NoScript configuration

26 Jun

NoScript is a complex piece of software, with lots of settings visible (and even more hidden away for geek eyes only). Most of the time, the defaults do a good job, but for those who are interested, here’s a summary of what you’ll find in the options dialog.

General tab:

  • Temporarily allow top-level sites by default: This tells NoScript to automatically trust sites that you visit (but not third-party sites). This reduces your security, but also reduces the amount of work needed to fix sites that are broken. You can also specify how strict to be, eg if you visit, can it automatically run scripts from (since they’re both, or does it have to be an exact match?
    I like maximum security, so I leave this off. But if you really want more convenience, then this setting may be for you.
  • Open permissions menu when mouse hovers over NoScript’s icon: This is fairly self-explanatory. Personally I turn this off too, so that I don’t accidentally open the menu, but it’s switched on by default and it does make things faster.
  • Left clicking on NoScript toolbar button toggles permissions for current top-level site: This is another feature aimed at speeding up menu access. With this switched on, you can tell NoScript to trust the site that you’re at (but not third parties) just by clicking on the NoScript icon, without even using the menu. Again, you can decide how strict to be.
  • Automatically reload affected pages when permissions change: When you trust a site (or revoke that trust), nothing changes until you reload the page. This setting tells NoScript to do it automatically, which makes sense. It’s enabled by default.
  • Allow sites opened through bookmarks: For those who usually use bookmarks to access their favorite sites, this is a way of managing your permissions. If you visit a site via a bookmark, this tells NoScript to trust it. Personally I haven’t had much use for it, because if I had used a site for long enough to bookmark it, I would probably have allowed it already. But some people might work differently.
  • Scripts Globally Allowed (dangerous): This tells NoScript to trust every site. It’s almost the same as switching NoScript off, but there are still some protections that apply even on trusted sites. It’s marked dangerous for a reason, although it’s worth noting that this is still safer than the regular situation without NoScript. Remember the restaurant story?

Whitelist tab: As per the description at the top of this tab, it lists all of the sites that you have chosen to trust. You can also add and remove entries, or export the whole list to a file (and import it again).

Embeddings tab:

  • Additional restrictions for untrusted sites: NoScript always blocks scripting languages (such as JavaScript and VBScript) on untrusted sites, but it can also block other objects like Flash movies and Java applets, because they can be a security risk too. I block everything listed here.
  • Apply these restrictions to whitelisted sites too: By default, this is off. If you enable it, then objects like Flash and Java will be blocked even on trusted sites. You can still play them by clicking on the placeholder that NoScript gives you. This setting is useful in two situations: either you want to trust all sites, but block objects until you click on them (like the FlashBlock addon), or else you’re paranoid and want to stay in control at all times. I usually enable it :).

The remaining options are for trusted sites only.

  • Block every object coming from a site marked as untrusted. This is mostly relevant if you haven’t already blocked every kind of object on untrusted sites. Let’s say that you haven’t checked the box to block Flash, so Flash is allowed even on untrusted sites. If a trusted site tries to include a Flash movie from an untrusted site, this is considered to be an extra risk. So, this setting allows you to block it in that situation.
  • Forbid WebGL: WebGL technology has been found to be a security risk if sites are allowed to run JavaScript. This makes it harmless on untrusted sites (where JavaScript is blocked), but theoretically, a trusted site could use it to attackĀ  you. If you’re the paranoid type, and don’t really trust even the sites that you trust, then you can block it.
  • No placeholder for objects coming from sites marked as untrusted: This is cosmetic, for if you want your pages to look cleaner (with less placeholders for blocked objects). I don’t bother with it myself.
  • Ask for confirmation before temporarily unblocking an object: When you click on a placeholder, you get a dialog box asking you to confirm it. This is useful if you think you might click on one by accident, or if a site tries to tamper with your mouse and make you click on things you didn’t intend. However, if the dialog box bothers you, you can turn it off.
  • Collapse blocked objects: This hides blocked objects, to make the page cleaner (but it means that you won’t be able to click on the placeholders).
  • ClearClick protection on pages: This is a very valuable protection that works even if you trust every site. It warns you when you click on something invisible or obscured, which could mean that the site you’re on is trying to trick you.

Appearance tab: This allows you to choose which icons and menu items will appear. Of particular note is the ability to control how strict the menu items will be (eg allowing just vs allowing everything from

Notifications tab: This allows you to choose which alerts you’ll see from NoScript’s various activities. Of particular note is Display the release notes on updates, which opens the NoScript homepage each time NoScript is updated. Since NoScript is very actively maintained and updated frequently, many people want to turn this off.

For details of the Advanced tab, your best source is the NoScript website.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: