Topic: The NoScript Firefox extension provides extra protection for Firefox, Seamonkey+

[Software Santa]

The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers

The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript
 
, Java
 
, Flash
 
and other plugins
 
to be executed only by trusted web sites of your choice (e.g. your online bank). NoScript also provides the most powerful anti-XSS
 
and anti-Clickjacking
 
protection ever available in a browser.
 NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...
 You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon
 
(look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.



Usable security

Operating NoScript is really simple.

When you install NoScript, JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default. You will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you're just surfing randomly, or permanently, when you visit it often and you really trust it. This means that NoScript learns from your own browser habits and tends to disappear in the background after a while, but it promptly comes back to save your day if you stumble upon a malicious web page.

When you browse a site containing blocked scripts a notification, similar to those issued by popup blocker, is shown.
Look at it or at the toolbar icon to know current NoScript permissions:

    Forbidden Icon - this means that scripts and plugin contents are blocked for the current site and its subframes. Even if some of the 3rd party script sources imported by the page may be in your whitelist, no code could run because the hosting documents are not enabled.
    Partially Allowed Subcontent Icon - this means the top level site is still forbidden but some active subcontent pieces (either frames or plugin objects) are allowed: some code may be running, but the page is likely not to work correctly yet because its main script source is still blocked.
    Partially Allowed Icon - this means scripts are allowed for the top-level (main) document, but some other active content or script sources imported by this page are not allowed yet. This happens when there are multiple frames, or script elements linking code hosted on 3rd party hosts.
    Since they're often unnecessary, the site is likely to work even in this "partially allowed" state. Furthermore, in most cases when a site is compromised with JavaScript malware, the malicious code is hosted on external "shady" sites. Even if you've previously allowed the top-level site, these external sites are still blocked and the attack fails anyway.
    Allowed with Blocked Embedded Content Icon - this means that all the script sources for the page are allowed but some embedded content (frames or plugin objects) is blocked. You can check and allow the blocked content either by looking for yellow visual placeholders in the page or by examining the Allowed with Blocked Embedded Content Icon Blocked Objects sub-menu.
    Partially Allowed / Partially Untrusted Icon - this means that scripts are allowed for some URLs, and all the other ones are marked as untrusted.
    Allowed Icon - this means that script execution is allowed for the current site
    Globally Allowed Icon - this means that scripts are globally allowed (why did you decide to browse with low protection??!)




NoScript: one click to enable/disable JavaScript globally or PER SITE The number of detected <script> tags for current page is shown in a tooltip when you fly over the icon with your mouse. If the "S" inside the icon is white rather than blue (Forbidden Icon - no active script Partially Allowed Icon - no active script Partially Allowed / Partially Untrusted Icon - no active script Allowed Icon - no active script Globally Allowed Icon - no active script), 0 script tags have been detected: this likely means you don't need to enable JavaScript in that page at all.

If you left click on the icon, you can change script permissions using a simple menu.
You can reach the same menu by right clicking over the document, so you can operate also in windows which don't provide any toolbar. Of course, if you don't like contextual menus, you can hide it.
Most menu items are in the form "Allow somesite.com", "Temporarily allow somesite.com", "Forbid somesite.com". The "Temporarily" permissions are in effect until you exit the browser.

You can either middle-click or shift+left+click any of NoScript's command menu entries (e.g. "Allow noscript.net " or "Forbid flashgot.net") in order to open a Security and Privacy Info page, which tries to help you deciding whether a certain script source should be allowed or not. The actual address of this page can be configured by editing the noscript.siteInfoProvider about:config preference, e.g. in order to point it directly to a certain search engine.

http://noscript.net/