This is the start of a short series on making your browsing on Firefox more secure. Firefox is already a more secure browser than Internet Explorer, but there are some improvements that you can make on your own to increase the security you have when browsing.
The first of those is to download an easy-to-use extension called NoScript. The purpose of it is to take all of those various scripts and objects that you find on a webpage and block them from getting to your browser. Needless to say, it is one of the most popular extensions for Firefox out there, consistently in the top ten in terms of downloads. However, there are some detractors who may ask why you’d want to use this, and also those who wonder how it works.
Have you ever wondered why it takes a site seemingly forever to load? Does your browser freeze on you when you’re viewing a page? Are you concerned about picking up a virus from an unfamiliar page on the internet?
Of course, most of these are scripts of the “friendly” variety, but there are some scripts that can be used to your detriment, by trying to exploit a security flaw or, in some rare instances, trying to put a virus on your system.
Why not NoScript?
In the interest of fairness, this particular extension has several detractors. They point out that Firefox is already a very safe browser, which is true, but the point of NoScript is to allow you to choose which scripts run on a page. My personal favorite is this plea posted in the reviews section for the addon –
Of course, he goes on to explain how cross-site scripting can be used to damage your personal data (by the way, NoScript blocks cross-site scripting attempts).
Installation & Getting started
Installing NoScript is no different from installing any other add-on: simply visit the Mozilla Addons site and install the extension. After restarting Firefox, you’ll likely be directed to the NoScript website to see the change log (you’ll be directed to that site every time it updates as well; you can turn that particular feature off, and instructions are available in the FAQ).
When you visit the next site (except for sites that are already preloaded in the whitelist – Google, Yahoo, Microsoft, Mozilla Addons, and the author’s sites), you will receive a notification that looks like this –
You may also hear a sound from NoScript telling you that scripts have been blocked on the page. If you want to allow the scripts on a page, simply click the Options menu and choose to either Permanently or Temporarily allow the site’s scripts.
After allowing the scripts, you will need to reload the page to activate them – this is something you will always have to do whenever you select to allow or disallow scripts on a page. Also, when you allow a site, you can revoke the permission by clicking on the NoScript icon in the status bar – which is the blue S in a circle, possibly with a crossed circle on it if there are other scripts on a site which are still blocked.
Also, if you have turned off the notification bar, you can use the S in the status bar to adjust permissions on a site by site basis. This is what the menu looks like after allowing mozilla temporarily (a temporary permission is in italics and a permanent permission is in bold) –
So far, I’ve only shown mozilla.com which does not have any external scripts running on the site.
More advanced usage – sites with external scripts
However, where NoScript comes into its own is when you’re browsing a site that has a lot of external scripts. For this example, I’ll show you my site. First off, this is what a page on my site looks like with NoScript turned off (i.e. allowing all scripts to run globally) –
And then, this is what the site looks like with scripts turned off; you’ll notice the missing elements all in the right hand column – Entrecard, MyBlogLog, Blog Catalog and Alexa.
And, just to show you all the sites that have scripts on here, this is what the menu looks like when I’ve got all scripts blocked (note that this is the status bar menu, and not the information bar menu) –
This is where, for some users, NoScript can become quite tedious. If you want to allow a widget to run on a site, you may need to allow more than one site that hosts its scripts. With Entrecard, for example, you need to allow both amazonaws.com (to show the card) and, once you have refreshed the page to show the card, entrecard.com (so that you can drop your card). This is what the widget looks like if you only have amazonaws.com allowed –
As you can see, the card is displayed, but the Drop yours link is not there. When you allow entrecard.com and reload the page, you will then see the link to drop your card –
Now, an important thing to know is that even if you have allowed a third-party site to run its scripts, you also need to allow the host site (the site you are actually visiting) to run scripts before you can see things like Entrecard, MyBlogLog and Blog Catalog.
To use a practical example of how this works, this is what SCHWOIT looks like with schwoit.com blocked (note that the Entrecard widget should appear right in the upper-right corner of the site) –
If you view the full size image, you’ll notice that the information on the info bar has changed. Since there are scripts on this site from other sites that I’ve permitted to show scripts, it now says that scripts are partially allowed, and tells you how many sites are allowed out of the number of sites that have scripts on that page. Now, if I go to allow schwoit.com, this is how the window looks –
More advanced features
There are a few more advanced features that are included in NoScript, such as a pseudo blacklist – that is available in the menu under Untrusted. However, since NoScript is a whitelist-based add-on, the only thing that this untrusted list does is prevent a site from appearing in the list you see of sites to allow when you open the Options menu, status bar menu, or right-click menu.
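To tie together the rules described above (the host site and each external script site are allowed separately, the info bar counts allowed sites, and the Untrusted list only hides entries from the menu), here is a small model in JavaScript. It is an added example, not NoScript's own code: the class, method names and sample widget hosts are made up for illustration, and matching an entry against subdomains is an assumption of the model.

```javascript
// Simplified model of the whitelist behaviour described in this post.
// Not NoScript's code; ScriptPolicy and its methods are hypothetical names.
class ScriptPolicy {
  constructor({ permanent = [], temporary = [], untrusted = [] } = {}) {
    this.permanent = new Set(permanent);
    this.temporary = new Set(temporary); // dropped again by revokeTemporary()
    this.untrusted = new Set(untrusted); // only hides entries from the menu
  }

  // An entry matches the host itself or a subdomain, on a dot boundary, so
  // "amazonaws.com" covers "s3.amazonaws.com" but not "notamazonaws.com".
  static matches(host, entry) {
    return host === entry || host.endsWith("." + entry);
  }

  isAllowed(host) {
    return [...this.permanent, ...this.temporary]
      .some((entry) => ScriptPolicy.matches(host, entry));
  }

  // pageHost: the site being visited; scriptHosts: hosts serving its scripts.
  evaluate(pageHost, scriptHosts) {
    const hosts = [...new Set([pageHost, ...scriptHosts])];
    const allowed = hosts.filter((h) => this.isAllowed(h));
    // Per the post: widgets only appear once the visited site is allowed too.
    const running = this.isAllowed(pageHost) ? allowed : [];
    const status =
      allowed.length === 0 ? "blocked"
      : allowed.length === hosts.length ? "allowed"
      : `partially allowed (${allowed.length}/${hosts.length})`;
    // The menu offers blocked hosts, except those marked untrusted.
    const menu = hosts.filter(
      (h) => !this.isAllowed(h) &&
        ![...this.untrusted].some((u) => ScriptPolicy.matches(h, u)));
    return { status, running, menu };
  }

  revokeTemporary() { this.temporary.clear(); }
}

// Constructed sample: a blog page embedding third-party widgets.
const policy = new ScriptPolicy({
  permanent: ["amazonaws.com"], temporary: ["entrecard.com"],
  untrusted: ["alexa.com"],
});
const widgets = ["s3.amazonaws.com", "entrecard.com", "mybloglog.com", "alexa.com"];
console.log(policy.evaluate("schwoit.com", widgets));
```

The dot-boundary check in `matches` is the part to get right in any allowlist of this kind: a plain suffix comparison would also trust look-alike domains that merely end in an allowed name.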
For a full list of features, along with the full range of settings that are available to you in NoScript, you can check out the features page at the author’s site.
If you have any questions about how this all works, or if you have more advice on making the NoScript experience better, feel free to leave a comment.
As always, if you’d like a how-to written up about something, all you need to do is drop me a line via the contact form. If I know how to do it, I’ll write it up, but even if I don’t know how to do it, I will go and figure it out and then write up the how-to on getting it sorted out. 🙂
Sometime in the next week or so, I’ll have the other half of the combination that makes (at least) my browsing experience so much better – Adblock.