The Tin Hat
NoScript Tutorial | Locking Down Firefox To Boost Security

Category: addons

Web developers are increasingly leaning on JavaScript to make their sites usable, meaning it is becoming harder and harder to disable it completely. At the same time, hackers are finding more and more ways to use JavaScript to exploit the browser, and marketers have started using JavaScript extensively to track our movements around the web. As a result, disabling JavaScript selectively can drastically increase your level of security and privacy online. NoScript is a rock-solid add-on that does just this.


NoScript is a Firefox add-on that blocks all scripts and executable content, particularly JavaScript. Today, JavaScript is responsible for a wide variety of security vulnerabilities that can be protected against simply by disabling it. If you want to get into the nitty-gritty, NoScript claims to protect against cross-site scripting (XSS) attacks, cross-zone DNS rebinding/CSRF attacks (router hacking), and clickjacking attempts. In addition to these security benefits, disabling JavaScript also increases your online anonymity, as a myriad of tracking tools require JavaScript to collect information about your computer.

Although it can seem somewhat daunting at first, using NoScript is fairly simple. After installation, a small icon that looks like an "S" will appear in your Firefox window. Clicking it brings up a list of all the domains that the site you're on is pulling scripts from. By default, NoScript blocks all scripts from all domains, meaning that you have to enable them if you want them to run. There are a few options for doing this. One option is to simply allow the scripts from a domain permanently by clicking "Allow [Insert Domain Here]". This is the method you'll most likely end up using. The second option is to "Temporarily Allow [Insert Domain Here]". This option is useful if you find a script from a suspicious domain that is absolutely required to run in order for the website to function properly. Temporarily enabling it allows the script to run until you close your browser or revoke the temporary permission, at which point NoScript will block it again. The third option is the nuclear one: "Allow Scripts Globally". This allows all scripts from all domains, and is usually not recommended. I have used it myself a few times on sites that frustratingly require forty-nine different scripts just to work (other times I will simply leave the site entirely).

Of course, scripts are often both safe and required. For example, if you open up NoScript at this site, you'll notice that The Tin Hat requires a script to run properly (update: since February 2014, The Tin Hat has been designed for use with NoScript). This script simply loads images as they enter your browser window to decrease initial load times. Blocking The Tin Hat from using this script will result in very few images actually loading, leading to the site looking like, well, crap. Often when I get to a site and it looks like something just isn't quite right, I'll pop open the NoScript menu, look for the site's name, and allow only that. For example, if I were at, I would "Allow", or at, I would "Allow". Scripts from the website itself are usually safe to run (assuming our threat model is advertisers and marketers, not attackers). The scripts from other domains are what we usually don't want. Looking at, for instance, we see that it requires scripts from nine different domains. I've found that only around three to four of these are actually required; the rest are just marketing tools.

Getting an eye for which domains are both safe and necessary is just like using Request-Policy: it takes a bit of time and experience, though not much. The same tips I gave on that tutorial apply here as well, so give it a read if you want to get on your feet when starting to use NoScript.

NoScript is a tool that really does give you quite a bit of control, and it's one of the add-ons I would recommend using the most. If you don't use it already, or you find it cumbersome or complicated, challenge yourself to use it for just one week. At first you may find that it's a bit daunting and that none of your websites work, but after seven days you'll be a NoScript wizard.
