NoScript

For the <noscript> HTML element, see HTML element#Other block elements.

NoScript

Developer(s)	Giorgio Maone
Stable release	2.1.8 / October 28, 2011; 10 days ago (2011-10-28)
Operating system	Microsoft Windows, GNU/Linux, and Mac OS X
Available in	45 Languages
Type	Mozilla extension
License	GPL
Website	noscript.net/

NoScript is a free and open-source extension for Mozilla Firefox, SeaMonkey, and other Mozilla-based web browsers, created and actively maintained by Giorgio Maone,^[1] an Italian software developer and member of the Mozilla Security Group.^[2] NoScript allows executable web content such as JavaScript, Java, Flash, Silverlight, and other plugins only if the site hosting it is considered trusted by its user and has been previously added to a whitelist. NoScript also offers specific countermeasures against security exploits.^[3]

Features

Security and usage

NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that malicious web sites can use these technologies in harmful ways. Users can allow active content to execute on trusted web sites, by giving explicit permission, on a temporary or a more permanent basis. If "Temporarily allow" is selected, then scripts are enabled for that site until the browser session is closed.

Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content as well helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat and so on. NoScript will replace these blocked elements with a placeholder icon. Clicking on this icon enables the element.^[4]

NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked or allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1^[5]) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.

NoScript may also provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks and DNS rebinding, with specific countermeasures which work independently from script blocking.^[6]

Site matching and whitelisting

Scripts (and other blockable elements) are allowed or blocked based on the source from where the script is fetched. Very often, this source is not identical to the URL displayed in the address field of the web page (main page). This is because many web pages fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify blocking policy for the main address and each of the sources separately.

No scripts are executed if the address of the main page is untrusted. Once any source is marked as trusted, NoScript will regard it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.

The possibility to allow scripts coming from a certain source only for specific main page locations has been frequently requested but is not yet easy to configure. It may be achieved by configuring the built-in ABE module to fine-tune cross-site resource access.^[7]

For each source, the exact address, exact domain, or parent domain can be specified. By enabling a domain (e.g. mozilla.org), all its subdomains are implicitly enabled (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. HTTP and https). By enabling an address (protocol://host, e.g. http://www.mozilla.org), its subdirectories are enabled (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but not its domain ancestors nor its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.^[8]

Untrusted blacklist

Sites can also be blacklisted with NoScript.^[9] This, coupled with the "Allow Scripts Globally" option, lets users who deem NoScript's "Default Deny" policy too restrictive, to turn it into a "Default Allow" policy. Even if the security level is lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks and DNS rebinding^[6].

Anti-XSS protection

On April 11, 2007, NoScript 1.1.4.7 was publicly released,^[10] introducing the first client-side protection against Type 0 and Type 1 Cross-site scripting (XSS) ever delivered in a web browser. Whenever a web site tries to inject HTML or JavaScript code inside a different site, NoScript filters the malicious request, neutralizing its dangerous load.^[11] Similar features have been adopted years later by Microsoft Internet Explorer 8^[12] and by Google Chrome.^[13]

Application Boundaries Enforcer (ABE)

The Application Boundaries Enforcer (ABE) is a NoScript module meant to harden the web application oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either by the user himself, or by the web developer/administrator, or by a trusted third party.^[14] In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers or sensitive web applications.^[15]

ClearClick (anti-clickjacking)

NoScript's ClearClick^[16] feature, released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based).^[17] This makes NoScript "the only freely available product which offers a reasonable degree of protection" against clickjacking attacks.^[18]

HTTPS enhancements

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those web sites which don't support Strict Transport Security yet.^[19] NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.^[20]

Awards

• PC World choose NoScript as one of the 100 Best Products of 2006.^[21]
• In 2008, NoScript won About.com's "Best Security Add-On" editorial award.^[22]
• In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.^[23]
• In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.^[24]
• NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.^[25]

Criticism

Blocking in general

NoScript's default behavior is to block all scripts that are not whitelisted. This may prevent a large number of sites from automatically working due to their reliance on JavaScript technologies such as Ajax. Inexperienced users may find this behavior overkill, unnecessary, or tedious despite the additional security.^[26] However, NoScript supports also an optional blacklist mode: users can choose to enable scripts globally and disable them on selected sites which they do not trust. Even in this configuration, NoScript keeps providing a significant security enhancement because anti-XSS, anti-CSRF, anti-clickjacking and other protection features remain active. NoScript can emulate, and therefore restore, frame breaking scripts on a page, when JavaScript is otherwise disabled.

NoScript exceptions

As of May 2009^[update], the default NoScript whitelist contained some of the sites of the extension's developer, some domains of Google (including the one necessary to display Google AdSense advertisement), Yahoo!, and Microsoft, whose Ajax webmail services may be the only way of using e-mail familiar to some users, who would otherwise be able to unintentionally lock themselves out by installing NoScript. The whitelist can be edited in the Options dialog, as explained at the extension’s official site.^[27]

AdBlock Plus

On May 1, 2009, Wladimir Palant, author of Adblock Plus, a well-known Firefox extension, announced that one week earlier, NoScript version 1.9.2 had started interfering with the functionality of Adblock Plus. It allowed NoScript's sponsor's sites to be interpreted and displayed without the consent of Adblock Plus or the user. Palant said that NoScript had been using obfuscated code to avoid detection of this modification through the use of Unicode hexadecimal encoding.^[28][29] Almost immediately, Mozilla Add-ons decided to change its guidelines regarding add-on modifications.^[30] The April 30 version 1.9.2.3 update to NoScript, though, had already replaced the allegedly obfuscated code with a user-visible and documented^[31] Adblock Plus filterset whitelisting NoScript's sites. Wladimir Palant pointed out that this filterset kept being re-added on each startup even though it was deleted by the user, but this was likely just an unintentional bug, since the whitelist could still be disabled permanently and/or overridden by the user's own blocking filters as explained in NoScript's FAQ.^[31] Some hours later, on May 2, 2009, a further automatic NoScript update (version 1.9.2.6) completely removed the Adblock Plus whitelist, and public apologies were given on the release notes page for having modified Adblock Plus' behavior without asking users' consent in advance.^[32] On May 4, 2009, in a long blog post, NoScript's author personally apologized for the initial obscure approach, recognizing it had been a breach of trust and declaring his contrition. He also explained that the Adblock Plus whitelist deployed by NoScript was intended as a countermeasure against unusually aggressive EasyList entries specifically targeting Maone's websites, which broke almost all the dynamic functionality and even the links to install the NoScript software package itself.^[33]

NoScript website and Ghostery

On Friday, May 1, 2009,^[34] and again on Sunday, May 3, 2009,^[35] in the wake of discussions about NoScript's interaction with AdBlock Plus, it was pointed out in the NoScript support forum, that a stylesheet rule on the NoScript website kept notifications of Ghostery, a Firefox extension that informs about web bugs, hidden. Ghostery would otherwise inform users about the use of Google AdSense on NoScript's website. Maone in response explained that his stylesheet was only styling the web site content itself, that Ghostery's way of displaying notifications was technically inadequate, because their information could be spoofed by any web site, and that the notifications obstructed websites' content without real purpose, since they could be easily and more safely displayed in the browser chrome.^[36] In later statements, he specifically criticized the obstruction of a donation button and license terms^[37][38] and stated that his stylesheet did not prevent Ghostery from working, since the same information was available via the browser's status bar icon.^[39]

Critics responded that the stylesheet file contained information purposefully targeted at Ghostery. It was pointed out that Ghostery's notification in its original state did not obstruct Maone's donation button and vanished after a few seconds. Users underlined that Maone's stylesheet rule kept Ghostery from providing information about a web bug and criticized Maone for his information policy in general. Maone's assertions that Ghostery's way of displaying information was unfavorable and susceptible to manipulation met agreement.^[40][41]

The issue spread to third-party websites,^[42][43] some of which falsely claimed that the NoScript extension rather than its website interfered with the Ghostery add-on. Among the websites fueling speculations was the blog of David Cancel, author of Ghostery, who later corrected his earlier presumptions.

On May 6, 2009, after actively discussing the matter with online users, Maone announced that he had changed his opinion on the subject and in consequence modified the stylesheet of his website.^[38] The Ghostery notification box is no longer kept hidden but moved slightly towards the center of the page, in order to not obstruct donation buttons or license information.

See also

Free software portal

• NotScripts
• Framekiller

References

1. ^ "Meet the NoScript Developer". Mozilla. https://addons.mozilla.org/en-US/firefox/addon/noscript/developers. Retrieved 2011-09-27. 
2. ^ "Mozilla Security Group". Mozilla. http://www.mozilla.org/projects/security/secgrouplist.html. Retrieved 2011-09-27. 
3. ^ Scott Orgera. "NoScript". About.com. http://browsers.about.com/od/48/gr/noscript.htm. Retrieved 2010-11-27. 
4. ^ Will Dormann and Jason Rafail (2008-02-14). "Securing Your Web Browser". CERT. http://www.cert.org/tech_tips/securing_browser/#Mozilla_Firefox. Retrieved 2010-11-27. 
5. ^ "NoScript Changelog". noscript.net. http://noscript.net/changelog#2.0.3rc1. Retrieved 16 March 2011. 
6. ^ ^{a b} Giorgio Maone (2010-08-01). "al_9x Was Right, My Router is Safe". Hackademix.net. http://hackademix.net/2010/08/01/al_9x-was-right-my-router-is-safe/. Retrieved 2010-08-02. 
7. ^ Can I use ABE to fine-tune NoScript's permissions? NoScript.net. Retrieved November 27, 2010.
8. ^ NoScript Features-Site matching NoScript.net. Retrieved April 22, 2008.
9. ^ NoScript Features-Untrusted blacklist NoScript.net. Retrieved April 22, 2008.
10. ^ NoScript's first Anti-XSS release Mozilla Add-ons
11. ^ NoScript Features-Anti-XSS protection NoScript.net. Retrieved April 22, 2008.
12. ^ Nathan Mc Fethers (2008-07-03). "NoScript vs Internet Explorer 8 Filters". ZDNet. http://m.zdnet.com/blog/security/noscript-vs-internet-explorer-8-filters/1421. Retrieved 2010-11-27. 
13. ^ Adam Barth (2010-01-26). "Security in Depth: New Security Features". Google. http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html. Retrieved 2010-11-27. 
14. ^ Giorgio Maone. "Application Boundaries Enforcer (ABE)". NoScript.net. http://www.noscript.net/abe/d. Retrieved 2010-08-02. 
15. ^ Giorgio Maone (2010-07-28). "ABE Patrols Routes to Your Routers". Hackademix.net. http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/. Retrieved 2010-08-02. 
16. ^ http://noscript.net/faq#clearclick
17. ^ Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". Hackademix.net. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/. Retrieved 2008-10-27. 
18. ^ Michal Zalevski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc.. http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing). Retrieved 2008-10-27. 
19. ^ NoScript FAQ: HTTPS NoScript.net. Retrieved August 2, 2010.
20. ^ Dancho Danchev (2010-06-18). "The EFF Releases New HTTPS Everywhere Firefox Extension". ZDNet. http://m.zdnet.com/blog/security/the-eff-releases-new-https-everywhere-firefox-extension/6738. Retrieved 2010-08-02. 
21. ^ PC World Award pcworld.com. Retrieved April 22, 2008.
22. ^ About.com 2008 Best Security Add-On Award about.com. Retrieved August 2, 2010.
23. ^ Best Privacy/Security Add-On 2010 about.com. Retrieved August 2, 2010.
24. ^ Best Privacy/Security Add-On 2011 about.com. Retrieved March 20, 2011.
25. ^ Security Innovation Grant Winner Announcement Dragon Research Group. Retrieved July 17, 2011.
26. ^ Peter Smith (17 Apr 2007). "Top 10 Firefox extensions to avoid". Computerworld. International Data Group. http://www.computerworld.com.au/article/180008/top_10_firefox_extensions_avoid. Retrieved 2 May 2009. 
27. ^ Giorgio Maone. "Q: What websites are in the default whitelist and why?". The official NoScript FAQ. InformAction. http://noscript.net/faq#qa1_5. Retrieved 17 May 2009. 
28. ^ Palant, Wladimir (2009-05-01). "Attention NoScript users". Adblock Plus and (a little) more. Cologne, Germany: Wladimir Palant. http://adblockplus.org/blog/attention-noscript-users. Retrieved 2009-05-02. 
29. ^ "mrd.js". http://noscript.net/downloads/mrd.js.html. ^[when?]
30. ^ "No Surprises". 2009-05-01. http://blog.mozilla.com/addons/2009/05/01/no-surprises/. 
31. ^ ^{a b} "NoScript FAQ 3.21: Why can I see ads on this site even if I've got AdBlock Plus + EasyList?". 2009-04-30. http://noscript.net/faq#qa3_21. 
32. ^ "NoScript 1.9.2.6 release notes page". 2009-05-02. http://noscript.net/?ver=1.9.2.6. 
33. ^ Maone, Giorgio (2009-05-04). "Dear Adblock Plus and NoScript Users, Dear Mozilla Community". Hackademix.net. http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/. 
34. ^ NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3133, Guest (2009-05-01)
35. ^ NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3610, Curious Inquiry (2009-05-03)
36. ^ NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3133, Giorgio Maone (2009-05-01)
37. ^ NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04)
38. ^ ^{a b} NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06)
39. ^ Ghostery News "Attention all NoScript users", comment by Giorgio Maone, (2009-05-05)
40. ^ NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3929, Another guest (2009-05-04)
41. ^ NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3929, Another guest (2009-05-06)
42. ^ Twitter tweet by Mark Pilgrim (diveintomark) (2009-05-03)
43. ^ yardley.ca "When blockers block the blockers", Greg Yardley (2009-05-04)

External links

• NoScript homepage
• NoScript at addons.mozilla.org
• NoScript presentation in How to Bypass Internet Censorship, a FLOSS Manual, 10 March 2011, 240 pp.