NoScript
NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, and other Mozilla-based web browsers, created and actively maintained by Giorgio Maone, an Italian software developer and member of the Mozilla Security Group. NoScript allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins to run only if the site hosting it is considered trusted by its user and has been previously added to a whitelist. NoScript also offers specific countermeasures against security exploits.

Security and usage

NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that malicious web sites can use these technologies in harmful ways. Users can allow active content to execute on trusted web sites, by giving explicit permission, on a temporary or a more permanent basis. If "Temporarily allow" is selected, then scripts are enabled for that site until the browser session is closed.

Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content as well helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat and so on. NoScript will replace these blocked elements with a placeholder icon. Clicking on this icon enables the element.

NoScript takes the form of a toolbar icon or status bar icon in Firefox. The icon is displayed on every website to indicate whether NoScript has blocked or allowed scripts to run on the web page being viewed. Clicking (or, since version 2.0.3rc1, hovering the mouse cursor over) the NoScript icon gives the user the option to allow or forbid script execution.

NoScript may also provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks and DNS rebinding, with specific countermeasures which work independently from script blocking.

Site matching and whitelisting

Scripts (and other blockable elements) are allowed or blocked based on the source from where the script is fetched. Very often, this source is not identical to the URL displayed in the address field of the web page (main page). This is because many web pages fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify blocking policy for the main address and each of the sources separately.

No scripts are executed if the address of the main page is untrusted. Once any source is marked as trusted, NoScript will regard it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.

Allowing scripts from a given source only when embedded in specific main pages has been frequently requested but is not yet easy to configure. It may be achieved by configuring the built-in ABE module to fine-tune cross-site resource access.

For each source, the exact address, exact domain, or parent domain can be specified. By enabling a domain (e.g. mozilla.org), all its subdomains are implicitly enabled (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. http and https). By enabling an address (protocol://host, e.g. http://www.mozilla.org), its subdirectories are enabled (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but neither its domain ancestors nor its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.
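The matching rules above, together with the page-level rule that nothing runs when the main page itself is untrusted, as an added example (not NoScript's own code). A bare domain entry covers the domain and every subdomain under any protocol; an address entry covers that exact protocol and host, and its subdirectories, but not parent domains or sibling hosts. As a generalization, an entry that includes a path is treated as covering that path and everything under it.

```javascript
// Added example (not NoScript's own code): a model of the site-matching rules.
// Whitelist entries are either bare domains ("mozilla.org") or addresses
// ("http://www.mozilla.org", optionally with a path).

// True if `host` is `domain` itself or any subdomain of it.
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// True if `url` falls under an address entry such as "http://www.mozilla.org"
// or "http://www.mozilla.org/firefox/".
function urlMatchesAddress(url, entry) {
  let target, allowed;
  try {
    target = new URL(url);
    allowed = new URL(entry);
  } catch (e) {
    return false; // unparsable input never matches anything
  }
  if (target.protocol !== allowed.protocol) return false; // http vs https
  if (target.host !== allowed.host) return false;         // host incl. port
  // A bare "protocol://host" entry parses with pathname "/", covering all paths.
  const dir = allowed.pathname.endsWith("/") ? allowed.pathname : allowed.pathname + "/";
  return target.pathname === allowed.pathname || target.pathname.startsWith(dir);
}

// True if some whitelist entry trusts `sourceUrl`; entries containing "://"
// are address entries, anything else is a domain entry.
function isTrusted(sourceUrl, whitelist) {
  let host;
  try {
    host = new URL(sourceUrl).hostname;
  } catch (e) {
    return false;
  }
  return whitelist.some(entry =>
    entry.includes("://") ? urlMatchesAddress(sourceUrl, entry)
                          : hostMatchesDomain(host, entry));
}

// Page-level rule: if the main page itself is untrusted nothing runs;
// otherwise each script source is judged on its own.
function allowedSources(mainUrl, sourceUrls, whitelist) {
  if (!isTrusted(mainUrl, whitelist)) return [];
  return sourceUrls.filter(src => isTrusted(src, whitelist));
}
```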

Untrusted blacklist

Sites can also be blacklisted with NoScript. This, coupled with the "Allow Scripts Globally" option, lets users who deem NoScript's "Default Deny" policy too restrictive turn it into a "Default Allow" policy. Even if the security level is lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks and DNS rebinding.

Anti-XSS protection

On April 11, 2007, NoScript 1.1.4.7 was publicly released, introducing the first client-side protection against Type 0 and Type 1 Cross-site scripting (XSS) ever delivered in a web browser. Whenever a web site tries to inject HTML or JavaScript code inside a different site, NoScript filters the malicious request, neutralizing its dangerous load. Similar features were adopted years later by Microsoft Internet Explorer 8 and by Google Chrome.

Application Boundaries Enforcer (ABE)

The Application Boundaries Enforcer (ABE) is a NoScript module meant to harden the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either by the user himself, or by the web developer/administrator, or by a trusted third party. In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers or sensitive web applications.
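A simplified in-browser "firewall" check in the spirit of the default intranet protection described above, as an added example that is not NoScript's own ABE code: requests to LAN or loopback ("LOCAL") resources are accepted only when the requesting page is itself LOCAL. The function names are illustrative, and the resolved IP addresses are passed in explicitly (in a browser they would come from the resolver).

```javascript
// Added example, not NoScript's ABE code: evaluate whether a request from one
// origin to a destination crosses the boundary between the Internet and the
// local network. IP addresses are constructed samples supplied by the caller.

// Parses dotted-quad IPv4 text into an unsigned 32-bit number, or null if malformed.
function parseIPv4(text) {
  const parts = String(text).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n >>> 0;
}

// True for loopback, the RFC 1918 private ranges and IPv4 link-local.
function isLocalIPv4(text) {
  const n = parseIPv4(text);
  if (n === null) return false;
  const inRange = (base, bits) =>
    (n >>> (32 - bits)) === (parseIPv4(base) >>> (32 - bits));
  return inRange("127.0.0.0", 8) || inRange("10.0.0.0", 8) ||
         inRange("172.16.0.0", 12) || inRange("192.168.0.0", 16) ||
         inRange("169.254.0.0", 16);
}

// A host is LOCAL if it names loopback or resolved to a local address.
// Checking the resolved address rather than the hostname is what catches DNS
// rebinding, where a public hostname is re-pointed at an intranet address
// after the page has loaded.
function isLocal(host, ip) {
  return host === "localhost" || ip === "::1" || isLocalIPv4(ip);
}

// Evaluates one request. `req` carries the page's origin host and the address
// it was loaded from, plus the destination host and its current resolution.
// Returns the verdict and a reason suitable for a log line.
function evaluateRequest(req) {
  if (!isLocal(req.destHost, req.destIp)) {
    return { verdict: "ACCEPT", reason: "destination is not LOCAL" };
  }
  if (isLocal(req.originHost, req.originIp)) {
    return { verdict: "ACCEPT", reason: "LOCAL origin to LOCAL destination" };
  }
  return {
    verdict: "DENY",
    reason: "Internet origin " + req.originHost + " (" + req.originIp +
            ") tried to reach LOCAL resource " + req.destHost + " (" + req.destIp + ")"
  };
}
```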

ClearClick (anti-clickjacking)

NoScript's ClearClick feature, released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based). This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.

HTTPS enhancements

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those web sites which don't support Strict Transport Security yet. NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.
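The two HTTPS-forcing mechanisms just described, as an added example that is not NoScript's own code: a site opts in by sending the Strict-Transport-Security header (RFC 6797: `max-age=<seconds>`, optionally `includeSubDomains`), and the user pins further hosts that do not send it. The class and method names here are illustrative assumptions.

```javascript
// Added example, not NoScript's code: an HSTS policy store plus a user-pinned
// host list, and the URL upgrade decision they drive.

// Parses a header value; returns {maxAge, includeSubDomains}, or null when the
// mandatory max-age directive is missing or malformed. Unknown directives are
// ignored, as the RFC requires.
function parseHsts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const raw of value.split(";")) {
    const eq = raw.indexOf("=");
    const name = (eq < 0 ? raw : raw.slice(0, eq)).trim().toLowerCase();
    const val = eq < 0 ? null : raw.slice(eq + 1).trim().replace(/^"|"$/g, "");
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === "includesubdomains") {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor(userForcedHosts = []) {
    this.entries = new Map(); // host -> { expires (ms), subdomains }
    this.userForced = new Set(userForcedHosts.map(h => h.toLowerCase()));
  }

  // Records a policy from a response. The header is only honoured when it
  // arrived over HTTPS (otherwise a network attacker could plant or clear
  // policies); max-age=0 removes a stored policy. Returns true if acted on.
  learnFromResponse(responseUrl, headerValue, nowMs) {
    const url = new URL(responseUrl);
    if (url.protocol !== "https:") return false;
    const policy = parseHsts(headerValue);
    if (policy === null) return false;
    const host = url.hostname.toLowerCase();
    if (policy.maxAge === 0) { this.entries.delete(host); return true; }
    this.entries.set(host, { expires: nowMs + policy.maxAge * 1000,
                             subdomains: policy.includeSubDomains });
    return true;
  }

  // True if `host` must be reached over HTTPS at time `nowMs`: either pinned
  // by the user (exact host) or covered by an unexpired policy of the host
  // itself or of a parent domain that set includeSubDomains.
  mustUseHttps(host, nowMs) {
    host = host.toLowerCase();
    if (this.userForced.has(host)) return true;
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join("."));
      if (e && e.expires > nowMs && (i === 0 || e.subdomains)) return true;
    }
    return false;
  }

  // Rewrites an http:// URL to https:// when a policy applies; anything else
  // is returned unchanged.
  upgrade(urlText, nowMs) {
    const url = new URL(urlText);
    if (url.protocol !== "http:" || !this.mustUseHttps(url.hostname, nowMs)) return urlText;
    url.protocol = "https:";
    return url.href;
  }
}
```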

Awards

  • PC World chose NoScript as one of the 100 Best Products of 2006.
  • In 2008, NoScript won About.com's "Best Security Add-On" editorial award.
  • In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.
  • In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.
  • NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.

Blocking in general

NoScript's default behavior is to block all scripts that are not whitelisted. This may prevent a large number of sites from working automatically, because they rely on JavaScript technologies such as Ajax. Inexperienced users may find this behavior overkill, unnecessary, or tedious despite the additional security. However, NoScript also supports an optional blacklist mode: users can choose to enable scripts globally and disable them on selected sites which they do not trust. Even in this configuration, NoScript keeps providing a significant security enhancement because anti-XSS, anti-CSRF, anti-clickjacking and other protection features remain active. NoScript can emulate, and therefore restore, frame breaking (framekiller) scripts on a page when JavaScript is otherwise disabled.

NoScript exceptions

The default NoScript whitelist contained some of the sites of the extension's developer, some domains of Google (including the one necessary to display Google AdSense advertisements), Yahoo!, and Microsoft, whose Ajax webmail services may be the only way of using e-mail familiar to some users, who could otherwise unintentionally lock themselves out by installing NoScript. The whitelist can be edited in the Options dialog, as explained at the extension's official site.

AdBlock Plus

On May 1, 2009, Wladimir Palant, author of Adblock Plus, a well-known Firefox extension, announced that one week earlier, NoScript version 1.9.2 had started interfering with the functionality of Adblock Plus. It allowed NoScript's sponsor's sites to be interpreted and displayed without the consent of Adblock Plus or the user. Palant said that NoScript had been using obfuscated code to avoid detection of this modification through the use of Unicode hexadecimal encoding. Almost immediately, Mozilla Add-ons decided to change its guidelines regarding add-on modifications. The April 30 version 1.9.2.3 update to NoScript, though, had already replaced the allegedly obfuscated code with a user-visible and documented Adblock Plus filterset whitelisting NoScript's sites. Wladimir Palant pointed out that this filterset kept being re-added on each startup even though it was deleted by the user, but this was likely just an unintentional bug, since the whitelist could still be disabled permanently and/or overridden by the user's own blocking filters as explained in NoScript's FAQ. Some hours later, on May 2, 2009, a further automatic NoScript update (version 1.9.2.6) completely removed the Adblock Plus whitelist, and public apologies were given on the release notes page for having modified Adblock Plus' behavior without asking users' consent in advance. On May 4, 2009, in a long blog post, NoScript's author personally apologized for the initial obscure approach, recognizing it had been a breach of trust and declaring his contrition. He also explained that the Adblock Plus whitelist deployed by NoScript was intended as a countermeasure against unusually aggressive EasyList entries specifically targeting Maone's websites, which broke almost all the dynamic functionality and even the links to install the NoScript software package itself.

NoScript website and Ghostery

On Friday, May 1, 2009, and again on Sunday, May 3, 2009, in the wake of discussions about NoScript's interaction with AdBlock Plus, it was pointed out in the NoScript support forum that a stylesheet rule on the NoScript website kept the notifications of Ghostery, a Firefox extension that informs users about web bugs, hidden. Ghostery would otherwise inform users about the use of Google AdSense on NoScript's website. Maone in response explained that his stylesheet was only styling the web site content itself, that Ghostery's way of displaying notifications was technically inadequate, because its information could be spoofed by any web site, and that the notifications obstructed websites' content without real purpose, since they could be easily and more safely displayed in the browser chrome. In later statements, he specifically criticized the obstruction of a donation button and license terms and stated that his stylesheet did not prevent Ghostery from working, since the same information was available via the browser's status bar icon.

Critics responded that the stylesheet file contained information purposefully targeted at Ghostery. It was pointed out that Ghostery's notification in its original state did not obstruct Maone's donation button and vanished after a few seconds. Users underlined that Maone's stylesheet rule kept Ghostery from providing information about a web bug and criticized Maone for his information policy in general. Maone's assertions that Ghostery's way of displaying information was unfavorable and susceptible to manipulation met agreement.

The issue spread to third-party websites, some of which falsely claimed that the NoScript extension rather than its website interfered with the Ghostery add-on. Among the websites fueling speculations was the blog of David Cancel, author of Ghostery, who later corrected his earlier presumptions.

On May 6, 2009, after actively discussing the matter with online users, Maone announced that he had changed his opinion on the subject and in consequence modified the stylesheet of his website. The Ghostery notification box is no longer kept hidden but moved slightly towards the center of the page, in order to not obstruct donation buttons or license information.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.