
NoScript (or NoScript Security Suite) is a free software extension for Mozilla Firefox, SeaMonkey, other Mozilla-based web browsers and Google Chrome, written and maintained by Giorgio Maone, an Italian software developer and member of the Mozilla Security Group.


Features


Active content blocking

By default, NoScript blocks active (executable) web content, which can be wholly or partially unblocked by allowlisting a site or domain from the extension's toolbar menu or by clicking a placeholder icon. In the default configuration, active content is globally denied, although the user may turn this around and use NoScript to block specific unwanted content. The allowlist may be permanent or temporary (until the browser closes or the user revokes permissions). Active content may consist of JavaScript, web fonts, media codecs, WebGL, and Flash. The add-on also offers specific countermeasures against security exploits.

Because many web browser attacks require active content that the browser normally runs without question, disabling such content by default and using it only to the degree that it is necessary reduces the chances of vulnerability exploitation. In addition, not loading this content saves significant bandwidth and defeats some forms of web tracking. NoScript is useful for developers to see how well their site works with JavaScript turned off. It can also remove many irritating web elements, such as in-page pop-up messages and certain paywalls, which require JavaScript in order to function.

NoScript takes the form of a toolbar icon or status bar icon in Firefox. It is displayed on every website to denote whether NoScript has blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing. NoScript's interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) that are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run. With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.

On November 14, 2017, Giorgio Maone announced NoScript 10, which will be "very different" from 5.x versions, and will use WebExtension technology, making it compatible with Firefox Quantum. On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is available for Firefox for Android.


Anti-XSS protection

On April 11, 2007, NoScript 1.1.4.7 was publicly released, introducing the first client-side protection against Type 0 and Type 1 cross-site scripting (XSS) ever delivered in a web browser. Whenever a website tries to inject HTML or JavaScript code inside a different site (a violation of the same-origin policy), NoScript filters the malicious request and neutralizes its dangerous payload. Similar features were adopted years later by Microsoft Internet Explorer 8 and by Google Chrome.


Application Boundaries Enforcer (ABE)

The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g., plug-ins, webmail, online banking, and so on), according to policies defined directly by the user, the web developer/administrator, or a trusted third party. In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.
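
The default intranet boundary described above, sketched as an added example (this is not NoScript's code; the function names and the IPv4-only address list are assumptions of the sketch). It decides on the addresses the hostnames resolved to rather than on the hostnames themselves, which is why a public name rebound to a LAN address still lands on the guarded side.

```javascript
// Added illustration, not NoScript's code: a simplified model of a
// "local resources may only be requested by local origins" boundary.
const LOCAL_V4 = [            // [network, prefix length]
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],  // RFC 1918
  ["127.0.0.0", 8],                                          // loopback
  ["169.254.0.0", 16],                                       // link-local
];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  const [a, b, c, d] = parts.map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

function isLocal(ip) {
  const addr = ipv4ToInt(ip);
  return LOCAL_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// request.originIp / request.destIp: addresses resolved at request time.
function decide(request) {
  if (!isLocal(request.destIp)) return "accept";        // outside the boundary
  return isLocal(request.originIp) ? "accept" : "deny"; // LAN only from LAN
}

// Constructed sample requests (documentation address ranges for public hosts).
const samples = [
  { originIp: "203.0.113.10", destIp: "192.168.1.1" },  // web page -> router
  { originIp: "192.168.1.20", destIp: "192.168.1.1" },  // LAN page -> router
  { originIp: "203.0.113.10", destIp: "198.51.100.7" }, // ordinary cross-site
];
const verdicts = samples.map(decide); // ["deny", "accept", "accept"]
```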


ClearClick (anti-clickjacking)

NoScript's ClearClick feature, released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e., from frames and plug-ins). This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.


HTTPS enhancements

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be triggered either by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites that don't support Strict Transport Security yet. NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.


Awards

* PC World chose NoScript as one of the 100 Best Products of 2006.
* In 2008, NoScript won About.com's "Best Security Add-On" editorial award.
* In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.
* In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.
* NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.


Conflicts


Conflict with Adblock Plus

In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an Adblock Plus filter. The code implementing this workaround was "camouflaged" to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications, Maone removed the code and issued a full apology.


Conflict with Ghostery

In the immediate aftermath of the Adblock Plus incident ("Attention all NoScript users"), a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software. This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites". In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site (NoScript support forum, "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone, 2009-05-04). This conflict was resolved when Maone changed his site's CSS to move, rather than disable, the Ghostery notification (NoScript support forum, "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone, 2009-05-06).


See also

* Content Security Policy
* Framekiller
* List of Firefox extensions (Privacy/security)
* GNU LibreJS
* HTTP Switchboard
* uBlock Origin



External links

* NoScript at addons.mozilla.org
* NoScript Anywhere (3.5a15) for Firefox for Android
* NoScript presentation in How to Bypass Internet Censorship, a FLOSS Manual, 10 March 2011, 240 pp.