Summary: With cross-site-scripting and other forms of malicious attacks increasing in frequency, blocking JavaScript with NoScript is a sensible safety step.
I think I've mentioned before that I run Firefox most of the time instead of Internet Explorer. One of the reasons I run Firefox is the wealth of add-ons that are available for it.
If, like me, you run Firefox, I strongly recommend that you consider the NoScript add-on.
JavaScript is a programming language that is supported by most browsers and in turn used by many web pages. With JavaScript, web page authors can do more than just display text and pictures - they can write full featured programs that actually do things in your browser.
A great example is Google Docs. Their word processing program and spreadsheet program are handled entirely within your browser, and rely heavily on JavaScript. Many websites use JavaScript for various features, and some occasionally even require it to function.
But like any programming language, JavaScript can also be used with malicious intent.
I often talk about not visiting "malicious websites", and what often makes them malicious is that they use JavaScript to fool, hack or otherwise gain access to things that you don't want them to. It's not necessarily easy, and it's not necessarily so common as to be particularly scary, but it does exist, and is another way that hackers get into things they shouldn't.
The browser itself only lets you turn JavaScript on or off completely. That's not a practical option, since so many sites - sites we trust and use every day - actually require JavaScript to operate. So we pretty much need to leave JavaScript on ... but then all sites, good or bad, can use it.
NoScript addresses this very simply. To quote their site:
"... this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank) ..."
After installing NoScript, scripting is disabled on all sites you visit. Each time you then encounter a site that you trust that requires JavaScript you tell NoScript "this site is OK". NoScript enables JavaScript for that site and remembers - you never have to tell it that site's OK again.
When you encounter a site that is not on your trusted list, NoScript's icon in the lower right of your browser window will change to indicate that scripts have been blocked, and a "Scripts Currently Forbidden" line is added:

You can then click on the NoScript icon (1) or the Options button (2) and NoScript will list the sources attempting to run JavaScript on the current web page. In this example, you would click on "Allow ask-leo.com" (3) to allow JavaScript that originates from ask-leo.com to be run.
You'll note that JavaScript often originates from sites other than the page you're looking at. In the example above, you can see that even though you are visiting ask-leo.com, JavaScript is also coming from kontera.com (4) and aweber.com. That's not at all uncommon, but it is worth paying attention to. In this example, kontera.com is an advertising provider, and aweber.com is my email newsletter provider. Enabling those individually will turn on additional functionality when you view the page. Third-party scripts are, most frequently, advertising, but they can also be core functionality that's required for the site to operate properly.
Once you've clicked on "Allow ask-leo.com", or any of the other domains that can be allowed, scripts originating from those domains will be allowed and run from then on.
Over time, after you build up your list of allowed sites, you'll rarely even think about NoScript unless or until you visit a site that is new, or has unexpectedly added scripting. This is where NoScript's real value comes into play: scripts from new sources will not run. Any attempts to perform malicious actions via scripting will not be able to take place until you've had a chance to determine if the site is trustworthy or not.
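To make the default-deny behaviour described above concrete, here is an added example (not NoScript's own code) that models its per-site decision: scripts run only when their site is on your trusted list, and any script pulled in from a site other than the page you're on is flagged as third-party. The site names and script URLs are constructed to mirror the ask-leo.com screenshot; the "site" of a host is simplified to its last two labels.

```javascript
// Reduce a host to the "site" name NoScript shows in its menu
// (e.g. "www.ask-leo.com" -> "ask-leo.com"). Assumption: last two
// labels are enough; real public suffixes (co.uk etc.) are not handled.
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split(".").slice(-2).join(".");
}

// "Allow <site>" adds the site to the remembered trusted list.
function allowSite(trusted, site) {
  trusted.add(site.toLowerCase());
  return trusted;
}

// Decide, for one page load, which script sources may run.
// trusted: Set of site names the user has allowed so far.
function evaluateScripts(pageUrl, scriptUrls, trusted) {
  const page = siteOf(pageUrl);
  const result = { allowed: [], blocked: [], thirdParty: [] };
  for (const src of scriptUrls) {
    const site = siteOf(src);
    if (site !== page) result.thirdParty.push(site);   // not the page you came to
    (trusted.has(site) ? result.allowed : result.blocked).push(site);
  }
  return result;
}

// Constructed sample: the page is ask-leo.com, which also pulls scripts
// from three other sites, just as the article's screenshot shows.
const SAMPLE_PAGE = "https://ask-leo.com/some-article.html";
const SAMPLE_SCRIPTS = [
  "https://ask-leo.com/js/site.js",
  "https://www.pugetsoundsoftware.com/comments.js",
  "https://forms.aweber.com/form/signup.js",
  "https://kontera.com/ads.js",
];

// First visit: nothing is trusted yet, so every script is blocked.
const firstVisit = evaluateScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS, new Set());

// After clicking "Allow ask-leo.com": only first-party scripts run;
// the three third-party sources stay blocked until allowed individually.
const trusted = allowSite(new Set(), "ask-leo.com");
const afterAllow = evaluateScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS, trusted);
```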
With malicious attacks always seemingly on the rise, blocking scripting by default and allowing it on an as-needed basis makes a lot of sense.
NoScript - another tool for your security arsenal.
I recommend it.
Related:
Is JavaScript dangerous? JavaScript is becoming more and more common on web pages, but some security experts prefer to leave it disabled. I look at why, and one great alternative for Firefox users.
Why won't Flash work, even though it's installed? Adobe Flash is a nearly ubiquitous tool for displaying video on the web. You must install it, of course, but often that's not enough.
Article C3718 - April 29, 2009
One point about using NoScript. For the first few days it will be very annoying. Once you get the hang of it the add-on works great and is worth having.
Posted by: Dan Ullman at April 29, 2009 9:16 AM
I use NoScript also but users need to remember that your allowed sites may have malware in the future. Only allow sites that you always use or need. If you are just reading a particular site then you want to consider whether you want that site to allow scripts. NoScript doesn't allow you to act foolishly on the internet. It is a tool that helps make it safer.
Posted by: Minot Isok at April 29, 2009 3:11 PM
I've read Google Chrome runs JavaScript in a sandbox and because of that is virtually safe from these attacks. Is that true?
Posted by: Mark at April 29, 2009 3:48 PM
I gave up on NoScript because if you visit many new sites you will be constantly clicking to allow javascript to run. Many, many sites use javascript. After a while you just click mindlessly, negating the purpose of NoScript.
Also, many sites have several things that NoScript blocks. If the site doesn't work you have to enable them all or enable them sequentially to get things to work. Very time consuming.
Sometimes you won't notice that some feature of the site isn't working because NoScript is blocking it and you'll miss something important.
All in all, if you visit only mainstream sites I'd say the risk of infection because of a compromised site is not worth the trouble of using NoScript.
However, if you regularly visit "iffy" sites then I recommend using it and being very careful about what you enable.
Posted by: J G at April 30, 2009 12:37 PM
JG makes a good point. Some users install protection and then negate it at every opportunity, rather like someone installing ZoneAlarm and then granting access to everything that asks for it. Punch enough holes in your defence wall, and it's no longer a wall, it's a garden trellis!
Posted by: Graham Peters at May 6, 2009 3:02 AM
Thanks for the tip on NoScript. I'm a computer consultant (for 25 years), and always searching for something new or for a customer. I often have to remove junk that wasn't expected from some sites. Hopefully, this will cut down on the trash.
Posted by: Thom at May 9, 2009 7:59 AM
I agree with JG: I have Firefox installed (though I prefer Opera) and NoScript. I thought NoScript great until I found how often I had to consider whether I could trust a site. One finds oneself allowing "all on this site" so frequently that it amplifies one's paranoia to the point of neurosis.
Besides, is it not the case that javascript implementations are pretty safe, apart from any unfixed vulnerabilities? And they mostly use a sandbox - see http://en.wikipedia.org/wiki/Javascript.
There is a small but growing class of malware that leverages JavaScript. While there are some things it cannot do, by virtue of the sandbox you mention, that should not lead you to believe it's always 100% safe. It can be used for malicious purposes as well.
08-May-2009
I don't find it a problem that I have to "allow" sites I want to use Javascript. What I'm worried about is when going to allow it, many times there are multiple sites are listed. I understand this is by design and not a bug in NoScript, but I don't know what should be allowed and shouldn't.
For example, NoScript lists for this very website four sites to possibly allow: ask-leo.com, pugetsoundsoftware.com, aweber.com, and kontera.com. Obviously, I want to allow ask-leo.com because that's the site I came to. But I don't know what the other ones are. I'm not saying they're malware; I'm only using them as an example. But as a web surfer, I only know that I want to allow ask-leo.com in this instance. I don't know what these other sites are and, if I allow them, would just be doing so blindly, negating the purpose of the add-on.
Let's use my site as an example:
- pugetsoundsoftware.com is my corporate/parent site, and where I have certain scripts that relate to commenting, content management and spam prevention.
- aweber.com is the email provider I use for my newsletters, and the scripts relate to the newsletter signup forms you'll find on my site.
- kontera.com is an advertising service that helps support the cost of running Ask Leo! - it's the one responsible for the double-underlined links in text.
There are occasionally others, like various Google domains for site search, advertising and analytics.
You don't have to enable them. The cost, of course, is that whatever it is they represent won't happen. You might not be able to comment, I might miss out on advertising revenue to help support the site, and you might not be able to search the site, for a few examples.
So I go back to trust: if I trust the site I'm visiting, I typically allow that trust to transfer to all the scripting sites that it pulls in. If I'm not sure, I'll only allow the site itself, and enable others on a case-by-case basis if things aren't working.
And of course if I don't trust the site - or just don't know - I trust, and enable, nothing.
13-May-2009