New Update Firefox "NoScript" Extension - What are people's thoughts?

Status
Not open for further replies.

jetman

I have started using an extension called "No Script" for Firefox and so far I am impressed. It blocks JavaScript from running on webpages, but you can get it to selectively ignore sites or individual scripts by trusting them or temporarily trusting them. It's very revealing to see how many sites run scripts aimed at advertising or tracking. You wouldn't see this otherwise.

Do other users have thoughts on this extension? Is it a form of protection against certain forms of malware or tracking activities?

I'd be interested to hear what you think.
 

HarborFront

Ok, here's my take

NoScript website is here

NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? - InformAction

If you read through you can find that NoScript offers the following features

- Scripts protection
- XSS Type 0 (DOM based) & Type 1 (Reflective) attacks
- CSRF
- DNS rebinding attacks
- HTTPS cookie hijacking - 100% HTTPS at all times is the best way to prevent this type of session hijacking. You can also leave the session cookie unsecure to maintain the session, and have a second (HTTPS only) cookie to handle the authentication. It's a good way to separate the two concerns maintaining the session and authentication, even when using HTTPS all the time
- Application Boundaries Enforcer (ABE) - hardening the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser i.e. to protect web browser plugins from being exploited. It’s similar to the dynamic filtering panel in uBO, to set per-site rules.
- Clickjacking (aka UI redressing or IFRAME overlay) – protects against iFrame-based attacks and cursorjacking

Now, here are the current protections offered by FF Quantum (also for Chrome browser)

- CSRF/XSRF (cross-site request forgery). Disabling 3rd-party cookies helps in preventing CSRF
- Reflective XSS (cross-site scripting)
- Clickjacking (aka UI redressing)

Security/Features/XSS Filter - MozillaWiki

So, if you compare NoScript vs FF Quantum you can see that FF Quantum does have some features of NoScript. The main strength of NoScript is its very customizable blocking of scripts on a per-site basis. This you can also achieve using uBlock Origin (in medium mode)/uMatrix or any extension with script blocking capability, e.g. No-Script Suite Lite

There are many former users of the old version of NoScript who are not happy with the new webextension version of NoScript for some reasons and have migrated to using uBO (in medium mode)/uMatrix instead

In addition, script blocking through micro-managing per site basis takes a lot of time and effort. Can you imagine micro-managing 200 sites? Do you want to spend your time doing it or rather surfing the net?

The best I can think of in using NoScript is to use its other features (if possible) and disable the script-blocking feature, just like when using other extensions with script-blocking capability. I just turned this feature off.

Or you can choose not to use NoScript (except for DNS rebinding attacks) if you use

uBO(in medium mode)/uMatrix or any extension with script blocking capability + NetCraft extension which offers XSS protection + only surfing HTTPS sites + those protections mentioned above that come with FF Quantum
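
The cookie-hijacking point in the post above depends on which cookies carry the `Secure` attribute. The following is an added example, not part of the original post: a small audit of `Set-Cookie` headers, run on constructed sample headers that mirror the two-cookie setup the post describes (function names and cookie values are assumptions).

```javascript
// Added example: audit Set-Cookie headers for the attributes relevant to
// cookie hijacking over HTTP (Secure) and cross-site sending (SameSite).
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    secure: false,
    httpOnly: false,
    sameSite: null, // null = attribute absent, the browser's default applies
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.secure) findings.push("sent over plain HTTP (no Secure)");
  if (!c.httpOnly) findings.push("readable by page scripts (no HttpOnly)");
  if (c.sameSite === null) findings.push("SameSite not set");
  else if (c.sameSite === "none") findings.push("sent cross-site (SameSite=None)");
  return { name: c.name, findings };
}

// Constructed sample: an unsecured session cookie plus an HTTPS-only auth cookie.
const SAMPLE_HEADERS = [
  "session=abc123; Path=/",
  "auth=def456; Path=/; Secure; HttpOnly; SameSite=Strict",
];

function auditAll(headers) {
  return headers.map(auditCookie);
}

console.log(JSON.stringify(auditAll(SAMPLE_HEADERS), null, 2));
```
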
 

Local Host

Most browsers have the option to block scripts (it will break website functionality). As for HTTPS Everywhere, not all websites support it and forcing it can cause more issues than not.
We also shouldn't compare uBlock to NoScript in any way: uBlock is default-allow, while NoScript is default-deny. uBlock functions like any other ad blocker (all of them can and do block scripts contained in their blacklist).
I'm not paranoid enough to fill my desktop with software and addons. Adguard pretty much covers all I need; in the worst-case scenario I'd rather use the built-in browser tools/options than rely on a third party.
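
The default-allow versus default-deny distinction in the post above, as an added example that is not part of the original post and is not either extension's actual implementation: a simplified policy model evaluated over a constructed list of script URLs (all hostnames, lists and function names are assumptions).

```javascript
// Added example: the same page's scripts evaluated under a blocklist
// (default-allow) and an allowlist (default-deny) policy.
function hostMatches(host, rule) {
  // Exact host or a true subdomain; "notshop.example" must not match "shop.example".
  return host === rule || host.endsWith("." + rule);
}

function decide(scriptUrl, policy) {
  const host = new URL(scriptUrl).hostname.toLowerCase();
  const listed = policy.list.some((rule) => hostMatches(host, rule));
  if (policy.mode === "default-deny") return listed ? "allow" : "block";
  return listed ? "block" : "allow"; // default-allow: only listed hosts are blocked
}

// Constructed policies and script URLs.
const allowlistPolicy = { mode: "default-deny", list: ["shop.example"] };
const blocklistPolicy = {
  mode: "default-allow",
  list: ["ads.example", "tracker.example"],
};

const PAGE_SCRIPTS = [
  "https://shop.example/app.js",
  "https://cdn.shop.example/vendor.js",
  "https://ads.example/banner.js",
  "https://new-tracker.example/t.js", // not on any list yet
  "https://notshop.example/x.js",     // look-alike of the trusted host
];

function evaluatePage(scripts, policy) {
  return Object.fromEntries(scripts.map((u) => [u, decide(u, policy)]));
}

console.log("default-deny :", evaluatePage(PAGE_SCRIPTS, allowlistPolicy));
console.log("default-allow:", evaluatePage(PAGE_SCRIPTS, blocklistPolicy));
```

The unlisted `new-tracker.example` script is the case that separates the two models: it runs under the blocklist until someone adds it, and is blocked under the allowlist until the user trusts it.
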
 

oldschool

I have started using an extension called "No Script" for Firefox and so far I am impressed. It blocks JavaScript from running on webpages, but you can get it to selectively ignore sites or individual scripts by trusting them or temporarily trusting them. It's very revealing to see how many sites run scripts aimed at advertising or tracking. You wouldn't see this otherwise.

Do other users have thoughts on this extension? Is it a form of protection against certain forms of malware or tracking activities?

I'd be interested to hear what you think.

You may want to check out this how-to video re: uBO (also pertains to Nano Adblocker, available in Chrome and Edge):




This will show you a simple way to use either of these as a virtual browser firewall, blocking all kinds of crap! Depending on the type of browsing you do, this may be all you need. Video is funny as well.

I haven't used NoScript in a long time. If I were to use a script blocking extension, I would use uBlock Origin. Configured correctly, it was easier to use than NoScript.

+1 on that. Used in Medium Mode it rocks! (y)
 

HarborFront

Most browsers have the option to block scripts (it will break website functionality). As for HTTPS Everywhere, not all websites support it and forcing it can cause more issues than not.
We also shouldn't compare uBlock to NoScript in any way: uBlock is default-allow, while NoScript is default-deny. uBlock functions like any other ad blocker (all of them can and do block scripts contained in their blacklist).
I'm not paranoid enough to fill my desktop with software and addons. Adguard pretty much covers all I need; in the worst-case scenario I'd rather use the built-in browser tools/options than rely on a third party.

Yes, you can use uBO strictly for blocking of ads/trackers/spam/domains/social etc. with filters, and you can also use it for the management of individual sites if used in medium/advanced mode, similar to uMatrix.

FYI, the latest beta version, 1.16.21b2, of uBO has a master switch which disables JS everywhere by default and enables it on a per-site basis. So, for blocking JS, it's default-deny, similar to NoScript

gorhill/uBlock

And most sites nowadays are HTTPS so there's no need for the HTTPS Everywhere extension. As long as you surf only HTTPS sites then you should be safe from HTTPS cookie hijacking
 

LDogg

HTTPS Everywhere I find redundant now, since most daily visited sites use HTTPS by default; as an example, the one you're on now is using it. I find ScriptSafe to be fairly easy to use and very good at blocking scripts/unwanted content; alongside Netcraft & uBlock Origin you can't go wrong.

~LDogg
 