• What's
• Download
• Roadmap
• Forum

NSA - NoScript Anywhere

NoScript Mobile Multiprocessing / Android Porting Project

What's

NoScript Anywhere (NSA) is the nickname for the next major iteration of the NoScript security add-on (NoScript 3.x), whose guts have been turned upside down in order to match Mozilla's Electrolysis multiprocessing architecture and implement a porting for Firefox Mobile, available on Android smartphones and tablets.

This open source (GPL) effort has started in the very beginning of 2011, and is partially funded by the NLNet Foundation.

NoScript 3 alpha, available on Firefox 4 Mobile for the Android and Maemo operating systems, offers all the the major security features of "classic" NoScript:

1. Easy per-site active content permissions management.
2. The first and most powerful anti-XSS (cross-site scripting) filter available in a web browser.
3. ClearClick, the one and only effective client-side protection against Clickjackings available on the client side.*
4. ABE (App Boundaries Enforcer), a true webapp firewall inside your mobile browser to protect your router and web applications against CSRF and DNS rebinding attacks.**

* Fully implemented on the first NSA (Firefox 4 Mobile); recent (2012) subfeatures and the warnning dialog still need to be ported in NSA++ (Android-native Firefox).
** Fully implemented on the first NSA (Firefox 4 Mobile); partially working on NSA++ (Android-native Firefox) but needs bug fixing, testing and the Sync functionality to be restored for being usable beyond the basic default LAN protection (which already works).

NoScript 3.x's UI is greatly simplified and optimized for touch devices, featuring a brand new page permission editing UI, specifically redesigned for smartphone usage and easily accessible by tapping on a floating finger-friendly icon.

Once installed (with no need to restart the browser), it blocks every script and other potentially dangerous active content unless the loading resource is whitelisted.

NoScript 3.x also introduces convenient Permissions Presets, which are offered for choice on first run and can be switched at any time:

• Easy Blacklist (you pick untrusted sites where JavaScript and plugins must be blocked)
• Click To Play (plugins are blocked until you click)
• Classic Whitelist (you pick trusted sites where JavaScript and plugins can run)
• Full Protection (like "Classic Whitelist", but all the embedded content is blocked until you click, even on trusted sites)

NSA++, the new Android Native NoScript porting

Unfortunately, this change made the original NSA incompatible almost overnight, and required yet another massive NoScript rewrite to bring it back on mobile devices.

This effort is currently ongoing with NLNet's continued help, and experimental 3.5 alpha builds compatible with the Android Native Firefox is already downloadable here for testing purposes, even if they're not as complete as the legacy (Firefox 4 Mobile) version.

At this moment:

• Script blocking and the XSS filter are fully functional.
• ClearClick and ABE are partially working but have no UI yet (they do silently block "tapjacking" attempts and cross-zone CSRF respectively, though).
• Remote synchronization (Sync) is still completely missing, but is a priority as well.

Downloads

Roadmap