Code: Select all
Preface
Introduction
The new interface
Scope? What’s a scope?
How to use scopes
Temporarily allow scripts for a domain
Allow scripts for a domain
Dealing with HTTP and HTTPS
Options
Request for clarification
Acknowledgments
I came here to look for a guide to NoScript 10. I still haven't upgraded to Firefox 57, but was trying to answer a question for somebody. I couldn't find one, just information scattered across posts. Meanwhile, I cloned my profile and made a parallel installation of Firefox 57 so that I could try out the new features. If there really is no introductory guide to the new NS, then let's build this thread into one people can use. I will update the first entry based on feedback in the thread, but the guide needs to be readable and should be kept basic.
In this guide, "scripts" is short for JavaScript, Flash and other plugins--you know, all the stuff that NoScript blocks. Domains can refer both to domains and subdomains. It's just easier that way.
The guide is current for: NoScript version 10.1.3
I am not 100% sure all of the guide is correct, so I gladly invite more experienced users to post corrections in this thread.
We will get the images sorted soon with the help of some kind mod. The spam filter frowneth upon my newbie status.
Introduction
With the advent of Firefox 57 on November 13, 2017, Mozilla disabled XUL add-ons in favor of Web Extensions. This meant that the NoScript versions used in previous versions of Firefox would no longer work. The developer of NoScript, Giorgio Maone, has released NoScript version 10, a Web Extension add-on for use in Firefox 57 and up. Unfortunately, the new API for Web Extensions does not allow the new NoScript add-on to retain its old user interface, and the new one is not yet well understood by all. Whether you love it or hate it is up to you, this thread simply represents an introductory guide to understanding and using the new interface, since Giorgio doesn't have much time for documentation at the moment. Since the add-on is currently under heavy development, this guide will receive updates.
Use this guide if you have NoScript 10 running on Firefox 57 or above.
The new interface
By default, the NoScript icon lives on the right-hand side of the toolbar. When you are at a site, clicking the toolbar icon drops down a menu that looks like this:
How to use this drop-down menu is described below; first let's describe it. The top of the menu contains the following icons:
- Close. Closes the drop-down menu.
- Reload. Reloads the current web page, applying any changes in the NoScript menu without exiting the menu.
- Options. Opens a new Firefox tab with the NoScript Options, see section on Options below.
- Revoke Temporary Permissions. This globally revokes any temporary permissions (for all domains).
- Temporarily allow all this page. This temporarily allows blocked elements (such as scripts) to run for all domains currently visible to NoScript as shown in the table.
A table of domains and their NoScript permissions follows. The domain of the site of your current Firefox tab is listed in the top row, and other domains called on the page each have their own rows. The elements of the rows are as follows: - Default scope. This is the scope applied to any domain for which another scope has not already been appiled.
- Trusted scope. Allow scripts from this domain to execute.
- Untrusted scope. Block scripts from this domain.
- Custom scope. Allows you to apply a custom status of scripts to the individual domains.
- Match HTTPS content only. When a green, locked padlock icon shows, the applied scope (one of 7-9) applies only to the domain when it uses the encrypted HTTPS protocol. When it is a red, unlocked padlock, then the selected scope applies to the domain when it uses both HTTP and HTTPS. More on this under “Dealing with HTTP and HTTPS” below.
- Domain name. This is so you know to which domain or subdomain you are applying a scope.
There are four scopes: Default, Trusted, Untrusted and Custom. Why call them scopes? NoScript 10 introduces the idea of allowing various levels of blocking and allowing for these four levels. For instance, Trusted means at least trusting scripts (JavaScript), but you also get to define whether to also trust elements from seven further categories: object, media, frame, font, webgl, fetch and other. Similarly, for Untrusted means blocking at least scripts, but you could choose which of those seven categories not to block while still blocking scripts.
The same is also true for Default and for Custom, except that they're wide open, meaning you can toggle any or all of the eight categories. The inital setting of the Default scope is to block scripts. When you visit a new domain, NoScript applies the Default scope. If the Default scope is set to allows scripts, then scripts are allowed for all new domains! Conversely, you could (and usually should) block scripts as the default behavior, but you could also block or allow also any of the other categories by default, such as frames or fonts.
Only the Custom scope allows different settings for different domains, as its name implies.Be careful! Setting the categories of any of the Default, Trusted and Untrusted scopes changes its respective settings globally, not just for that domain. All domains will use these settings as soon as Firefox loads them.
How to use scopes
For any of the scopes (Default, Trusted, Untrusted or Custom), you can set its global values as follows:
- Click the NoScript toolbar button.
- For any domain (it doesn't matter which), click the scope you want to change.
- Click the scope again (the icon or text) to get a listing of categories for the scope.
- Toggle the boxes of the categories to the desired setting. A checkmark means allowed, an empty box means blocked.
Temporarily allow scripts for a domain
You can temporarily allow scripts for the domain of your current Firefox tab as follows:
- Click the NoScript toolbar button.
- Click the Trusted icon of the desired domain.
- Note that a clock appears within the TRUSTED element. This clock serves as the indicator of the temporary status of the domain permissions.
I decide to temporarily trust the entire ...reddit.com domain. I click the Trusted icon in its row, but do not click the clock.
After clicking the green Reload icon on the upper left of the menu, the page reloads and I can see that reddit dot com is trying to load scripts from several domains.
I decide to also temporarily allow the redditstatic.com domain, which after reloading is trying to load a script from the redditmedia.com domain. After allowing it as well, this is what my permissions look like.
After restarting Firefox, the Default scope will be applied to these domains.
Allow scripts for a domain
In a similar way you can allow scripts for the domain of your current Firefox tab:
- Click the NoScript toolbar button.
- Click the Trusted icon of the desired domain.
- Note that a clock appears within the TRUSTED element. Click this clock to give the domain a non-temporary status.
Let's see this in action for DuckDuckGo. I type duckduckgo.com into the address bar and hit enter, and the page loads. Clicking the NoScript toolbar icon shows that the Default scope is applied.
I click Trusted and the clock appears.
Of course, I don't stop there; clicking the clock removes the temporary status.
This time, instead of clicking the Reload button, I click somewhere outside the menu and the webpage reloads, giving the same result as if I had clicked Reload then Close. The white NoScript button in the toolbar now informs me that I can now enjoy scripted ducky search quality any time I want, including after a restart.
Dealing with HTTP and HTTPS
When domain entries appear in black text, NoScript is telling you that that entry is for the domain using the HTTPS protocol. When the text appears in dark red, it means that that entry is for the domain when it uses either the HTTP or the HTTPS protocol. (It covers both.) This allows you control over the unencrypted HTTP protocol. It is easier to explain how to control this by showing.
Here we have a site that is being served using HTTP. I can see this in the Firefox address bar.
Sure enough, clicking on the NoScript icon shows via dark red text that the relevant domain rule is for HTTP. The red, open padlock shows that I am trusting this site despite it not using HTTPS.
If I click on the red padlock, it turns green. By doing this, I have told NoScript only to allow scripts from this domain when it is using HTTPS. After clicking Reload and letting the page reload, scripts are now blocked since this domain only runs with HTTP. My menu now reflects like this.
Conversely, if the webpage in your tab is using HTTPS, the entry should appear in black. Let’s return to the example of DuckDuckGo above, which is only available in HTTPS.
This time, I select the domain, and a green, closed padlock appears.
After I click reload, the menu confirms that I am trusting the entire domain and that only HTTPS is allowed.
If I were now to click on the padlock icon and hit Reload, then the domain name appears in red and the padlock is red and open. This means that I have changed the rule such that, if in the future DuckDuckGo decided to run their domain unencrypted, then NoScript would still allow scripts from the domain.
Even though this will never happen, there is no reason to leave it like this, so of course I have returned the rule to allow HTTPS only.
Options
To go to options, click the NoScript toolbar icon and then click the Options icon. The Options page opens in a new tab. At present, this page allows you to run scripts globally, choose whether to sanitize cross-site suspicious requests, read the FAQ on them, or clear the whitelist (XSS = cross-site scripting). It also displays a listing of all of the domains you have applied. If you have just upgraded, most of these will only have the Trusted scope applied; after you have started working with scopes, this list will reflect those changes.
Request for clarification
How much of the NoScript FAQ is currently valid for version 10?
Acknowledgments
Thanks to Dedoimedo for an early how-to and use of the word scope.
Thanks to Peter 123 for his explanations in this thread.