NoScript is ready to use as soon as you install it.
No configuration is required.
When you visit a site and it seems not to work properly, you have the following methods to use NoScript:
- Open the NoScript menu by clicking on the logo in the top or bottom bar; or
- Hover the mouse pointer over the logo; or
- Right-click the web page you are visiting.
Read from the menu the list of scripts and other commands ("executable content"). Note that the NoScript logo is red, or partly red, indicating some blocked content, instead of all blue. See the site address from where these items originate. If you trust that site (especially the site you are on), then use one of the following commands to give permission to it. (For more information on "What is a trusted site?", see this FAQ.) Note that it may require several scripts to be allowed for the function you need to work.
Temporarily allow (domain name)
Revoke temporary permissions
If you decide that this will be a permanent permission, then use:
Allow (domain name)
Make page permissions permanent
If you wish to quickly give permanent permission to all sites that you have temporarily allowed that are active on the current page, you may click Make page permissions permanent. You could also open the menu, click Revoke temporary permissions, then re-allow only the needed items, using the Allow command instead of Temporarily allow. This too places those sources in your permanent whitelist.
Once permanent permissions have been given for the scripts needed at a particular site, you will never again notice NoScript at work while you are at that site. Soon, your most frequently-visited sites will become permanently configured for you.
Be wary of content coming from third parties. However, please note that many respectable sites use companies like Akamai or Cloudfront to help store and provide some of their content, so these are third-party sites that frequently must be allowed. In the case of Cloudfront, you can typically choose to allow only the specific subdomains that you need.
For further information about Akamai or about how to fine-tune its permissions if you wish to do so, please see this FAQ.
Updated 25 Jan 2012: A current Web trend is the use of "content delivery networks", typically showing in the NoScript Menu with the letters "cdn" in the script name. The number of sites using Akamai, as described above, has been declining since this Guide was first posted. So you may see, for example, facebook.com, followed by fbcdn.net (fbcdn = FaceBook Content Delivery Network). Allowing script from facebook.com may not be enough for all images to display properly on all pages. So you may have to allow fbcdn.net also.
Another way of delivering images and other content is by a separate source with "img" or "static" in the name. For example, let us say that you visit maps.google.com, with google.com allowed, either temporarily (TA, as we call it here), or permanently. (It's in the Default Whitelist anyway.) The main map may show, but the "Get directions" and "My Places" buttons won't work unless you TA or allow gstatic.com. "Static" may also come before or after the site name: static-somesite.com, somesite-static.com, or similar variations.
An example with "img" in the name: YouTube. Some basic services may work without any scripts allowed at all, but for all services to function, permission is required not only for youtube.com, but also for ytimg.com. Same with yahoo.com and yimg.com -- Yahoo Mail needs these to function fully. These two sites, along with their "helper" image sites, are also in the default whitelist when you install NoScript. So they're good examples of the kinds of name patterns you might see at other sites with "img" scripts: YouTube = ytimg, Yahoo = yimg.
Generally, if something isn't working -- especially if images aren't displaying -- look for a script that has some similarity in name or initials to the original site, plus "cdn", "img", or "static", as in the above examples. If you make the decision to trust the main site, then presumably its secondary content server would get the same trust, and is probably necessary for the site to work. NOTE: None of this affects the general advice to be wary of third-party sites that don't reasonably appear to be related to your trusted site.
Update 22 November 2011: This post identifies *some* (not all) companies who are principally in the business of advertising or gathering data such as page views. This may help you to decide what is "necessary" to allow in order to make the page work, and what is not necessary. Please note the disclaimer there that this is not necessarily a reflection on the companies listed, and that many free sites and products are supported by advertising.
By default, you receive an audible warning and/or a pop-up warning when scripts or other content are being blocked. If you would like to modify or disable either or both notifications, click the NoScript menu as above, click "Options", then click the "Notifications" tab. You can uncheck "Show message about blocked scripts" to disable the messages completely, or choose to move them to the bottom, and for how long to display them. You can also uncheck "Audio feedback when scripts are blocked", if you prefer. Even without audio or pop-up notification, you will always have the NoScript logo showing partly or completely red (instead of all blue) when some content is being blocked. Also, a site that worked properly without NoScript, but does not seem to work properly with NoScript enabled, is a likely sign that some content is blocked. The logo confirms this for you.
NoScript is customizable in many other ways. As you become familiar with it, you might like to read more about its many features and configurability, in the NoScript FAQ. But this is all you need to do to have NoScript start protecting you now!
I hope you find this guide useful as you begin to browse with much greater safety than ever before.