NoScript
{{Short description|Extension for Mozilla- and Chromium-based web browsers}}
{{For|the
{{Infobox software
| name = NoScript
| logo = File:NoScript.svg
| logo size = 80px
| logo alt = NoScript icon
| logo caption = Logo used since November 2022
| screenshot =
| screenshot size = 252px
| screenshot alt = NoScript screenshot
| caption = NoScript extension icon and main menu
| author = Giorgio Maone
| released = {{Start date and age|2005|05|13}}<ref>{{Cite web |title=Version 1.0 |work=NoScript |publisher=Mozilla Addons |date=2005-05-13 |url=https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/?page=15#version-1.0.1 |url-status=dead |archive-url= https://web.archive.org/web/20181002111532/https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/?page=15#version-1.0.1 |archive-date=2018-10-02}}</ref>
| latest release version = {{wikidata|property|reference|P348}}
| latest release date = {{start date and age|{{wikidata|qualifier|P348|P577}}}}
| latest preview version = 11.5.3rc1
| latest preview date = {{Start date and age|2024|11|11|df=yes}}
| developer = [https://maone.net/ Giorgio Maone]
| programming language = JavaScript, XUL, CSS
| genre = Browser extension
| license = GPLv2+
| website = {{URL|https://noscript.net/|NoScript.net}}
| language count = 45<ref>[https://noscript.net/features#lang Supported language] on noscript.net.</ref>
| repo = https://github.com/hackademix/noscript
}}
NoScript (or NoScript Security Suite) is a free and open-source extension for Firefox- and Chromium-based web browsers,<ref>{{cite web |url= https://www.zdnet.com/article/noscript-extension-officially-released-for-google-chrome/ |title=NoScript Extension Officially Released for Google Chrome|publisher=ZDNet|access-date=2019-04-12}}</ref> written and maintained by Giorgio Maone,<ref>{{cite web |url= https://addons.mozilla.org/en-US/firefox/addon/noscript/developers |title=Meet the NoScript Developer |publisher=Mozilla |access-date=2011-09-27 |url-status=dead |archive-url= https://web.archive.org/web/20111009040345/https://addons.mozilla.org/en-US/firefox/addon/noscript/developers |archive-date=2011-10-09}}</ref> a software developer and member of the Mozilla Security Group.<ref>{{cite web |url=https://www.mozilla.org/projects/security/secgrouplist.html |title=Mozilla Security Group |publisher=Mozilla |access-date=2011-06-29 |url-status=dead |archive-url= https://web.archive.org/web/20110629162354/http://www.mozilla.org/projects/security/secgrouplist.html |archive-date=June 29, 2011}}</ref>
== Features ==
=== Active content blocking ===
By default, NoScript blocks active (executable) web content, which can be wholly or partially unblocked by allowlisting a site or domain from the extension's toolbar menu or by clicking a placeholder icon.
In the default configuration, active content is globally denied, although the user may invert this approach and instead use NoScript to block only specific unwanted content. The allowlist may be permanent or temporary (until the browser closes or the user revokes permissions). Active content may consist of JavaScript, web fonts, media codecs, WebGL, Java applets, Silverlight and Flash. The add-on also offers specific countermeasures against security exploits.<ref>{{cite web |url=http://browsers.about.com/od/48/gr/noscript.htm |title=NoScript |author=Scott Orgera |publisher=About.com |access-date=2010-11-27 |archive-date=2010-12-20 |archive-url=https://web.archive.org/web/20101220060900/http://browsers.about.com/od/48/gr/noscript.htm |url-status=dead }}</ref>
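The default-deny model described above (block everything active, then grant permanent or temporary exceptions per site or domain, with temporary grants lasting only for the session) can be captured in a few dozen lines. The following is an added illustration, not code from NoScript itself; the class and method names, the set of content types and the host-matching rule are assumptions of this example.

```javascript
// Added example, not NoScript's own code: a default-deny policy for active
// content with permanent and temporary allowlist entries, matching the
// behaviour described above. Class and method names are hypothetical.

// Content types treated as "active"; everything else passes untouched.
const ACTIVE_TYPES = new Set(['script', 'font', 'media', 'webgl', 'object']);

class ContentPolicy {
  constructor() {
    this.permanent = new Map(); // host pattern -> Set of allowed active types
    this.temporary = new Map(); // same shape, cleared when the session ends
  }

  // Allow some (or all) active types for a host. A pattern such as
  // "cdn.example" also covers every subdomain of it.
  allow(host, { types = [...ACTIVE_TYPES], temporary = false } = {}) {
    const table = temporary ? this.temporary : this.permanent;
    const set = table.get(host) || new Set();
    for (const t of types) set.add(t);
    table.set(host, set);
  }

  // Revoking removes both the permanent and the temporary grant.
  revoke(host) {
    this.permanent.delete(host);
    this.temporary.delete(host);
  }

  // Browser closed: temporary grants evaporate, permanent ones survive.
  endSession() {
    this.temporary.clear();
  }

  // Default deny: execution is allowed only if some entry covers this host
  // (exactly or as a parent domain) AND this content type.
  decide(host, type) {
    if (!ACTIVE_TYPES.has(type)) return 'allow'; // passive content (images, text) is never blocked
    for (const table of [this.permanent, this.temporary]) {
      for (const [pattern, types] of table) {
        const hostMatches = host === pattern || host.endsWith('.' + pattern);
        if (hostMatches && types.has(type)) return 'allow';
      }
    }
    return 'block';
  }
}

// Walk through a small constructed session and return every decision taken.
function demo() {
  const policy = new ContentPolicy();
  policy.allow('bank.example', { types: ['script'] });   // permanent, scripts only
  policy.allow('cdn.example', { temporary: true });       // everything, this session only
  const before = [
    policy.decide('bank.example', 'script'),      // allow
    policy.decide('bank.example', 'webgl'),       // block: type not granted
    policy.decide('static.cdn.example', 'font'),  // allow: subdomain of a temporary entry
    policy.decide('tracker.example', 'script'),   // block: default deny
    policy.decide('tracker.example', 'image'),    // allow: passive content
  ];
  policy.endSession();
  const after = policy.decide('static.cdn.example', 'font'); // block: temporary grant gone
  return { before, after };
}

console.log(demo());
```

The point of the per-type grant is the one the article makes: a site that needs JavaScript does not thereby get WebGL or plug-ins, so the exposed attack surface grows only as far as the user explicitly widens it.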
Because many web browser attacks require active content that the browser normally runs without question, disabling such content by default and using it only to the degree that it is necessary reduces the chances of vulnerability exploitation. In addition, not loading this content saves significant bandwidth<ref>{{Cite web|title=The effect of Firefox addons on bandwidth consumption :: IANIX|url=https://ianix.com/pub/firefox-addons-and-bandwidth-consumption.html|access-date=2020-07-14|website=ianix.com}}</ref> and defeats some forms of web tracking.
NoScript is useful for developers to see how well their site works with JavaScript turned off. It also can remove many irritating web elements, such as in-page pop-up messages and certain paywalls, which require JavaScript in order to function.
NoScript takes the form of a toolbar icon or status bar icon in Firefox. It is displayed on every website to indicate whether NoScript has blocked, allowed, or partially allowed scripts to run on the page being viewed. Clicking or hovering (since version 2.0.3rc1<ref>{{cite web |title=NoScript Changelog 2.0.3rc1 |url=https://noscript.net/changelog#2.0.3rc1 |publisher=noscript.net |access-date=16 March 2011}}</ref>) the mouse cursor on the NoScript icon gives the user the option to allow or forbid script execution.
NoScript's interface, whether accessed by right-clicking on the web page or via the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) that are blocked, but does not provide any sort of reference for looking up whether a given script is safe to run.<ref>{{cite news |last1=Brinkmann |first1=Martin |title=The Firefox NoScript guide you have all been waiting for |url= http://www.ghacks.net/2014/02/10/firefox-noscript-guide-waiting/ |website=GHacks.net |access-date=14 January 2017 |date=February 10, 2014}}</ref> With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or allow it temporarily.
On November 14, 2017, Giorgio Maone announced NoScript 10, which would be "very different" from the 5.x versions and would use WebExtension technology, making it compatible with Firefox Quantum.<ref>{{cite web |url=https://hackademix.net/2017/11/14/double-noscript/ |title=Double NoScript|author=Giorgio Maone |date=2017-11-14 |publisher=Hackademix.net |access-date=2017-11-15}}</ref> On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is also available for Firefox for Android.<ref>{{Cite web|url=https://github.com/hackademix/noscript/pull/28|title=Cosmetic Changes by Issa1553 · Pull Request #28 · hackademix/noscript|website=GitHub|language=en|access-date=2019-01-04}}</ref>
=== Anti-XSS protection ===
On April 11, 2007, NoScript 1.1.4.7 was publicly released,<ref>[https://addons.mozilla.org/en-US/firefox/addon/noscript/versions/1.1.4.7 NoScript's first Anti-XSS release Mozilla Add-ons]</ref> introducing the first client-side protection against Type 0 and Type 1 cross-site scripting (XSS) ever delivered in a web browser.
Whenever a website tries to inject HTML or JavaScript code inside a different site (a violation of the same-origin policy), NoScript filters the malicious request and neutralizes its dangerous payload.<ref>[https://noscript.net/features#xss NoScript Features-Anti-XSS protection] NoScript.net. Retrieved April 22, 2008.</ref>
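The idea of a client-side anti-XSS filter is that the browser itself inspects a request that crosses an origin boundary, looks for markup or script in the parameters it carries, and defangs that payload before the request is sent, so the target site never reflects it. The following is an added illustration of that mechanism, not NoScript's own filter: the pattern list, the neutralization rules and the treatment of the URL fragment (where Type 0, DOM-based payloads live, since the fragment never reaches the server) are simplifying assumptions of this example.

```javascript
// Added example, not NoScript's own filter: a simplified client-side anti-XSS
// check for cross-site requests. The pattern list and the neutralisation
// rules are illustrative assumptions, not the extension's real heuristics.

// Fragments that rarely belong in a legitimate parameter value.
const INJECTION_PATTERNS = [
  /<\s*\/?\s*[a-z]/i,          // opening or closing HTML tag
  /javascript\s*:/i,           // javascript: URL scheme
  /\bon[a-z]+\s*=/i,           // inline event-handler attribute
  /\bdata\s*:\s*text\/html/i,  // data: URL carrying an HTML document
];

function looksInjected(value) {
  return INJECTION_PATTERNS.some((re) => re.test(value));
}

// Break the markup instead of dropping the parameter, so the target page still
// receives a value where it expected one, just not an executable one.
function neutralize(value) {
  return value
    .replace(/[<>"'`]/g, ' ')
    .replace(/\b(javascript|data)\s*:/gi, '$1 ')
    .replace(/\b(on[a-z]+)\s*=/gi, '$1 ');
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed escapes: inspect raw text
}

// Same-origin requests are the site's own business; only a request that
// crosses an origin boundary is examined. A typed URL has no referrer origin
// and is treated as user-initiated here (an assumption of this example).
function isCrossSite(referrerOrigin, target) {
  if (!referrerOrigin) return false;
  return new URL(referrerOrigin).origin !== target.origin;
}

function filterRequest(referrerOrigin, rawUrl) {
  const url = new URL(rawUrl);
  const findings = [];
  if (isCrossSite(referrerOrigin, url)) {
    // searchParams yields decoded values; set() collapses duplicate keys,
    // which is acceptable for a request we already consider suspicious.
    for (const [key, value] of [...url.searchParams]) {
      if (looksInjected(value)) {
        findings.push(`query:${key}`);
        url.searchParams.set(key, neutralize(value));
      }
    }
    // The fragment never reaches the server, which is exactly why Type 0
    // (DOM-based) payloads travel there; decode and check it like a parameter.
    const fragment = safeDecode(url.hash.slice(1));
    if (fragment && looksInjected(fragment)) {
      findings.push('fragment');
      url.hash = encodeURIComponent(neutralize(fragment));
    }
  }
  return { sanitized: findings.length > 0, url: url.toString(), findings };
}

// Constructed sample: a third-party page sends a reflected payload to a search form.
console.log(filterRequest('https://third-party.example',
  'https://shop.example/search?q=<script>alert(1)</script>'));
```

Two design choices are worth noting. The filter is deliberately idempotent: the neutralized value no longer matches any pattern, so re-checking it is a no-op. And like any heuristic of this kind, it trades false positives (a legitimate cross-site parameter containing `<` or `on...=`) for coverage, which is why the article stresses that such filtering is a browser-side safety net rather than a substitute for output encoding on the server.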
Similar features were adopted years later by Microsoft Internet Explorer 8<ref>{{cite web|url=http://zdnet.com/blog/security/noscript-vs-internet-explorer-8-filters/1421|archive-url=https://web.archive.org/web/20100511182201/http://www.zdnet.com/blog/security/noscript-vs-internet-explorer-8-filters/1421|url-status=dead|archive-date=May 11, 2010|title=NoScript vs Internet Explorer 8 Filters|author=Nathan Mc Fethers|date=2008-07-03|publisher=ZDNet|access-date=2010-11-27}}</ref> and by Google Chrome.<ref>{{cite web|url=https://blog.chromium.org/2010/01/security-in-depth-new-security-features.html|title=Security in Depth: New Security Features|author=Adam Barth|date=2010-01-26| publisher=Google|access-date=2010-11-27}}</ref>
=== Application Boundaries Enforcer (ABE) ===
The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser.
This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g., plug-ins, webmail, online banking, and so on), according to policies defined directly by the user, the web developer/administrator, or a trusted third party.<ref>{{cite web |url=https://noscript.net/abe |title=Application Boundaries Enforcer (ABE) |author=Giorgio Maone |publisher=NoScript.net |access-date=2010-08-02}}</ref> In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.<ref>{{cite web |url=https://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/ |title=ABE Patrols Routes to Your Routers |author=Giorgio Maone |date=2010-07-28 |publisher=Hackademix.net |access-date=2010-08-02}}</ref>
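What "firewall-like" means in practice is that every request is matched against rules of the form "for this destination, accept or deny depending on where the request originates". The added example below is not NoScript's ABE implementation: it is a small evaluator for an ABE-style ruleset, written to show how the default rule shields LAN resources from both plain CSRF (a public page requesting a router address) and DNS rebinding (a public hostname that later resolves into the LAN). The three-line ruleset is the one NoScript documents as its default; the parser, the LOCAL test, the request shape and the injected resolver are simplifying assumptions of this example.

```javascript
// Added example, not NoScript's ABE implementation: a small evaluator for an
// ABE-style ruleset. The three-line ruleset is the one NoScript documents as
// its default; the parser, the LOCAL test, the request shape and the way the
// resolver is injected are simplifying assumptions of this example.

const DEFAULT_RULES = `
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
`;

// Loopback, RFC 1918 private and link-local IPv4 ranges (IPv6 omitted here).
function isPrivateIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// LOCAL = the host is localhost or the address behind it is private. The
// resolver is supplied by the caller so the DNS-rebinding case can be
// reproduced offline; a real implementation asks the browser's resolver.
function isLocal(host, resolve) {
  if (host === 'localhost') return true;
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : resolve(host);
  return isPrivateIPv4(ip || '');
}

function matches(pattern, host, resolve) {
  if (pattern === 'ALL') return true;
  if (pattern === 'LOCAL') return isLocal(host, resolve);
  return host === pattern || host.endsWith('.' + pattern); // plain domain, subdomains included
}

// "Site <patterns>" opens a rule; each following "Accept|Deny [from <patterns>]"
// is an action of that rule. Without "from", an action applies to any origin.
function parseRules(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb.toLowerCase() === 'site') {
      rules.push({ sites: rest, actions: [] });
      continue;
    }
    if (rules.length === 0) throw new Error(`action before any Site line: ${line}`);
    const fromIdx = rest.findIndex((w) => w.toLowerCase() === 'from');
    const origins = fromIdx === -1 ? ['ALL'] : rest.slice(fromIdx + 1);
    rules[rules.length - 1].actions.push({ verb: verb.toUpperCase(), origins });
  }
  return rules;
}

// Returns 'ACCEPT' or 'DENY'. The first action whose origin pattern matches,
// in the first rule whose Site pattern matches the destination, wins; with no
// matching rule the request passes. request.originIP is the address the
// originating page was actually loaded from (assumption: recorded at load time),
// which is what exposes a hostname that has since been rebound into the LAN.
function evaluate(rules, request, resolve) {
  if (!request.origin) return 'ACCEPT'; // typed or bookmarked navigation: not subject to "from" rules here
  const dest = new URL(request.url).hostname;
  const originHost = new URL(request.origin).hostname;
  const originResolve = () => request.originIP;
  for (const rule of rules) {
    if (!rule.sites.some((p) => matches(p, dest, resolve))) continue;
    for (const action of rule.actions) {
      if (action.origins.some((p) => matches(p, originHost, originResolve))) return action.verb;
    }
  }
  return 'ACCEPT';
}

// Constructed DNS table standing in for the resolver.
const DNS = { 'router.lan': '192.168.1.1', 'intranet.corp': '10.0.0.7', 'public-site.example': '203.0.113.5' };
const resolve = (host) => DNS[host];

console.log(evaluate(parseRules(DEFAULT_RULES),
  { origin: 'https://public-site.example', originIP: '203.0.113.5', url: 'http://192.168.1.1/admin' },
  resolve)); // DENY: an Internet page may not reach LAN resources
```

The rebinding case is the instructive one: the origin page is the same hostname as the destination, so a same-origin check alone would wave the request through; comparing the address the page was loaded from with the address the name resolves to now is what lets the rule fire.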
=== ClearClick (anti-clickjacking) ===
NoScript's ClearClick feature,<ref>{{Cite web|url=https://noscript.net/faq#clearclick|title = NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - faq - InformAction}}</ref> released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e., from frames and plug-ins).<ref>{{cite web|url=https://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/|title=Hello ClearClick, Goodbye Clickjacking|author=Giorgio Maone|date=2008-10-08|publisher=Hackademix.net|access-date=2008-10-27}}</ref>
This makes NoScript "the only freely available product which offers a reasonable degree of protection against clickjacking attacks."<ref>{{cite web|url=https://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)|title=Browser Security Handbook, Part 2, UI Redressing|author=Michal Zalewski|date=2008-12-10|publisher=Google Inc.|access-date=2008-10-27}}</ref>
=== HTTPS enhancements ===
NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be triggered either by the websites themselves, by sending the Strict Transport Security header, or configured by users for websites that do not yet support Strict Transport Security.<ref>[https://noscript.net/faq#https NoScript FAQ: HTTPS] NoScript.net. Retrieved August 2, 2010.</ref>
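The two triggers named above (a Strict Transport Security header sent by the site, or a user-maintained forced list for sites that lack one) both feed the same decision: before an `http://` request leaves the browser, check whether its host is under an HTTPS policy and rewrite the URL if so. The added example below is not NoScript's code; it is a policy object illustrating that logic, with the header grammar following RFC 6797. The class and method names and the injectable clock are assumptions of this example.

```javascript
// Added example, not NoScript's own code: a policy object that learns hosts
// from Strict-Transport-Security headers, honours a user-maintained forced
// list for sites that lack the header, and rewrites http:// URLs for those
// hosts. Names are hypothetical; the header grammar follows RFC 6797.

// Parse "max-age=<seconds>[; includeSubDomains]"; returns null if the header is unusable.
function parseSTS(headerValue) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const [name, ...rest] = part.split('=');
    const key = name.trim().toLowerCase();
    if (!key) continue;
    directives[key] = rest.join('=').trim().replace(/^"(.*)"$/, '$1'); // values may be quoted
  }
  if (!/^\d+$/.test(directives['max-age'] || '')) return null;       // max-age is mandatory
  return { maxAge: Number(directives['max-age']), includeSubDomains: 'includesubdomains' in directives };
}

class HttpsPolicy {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be exercised offline
    this.known = new Map();    // host -> { expires (ms), includeSubDomains }
    this.forced = new Set();   // hosts the user forced to HTTPS (exact host match)
  }

  // Record a site's policy. Only a header received over HTTPS counts
  // (RFC 6797 section 8.1); returns whether anything was recorded.
  observeResponse(responseUrl, stsHeader) {
    const u = new URL(responseUrl);
    if (u.protocol !== 'https:' || !stsHeader) return false;
    const sts = parseSTS(stsHeader);
    if (!sts) return false;
    if (sts.maxAge === 0) { this.known.delete(u.hostname); return true; } // max-age=0 withdraws the policy
    this.known.set(u.hostname, {
      expires: this.now() + sts.maxAge * 1000,
      includeSubDomains: sts.includeSubDomains,
    });
    return true;
  }

  forceHttps(host) { this.forced.add(host); }

  mustUpgrade(host) {
    if (this.forced.has(host)) return true;
    for (const [known, entry] of this.known) {
      if (entry.expires <= this.now()) continue;               // expired: fall back to plain HTTP
      if (host === known || (entry.includeSubDomains && host.endsWith('.' + known))) return true;
    }
    return false;
  }

  // Rewrite an outgoing URL before the request leaves the browser. Port 80 is
  // dropped by the URL parser, so the rewritten URL uses the HTTPS default;
  // any explicit non-default port is kept, as RFC 6797 requires.
  rewrite(rawUrl) {
    const u = new URL(rawUrl);
    if (u.protocol === 'http:' && this.mustUpgrade(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// Constructed walk-through: learn from one response, then rewrite a few URLs.
const samplePolicy = new HttpsPolicy();
samplePolicy.observeResponse('https://bank.example/', 'max-age=31536000; includeSubDomains');
samplePolicy.forceHttps('legacy.example');
console.log(samplePolicy.rewrite('http://www.bank.example/login'), samplePolicy.rewrite('http://legacy.example/'));
```

The check that the header arrived over HTTPS is the part most often forgotten in ad-hoc implementations: a policy learned from a plaintext response could have been injected by the very man-in-the-middle the feature exists to defeat.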
NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.<ref>[https://eff.org/https-everywhere/ HTTPS Everywhere]</ref>
== Awards ==
- PC World chose NoScript as one of the 100 Best Products of 2006.<ref>[http://pcworld.com/article/125706-14/the_100_best_products_of_2006.html PC World Award] {{Webarchive|url=https://web.archive.org/web/20110828015914/http://www.pcworld.com/article/125706-14/the_100_best_products_of_2006.html |date=2011-08-28 }} pcworld.com. Retrieved April 22, 2008.</ref>
- In 2008, NoScript won About.com's "Best Security Add-On" editorial award.<ref>[http://browsers.about.com/od/allaboutwebbrowsers/a/bestsecurityff.htm About.com 2008 Best Security Add-On Award] {{Webarchive|url=https://web.archive.org/web/20110323055756/http://browsers.about.com/od/allaboutwebbrowsers/a/bestsecurityff.htm |date=2011-03-23 }} about.com. Retrieved August 2, 2010.</ref>
- In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.<ref>[http://browsers.about.com/od/allaboutwebbrowsers/ss/2010-readers-choice-awards-web-browsers-winners_5.htm Best Privacy/Security Add-On 2010] {{Webarchive|url=https://web.archive.org/web/20100304054954/http://browsers.about.com/od/allaboutwebbrowsers/ss/2010-readers-choice-awards-web-browsers-winners_5.htm |date=2010-03-04 }} about.com. Retrieved August 2, 2010.</ref>
- In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.<ref>[http://browsers.about.com/od/allaboutwebbrowsers/ss/2011-Readers-Choice-Awards-Winners-Web-Browsers_6.htm Best Privacy/Security Add-On 2011] {{Webarchive|url=https://web.archive.org/web/20110317064904/http://browsers.about.com/od/allaboutwebbrowsers/ss/2011-Readers-Choice-Awards-Winners-Web-Browsers_6.htm |date=2011-03-17 }} about.com. Retrieved March 20, 2011.</ref>
- NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.<ref>[http://dragonresearchgroup.org/2011/07/18/ Security Innovation Grant Winner Announcement] {{Webarchive|url=https://web.archive.org/web/20150212211829/http://dragonresearchgroup.org/2011/07/18/ |date=2015-02-12 }} Dragon Research Group. Retrieved July 17, 2011.</ref>
== Conflicts ==
=== Conflict with Adblock Plus ===
In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an Adblock Plus filter.<ref>{{cite web|last=Goodin|first=Dan|title=Firefox users caught in crossfire of warring add-ons|url=http://theregister.co.uk/2009/05/04/firefox_extension_wars/|work=The Register|access-date=19 May 2013}}</ref><ref>{{cite web|title=Extension wars – NoScript vs. AdblockPlus|url=http://ajaxian.com/archives/extension-wars-noscript-vs-adblockplus|work=Ajaxian|access-date=19 May 2013}}</ref> The code implementing this workaround was "camouflaged" to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications,<ref>{{cite web|title = No Surprises|url = https://blog.mozilla.com/addons/2009/05/01/no-surprises/|date = 2009-05-01}}</ref> Maone removed the code and issued a full apology.<ref>[https://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ Dear Adblock Plus and NoScript Users, Dear Mozilla Community]</ref>
=== Conflict with Ghostery ===
In the immediate aftermath of the Adblock Plus incident,<ref>[https://archive.today/20130629095300/http://purplebox.ghostery.com/?p=103180001 Attention all NoScript users]</ref> a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software.<ref>{{Cite web|url=http://yardley.ca/2009/05/04/when-blockers-block-the-blockers/|title=When blockers block the blockers|archive-url=https://web.archive.org/web/20090508023124/http://yardley.ca/2009/05/04/when-blockers-block-the-blockers/ |archive-date=2009-05-08|work=yardley.ca|author=Greg Yardley|date=2009-05-04}}</ref> This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites". In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site.<ref>[https://forums.informaction.com/viewtopic.php?p=3704#p3704 NoScript support forum] "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04)</ref> This conflict was resolved when Maone changed his site's CSS to move—rather than disable—the Ghostery notification.<ref>[https://forums.informaction.com/viewtopic.php?p=3935#p3935 NoScript support forum] "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06)</ref>
== See also ==
{{Portal|Free and open-source software|Internet}}
{{div col|colwidth=20em}}
{{div col end}}
== References ==
{{Reflist|30em}}
== External links ==
- {{Official website|https://noscript.net/}}
- [https://addons.mozilla.org/en-US/firefox/addon/noscript/ NoScript at addons.mozilla.org]
- [https://noscript.net/nsa NoScript Anywhere] (3.5a15) for Firefox for Android
- [https://web.archive.org/web/20160923062558/http://en.flossmanuals.net/bypassing-censorship/ch017_noscript/ NoScript presentation] in [http://howtobypassinternetcensorship.org/ How to Bypass Internet Censorship], a FLOSS Manual, 10 March 2011, 240 pp.
{{DEFAULTSORT:Noscript}}