Firefox NoScript Tutorial

Does anyone know of a good Firefox NoScript Tutorial? I have tried NoScript before, but it seems to be frustrating to use. Please share any tips for making surfing the web with Firefox NoScript a Safe and Enjoyable Experience.

Thanks in Advance.

 

You have to allow scripts per domain, so it's always a hassle to use in the beginning until you've build a decent whitelist. However it is also possible to allow all scripts globally and then you'll still have a more secure browser than without NoScript.

 

How would the web browser be more secure if you allow all scripts globally?

 

http://hackademix.net/2010/08/01/al_9x-was-right-my-router-is-safe/

 

Thank you.

 

We had a recent discussion with some strategies put forward in this thread: https://www.wilderssecurity.com/showthread.php?t=293545 starting at about post #18...

This is also worth reading: http://www.dedoimedo.com/computers/noscript-use.html

 

It would be dangerous if you allow scripts globally. I would set "Allow all this page" to my trusted websites, and forbid all other websites by default.

 

I just manually allow trusted sites.

 

my tips would be to uninstall the bloody nuisance.
you can thank me later.

 

If you can tell what is wrong with what I wrote here, I will accept your statement. If you can't, your remark is simply irrelevant.

 

there is nothing wrong with what you wrote.

it's your opinion, i have mine.

that's all.

 

Fair enough. But a bit contextual supplementation would be nice

 

--Nice read there. Thanks. I too am contemplating to allow scripts globally (though am jittery here...) because sometimes (sometimes when in a hurry...)to allow it manually is annoying. I experimented turning NoScript off and just use Avast's Script shield in the meantime. Loads faster and smoother (in SBIE) but still observing. Will also try with Avast's own sandbox later this week.

 

Allowing scripts globally is OK, if you consider the main risks coming from embedded objects (Flash/Java/Other plugins etc.) and XSS/Clickjacking/CRSF/MITM deception type attacks rather than delivered through Javascript.

As you're running SBIE, using NoScript for controlling Javascript and embedded objects is probably a moot point anyway! I use SBIE as well and run NoScript more for its awareness of deception/spoofing techniques (XSS/Clickjacking/CRSF etc.) and the blocking of third-party scripting which is mostly advertising and tracking.

As an cheap hardening technique, if you're wanting to allow scripts globally, you could implement an anti-executable with SRP/Applocker. This will stop virtually all Javascript delivered malware (that normally tries to download and run a file on your system) even if SBIE fails...

 

there is no need for Java or JavaScript and other scripting to run for every site out there. Matter of principle

 

Here's my tutorial:
If you sandbox your browser and/or whitelist your system, remove unless sensitive about privacy and/or has old hardware that can't support scripts efficiently.

 

I support this statement. Do yourself a favor and begin with building the white-list for sites that you frequent. Just open up in tabs those sites as you often go to (try to think of them right now) and if need be, even those that you visit once in a while. It won't be easy and might take you a few days...or even weeks. Go easy and browse along like you normally do...patience is the keyword here. Make sure to white-list only those specific individual domains that the sites need to work. You might even want to blacklist a few certain domains. (e.g. ad/tracker domains usually). Backup your config. This is very important...otherwise, you end up losing your time and manual work for nothing.

When things seem to go wrong and you can't figure out which domains to white-list on a particular site, choose to "Allow all this page". Again, keep a backup of your new config (and don't delete the older one).

When you're finding NoScript a nuisance, a pain in the neck, bothersome, etc etc, then try going with the setting "Temporarily allow top-level sites by default" checked. This is a compromise but with far fewer manual input (having to white-list each and every single domain can be tiring if you're not the type who have a strict browsing "pattern" and keep on venturing/stumbling onto new sites) IMO, this is a fair setting especially for those who practice safe surfing in general (let's not get into the "no sites are safe" argument/debate here) but don't have the willingness to build a white-list.

If things reach to the point where you feel tired/sick of NoScript, to the point of uninstalling it, then choose to just "Allow all Scripts Globally". Forget those statements that advises you against the idea. It's natural for NoScript users to tell you that because either they're not comfortable with the notion or think that it's counter-productive/self-defeating. While they're right in their own ways, I think a bit of flexibility is needed. The thing is you need time to regain patience and motivation to work things out at such moments and having to restrain yourself listening to advices by those hardcore NoScript users won't do you any good. To the contrary, you might end up hating NoScript to the max and swear that you'll never ever use it again. Or spread word around as to how idiotic NoScript is. That's not the objective here, isn't it?

Whichever option you go with, you can't possibly end up with anything worse than a vanilla Firefox without NoScript. Just keep remembering that and you'll see no fuss.