Firefox addon #1: NoScript

20 Jun

If you run Mozilla Firefox, or a related browser like SeaMonkey or Pale Moon, you should seriously consider installing the NoScript addon, by Giorgio Maone. If you don’t use a Firefox-related browser, then you should seriously consider doing so at least part-time, just to get the benefits of this great extension. NoScript single-handedly keeps me on Firefox.

Imagine this: You decide to eat out tonight, so you drive down the road to a restaurant. As soon as you walk in the door, a waiter ushers you to your seat, vanishes into the kitchen, and starts bringing out plates and trays of food. Before you can interrupt him and ask for a menu, he’s piled the table high. “Bon appetit!”

“But…I didn’t order any of this!” you start to say.

“Of course not. You came to us, so we served you what we think you want. Don’t worry about a thing; our kitchen has a strict hygiene policy, and the scanner at the door already charged everything to your credit card.”

You leave and try another restaurant. The same thing happens. And another. Pretty soon, you’re pushing your credit limit. Things go from bad to worse when at one restaurant, the waiter pulls a blackjack, taps you behind the ear, and you wake up missing a kidney.

If it sounds like a crazy story, it is. But it’s also similar to how your web browser normally works. You go to a site, and the site then tells your browser to download anything the site pleases; music, images, videos, or half a dozen different types of programming code. And your browser will meekly obey. Not only does this hammer your bandwidth and allow advertisers to track your movements, it even means that malicious sites can tell your browser to download and install viruses, keyloggers, and so forth. Theoretically your browser should refuse these last requests, but all it takes is a loophole in the browser, or the Flash plugin, or the Adobe Reader plugin, or the Silverlight plugin, or the Java plugin…and those vulnerabilities crop up all the time. Somehow, we’ve become accustomed to websites – even ones that we’ve never seen before – owning our browsers.

Enter NoScript.

The premise of NoScript is simple, effective, but for those who are accustomed to letting websites take control, it can be painful. It simply blocks all of the active content on all sites – handcuffing the waiter – until you’ve had a chance to look around and decide whether you want to place an order. You’ll see just static pages – text, images, stylesheets – unless and until you choose to trust the scripts, applets, videos, timers, etc, that would otherwise be running.

“But that will break practically every site that exists!” Yes and no. If you just want to read a site, you have no need for overlays that demand you click to close them before you can view the page text. You have no need for ‘hit the monkey’ advertisements. You don’t even need the page to look exactly as it was intended. You can fill in forms, complete searches, and so on, without anything active on the page. Google works fine this way; it doesn’t jump ahead and suggest keywords for you, but it will fulfil your searches without any trouble. Yes, blocking active content will alter the behavior of practically every website that exists, but depending on why you were visiting the site, that may or may not ‘break’ it.

“I tried turning off JavaScript before, and it wasn’t practical.” This much is true. Turning off JavaScript completely will break most sites where you log in to an account and do things. Likewise, disabling your Flash plugin, or your Java plugin, may give you trouble. But you see, NoScript isn’t all-or-nothing. The point of it is that you choose which sites to trust, either temporarily until you close the browser, or permanently if you know you’ll be back often. Once you’ve permanently trusted your usual sites – webmail, banking, social networking – NoScript won’t touch them any more. It’s when you’re browsing around to new, unknown places that NoScript will be blocking everything, and that’s exactly when you need that protection. That’s when you might end up somewhere unsafe, and you want to handcuff the waiter before you find out that he was carrying a weapon.

Since its initial release in 2005, NoScript has grown in size and capabilities, but stayed firmly with its basic premise. What has largely been added, apart from bug fixes, is an impressive list of protections against threats that you may or may not know about. Cross-site scripting, clickjacking, cross-site request forgery, cross-zone attacks…you might not know about them (more to come in future posts), but that’s all to the advantage of those who use them. NoScript can detect and block them.

The most common complaint about NoScript is that it blocks too much. Too paranoid, too restrictive, too much work. Those who use it regularly don’t usually feel that way. However, NoScript accommodates even those who are unready, unwilling, or unable to sign up for its full protection. It can be configured to automatically trust the exact site that you visit, while still distrusting any third-party sites (like Doubleclick) that the site might try to connect to. It can be used in a click-to-play mode, blocking only Flash movies and so forth, and allowing you to download and play them by clicking on a placeholder. It can even allow all active content – which almost switches it off – while still giving the abovementioned protections against clickjacking etc. So anyone can benefit from it, from novices to experts.

NoScript is very actively maintained by Giorgio, with bug fixes and enhancements almost weekly, and an efficient support forum at If you’re curious about it, struggling with it, or excited about it and want to improve it, your input is welcome there.

Have you ever tried NoScript? What did you think about it?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: