NoScript is a privacy and internet security extension that is available for Firefox, Seamonkey and other Mozilla-based browsers - as well as Chrome. It is an extension that is considered a must-have by many privacy advocates. In this guide, we show you how it works and how to use NoScript.
NoScript works by blocking unnecessary and unwanted scripts on the pages that you visit. This can stop you from falling victim to exploits that leverage JavaScript and other potentially nefarious scripts. The types of things that you can block with NoScript includes ads, malicious scripts, and annoying pop-ups.
We think NoScript is an excellent extension that is well worth taking advantage of. However, it does have a reputation for being a little trickier to use than many other privacy extensions. With that in mind, we have made this guide to help you get started with NoScript.
How NoScript works
When you surf the web, websites load scripts to provide the visuals and functions associated with their pages. Depending on the nature of those scripts, some of them may install onto your browser client-side.
Some scripts load directly from the pages that you visit, others come from third-party sites that are affiliated with the pages that you visit. Other scripts can be completely unwanted - such as malicious scripts that have been embedded into compromised websites by hackers.
NoScript is a free and open-source extension that stops JavaScript, Java, Flash, and other plugins from being executed by anything but trusted websites. The decision on which websites to trust is made by you, meaning that you have full control over which scripts load.
NoScript also provides cross-site scripting (XSS) protection from inside your browser. These are common vulnerabilities caused by improper website implementation and developer errors, which result in hackers being able to inject malicious code from one site to another. Hackers use these vulnerabilities to steal your credentials and impersonate you on victimized sites.
In addition, NoScript provides anti-Clickjacking protection called ClearClick. This ensures that you never click on any obscured or displaced on-screen items - that have been purposely designed to trick you by hackers.
How to use NoScript
The first thing you need to do is download the NoScript extension into your Firefox or Chrome browser. Once it has downloaded and installed, you are ready to start using it. Although the permissions for NoScript may seem a bit full-on, it is worth bearing in mind that NoScript does need to be able to read your data and data on the websites you visit in order to perform its job.
With NoScript installed you are ready to begin using it. The first thing you need to do is head over to a website that you commonly use. We visited CNN for the sake of making this guide, and, as expected, the page did not load properly because of the scripts that were blocked.
By default, NoScript tends to block all scripts. This means that websites may initially seem to be broken. If a website doesn’t load everything you require - and does not function as you would expect - then it is going to be necessary to unblock the particular scripts that are required to enjoy the page and its contents.
In this guide, we will walk you through unblocking the necessary contents to get CNN working. However, these steps are the same for any website that you visit. Start by clicking on the NoScript icon in your extensions toolbar to see which scripts are being blocked by the extension.
To make, CNN work, we are going to need to alter the setting for cnn.com from untrusted to trusted. This is achieved by clicking on the blue S to the left of the URL that you are interested in.
Once you have set the website you are visiting to Trusted, you can click the green refresh button to reload the website. The website should now load without issues - because the necessary scripts are available.
As you can see in the screenshot above, we left postrelease.com and sharethrough.com blocked by NoScript, because these are not essential services (they are third-party trackers). With the page refreshed, we were able to begin using the CNN website without issues. The same will be true for any other website you visit.
After the page loads properly with the unwanted tracking scripts still blocked in the extension, extra scripts will begin to appear. For us, these only loaded when we disable blocking on CNN (which is why NoScript is now blocking these separately now). These scripts can be left blocked as they are not necessary for enjoying CNN, and the same is true for any unnecessary scripts that may appear on the websites that you use.
In the image above, you can see that the only script we are currently permitting to load is CNN.com, which is showing with a green lock next to the URL. This green lock demonstrates that this script is unlocked.
Now that the CNN website is loading correctly, we visit one of the articles to see if any other scripts might be needed. The article that we visited was supposed to include a video, but it was not loading. A quick glance at NoScript revealed that the extension had blocked another CNN script, this time coming from a server at the URL: CNN.io.
CNN.io is the only CNN address appearing on our list, making it obvious that this is the script that requires our attention. To fix the issue, we went ahead and set this address to Trusted, allowing the video to load on the page.
With both CNN scripts now set to Trusted, our job setting up this website is done. Every time we visit this page from now on, the extension will behave as wanted and only block unnecessary scripts that are not needed for the site to function.
Unfortunately, full control comes at the expense of convenience, meaning you will have to repeat this process for every single website that encounters loading issues when you visit. The bright side is that it only needs to be done once per website and the advantages are massive - allowing you to visit websites without loading unwanted trackers, and potentially harmful scripts that allow cybercriminals to hack you.
Admittedly, the amount of scripts that load on a page may make it confusing from time to time, prompting you to have to use trial and error when seeking out a script that you want to block. Thankfully, NoScript has other features that can protect your privacy as you do.
Other important settings
Although setting scripts to Trusted or Untrusted is the primary method of using the NoScript extension, it is worth understanding some more of its features to better protect yourself.
If you are unsure what you need to unblock, you can opt to trust them temporarily with a Temp.Trusted tag and refresh the page to test them. This ensures that if you set something to trusted and forget about it, it will not affect your privacy and security on a permanent basis.
On the UK news website Express.co.uk, we found that videos would not load with only the express.co.uk URL set to Trusted. A quick glance at the list made it very difficult to see which of the scripts was needed to make the video available.
As is always the case when using NoScript, we had to test each script one by one to discover which script we required. In the image above you can see that we set a script coming from the URL brightcove.com to Temp.Trusted.
The temporarily trusted setting is extremely useful because it lets you use trial and error without making any permanent decisions. When you restart your browser, NoScript will automatically revert any Temp.Trusted scripts to default blocked.
When we refreshed the page with the brightcove.com script enabled - the video loaded. For this reason, we went ahead and changed it from Temp.Trusted to Trusted. This ensures that this script will be trusted next time we visit the site.
Some scripts are whitelisted by NoScript and will automatically be set to Trusted for various reasons. gstatic.com is an example in our case, being a font loading script that is a known requirement for websites to work. You can trust these scripts and don't need to do anything with them, however, the rest can remain Default or Untrusted.
Global settings
In addition to the trust settings situated to the left of each individual script, NoScript provides global settings in the top right. These can be used to set all the scripts on a website to Trusted, Untrusted, or to Temp.Trusted.
Using the global setting is a quick and easy way to make a website work if NoScript is breaking it when you need access. However, it is worth noting that making all the scripts on a page permanently Trusted means that NoScript is not providing you with any benefits when you visit that page.
For this reason, we generally recommend taking the time to only trust individual scripts. If you do opt to use global settings, it is better to trust the page temporarily, so that it resets back to default block next time you visit the website. That way, if you have time in the future, you can set up the website properly by only trusting scripts that are essential to running the page.
Another interesting setting is the Disable restrictions for this tab. This allows you to disable NoScript so that you can access all the features on a webpage, but only within the tab that you are using. Similarly to the Temp.Trust feature, this ensures that the next time you visit the webpage, NoScript will go back to default blocking all scripts.
Custom settings
For advanced users, there is the option to use NoScript to unblock specific individual elements on the domains they visit. This allows users to unblock individual scripts rather than the entire domain. Custom unblock allows users to unblock elements that are split into eight different categories: script, object, media, frame, font, webgl, fetch, and other. You can see these options in the image below.
In our example, all the possible options are currently set to allow, because CNN.com is a domain that we have previously set to trusted.
Generally, most users will not want to use this advanced feature. However, anybody who has a deeper understanding of what is being loaded on the web pages they visit can use this feature to customize NoScript even further.
For anybody who wants to use the custom feature to learn how to block individual web page elements - custom can be used on a temporary basis. This means that NoScript will revert back to default when you restart your browser. This will allow you to test custom settings without concern that they will be permanent.
NoScript Options
Finally, it is possible to set up certain NoScript features by clicking on the options icon.
Clicking this button will open a webpage that allows you to further customize the extension. These options are broken down into four categories; General, Per-site Permissions, Appearance, and Advanced. Most of those settings are self-explanatory, however, there are some options that are worth taking a closer look at.
Clicking on General can allow you to Temporarily set top-level sites to TRUSTED. This is an easy way to make all top-level domains function as normal, acting as a quick and easy way to set up NoScript so that it will still protect you against malicious scripts on random sites you might stumble across - without breaking the majority of websites that you like to use.
Clicking on Per-site Permissions allows you to check which websites have already been set to Trusted, including domains preset by NoScript, such as YouTube.
Conclusion
NoScript is an excellent script blocking extensions that can give you a lot more privacy and security online. Anybody who is worried about falling victim to scam adverts, pop-ups, malicious websites, and dangerous malware including drive-by downloads, is strongly recommended to start making use of NoScript on either Firefox or Chrome.
While setting up NoScript does require some effort during the first time you visit a webpage, there is no doubt that NoScript can provide high levels of privacy and security. For this reason, we recommend taking the time to read this guide so that you can confidently use NoScript to unblock website scripts as and when you need them, while still blocking everything else that you do not need.