
NoScript

November 9th, 2007 at 7:00am — Rating: 5 out of 5

If you're a JavaScript developer, you know all about XSS (Cross Site Scripting), but how do you protect yourself from it? I think we have a solution for you today.

Overview

NoScript is a Firefox extension that protects you from external scripts by notifying you of scripts that aren't part of the current domain. If you think the script is safe, you can validate it by approving it.

NoScript only allows JavaScript and Java execution from trusted domains, which is great for you power surfers who venture into unknown territory on the Internet. :-)

Not only is NoScript great for protecting you from XSS, it also won PC World's Top 100 Products of the Year of 2006. The Washington Post and the New York Times also love this extension.

Installation

NoScript installed into Firefox with no problems whatsoever. The download was 223K directly into Firefox.

When Firefox restarts, you'll notice a small 'S' icon in your status bar. Every time you visit a web site, NoScript kicks into gear, shows you the number of scripts loaded, and asks whether you want to run them.

Features

After visiting a site or two with NoScript, a yellow bar at the bottom of my browser appeared and notified me that Java/JavaScripts were detected.

When you click the options button, a context menu appears with a list of all of the domains where the Java/JavaScripts were loaded. If you notice familiar domains in your list, click on the "Allow <domain name>" option to accept it.

As you visit other web sites, you'll start to create what is called a "whitelist" of trusted domains. This whitelist is generated while you are surfing and can easily be edited in the options of the extension (see below).

While there aren't a lot of features in this extension, it definitely overcompensates in the configuration department. :-)

Configuration

The configuration for this extension is accessible through the 'S' icon in the status bar. Left-click on the 'S' to get the context menu and select the "Options..." item.

NoScript Configuration Dialog Box

The options are broken into 6 sections: General, WhiteList, Plugins, Appearance, Notification, and Advanced.

On the General tab, you have the ability to control when NoScript should detect any unknown JavaScripts (Is it at the top domain or second-level domains?).
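To make the whitelist behaviour described in the Overview and on the General tab concrete, here is an added example (not NoScript's own code) that models the decision per script: a script runs only if its host, or in "base" mode its base domain, is on the user's whitelist, and every blocked domain becomes a candidate "Allow <domain>" entry. The hostnames, whitelist entries and the baseDomain() heuristic are constructed assumptions.

```javascript
// Added example, not NoScript's own code: a model of per-domain script
// whitelisting. Hostnames, whitelist entries and baseDomain() are
// constructed assumptions for illustration.

// Simplified base-domain heuristic: keep the last two labels, so
// "static.example.com" -> "example.com". A real implementation consults a
// public-suffix list so that "foo.co.uk" is not collapsed to "co.uk".
function baseDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Decide whether a script from `host` is trusted.
//   mode "base": a whitelist entry covers its whole base domain (the
//                "top domain" setting), so "example.com" also trusts
//                static.example.com.
//   mode "full": entries must match the script's host exactly, so each
//                second-level domain is judged on its own.
function isTrusted(host, whitelist, mode) {
  const trusted = new Set(whitelist.map((h) => h.toLowerCase()));
  if (trusted.has(host)) return true;
  return mode === "base" && trusted.has(baseDomain(host));
}

// Evaluate every script a page loads. `scripts` holds script URLs, or null
// for an inline <script>, which is attributed to the page's own host.
// Returns allowed and blocked scripts plus the distinct blocked domains that
// would be offered as "Allow <domain>" items in the menu.
function evaluatePage(pageUrl, scripts, whitelist, mode = "base") {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const allowed = [];
  const blocked = [];
  const menu = [];
  for (const src of scripts) {
    const host = src === null ? pageHost : new URL(src).hostname.toLowerCase();
    const entry = { src: src === null ? "(inline)" : src, host };
    if (isTrusted(host, whitelist, mode)) {
      allowed.push(entry);
    } else {
      blocked.push(entry);
      const label = mode === "base" ? baseDomain(host) : host;
      if (!menu.includes(label)) menu.push(label);
    }
  }
  return { allowed, blocked, menu };
}

// Constructed sample: a page on blog.example.com loading four scripts,
// with two whitelist entries the user has already approved.
const SAMPLE_PAGE = "https://blog.example.com/post/1";
const SAMPLE_SCRIPTS = [
  "https://static.example.com/app.js",
  "https://cdn.trusted-example.net/lib.js",
  "https://ads.tracker-example.org/t.js",
  null, // inline script on the page itself
];
const SAMPLE_WHITELIST = ["example.com", "cdn.trusted-example.net"];

for (const mode of ["base", "full"]) {
  const r = evaluatePage(SAMPLE_PAGE, SAMPLE_SCRIPTS, SAMPLE_WHITELIST, mode);
  console.log(mode, "allowed:", r.allowed.map((e) => e.host));
  console.log(mode, "blocked:", r.blocked.map((e) => e.host), "menu:", r.menu);
}
```

Running it shows the difference the General tab setting makes: in "base" mode the whitelist entry for example.com covers static.example.com and the page's own inline script, leaving only the ad host blocked; in "full" mode those same scripts are blocked until each host is approved individually.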

The Whitelist tab was briefly discussed above. Here is where you maintain your whitelist of trusted domains. If you made the mistake of adding a site, simply select it here and remove it.

The Plugin tab adds additional restrictions to plugins, whether it be Microsoft Silverlight, Java, or Flash.

The Appearance tab gives you the option of making NoScript appear in the status bar as an icon or a label, and allows you to modify the context menu by adding or removing options.

The Notifications tab controls when you are notified that something has happened. Do you want to be notified of an XSS attack as well as <NOSCRIPT> elements? You even have the option to play a sound file to notify you.

The Advanced tab displays additional restrictions and permissions for untrusted, trusted, and XSS sites.

Conclusion

Even though NoScript is small and considered a notification extension, it still shows that one small extension can make a difference in providing better security in your browsing experience, which is why Firefox is so popular among the techies.

NoScript is an extension that I would consider to be an "Iceberg" extension. Above the water, it doesn't look like it does much, but underneath the water, it's doing a lot to protect you from the various XSS threats from Type 0 to Type 2.

Definitely an extension to install immediately.

The rating for NoScript is a solid 5 out of 5.