I have been warning of the dangers of JavaScript on the web for quite some time now (see the related articles at the bottom of this article). I have also always said that it is unrealistic to expect people to turn JS off completely. Hence my advice has always been the same: use Firefox, and use the NoScript add-on. However, I have never actually done a proper review of NoScript, until now.

Initially NoScript was only for blocking JavaScript, but it is an add-on under active development and has evolved a lot. It can now block all browser plugins on untrusted sites, not just JS. From a security point of view, the added ability to block Java, Flash and all other plugins has greatly increased the effectiveness of this tool. However, somewhat disappointingly, the default settings only protect you from JS and Java, not from Flash or other plugins.

Basic Operation

NoScript works similarly to the popup blocker built into Firefox. It uses a similar information bar to tell you when it has blocked scripts and to let you change the settings for the site in question. The big difference is that the NoScript bar is at the bottom rather than the top. Like the popup blocker, NoScript lets you white-list the sites from which you will allow scripts etc. However, it also has an extra list which the popup blocker does not have: a black-list, or list of untrusted sites, to which you can add the sites you want blocked silently. This means that once you have been running NoScript for a while, and it has learned which sites you trust and which you don't, it gets out of your way more than the popup blocker does. Another very nice feature that NoScript has, and the popup blocker lacks, is the ability to temporarily trust a site. The site is then trusted for this session only; once you close the browser it is no longer trusted. This is a great way to stop sites you merely stumble across from needlessly cluttering your white-list.

All in all, the interface to NoScript has been very well thought out and works perfectly. Below are some screenshots of NoScript in action.

[Screenshot: NoScript in action]

[Screenshot: NoScript in action 2]

Tweaking the Settings

The default settings are almost perfect, but not quite. By default, JavaScript and Java are blocked on all sites that are not explicitly trusted; however, Flash and other plugins are allowed on all sites. Considering that Flash is actually a specialised version of JavaScript, and that video plugins have been responsible for a number of recent security problems on the web, this no longer seems a wise decision. Only two very minor changes to the basic settings are needed to give you the optimum protection. To edit the settings, click on the NoScript icon in the right-hand corner of the status bar at the bottom of the window and select Options ... from the popup menu. This opens the NoScript settings window. Choose the Advanced tab and, within that tab, the Untrusted sub-tab. In this sub-tab place a check mark next to Forbid Macromedia Flash and Forbid other plugins, then click OK.

[Screenshot: NoScript - Edit Settings Step 1]

[Screenshot: NoScript - Edit Settings Step 2]
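To make the policy described in the Basic Operation and Tweaking the Settings sections concrete, here is a small model of it. This is an added example written for this review, not NoScript's own code or its real settings format: the capability names, the two "untrusted site" profiles (the default one that still allows Flash and other plugins, and the hardened one after the two changes above), the subdomain matching rule and the site names are all assumptions made for illustration.

```javascript
// Added example: a model of NoScript's per-site policy as described in the
// review. Capability names, profiles, matching rule and site names are
// assumptions for illustration, not NoScript's real implementation.

const CAPABILITIES = ["javascript", "java", "flash", "otherPlugins"];

// What a site that is NOT on the allow-list may run.
// Default profile described in the review: only JavaScript and Java blocked.
const DEFAULT_UNTRUSTED_PROFILE = { javascript: false, java: false, flash: true, otherPlugins: true };
// Hardened profile after "Forbid Macromedia Flash" and "Forbid other plugins".
const HARDENED_UNTRUSTED_PROFILE = { javascript: false, java: false, flash: false, otherPlugins: false };

class SitePolicy {
  constructor(untrustedProfile = HARDENED_UNTRUSTED_PROFILE) {
    this.untrustedProfile = { ...untrustedProfile };
    this.trusted = new Set();        // permanent allow-list (white-list)
    this.untrusted = new Set();      // permanent block-list, blocked silently
    this.sessionTrusted = new Set(); // "temporarily allow", cleared when the browser closes
  }

  static hostOf(url) {
    return new URL(url).hostname.toLowerCase();
  }

  // Assumed matching rule: a list entry covers the host itself and any subdomain.
  static matches(list, host) {
    for (const entry of list) {
      if (host === entry || host.endsWith("." + entry)) return true;
    }
    return false;
  }

  trust(site) { this.trusted.add(site); this.untrusted.delete(site); }
  distrust(site) {
    this.untrusted.add(site);
    this.trusted.delete(site);
    this.sessionTrusted.delete(site);
  }
  trustTemporarily(site) { this.sessionTrusted.add(site); }
  endSession() { this.sessionTrusted.clear(); } // temporary trust does not survive a restart

  // "trusted", "untrusted" (explicitly on the block-list) or "unknown" (on no list).
  // The block-list wins, so a distrusted subdomain of a trusted site stays blocked.
  classify(url) {
    const host = SitePolicy.hostOf(url);
    if (SitePolicy.matches(this.untrusted, host)) return "untrusted";
    if (SitePolicy.matches(this.trusted, host) || SitePolicy.matches(this.sessionTrusted, host)) {
      return "trusted";
    }
    return "unknown";
  }

  // May `capability` run for content served from `url`?
  // Trusted sites get everything; everyone else gets the untrusted profile.
  allows(url, capability) {
    if (!CAPABILITIES.includes(capability)) throw new Error("unknown capability: " + capability);
    if (this.classify(url) === "trusted") return true;
    return this.untrustedProfile[capability];
  }

  // Should the information bar appear? Only for sites on no list that had
  // something blocked; explicitly distrusted sites are blocked without a prompt.
  shouldNotify(url, requestedCapabilities) {
    if (this.classify(url) !== "unknown") return false;
    return requestedCapabilities.some((c) => !this.allows(url, c));
  }
}

// Constructed walk-through (sample site names are made up).
const policy = new SitePolicy(HARDENED_UNTRUSTED_PROFILE);
policy.trust("bank.example");              // permanently white-listed
policy.distrust("ads.example");            // permanently black-listed, silent
policy.trustTemporarily("video.example");  // this session only
console.log(policy.allows("https://www.bank.example/login", "javascript"));   // true
console.log(policy.allows("https://cdn.video.example/player", "flash"));      // true (session)
console.log(policy.shouldNotify("https://ads.example/", ["javascript"]));     // false (silent)
console.log(policy.shouldNotify("https://unknown.example/", ["javascript"])); // true (bar shown)
policy.endSession();
console.log(policy.allows("https://cdn.video.example/player", "flash"));      // false
```

The point of the two profiles is the one the section makes: with the default profile an unknown site still gets Flash and other plugins, so the block-list and the information bar only ever concern scripts; with the hardened profile everything is default-deny and trust is granted per site, permanently or for the session.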

A Word of Warning

NoScript is not like a virus scanner: simply having it installed is not enough to protect you. You need to use it wisely. If you allow all sites, you may as well not have it installed! Only allow sites you trust! Also, bear in mind that some sites are inherently more dangerous than others. The most dangerous type of site is one where users can upload their own content. In other words, it is places like MySpace where you are particularly at risk. These are high-profile targets for attackers and have already been successfully used in the recent past to spread viruses via browser plugins (in particular the Apple QuickTime plugin). NoScript gives you the power to choose which sites to trust. The protection it gives you is directly related to the wisdom with which you use it! Think twice before trusting a site.

Related Articles