A basic guide to NoScript 10

blublevita
Posts: 9
Joined: Mon Sep 26, 2016 9:03 am

A basic guide to NoScript 10

Post by blublevita »

Table of contents

Preface
Introduction
The new interface
Scope? What’s a scope?
How to use scopes
Temporarily allow scripts for a domain
Allow scripts for a domain
Dealing with HTTP and HTTPS
Options
Request for clarification
Acknowledgments

Preface

I came here to look for a guide to NoScript 10. I still haven't upgraded to Firefox 57, but was trying to answer a question for somebody. I couldn't find one, just information scattered across posts. Meanwhile, I cloned my profile and made a parallel installation of Firefox 57 so that I could try out the new features. If there really is no introductory guide to the new NS, then let's build this thread into one people can use. I will update the first entry based on feedback in the thread, but the guide needs to be readable and should be kept basic.

In this guide, "scripts" is short for JavaScript, Flash and other plugins--you know, all the stuff that NoScript blocks. Domains can refer both to domains and subdomains. It's just easier that way.

The guide is current for: NoScript version 10.1.3

I am not 100% sure all of the guide is correct, so I gladly invite more experienced users to post corrections in this thread.

We will get the images sorted soon with the help of some kind mod. The spam filter frowneth upon my newbie status.

Introduction

With the advent of Firefox 57 on November 13, 2017, Mozilla disabled XUL add-ons in favor of Web Extensions. This meant that the NoScript versions used in previous versions of Firefox would no longer work. The developer of NoScript, Giorgio Maone, has released NoScript version 10, a Web Extension add-on for use in Firefox 57 and up. Unfortunately, the new API for Web Extensions does not allow the new NoScript add-on to retain its old user interface, and the new one is not yet well understood by all. Whether you love it or hate it is up to you; this thread simply represents an introductory guide to understanding and using the new interface, since Giorgio doesn't have much time for documentation at the moment. Since the add-on is currently under heavy development, this guide will receive updates.

Use this guide if you have NoScript 10 running on Firefox 57 or above.

The new interface

By default, the NoScript icon lives on the right-hand side of the toolbar. When you are at a site, clicking the toolbar icon drops down a menu that looks like this:

Image

How to use this drop-down menu is described below; first let's describe it. The top of the menu contains the following icons:
  1. Close. Closes the drop-down menu.
  2. Reload. Reloads the current web page, applying any changes in the NoScript menu without exiting the menu.
  3. Options. Opens a new Firefox tab with the NoScript Options, see section on Options below.
  4. Revoke Temporary Permissions. This globally revokes any temporary permissions (for all domains).
  5. Temporarily allow all this page. This temporarily allows blocked elements (such as scripts) to run for all domains currently visible to NoScript as shown in the table.


A table of domains and their NoScript permissions follows. The domain of the site of your current Firefox tab is listed in the top row, and other domains called on the page each have their own rows. The elements of the rows are as follows:
  6. Default scope. This is the scope applied to any domain for which another scope has not already been applied.
  7. Trusted scope. Allow scripts from this domain to execute.
  8. Untrusted scope. Block scripts from this domain.
  9. Custom scope. Allows you to apply a custom status of scripts to the individual domains.
  10. Match HTTPS content only. When a green, locked padlock icon shows, the applied scope (one of 7-9) applies only to the domain when it uses the encrypted HTTPS protocol. When it is a red, unlocked padlock, then the selected scope applies to the domain when it uses both HTTP and HTTPS. More on this under “Dealing with HTTP and HTTPS” below.
  11. Domain name. This is so you know to which domain or subdomain you are applying a scope.

Scope? What’s a scope?

There are four scopes: Default, Trusted, Untrusted and Custom. Why call them scopes? NoScript 10 introduces the idea of allowing various levels of blocking and allowing for these four levels. For instance, Trusted means at least trusting scripts (JavaScript), but you also get to define whether to also trust elements from seven further categories: object, media, frame, font, webgl, fetch and other. Similarly, Untrusted means blocking at least scripts, but you could choose which of those seven categories not to block while still blocking scripts.

The same is also true for Default and for Custom, except that they're wide open, meaning you can toggle any or all of the eight categories. The initial setting of the Default scope is to block scripts. When you visit a new domain, NoScript applies the Default scope. If the Default scope is set to allow scripts, then scripts are allowed for all new domains! Conversely, you could (and usually should) block scripts as the default behavior, but you could also block or allow any of the other categories by default, such as frames or fonts.
Be careful! Setting the categories of any of the Default, Trusted and Untrusted scopes changes its respective settings globally, not just for that domain. All domains will use these settings as soon as Firefox loads them.
Only the Custom scope allows different settings for different domains, as its name implies.

How to use scopes

For any of the scopes (Default, Trusted, Untrusted or Custom), you can set its global values as follows:
  1. Click the NoScript toolbar button.
  2. For any domain (it doesn't matter which), click the scope you want to change.
  3. Click the scope again (the icon or text) to get a listing of categories for the scope.
  4. Toggle the boxes of the categories to the desired setting. A checkmark means allowed, an empty box means blocked.
Again, when you choose the settings for Default, Trusted or Untrusted, this will change the definition of that scope for all domains. For all three of these scopes, there is no such thing as different scope settings for different domains. This is only allowed for the Custom scope. Obviously, you can only apply one of the four scopes (Default, Trusted, Untrusted or Custom) to any given domain.

Image

Temporarily allow scripts for a domain

You can temporarily allow scripts for the domain of your current Firefox tab as follows:
  1. Click the NoScript toolbar button.
  2. Click the Trusted icon of the desired domain.
  3. Note that a clock appears within the TRUSTED element. This clock serves as the indicator of the temporary status of the domain permissions.
Temporarily allowing scripts means allowing scripts until Firefox restarts. Let's see this in action for Reddit. When I initially click the NoScript toolbar button, all scripts have the default status. Reddit uses the encrypted HTTPS protocol; note that there is an entry both for https://www.reddit.com/ (a subdomain using the HTTPS protocol) and an entry for ...reddit.com (a domain). The same goes for ...redditstatic.com.
Image

I decide to temporarily trust the entire ...reddit.com domain. I click the Trusted icon in its row, but do not click the clock.
Image

After clicking the green Reload icon on the upper left of the menu, the page reloads and I can see that reddit dot com is trying to load scripts from several domains.
Image

I decide to also temporarily allow the redditstatic.com domain, which after reloading is trying to load a script from the redditmedia.com domain. After allowing it as well, this is what my permissions look like.
Image

After restarting Firefox, the Default scope will be applied to these domains.

Allow scripts for a domain

In a similar way you can allow scripts for the domain of your current Firefox tab:
  1. Click the NoScript toolbar button.
  2. Click the Trusted icon of the desired domain.
  3. Note that a clock appears within the TRUSTED element. Click this clock to give the domain a non-temporary status.
NoScript will not block scripts from this domain until you tell it to do otherwise.

Let's see this in action for DuckDuckGo. I type duckduckgo.com into the address bar and hit enter, and the page loads. Clicking the NoScript toolbar icon shows that the Default scope is applied.
Image

I click Trusted and the clock appears.
Image

Of course, I don't stop there; clicking the clock removes the temporary status.
Image

This time, instead of clicking the Reload button, I click somewhere outside the menu and the webpage reloads, giving the same result as if I had clicked Reload then Close. The white NoScript button in the toolbar now informs me that I can now enjoy scripted ducky search quality any time I want, including after a restart.
Image

Dealing with HTTP and HTTPS

When domain entries appear in black text, NoScript is telling you that that entry is for the domain using the HTTPS protocol. When the text appears in dark red, it means that that entry is for the domain when it uses either the HTTP or the HTTPS protocol. (It covers both.) This allows you control over the unencrypted HTTP protocol. It is easier to explain how to control this by showing.

Here we have a site that is being served using HTTP. I can see this in the Firefox address bar.
Image

Sure enough, clicking on the NoScript icon shows via dark red text that the relevant domain rule is for HTTP. The red, open padlock shows that I am trusting this site despite it not using HTTPS.
Image

If I click on the red padlock, it turns green. By doing this, I have told NoScript only to allow scripts from this domain when it is using HTTPS. After clicking Reload and letting the page reload, scripts are now blocked since this domain only runs with HTTP. My menu now looks like this.
Image

Conversely, if the webpage in your tab is using HTTPS, the entry should appear in black. Let’s return to the example of DuckDuckGo above, which is only available in HTTPS.
Image

This time, I select the domain, and a green, closed padlock appears.
Image

After I click reload, the menu confirms that I am trusting the entire domain and that only HTTPS is allowed.
Image

If I were now to click on the padlock icon and hit Reload, then the domain name appears in red and the padlock is red and open. This means that I have changed the rule such that, if in the future DuckDuckGo decided to run their domain unencrypted, then NoScript would still allow scripts from the domain.
Image

Even though this will never happen, there is no reason to leave it like this, so of course I have returned the rule to allow HTTPS only.

Options

To go to options, click the NoScript toolbar icon and then click the Options icon. The Options page opens in a new tab. At present, this page allows you to run scripts globally, choose whether to sanitize cross-site suspicious requests, read the FAQ on them, or clear the whitelist (XSS = cross-site scripting). It also displays a listing of all of the domains you have applied. If you have just upgraded, most of these will only have the Trusted scope applied; after you have started working with scopes, this list will reflect those changes.

Request for clarification

How much of the NoScript FAQ is currently valid for version 10?

Acknowledgments

Thanks to Dedoimedo for an early how-to and use of the word scope.
Thanks to Peter 123 for his explanations in this thread.
Last edited by barbaz on Fri Dec 01, 2017 2:33 pm, edited 10 times in total.
Reason: images
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
blublevita
Posts: 9
Joined: Mon Sep 26, 2016 9:03 am

Re: A basic guide to NoScript 10

Post by blublevita »

Reserved
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: A basic guide to NoScript 10

Post by Pansa »

Very nice write up!

Two remarks:
In regards to red and green lock:

1. For address specific rules (starting with http(s)://)
There is no trusting both. The http rule is red, and applies to http, and the https rule is black and applies to https.
If you switch the locks on these, they just create the opposite specific rule.

2. red lock and green lock behaviour can specifically be seen as red text and black text respectively in general. A red [...page.com ] rule is https+http, a black rule is https only.

3. Considering how in some versions there was a disconnect between what was written in the debug log and what the checkmarks said, as well as allowing a clearer understanding of what rules actually look like, you might want to make a section about the debug log. (I know it sounds more advanced, but a lot of people seem to have problems with buttons in general, so maybe seeing it in a pure text form is easier for them to understand what is going on)

4. Maybe you want to use a bit of colour for things that are coloured in the interface (red lock, coloured rules)?

Just suggestions, though.
Again, very nice write-up.
Could use a pin to the top if it was up to me.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
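
The scope, padlock and temporary-permission behaviour described in the guide and in Pansa's remarks above can be modelled in a few lines. This is an added sketch, not part of the original thread and not NoScript's own code: the `Policy` class, its method names, the sample preset values, the `example.org` / `cdn.example.net` sites and the "address-specific rule wins over a domain rule" ordering are all assumptions made for illustration.

```javascript
// Toy model of the NoScript 10 permission scheme as this thread describes it.
// Added example: not NoScript's source; class and method names are hypothetical.
const CAPS = ["script", "object", "media", "frame", "font", "webgl", "fetch", "other"];

class Policy {
  constructor() {
    // Global presets: one capability set each, shared by every site that uses them.
    // Constructed sample values (Default blocks scripts, as the guide states).
    this.presets = {
      DEFAULT: new Set(["media", "frame", "font", "other"]),
      TRUSTED: new Set(CAPS),
      UNTRUSTED: new Set(),
    };
    this.rules = new Map(); // site key -> { scope, httpsOnly, temp, caps? }
  }

  // key: bare domain ("reddit.com", shown as "...reddit.com" in the menu)
  // or an address-specific rule ("https://www.reddit.com").
  setRule(key, scope, { httpsOnly = true, temp = false, caps = [] } = {}) {
    const rule = { scope, httpsOnly, temp };
    if (scope === "CUSTOM") rule.caps = new Set(caps); // per-site, no global value
    this.rules.set(key, rule);
  }

  // Editing Default/Trusted/Untrusted changes the preset for ALL sites.
  togglePreset(scope, cap, allowed) {
    if (allowed) this.presets[scope].add(cap);
    else this.presets[scope].delete(cap);
  }

  // "Revoke Temporary Permissions" (also what a Firefox restart amounts to).
  revokeTemporary() {
    for (const [key, rule] of this.rules) if (rule.temp) this.rules.delete(key);
  }

  match(url) {
    const { protocol, hostname } = new URL(url);
    // Address-specific rule: covers exactly that scheme and host.
    // Assumption: it takes precedence over a domain rule.
    const exact = this.rules.get(`${protocol}//${hostname}`);
    if (exact) return exact;
    // Domain rules: try the full host, then each parent domain.
    const labels = hostname.split(".");
    for (let i = 0; i < Math.max(labels.length - 1, 1); i++) {
      const rule = this.rules.get(labels.slice(i).join("."));
      // Green padlock (httpsOnly) rules do not match plain-HTTP requests.
      if (rule && (!rule.httpsOnly || protocol === "https:")) return rule;
    }
    return { scope: "DEFAULT" }; // no rule: the Default scope applies
  }

  allows(url, cap) {
    const rule = this.match(url);
    const caps = rule.scope === "CUSTOM" ? rule.caps : this.presets[rule.scope];
    return caps.has(cap);
  }
}

function demo() {
  const p = new Policy();
  const r = {};
  p.setRule("reddit.com", "TRUSTED", { temp: true });       // Trusted, clock left on
  p.setRule("duckduckgo.com", "TRUSTED");                    // clock clicked: permanent
  p.setRule("example.org", "TRUSTED", { httpsOnly: false }); // red, open padlock
  p.setRule("cdn.example.net", "CUSTOM", { caps: ["script"] });
  r.httpsTrusted = p.allows("https://www.reddit.com/", "script");    // true
  r.httpFallsBack = p.allows("http://www.reddit.com/", "script");    // false
  r.redPadlock = p.allows("http://example.org/", "script");          // true
  r.customFetch = p.allows("https://cdn.example.net/a.js", "fetch"); // false
  p.togglePreset("TRUSTED", "webgl", false); // edited while looking at one site...
  r.webglElsewhere = p.allows("https://duckduckgo.com/", "webgl");   // false
  p.revokeTemporary();
  r.afterRevoke = p.allows("https://www.reddit.com/", "script");     // false
  r.permanentKept = p.allows("https://duckduckgo.com/", "script");   // true
  return r;
}

console.log(demo());
```

The `httpFallsBack` and `webglElsewhere` results are the two cases most likely to surprise: an HTTPS-only rule silently leaves plain-HTTP loads under the Default scope, and unticking a category on one Trusted site removes it from every Trusted site.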
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: A basic guide to NoScript 10

Post by barbaz »

@blublevita

1) Thanks for doing this detailed guide!

2) If you have spam filter trouble, you could PM what you want to post to an active Mod (me, GµårÐïåñ, therube, or Thrawn) and we'll try to post it for you. PMs to forum staff are not spam-filtered, and the spam filter is more lenient on us.

3) I'm not sure your guide makes clear that "Custom" is not like the other three. "Custom" allows setting custom permissions for the specific domain, it has no global value, and it has no default settings.

4) Looks like the FAQ hasn't been updated for NoScript 10.
*Always* check the changelogs BEFORE updating that important software!
-
blublevita
Posts: 9
Joined: Mon Sep 26, 2016 9:03 am

Re: A basic guide to NoScript 10

Post by blublevita »

@Pansa

Thanks, and thanks for the correction and explanations. I was pretty sure I didn't understand HTTP and HTTPS. I've made edits, including a new section on dealing with HTTP and HTTPS. For the time being you'll have to imagine the screenshots, but you know what it looks like. Mind checking the new material?

I don't know the first thing about the debug log. I'm a long time NoScript user, but not an advanced one. If you write something down here I can edit it for style consistency and add it on.

I will have to see about color matching later. My annoyance for the moment is in the section "The new interface," where I interrupt the list. The bbcode doesn't allow me to pick the list back up at item 6, which is what would be needed. I searched for ways to do it, but it would have to be enabled on the php server. I suppose I could make a bullet list and then write numbers, or just make an in-line fake list, but those would somehow not look right.


@barbaz

Thanks for all your work in the forums. It took some time, but I felt like giving NoScript some support after using it so long. I will PM you with the changes to defeat the spam filter, so far it's three URLs and all the IMG tags.

Thanks a lot for clarifying the behavior of Custom, I didn't know that. Writing this also taught me the new add-on. :) I have revised the text, would you mind proof-reading the two sections on scopes? I tested it quickly and think I got it, but it's late and I'm prone to errors at this point.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: A basic guide to NoScript 10

Post by Pansa »

blublevita wrote:I've made edits, including a new section on dealing with HTTP and HTTPS. For the time being you'll have to imagine the screenshots, but you know what it looks like. Mind checking the new material?
Looks good to me.

blublevita wrote:I don't know the first thing about the debug log. I'm a long time NoScript user, but not an advanced one. If you write something down here I can edit it for style consistency and add it on.
I will try to find the things I wrote in regards to other people's problems and PM it to you later.

Again thanks for writing it up in such a well structured manner.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: A basic guide to NoScript 10

Post by barbaz »

blublevita wrote:Thanks a lot for clarifying the behavior of Custom, I didn't know that. Writing this also taught me the new add-on. :) I have revised the text, would you mind proof-reading the two sections on scopes? I tested it quickly and think I got it, but it's late and I'm prone to errors at this point.
Looks great!

Giorgio, can you please make this an announcement alongside the "NOSCRIPT QUICK START GUIDE FOR NEW USERS" thread?
blublevita
Posts: 9
Joined: Mon Sep 26, 2016 9:03 am

Re: A basic guide to NoScript 10

Post by blublevita »

barbaz wrote:Giorgio, can you please make this an announcement alongside the "NOSCRIPT QUICK START GUIDE FOR NEW USERS" thread?
Maybe we should wait until the screenshots are in, although I just sent them to you so it should go quickly as long as there are no kinks.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Guest

Re: A basic guide to NoScript 10

Post by Guest »

Hello all!

Excuse my bad English, I'm not a native speaker.
Be careful! Setting the categories of any of the Default, Trusted and Untrusted scopes changes its respective settings globally, not just for that domain. All domains will use these settings as soon as Firefox loads them.
I think, for security reasons, this has to be changed. Those "presets" should be locked and while someone changes any value regarding a website the settings have to become "Custom" automatically. The presets for Default, Trusted and Untrusted should never change (or in NoScript-Options only). The risk of manipulating the global settings by accident is too high.

Regards, Tom
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/604.3.5 (KHTML, like Gecko) Version/11.0.1 Safari/604.3.5
Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: A basic guide to NoScript 10

Post by Pansa »

Guest wrote:Hello all!

Excuse my bad English, I'm not a native speaker.
Be careful! Setting the categories of any of the Default, Trusted and Untrusted scopes changes its respective settings globally, not just for that domain. All domains will use these settings as soon as Firefox loads them.
I think, for security reasons, this has to be changed. Those "presets" should be locked and while someone changes any value regarding a website the settings have to become "Custom" automatically. The presets for Default, Trusted and Untrusted should never change (or in NoScript-Options only). The risk of manipulating the global settings by accident is too high.

Regards, Tom
1. This doesn't belong here. Like why would you post this HERE?
2. No. For one locking them would seriously create a disconnect between expectations between how the checkboxes behave for the three presets vs the custom preset, and secondly locking them altogether just completely negates how the different people use this addon, and how different their settings and wanted behaviour actually are.
3. Again, this shouldn't be a place to discuss this. Posts here should be limited to feedback about the guide.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Graybags

Re: A basic guide to NoScript 10

Post by Graybags »

This is gold dust. Great job.
Hopefully I'm not stupid but I am impatient. I had completely missed the need to click on the clock to make the selection 'permanent'. Ahhh now I see!

One other very useful thing I found is how to do a reset by deleting storage-sync.sqlite (I found this in another thread). Yes I had broken the 'Default' settings and found it very hard to reset them. I feel it might usefully go here?
Along similar lines could you add a picture of the default settings for Default/Trusted/Untrusted which would avoid zapping domains that a user may wish to retain.

And somewhat off topic it would be good to have a 'reset' option in the UI.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
thanks

Re: A basic guide to NoScript 10

Post by thanks »

Great job on the guide. Thank you.

It is mentioned that the scope settings for default, trusted and untrusted are global and not site specific. What are the default settings for each of those scopes? The screen shot shows the default one as allowing everything except script, object and fetch. Does the untrusted one block everything by default and the trusted allow everything? Will NoScript 10 automatically migrate those settings from version 5 or do they need to be set after upgrading (those used to be under options-embeddings correct?)?

In order to duplicate the settings that used to be under options-embeddings in version 5, all the forbid Java/Flash/Silverlight/Other Plugins/Audio Video/IFrame/Frame/Font Face/WebGL checkboxes, can that be accomplished by clicking each scope separately (default then trusted then untrusted) and uncheck everything offered? Does that accomplish the same thing in version 10 as forbidding all of those under embeddings, applying them to whitelisted sites also and blocking every object from a site marked untrusted in version 5?

It also says in order to temporarily allow a site to mark it as trusted. Can temporarily allowing a site also be done by marking it custom (or does that custom scope not allow temporary status)? That would then allow the site specific settings to be used rather than marking something as trusted which would apply the above global settings to everything and changing any of those would then make global setting changes? Marking something as custom temporarily would mean being able to change those settings and only apply it to the specific site instead of globally?

That would then block all of those things globally for each of those three scopes and then allow for per site changes by then using the custom scope for individual sites? Something like..

Default Scope = uncheck everything in order to treat any site as untrusted automatically
Untrusted Scope = same as Default Scope
Trusted Scope = select desired Global settings one wished to apply to any site marked as Trusted but can never change on a per site basis since that would then change these Trusted Scope settings
Custom Scope = use for pretty much anything whether marking something as temporarily allowed or permanently allowed. Marking things as Custom Scope, rather than Trusted Scope, would treat it the same as marking as Trusted Scope but with the benefit of being able to use the settings which would only apply to that site rather than Globally like it would if marked as Trusted

Is that correct?

Last question. Will Noscript automatically retain the whitelist and untrusted lists from 5 to 10 or do they need to be recreated?
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Pansa
Senior Member
Posts: 318
Joined: Fri Nov 24, 2017 10:30 pm

Re: A basic guide to NoScript 10

Post by Pansa »

thanks wrote:Great job on the guide. Thank you.

Does the untrusted one block everything by default and the trusted allow everything? Will NoScript 10 automatically migrate those settings from version 5 or do they need to be set after upgrading (those used to be under options-embeddings correct?)?
It tries to convert old rules, but I would strongly advise to manually check everything after every upgrade, or outright start fresh.

thanks wrote:In order to duplicate the settings that used to be under options-embeddings in version 5, all the forbid Java/Flash/Silverlight/Other Plugins/Audio Video/IFrame/Frame/Font Face/WebGL checkboxes, can that be accomplished by clicking each scope separately (default then trusted then untrusted) and uncheck everything offered? Does that accomplish the same thing in version 10 as forbidding all of those under embeddings, applying them to whitelisted sites also and blocking every object from a site marked untrusted in version 5?
If you deactivate everything in every scope, no scope runs these things. I don't know why you specifically want to, but OK.

thanks wrote:It also says in order to temporarily allow a site to mark it as trusted. Can temporarily allowing a site also be done by marking it custom (or does that custom scope not allow temporary status)? That would then allow the site specific settings to be used rather than marking something as trusted which would apply the above global settings to everything and changing any of those would then make global setting changes? Marking something as custom temporarily would mean being able to change those settings and only apply it to the specific site instead of globally?
What?
Yes, custom can be temp. Custom rules are custom... to that domain. Warning though, you will have to set the check-marks repeatedly that way. It doesn't remember what you had set in their custom rules once they revert back to default.

thanks wrote:That would then block all of those things globally for each of those three scopes and then allow for per site changes by then using the custom scope for individual sites? Something like..
Or, you know, set default to nothing, trusted to everything, and make custom rules for sites that you explicitly only want scripts from. Fetch does a lot of different things.
I don't really understand why you would make trusted in essence untrusted, when you have untrusted.....

thanks wrote:Default Scope = uncheck everything in order to treat any site as untrusted automatically
Untrusted Scope = same as Default Scope
Trusted Scope = select desired Global settings one wished to apply to any site marked as Trusted but can never change on a per site basis since that would then change these Trusted Scope settings
Custom Scope = use for pretty much anything whether marking something as temporarily allowed or permanently allowed. Marking things as Custom Scope, rather than Trusted Scope, would treat it the same as marking as Trusted Scope but with the benefit of being able to use the settings which would only apply to that site rather than Globally like it would if marked as Trusted

Is that correct?
That's what the guide says. You basically asked everything again that is written in there.

thanks wrote:Last question. Will Noscript automatically retain the whitelist and untrusted lists from 5 to 10 or do they need to be recreated?
It tries to. But I would recommend checking every one again, because of the things that changed (like old rules never really considering http vs https.)
You can go with just letting NS 10 convert it, but I wouldn't trust it blindly.
I would advise clearing most of it, just so that things don't fall through the cracks. Also it isn't advised to run excessively large rule sets, having a LOT of rules can have performance impacts when visiting the options.

If you are still unclear, there is a debug log that shows the whole ruleset in a plaintext way that may be easier for some to understand what is going on under the hood. (Still trying to make that part ready for blublevita to include in the guide.)
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
FranL

Re: A basic guide to NoScript 10

Post by FranL »

Very nice guide! Thank you for doing this.

It would be nice to include an explanation of what kind of content is blocked by the "fetch" and "other" checkboxes. I have yet to learn what they actually block.
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: A basic guide to NoScript 10

Post by barbaz »

FranL wrote:It would be nice to include an explanation of what kind of content is blocked by the "fetch" and "other" checkboxes.
https://forums.informaction.com/viewtop ... 552#p93552
Last edited by barbaz on Sun Dec 17, 2017 5:05 pm, edited 1 time in total.