
JavaScript is becoming more and more common on web pages, but some security experts prefer to leave it disabled. I look at why, and at one great alternative for Firefox users.

I've been using NoScript recently. It's an add-on for Firefox that only allows JavaScript to run on sites after I've specifically agreed to allow that to happen. I've started doing this because I've read that running untrusted JavaScript from every site you visit online increases your security risk online. Do you think I'm overdoing it? What are your thoughts on the topic of allowing any site I visit to run JavaScript on my machine?

Well, I actually believe that JavaScript is relatively safe. Not perfectly safe - nothing is - but safe enough.

Having said that, I should tell you that I also run NoScript.

Let's look at what that all means.

JavaScript is a programming language. What makes it special is that almost all web browsers support JavaScript programs (or program fragments) embedded in web pages.

If you read that carefully you'll realize that this means a web page - any web page - can now include a computer program. Rather than just displaying text and pictures, web pages can now "do" things. A popular example is GMail's web interface, which makes heavy use of JavaScript to present a very complete and functional email program - all in a web page.

Now, JavaScript operates in a "sandbox" - meaning it can only operate within that sandbox, and not outside of it. JavaScript is an interpreted language, which among many other things means that each operation a JavaScript program attempts to perform can be restricted by the JavaScript interpreter. In theory, and in practice most of the time, this prevents a JavaScript program from doing anything harmful to your computer.

In other words, JavaScript is safe.

However, as we all know, all software has bugs. This holds true for the various implementations of JavaScript, as well as the browsers that JavaScript runs in. Some of those bugs can, when discovered, be exploited to bypass the sandbox, or to perform other malicious actions on your machine.

The good news is that such exploits are very rare. And once again, as long as you keep your computer up-to-date with the latest patches and versions of the operating system, browser and JavaScript interpreter, you're likely quite safe. That's actually how I run most of my other machines.


However, after learning about NoScript, I decided to give it a try. Exactly as you say, it enables JavaScript on a site-by-site basis, depending on what you tell it. If you visit a site that you haven't OK'ed, NoScript tells you, and the JavaScript programs that might be on that page do not run. The result is that some web sites simply don't work, while others might only work partially. The point is that you now have the choice of whether or not to enable JavaScript for each site you visit.

An interesting side effect is that much advertising relies on JavaScript, and if you turn JavaScript off a lot of advertising just disappears. In fact, if you visit Ask Leo! with JavaScript disabled, you'll not see much of the advertising that supports this site. On other sites you may enable JavaScript for the site in question, only to be told that other domains that site references are still blocked - often because those other domains are used to present some of the ads or content on the original page.
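The site-by-site decision described in the two paragraphs above, as an added example (a model of the allowlisting idea, not NoScript's own code): the page's site is enabled, inline scripts follow the page, and scripts pulled from other domains stay blocked until each is allowed in turn. The hostnames and script paths are constructed samples, and the "last two labels" rule for a site is an assumption in place of the Public Suffix List.

```javascript
// Added example: NoScript-style per-site allowlisting (not NoScript's code).
// Site identity is approximated as the last two labels of the hostname;
// real browsers consult the Public Suffix List, so this is an assumption.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Decide, for one page load, which scripts run and which are blocked.
// pageUrl: URL of the document; scripts: [{ src }] where src === null
// means an inline <script>; allowlist: Set of sites the user has enabled.
function evaluatePage(pageUrl, scripts, allowlist) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const pageAllowed = allowlist.has(pageSite);
  const result = { pageAllowed, allowed: [], blocked: [], blockedSites: [] };
  const blockedSites = new Set();
  for (const script of scripts) {
    // Inline scripts belong to the page itself, so they share its status.
    const site = script.src === null ? pageSite : siteOf(new URL(script.src).hostname);
    const label = script.src === null ? "(inline)" : script.src;
    if (allowlist.has(site)) {
      result.allowed.push(label);
    } else {
      result.blocked.push(label);
      blockedSites.add(site); // this is what the user is told is still blocked
    }
  }
  result.blockedSites = [...blockedSites].sort();
  return result;
}

// Constructed sample: the page's own site is trusted, but it references an
// ad server and an analytics host on domains the user has not enabled.
const allowlist = new Set(["askleo.com"]);
const sampleScripts = [
  { src: null },
  { src: "https://askleo.com/js/site.js" },
  { src: "https://ads.example-adnetwork.com/serve.js" },
  { src: "https://static.example-analytics.net/track.js" },
];
const verdict = evaluatePage("https://askleo.com/some-article.html", sampleScripts, allowlist);
console.log(verdict);
```

Running it shows the two first-party scripts allowed and two third-party sites reported as blocked, which is exactly the "other domains that site references are still blocked" message the article describes.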

And of course, blocking JavaScript from sites you haven't explicitly trusted does protect you from any attempts at malicious behavior, whether or not they could actually succeed.

My bottom line is this: running with JavaScript enabled is not that scary a thing, and many, many sites now require it for full functionality. If you're at all concerned, or just want to turn off some of the content that depends on it, NoScript is a fine approach for Firefox users to take control.

Article C2826 - November 1, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


8 Comments
Jeff
September 13, 2007 5:09 PM

But how do we know that "NoScript" is actually safe itself? Thanks,

Smite man
November 15, 2007 2:09 AM

interesting and concise. Thank you.

SZEBI
January 15, 2008 12:02 PM

I say that you leave these problems because I see that you don't know more about JavaScript >:P

Linda
April 10, 2009 10:28 PM

I have heard a great deal about JavaScript and for the most part not too many good things. However, I can see the advantage of having JavaScript; it makes the site pages come alive. Safety is a concern of mine as well, therefore I am asking you about NoScript. What exactly is NoScript? A program in and of itself? Or a helper DLL that can be activated and deactivated at will? Where does one find NoScript at?

dlatner
November 24, 2009 2:39 PM

Actually, that explanation isn't totally correct. JavaScript can be quite dangerous because it allows control of all settings inside the browser. A simple example is seen on many web sites that disable your back button as soon as you arrive at the site -- trapping you on their site. You have to actually close your browser to get out. Very annoying. But more dangerous is the fact that they can change ANY setting in your browser -- not just the back button. So JavaScript apps can actually turn off your security settings in your browser, and then let all types of malicious software in from that (or other) web sites. I recommend keeping JavaScript off for safety, except for sites that you trust and really require it to run. Ditto for ActiveX and most of all, Flash.

za
February 7, 2010 12:57 PM

JavaScript can't turn off the security settings in your browser...that's a bit misleading. It can however control the way the browser acts while you are on the site. If it acts weird on your computer, just close the browser or if necessary use Task Manager through the Ctrl+Alt+Delete keys and don't return to that site. Web browsers don't allow JavaScript to write to your local hard drive directly...making it safer than other languages.

Holly
February 17, 2010 11:36 PM

A great straight-to-the-point and accurate article!

The problem is, as the intaknetz evolves, users demand more functionality, which means handing more power over to the developers. But this also means people with a malicious intent have more tools at their disposal.

But as well as this, rumors get started and spread quickly about "how dangerous JS really is". I do not deny it can be used to very dubious effect, like stealing data stored in cookies for example. But people do get paranoid about these things, and think everyone is out to get them, which isn't true.

Javascript's capabilities are solely in the hands of your browser, so if the web page is being granted too much power (Like changing security settings), you should switch to a different browser. Or, as this article so rightly points out, stay up-to-date with your updates, because as better security procedures and safeguards are implemented, better hacks and back doors are found; the best bet is to try and stay one step ahead of them.

And as for NoScript... Never used it because I've never felt a reason to do so; I feel competent enough to judge whether a site is trustworthy and would not allow itself to be compromised (My fault if I'm wrong.). But yes, if a friend asked me: "How can I improve the security of Firefox?" (I don't know of any NoScript equivalents for the other "major" browsers.), I would recommend it, as by completely denying the code to be executed until explicitly allowed to do so, you will lower your chances of getting any nasty surprises, but you have to remember, there is nothing stopping you allowing something malicious to run.

...just saying...

Mark
May 2, 2011 8:25 PM

NOTE: your browser does not appear to have Javascript turned on. Javascript is required in order to post a comment.

Oh the irony of it...
