NoScript
Template:For Template:Infobox software NoScript (or NoScript Security Suite) is a free and open-source extension for Mozilla Firefox, SeaMonkey, and other Mozilla-based web browsers, created and actively maintained by Giorgio Maone,<ref name="noscript-developer">Template:Cite web</ref> an Italian software developer and member of the Mozilla Security Group.<ref name="mozilla-sec-group">Template:Cite web</ref> NoScript allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins only if the site hosting is considered trusted by its user and has been previously added to a whitelist. NoScript also offers specific countermeasures against security exploits.<ref name="about.com">Template:Cite web</ref>
Features
Security and usage
NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that malicious websites can use these technologies in harmful ways. Users can allow active content to execute on trusted websites, by giving explicit permission, on a temporary or a more permanent basis. If "Temporarily allow" is selected, then scripts are enabled for that site until the browser session is closed.
Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content, as well, helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat, and so on. NoScript will replace these blocked elements with a placeholder icon. Clicking on this icon enables the element.<ref name="cert">Template:Cite web</ref>
NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1<ref>Template:Cite web</ref>) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.
NoScript also may provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding, with specific countermeasures that work independently from script blocking.<ref name="al_9x">Template:Cite web</ref>
Site matching and whitelisting
Scripts (and other blockable elements) are allowed or blocked based on the source from where the script is fetched. Very often, this source is not identical to the URL displayed in the address field of the web page (main page). This is because many web pages fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify blocking policy for the main address and each of the sources separately.
No scripts are executed if the address of the main page is untrusted. Once any source is marked as trusted, NoScript will regard it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.
The possibility to allow scripts coming from a certain source only for specific main page locations has been requested frequently, but is not yet easy to configure. It may be achieved by configuring the built-in ABE module to fine-tune cross-site resource access.<ref>Can I use ABE to fine-tune NoScript's permissions? NoScript.net. Retrieved November 27, 2010.</ref>
For each source, the exact address, exact domain, or parent domain may be specified. By enabling a domain (e.g. mozilla.org), all its subdomains are implicitly enabled (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. HTTP and https). By enabling an address (protocol://host, e.g. https://www.mozilla.org), its subdirectories are enabled (e.g. https://www.mozilla.org/firefox and https://www.mozilla.org/thunderbird), but not its domain ancestors nor its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.<ref>NoScript Features-Site matching NoScript.net. Retrieved April 22, 2008.</ref>
Untrusted blacklist
Sites can also be blacklisted with NoScript.<ref>NoScript Features-Untrusted blacklist NoScript.net. Retrieved April 22, 2008.</ref> This, coupled with the "Allow Scripts Globally" option, lets users who deem NoScript's "Default Deny" policy too restrictive, to turn it into a "Default Allow" policy.<ref name=techrepublic_interview>Template:Cite web</ref> Even if the security level is lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding.<ref name="al_9x"/>
Anti-XSS protection
On April 11, 2007, NoScript 1.1.4.7 was publicly released,<ref>NoScript's first Anti-XSS release Mozilla Add-ons</ref> introducing the first client-side protection against Type 0 and Type 1 Cross-site scripting (XSS) ever delivered in a web browser. Whenever a website tries to inject HTML or JavaScript code inside a different site, NoScript filters the malicious request, neutralizing its dangerous load.<ref>NoScript Features-Anti-XSS protection NoScript.net. Retrieved April 22, 2008.</ref> Similar features have been adopted years later by Microsoft Internet Explorer 8<ref>Template:Cite web</ref> and by Google Chrome.<ref>Template:Cite web</ref>
Application Boundaries Enforcer (ABE)
The Application Boundaries Enforcer (ABE) is a NoScript module meant to harden the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either directly by the user, or by the web developer/administrator, or by a trusted third party.<ref>Template:Cite web</ref> In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers or sensitive web applications.<ref>Template:Cite web</ref>
ClearClick (anti-clickjacking)
NoScript's ClearClick feature,<ref>https://noscript.net/faq#clearclick</ref> released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based).<ref>Template:Cite web</ref> This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.<ref name="Zalewski">Template:Cite web</ref>
HTTPS enhancements
NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites which don't support Strict Transport Security yet.<ref>NoScript FAQ: HTTPS NoScript.net. Retrieved August 2, 2010.</ref> NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.<ref>HTTPS Everywhere</ref>
Unintended benefits
NoScript provides some unintended benefits. Since ads tend to be rich graphics served via JavaScript, use of NoScript (which blocks the JavaScript) can reduce bandwidth consumption by approximately 42%.<ref>Template:Cite web</ref> As some web tracking services depend on JavaScript, and as JavaScript exposes browser and operating system configuration details, NoScript can increase privacy and anonymity as seen via the EFF's Panopticlick tool.<ref>Template:Cite web</ref> NoScript also can be used by web developers as a convenient way to test how well sites work without JavaScript, particularly since modern versions of Firefox have removed JavaScript controls from the regular configuration pane.<ref>Mozilla issue tracker, item 873709</ref>
Awards
- PC World chose NoScript as one of the 100 Best Products of 2006.<ref>PC World Award pcworld.com. Retrieved April 22, 2008.</ref>
- In 2008, NoScript won About.com's "Best Security Add-On" editorial award.<ref>About.com 2008 Best Security Add-On Award about.com. Retrieved August 2, 2010.</ref>
- In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.<ref>Best Privacy/Security Add-On 2010 about.com. Retrieved August 2, 2010.</ref>
- In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.<ref>Best Privacy/Security Add-On 2011 about.com. Retrieved March 20, 2011.</ref>
- NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.<ref>Security Innovation Grant Winner Announcement Dragon Research Group. Retrieved July 17, 2011.</ref>
Criticism
NoScript's default behavior is to block all scripts that are not whitelisted. This may prevent a large number of sites from automatically working due to their reliance on JavaScript technologies such as Ajax. Users may find this behavior overkill, unnecessary, or tedious despite the additional security.<ref>Template:Cite web</ref>
NoScript's standard installation state contains a number of whitelistings that comprise some of the most commonly denounced tracking and data aggregation entities on the web. Some portions of NoScript also contain settings usually hidden from the user's eye or made difficult to remove which list numerous advertising entities, including Maone's own, in a way that can allow activities the user has not willfully consented to.
Controversies
Conflict with AdBlock Plus
In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension AdBlock Plus after Maone released a version of NoScript that circumvented a block enabled by an AdBlock Plus filter.<ref name=register_extension_wars>Template:Cite web</ref><ref name=ajaxian_extension_wars>Template:Cite web</ref> The code implementing this workaround was "camouflaged"<ref name="register_extension_wars" /> to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism, and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications,<ref>Template:Cite web</ref> Maone removed the code and issued a full apology.<ref name="register_extension_wars" /><ref>Dear Adblock Plus and NoScript Users, Dear Mozilla Community</ref>
Conflict with Ghostery
Also in May 2009, shortly after the AdBlock Plus incident,<ref name=purplebox>Attention all NoScript users</ref> a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software.<ref>yardley.ca "When blockers block the blockers", Greg Yardley (2009-05-04)</ref> This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites".<ref name=purplebox /> In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site.<ref>NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04)</ref>
The conflict was resolved when Maone changed his site's CSS to move—rather than disable—the Ghostery notification.<ref name="comment3935">NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06)</ref>
See also
References
| references-column-width
| references-column-count references-column-count-{{#if:1|30em}} }}
| {{#if:
| references-column-width }} }}" style="{{#if: 30em
| {{#iferror: {{#ifexpr: 30em > 1 }}
| Template:Column-width
| Template:Column-count }}
| {{#if:
| Template:Column-width }} }} list-style-type: {{#switch:
| upper-alpha
| upper-roman
| lower-alpha
| lower-greek
| lower-roman = {{{group}}}
| #default = decimal}};">
<references group=""></references>External links
- Template:Official website
- NoScript at addons.mozilla.org
- NoScript presentation in How to Bypass Internet Censorship, a FLOSS Manual, 10 March 2011, 240 pp.
