what is it?

The NoScript status bar menu
Proudly sponsored by NLNet Foundation

There's a browser safer than Firefox...
...it is Firefox, with NoScript!

2006 PC World World Class

The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.

NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...

You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
Watch the "Block scripts in Firefox" video by cnet.

Staying safe has never been so easy!
Experts will agree: Firefox is really safer with NoScript!

V. - Friendly Security

If you find any bug or you'd like an enhancement, please report here or here. Many thanks!

Main good news
  • Fixed InjectionChecker over-optimization bug (thanks Maxim Rupp for reporting).
  • Updated Arabic locale (thanks Nassim Dhaher).
  • Fixed NoScript blocking WebExtensions by default.
  • Updated googletag script surrogate (thanks barbaz).
  • Fixed incompatibility with importScript() from workers breaking new reCaptcha implementation (thanks Mr_KrzYch00 for reporting)
  • Fixed breakage due to const declarations behavior changes in latest Firefox nightlies.
  • Fixed <NOSCRIPT> elements being hidden on script-disabled pages in release Firefox versions (bug 1208818)
  • Fixed regression: bookmarklet emulation on about:newTab causing JavaScript to be enabled for the tab (thanks James Strange for reporting).
  • Fixed subtle bug in load context association causing an origin mismatch in one corner case (thanks Gareth Heyes for reporting).
  • Enhanced Script Surrogates (thanks barbaz).
  • Fixed InjectionChecker bugs in minimal inline JavaScript fragment detection (thanks Frederik Braun and Gareth Heyes for reporting).
  • Updated Russian translation (thanks fatboy).
  • Added domains required for Netflix playback (netflix.com, nflxext.com, nflximg.com, nflxvideo.net) to the default whitelist
  • Fixed edge case causing JavaScript redirections detection to fail on http://qklnk.co/ (thanks Jess Hampshire for RFE).
  • Fixed attribute injection checks regression (thanks Maxim Rupp and .mario of Cure53 for reporting).
  • More restrictive and accurate INCLUSION type check in ABE (thanks Meee).
  • noscript.middlemouse_temp_allow_main_site about:config preference to control whether middle-clicking the toolbar button should allow current top document's site (thanks barbaz)
  • Fixed inconsistency in HTML5 media blocking.
  • ABE-related performance enhancements.
  • Additional HTML sanitization when pasting rich text into content-editable elements (thanks .mario for RFE).
  • Better ClearClick compatibility with recent Youtube changes.
  • Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it if scripts are disabled (useful to forcibly kill in-page popups). This feature can be disabled by setting the noscript.eraseFloatingElements about:config preference to false.
  • Right-clicking on NoScript menu items copy site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE)
  • "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings)
  • Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
  • Middle clicking NoScript's toolbar button temporarily allows all on current page.
More in the changelog...

Experts do agree...

03/10/2014, Edward Snowden endorses NoScript as a countermeasure against state Surveillance State.

08/06/2008, "I'd love to see it in there." (Window Snyder, "Chief Security Something-or-Other" at Mozilla Corp., interviewed by ZDNet about "adding NoScript functionality into the core browser").

03/18/2008, "Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits" (Rich Mogull on TidBITS, Should Mac Users Run Antivirus Software?).

11/06/2007, Douglas Crockford, world-famous JavaScript advocate and developer of JSON (one of the building blocks of Web 2.0), recommends using NoScript.

03/16/2007, SANS Internet Storm Center, the authoritative source of computer security related wisdom, runs a front-page Ongoing interest in Javascript issues diary entry by William Stearns just to say "Please, use NoScript" :)
Actually, NoScript has been recommended several times by SANS, but it's nice to see it mentioned in a dedicated issue, rather than as a work-around for specific exploits in the wild. Many thanks, SANS!

05/31/2006, PC World's The 100 Best Products of the Year list features NoScript at #52!

Many thanks to PC World, of course, for grokking NoScript so much, and to IceDogg who kindly reported these news...

In the press...

Download in a Flash... with FlashGot! Proudly hosted by easyspeedy