NoScript blocks *all* scripting, all plugins listed on the Options > Plugins tab (Java, Flash, Silverlight, and others), and has default protection against clickjacking and cross-site scripting. So you are protected against all of those, at the best present state of the art, until and unless YOU decide to allow any of them, either temporarily at a given site, permanently at a given (trusted) site, or blanket permission (not recommended). For example, on the Plugins tab, if you uncheck "Forbid Flash", then Flash will be allowed *everywhere*. It's better, in my opinion, to allow it only at sites you trust or only on a per-use basis. For example, if I visit YouTube, rather than allow the entire site to run Flash, I click the red NoScript block-logo, or "placeholder", for the particular video I want to watch. Then I'm only exposing myself to one video instead of millions.
On the Advanced/Untrusted tab, I prefer to check everything except "Hide NOSCRIPT elements". There is no need to change anything else in the Advanced, at least until you become very comfortable with NoScript and want to try, e.g., the forced HTTPS for forcing secure sites (banks, etc.) to use secure cookies (and secure logins, for the ones that are very poorly coded).
More information can be found in the FAQ on such advanced features. In the meantime, just use your bank's (credit card company, etc.) secure login page, rather than their home page, to log in. For example, instead of logging in from http://www.wachovia.com, bookmark their secure login page, https://onlineservices.wachovia.com/aut ... returnHome. Fortunately, many of these poorly-coded sites have corrected their mistakes due to the negative publicity from the existence of tools like NoScript's Force HTTPS. For example, http://www.wachovia.com is now also secure - you are automatically redirected to https://www.wachovia.com/. This is a good trend.
Please remember that NoScript is *not* an anti-virus program, although it blocks many viruses that are delivered by scripting or plugins. You still need a good AV program and a good firewall. Anti-phishing protection is available through Firefox itself. Safe practices such as not opening spam e-mail, and especially not opening attachments from unknown sources, are still a necessity. And of course, you must only download and install software from sources that you trust. I still scan it with my anti-virus before installing it anyway, in case the site has been compromised.
As the primary author of the Guide, it was my hope to make clear that NoScript "out of the box" provides immediate and complete blocking and protection, and that the user must configure it to do less than that if s/he wishes, rather than having to configure it to protect you. It's already configured that way. If you have any suggestions as to wording, as to how I could make that point more clear, of course I'd appreciate hearing them. And if you have any questions that the FAQ don't answer, and a search of the forum doesn't answer, please feel free to post them. We'll be happy to help.
Thanks for installing NoScript, and welcome to the community of safer browsing!
Edit: I was still composing this lengthy message while Giorgio was posting his. Hopefully, it never hurts to hear from two different sources.
