Using NoScript with less work - Feasible?

Elvey
Posts: 10
Joined: Thu Jun 23, 2011 7:08 pm

Using NoScript with less work - Feasible?

Post by Elvey »

I seek a way to use NoScript that requires less work than I have found it to be.

SUMMARY
I was an active NoScript user, fan and supporter for about 3 years; I joined in 2011.
I found that the necessary tinkering was taking up an untenable amount of my time, and I couldn't find a solution, short of abandoning it, which I did.
I've come back and, very soon, began wondering if there is or can be a way to use NoScript to have significantly better security than the tools I have made do with, without the untenable time suck I found NoScript to be.

I start documenting my attempt at "Using NoScript with less work", as I expect it will facilitate improving NoScript and its documentation by shedding light on some hurdles, and/or be useful for sparking a feature set (such as a better way to develop good settings (per varying levels of consensus)). This post is that documentation, and hopefully useful comments will come next. (If nothing comes of it, I anticipate reluctantly abandoning NoScript again.)

Thank you to Giorgio and all the regulars here!

PREFACE/BACKGROUND:
I joined this forum back in mid-2011, and was an active NoScript user for about 3 years. I was a fan and a supporter.
I found that the necessary tinkering was taking up an untenable amount of my time, and I couldn't find a solution, short of abandoning it. Since then I have made do with a number of alternative solutions.

Let's define NSLW (NoScript Less Work) as the goal - "a way to have better security than other tools out there allow, without the untenable time suck folks like me found NoScript to be."

So my experience returning so far is this:

I open https://addons.mozilla.org/en-US/firefo ... /noscript/ (See "FYI", below for how/why.) And in the first sentence, I'm drawn back in by:
"[B]undled with the Tor Browser, NoScript gives you the best available protection on the web."

I read https://hackademix.net/2017/12/04/noscr ... utshell-2/. (Munged as I don't want to trigger a spam blocker. [edit by barbaz: un-munged] )

I click install.

I start reading https://blog.jeaye.com/2017/11/30/noscript/

I visit a couple sites that work without JS - gizmodo, TheNextSystem.org

I click back to an open tab; it displays:

>We're sorry, but Facebook doesn't work properly without JavaScript enabled. If you can't enable JavaScript try visiting the mobile-optimized website.

Now, I'm running Firefox, including the "Facebook Container" extension†. But a click to trust facebook seems like a dumb move.

Ok, so time to read the documentation. Because presumably I don't want to just allow everything by facebook.com javascript. If I was going to do that, I'm thinking, why not just use a simple per-site Javascript toggler extension?

I begin reading documentation and after over an hour, I start composing this thread, after remembering that not finding NSLW led me to abandon NoScript. I figure even if I do find that there already is a NSLW, by documenting my experience, a way to make the documentation much better can emerge, and I can submit a suggestion or pull request, as not knowing if NSLW even exists after over an hour isn't good. And maybe the main problem is a PEBCAK error: I'm not understanding how to use it.

I visit a site I haven't been to before, HypeAuditor, and it doesn't work. It relies on googleadmanager.com and cloudflare.com.

I ponder what to do: How do I decide what to allow on what sites? How often should I resort to custom? What are best practices?

I will return to the documentation now, but first I'll post this to the forum. Maybe someone can point me to a NSLW solution before I put too much time into the questions of the above paragraph.

TO BE CONTINUED, HERE.


Aside: I try using facebook's mobile-optimized website. It's ... well, I can't do half of what I want to do. I suppose I could try it for a while. Perhaps I'll find I am using facebook 'better' when I use it this way - using facebook less and spending more time doing things I really want to be doing while I am on facebook. It's a long shot, but worth experimenting with. To be clear: experimenting with, not merely 'trying'. When I can't do something, I have to stop myself and consider and track whether that's a good or bad thing.

FYI, what brought me back? Seeking to maintain acceptable performance*, I was reading
https://support.mozilla.org/en-US/kb/fi ... -resources (Title: Firefox uses too much memory or CPU resources - How to fix - A Knowledge Base support article in Support.) It says "NoScript allows you to selectively enable and disable scripts running on websites." under one of the 14 sections, each on one kind of solution. NoScript is mentioned under the "Hide intrusive content" section. Also, I occasionally browse the web with a friend who uses it. And apparently likes it.

(*because I keep too many tabs open; arguably, persisting with efforts to change my behavior would be a better use of my time than treating the underlying symptom - too many tabs being open is not the problem, it is just a symptom.)

(†And sometimes an ad blocker, a per-site Javascript toggler, a password manager, an active 2-way firewall, and/or Privacy Badger.)
Last edited by barbaz on Sat May 02, 2020 11:53 pm, edited 1 time in total.
Reason: un-munge links
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:74.0) Gecko/20100101 Firefox/74.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Using NoScript with less work - Feasible?

Post by barbaz »

> Elvey wrote: Sat May 02, 2020 10:48 pm
> FYI, what brought me back? Seeking to maintain acceptable performance*, I was reading
> https://support.mozilla.org/en-US/kb/fi ... -resources (Title: Firefox uses too much memory or CPU resources - How to fix - A Knowledge Base support article in Support.) It says "NoScript allows you to selectively enable and disable scripts running on websites." under one of the 14 sections, each on one kind of solution. NoScript is mentioned under the "Hide intrusive content" section.

That's not part of NoScript's intended purpose. You might try uBlock Origin.

> Elvey wrote: Sat May 02, 2020 10:48 pm
> wondering if there is or can be a way to use NoScript to have significantly better security than the tools I have made do with, without the untenable time suck I found NoScript to be.
>
> [...]
>
> I ponder what to do: How do I decide what to allow on what sites? How often should I resort to custom? What are best practices?

If it's only the permissions management you find to be an "untenable time suck", you could mostly just forget about it: Go into NoScript Options and check everything under "Default", then under "Per-site Permissions" set every Trusted site to Default. This can leave permissions management mostly up to other tools, while keeping NoScript's "extra" security features like XSS filter active, and still letting you script-block individual sites if you want by setting them Untrusted.
*Always* check the changelogs BEFORE updating that important software!