Flattr NoScript
Usable security

Operating NoScript is really simple.

When you install NoScript, JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default. You will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you're just surfing randomly, or permanently, when you visit it often and you really trust it. This means that NoScript learns from your own browser habits and tends to disappear in the background after a while, but it promptly comes back to save your day if you stumble upon a malicious web page.

When you browse a site containing blocked scripts a notification, similar to those issued by popup blocker, is shown.
Look at it or at the toolbar icon to know current NoScript permissions:

NoScript: one click to enable/disable JavaScript globally or PER SITE The number of detected <script> tags for current page is shown in a tooltip when you fly over the icon with your mouse. If the "S" inside the icon is white rather than blue (Forbidden Icon - no active script Partially Allowed Icon - no active script Partially Allowed / Partially Untrusted Icon - no active script Allowed Icon - no active script Globally Allowed Icon - no active script), 0 script tags have been detected: this likely means you don't need to enable JavaScript in that page at all.

If you left click on the icon, you can change script permissions using a simple menu.
You can reach the same menu by right clicking over the document, so you can operate also in windows which don't provide any toolbar. Of course, if you don't like contextual menus, you can hide it.
Most menu items are in the form "Allow somesite.com", "Temporarily allow somesite.com", "Forbid somesite.com". The "Temporarily" permissions are in effect until you exit the browser.

You can either middle-click or shift+left+click any of NoScript's command menu entries (e.g. "Allow noscript.net " or "Forbid flashgot.net") in order to open a Security and Privacy Info page, which tries to help you deciding whether a certain script source should be allowed or not. The actual address of this page can be configured by editing the noscript.siteInfoProvider about:config preference, e.g. in order to point it directly to a certain search engine.

Further commands available in the menu:

A set of toolbar buttons is also provided:

To install these buttons, just right click on any Firefox toolbar and select the Customize menu item, the drag the one(s) you want from the buttons palette onto your choosen toolbar.

If you're not a mouse lover, you will find these two keyboard shortcuts helpful:

  1. CTRL + SHIFT + \ (backslash) toggles allowance status for the current top-level site - temporarily by default, to make it permanent set the about:config noscript.toggle.temp preference to false.
  2. CTRL + SHIFT + N opens the NoScript menu, which lets you perform every NoScript related operation using the cursor keys.

Both these shortcuts can be changed using the about:config noscript.key.* preferences.

Every NoScript menu includes a command to open the Options dialog: you use it to allow or forbid many sites at once, to customize user interface and to decide if you want to automatically reload current site when you change permissions. Other useful options are also available there.

Site matching

For each site you can decide to allow the exact address, or the exact domain, or a parent domain. If you enable a domain (e.g. mozilla.org), you're implicitly enabling all its subdomains (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. http and https). If you enable an address (protocol://host, e.g. http://www.mozilla.org, you're enabling its subdirectories (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but not its domain ancestors nor its siblings, i.e. mozilla.org and addons.mozilla.org will not be automatically enabled.
By default only the 2nd level (base) domain is shown (e.g. mozilla.org) is shown in the menus, but you can configure appearance to show full domains and full addresses as well.

NoScript recognizes two kinds of "shorthand" patterns, to be manually entered in the NoScript Options|Whitelist panel:

  1. Jolly port matching - an address with a 0 (zero) port specification will match every site with the same protocol, domain and any non-standard port: if one is met during navigation, it gets temporarily enabled. For instance, http://acme.org:0 matches http://acme.org:8080 and http://acme.org:9999, but not https://acme.org:9999 (different protocol) nor http://acme.org (standard 80 port, omitted). Since protocol specification is mandatory, regular subdomain matching with rightmost components comparison couldn't work for multiple subdomain. You can specify subdomain matching patterns using an asterisk in place of the leftmost domain component: for instance, you need to match all the subdomains of acme.org for all ports with the HTTPS protocol, you can whitelist https://*.acme.org:0. This is the ONLY situation where asterisk is considered a wildcard.
  2. Subnet matching - an address with a partial numeric IPv4 IP will match all the subnet. You must specify at least the 2 leftmost bytes, e.g. 192.168 or 10.0.0. Again, matching sites will be temporarily allowed on demand.

Important notice: the asterisk character (*) have NO special meaning to NoScript, other than subdomain matching in Jolly port matching patterns (see above). Asterisk is NOT a general wildcard, so if you're typing it while manually adding a site to your whitelist, double check you know what you're doing. By the way, most of the time you prefer not to fiddle with your whitelist manually: just use the NoScript "Allow" and "Forbid" menu items, it's much simpler and error free!

Beyond JavaScript: blocking Java, Silverlight, Flash and other embedded content

While its primary aim is preventing malicious JavaScript from running, NoScript effectively blocks Java™, Silverlight™, Flash®, and other plugins and embeddings (such HTML video/audio elements and downloadable fonts) on sites you haven't explicitly whitelisted. Java Applets, Flash movies/applications, Quicktime clips, PDF documents and other content won't be even downloaded from sites where you consider them annoyances or dangers, saving your bandwidth and increasing your navigation speed. While in early NoScript versions only JavaScript and Java were blocked by default, this restriction has been extended to Flash and the other embeddable content, in order to prevent Flash-based XSS and other plugin-based attacks. Anyway you can configure the kinds of content you want to forbid using the NoScript Options|Embeddings panel. The status bar tooltip and the message bar display the total count of detected embeddings (<OBJECT>) next to the <script> count. Keep in mind that some sites use Java applets, Silverlight embedded objects or Flash movies to deliver rich content and applications, hence if you meet some web page you need to use but you find some functionality is missing, consider the possibility that you're blocking some essential applet or movie.

On a non-whitelisted site you can still temporarily allow an individual embedded object with just one left click on its placeholder (screenshot). The movie/applet/clip will stay enabled until the end of the session or until you Revoke Temporary Permissions.
Middle clicking on an object placeholder opens it in a window of its own.
Right clicking on an object placeholder opens the context menu for links, allowing you to save the content with Save Link As....
Holding down the Shift key and clicking on an object placeholder temporarily hides it.

You can also use the Blocked Objects menu to find out which content instances you're blocking even if their placeholder is not easily visible, and/or enable them individually, per site or per type.

It's worth noticing that while early NoScript versions used to block plugin content objects checking exclusively their origin, i.e. the site where they were downloaded from, most recent NoScript versions check also the parent site which is embedding the content: a non-whitelisted site won't be able to run a plugin content piece, even if coming from a trusted site, unless you explictly unblock it through its placeholder or the Blocked Objects menu.
This behavior is meant to provide effective protection against Flash-based XSS. Reverting to the old behavior is possible, even if not recommended: just switch the noscript.forbidActiveContentParentTrustCheck about:config preference to false.

The same blocking treatment can be reserved to IFRAMEs as well, especially to defeat clickjacking. Please read this FAQ for more details.

Finally, toggling NoScript Options/Embeddings/Apply these restrictions to whitelisted sites too extends the embedded content restrictions set for untrusted sites also to "trusted" pages which are in your whitelist, turning NoScript in a general content blocker for Java, Silverlight, Flash and other embeddings, functionally similar to FlashBlock.

You can configure some exception to the forbidden embeddings (both plugins and frames) by setting the noscript.allowedMimeRegExp about:config preference to a number of space-separated regular expressions matching the content types you want to allow (the patterns get automatically anchored, both left and right). For instance, setting it to "application/pdf application/x-silverlight" will let PDF documents and Silverlight applets load automatically on every site.

You can restrict the execution to some sites only by matching the concatenation of the mime type with the URL(s) of the content to be executed. For example, if you want to permanently authorize any Flash movie from Youtube, you'll need to add a pattern like "application/x-shockwave-flash@https?://[^/]+\.(?:youtube|ytimg)\.com".

If you want to match any frame (IFRAMEs or FRAMEs) independently of its actual MIME content type, you can use the FRAME pseudo content type.

Other similar pseudo content-type to be used with this preference are

For example, setting the noscript.allowedMimeRegExp preference value to "FRAME@https?://somesite\.com FONT@https?://some-other-site\.com WebGL@https://www\.khronos\.org" will permanently allow any FRAME/IFRAME load from somesite.com, web fonts from some-other-site.com and WebGL 3D content from https://www.khronos.org.

Untrusted blacklist

Some sites, especially those serving ads, can appear in your "Allow ..." menu more often than you like, making it too much long and noisy.

If you know you don't want to allow a certain site now and in the foreseeable future, you can permanently mark it as untrusted: just click the NoScript icon, open the Untrusted menu and select the Mark bad-site.com as Untrusted menu item.

NoScript won't even propose you to allow it again and your NoScript will be even more clean and usable.

If you later change your mind, don't worry: just open the Untrusted menu again (on the same page), and you'll find the Allow bad-site.com command there.

This feature is especially useful if you decided to use the (not recommended) Temporarily allow top level sites by default or Allow Scripts Globally modes, because sites marked as untrusted won't be allowed anyway.

Advanced users: even though the untrusted sites blacklist has no listing UI of its own, you can mass-edit it either modifying the noscript.untrusted about:config preference or using the Import/Export functionality of the NoScript Options|Whitelist panel, knowing that the untrusted entries are exported under an [UNTRUSTED] header.

Anti-XSS protection

Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail).

This kind of vulnerability, often overlooked, is very widespread and becoming highly popular among hackers: someone even bothered to write a JavaScript-based bot, called Jikto, turning your browser into a zombie which relentlessly sends automated XSS attacks all around. Of course this tool has been built "for research purpose", but its code unfortunately appears to be leaked in the wild, so anybody can take advantage of it, now...

NoScript XSS notification and its menu NoScript features unique Anti-XSS counter-measures against XSS Type 0 (DOM based) and XSS Type 1 (Reflective, absolutely the most common) attacks targeted to whitelisted sites.

Whenever a certain site tries to inject JavaScript code inside a different trusted (whitelisted and JavaScript enabled) site, NoScript filters the malicious request neutralizing its dangerous load.

Then a yellow notification bar displays a message like
"NoScript filtered a potential cross-site scripting (XSS) attempt from [some-evil-url.com]. Technical details have been logged to the Console."
On the left side of this bar there's also an "Options..." button: if you click it, you can choose among the following actions:

The specific Anti-XSS counter-measures are controlled by the NoScript Options|Advanced|XSS options.
Both these options are enabled by default for your maximum protection.

By default, Anti-XSS protection automatically filters the requests from untrusted origins to trusted destinations, considering trusted either "Allow"ed or "Temporary allow"ed sites. If you prefer "Temporarily allow"ed sites to be still considered as untrusted origins from the XSS point of view, you just need to set about:config noscript.xss.trustTemp preference to false.

Furthermore, NoScript's sophisticated InjectionChecker engine checks also all the requests started from whitelisted origins for suspicious patterns landing on different trusted sites: if a potential XSS attack is detected, even if coming from a trusted source, Anti-XSS filters are promptly triggered.

This feature can be tweaked by changing the value of the noscript.injectionCheck about:config preference as follows:

  0 - never check
  1 - check cross-site requests from temporary allowed sites
  2 - check every cross-site request (default)
  3 - check every request

NoScript's Anti-XSS filters have been deeply tested and proved their ability to defeat every known reflective XSS technique, but their power is a double-edged sword: sometime they may detect a weird looking but legitimate request as a "potential XSS attempt". This should almost never be a show stopper, since the filter most of the time doesn't prevent you from navigating the filtered page, but the aforementioned Unsafe reload command and the XSS Advanced Options have been made easily accessible so you can work-around if you hit a false positive with side effects. Just please notify me when it happens, possibly reporting the messages NoScript logged (the lines starting with "[NoScript XSS]" in the Error Console), so I can keep tweaking NoScript's "XSS sensibility" as needed.

NoScript also protects against most XSS Type 2 (Persistent) attacks: in facts, the exploited vulnerabilities usually impose space constraints, therefore the attacker is often forced to rely on the inclusion of external scripts or IFrames from origins which are already blocked by default.

While Cross-Site Scripting (XSS) vulnerabilities need to be fixed by the web developers, users can finally do something to protect themselves: NoScript is the only effective defense available to "web-consumers", waiting for "web-providers" to clean up their mess.

See also the NoScript XSS FAQ.


Most NoScript options are quite simple and self explanatory.

Default values are almost always OK, however you may find useful knowing about these:

Some about:config preference you may want to know are:


NoScript is currently translated in the following languages:

  1. Arabic (thanks Nassim Dhaher & Khaled Hosny)
  2. Belarusian (thanks Drive DRKA)
  3. Bengali (thanks swarnava)
  4. Bulgarian (thanks Georgi Marchev)
  5. Catalan (thanks Joan-Josep Bargues)
  6. Chinese Simplified (thanks blackdire)
  7. Chinese Traditional (thanks Chiu Po Jung and FreeXD)
  8. Croatian translation (thanks Stiepan A. Kovac)
  9. Czech (thanks drAcOniS and Petr Jirsa)
  10. Danish (thanks Jørgen Rasmussen, roellum and Carsten Winkler)
  11. Dutch (thanks Liesbeth)
  12. English GB (thanks Ian Moody)
  13. Estonian (thanks aivo)
  14. English (thanks William Shakespeare)
  15. Finnish (thanks Mika Pirinen)
  16. French (thanks Xavier Robin)
  17. Galician (thanks roebek)
  18. German (thanks Thomas Weber & Volker Hable)
  19. Greek (thanks Sonickydon)
  20. Hebrew (thanks Asaf Bartov)
  21. Hungarian (thanks Mikes Kaszmán István and LocaLiceR)
  22. Indonesian(thanks regfreak)
  23. Italian (thanks Dante Alighieri)
  24. Japanese (thanks Haebaru & Beerboy)
  25. Kazakh (thanks Baurzhan Muftakhidinov)
  26. Lithuanian (thanks Algimantas Margevičius & Mindaugas Jakutis)
  27. Macedonian (thanks to Ivan Jonoski)
  28. Malay translation (thanks Joshua Issac)
  29. Norwegian bokmål (thanks Håvard Mork)
  30. Persian (thanks Pedram Veisi)
  31. Polish (thanks Lukasz Biegaj)
  32. Portuguese (thanks Dario Ornelas)
  33. Portuguese/Brazil (thanks Raryel Costa Souza)
  34. Romanian (thanks Ultravioletu)
  35. Russian (thanks Alexander Sokolov)
  36. Simplified Chinese (thanks George C. Tsoi)
  37. Slovak (thanks SlovakSoft)
  38. Slovenian(thanks Tomaž Mačus)
  39. Swedish (thanks jameka)
  40. Spanish (thanks Alberto Martínez, EduLeo and Urko)
  41. Thai (thanks Qen)
  42. Traditional Chinese (thanks Chiu Po-Jung)
  43. Turkish (thanks Engin Yazılan and eveterinary)
  44. Ukrainian (thanks MozUA)
  45. Vietnamese (thanks tonynguyen and loveleeyoungae)

If you want to contribute another translation, please feel free to contact me.

Download in a Flash... with FlashGot!