| Stable release | 22.214.171.124 / April 30, 2013 |
| Operating system | Microsoft Windows, GNU/Linux, and Mac OS X |
| Available in | 45 languages |
Security and usage 
Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content as well helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat and so on. NoScript will replace these blocked elements with a placeholder icon. Clicking on this icon enables the element.
NoScript takes the form of a toolbar icon or status bar icon in Firefox. It appears on every website to indicate whether NoScript has blocked or allowed scripts on the page being viewed. Clicking on the NoScript icon, or (since version 2.0.3rc1) hovering the mouse cursor over it, gives the user the option to allow or forbid script execution.
NoScript may also provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks and DNS rebinding, with specific countermeasures which work independently from script blocking.
Site matching and whitelisting 
Scripts (and other blockable elements) are allowed or blocked based on the origin from which they are fetched. Very often, this origin is not identical to the URL displayed in the address field of the web page (main page), because many web pages fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify a blocking policy for the main address and for each of the sources separately.
No scripts are executed if the address of the main page is untrusted. Once any source is marked as trusted, NoScript will regard it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.
The possibility to allow scripts coming from a certain source only for specific main page locations has been frequently requested but is not yet easy to configure. It may be achieved by configuring the built-in ABE module to fine-tune cross-site resource access.
For each source, the exact address, exact domain, or parent domain can be specified. By enabling a domain (e.g. mozilla.org), all its subdomains are implicitly enabled (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. HTTP and HTTPS). By enabling an address (protocol://host, e.g. http://www.mozilla.org), its subdirectories are enabled (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but neither its domain ancestors nor its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.
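The matching rules above, as an added illustration that is not NoScript's own code: a bare domain entry covers the domain and every subdomain under any protocol, while an address entry covers one protocol and host plus the paths below it, and nothing above or beside it.

```javascript
// Added illustration of the whitelist matching rules described above; this is
// not NoScript's own code. A whitelist entry is either a bare domain
// ("mozilla.org": the domain and all its subdomains, any protocol) or an
// address ("http://www.mozilla.org": that protocol and host, plus everything
// below its path, but not parent domains or sibling hosts).

// Constructed sample whitelist, not NoScript's default list.
const SAMPLE_WHITELIST = ["mozilla.org", "http://www.example.com"];

function matchesDomainEntry(entry, host) {
  const domain = entry.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

function matchesAddressEntry(entry, url) {
  const allowed = new URL(entry);
  if (allowed.protocol !== url.protocol) return false;
  if (allowed.hostname.toLowerCase() !== url.hostname.toLowerCase()) return false;
  if (allowed.port !== url.port) return false;
  // "http://host/dir" covers "/dir" and "/dir/..." but not "/directory".
  const base = allowed.pathname.endsWith("/") ? allowed.pathname : allowed.pathname + "/";
  return url.pathname === allowed.pathname || url.pathname.startsWith(base);
}

// True when scriptUrl is covered by at least one whitelist entry.
function isAllowed(whitelist, scriptUrl) {
  const url = new URL(scriptUrl);
  const host = url.hostname.toLowerCase();
  return whitelist.some((entry) =>
    entry.includes("://") ? matchesAddressEntry(entry, url) : matchesDomainEntry(entry, host)
  );
}
```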
Untrusted blacklist 
Sites can also be blacklisted with NoScript. This, coupled with the "Allow Scripts Globally" option, lets users who deem NoScript's "Default Deny" policy too restrictive turn it into a "Default Allow" policy. Even though the security level is then lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks and DNS rebinding.
Anti-XSS protection 
Application Boundaries Enforcer (ABE) 
The Application Boundaries Enforcer (ABE) is a NoScript module meant to harden the web-application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined by the user, by the web developer/administrator, or by a trusted third party. In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers or sensitive web applications.
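A simplified model of the default ABE policy described above, added here as an example; it is not NoScript's ABE engine, and it assumes the caller supplies the IP address the requesting page was loaded from and the address the destination host resolved to.

```javascript
// Added model of ABE's default policy as described above (not NoScript's ABE
// engine, whose rule language is richer). Assumptions: the caller passes the IP
// address from which the requesting page was loaded and the IP the destination
// host resolved to; ABE does its own resolution. Passing resolved addresses is
// what exposes DNS rebinding: a public host name that later resolves to a LAN
// address is classified as LOCAL and the cross-boundary request is denied.

// Loopback and RFC 1918 / link-local ranges count as LOCAL.
function isLocalIp(ip) {
  if (ip === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Verdict for one request, in the spirit of ABE's default SYSTEM rule set
// ("Site LOCAL / Accept from LOCAL / Deny"): only LOCAL destinations are
// governed; they accept LOCAL origins and deny everything else.
function abeDefaultVerdict(originIp, destIp) {
  if (!isLocalIp(destIp)) return "Accept";
  return isLocalIp(originIp) ? "Accept" : "Deny";
}

// Constructed request log: [description, origin IP, destination IP].
const SAMPLE_REQUESTS = [
  ["CSRF at a home router from an Internet page", "203.0.113.5", "192.168.1.1"],
  ["Same page after DNS rebinding to the LAN", "203.0.113.5", "10.0.0.2"],
  ["Intranet app calling another intranet host", "10.0.0.7", "10.0.0.2"],
  ["Ordinary cross-site request between Internet hosts", "203.0.113.5", "198.51.100.7"],
];

// Labels each sample request with the verdict the default policy would give.
function auditRequests(requests) {
  return requests.map(([what, from, to]) => `${abeDefaultVerdict(from, to)}: ${what}`);
}
```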
ClearClick (anti-clickjacking) 
NoScript's ClearClick feature, released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based). This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.
HTTPS enhancements 
NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites which don't support Strict Transport Security yet. NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.
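The two forcing modes described above, as an added example that is neither NoScript's nor HTTPS Everywhere's code: entries learned from Strict-Transport-Security headers (parsed as in RFC 6797) and hosts the user configured by hand both cause http:// URLs to be rewritten to https://.

```javascript
// Added example (not NoScript's or HTTPS Everywhere's code) of the two forcing
// modes described above: hosts that sent a Strict-Transport-Security header and
// hosts the user configured by hand. Header parsing follows RFC 6797 (max-age,
// includeSubDomains); directives received over plain HTTP are ignored, as the
// RFC requires, so an on-path attacker cannot plant or clear an entry.

const stsHosts = new Map();        // host -> { expires, includeSubDomains }
const userForcedHosts = new Set(); // hosts the user chose to always load over HTTPS

// Records one Strict-Transport-Security header; returns true if it was honoured.
function recordStsHeader(host, headerValue, overTls, nowMs = Date.now()) {
  if (!overTls) return false;
  host = host.toLowerCase();
  let maxAge = null, includeSubDomains = false;
  for (const directive of headerValue.split(";")) {
    const [name, value = ""] = directive.split("=").map((s) => s.trim());
    if (/^max-age$/i.test(name) && /^\d+$/.test(value)) maxAge = Number(value);
    if (/^includeSubDomains$/i.test(name)) includeSubDomains = true;
  }
  if (maxAge === null) return false;                          // max-age is mandatory
  if (maxAge === 0) { stsHosts.delete(host); return true; }   // max-age=0 removes the host
  stsHosts.set(host, { expires: nowMs + maxAge * 1000, includeSubDomains });
  return true;
}

function shouldForceHttps(host, nowMs = Date.now()) {
  host = host.toLowerCase();
  if (userForcedHosts.has(host)) return true;
  for (const [stsHost, entry] of stsHosts) {
    if (entry.expires <= nowMs) continue;                     // expired entries no longer apply
    if (host === stsHost || (entry.includeSubDomains && host.endsWith("." + stsHost))) return true;
  }
  return false;
}

// Rewrites an http:// URL to https:// when the host is covered by either list.
function upgradeUrl(urlString, nowMs = Date.now()) {
  const url = new URL(urlString);
  if (url.protocol === "http:" && shouldForceHttps(url.hostname, nowMs)) url.protocol = "https:";
  return url.href;
}
```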
Awards 
- PC World chose NoScript as one of the 100 Best Products of 2006.
- In 2008, NoScript won About.com's "Best Security Add-On" editorial award.
- In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.
- In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.
- NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.
Blocking in general 
Hidden partners: third-party scripts 
Most websites give no notice of the uncontrolled third-party web scripts they use, some of which may have untrustworthy reputations. Sites may claim to be trustworthy but nonetheless be responsible for undeclared and undescribed use of third-party scripts. NoScript lists such unaccountable third-party scripts but cannot explain why they are used. NoScript does provide links to several independent resources to help a website visitor assess a third party's trustworthiness in terms of security, privacy and safety: primarily WOT Scorecard (which can be a separate browser add-on), but also McAfee SiteAdvisor, Webmaster Site Tips, Safe Browsing Diagnostic and hpHost Report.
NoScript exceptions 
As of April 2013, the default NoScript whitelist contained some of the sites of the extension's developer and some domains of Google, Yahoo!, and Microsoft, whose Ajax webmail services may be the only way of using e-mail familiar to some users, who could otherwise unintentionally lock themselves out by installing NoScript. The whitelist can be edited in the Options dialog, as explained at the extension's official site.
AdBlock Plus 
On May 1, 2009, Wladimir Palant, author of Adblock Plus, a well-known Firefox extension, announced that one week earlier, NoScript version 1.9.2 had started interfering with the functionality of Adblock Plus. It allowed the sites of NoScript's sponsors to be displayed unfiltered, without the consent of Adblock Plus or the user. Palant said that NoScript had been using code obfuscated with Unicode hexadecimal escapes to avoid detection of this modification. Almost immediately, Mozilla Add-ons decided to change its guidelines regarding add-on modifications. The April 30 version 126.96.36.199 update to NoScript, though, had already replaced the allegedly obfuscated code with a user-visible and documented Adblock Plus filterset whitelisting NoScript's sites. Wladimir Palant pointed out that this filterset kept being re-added on each startup even after the user had deleted it, but this was likely just an unintentional bug, since the whitelist could still be disabled permanently and/or overridden by the user's own blocking filters, as explained in NoScript's FAQ. Some hours later, on May 2, 2009, a further automatic NoScript update (version 188.8.131.52) completely removed the Adblock Plus whitelist, and public apologies were given on the release notes page for having modified Adblock Plus' behavior without asking users' consent in advance. On May 4, 2009, in a long blog post, NoScript's author personally apologized for the initial obscure approach, recognizing it had been a breach of trust and declaring his contrition. He also explained that the Adblock Plus whitelist deployed by NoScript was intended as a countermeasure against unusually aggressive EasyList entries specifically targeting Maone's websites, which broke almost all the dynamic functionality and even the links to install the NoScript software package itself.
NoScript website and Ghostery 
On Friday, May 1, 2009, and again on Sunday, May 3, 2009, in the wake of discussions about NoScript's interaction with AdBlock Plus, it was pointed out in the NoScript support forum that a stylesheet rule on the NoScript website kept hidden the notifications of Ghostery, a Firefox extension that informs about web bugs. Ghostery would otherwise have informed users about the use of Google AdSense on NoScript's website. Maone in response explained that his stylesheet was only styling the website content itself, that Ghostery's way of displaying notifications was technically inadequate, because its information could be spoofed by any website, and that the notifications obstructed websites' content without real purpose, since they could be displayed more easily and more safely in the browser chrome. In later statements, he specifically criticized the obstruction of a donation button and license terms and stated that his stylesheet did not prevent Ghostery from working, since the same information was available via the browser's status bar icon.
Critics responded that the stylesheet file contained information purposefully targeted at Ghostery. It was pointed out that Ghostery's notification in its original state did not obstruct Maone's donation button and vanished after a few seconds. Users underlined that Maone's stylesheet rule kept Ghostery from providing information about a web bug and criticized Maone for his information policy in general. Maone's assertions that Ghostery's way of displaying information was susceptible to manipulation met agreement.
The issue spread to third-party websites, some of which falsely claimed that the NoScript extension itself, rather than its website, interfered with the Ghostery add-on. Among the websites fueling speculation was the blog of David Cancel, author of Ghostery, who later corrected his earlier presumptions.
On May 6, 2009, after actively discussing the matter with online users, Maone announced that he had changed his opinion on the subject and in consequence modified the stylesheet of his website. The Ghostery notification box is no longer kept hidden but moved slightly towards the center of the page, in order to not obstruct donation buttons or license information.