagnostic on h-bid.com
    virustotal h-bid.com URL submission
    McAfee SiteAdvisor® rating for h-bid.com
    Talos Intelligence Reputation for h-bid.com
    Webmaster Tips Site Information about h-bid.com
    hpHost Report on h-bid.com
    URLVoid Scan on h-bid.com

    ===========

    NS has had that experimental message up for years w/o any changes.

    But the service links don’t tell you WHAT the script is trying or will do if you enable it. Much of the info is useless at best and plowing through all the info at each of these links is time consuming.

    We need more development in this area.

    1. Steve said on April 13, 2019 at 2:52 am
      Reply

      I personally swapped NoScript for uMatrix for more control.

      Now, regarding your concern, I would say a better solution would be to download the scripts (.js files) in the background and make a local database of their hashes. That database should be compared against a public repository of “safe” hashes. If a script that does not match it is loaded when you visit a website, a warning should popup letting you know if you still want to proceed. Moreover, a direct link to scan the script with VirusTotal could be provided to whitelist it manually if VirusTotal results are clean.
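
The hash-comparison scheme proposed in the comment above, as an added example (not part of the comment and not NoScript or uMatrix code). The class name, URLs and script bodies are constructed, and a plain Set stands in for the public repository of "safe" hashes.

```javascript
// Added example. All names, URLs and sample scripts are constructed.
const { createHash } = require("node:crypto");

// SRI-style digest string: "sha256-" + base64(SHA-256(body)).
function digest(body) {
  return "sha256-" + createHash("sha256").update(body, "utf8").digest("base64");
}

class ScriptVetter {
  constructor(publicSafeDigests) {
    this.safe = new Set(publicSafeDigests); // stand-in for the public "safe" repository
    this.seen = new Map();                  // local database: URL -> digest last seen
    this.approved = new Set();              // digests the user whitelisted manually
  }

  // Classify one downloaded script body before it would be allowed to run.
  check(url, body) {
    const d = digest(body);
    const previous = this.seen.has(url) ? this.seen.get(url) : null;
    this.seen.set(url, d);
    let verdict = "warn-unknown";
    if (this.safe.has(d) || this.approved.has(d)) {
      verdict = "allow";
    } else if (previous !== null && previous !== d) {
      // Same URL, different bytes, and the new bytes are not vetted.
      verdict = "warn-changed";
    }
    return { url, verdict, digest: d, previous };
  }

  // Manual whitelist step; it binds to the exact bytes, not to the URL.
  approve(d) {
    this.approved.add(d);
  }
}

function demo() {
  const lib = "function add(a,b){return a+b}";     // constructed "library" body
  const modified = lib + ";/* appended code */";    // same URL, different bytes
  const vetter = new ScriptVetter([digest(lib)]);
  const out = [];
  out.push(vetter.check("https://cdn.example/lib.js", lib).verdict);      // in public set
  out.push(vetter.check("https://cdn.example/lib.js", modified).verdict); // content drifted
  const first = vetter.check("https://site.example/app.js", "init(1)");
  out.push(first.verdict);                                                // never vetted
  vetter.approve(first.digest);                                           // user whitelists it
  out.push(vetter.check("https://site.example/app.js", "init(1)").verdict);
  // A script regenerated per request gets a new digest and warns again.
  out.push(vetter.check("https://site.example/app.js", "init(2)").verdict);
  return out;
}

console.log(demo());
```

Because every verdict binds to exact bytes, a script that is regenerated on each request never matches a stored hash, so this approach only helps for static, versioned files.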

  14. user17843 said on April 12, 2019 at 7:11 pm
    Reply

    Is there a list somewhere of commonly whitelisted domains?

    I guess around 1000 of the most common benign domains would be necessary to not make using it a pain.

    1. daveb said on April 13, 2019 at 2:30 am
      Reply

      Nah. It takes about a second to whitelist the scripts that you want to run. For sites that are frequently visited it’s plenty fast. That’s one of the nice things about using noscript in addition to something like ublock origin et al, the ui makes it fast. It’s also very enlightening sometimes to see how many garbage scripts they are loading for otherwise simplistic sites.

      1. user17843 said on April 13, 2019 at 11:07 am
        Reply

        I don’t see a point in doing all that work for browsing, javascript isn’t a problem security-wise, and performance is already increased with ad-blockers.

        It just gives people a good feeling of a “clean website”

      2. John Fenderson said on April 15, 2019 at 6:52 pm
        Reply

        @user17843: “javascript isn’t a problem security-wise”

        This is simply not true.

      3. Poida said on May 18, 2019 at 6:24 am
        Reply

        if you want a good clean feeling for sites you could always use ublock which includes blocking large media elements and cosmetic filtering based upon large collections of adblocking lists, which include cosmetic filtering. Whilst blocking javascript

        Assuming one is using ToR at the very least enabling javascript allows for fingerprinting and identity tracking and google is one of the worst because they are on next to every site which means they if you have javascript enabled for most of the sites you visit (which likely incorporate a google syndication, ad services, etc) then they can use your fingerprint to build up a database of websites you have visited for that session.

        Suppose you also login to a gmail account or some other service within that session they then associate your browsing activity to your email account (of which google knows your name, address, mobile, etc).

        Google is the biggest tracker on the planet. Sell suggestions of your interests to facebook and before you know it whatever you thought you were searching for privately, eg, switching insurance providers or banks, political persuasions, etc is passed to facebook and other providers. Before you know it you get a call from a high pressure insurance salesperson who has cork on his breath.

        This is a massive industry and these a®sew|-|oles are selling everything about you. Only individual javascript for each subdomain restricts the spread of your information.

        Check out browserleaks.com/js with both javascript disabled then enabled and you can see how it opens you up to fingerprinting.

        This is just the beginning, javascript spreads malware, performing clickjacking, XSS, CSRF are all possible with having JS enabled.

    2. John Fenderson said on April 12, 2019 at 8:13 pm
      Reply

      @user17843

      I think there’s a problem here around subjectivity. The domains you consider benign and the ones I consider benign may not be the same.

      My experience with NoScript was that it took a month or so to work out which domains I’m OK with giving which permissions to. Once that settled down, I rarely have to adjust anything.

  15. chiva said on April 12, 2019 at 6:21 pm
    Reply

    noscript should be close, umatrix is better than noscript

    1. 887 said on April 12, 2019 at 7:44 pm
      Reply

      Bro, ….don’t smoke that stuff. did not done good 4you

      1. Cinikal said on April 14, 2019 at 10:30 am
        Reply

        @887 Well said

        Do we still puff puff pass?
