
NoScript guide for Firefox 57+


vissha


A complete NoScript Security suite extension guide for the Firefox web browser version 57 and newer.

 

The developer of the popular Firefox security add-on NoScript launched a Firefox 57 compatible version of the extension shortly after the release of the Firefox 57 browser.

 

He worked with Mozilla to create the new version of NoScript and implemented options to migrate settings from classic versions of NoScript to the new version.

The initial version received mixed reviews. Some users heralded the effort and were happy that NoScript was available for Firefox 57 and newer; others did not like the new user interface or criticized missing functionality.

 

Now that the dust has settled, it is time to publish an updated guide for NoScript for Firefox 57 or newer.

The NoScript for Firefox guide


NoScript Security Suite is a browser extension for the Firefox web browser designed to give users control over the content that sites may run. The extension blocks JavaScript execution by default, which improves security and privacy significantly. NoScript also includes XSS and clickjacking attack protections and other security-enhancing features.

The NoScript interface


The main interface of the extension changed completely in the new version. The classic version of NoScript listed connections in a list view on activation; the new version uses a matrix instead, similar to how uMatrix handles connections.

 

The interface displays a button toolbar at the top and below it the list of domains. NoScript lists the current domain at the top all the time and below it the third-party connections of the page.

 

The padlock symbol displayed next to domains indicates that the connection to it uses HTTPS. Note that the padlock symbol is not displayed for some trust levels.

Setting trust levels for domains


Each domain listed by NoScript in its interface has a trust level associated with it.

  • Default -- JavaScript execution is blocked as are objects, media, fonts, and WebGL.
  • Trusted -- Allow JavaScript execution and other elements.
  • Trusted Temporarily -- Allow JavaScript execution and the loading of other elements for the session or until revoked, whichever comes first.
  • Untrusted -- Everything is blocked.
  • Custom -- Gives you options to allow or disallow elements individually. You may make these temporary by clicking on the "nearly invisible" temp button next to custom.

Each domain listed by NoScript has one trust level associated with it. A click on another trust level in a row switches it to the new one automatically.

The NoScript options reveal the preset permissions for "default", "trusted", and "untrusted".

 


There you may also change the default presets by adding or removing checkmarks. The elements that NoScript distinguishes between are:

  • Script -- Any type of script the site attempts to execute.
  • Object -- The HTML object tag.
  • Media -- Media elements.
  • Frame -- Frames that the site attempts to load.
  • Font -- Font elements.
  • WebGL -- WebGL elements.
  • Fetch -- requests that use fetch APIs.
  • Other -- unknown.

The button toolbar

Seven buttons are displayed on the button toolbar in the latest version of NoScript for Firefox. They are, from left to right:

  • Close the interface.
  • Reload the page.
  • Open the Options.
  • Disable restrictions globally.
  • Disable restrictions for this tab.
  • Set all on the page to temporarily trusted.
  • Revoke temporary permissions.

NoScript adds a context menu item to the right-click menu automatically. It has limited use though; a click on it displays the main NoScript interface at the top of the browser UI. You can disable the context menu entry in the options.

Using NoScript

Understanding how NoScript trust levels work is essential to using the extension to its fullest potential.

 

NoScript indicates blocked items in its icon when you load sites in the Firefox browser. A click on the icon displays the connections the extension recognized and trust levels for each site. Note that these may not be all connections a site makes. Since you don't allow the execution of scripts by default, sites may not be able to initiate all third-party connections right away.

 

If you allow scripts to run on the main domain, you may notice that it attempts to make additional connections when those get loaded.

 

Tip: Hover over any domain listed by NoScript and click on it to open a page full of links to privacy and security services that display information about the domain.

 

It may not be necessary to make any changes to trust levels if the site functions properly. You may notice however that some features may not work properly on first connect.

 

Since scripts and other elements are blocked by default, you may notice all sorts of issues related to that. Sites use scripts and other elements for a variety of things, from verifying form submissions and playing videos to often unwanted things such as advertisement or tracking.

 

Changing a domain's trust level to "trusted" or "temporarily trusted" allows it to load additional elements, whereas a trust level of "untrusted" blocks even more elements.

 

Note that "trusted" and "untrusted" are permanent changes that remain in place until you change them.

 

Troubleshooting a site comes into play when you notice that site functionality is not available and suspect it is because of the protections that NoScript provides.

 

You have a couple of options to deal with the issue. You could temporarily allow a domain or use the custom trust level to set permissions individually for elements.

 

I'm not a fan of using the "allow all globally" or "allow all for the tab" options as they are often too broad. While they are comfortable, as you only need to press some buttons to get sites to work, using them eliminates most of the protective functionality of NoScript.

 


NoScript comes with a whitelist that includes sites by default. You may want to check it in the options under "per-site permissions" to make sure that you trust them all. There is unfortunately no option to remove sites that are on the list by default but you can change the level from trusted to default or even untrusted.

 

If you migrated from a previous version of NoScript, you should see all custom sites there.

 

Check out our guide on using NoScript efficiently for tips on getting the most out of the extension. It offers ten tips, for instance what you may want to do if a site does not load properly with NoScript enabled.

The options


The options are somewhat limited at this point in time, especially when you compare them to the options of the classic version of NoScript.

 

The NoScript settings are divided into four tabs right now that offer the following functionality:

  • General -- Configure preset permissions for the states Default, Trusted, and Untrusted. Also, enable "disable restrictions globally" and "temporarily set top-level sites to Trusted".
  • Per-site Permissions -- displays all custom (non-default) permissions. Search included.
  • Appearance -- hide the context menu item, disable the count badge of the icon, and enable the listing of full addresses in the permissions popup.
  • Advanced -- manage XSS protection and enable debugging.

Options can be reset, imported, or exported.
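The whitelist review and the preset permissions described in this guide can be checked offline against an exported settings file. The JavaScript below is an added example, not part of the original post and not NoScript's own code. It assumes the export is JSON with a `policy` object holding `DEFAULT`, `TRUSTED` and `UNTRUSTED` presets (each with a `capabilities` array), a `sites` object with `trusted`, `untrusted` and `custom`, and an `enforced` flag; verify those key names against your own export. The sample data is constructed.

```javascript
// Added example: audit an exported NoScript settings file for loosened policy.
// ASSUMPTION: key names (policy, sites, capabilities, enforced) follow SAMPLE_EXPORT.
const BLOCKED_BY_DEFAULT = ["script", "object", "media", "font", "webgl"]; // per the guide

// Constructed sample export; all domains are placeholders.
const SAMPLE_EXPORT = JSON.stringify({
  policy: {
    DEFAULT: { capabilities: ["frame", "fetch", "other"] },
    TRUSTED: { capabilities: ["script", "object", "media", "frame", "font", "webgl", "fetch", "other"] },
    UNTRUSTED: { capabilities: [] },
    sites: {
      trusted: ["example.com", "cdn.example.net"],
      untrusted: ["tracker.example"],
      custom: { "video.example": { capabilities: ["script", "media"] }, "fonts.example": { capabilities: ["font"] } },
    },
    enforced: true, // false would mean "disable restrictions globally" is on (assumed meaning)
  },
});

// Returns a list of findings; `reviewed` is the set of sites you have consciously approved.
function auditNoScriptExport(text, reviewed = []) {
  let policy;
  try {
    policy = JSON.parse(text).policy;
  } catch (e) {
    return [{ level: "error", item: "file", note: "not a JSON settings object" }];
  }
  if (!policy || !policy.sites) {
    return [{ level: "error", item: "file", note: "no policy.sites section found" }];
  }
  const findings = [];
  const add = (level, item, note) => findings.push({ level, item, note });
  const caps = (p) => (p && Array.isArray(p.capabilities) ? p.capabilities : []);

  if (policy.enforced === false) add("high", "global", "restrictions disabled globally");
  // The Default preset should not grant anything the guide lists as blocked by default.
  const loosened = caps(policy.DEFAULT).filter((c) => BLOCKED_BY_DEFAULT.includes(c));
  if (loosened.length) add("high", "DEFAULT preset", "allows " + loosened.join(", "));
  // Untrusted is meant to block everything.
  if (caps(policy.UNTRUSTED).length) add("high", "UNTRUSTED preset", "allows " + caps(policy.UNTRUSTED).join(", "));
  // Permanently trusted sites (including shipped defaults) that nobody reviewed.
  for (const site of policy.sites.trusted || []) {
    if (!reviewed.includes(site)) add("review", site, "permanently trusted, not on reviewed list");
  }
  // Custom entries that quietly grant script execution.
  for (const [site, perms] of Object.entries(policy.sites.custom || {})) {
    if (caps(perms).includes("script")) add("review", site, "custom level allows script");
  }
  return findings;
}
```

Run it with Node.js against the text of your own export, passing the list of sites you have deliberately approved as the second argument.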
