NOSCRIPT QUICK START GUIDE FOR NEW USERS [Updated 03 Mar 15]

Post by Tom T.

Watch the video here.

Using NoScript

NoScript is ready to use as soon as you install it.
All JavaScript, Flash, Silverlight, Java, and other potentially harmful executable content is blocked by default.
No configuration is required.

Allowing certain JavaScript to run

Many websites need JavaScript to function properly. The scripts may be provided by the website itself, or by 3rd party websites. Hence you may need to allow JavaScript to run from the website you are currently visiting, or from other websites as well. NoScript will show you the websites that are attempting to run JavaScript.

When you visit a site and it seems not to work properly, you have the following methods to use NoScript:
  • Open the NoScript menu by clicking on the logo in the top or bottom bar; or
  • Hover the mouse pointer over the logo; or
  • Right-click the web page you are visiting.
You can choose your preferred method of opening the menu by opening it and clicking Options, then General tab. Halfway down is a checkbox, "Open permissions menu when mouse hovers over NoScript's icon." Check it for "hover"; uncheck it for "click the icon".

Read from the menu the list of scripts and other commands ("executable content"). Note that the NoScript logo is red, or partly red, indicating some blocked content, instead of all blue. See the site address from where these items originate. If you trust that site (especially the site you are on), then use one of the following commands to give permission to it. (For more information on "What is a trusted site?", see this FAQ.) Note that it may require several scripts to be allowed for the function you need to work.

NoScript commands

Temporarily allow (domain name)
and
Revoke temporary permissions

By clicking Temporarily allow (domain name), all JavaScript from this domain name will be allowed to run on all sites you visit from then on. This is a temporary setting. It will be allowed only in the current session of your browser. Once you restart your browser, this setting will no longer be in effect. You may also open the menu and click Revoke temporary permissions before leaving the site.

If you decide that this will be a permanent permission, then use:

Allow (domain name)

If you select this command, then all JavaScript from this domain name will be allowed to run on all sites you visit from then on. This is a permanent setting. It will always be allowed, on all sites, even when you shut down and restart your browser.

Make page permissions permanent

If you wish to quickly give permanent permission to all sites that you have temporarily allowed that are active on the current page, you may click Make page permissions permanent. You could also open the menu, click Revoke temporary permissions, then re-allow only the needed items, using the Allow command instead of Temporarily allow. This too places those sources in your permanent whitelist.

Once permanent permissions have been given for the scripts needed at a particular site, you will never again notice NoScript at work while you are at that site. Soon, your most frequently-visited sites will become permanently configured for you.

Third-party content

Be wary of content coming from third parties. However, please note that many respectable sites use companies like Akamai or Cloudfront to help store and provide some of their content, so these are third-party sites that frequently must be allowed. In the case of Cloudfront, you can typically choose to allow only the specific subdomains that you need.

For further information about Akamai or about how to fine-tune its permissions if you wish to do so, please see this FAQ.

Updated 25 Jan 2012: A current Web trend is the use of "content delivery networks", typically showing in the NoScript Menu with the letters "cdn" in the script name. The number of sites using Akamai, as described above, has been declining since this Guide was first posted. So you may see, for example, facebook.com, followed by fbcdn.net (fbcdn = FaceBook Content Delivery Network). Allowing script from facebook.com may not be enough for all images to display properly on all pages. So you may have to allow fbcdn.net also.

Another way of delivering images and other content is by a separate source with "img" or "static" in the name. For example, let us say that you visit maps.google.com, with google.com allowed, either temporarily (TA, as we call it here), or permanently. (It's in the Default Whitelist anyway.) The main map may show, but the "Get directions" and "My Places" buttons won't work unless you TA or allow gstatic.com. "Static" may also come before or after the site name: static-somesite.com, somesite-static.com, or similar variations.

An example with "img" in the name: YouTube. Some basic services may work without any scripts allowed at all, but for all services to function, permission is required not only for youtube.com, but also for ytimg.com. Same with yahoo.com and yimg.com -- Yahoo Mail needs these to function fully. These two sites, along with their "helper" image sites, are also in the default whitelist when you install NoScript. So they're good examples of the kinds of name patterns you might see at other sites with "img" scripts: YouTube = ytimg, Yahoo = yimg.

Generally, if something isn't working -- especially if images aren't displaying -- look for a script that has some similarity in name or initials to the original site, plus "cdn", "img", or "static", as in the above examples. If you make the decision to trust the main site, then presumably its secondary content server would get the same trust, and is probably necessary for the site to work. NOTE: None of this affects the general advice to be wary of third-party sites that don't reasonably appear to be related to your trusted site.

Update 22 November 2011: This post identifies *some* (not all) companies who are principally in the business of advertising or gathering data such as page views. This may help you to decide what is "necessary" to allow in order to make the page work, and what is not necessary. Please note the disclaimer there that this is not necessarily a reflection on the companies listed, and that many free sites and products are supported by advertising.

By default, you receive an audible warning and/or a pop-up warning when scripts or other content are being blocked. If you would like to modify or disable either or both notifications, click the NoScript menu as above, click "Options", then click the "Notifications" tab. You can uncheck "Show message about blocked scripts" to disable the messages completely, or choose to move them to the bottom, and for how long to display them. You can also uncheck "Audio feedback when scripts are blocked", if you prefer. Even without audio or pop-up notification, you will always have the NoScript logo showing partly or completely red (instead of all blue) when some content is being blocked. Also, a site that worked properly without NoScript, but does not seem to work properly with NoScript enabled, is a likely sign that some content is blocked. The logo confirms this for you.

NoScript is customizable in many other ways. As you become familiar with it, you might like to read more about its many features and configurability, in the NoScript FAQ. But this is all you need to do to have NoScript start protecting you now!

I hope you find this guide useful as you begin to browse with much greater safety than ever before.
Last edited by barbaz on Tue Mar 03, 2015 6:04 pm, edited 9 times in total.
Reason: update information about generic third-party CDNs
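
Added example (not part of the original guide and not NoScript's own code): the "cdn / img / static" name-pattern rule of thumb from the Third-party content section, written as a small JavaScript classifier. The function names and the ".example" hosts are made up for illustration, and the result is only a hint for your own trust decision, since anyone can register a similar-looking name.

```javascript
// Marker words the guide associates with a site's secondary content servers.
const MARKERS = ["static", "cdn", "img"];

// Assumption: the name to compare is the label just before the TLD
// (fbcdn.net -> "fbcdn"). Suffixes like co.uk need the Public Suffix List.
function baseLabel(host) {
  const parts = host.toLowerCase().split(".").filter(Boolean);
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0] || "";
}

// True if abbr starts with the same letter as name and its letters
// appear in name in order (fb -> facebook, yt -> youtube).
function isAbbreviationOf(abbr, name) {
  if (!abbr || abbr[0] !== name[0]) return false;
  let i = 0;
  for (const ch of name) if (ch === abbr[i]) i++;
  return i === abbr.length;
}

// Classify one script source shown in the menu relative to the visited site.
function classifyOrigin(siteHost, scriptHost) {
  const site = baseLabel(siteHost);
  const label = baseLabel(scriptHost);
  if (label === site) return "same-site";
  const marker = MARKERS.find((m) => label.includes(m));
  if (!marker) return "unrelated-third-party";
  // Drop the marker and any hyphens, then compare what is left to the site name.
  const rest = label.replace(marker, "").replace(/-/g, "");
  return isAbbreviationOf(rest, site) ? "likely-helper" : "unrelated-third-party";
}

// Classify every blocked source listed for a page.
function reviewBlocked(siteHost, scriptHosts) {
  return Object.fromEntries(scriptHosts.map((h) => [h, classifyOrigin(siteHost, h)]));
}

// Constructed sample: a menu as it might look on a YouTube page.
const sample = reviewBlocked("www.youtube.com", [
  "youtube.com", "ytimg.com", "cdn-metrics.example", "ads-tracker.example",
]);
console.log(sample);
```

A "likely-helper" result matches the naming patterns described above (fbcdn, ytimg, yimg, gstatic); anything else falls under the general advice to be wary of third parties that do not appear related to the site you trust.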