NoScript 10 Goes WebExtensions for Firefox 57+

Subject: General Tech | November 24, 2017 - 08:39 PM |
Tagged: noscript, mozilla

While I like the flexibility that JavaScript brings to the web, I also like that tools exist to control it. NoScript is a relatively popular Firefox extension that does just that. When Mozilla shifted away from their own extension framework and opted for WebExtensions API, which is supported by both Microsoft and Google, a lot of browser features became immediately unavailable.

View Full Size

It turns out that Mozilla has enough hooks for a new version of NoScript, however. As such, NoScript 10.x has been released earlier this week. It allows you to disable scripts on a domain by domain basis until they are added to a white list, or given access via the add-on button.

I also don’t really think it’s all the useful as a security tool outside of special use cases – JavaScript doesn’t really have a whole lot of room for malicious use – but its presence does allow things like heuristically tracking individuals and loading content into the handful of plug-ins that still exist. So, like, if you’re the Tor browser, then it makes sense. For the public? I doubt it. I would be more interested in an add-on that lets you just shutdown JavaScript on a tab-by-tab basis, so you can make particularly heavy sites act read-only once they are loaded.

Still, it’s available now.

Source: NoScript

Video News

November 24, 2017 | 09:06 PM - Posted by willmore

The short interval between when FF57 came out and the WebExtension version of Noscript came out was one of the ugliest times I've spent on the internet in a long time.

November 24, 2017 | 09:29 PM - Posted by Corrigan (not verified)

NoScript's main utility is keeping websites from taxing CPUs with their absurd amount of scripts.

That said, the new version is a lot worse than the previous versions, because it's more granular, while completely changing the UI. So now it's got the finickiness of uMatrix without the UI that makes it easy to go for fine tuned control of a site's script activation.

November 24, 2017 | 09:53 PM - Posted by willmore

Can you check this for me? If you have a list of websites that are blocked or unblocked and you click on the button to change them, do you have to wait until the animation is completed before you can click the next one? Try toggling a long list of them quickly and see if it misses clicks for you, please.

November 24, 2017 | 10:43 PM - Posted by nanoflower (not verified)

Hopefully they can fix all of the complaints about the new version. I know they've stated that it's not as full featured as the non web-ex version but they will be working on adding in features.

At least it seems to work better than the new version of LastPass which is almost useless for how I use it. (Can't bring up sites and copy passwords till they fix it.)

November 25, 2017 | 01:41 AM - Posted by Goofus Maximus

It's probably using the same APIs as umatrix... I debated between using that, or using ublock origin, during noscript's sabbatical. In the end, I picked ublock because it was so much simpler to use.

November 24, 2017 | 10:39 PM - Posted by ItsSomeMadHouseOnTheWWWunderAdControl (not verified)

Long running scripts happen occasionally on PCper's website and can really slow things down. I'd like to see user level browser control over ad scripts that prevent the page from loading or ads that are hijacking the browser's UI. Often times it's the ad severs unable to timely push out the ads that is stopping the web page from being fully loaded and composed and there needs to be some form of timeout and sandboxing of the ads so they can not mess with the timely loading and display of the content.

I think that there should be hard processor usage time limits placed on ad scripts and browser generated close buttions around all ads so users can turn the annoying ads off and stop them from interfering with the browsing experience. So wherever there is a defined ad on the page the browser should generate and display a close button control next to or over(corner) of that HTML defined ad's HTML defined client area with the user able to click that close button if the ad/ad's script is abusing system resources or interfering with the navigation history/etc.

I have been on many websites where once one navigates forward into a webpage they can never navigate back out as the navigation history has been modified to simply load more ads rather than navgate back out using that back button on the browser. Ad content needs to be sandboxed and wrapped in a generated close button control by the web browsers in such a way that no ad can remain if the user clicks the close button and stops the ad and flushes its ad script.

I don't mind ads that tastefully stay out of my way but so many ads are so disruptive that full webpage ad blockers have become necesary to the detriment of some website's income. And that's because of the abusive ads/ad scripting and its control over the browser's UI elements.

Some web pages are so poorly designed that all of the virtical screen space is taken up by the page design with big header menus that make the webpage mimic a browser interface within the internet browser's interface leaving about 4 inches of readable vertical screen space and ExtremeTech's webage is a shining example of a poorly constructed webpage where there are frames within frames and ads that load and mess with the scrolling functionality to jog the page up to where the ad is displaying making reading the text an almost impossible task. And it would be nice if there were browsers where all that excesive HTML/HTML5 functionality can be user disabled and the webpage functionality limited by the user including any navigation hijacking by ads/ad scripts.

ExtremeTech's webpage also ignores the meta refresh setting on the browser and auto reloads the page and really the major search engine providors need to start delisting any webpages in their search engines' results that ignore the standards like meta refresh browser settings.

November 25, 2017 | 01:28 AM - Posted by Goofus Maximus

I see the second revision of the new noscript has already happened, when the "temporarily allow all this site" and "revoke temporary permissions" icons made their appearance, and noscript could now be used (sort of) in private windows. (Don't ask me why I know that!)

It still feels a bit clunky, but it works well enough, and I feel safe, while being able to visit sites that go adblock nutso if you use ublock origin.

For a while, after the change to FF57, I "went bare", and discovered how bad things were at sites I never had problems with. I got to see bitdefender's blocked site notice more than once, with pop ups and pop unders and redirects and, most annoyingly, a popup page with a username/password box, that WOULD NOT GO AWAY, while yelling "threat detected", and made me kill FF via task manager. After that, I basically narrowed things down to using ublock origin or umatrix, and ended up using ublock origin because it was more "fire and forget" than matrix, which sounded difficult to manage... but then I got rapidly familiar with all the adblock blocker tech out there.

November 25, 2017 | 01:20 AM - Posted by razor512

Sadly the latest version is pretty buggy, on some sites, it refuses to alloy you to allow scripts where when you allow a set of scripts and then refresh the page, they will be blocked again.

On top of that, they have not given us the allow all on this page button.

November 25, 2017 | 01:35 AM - Posted by Goofus Maximus

A workaround to this, currently, is to go into "options" and add the required site or webaddress manually there. Then you get to scroll down the list to find your new entry, to set it the way you want; block, allow, allow temporary, or custom.

Also, the current version (it has updated) has a "temporarily allow all this page" button, though I don't know if it works, or if it works right...

November 25, 2017 | 01:54 AM - Posted by razor512

The temporarily allow all does not work on the sites where you are unable to allow any scripts. While some can be added manually, it can be a major annoyance where you need to allow like 20 different script sources to get the site to work right.

November 25, 2017 | 11:30 AM - Posted by Goofus Maximus

Heh! I feel your pain! I do it that way anyway, since I always want to limit the 3rd party scripts to only those needed for the webpage to function properly. (I'm paranoid, but they really are out to get me!)

I hope they fix the wonky behavior soon. I imagine the developer is pulling his hair out in his rush to develop and bug-stomp the new version running the new APIs.

November 25, 2017 | 02:02 PM - Posted by razor512

Agreed, it must be really tough on them, especially with how limited the new extension system is. It seems many requested features were not added, thus making some addons nearly impossible to port, while crippling many others.

November 28, 2017 | 04:21 PM - Posted by Goofus Maximus

Well, they appear to have fixed this bug now. I miss the additional tab that popped up when a noscript update occured, though.

November 25, 2017 | 05:25 AM - Posted by Drazen (not verified)

So, what we have in last 5 years, web pages have 20% of their own content and 80% of ads. Stupid legislation wants notification about cookies and do not care about auto-start movies with sound! To get decent speed we are forced to use ad blockers. And, by purpose?, they force WebExt where a lot of functionality is limited. How convenient.
FF56 was "crap" but I had a lot of nice extensions. Only reason why I use it. Now we have faster, 64 bit, multi-process FF57 with all limitations on extensions. And btw it is way slower in zooming than Edge or Chrome. Almost unusable on my I5 tablet. Not to mention power consumption.

November 25, 2017 | 07:01 AM - Posted by Keith Jones (not verified)

The WebExtension version of NoScript 10 for Firefox 57.0+ is very very annnoying as there is no Import/Export option so you have to start from fresh every time i all so spotted that Adblock Plus 3 for Firefox 57.0+ all so has the same issue with no Import/Export option this might be down to limitation of the new Api i wish Mozilla had left things alone

November 25, 2017 | 08:49 PM - Posted by spartibus

If you go to the bottom of the NoScript options page, and check the "Debug" item, you can copy & paste your rules into there. It's annoying, but at least there's an option.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

This question is for testing whether you are a human visitor and to prevent automated spam submissions.