
NoScript: Whitelist your way to a safer web experience

I've been using the NoScript Addon for Firefox by Giorgio Maone for some time now. NoScript provides a whitelisting capability for JavaScript, Java, and other active content types. A key card identity system is a real-world example of whitelisting: it allows only individuals with key cards to enter a facility whose doors are protected by the system. NoScript is basically an identity card reader for your browser. It ensures that only the browser content you trust can execute on your computer.

Whitelister in Training

I'm not going to summarize NoScript's features or describe how to use it. Visit the NoScript Basics page for this; honestly, it is a very intuitive and simple interface. Instead, I'll tackle the biggest and most common obstacle for all whitelisting measures: the training period. In a word, it is continuous. How you decide what sites to trust and how much work you want to put into this decision process is up to you. I use several methods to decide what domains to trust. If I'm familiar with the site and have had a positive experience, I'll trust the scripts associated with the site domain (e.g., typepad.com or its content delivery network). If I'm uncertain, I'll check the scorecard for the domain at MyWot and consider the reputation reported there. If I'm suspicious, I submit the domain to VirusTotal and scan it to see if the page contains malware. I may Google the domain: if it is a tracking company, I permanently forbid execution (yes, NoScript also has a blacklisting feature).

Over time, you'll teach NoScript which scripts to trust on the sites you visit most frequently. Note that you won't have to trust every script associated with a page you visit (although this can affect how, or whether, certain content is displayed). This is actually quite useful, because many sites execute scripts from other domains, and while many of these scripts are beneficial, some are intrusive and others might be malicious. In the absence of a perfect web, NoScript lets me decide what is beneficial and what is not.
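The decision process described above, as an added JavaScript example that is not NoScript's code or the author's: a minimal per-domain script policy with the three outcomes the post describes (permanently trusted, temporarily allowed, permanently forbidden, with everything else blocked by default), applied to a constructed page whose third-party scripts are the ones a commenter on this post reports seeing. The policy lists, function names and sample page are assumptions made for the example.

```javascript
// Constructed policy lists (assumed names); not NoScript's real configuration.
const defaultPolicy = {
  trusted:   new Set(["typepad.com", "yahooapis.com"]), // allowed permanently
  temporary: new Set(["quantserve.com"]),               // allowed this session only
  forbidden: new Set(["scorecardresearch.com"]),        // blacklisted permanently
};
// True if host or any parent domain is listed, so a trusted "typepad.com"
// also covers "www.typepad.com" and the CDN subdomains the post mentions.
function matchSet(host, set) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (set.has(labels.slice(i).join("."))) return true;
  }
  return false;
}
// Decision for one script host: a permanent forbid wins over every allow, and
// an unknown host is blocked. That default-deny is the whitelist property.
function decide(host, policy = defaultPolicy) {
  if (matchSet(host, policy.forbidden)) return "forbid";
  if (matchSet(host, policy.trusted)) return "allow";
  if (matchSet(host, policy.temporary)) return "allow-temporarily";
  return "block";
}
// Collect hosts of all <script src> tags. A regex suffices for this constructed
// sample; a real extension intercepts loads inside the browser instead.
function scriptHosts(html, pageUrl) {
  const hosts = new Set();
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    hosts.add(new URL(m[1], pageUrl).hostname);
  }
  return [...hosts];
}
// Map every script host on the page to the verdict the policy produces.
function evaluatePage(html, pageUrl, policy = defaultPolicy) {
  const verdicts = {};
  for (const host of scriptHosts(html, pageUrl)) verdicts[host] = decide(host, policy);
  return verdicts;
}
// Constructed page: a blog post plus the third-party scripts a commenter saw.
const samplePage = `<html><body>
<script src="/static/comments.js"></script>
<script src="https://yui.yahooapis.com/combo?yui.js"></script>
<script src="http://edge.quantserve.com/quant.js"></script>
<script src="https://b.scorecardresearch.com/beacon.js"></script>
<script src="https://cdn.example-tracker.test/t.js"></script>
</body></html>`;
console.log(evaluatePage(samplePage, "https://www.typepad.com/post/1"));
```

Running it prints one verdict per script host; the unknown tracker domain is blocked without ever appearing in a list, which is the whole point of whitelisting.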

Rewards

Training NoScript may seem inconvenient for a while, but let's consider the rewards you reap from whitelisting scripts:

  • You automatically block ad services, tracking, and analytics scripts
  • You defend against click-jacking, cross-site scripting attacks, Flash, and plugin attacks
  • You gain really powerful insight into what is actually happening when you visit a web page

So the reward for taking the time to train NoScript is that (1) you protect against information leakage to evil marketing types, (2) you protect against unwitting (drive-by) execution, redirection, or insertion attacks, and (3) you learn what's going on behind your browser and who's responsible for the goings-on. If this sounds like a bargain, grab the addon. If it sounds like too much trouble and you trust your own good judgment, good luck, and take note of where your OEM/OS recovery disks are.

Comments


"Training NoScript may seem inconvenient for a while"

More like "extremely frustrating forever". Every time I've installed it, I've uninstalled it a few days later because it's impossible to get anything done. Stuff just doesn't work, and you reload the page and it still doesn't work. It really needs to be based on a huge whitelist, not just block every legit site in existence by default.

After reading your entry, I immediately installed NoScript. After two days of use, I am delighted with it. It's a real eye-opener to see how much goes on after one click. (I find that even just typing this, Typepad.com wants me to permit yahooapis, quantserve, and scorecardresearch.com.)

I was afraid this experience would be like asking to be prompted whenever a cookie is set -- totally unlivable. But the options of allowing scripts fully in domains you trust, allowing SOME scripts one-time use, and forbidding some scripts outright make this a nice blend of safety and livability. Thanks for the tip!
