Skip to content.

NoScript

own YOUR browser!

Open main menu

Usage

Getting started

Pinning icon and configuring permissions (Chromium)
Pinning icon and configuring permissions (Chromium)

First of all, install NoScript in your browser!

Don't forget to allow NoScript to run in Private / Incognito windows, either when prompted on installation or later in the extensions manager option.

Otherwise you won't find NoScript where you need it the most.

For the same reason, on Chromium-based browsers, you'll probably want to Pin NoScript's icon to the toolbar, in order to have a visual indicator of what is going on with current page's permissions and a fast way to configure them.

Clicking on NoScript toolbar icon
Clicking on NoScript toolbar icon

After installation, you can quickly access NoScript:

Trust levels

By using NoScript's popup UI you can assign any website or sub-resource origin (e.g. "cnn.com" or "ads-twitter.com") either one of 4 preset trust levels or a per-site customized level.

Working with trust levels in NoScript's popup
Working with trust levels in NoScript's popup

Contextual Policies

Example: contextual policy for Twitter embedded timeline
Example: contextual policy for Twitter embedded timeline

Contextual policies let you assign different permissions (or "enable different capabilities", in NoScript's parlance) to a certain site depending on its context, i.e. which is the top level site (the address currently shown in the navigation bar).

For instance, you might want to enable scripts from twitter.com only if you're visiting maone.net (in order to read the embedded tweet feed) but not elsewhere, because you don't like Twitter to track you everywhere you go:

  1. While on maone.net, open NoScript's popup and select CUSTOM as the policy for twitter.com. You'll see a new drop down box, initially set to ANY SITE.
  2. Remove all the capabilities (e.g. script) you don't want Twitter to use on ANY SITE (notice that when CUSTOM is selected first time, the capabilities from the previously selected preset get copied, so if it was DEFAULT you can probably leave them that way).
  3. Then select ...maone.net from the drop down, and switch script, fetch and frame (the capabilities outlined in red, meaning they're are needed by twitter.com) on.

You're done: scripts from twitter.com are allowed to run only when the main site displayed is maone.net. You can repeat this on any website (including twitter.com itself) where you want Twitter scripts and subdocuments to work normally. If you change your mind, you can reset some or all the contextual policies you previously set in the CUSTOM permissions deck, either on from the popup (only for the current context) or from the NoScript Options>Per-site permissions panel, where all the context sites you had configured plus the ANY SITE default are listed in the Enable these capabilities when top page matches... dropdown.

Preset customization

Customizing the DEFAULT preset.
Customizing the DEFAULT preset.

Even though this is not recommended, power users may customize also the built-in presets, from NoScript Options>General>Preset customization. The modified capability permissions will be automatically applied to all the sites which the trust level preset has been or will be assigned to.

LAN Protection

Simply put, the LAN capability lets documents coming from the public Internet (AKA World Area Network / WAN) to link / send requests to hosts inside your Local Area Network (LAN), which is pretty much what they can do now, allowing so called cross-zone CSRF/XSS attacks. By keeping it disabled (the factory setting in the DEFAULT and UNTRUSTED presets), you're replicating the Application Boundaries Enforcer feature from "Classic" NoScript, without the hassle of going through ABE's firewall-like rules when you need to set an exception, which now is just a matter of checking the LAN capability box.

Per-site preferences editor

Configuring per-site permissions (light scheme)
Configuring per-site permissions (light scheme)

You usually assign trust levels on the fly to the current site and its sub-resources from the popup UI.

But you may also want to assign a different trust level to a site you've previously configured, or to configure new sites without actually visiting them.

In order to do that, just use the NoScript Options>Per-site permissions panel. To make NoScript "forget" the configuration for a certain site configuration, just assign it the DEFAULT preset.

Bulk-disabling restrictions

Restrictions disabled on current tab
Restrictions disabled on current tab

Sometimes you are in a hurry on a complex workflow, spanning multiple redirections through different websites, which must succeed no matter what.

One example may be a credit card payment, bouncing from an e-commerce site to one or more payment processor web services.

In this case you may want to temporarily relax all the restrictions normally enforced by NoScript for all the sites loaded in the current tab until said tab is closed, by using the Disable restrictions for this tabDisable restrictions for this tab__ icon button.

More radical (and not recommended) is the Disable restrictions globally (dangerous)Disable restrictions globally (dangerous)__ icon button: using it amounts to disabling NoScripts permanently on any site/tab, keeping enabled the XSS filter only. Don't do it!

Cross-site protections

NoScript provides also protection mechanisms independent from core script blocking: most notably, its XSS Filter and Cross-tab Identity Leak Protection

XSS Filter

NoScript's XSS warning dialog
NoScript's XSS warning dialog

NoScript's XSS filter (also known as "Injection Checker") has been the first one and always the most effective available in a web browser. It prevents requests originating from a certain (possibly malicious) web site from injecting and executing code in a different web site, an attack known as Cross-Site Scripting (XSS). When a suspicious request is detected, a warning dialog is shown for the user to block or allow it, either temporarily or permanently. Exception can be managed from NoScript Options>Advanced>XSS

Cross-tab Identity Leak Protection

NoScript's Cross-tab Identity Leak Protection (or "TabGuard") is an experimental countermeasure against the Targeted Deanonymization via the Cache Side Channel attack by Mojtaba Zaheri, Yossi Oren and Reza Curtmola, presented at Usenix Security in August 2022.

NoScript's Potential Identity Leak dialog
NoScript's Potential Identity Leak dialog

It is loosely inspired by the Leakuidator+ browser extension proposed by the authors as a defense, but it's designed to better integrate with Firefox and the Tor Browser and provide protection against variants of the attack not covered yet. When triggered, i.e. on cross-site requests across related tabs, TabGuard removes the authentication headers from the request and shows a red TG badge near its icon. If you're unexpectedly logged out from a website loaded in a new tab and you can see this badge, you just need to manually reload the page or follow any link, and the authorization will be automatically restored. Only in the rare occurrence of cross-tab cross-site POST requests, which might not be consistently replayed after the fact, TabGuard suspends the load with a Potential Identity Leak warning to provide users with the ability to either "Load anonymously" (preventing the attack but also logging out from the target site) or "Load normally", which may be required by some legitimate cross-site workflows such as online payments, single sign-on and 3rd party authentication systems. This protection is enabled by default on any Private Browsing window (and therefore in the Tor Browser and in Mullvad Browser), but can be disabled or enabled globally from the NoScript Options>Advanced panel.

Keyboard Shortcuts

You can open and navigate all the NoScript UI by using the following keyboard shortcuts:

Alt+Shift+N     start (open NoScript Popup)
Arrows/Tab      move around
DEL/BKSPC/0     DEFAULT
+               TRUSTED
-               UNTRUSTED
C               CUSTOM
T               Temp
S               HTTPS-lock
HOME            jump to the toolbar
ESC/ENTER       Close the UI
R               Reload current page without closing the UI
Shift+G         Globally disable restrictions
Shift+T         Disable restrictions on this tab
P               Set all on this page to Temp. TRUSTED
F               Forget temporary permissions

User-contributed guides

Limitations on Chromium

The API exposed by Chromium to browser extensions is not as powerful and flexible as its Firefox counterpart. When Mozilla switched for "all powerful" add-ons to the WebExtensions tech (their "clone" of the Chrome Extensions tech), they contracted me to help design and implement improved versions of webRequest and other APIs, specifically suited to support privacy and security extensions like NoScript. This already provides a significant advantage to Firefox in Manifest V2, and the difference gets worse with Manifest V3, especially hurting privacy and security innovation. Therefore, even if NoScript is compatible with most browsers, some of its most advanced features are available only on Firefox and its derivatives, such as the Tor Browser. In details, these are the current limitations imposed to NoScript by Chromium-based browsers such as Google Chrome, Edge or Vivaldi: