Андрей Смирнов

NoScript: additional security for the Mozilla Firefox browser

NoScript is Free Software (source code): if you like it, you can support its progress 🙂



NoScript 10 «Quantum» resources

  • A Basic NoScript 10 Guide
  • NoScript 10 primer by Jeaye
  • Quantum vs Legacy comparison

The NoScript Firefox extension provides extra protection for Firefox, SeaMonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.

NoScript’s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known, such as Meltdown or Spectre, and even not known yet!) with no loss of functionality…

You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows. Watch the «Block scripts in Firefox» video by CNET.

Staying safe has never been so easy! Experts will agree: Firefox is really safer with NoScript!

Recommended: protect your Internet traffic, too, with Military Grade Encryption.


V. 11.0.12 — Quantum Security for everyone!

If you find any bug or you’d like an enhancement, please report here or here. Many thanks!

Main good news
  • Better support for service workers and their imported scripts.
  • Fixed settings export button broken on Vivaldi.
  • Fixed UNTRUSTED domains accidentally set in «match HTTPS only» mode.
  • Added beacon/ping capability control.
  • Fixed UI not working where sessionStorage is disabled.
  • Fixed some XSS Filter false positives.
  • Several new and updated translations, thanks to the Localization Lab / OTF NoScript Transifex project.
  • «Override Tor Browser Security Level preset» option offers more flexibility to NoScript+Tor power users.

More in the changelog…

Experts do agree…

03/10/2014, Edward Snowden endorses NoScript as a countermeasure against the Surveillance State.

08/06/2008, «I’d love to see it in there.» (Window Snyder, «Chief Security Something-or-Other» at Mozilla Corp., interviewed by ZDNet about «adding NoScript functionality into the core browser»).

03/18/2008, «Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits» (Rich Mogull on TidBITS, Should Mac Users Run Antivirus Software?).

11/06/2007, Douglas Crockford, world-famous JavaScript advocate and developer of JSON (one of the building blocks of Web 2.0), recommends using NoScript.

03/16/2007, SANS Internet Storm Center, the authoritative source of computer security related wisdom, runs a front-page Ongoing interest in Javascript issues diary entry by William Stearns just to say «Please, use NoScript» 🙂 Actually, NoScript has been recommended several times by SANS, but it’s nice to see it mentioned in a dedicated issue, rather than as a work-around for specific exploits in the wild. Many thanks, SANS!

05/31/2006, PC World’s The 100 Best Products of the Year list features NoScript at #52!

Many thanks to PC World, of course, for grokking NoScript so much, and to IceDogg who kindly reported this news…

In the press…

  • CNET News: «Giorgio Maone’s NoScript script-blocking plug-in is the one-and-only Firefox add-on I consider mandatory.» (March 9, 2009, Dennis O’Reilly, Get a new PC ready for everyday use)
  • Forbes: «The real key to defeating malware isn’t antivirus but approaches like Firefox’s NoScript plug-in, which blocks Web pages from running potentially malicious programs» (Dec 11, 2008, Andy Greenberg, Filter The Virus Filters).
  • PC World: Internet Explorer 7 Still Not Safe Enough because it doesn’t act like «NoScript […] an elegant solution to the problem of malicious scripting» (cite bite)
  • New York Times: «[…] NoScript, a plug-in utility, can limit the ability of remote programs to run potentially damaging programs on your PC», (Jan 7, 2007, John Markoff, Tips for Protecting the Home Computer).
  • PC World‘s Ten Steps Security features using NoScript as step #6. (cite bite)
  • The Washington Post security blog compares MSIE «advanced» security features (like so called «Zones») to Firefox ones and recommends NoScript adoption as the safest and most usable approach. (cite bite)


  • Original author(s): Giorgio Maone
  • Developer(s): Giorgio Maone
  • Initial release: May 13, 2005[1]
  • Stable release: 11.0.12 / 8 January 2020
  • Preview release: 11.0.12rc2 / 8 January 2020
  • Repository: https://github.com/hackademix/noscript
  • Written in: JavaScript, XUL, CSS
  • Available in: 45[2] languages
  • Type: Mozilla extension
  • License: GPLv2+
  • Website: NoScript.net

NoScript (or NoScript Security Suite) is a free software extension for Mozilla Firefox, SeaMonkey, other Mozilla-based web browsers, and Google Chrome,[3] created and actively maintained by Giorgio Maone,[4] an Italian software developer and member of the Mozilla Security Group.[5]

By default, NoScript blocks active (executable) web content, which a user can wholly or partially unblock by whitelisting a site or domain from the extension’s toolbar menu: sites can be set as ‘allowed’, ‘trusted’, or ‘untrusted’, and the whitelist persists between sessions. Temporarily allowed sites won’t be added to the permanent whitelist, and work only until the browser session ends. Active content may consist of JavaScript, web fonts, Java, Flash, Silverlight, and other plugins. The add-on also offers specific countermeasures against security exploits.[6]



NoScript blocks JavaScript, Java, Flash, Silverlight, and other «active» content by default in Firefox. This is based on the assumption that websites can use these technologies in harmful ways. Users can allow active content to execute on trusted websites, by giving explicit permission, on a temporary or a more permanent basis. If «Temporarily allow» is selected, then scripts are enabled for that site until the browser session is closed.

Because many web browser attacks require scripting, configuring the browser to have scripting disabled by default reduces the chances of exploitation. Blocking plug-in content, as well, helps to mitigate any vulnerabilities in plug-in technologies, such as Java, Flash, Acrobat, and so on. NoScript will replace these blocked elements with a placeholder icon. Clicking on this icon enables the element.[7]

NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1[8]) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script’s processing.

NoScript’s interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) which are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run.[9] With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.

The names of certain URLs often give indications of the purposes of these scripts, for example scripts from online-advertising and tracking firms. This gives users the ability to very specifically weed out scripts that they do not have the desire to run. This is a trial-and-error process. Upon unblocking a script the entire webpage is reloaded, and the weeding-out process must then be repeated.[10][11]

NoScript may provide additional defenses against web-based attacks such as XSS, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding, with specific countermeasures that work independently from script blocking.[12]

On November 14, 2017, Giorgio Maone announced NoScript 10, which will be «very different» from 5.x versions, and will use WebExtension technology, making it compatible with Firefox Quantum.[13] On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is available for Firefox for Android and there is also preliminary work to port it to Chromium.[14]

Site matching and whitelisting

[Figure: NoScript Anywhere 3.5a15 site permissions in IceCat Mobile 52.6 on Android 4.1.2]

Scripts (and other blockable elements) are allowed or blocked based on the source from where the script is fetched. Very often, this source is not identical to the URL displayed in the address field of the web page (main page). This is because many web pages fetch elements such as iframes, style sheets, scripts, and embeddable objects from remote sites. When a web page includes scripts and other blockable elements from many sources, the user may specify blocking policy for the main address and each of the sources separately.

No scripts are executed if the address of the main page is untrusted. Once any source is marked as trusted, NoScript will regard it as trusted even if it is loaded indirectly by web pages or scripts originating from other domains.

The possibility to allow scripts coming from a certain source only for specific main page locations has been requested frequently, but is not yet easy to configure. It may be achieved by configuring the built-in ABE module to fine-tune cross-site resource access.[15]

For each source, the exact address, exact domain, or parent domain may be specified. By enabling a domain (e.g. mozilla.org), all its subdomains are implicitly enabled (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. HTTP and HTTPS). By enabling an address (protocol://host, e.g. https://mozilla.org), its subdirectories are enabled (e.g. https://mozilla.org/firefox and https://mozilla.org/thunderbird), but not its domain ancestors nor its siblings. Therefore, mozilla.org and addons.mozilla.org will not be automatically enabled.[16]
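The matching rules above (domain entries cover subdomains on any protocol; address entries cover subdirectories only; an untrusted main page runs nothing) as an added worked example. This is illustration code written for this page, not NoScript’s own matcher; the whitelist, page and script URLs are constructed sample values.

```javascript
// Added example, not NoScript's own code: a matcher that follows the
// whitelist semantics described above. Entries are bare domains
// ("mozilla.org") or addresses ("https://mozilla.org", optionally with a path).

function matchesDomainEntry(url, domain) {
  // A domain entry covers the domain and every subdomain, on any protocol.
  const host = new URL(url).hostname;
  return host === domain || host.endsWith("." + domain);
}

function matchesAddressEntry(url, address) {
  // An address entry (protocol://host[/path]) covers itself and its
  // subdirectories, but not parent domains, sibling hosts or other protocols.
  const u = new URL(url);
  const a = new URL(address);
  if (u.protocol !== a.protocol || u.host !== a.host) return false;
  const dir = a.pathname.endsWith("/") ? a.pathname : a.pathname + "/";
  const path = u.pathname.endsWith("/") ? u.pathname : u.pathname + "/";
  return path.startsWith(dir);
}

function isTrusted(url, whitelist) {
  return whitelist.some((entry) =>
    entry.includes("://") ? matchesAddressEntry(url, entry)
                          : matchesDomainEntry(url, entry));
}

// Which script sources a page may run: none if the main page itself is
// untrusted, otherwise exactly the trusted sources, each judged on its own
// origin regardless of which page pulled it in.
function allowedScripts(pageUrl, scriptUrls, whitelist) {
  if (!isTrusted(pageUrl, whitelist)) return [];
  return scriptUrls.filter((s) => isTrusted(s, whitelist));
}

// Constructed sample: a page on addons.mozilla.org pulling four scripts.
const whitelist = ["mozilla.org", "https://cdn.example.net/libs"];
const page = "https://addons.mozilla.org/en-US/firefox/";
const scripts = [
  "https://www.mozilla.org/static/app.js",   // subdomain of a domain entry: allowed
  "https://cdn.example.net/libs/jquery.js",  // under the address entry: allowed
  "http://cdn.example.net/libs/jquery.js",   // wrong protocol for the address entry: blocked
  "https://tracker.example.org/t.js",        // not whitelisted: blocked
];
console.log(allowedScripts(page, scripts, whitelist));
```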

Untrusted blacklist

Sites can also be blacklisted with NoScript.[17] This, coupled with the «Allow Scripts Globally» option, lets users who deem NoScript’s «Default Deny» policy too restrictive turn it into a «Default Allow» policy.[18] Even if the security level is lower than in the default configuration, NoScript still provides a number of defenses against certain web-based attacks, such as cross-site scripting, CSRF, clickjacking, man-in-the-middle attacks, and DNS rebinding.[12]

Anti-XSS protection

On April 11, 2007, NoScript was publicly released,[19] introducing the first client-side protection against Type 0 and Type 1 Cross-site scripting (XSS) ever delivered in a web browser. Whenever a website tries to inject HTML or JavaScript code inside a different site, NoScript filters the malicious request, neutralizing its dangerous load.[20] Similar features have been adopted years later by Microsoft Internet Explorer 8[21] and by Google Chrome.[22]

Application Boundaries Enforcer (ABE)

[Figure: Resources blocked by ABE are logged to the browser console. The Console extension shows the block events of two CSS files, as logged by NoScript Anywhere 3.5a15 in GNU IceCat 38.8.0 on Android 2.3.6]

The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser. This «firewall» is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. plugins, webmail, online banking, and so on), according to policies defined either directly by the user, by the web developer/administrator, or by a trusted third party.[23] In its default configuration, NoScript’s ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.[24]
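The default intranet protection described above, modelled as an added example: requests into loopback or private address space are accepted only when they also come from a local origin, which is what stops a public page from driving CSRF or DNS-rebinding requests at a router. This is illustration code written for this page, not ABE’s engine or its rule syntax; it assumes the caller supplies the resolved IP of each host name (the `resolved` table is a constructed lookup), and it judges the origin by its host name but the destination by its resolved address, so a public name that later re-resolves to a private IP is not treated as a local origin.

```javascript
// Added example, not NoScript's ABE engine or rule syntax: a simplified model
// of the default "LOCAL may only be reached from LOCAL" behaviour.

function parseIPv4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const nums = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return nums.every((n) => n >= 0 && n <= 255) ? nums : null;
}

// LOCAL: loopback, RFC 1918 private ranges and link-local addresses.
function isLocalAddress(ip) {
  const n = parseIPv4(ip);
  if (!n) return ip === "::1" || ip === "localhost";
  const [a, b] = n;
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

function hostOf(url) {
  // Strip the brackets Node keeps around IPv6 literals in hostname.
  return new URL(url).hostname.replace(/^\[|\]$/g, "");
}

// Decide one request. `resolved` maps host names to the IP the browser
// resolved them to (assumption: supplied by the caller; IP literals and
// unknown names fall back to the name itself).
function abeDecision(originUrl, destUrl, resolved) {
  const destHost = hostOf(destUrl);
  const destIp = resolved[destHost] || destHost;
  if (!isLocalAddress(destIp)) return "ACCEPT";   // rule only guards LOCAL
  // Origin is judged by its name, not by what DNS says now, so a rebound
  // public name never counts as LOCAL.
  return isLocalAddress(hostOf(originUrl)) ? "ACCEPT" : "DENY";
}

// Constructed samples: a public page targeting a router, a LAN page doing the
// same, a public page reaching a public site, and a rebound attacker name.
const resolved = { "www.example.org": "203.0.113.7", "rebind.example": "10.0.0.5" };
console.log(abeDecision("https://attacker.example/", "http://192.168.1.1/admin", resolved));
console.log(abeDecision("http://192.168.1.2/", "http://192.168.1.1/admin", resolved));
console.log(abeDecision("https://attacker.example/", "https://www.example.org/", resolved));
console.log(abeDecision("https://rebind.example/", "https://rebind.example/api", resolved));
```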

ClearClick (anti-clickjacking)

NoScript’s ClearClick feature,[25] released on October 8, 2008, prevents users from clicking on invisible or «redressed» page elements of embedded documents or applets, defeating all types of clickjacking (i.e. frame-based and plugin-based).[26] This makes NoScript «the only freely available product which offers a reasonable degree of protection» against clickjacking attacks.[27]

HTTPS enhancements

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be either triggered by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites which don’t support Strict Transport Security yet.[28] NoScript’s HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.[29]

Surrogate scripts

NoScript is able to run user-provided scripts instead of, or in addition to, website-provided scripts, in a similar manner to the Greasemonkey addon. This feature was originally designed to fix pages that make use of third-party scripts (such as Google Analytics) in a way that causes the pages to break when the third-party scripts are blocked, but is not required for the actual functionality of the page.[30] The list of built-in surrogate scripts is actively maintained[31] and included 48 sites as of version

Unintended benefits

NoScript can provide some unintended benefits. An IANIX benchmark on the top 150 Alexa websites sans country-code duplicates with NoScript enabled showed a reduction in bandwidth consumption by approximately 42%.[32] In addition, the use of NoScript reduces the amount of system resources required by the browser to display web pages.

As some web tracking services depend on JavaScript, and as JavaScript exposes browser and operating system configuration details, NoScript can increase privacy and anonymity as seen via the EFF’s Panopticlick tool.[33] NoScript also can be used by web developers as a convenient way to test how well sites work without JavaScript, particularly since modern versions of Firefox have removed JavaScript controls from the regular configuration pane.[34]


Continuing the series I started, I will tell you about a plugin that I wrote about on this blog some time ago. Today we will talk about NoScript, and although we will look at it using Firefox as the example, the plugin exists for all browsers (use the search; there are articles on the site).

This plugin is rightly considered the best solution for protection against viruses (of all types and kinds), cross-site scripting (XSS attacks), clickjacking and other known and still unknown vulnerabilities of both the browser itself and the system. With it your antivirus will really get bored, believe my experience.


Besides everything else, a heap of pop-up windows, redirects to other sites and a considerable part of the advertising will disappear, site loading and navigation will speed up, and much more. Surfing the Internet will become genuinely safe and comfortable.

This plugin is called NoScript and blocks JavaScript and similar scripts on all sites except those you really trust (for example, Yandex, Google and so on).

Sources used:

  • https://noscript.net/
  • https://en.wikipedia.org/wiki/noscript
  • https://sonikelf.ru/cikl-statej-maksimalnyj-komfort-s-mozilla-firefox-chast-2/
