| Developer(s) | InformAction, Giorgio Maone |
|---|---|
| Stable release | 1.9.9.27 / 2009-12-18 |
| Operating system | Microsoft Windows, GNU/Linux, and Mac OS X |
| Available in | 43 Languages |
| Type | Mozilla extension |
| License | GPL |
| Website | noscript.net |
NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, Flock and other Mozilla-based web browsers. NoScript allows JavaScript, Java, Flash, Silverlight and other plugins and scripted content to be selectively executed based on a whitelist.[1]
Features
Security and usage
After installation, JavaScript, Java, Flash, Silverlight and other executable content is blocked by default in Firefox. This content can later be allowed to execute when given explicit permission by the user.[2]
NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays every site whose content is being either blocked or allowed for the current page being viewed, with options to allow the blocked content or forbid the allowed content.
Site matching and whitelisting
For each site, the exact address, exact domain, or parent domain can be allowed, after which its content will be executed. Enabling a domain (e.g. mozilla.org) implicitly enables all its subdomains (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. http and https). Enabling an address (protocol://host, e.g. http://www.mozilla.org) enables its subdirectories (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but not its domain ancestors or its siblings. Therefore, enabling http://www.mozilla.org does not automatically enable mozilla.org or addons.mozilla.org.[3]
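The matching rules described above, written out as an added JavaScript example (not NoScript's own code). The function names, the sample whitelist entries and the look-alike host evilmozilla.org are constructed for illustration, and ports are ignored.

```javascript
// Added illustration of the site-matching rules; not NoScript's implementation.
// An entry is a bare domain ("mozilla.org") or an address ("http://www.mozilla.org").

function parseEntry(entry) {
  const e = entry.trim().toLowerCase();
  if (e.includes("://")) {
    const u = new URL(e);
    // Address entry: pins the protocol and the exact host (port ignored here).
    return { kind: "address", protocol: u.protocol, host: u.hostname };
  }
  // Domain entry: the domain and all of its subdomains, on any protocol.
  return { kind: "domain", host: e.replace(/\.$/, "") };
}

function entryMatches(entry, url) {
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (entry.kind === "address") {
    // Any path under the address matches; ancestors and siblings do not.
    return url.protocol === entry.protocol && host === entry.host;
  }
  // Match on a label boundary so "evilmozilla.org" never passes as "mozilla.org".
  return host === entry.host || host.endsWith("." + entry.host);
}

// Default deny: content from a URL runs only if a whitelist entry matches it.
function isAllowed(whitelist, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable URLs stay blocked
  }
  return whitelist.map(parseEntry).some((entry) => entryMatches(entry, url));
}

// Constructed sample URLs checked against a domain entry and an address entry.
const samples = [
  "https://addons.mozilla.org/firefox",
  "http://www.mozilla.org/thunderbird",
  "https://www.mozilla.org/firefox",
  "http://mozilla.org/",
  "https://evilmozilla.org/",
];
for (const s of samples) {
  const byDomain = isAllowed(["mozilla.org"], s);
  const byAddress = isAllowed(["http://www.mozilla.org"], s);
  console.log(`${s}  domain entry: ${byDomain}  address entry: ${byAddress}`);
}
```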
Untrusted blacklist
Sites can also be blacklisted with NoScript. Blacklisting a site not only blocks it from executing scripted content, but also removes the option of allowing it to execute said content.[4]
Anti-XSS protection
On April 11, 2007, NoScript 1.1.4.7 was publicly released,[5] introducing client-side protection against Type 0 and Type 1 cross-site scripting (XSS). Whenever a web site tries to inject HTML or JavaScript code inside a different site, NoScript filters the malicious request, neutralizing its dangerous payload.[6]
Award
NoScript was named as one of the 100 Best Products of 2006 by PC World.[7]
Criticism
Blocking in general
NoScript's default behavior is to block all scripts that are not whitelisted. This may prevent a large number of sites from working due to their reliance on JavaScript technologies such as Ajax. Inexperienced users may find this behavior overkill, unnecessary, or tedious despite the additional security.[8] However, NoScript also supports an optional blacklist mode: users can choose to enable scripts globally and disable them on selected sites which they do not trust. Even in this configuration, NoScript still provides a significant security enhancement because its anti-XSS, anti-CSRF and anti-clickjacking features remain active.
NoScript exceptions
As of May 2009, the default NoScript whitelist contained some of the sites of the extension's developer and some domains of Google (including the one necessary to display Google AdSense advertisements), Yahoo!, and Microsoft. The AJAX webmail services of these providers may be the only way of using e-mail familiar to some users, who could otherwise unintentionally lock themselves out by installing NoScript. The whitelist can be edited in the Options dialog, as explained at the extension's official site.[9]
Adblock Plus
On May 1, 2009, Wladimir Palant, the author of Adblock Plus, another well-known Firefox extension, announced that, one week earlier, NoScript version 1.9.2 had started interfering with Adblock Plus, allowing NoScript's sponsor's sites to be interpreted and displayed without the consent of Adblock Plus or the user. Palant said that NoScript had been using obfuscated code, relying on Unicode hex encoding, to avoid detection of this modification.[10][11] Almost immediately, Mozilla Add-ons decided to change its guidelines regarding add-on modifications.[12]
The April 30 version 1.9.2.3 update to NoScript, though, had already replaced the allegedly obfuscated code with a user-visible and documented[13] Adblock Plus filterset whitelisting NoScript's sites. Wladimir Palant pointed out that this filterset kept being re-added on each startup even though it was deleted by the user, but this was likely just an unintentional bug, since the whitelist could still be disabled permanently and/or overridden by the user's own blocking filters as explained in NoScript's FAQ.[13]
Some hours later, on May 2, 2009, a further automatic NoScript update (version 1.9.2.6) completely removed the Adblock Plus whitelist, and public apologies were given on the release notes page for having modified Adblock Plus' behavior without asking users' consent in advance.[14] On May 4, 2009, in a long blog post, NoScript's author Giorgio Maone personally apologized for the initial obscure approach, recognizing it had been a breach of trust and declaring his contrition. He also explained that the Adblock Plus whitelist deployed by NoScript was intended as a countermeasure against unusually aggressive EasyList entries specifically targeting Maone's websites, which broke almost all the dynamic functionality and even the links to install the NoScript software package itself.[15]
NoScript website and Ghostery
On Friday, May 1, 2009[16] and again on Sunday, May 3, 2009,[17] in the wake of discussions about NoScript's interaction with Adblock Plus, it was pointed out in the NoScript support forum that a stylesheet rule on the NoScript website hid the notifications of Ghostery, a Firefox extension that informs users about web bugs. Ghostery would otherwise inform users about the use of Google AdSense on Maone's website. Maone in response claimed that his stylesheet was only styling the web site content itself, that Ghostery's way of displaying notifications was technically inadequate and that the notifications looked bad and obstructed his website's content without real purpose.[18] In later statements he specifically criticized the obstruction of a donation button and license terms[19][20] and stated that his stylesheet did not prevent Ghostery from working.[21]
Critics responded that Maone's stylesheet file contained information purposefully targeted at Ghostery. It was pointed out that Ghostery's notification in its original state did not obstruct Maone's donation button and vanished after a few seconds. Users underlined that Maone's stylesheet rule kept Ghostery from providing information about a web bug and criticized Maone for his information policy in general. Maone's assertions that Ghostery's way of displaying information was unfavorable and susceptible to manipulation met with agreement.[22][23]
The issue spread to third-party websites,[24][25] some of which falsely claimed that the NoScript extension rather than Maone's website interfered with the Ghostery add-on. Among the websites fueling speculation was the blog of David Cancel, author of Ghostery, who later corrected his earlier presumptions.[26]
On May 6, 2009, after actively discussing the matter with online users, Maone announced that he had changed his opinion on the subject and in consequence modified the stylesheet of his website.[20] The Ghostery notification box is no longer kept hidden but moved slightly towards the center of the page, in order to not obstruct donation buttons or license information. Whether Ghostery's approach to displaying information will be revised is unknown.
References
1. NoScript What is it? NoScript.net, Accessed April 22, 2008
2. NoScript Features-Usable security NoScript.net, Accessed April 22, 2008
3. NoScript Features-Site matching NoScript.net, Accessed April 22, 2008
4. NoScript Features-Untrusted blacklist NoScript.net, Accessed April 22, 2008
5. NoScript's first Anti-XSS release Mozilla Add-ons
6. NoScript Features-Anti-XSS protection NoScript.net, Accessed April 22, 2008
7. PC World Award pcworld.com, Accessed April 22, 2008
8. Peter Smith. "Top 10 Firefox extensions to avoid". Computerworld. International Data Group. http://www.computerworld.com.au/index.php/id;862072090. Retrieved 2 May 2009.
9. Giorgio Maone. "Q: What websites are in the default whitelist and why?". The official NoScript FAQ. InformAction. http://noscript.net/faq#qa1_5. Retrieved 17 May 2009.
10. Palant, Wladimir (2009-05-01). "Attention NoScript users". Adblock Plus and (a little) more. Cologne, Germany: Wladimir Palant. http://adblockplus.org/blog/attention-noscript-users. Retrieved 2009-05-02.
11. "mrd.js". http://noscript.net/downloads/mrd.js.html.
12. "No Surprises". 2009-05-01. http://blog.mozilla.com/addons/2009/05/01/no-surprises/.
13. "NoScript FAQ 3.21: Why can I see ads on this site even if I've got AdBlock Plus + EasyList?". 2009-04-30. http://noscript.net/faq#qa3_21.
14. "NoScript 1.9.2.6 release notes page". 2009-05-02. http://noscript.net/?ver=1.9.2.6.
15. Maone, Giorgio (2009-05-04). "Dear Adblock Plus and NoScript Users, Dear Mozilla Community". Hackademix.net. http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/.
16. NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3133, Guest (2009-05-01)
17. NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3610, Curious Inquiry (2009-05-03)
18. NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3133, Giorgio Maone (2009-05-01)
19. NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04)
20. NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06)
21. Ghostery News "Attention all NoScript users", comment by Giorgio Maone, (2009-05-05)
22. NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3929, Another guest (2009-05-04)
23. NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3929, Another guest (2009-05-06)
24. Twitter tweet by Mark Pilgrim (diveintomark) (2009-05-03)
25. yardley.ca "When blockers block the blockers", Greg Yardley (2009-05-04)
26. Ghostery News "Attention all NoScript users", David Cancel (2009-05-03)
This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors.





