From Wikipedia, the free encyclopedia
Original author(s): Giorgio Maone
Developer(s): Giorgio Maone
Initial release: May 13, 2005[1]
Stable release: 11.0.12 / 8 January 2020
Preview release: 11.0.12rc2 / 8 January 2020
Written in: JavaScript, XUL, CSS
Available in: 45[2] languages
Type: Mozilla extension

NoScript (or NoScript Security Suite) is a free software extension for Mozilla Firefox, SeaMonkey, other Mozilla-based web browsers, and Google Chrome,[3] created and actively maintained by Giorgio Maone,[4] an Italian software developer and member of the Mozilla Security Group.[5]

By default, NoScript blocks active (executable) web content, which a user can wholly or partially unblock by whitelisting a site or domain from the extension's toolbar menu: sites can be set as 'allowed', 'trusted', or 'untrusted', and the whitelist persists between sessions. Temporarily allowed sites are not added to the permanent whitelist and work only until the browser session ends. Active content may consist of JavaScript, web fonts, Java, Flash, Silverlight, and other plugins. The add-on also offers specific countermeasures against security exploits.[6]


The classic NoScript menu in Firefox

NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that websites can use these technologies in harmful ways. Users can allow active content to execute on trusted websites, by giving explicit permission, on a temporary or a more permanent basis. If "Temporarily allow" is selected, then scripts are enabled for that site until the browser session is closed.

Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content also helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat, and so on. NoScript replaces these blocked elements with a placeholder icon; clicking on this icon enables the element.[7]

NoScript takes the form of a toolbar icon or status bar icon in Firefox. It is displayed on every website to denote whether NoScript has blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking on, or (since version 2.0.3rc1[8]) hovering the mouse cursor over, the NoScript icon gives the user the option to allow or forbid the scripts' processing.

NoScript's interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) which are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run.[9] With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.

NoScript may provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding, with specific countermeasures that work independently from script blocking.[10]

On November 14, 2017, Giorgio Maone announced NoScript 10, which would be "very different" from the 5.x versions and would use WebExtension technology, making it compatible with Firefox Quantum.[11] On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is available for Firefox for Android, and there is also preliminary work to port it to Chromium.[12]

Site matching and whitelisting[edit]

NoScript Anywhere 3.5a15 site permissions in IceCat Mobile 52.6 on Android 4.1.2

Unlike general ad-blocking extensions that rely on blacklists, NoScript relies on whitelisting through 'Allow' or 'Trust' commands in NoScript's toolbar pop-up. Sources of scripts and other active content are listed by domain name, less often by IP address. Domains that are not whitelisted are blocked by default, save for a built-in pre-approved whitelist that can later be edited.

Often, the domain names that would serve active content are not identical to the domain name shown in the address field of the displayed web page. This is because many web pages and web applications fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify a blocking policy for the main address and for each of the domains separately.

No scripts are executed if the address of the main page has been marked as untrusted. Once any source is marked as trusted, NoScript treats it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.

The names of certain domains often indicate the purpose of the scripts they might serve, for example, domains belonging to online advertising and tracking firms. This lets users specifically decline to allow the domains from which they do not want active content to run. Finding a working set of permissions is a trial-and-error process: upon allowing (trusting) the domain of a website, the entire web page is reloaded by default, and the process of allowing further domains with necessary scripts must then be repeated, as additional domains that would serve active content may only be listed after the previous domain has been allowed.[13][14]

The possibility to allow scripts coming from a certain source only for specific main page locations has been requested frequently, but is not yet easy to configure. It may be achieved in classic NoScript by configuring the built-in ABE module to fine-tune cross-site resource access.[15]

For each source, the exact address, exact domain, or parent domain may be specified. By enabling a domain (e.g., all its subdomains are implicitly enabled (e.g., and so on) with every possible protocol (e.g. HTTP and HTTPS). By enabling an address (protocol://host, e.g., its subdirectories are enabled (e.g. and, but not its domain ancestors nor its siblings. Therefore, and will not be automatically enabled.[16]

Untrusted blacklist[edit]

Sites can also be blacklisted with NoScript.[17] This, coupled with the "Allow Scripts Globally" option, lets users who deem NoScript's "Default Deny" policy too restrictive turn it into a "Default Allow" policy.[18] Even though the security level is then lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding.[10]
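The site-matching rules above (domain entries covering all subdomains and protocols; address entries covering only their own path and subdirectories) and the untrusted-page, temporary-permission and "Allow Scripts Globally" behaviour from the two sections can be expressed as one small decision function. The code below is an added illustration, not NoScript's own code; it assumes policy entries are either a bare domain such as "example.com" or an address such as "https://host/path", and it omits ports, IP literals and other cases the real extension handles.

```javascript
// Added example: a model of NoScript's described site-matching and allow/deny
// rules. Illustrative only; not the extension's own code.
function entryMatches(entry, urlString) {
  const url = new URL(urlString); // global URL in Node and modern browsers
  const host = url.hostname.toLowerCase();
  if (!entry.includes("://")) {
    // Domain entry: the domain itself and every subdomain, over any protocol.
    const domain = entry.toLowerCase();
    return host === domain || host.endsWith("." + domain);
  }
  // Address entry: same protocol and host; the given path and its subdirectories,
  // but neither parent directories nor sibling paths.
  const base = new URL(entry);
  if (base.protocol !== url.protocol || base.host.toLowerCase() !== url.host.toLowerCase()) {
    return false;
  }
  const dir = base.pathname.endsWith("/") ? base.pathname : base.pathname + "/";
  return url.pathname === base.pathname || url.pathname.startsWith(dir);
}

// policy: { trusted: [...], temp: [...], untrusted: [...], allowGlobally: bool }
// Decide whether a script fetched from scriptUrl may run in the page at pageUrl.
function scriptAllowed(policy, pageUrl, scriptUrl) {
  const inList = (list, u) => list.some((e) => entryMatches(e, u));
  // An untrusted top-level page runs no scripts at all, whoever serves them.
  if (inList(policy.untrusted, pageUrl)) return false;
  // A blacklisted source stays blocked even under "Allow Scripts Globally".
  if (inList(policy.untrusted, scriptUrl)) return false;
  // "Allow Scripts Globally" turns default-deny into default-allow.
  if (policy.allowGlobally) return true;
  // Default deny: a trusted or temporarily allowed source runs regardless of
  // which page embeds it; everything else is blocked.
  return inList(policy.trusted, scriptUrl) || inList(policy.temp, scriptUrl);
}

// Temporary permissions last only for the browser session.
function endSession(policy) {
  return { ...policy, temp: [] };
}
```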

Anti-XSS protection[edit]

On April 11, 2007, NoScript was publicly released,[19] introducing the first client-side protection against Type 0 and Type 1 cross-site scripting (XSS) ever delivered in a web browser. Whenever a website tries to inject HTML or JavaScript code into a different site, NoScript filters the malicious request, neutralizing its dangerous payload.[20] Similar features were adopted years later by Microsoft Internet Explorer 8[21] and by Google Chrome.[22]

Application Boundaries Enforcer (ABE)[edit]

Resources blocked by ABE are logged to the browser console. The Console extension shows the block events of two CSS files, as logged by NoScript Anywhere 3.5a15 in GNU IceCat 38.8.0 on Android 2.3.6

The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. plugins, webmail, online banking, and so on), according to policies defined either directly by the user, by the web developer/administrator, or by a trusted third party.[23] In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.[24]

ClearClick (anti-clickjacking)[edit]

NoScript's ClearClick feature,[25] released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based).[26] This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.[27]

HTTPS enhancements[edit]

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites which don't support Strict Transport Security yet.[28] NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.[29]
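The forced-HTTPS behaviour described above has two inputs: hosts the user lists by hand, and hosts that sent a Strict-Transport-Security header (RFC 6797, with its max-age and includeSubDomains directives). The following added example, not NoScript's own code, keeps such an "always HTTPS" set and rewrites plain-HTTP URLs for covered hosts; it assumes the caller records headers only from HTTPS responses, that user entries name exact hosts, and that timestamps are milliseconds.

```javascript
// Added example: a minimal model of forced HTTPS driven by user configuration
// and by Strict-Transport-Security headers. Illustrative only.
function parseSts(headerValue) {
  // max-age=<seconds> is required; includeSubDomains is optional (RFC 6797).
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of headerValue.split(";")) {
    const [name, value] = part.trim().split("=").map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === "max-age") maxAge = parseInt((value || "").replace(/^"|"$/g, ""), 10);
    else if (key === "includesubdomains") includeSubDomains = true;
  }
  if (maxAge === null || Number.isNaN(maxAge) || maxAge < 0) return null; // malformed: ignore
  return { maxAge, includeSubDomains };
}

// state: { userForced: [hostnames], sts: Map(hostname -> { expires, includeSubDomains }) }
// Record a header seen on an HTTPS response from host; max-age=0 revokes the entry.
function recordSts(state, host, headerValue, now) {
  const d = parseSts(headerValue);
  if (!d) return false;
  const key = host.toLowerCase();
  if (d.maxAge === 0) state.sts.delete(key);
  else state.sts.set(key, { expires: now + d.maxAge * 1000, includeSubDomains: d.includeSubDomains });
  return true;
}

function hostCovered(state, host, now) {
  const h = host.toLowerCase();
  if (state.userForced.some((f) => f.toLowerCase() === h)) return true; // user entries: exact host
  for (const [known, p] of state.sts) {
    if (p.expires <= now) continue; // expired policy no longer applies
    if (h === known || (p.includeSubDomains && h.endsWith("." + known))) return true;
  }
  return false;
}

// Upgrade http:// to https:// for covered hosts; leave every other URL untouched.
function enforceHttps(state, urlString, now) {
  const url = new URL(urlString);
  if (url.protocol === "http:" && hostCovered(state, url.hostname, now)) url.protocol = "https:";
  return url.href;
}
```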

Surrogate scripts[edit]

NoScript is able to run user-provided scripts instead of, or in addition to, website-provided scripts, in a similar manner to the Greasemonkey add-on. This feature was originally designed to fix pages that use third-party scripts (such as Google Analytics) which are not required for the page's actual functionality but cause the page to break when they are blocked.[30] The list of built-in surrogate scripts is actively maintained[31] and included 48 sites as of version

Unintended benefits[edit]

NoScript can provide some unintended benefits. An IANIX benchmark on the top 150 Alexa websites sans country-code duplicates with NoScript enabled showed a reduction in bandwidth consumption by approximately 42%.[32] In addition, the use of NoScript reduces the amount of system resources required by the browser to display web pages.[citation needed]

As some web tracking services depend on JavaScript, and as JavaScript exposes browser and operating system configuration details, NoScript can increase privacy and anonymity as seen via the EFF's Panopticlick tool.[33] NoScript also can be used by web developers as a convenient way to test how well sites work without JavaScript, particularly since modern versions of Firefox have removed JavaScript controls from the regular configuration pane.[34]


  • PC World chose NoScript as one of the 100 Best Products of 2006.[35]
  • In 2008, NoScript won's "Best Security Add-On" editorial award.[36]
  • In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at[37]
  • In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at[38]
  • NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.[39]


Conflict with Adblock Plus[edit]

In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an AdBlock Plus filter.[40][41] The code implementing this workaround was "camouflaged"[40] to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism, and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications,[42] Maone removed the code and issued a full apology.[40][43]

Conflict with Ghostery[edit]

Also in May 2009, shortly after the Adblock Plus incident,[44] a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software.[45] This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites".[44] In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site.[46]

The conflict was resolved when Maone changed his site's CSS to move—rather than disable—the Ghostery notification.[47]

References[edit]

  1. ^ "Version 1.0". NoScript. Mozilla Addons. 2005-05-13. Archived from the original on 2018-10-02.
  2. ^ Supported language on
  3. ^ "NoScript Extension Officially Released for Google Chrome". ZDNet. Retrieved 2019-04-12.
  4. ^ "Meet the NoScript Developer". Mozilla. Archived from the original on 2011-10-09. Retrieved 2011-09-27.
  5. ^ "Mozilla Security Group". Mozilla. Archived from the original on June 29, 2011. Retrieved 2011-06-29.
  6. ^ Scott Orgera. "NoScript". Retrieved 2010-11-27.
  7. ^ Will Dormann and Jason Rafail (2008-02-14). "Securing Your Web Browser". CERT. Retrieved 2010-11-27.
  8. ^ "NoScript Changelog 2.0.3rc1". Retrieved 16 March 2011.
  9. ^ Brinkman, Martin (February 10, 2014). "The Firefox NoScript guide you have all been waiting for". Retrieved 14 January 2017.
  10. ^ a b Giorgio Maone (2010-08-01). "al_9x Was Right, My Router is Safe". Retrieved 2010-08-02.
  11. ^ Giorgio Maone (2017-11-14). "Double NoScript". Retrieved 2017-11-15.
  12. ^ "Cosmetic Changes by Issa1553 · Pull Request #28 · hackademix/noscript". GitHub. Retrieved 2019-01-04.
  13. ^ "NoScript features". NoScript. Retrieved 14 January 2017.
  14. ^ "NoScript FAQ". NoScript. Retrieved 14 January 2017.
  15. ^ Can I use ABE to fine-tune NoScript's permissions? Retrieved November 27, 2010.
  16. ^ NoScript Features-Site matching Retrieved April 22, 2008.
  17. ^ NoScript Features-Untrusted blacklist Retrieved April 22, 2008.
  18. ^ Kassner, Michael. "An interview with Giorgio Maone, creator of NoScript". TechRepublic. Retrieved 19 May 2013.
  19. ^ NoScript's first Anti-XSS release Mozilla Add-ons
  20. ^ NoScript Features-Anti-XSS protection Retrieved April 22, 2008.
  21. ^ Nathan Mc Fethers (2008-07-03). "NoScript vs Internet Explorer 8 Filters". ZDNet. Retrieved 2010-11-27.
  22. ^ Adam Barth (2010-01-26). "Security in Depth: New Security Features". Google. Retrieved 2010-11-27.
  23. ^ Giorgio Maone. "Application Boundaries Enforcer (ABE)". Retrieved 2010-08-02.
  24. ^ Giorgio Maone (2010-07-28). "ABE Patrols Routes to Your Routers". Retrieved 2010-08-02.
  25. ^
  26. ^ Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". Retrieved 2008-10-27.
  27. ^ Michal Zalewski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 2008-10-27.
  28. ^ NoScript FAQ: HTTPS Retrieved August 2, 2010.
  29. ^ HTTPS Everywhere
  30. ^ Giorgio Maone (2009-01-25). "Surrogate Scripts vs Google Analytics". Retrieved 2015-07-07.
  31. ^ "NoScript changelog".
  32. ^ "The effect of Firefox addons on bandwidth consumption".
  33. ^ "Panopticlick: How Unique and Trackable is Your Browser?".
  34. ^ Mozilla issue tracker, item 873709
  35. ^ PC World Award Retrieved April 22, 2008.
  36. ^ 2008 Best Security Add-On Award Retrieved August 2, 2010.
  37. ^ Best Privacy/Security Add-On 2010 Retrieved August 2, 2010.
  38. ^ Best Privacy/Security Add-On 2011 Retrieved March 20, 2011.
  39. ^ Security Innovation Grant Winner Announcement Dragon Research Group. Retrieved July 17, 2011.
  40. ^ a b c Goodin, Dan. "Firefox users caught in crossfire of warring add-ons". The Register. Retrieved 19 May 2013.
  41. ^ "Extension wars – NoScript vs. AdblockPlus". Ajaxian. Retrieved 19 May 2013.
  42. ^ "No Surprises". 2009-05-01.
  43. ^ Dear Adblock Plus and NoScript Users, Dear Mozilla Community
  44. ^ a b Attention all NoScript users
  45. ^ Greg Yardley (2009-05-04). "When blockers block the blockers". Archived from the original on 2009-05-08.
  46. ^ NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04)
  47. ^ NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06)
