what is it?

The NoScript status bar menu
Proudly sponsored by NLNet Foundation

There's a browser safer than Firefox...
...it is Firefox, with NoScript!


The NoScript Firefox extension provides extra protection for Firefox, SeaMonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.

NoScript's unique whitelist-based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not yet known!) with no loss of functionality...

You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
Watch the "Block scripts in Firefox" video by cnet.

Staying safe has never been so easy!
Experts will agree: Firefox is really safer with NoScript!

V. - Friendly Security

If you find any bug or you'd like an enhancement, please report here or here. Many thanks!

Main good news
  • Removed a string literal breaking detection bypass from the InjectionChecker (thanks Mathias Karlsson for reporting).
  • Updated gigya.com and 2mdn.net Script Surrogate replacements (thanks saaib)
  • Narrowed googleapis.com default whitelist entry to ajax.googleapis.com.
  • noscript.middlemouse_temp_allow_main_site about:config preference to control whether middle-clicking the toolbar button should allow current top document's site (thanks barbaz)
  • Fixed inconsistency in HTML5 media blocking.
  • ABE-related performance enhancements.
  • Fixed some ABE-related crashes on most recent pre-release Firefox versions.
  • Script Surrogate for 2mdn.net (thanks barbaz)
  • Various E10s-related fixes and enhancements.
  • Generalized OWASP antiClickjacking Script Surrogate (thanks barbaz for RFE).
  • Script Surrogate to automatically show pages using certain WordPress themes which otherwise would require scripting to work.
  • Added "bootstrapcdn.com" to default whitelist, in order to make fonts work out of the box in many web sites.
  • Added "mediasource:" to the mandatory whitelist (Moz-Bug 1151638).
  • Updated googletagservices.com Script Surrogate (thanks barbaz).
  • Better compatibility with SDK-based add-ons using data: URIs (thanks Mingyi Liu for report).
  • Improved "Recently blocked sites..." recording.
  • Fixed inconsistencies in data: URIs handling (thanks barbaz for reporting).
  • .gigya.com and js.stripe.com Script Surrogates by barbaz.
  • Improved usability of new Yahoo! video activation (thanks Glenn for reporting).
  • Added googlevideo.com to the default whitelist because it's now required to play YouTube movies (thanks barbaz for RFE).
  • Fixed restrictSubdocScripts/globalHTTPSWhitelist interaction issue (thanks Tor Project for report)
  • Fixed regression always disabling scripts whenever site's host name is an IPv6 literal (thanks ipv6user for report)
  • Fixed menu automatic disappearance on mouse exit broken by Firefox 36 changes (thanks randavis, cumdacon and barbaz for report)
  • Updated Google Analytics Script Surrogate (thanks barbaz).
  • Fixed the "Cascade top document's permissions to 3rd party scripts" option being enforced even when the top document is only implicitly allowed by the "Allow HTTPS scripts globally on HTTPS documents" option, rather than explicitly whitelisted, which caused HTTP subdocuments and scripts to be unintentionally allowed when the top document is HTTPS (thanks Tor Project for report)
  • Updated Gravatar Script Surrogate (thanks barbaz).
  • Additional HTML sanitization when pasting rich text into content-editable elements (thanks .mario for RFE).
  • Script Surrogate for OWASP legacy JavaScript-based "antiClickjack" protection (used for instance by Adobe): webpages "protected" with it are not hidden anymore when scripting is disabled, unless they are actually framed (thanks barbaz).
  • Fixed regression (from causing data: URI documents to be scripting-enabled (thanks GOF for tweet).
  • Restored noscript.forbidXHR functionality in a more web-compatible form (thanks barbaz for RFE).
  • Better protection against XSS attacks based on new ES6 (JavaScript) features (thanks Masato Kinugawa for reporting).
  • New Script Surrogate to make Microsoft's Support website work even if scripts are disabled (thanks thunderscript).
  • Made the 'Permanent "allow" commands in private windows' checkbox look and behave like the other options in the "Appearance" tab, i.e. controlling the visibility of the menu item by the same name.
  • Fixed private windows detection for UI adaptation broken in SeaMonkey (thanks barbaz for reporting).
  • Permanent "Allow..." commands can be hidden when in private mode by unchecking the new Permanent "allow" commands in private windows option.
  • Volatile temporary whitelist: never gets saved to disk anymore, making it privacy friendlier (thanks to Tor Project for sponsorship).
  • preference is false (thanks to Tor Project for sponsorship).
  • Built-in HTTPS enforcement list, seeded with www.youtube.com.
  • Better compatibility with some sites embedding Youtube movies in bogus ways.
  • Fixed cascade permissions modes breaking some internal Firefox pages.
  • Various tweaks and fixes to support the full HTTPS lockdown of noscript.net.
  • Prevent new tab thumbnails from being generated in a separate process out of reach of extensions like NoScript and other content blockers (controlled by the noscript.bgThumbs.allowed about:config preference).
  • Prevent new tab thumbnails from being generated with JavaScript enabled on the page if a separate process is used for rendering.
  • More accurate local IP detection (especially for ABE LAN protection, thanks stack / inventati).
  • Improved XSS filter sensitivity (thanks Masato Kinugawa).
  • User-facing "Reload the current tab only" option (in the "General" tab).
  • Experimental "Allow HTTPS scripts globally on HTTPS documents" mode (thanks the Tor Project for RFE).
  • New NoScript Options|Advanced|Trusted|Cascade top document's permissions to 3rd party scripts preference for users who prefer the convenience of whitelisting just the top-level domain to make everything work on the fly over the higher security provided by the default finer-grained policy.
  • New NoScript Options|Advanced|Untrusted|Block scripting in whitelisted subdocuments of non-whitelisted pages prevents scripts from running in iframes even if whitelisted, unless the top-level document's site is whitelisted as well.
  • Better ClearClick compatibility with recent Youtube changes.
  • Holding the left mouse button down on an absolutely positioned page element and hitting the DEL key will remove it if scripts are disabled (useful to forcibly kill in-page popups). This feature can be disabled by setting the noscript.eraseFloatingElements about:config preference to false.
  • Right-clicking on NoScript menu items copies site domains to the clipboard (useful for reporting and investigating sites, thanks Tom T. for RFE)
  • "Click to play" protection against WebGL exploitation, now also on whitelisted sites (can be enabled in NoScript Options|Embeddings)
  • Security and Privacy Info page is shown whenever you middle-click on sites exposed by NoScript's UI, either in the menus or in the Whitelist options tab.
  • Middle clicking NoScript's toolbar button temporarily allows all on current page.
More in the changelog...

Experts do agree...

03/10/2014, Edward Snowden endorses NoScript as a countermeasure against the Surveillance State.

08/06/2008, "I'd love to see it in there." (Window Snyder, "Chief Security Something-or-Other" at Mozilla Corp., interviewed by ZDNet about "adding NoScript functionality into the core browser").

03/18/2008, "Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits" (Rich Mogull on TidBITS, Should Mac Users Run Antivirus Software?).

11/06/2007, Douglas Crockford, world-famous JavaScript advocate and developer of JSON (one of the building blocks of Web 2.0), recommends using NoScript.

03/16/2007, SANS Internet Storm Center, the authoritative source of computer security related wisdom, runs a front-page "Ongoing interest in Javascript issues" diary entry by William Stearns just to say "Please, use NoScript" :)
Actually, NoScript has been recommended several times by SANS, but it's nice to see it mentioned in a dedicated issue, rather than as a work-around for specific exploits in the wild. Many thanks, SANS!

05/31/2006, PC World's The 100 Best Products of the Year list features NoScript at #52!

Many thanks to PC World, of course, for grokking NoScript so much, and to IceDogg who kindly reported this news...
