Helping people with computers... one answer at a time.

With cross-site scripting and other forms of malicious attacks increasing in frequency, blocking JavaScript with NoScript is a sensible safety step.

I think I've mentioned before that I run Firefox most of the time instead of Internet Explorer. One of the reasons I run Firefox is the wealth of add-ins that are available for it.

If, like me, you run Firefox, I strongly recommend that you consider the NoScript plugin.

JavaScript is a programming language that is supported by most browsers and, in turn, used by many web pages. With JavaScript, web page authors can do more than just display text and pictures - they can write full-featured programs that actually do things in your browser.

A great example is Google Docs. Their word processing program and spreadsheet program are handled entirely within your browser, and rely heavily on JavaScript. Many websites use JavaScript for various features, and some occasionally even require it to function.

But like any programming language, JavaScript can also be used with malicious intent.

I often talk about not visiting "malicious websites", and what often makes them malicious is that they use JavaScript to fool, hack or otherwise gain access to things that you don't want them to. It's not necessarily easy, and it's not necessarily so common as to be particularly scary, but it does exist, and is another way that hackers get into things they shouldn't.

On its own, the browser pretty much only lets you turn JavaScript completely on or completely off. Turning it off isn't a practical option, since so many sites - sites we trust and use every day - actually require JavaScript to operate. So we pretty much need to leave JavaScript on ... but then all sites, good or bad, can use it.

NoScript addresses this very simply. To quote their site:

"... this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank) ..."

After installing NoScript, scripting is disabled on all sites you visit. Each time you then encounter a site that you trust that requires JavaScript you tell NoScript "this site is OK". NoScript enables JavaScript for that site and remembers - you never have to tell it that site's OK again.

When you encounter a site that is not on your trusted list, NoScript's icon in the lower right of your browser window will change to indicate that scripts have been blocked, and a "Scripts Currently Forbidden" line is added:

[Image: NoScript blocking scripts]

You can then click on the NoScript icon (1) or the Options button (2) and NoScript will list the sources attempting to run JavaScript on the current web page. In this example, you would click on "Allow ask-leo.com" (3) to allow JavaScript that originates from ask-leo.com to be run.

You'll note that JavaScript often originates from sites other than the page you're looking at. In the example above, you can see that even though you are visiting ask-leo.com, JavaScript is also coming from kontera.com (4) and aweber.com. It's not at all uncommon, but worth paying attention to. In this example, Kontera.com is an advertising provider, and aweber.com is my email newsletter provider. Enabling those individually will turn on additional functionality when you view the page. Third-party scripts are, most frequently, advertising, but they can also be core functionality that's required for the site to operate properly.

Once you've clicked on "Allow ask-leo.com", or any of the other domains that can be allowed, scripts originating from those domains will be allowed and run from then on.

Over time, after you build up your list of allowed sites, you'll rarely even think about NoScript unless or until you visit a site that is new, or has unexpectedly added scripting. This is where NoScript's real value comes into play: scripts from new sources will not run. Any attempts to perform malicious actions via scripting will not be able to take place until you've had a chance to determine if the site is trustworthy or not.
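The default-deny, allow-per-source idea described above can be sketched in a few lines of JavaScript. This is an added illustration, not NoScript's own code: the sample page, the `forms.aweber.com` host name, the file paths and the function names are constructed for the example, and the "last two labels" rule for naming a site is a simplification.

```javascript
// Simplified model of a default-deny, per-domain script allowlist.
// Not NoScript's code; names and the sample page are constructed for illustration.

// Constructed sample page, as if served from ask-leo.com.
const PAGE_URL = "http://ask-leo.com/noscript.html";
const PAGE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://kontera.com/ads/tag.js"></script>
<script src="//forms.aweber.com/form/signup.js"></script>
<script>document.title = "inline";</script>
</head><body>...</body></html>`;

// Naive "last two labels" site name; real tools need the Public Suffix List.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Collect the site each <script> comes from. Inline scripts belong to the page itself.
function scriptSources(html, pageUrl) {
  const sources = new Set();
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    // new URL() resolves relative ("/js/..") and scheme-relative ("//host/..") sources.
    const url = new URL(src ? src[1] : pageUrl, pageUrl);
    sources.add(siteOf(url.hostname));
  }
  return [...sources].sort();
}

// Default deny: a source runs only if the user has already allowed it.
function decide(html, pageUrl, allowed) {
  const result = { allowed: [], blocked: [] };
  for (const site of scriptSources(html, pageUrl)) {
    (allowed.has(site) ? result.allowed : result.blocked).push(site);
  }
  return result;
}

const allowlist = new Set();                 // fresh install: nothing trusted yet
console.log(decide(PAGE_HTML, PAGE_URL, allowlist));
allowlist.add("ask-leo.com");                // the user clicks "Allow ask-leo.com"
console.log(decide(PAGE_HTML, PAGE_URL, allowlist));
```

Allowing ask-leo.com leaves the advertising and newsletter sources blocked until each is allowed separately, which is the behaviour the article describes for third-party scripts.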

With malicious attacks always seemingly on the rise, blocking scripting by default and allowing it on an as-needed basis makes a lot of sense.

NoScript - another tool for your security arsenal.

I recommend it.

Article C3718 - April 29, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Recent Comments
19 Comments

NoScript is too much trouble, I use Flashblock addon. It blocks all flash content, unless I double click on it, or right click and select always allow flash on this site.

Posted by: Kenny55 at October 15, 2010 9:53 AM

I love Firefox for the add-ins too. Too bad those who provide them don't keep up with the Firefox release cycle, even though they have more than fair warning that a new version (4.0) is on the horizon (are you listening Norton Toolbar?!).

Posted by: Kara at March 29, 2011 10:30 AM

I thought I would enable NoScript onto Firefox and when I tried to watch the video describing Noscript, it was blocked. So I disabled it.

Posted by: gloryatz at April 10, 2011 8:39 AM

Duty now, for the future.

NoScript, as with other programs like ZoneAlarm, are real boogers when you first start. Soon you will have it configured and it goes unnoticed until... something out of the ordinary pops up. That's when it shines because it's doing exactly what it should do.

While McAfee & WOT provides "green light-red light" assistance, you need to know why a site is getting a red light. Example w/ WOT: a site I've used for years [myway.com] w/o any problems was a red light. Why? It had a "smiley icons" link at the bottom of the page [never click this link- adware/malware]. That was it. The page itself was fine. WOT is just very careful. But as far as McAfee's "user based" input for site warnings, I found way too many false negatives for my liking. Sites I've used for years were cited as dangerous, although I never had ANY problem. Never.

I just had to comment on the above. The best advice while visiting a new uncertain site - don't click links that are not part of the main page's intention. Stay on the path brother & sisters - do not wander.

Posted by: GREG JACKSON at November 15, 2011 10:02 AM

It may be a good recommendation, but my recent experiences with Firefox and plugins have been very frustrating. With a new so-called version coming out every 30 days or so, trying to keep my favorite plugins and add-ons working with the latest Firefox is an effort in futility.

Posted by: bubbainmiss at November 15, 2011 2:03 PM