NoScript
From Wikipedia, the free encyclopedia
NoScript | |
---|---|
Developed by | InformAction, Giorgio Maone |
Latest release | 1.6 / April 14, 2008 |
OS | Cross-platform |
Available in | 39 Languages |
Genre | Mozilla extension |
License | GPL |
Website | noscript.net |
NoScript is a free, open-source extension for Mozilla Firefox, Flock, SeaMonkey, and other Mozilla-based browsers. NoScript allows JavaScript, Java, Flash and other plugins and scripted content to be executed only by web sites that the user permits.[1] NoScript's preemptive script-blocking approach and its frequent updates give it a reputation for safety[citation needed].
Features
Security and Usage
Operating NoScript is relatively simple. After installation, JavaScript, Java, Flash, Silverlight and other executable content are blocked by default in Firefox. This content is allowed to execute only after the user gives explicit permission.[2] This whitelist-based, preemptive blocking approach prevents exploitation of security vulnerabilities without loss of functionality.
NoScript takes the form of a toolbar in Firefox. For the page being viewed, it lists every site whose content is currently blocked or allowed, with options to allow the blocked content or forbid the allowed content. Additional options can also be changed through this toolbar.
Site matching and whitelisting
For each site, the exact address, exact domain, or parent domain can be allowed, after which its content will be executed. Enabling a domain (e.g. mozilla.org) implicitly enables all of its subdomains (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. http and https). Enabling an address (protocol://host, e.g. http://www.mozilla.org) enables its subdirectories (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but not its domain ancestors or its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.[3]
Untrusted blacklist
Sites can also be blacklisted with NoScript. Blacklisting a site not only blocks it from executing scripted content, but also removes the option of allowing it to execute that content until the site is removed from the blacklist.[4]
Anti-XSS protection
NoScript features unique anti-XSS countermeasures, even against XSS Type 1 attacks targeted at whitelisted sites. Whenever a non-trusted site tries to inject JavaScript code into a trusted (whitelisted and JavaScript-enabled) site, NoScript filters the malicious request, neutralizing its dangerous payload. By default, Anti-XSS protection filters all requests from untrusted origins to trusted destinations, where a trusted site is one that is either "Allow"ed or "Temporary allow"ed. Furthermore, since version 1.1.4.9 NoScript also checks requests that start from whitelisted origins for specific suspicious URL patterns landing on other trusted sites: if a potential XSS attack is detected, the filters are triggered even when the request comes from a trusted source.[5]
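The site-matching rules and the default anti-XSS rule described above can be sketched as follows. This is an added example, not NoScript's own code; the function names `isAllowed` and `needsXssFilter`, the sample URLs, and the requirement that an address entry match the protocol exactly are assumptions made for illustration.

```javascript
// Added illustration of the matching rules this article describes; not NoScript's code.
// A whitelist entry is a bare domain ("mozilla.org") or an address ("http://www.mozilla.org").
function isAllowed(url, whitelist) {
  const target = new URL(url);
  const scheme = target.protocol.slice(0, -1); // "http:" -> "http"
  const hostname = target.hostname.toLowerCase();
  return whitelist.some((entry) => {
    const e = entry.toLowerCase();
    const sep = e.indexOf("://");
    if (sep !== -1) {
      // Address entry: same protocol (assumed) and same host. Every path below
      // it is covered, but parent and sibling domains are not.
      const entryHost = e.slice(sep + 3).replace(/\/.*$/, "");
      return e.slice(0, sep) === scheme && entryHost === target.host.toLowerCase();
    }
    // Domain entry: the domain and all of its subdomains, on any protocol.
    // The leading dot keeps "evilmozilla.org" from matching "mozilla.org".
    return hostname === e || hostname.endsWith("." + e);
  });
}

// Default anti-XSS rule from the article: filter requests that go from an
// untrusted origin to a trusted destination.
function needsXssFilter(originUrl, destUrl, whitelist) {
  return !isAllowed(originUrl, whitelist) && isAllowed(destUrl, whitelist);
}

// Constructed sample data: one domain entry and one address entry.
const sampleWhitelist = ["mozilla.org", "http://www.example.org"];
const sampleUrls = [
  "https://addons.mozilla.org/firefox",
  "http://evilmozilla.org/",
  "http://www.example.org/docs/page",
  "http://shop.example.org/",
];
for (const url of sampleUrls) {
  console.log(url, isAllowed(url, sampleWhitelist) ? "allowed" : "blocked");
}
```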
Awards
NoScript is very popular, often topping Mozilla's most popular extension list.[6]
NoScript has also received numerous awards and recommendations, and is often recommended by the media.[7] It has received critical acclaim, winning a PC World 2006 World Class Award.[8]
Criticism
NoScript is sometimes viewed as overkill, unnecessary, and tedious.[9]
Since NoScript's default behavior is to block all scripts that are not whitelisted, a large number of sites may not work correctly because they rely on JavaScript technologies such as AJAX. However, this is mitigated by allowing users to temporarily or permanently enable scripting for individual domains.
References
- ^ NoScript What is it? NoScript.net, Accessed April 22, 2008
- ^ NoScript Features-Usable security NoScript.net, Accessed April 22, 2008
- ^ NoScript Features-Site matching NoScript.net, Accessed April 22, 2008
- ^ NoScript Features-Untrusted blacklist NoScript.net, Accessed April 22, 2008
- ^ NoScript Features-Anti-XSS protection NoScript.net, Accessed April 22, 2008
- ^ Firefox add-ons sorted by popularity, https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:all/sort:popular, Accessed September 6, 2007
- ^ Ten free security utilities you should already be using, #10: NoScript for Firefox, TechRepublic.com, Accessed September 6, 2007
- ^ PC World Award pcworld.com, Accessed April 22, 2008
- ^ Top 10 Firefox extensions to avoid, Peter Smith, Accessed April 22, 2008