NoScript Tutorial | Locking Down Firefox To Boost Security
Category: addons
A 3 Minute Read
06 Jan 2014
Although it can seem somewhat daunting at first, using NoScript is fairly simple. After installation, a small icon that looks like an "S" will appear in your Firefox window. Clicking it will bring up a list of all the domains that the site you're on is pulling scripts from. By default, NoScript blocks all scripts from all domains, meaning that you have to enable them if you want them to operate. There are a few options to do this. One option is to simply allow the scripts from a domain permanently by clicking "Allow [Insert Domain Here]". This is the method you'll most likely end up using most of the time. The second option is to "Temporarily Allow [Insert Domain Here]". This option is useful if you find a script from a suspicious domain that is absolutely required to run in order for the website to function properly. Temporarily enabling it allows the script to run until you close your browser or revoke the temporary permission, at which point NoScript will block it again. The third option is the nuclear one, which is to "Allow Scripts Globally". This will allow all scripts from all domains, and is usually not recommended. I have used it myself a few times on sites that frustratingly require forty-nine different scripts just to work (other times I will simply leave the site entirely).
Of course, scripts are often both safe and required. For example, if you open up NoScript at this site, you'll notice that The Tin Hat requires a script to run properly (update: since February 2014, The Tin Hat has been designed for use with NoScript). This script simply loads images as they enter your browser window to decrease initial load times. Blocking The Tin Hat from using this script will result in very few images actually loading, leading to the site looking like, well, crap. Often when I get to a site and it looks like something just isn't quite right, I'll pop open the NoScript menu, look for the site's own name, and allow only that. For example, if I were at TheTinHat.com, I would "Allow TheTinHat.com", or at ArsTechnica.com, I would "Allow Arstechnica.com". Scripts from the website itself are usually safe to run (assuming our threat model is advertisers and marketers, not attackers). The scripts from other domains are what we usually don't want. Looking at NHL.com, for instance, we see that it requires scripts from nine different domains. I've found that only around three to four of these are actually required; the rest are just marketing tools.
Getting an eye for which domains are both safe and necessary is just like using Request-Policy: it takes a bit of time and experience, though not much. The same tips I gave on that tutorial apply here as well, so give it a read if you want to get on your feet when starting to use NoScript.
NoScript is a tool that really does give you quite a bit of control, and it's one of the add-ons I would recommend using the most. If you don't use it already, or you find it cumbersome or complicated, challenge yourself to use it for just one week. At first you may find that it's a bit daunting and that none of your websites work, but after seven days you'll be a NoScript wizard.