Firefox add-on "No Script" - is it worth it?

I admit to being very, very cautious about malware since I got one heck of a virus a few months ago, using Firefox and with all the usual protection running.

I was recommended NoScript, which, as the name suggests, blocks all scripts on every website, unless you ask it not to. I’m finding it a bit of a hassle, nothing seems to work properly with it enabled, for good or for ill, and I’m left to my own judgement when allowing things, which takes me back to square one.

Anyone else tried it?

I found it more trouble than it was worth, too. Between Adblock Plus and Firefox’s own popup blocker, I seem to have gotten by just fine.

Every website and its mother uses JS these days and having to manually give each one permission is really annoying. If you keep Firefox and your anti-malware stuff updated, dangerous JavaScript exploits these days are somewhat rare and usually fixed pretty quickly. Not to mention the latest Firefox releases also link to Google’s database of bad sites, adding another layer of shielding.

Of course, you’re the only person who can ultimately decide how much security you want to trade for convenience.

How did you get the last virus?

It is annoying at first, although No Script does have a long list of pre-whitelisted websites. However, after the break-in period, where you’re whitelisting all your usual websites, it’s very helpful. You would not believe how many sites have hooks from other, data-gathering websites that are completely irrelevant to your browsing needs (google-analytics being a big one. I like Google, but I don’t especially like them watching me). I’ve also found that few websites, at least those that I visit, seriously break when blocked by No Script, but then I can tolerate a site that’s improperly displayed as long as the content is available.

Tried it for an hour, hated it, couldn’t figure out what it was trying to protect me from…and then finding it in my system to delete it was a nightmare, since it wasn’t listed anywhere as NoScript and it gave no uninstall or delete or turn off option of its own. It was just a royal pain.

As a person who’s writing JavaScript almost every day, the idea of something universally disallowing it without discrimination makes me cringe. JavaScript increases the usability of websites dramatically; removing it is like moving backwards 10 years.

On the other hand, being able to control what sites use JavaScript on my computer is part of what keeps it safe. I have no problem allowing my bank’s website to JS it up, but I’d rather keep ads-r-us.com from doing so.

Mmm, this is why I’m conflicted. I don’t want any nasty or annoying JavaScript effects from ads-are-us.com (which can be hidden in otherwise legit sites), but blocking seemingly any JavaScript reduces the functionality of sites beyond tolerance, forcing me to ‘allow all’ which takes me back to square one.

@ Reply - I’ve no idea how I got it, was a really annoying redirect virus that infected all my browsers, so I’ve become a paranoid wreck ever since.

Can you set it to disallow scripts from external domains? If so, that would be fine with me.

Like, don’t allow www.website.com to load scripts from www.advertisingplanet.com

That would solve 99% of the problem and still allow the interface-enhancing scripts.

I’ve found it to be helpful, if a bit hassling. The Web of Trust extension might be a better bet; I use both it and NoScript at the same time. It can be a bit annoying to constantly have to “Allow all this page” for the clearly safe new sites you visit, but better to be safe than sorry.

I may have to check this out. Seems like a hassle at first, but I’ve already gotten used to my firewall screaming at me about all sorts of things :)

Since I’ve never used something like this, how could I even tell if I’ve picked up a nasty bug on some website?

Options -> General tab -> Temporarily allow top-level sites by default

I use No Script and always install it along with Firefox on my brother’s/parent’s PC. It might be a pain to start with but once you allow all your usual/trusted websites it’s fine. I don’t have to worry about clicking a link because of what it might contain. I find my firewall more annoying but nobody (sane) would dream of turning that off.

For me there was a little bit of a learning curve at first, lots of trial and error, but being able to block the likes of the aforementioned Google-Analytics (Tribal Fusion is another pernicious adware site that I had learned to loathe) has been absolutely invaluable. You of all people should be aware of just how much these kinds of sites/scripts can be bandwidth hogs, either of the pointless or malicious variety. Shoots down all sorts of popups as well, ones the other popup blockers often miss. At another site I frequent other posters were up in arms about a Trojan which was embedded in a banner ad, but NoScript blocked the ad just fine for me.

The guy who maintains No Script pulled some shady nonsense in the past with his add-on secretly creating filter exceptions in Adblock Plus so the ads on his site would show up. He’s apologized and promised not to do it again, but some people might not want to trust someone who has shown such profoundly bad judgement in the past.

Here’s a random article on the subject: http://www.computerbob.com/wp/noscript-controversy.php

I use No-Script all the time, and can’t imagine browsing without it.

It’s easy enough to authorize a script to run when I want to, and important to not have them run automatically without my knowledge.

Most websites work fine without the scripts, and often I will authorize the basic script from the website but NOT others that collect information on me, send me ads, etc. Many of the scripts running on site are of no value at all to ME, and I see no reason to waste my computer power on them.

Thank you for bringing that up. I hadn’t heard about it. I noticed when the option to disable automatically loading the NoScript page was moved from about:config to the options menu in the add-on itself, but I thought that was the author simply making it more user-friendly rather than responding to backlash.

I’m not sure I’ll remove NoScript, but it sounds like going with AdBlock Plus by itself for now may be smarter. The NoScript author may have only been tweaking the add-on to pimp his own page and not for anything truly malicious, but allowing holes in a security add-on is bad juju no matter the intention.

Adblock Plus and NoScript aren’t really comparable. They do fairly radically different things. I wouldn’t count on Adblock to protect me from anything except being annoyed by advertisements. It does a great job of that, but mostly because it has a good list of known ad sites that it blocks. That’s really all it does (well, and lets you add sites/urls/etc to the list, so if there’s some guy with a REALLY ANNOYING forum avatar…).

NoScript, on the other hand, is a security tool. It stops sites from running scripts on your PC. It means you can access a website without having to worry about all the random data-gathering they might be enlisting third parties to do. It means that if someone hijacks a site and redirects some of your traffic that you’re safe. Yes, you have to allow things at first, but c’mon. How many websites do you really visit? It takes two clicks to make sure you never need to worry about allowing a site again. Browse normally, go to a site you need to use, and allow scripts from that site if it’s not working right. If it’s still not working right, either global allow all pages on that site (if you trust it) or selectively allow them (if you’re skeptical of some of them.) That’s it. You’re done with that site. You’ve spent less than a minute and you’ll never need to do this for that site again. You’ll probably end up spending maybe half an hour, spread out over the course of several days, getting all your usual sites set up. It’s a very small price to pay for not having to worry that the sketchy site you got when you googled “imported video games” has done anything nasty to your PC.

Except that Adblock Plus can block just about anything, whether they’re images, Flash banners, JavaScript, or tracking cookies as long as your filter subscriptions include it or you add it yourself. Adblock simply takes a blacklist approach instead of NoScript’s whitelist.

ABP’s EasyList subscription already filters out TribalFusion, and the EasyPrivacy subscription on the filters page filters out tons more of these sites if they really worry you.

So your choices come down to: Trust someone to know what’s safe (Good luck. New random sites and domains and whatnot come up every day.) or… know what’s safe yourself and blacklist it? Sure, technically Adblock can be used for security, but I certainly wouldn’t say it’s designed to be. Why kludge a tool into place for incomplete security when you can be secure with very little effort?

I’d submit that people who know what they’re doing don’t need to worry about JavaScript much in the first place. People who aren’t that familiar with the internet, on the other hand, probably won’t be able to tell the difference between good sites and bad sites better than a community-maintained blacklist that has already proven itself very effective over the last few years.

Dangerous JavaScript exploits are [del]exceedingly rare[/del] uncommon these days, I believe, and the more practical point of NoScript is to block ads, popups, and tracking devices… in other words, what Adblock was designed for.
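
The three blocking models argued over in this thread (NoScript's whitelist, Adblock Plus's blacklist, and the "no scripts from external domains" rule one poster asks for), compared side by side as an added example; it is not code from any poster or from either add-on. Hosts other than www.website.com, www.advertisingplanet.com and google-analytics.com are constructed, and the `site()` helper is a simplifying assumption.

```javascript
// Constructed sample: one page and the scripts it tries to load.
const PAGE = "http://www.website.com/index.html";
const SCRIPTS = [
  "http://www.website.com/js/menu.js",          // first party
  "http://static.website.com/js/app.js",        // first party, other subdomain
  "http://ajax.libs-cdn.example/jquery.js",     // third party the page needs
  "http://www.advertisingplanet.com/ad.js",     // third party, known to the blacklist
  "http://www.google-analytics.com/ga.js",      // third party, known to the blacklist
  "http://cdn.brand-new-tracker.example/t.js",  // third party, too new for any list
];

// Assumption: the "site" is the last two host labels. Real tools consult the
// Public Suffix List so that hosts under e.g. co.uk are not lumped together.
function site(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Each policy answers: may `script` run on `page`?
const policies = {
  // Default deny: only sites the user has explicitly trusted may run scripts.
  allowlist: (trusted) => (page, script) => trusted.has(site(script)),
  // Default allow: everything runs unless the list already knows it is bad.
  blocklist: (bad) => (page, script) => !bad.has(site(script)),
  // Same-site only: needs no list, but also blocks third parties the page needs.
  firstPartyOnly: () => (page, script) => site(page) === site(script),
};

function allowedHosts(policy, page, scripts) {
  return scripts.filter((s) => policy(page, s)).map((s) => new URL(s).hostname);
}

const results = {
  allowlist: allowedHosts(
    policies.allowlist(new Set(["website.com", "libs-cdn.example"])), PAGE, SCRIPTS),
  blocklist: allowedHosts(
    policies.blocklist(new Set(["advertisingplanet.com", "google-analytics.com"])), PAGE, SCRIPTS),
  firstPartyOnly: allowedHosts(policies.firstPartyOnly(), PAGE, SCRIPTS),
};

// The blacklist is the only policy that lets the not-yet-listed tracker run;
// first-party-only is the only one that breaks the page's library dependency.
console.log(results);
```
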