
NoScript: Whitelist your way to a safer web experience

I've been using the NoScript add-on for Firefox by Giorgio Maone for some time now. NoScript provides a whitelisting capability for JavaScript, Java, and other active content types. A key-card entry system is a real-world example of whitelisting: it admits only individuals who hold a key card to a facility whose doors it protects. NoScript is the card reader for your browser: only the content you have explicitly trusted is allowed to execute on your computer; everything else is denied by default.

Whitelister in Training

I'm not going to summarize NoScript's features or describe how to use it. Visit the NoScript Basics page for that; honestly, the interface is intuitive and simple. Instead, I'll tackle the biggest and most common obstacle for every whitelisting measure: the training period. In a word, it is continuous. How you decide which sites to trust, and how much work you want to put into that decision, is up to you. I use several methods to decide which domains to trust. If I'm familiar with the site and have had a positive experience with it, I'll trust the scripts served from the site's domain (and, where applicable, from its content delivery network). If I'm uncertain, I'll check the scorecard for the domain at MyWot and consider the reputation reported there. If I'm suspicious, I submit the domain to VirusTotal and scan it to see whether the page contains malware. I may also Google the domain: if it belongs to a tracking company, I permanently forbid execution (yes, NoScript also has a blacklisting feature).

Over time, you'll teach NoScript which scripts to trust on the sites you visit most frequently. Note that you don't have to trust every script associated with a page you visit (although this can affect how, or whether, certain content is displayed). This per-script choice is actually quite useful, because many sites execute scripts from other domains; while many of these scripts are beneficial, some are intrusive and others might be malicious. In the absence of a perfect web, NoScript lets me decide what is beneficial and what is not.
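To make the decision process above concrete, here is an added example (my own JavaScript, not NoScript's code) that models the default-deny policy the two paragraphs describe: every script origin found on a page is checked against a trusted list and a forbidden list, and anything on neither list stays blocked, exactly as an unknown third-party script does until you allow it. The page markup, the URLs (reserved `example` and `.invalid` names), and the two lists are constructed for illustration; the base-domain rule is a naive "last two labels" approximation, not NoScript's real matching, which handles public suffixes such as `co.uk`.

```javascript
// Added example: a minimal model of default-deny, per-origin script whitelisting.
// Not NoScript's implementation; all domains, policy lists and markup are constructed.

// Naive registrable-domain extraction: last two labels of the hostname.
// Assumption for illustration only; real tools consult the Public Suffix List.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Verdicts: "forbidden" (permanently blacklisted), "trusted" (whitelisted),
// "untrusted" (default: blocked until the user decides). The blacklist wins
// over the whitelist so a tracker cannot sneak in via a trusted-looking subdomain.
function classify(scriptUrl, pageUrl, policy) {
  let host;
  try {
    // Resolves relative and protocol-relative ("//host/x.js") sources against the page.
    host = new URL(scriptUrl, pageUrl).hostname;
  } catch {
    return "untrusted"; // unparseable source: never execute by default
  }
  const base = baseDomain(host);
  if (policy.forbidden.has(base)) return "forbidden";
  if (policy.trusted.has(base)) return "trusted";
  return "untrusted";
}

// Pull the src of each <script> tag out of (constructed) markup; null means inline.
function scriptSources(html) {
  const sources = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    sources.push(src ? src[1] : null);
  }
  return sources;
}

// Build the "what is really running on this page" report: inline scripts are
// governed by the page's own origin, external ones by their own host.
function auditPage(html, pageUrl, policy) {
  const report = { trusted: [], forbidden: [], untrusted: [] };
  for (const src of scriptSources(html)) {
    const verdict = classify(src === null ? pageUrl : src, pageUrl, policy);
    report[verdict].push(src === null ? "(inline)" : src);
  }
  return report;
}

// NoScript's "temporarily allow": returns a new policy with one more trusted
// base domain, leaving the permanent policy object untouched.
function allowTemporarily(policy, domain) {
  return {
    trusted: new Set([...policy.trusted, baseDomain(domain)]),
    forbidden: policy.forbidden,
  };
}

// Constructed sample: a blog page, its CDN, a tracker and an unknown third party.
const PAGE_URL = "https://blog.example.com/post/noscript";
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script>console.log("inline")</script>
<script src="https://static.example.net/lib.js"></script>
<script src="https://pixel.tracker.invalid/t.js"></script>
<script src="//widget.thirdparty.invalid/w.js"></script>
`;
const POLICY = {
  trusted: new Set(["example.com", "example.net"]),   // the site and its CDN
  forbidden: new Set(["tracker.invalid"]),            // a tracking company
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditPage(SAMPLE_HTML, PAGE_URL, POLICY));
  console.log(auditPage(SAMPLE_HTML, PAGE_URL, allowTemporarily(POLICY, "widget.thirdparty.invalid")));
}
```

Run it with `node` and the first report lists the site's own scripts under `trusted`, the tracker under `forbidden`, and the unknown widget under `untrusted`; the second report, after a temporary allow, moves the widget into `trusted` while the tracker stays blocked. That last point is the design choice worth copying from NoScript: a blacklist entry is checked before the whitelist, so a permanent "forbid" can never be undone by a casual one-click allow.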


Training NoScript may seem inconvenient for a while, but let's consider the rewards you reap from whitelisting scripts:

  • You automatically block ad-serving, tracking, and analytics scripts
  • You defend against clickjacking, cross-site scripting (XSS), and Flash and other plugin attacks
  • You gain real insight into what is actually happening when you visit a web page

So the reward for taking the time to train NoScript is that you (1) protect against information leakage to evil marketing types, (2) protect against unwitting (drive-by) execution, redirection, or insertion attacks, and (3) learn what's going on behind your browser and who's responsible for the goings-on. If this sounds like a bargain, grab the add-on. If it sounds like too much trouble and you trust your own good judgment, good luck, and take note of where your OEM/OS recovery disks are.



"Training NoScript may seem inconvenient for a while"

More like "extremely frustrating forever". Every time I've installed it, I've uninstalled it a few days later because it's impossible to get anything done. Stuff just doesn't work, and you reload the page and it still doesn't work. It really needs to be based on a huge whitelist, not just block every legit site in existence by default.

After reading your entry, I immediately installed NoScript. After two days of use, I am delighted with it. It's a real eye-opener to see how much goes on after one click. (I find that even just typing this, wants me to permit yahooapis, quantserve, and

I was afraid this experience would be like asking to be prompted whenever a cookie is set -- totally unlivable. But the options of allowing scripts fully in domains you trust, allowing SOME scripts one-time use, and forbidding some scripts outright make this a nice blend of safety and livability. Thanks for the tip!
