Original author(s) | Giorgio Maone |
---|---|
Developer(s) | Giorgio Maone |
Initial release | May 13, 2005 [1] |
Stable release | 11.5.2 [2] / 31 October 2024 |
Preview release | 11.5.0rc1 / 26 October 2024 |
Repository | https://github.com/hackademix/noscript |
Written in | JavaScript, XUL, CSS |
Available in | 45 [3] languages |
Type | Browser extension |
License | GPLv2+ |
Website | NoScript.net |
NoScript (or NoScript Security Suite) is a free and open-source extension for Firefox- and Chromium-based web browsers, [4] written and maintained by Giorgio Maone, [5] a software developer and member of the Mozilla Security Group. [6]
By default, NoScript blocks active (executable) web content, which can be wholly or partially unblocked by allowlisting a site or domain from the extension's toolbar menu or by clicking a placeholder icon.
In the default configuration, active content is globally denied, although the user may turn this around and use NoScript to block specific unwanted content. The allowlist may be permanent or temporary (until the browser closes or the user revokes permissions). Active content may consist of JavaScript, web fonts, media codecs, WebGL, and Flash. The add-on also offers specific countermeasures against security exploits. [7]
Because many web browser attacks require active content that the browser normally runs without question, disabling such content by default and using it only to the degree that it is necessary reduces the chances of vulnerability exploitation. In addition, not loading this content saves significant bandwidth [8] and defeats some forms of web tracking.
NoScript is useful for developers to see how well their site works with JavaScript turned off. It also can remove many irritating web elements, such as in-page pop-up messages and certain paywalls, which require JavaScript in order to function.
NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1 [9] ) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.
NoScript's interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) that are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run. [10] With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.
On November 14, 2017, Giorgio Maone announced NoScript 10, which will be "very different" from 5.x versions, and will use WebExtension technology, making it compatible with Firefox Quantum. [11] On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is available for Firefox for Android. [12]
On April 11, 2007, NoScript 1.1.4.7 was publicly released, [13] introducing the first client-side protection against Type 0 and Type 1 cross-site scripting (XSS) ever delivered in a web browser.
Whenever a website tries to inject HTML or JavaScript code inside a different site (a violation of the same-origin policy), NoScript filters the malicious request and neutralizes its dangerous payload. [14]
Similar features have been adopted years later by Microsoft Internet Explorer 8 [15] and by Google Chrome. [16]
The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser.
This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g., plug-ins, webmail, online banking, and so on), according to policies defined directly by the user, the web developer/administrator, or a trusted third party. [17] In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications. [18]
NoScript's ClearClick feature, [19] released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e., from frames and plug-ins). [20]
This makes NoScript "the only freely available product which offers a reasonable degree of protection against clickjacking attacks." [21]
NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be triggered either by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites that don't support Strict Transport Security yet. [22]
NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on. [23]
In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an AdBlock Plus filter. [29] [30] The code implementing this workaround was "camouflaged" [29] to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications, [31] Maone removed the code and issued a full apology. [29] [32]
In the immediate aftermath of the Adblock Plus incident, [33] a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software. [34] This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites". [33] In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site. [35] This conflict was resolved when Maone changed his site's CSS to move—rather than disable—the Ghostery notification. [36]
Mozilla Firefox, or simply Firefox, is a free and open source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and anticipated web standards. Firefox is available for Windows 10 and later versions of Windows, macOS, and Linux. Its unofficial ports are available for various Unix and Unix-like operating systems, including FreeBSD, OpenBSD, NetBSD, and other platforms. It is also available for Android and iOS. However, as with all other iOS web browsers, the iOS version uses the WebKit layout engine instead of Gecko due to platform requirements. An optimized version is also available on the Amazon Fire TV as one of the two main browsers available with Amazon's Silk Browser.
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.
Pop-up ads or pop-ups are forms of online advertising on the World Wide Web. A pop-up is a graphical user interface (GUI) display area, usually a small window, that suddenly appears in the foreground of the visual interface. The pop-up window containing an advertisement is usually generated by JavaScript that uses cross-site scripting (XSS), sometimes with a secondary payload that uses Adobe Flash. They can also be generated by other vulnerabilities/security holes in browser security.
This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.
Adblock Plus (ABP) is a free and open-source browser extension for content-filtering and ad blocking. It is developed by Eyeo GmbH, a German software company. The extension has been released for Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, Safari, Yandex Browser, and Android.
Greasemonkey is a userscript manager made available as a Mozilla Firefox extension. It enables users to install scripts that make on-the-fly changes to web page content after or before the page is loaded in the browser.
Add-on is the Mozilla term for software modules that can be added to the Firefox web browser and related applications. Mozilla hosts them on its official add-on website.
The Mozilla Application Suite is a discontinued cross-platform integrated Internet suite. Its development was initiated by Netscape Communications Corporation, before their acquisition by AOL. It was based on the source code of Netscape Communicator. The development was spearheaded by the Mozilla Organization from 1998 to 2003, and by the Mozilla Foundation from 2003 to 2006.
In computer programming, monkey patching is a technique used to dynamically update the behavior of a piece of code at run-time. It is used to extend or modify the runtime code of dynamic languages such as Smalltalk, JavaScript, Objective-C, Ruby, Perl, Python, Groovy, and Lisp without altering the original source code.
Flashblock is a discontinued Flash content-filtering Firefox extension for Mozilla Firefox and SeaMonkey.
Firebug is a discontinued free and open-source web browser extension for Mozilla Firefox that facilitated the live debugging, editing, and monitoring of any website's CSS, HTML, DOM, XHR, and JavaScript.
Mozilla Firefox 4 is a version of the Firefox web browser, released on March 22, 2011. The first beta was made available on July 6, 2010; Release Candidate 2 was released on March 18, 2011. It was codenamed Tumucumaque, and was Firefox's last large release cycle. The Mozilla team planned smaller and quicker releases following other browser vendors. The primary goals for this version included improvements in performance, standards support, and user interface.
Mozilla Firefox 2 is a version of Firefox, a web browser released on October 24, 2006 by the Mozilla Corporation.
Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.
Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.
Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.
Self-XSS is a type of security vulnerability used to gain control of victims' web accounts. In a Self-XSS attack, the victim of the attack runs malicious code in their own web browser, thus exposing personal information to the attacker.
uBlock Origin is a free and open-source browser extension for content filtering, including ad blocking. The extension is available for Chrome, Chromium, Edge, Firefox, Brave, Opera, Pale Moon, as well as versions of Safari before 13. uBlock Origin has received praise from technology websites and is reported to be much less memory-intensive than other extensions with similar functionality. uBlock Origin's stated purpose is to give users the means to enforce their own (content-filtering) choices.