NoScript

Last updated
NoScript
Original author(s) Giorgio Maone
Developer(s) Giorgio Maone
Initial releaseMay 13, 2005;18 years ago (2005-05-13) [1]
Stable release
11.4.29 [2] / 7 December 2023;5 months ago (7 December 2023)
Preview release
11.4.29rc5 / 7 December 2023;5 months ago (2023-12-07)
Repository https://github.com/hackademix/noscript
Written in JavaScript, XUL, CSS
Available in45 [3] languages
Type Browser extension
License GPLv2+
Website NoScript.net

NoScript (or NoScript Security Suite) is a free and open-source extension for Firefox- and Chromium-based web browsers, [4] written and maintained by Giorgio Maone, [5] a software developer and member of the Mozilla Security Group. [6]

Contents

Features

The classic NoScript menu in Firefox NoScript screenshot.png
The classic NoScript menu in Firefox

Active content blocking

By default, NoScript blocks active (executable) web content, which can be wholly or partially unblocked by allowlisting a site or domain from the extension's toolbar menu or by clicking a placeholder icon.

In the default configuration, active content is globally denied, although the user may turn this around and use NoScript to block specific unwanted content. The allowlist may be permanent or temporary (until the browser closes or the user revokes permissions). Active content may consist of JavaScript, web fonts, media codecs, WebGL, and Flash. The add-on also offers specific countermeasures against security exploits. [7]

Because many web browser attacks require active content that the browser normally runs without question, disabling such content by default and using it only to the degree that it is necessary reduces the chances of vulnerability exploitation. In addition, not loading this content saves significant bandwidth [8] and defeats some forms of web tracking.

NoScript is useful for developers to see how well their site works with JavaScript turned off. It also can remove many irritating web elements, such as in-page pop-up messages and certain paywalls, which require JavaScript in order to function.

NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1 [9] ) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.

NoScript's interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) that are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run. [10] With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.

On November 14, 2017, Giorgio Maone announced NoScript 10, which will be "very different" from 5.x versions, and will use WebExtension technology, making it compatible with Firefox Quantum. [11] On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is available for Firefox for Android. [12]

Anti-XSS protection

On April 11, 2007, NoScript 1.1.4.7 was publicly released, [13] introducing the first client-side protection against Type 0 and Type 1 cross-site scripting (XSS) ever delivered in a web browser.

Whenever a website tries to inject HTML or JavaScript code inside a different site (a violation of the same-origin policy), NoScript filters the malicious request and neutralizes its dangerous payload. [14]

Similar features have been adopted years later by Microsoft Internet Explorer 8 [15] and by Google Chrome. [16]

Application Boundaries Enforcer (ABE)

The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser.

This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g., plug-ins, webmail, online banking, and so on), according to policies defined directly by the user, the web developer/administrator, or a trusted third party. [17] In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications. [18]

ClearClick (anti-clickjacking)

NoScript's ClearClick feature, [19] released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e., from frames and plug-ins). [20]

This makes NoScript "the only freely available product which offers a reasonable degree of protection against clickjacking attacks. [21]

HTTPS enhancements

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be triggered either by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites that don't support Strict Transport Security yet. [22]

NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on. [23]

Awards

Conflicts

Conflict with Adblock Plus

In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an AdBlock Plus filter. [29] [30] The code implementing this workaround was "camouflaged" [29] to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications, [31] Maone removed the code and issued a full apology. [29] [32]

Conflict with Ghostery

In the immediate aftermath of the Adblock Plus incident, [33] a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software. [34] This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites". [33] In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site. [35] This conflict was resolved when Maone changed his site's CSS to move—rather than disable—the Ghostery notification. [36]

See also

Related Research Articles

<span class="mw-page-title-main">Firefox</span> Free and open-source web browser by Mozilla

Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and anticipated web standards. Firefox is available for Windows 10 or later versions, macOS, and Linux. Its unofficial ports are available for various Unix and Unix-like operating systems, including FreeBSD, OpenBSD, NetBSD, illumos, and Solaris Unix. It is also available for Android and iOS. However, as with all other iOS web browsers, the iOS version uses the WebKit layout engine instead of Gecko due to platform requirements. An optimized version is also available on the Amazon Fire TV as one of the two main browsers available with Amazon's Silk Browser.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

Pop-up ads or pop-ups are forms of online advertising on the World Wide Web. A pop-up is a graphical user interface (GUI) display area, usually a small window, that suddenly appears in the foreground of the visual interface. The pop-up window containing an advertisement is usually generated by JavaScript that uses cross-site scripting (XSS), sometimes with a secondary payload that uses Adobe Flash. They can also be generated by other vulnerabilities/security holes in browser security.

This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.

Mozilla Firefox has features which distinguish it from other web browsers, such as Google Chrome, Safari, and Microsoft Edge.

<span class="mw-page-title-main">Adblock Plus</span> Content-filtering and ad blocking browser extension

Adblock Plus (ABP) is a free and open-source browser extension for content-filtering and ad blocking. It is developed by Eyeo GmbH, a German software company. The extension has been released for Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, Safari, Yandex Browser, and Android.

<span class="mw-page-title-main">Greasemonkey</span> Userscript manager extension for Firefox

Greasemonkey is a userscript manager made available as a Mozilla Firefox extension. It enables users to install scripts that make on-the-fly changes to web page content after or before the page is loaded in the browser.

Add-on is the Mozilla term for software modules that can be added to the Firefox web browser and related applications. Mozilla hosts them on its official add-on website.

<span class="mw-page-title-main">Mozilla Application Suite</span> Discontinued Internet suite

The Mozilla Application Suite is a discontinued cross-platform integrated Internet suite. Its development was initiated by Netscape Communications Corporation, before their acquisition by AOL. It was based on the source code of Netscape Communicator. The development was spearheaded by the Mozilla Organization from 1998 to 2003, and by the Mozilla Foundation from 2003 to 2006.

In computer programming, monkey patching is a technique used to dynamically update the behavior of a piece of code at run-time. It is used to extend or modify the runtime code of dynamic languages such as Smalltalk, JavaScript, Objective-C, Ruby, Perl, Python, Groovy, and Lisp without altering the original source code.

Flashblock is a discontinued Flash content-filtering Firefox extension for Mozilla Firefox and SeaMonkey.

<span class="mw-page-title-main">Stylish (software)</span> User style manager

Stylish is a user style manager that can change the appearance of web pages in a user's browser without changing their content by including user-supplied CSS style sheets with those supplied by the web site itself. The Stylish browser extension includes tools with which to write user styles, and can install user styles written by other Stylish users from a companion website. These user styles may be more or less selective, targeting just one web page, or all of the pages on a domain, or every page on the web.

<span class="mw-page-title-main">Firebug (software)</span> Web development add-on for Firefox

Firebug is a discontinued free and open-source web browser extension for Mozilla Firefox that facilitated the live debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript.

<span class="mw-page-title-main">Firefox 4</span> Firefox browser released in 2011

Mozilla Firefox 4 is a version of the Firefox web browser, released on March 22, 2011. The first beta was made available on July 6, 2010; Release Candidate 2 was released on March 18, 2011. It was codenamed Tumucumaque, and was Firefox's last large release cycle. The Mozilla team planned smaller and quicker releases following other browser vendors. The primary goals for this version included improvements in performance, standards support, and user interface.

<span class="mw-page-title-main">Clickjacking</span> Malicious technique of tricking a Web user

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

uBlock Origin Web browser extension

uBlock Origin is a free and open-source browser extension for content filtering, including ad blocking. The extension is available for Chrome, Chromium, Edge, Firefox, Brave, Opera, Pale Moon, as well as versions of Safari before 13. uBlock Origin has received praise from technology websites and is reported to be much less memory-intensive than other extensions with similar functionality. uBlock Origin's stated purpose is to give users the means to enforce their own (content-filtering) choices.

References

  1. "Version 1.0". NoScript. Mozilla Addons. 2005-05-13. Archived from the original on 2018-10-02.
  2. Giorgio Maone (7 December 2023). "Release 11.4.29" . Retrieved 9 December 2023.
  3. Supported language on noscript.net.
  4. "NoScript Extension Officially Released for Google Chrome". ZDNet . Retrieved 2019-04-12.
  5. "Meet the NoScript Developer". Mozilla. Archived from the original on 2011-10-09. Retrieved 2011-09-27.
  6. "Mozilla Security Group". Mozilla. Archived from the original on June 29, 2011. Retrieved 2011-06-29.
  7. Scott Orgera. "NoScript". About.com. Archived from the original on 2010-12-20. Retrieved 2010-11-27.
  8. "The effect of Firefox addons on bandwidth consumption :: IANIX". ianix.com. Retrieved 2020-07-14.
  9. "NoScript Changelog 2.0.3rc1". noscript.net. Retrieved 16 March 2011.
  10. Brinkman, Martin (February 10, 2014). "The Firefox NoScript guide you have all been waiting for". GHacks.net. Retrieved 14 January 2017.
  11. Giorgio Maone (2017-11-14). "Double NoScript". Hackademix.net. Retrieved 2017-11-15.
  12. "Cosmetic Changes by Issa1553 · Pull Request #28 · hackademix/noscript". GitHub. Retrieved 2019-01-04.
  13. NoScript's first Anti-XSS release Mozilla Add-ons
  14. NoScript Features-Anti-XSS protection NoScript.net. Retrieved April 22, 2008.
  15. Nathan Mc Fethers (2008-07-03). "NoScript vs Internet Explorer 8 Filters". ZDNet. Retrieved 2010-11-27.
  16. Adam Barth (2010-01-26). "Security in Depth: New Security Features". Google. Retrieved 2010-11-27.
  17. Giorgio Maone. "Application Boundaries Enforcer (ABE)". NoScript.net. Retrieved 2010-08-02.
  18. Giorgio Maone (2010-07-28). "ABE Patrols Routes to Your Routers". Hackademix.net. Retrieved 2010-08-02.
  19. "NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - faq - InformAction".
  20. Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". Hackademix.net. Retrieved 2008-10-27.
  21. Michal Zalewski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 2008-10-27.
  22. NoScript FAQ: HTTPS NoScript.net. Retrieved August 2, 2010.
  23. HTTPS Everywhere
  24. PC World Award Archived 2011-08-28 at the Wayback Machine pcworld.com. Retrieved April 22, 2008.
  25. About.com 2008 Best Security Add-On Award Archived 2011-03-23 at the Wayback Machine about.com. Retrieved August 2, 2010.
  26. Best Privacy/Security Add-On 2010 Archived 2010-03-04 at the Wayback Machine about.com. Retrieved August 2, 2010.
  27. Best Privacy/Security Add-On 2011 Archived 2011-03-17 at the Wayback Machine about.com. Retrieved March 20, 2011.
  28. Security Innovation Grant Winner Announcement Archived 2015-02-12 at the Wayback Machine Dragon Research Group. Retrieved July 17, 2011.
  29. 1 2 3 Goodin, Dan. "Firefox users caught in crossfire of warring add-ons". The Register. Retrieved 19 May 2013.
  30. "Extension wars – NoScript vs. AdblockPlus". Ajaxian. Retrieved 19 May 2013.
  31. "No Surprises". 2009-05-01.
  32. Dear Adblock Plus and NoScript Users, Dear Mozilla Community
  33. 1 2 Attention all NoScript users [ permanent dead link ]
  34. Greg Yardley (2009-05-04). "When blockers block the blockers". yardlay.ca. Archived from the original on 2009-05-08.
  35. NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04)
  36. NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.