The Tin Hat

NoScript Tutorial | Disabling Javascript for Security

Category: addons
A 3 Minute Read

Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!

Web developers are increasingly leaning on javascript to make their sites usable, meaning it is becoming harder and harder to disable it completely. At the same time, hackers are finding more and more ways to use javascript to exploit the browser, while marketers have also started using javascript extensively to track our movements around the web. As a result of this, disabling javascript selectively can drastically increase your level of security and privacy online. NoScript is a rock-solid add-on that does just this.

NoScript

NoScript is a Firefox add-on that blocks all scripts and executable content, particularly javascript. Today, javascript is responsible for a wide variety of security vulnerabilities that can be protected against by simply disabling it. If you want to get into the nitty-gritty, NoScript claims to protect against cross-site scripting attacks (XSS), cross-zone DNS rebinding/CSRF attacks (router hacking), and clickjacking attempts. In addition to these security benefits, disabling javascript also increases your online anonymity, as a myriad of tracking tools require the use of javascript to collect information about your computer.

Although it can seem somewhat daunting at first, using NoScript is fairly simple. After installation, a small icon that looks like an "S" will appear in your Firefox window. Clicking it will bring up a list of all the domains that the site you're on is pulling scripts from. By default, NoScript blocks all scripts from all domains, meaning that you have to enable them if you want them to operate. There are a few options to do this. One option, is to simply allow the scripts from a domain permanently by clicking "Allow [Insert Domain Here]". This is the method that you'll most likely usually end up using. The second option is to "Temporarily Allow [Insert Domain Here]". This option is useful if you find a script from a suspicious domain that is absolutely required to run in order for the website to function properly. Temporarily enabling it allows the script to run until you close your browser or revoke the temporary permission, at which point NoScript will block it again. The third option is the nuclear one, which is to "Allow Scripts Globally". This will allow all scripts from all domains, and is usually not recommended. I have used it myself a few times on sites that frustratingly require fourty-nine different scripts just to work (other times I will simply leave the site entirely).

Of course, scripts are often both safe and required. For example, if you open up NoScript at this site, you'll notice that The Tin Hat requires a script to run properly (update: since February 2014, The Tin Hat has been designed for use with NoScript). This script simply loads images as they enter your browser window to decrease initial load times. Disabling The Tin Hat from using this script will result in very few images actually loading, leading to the site looking like, well, crap. Often when I get to a site, and it looks like something just isn't quite right I'll pop open the NoScript menu and I'll look for the sites name and allow only that. For example, if I were at TheTinHat.com, I would "Allow TheTinHat.com", or at ArsTechnica.com, I would "Allow Arstechnica.com". Scripts from the website itself are usually safe to run (assuming our threat model is advertisers and marketers, not attackers). The scripts from other domains are what we usually don't want. Looking at NHL.com, for instance, we see that it requires scripts from nine different domains. I've found that only around three to four of these are actually required, the rest are just marketing tools.

Getting an eye for which domains are both safe and necessary is just like using Request-Policy: it takes a bit of time and experience, though not much. The same tips I gave on that tutorial apply here as well, so give it a read if you want to get on your feet when starting to use NoScript.

NoScript is a tool that really does give you quite a bit of control, and it's one of the add-ons I would recommend using the most. If you don't use it already or you find it cumbersome or complicated, challenge yourself to use it for just one week. At first you may find that it's a bit daunting and that none of your websites work, but after seven days and you'll be a NoScript wizard.


I personally use NordVPN and Digital Ocean.
Show some love by signing up using my affiliate links:
Or support me directly on Patreon

Help Me Out: Share, Follow, & Comment

Latest Posts

What is Device Fingerprinting?

Learn what browser fingerprinting is and how it canb e used to track you online.

How To Torrent Privately & Anonymously For Free

Learn the pros and cons of using a VPN to torrent, as well as how to use I2P to anonymously torrent for free!

VPN Drop Protection Using Simple Linux Firewall Rules

Learn how to protect against your VPN dropping using these simply Linux firewall rules

Ledger Nano S Review | Why You Need a Bitcoin Hardware Wallet

A review of the Ledger Nano S, and an explanation of why hardware wallets just make life better when using Bitcoin

What is Two Factor Authentication (2FA) And Why Use It?

What 2FA is, why you should use it, and why we need FIDO U2F.

Support The Tin Hat on Patreon!

The Tin Hat now has a few more ways to support the site.

What is a hash?

A simple explanation of what hashing is, and how hashes are used.

Trump's Toolbox | Future Attribute Screening Technology

FAST is a program that attempts to wirelessly detect whether youre a terrorist, and its in Trump's back pocket.

uBlock Origin, The Best AdBlock Alternative

For AdBlock (Plus) alternatives, look no further than uBlock Origin. This tutorial explains why, and how, you should use it.

I2P Browser Setup Tutorial | Using The Tor Browser For I2P

Learn how to browse I2P using the Tor Browser with this short guide

Privacy On Android | 2017 Android Privacy Guide

A tutorial on how to build privacy on your Android device. Learn what you need to do to stay safe and secure.

New I2P Portal For TheTinHat

TheTinHat has moved to a new server, with a new I2P hidden service to accompany it.

Rebranding 'The Dark Net'

Disassociating decentralized networks with the term 'darknets'.

In Defense of Browser-Based Email Encryption

Why I've reversed my opinion on Protonmail and Tutanota

Privacy Focused Blog Platform

A rundown of the tools I use to power my blog, hidden services.

A Lighter-weight Firefox

How I've set up a lightweight, yet still private browser.