How to configure Noscript for ordinary users

Untechnifying the tech. I made an article explaining how to setup Noscript Security Suite (NSS) for ordinary, non-techie users, with scripts enabled by default and custom blocking of specific domains and fonts, always-active XSS protection, and a few other handy tricks. Cogito, ergo nerd.

https://www.dedoimedo.com/computers/noscript-ordinary-users.html


Cheers,
Mrk

 

I remember in the past we have considered the critical Firefox bugs that have come to light over the course of 1 year.
It has been calculated that more than 85% (if I don't remember badly) would have been rendered inoffensive thanks to the use of Noscript.

I remind the members of W. that if they want to deepen some settings of Noscript they can refer to the official forum of my fellow countryman G.Maone:

https://forums.informaction.com/index.php?sid=54e21569fa195f8b5ad5d595f673feda

 

More correctly 100% of problems.
Mrk

 

Few W. members use Noscript.
Many say uMatrix is better (though no longer actively supported).
Others use only uBlock Origin.

 

I have always said that NS is pretty pointless except for the XSS protection feature. It's best to block only third party scripts because blocking ALL scripts will sooner or later break most websites. And I didn't read the review yet.

 

NS is far from pointless. Breaking sites is actually good - you get only the pure content and none of the nonsense around it.
Mrk

 

Yes you are always saying that but just because you are always saying it doesn't make it true. I told you before, you don't understand the program. NoScript does exactly what we want and you don't understand that. Some people want to block just about everything and only allow to run what is required to get the content out of webpages that they want. That is what we do with NoScript, why is it so hard for you to understand that?. Try to make sense of why the program does things the way it does them.

If we couldn't browse or do what we want to do when we are browsing and had to disable NoScript all the time, I would then say that yes, you are right, and NoScript was impossible to use. But that is not the case, Rasheed. After a while, using NoScript should become set and forget. New users should target that. Last thing I am going to tell you is this, my NoScript is even tighter, more restrictive than how it comes by default. I make it so as I don't allow any kind of content in my Default preset and my internet is not broken, most pages work as I want them to work and I get the content I want. The end result of using NoScript is that my browsing is cleaner, the computer and the browser run nicer, easier. No noisy fans running loud all the time. Webpages load faster, and yes, more secure. Regarding security. Since April 2009 (that's when I started using NoScript) I never seen anything that looks like malware while browsing. None, ever. And that is because of using NoScipt.

Bo

 

Also NoScript's developer, Giorgio Maone, seems to be an incredibly talented coder. It looks to be one of the more efficiently coded plug-ins available for blocking scripts.

 

Yes the use of Noscript hardly ever poses any problems.
Probably the biggest problem could come from agreeing to a script for a certain website that "conflicts" with another website.
This is why the combination with UBO is often indispensable.

Yes Giorgio is a great.

 

I don't know what you mean exactly with that but if you mean like allowing google.com is needed for some websites (like when you need to solve a catcha) but you really dont want to white list the domain for the entire universe of websites you visit, what I do with this type of domains is leave them set as Default, and I allow them to run temporarily when they are required to get the content I want from a website. I only have about 5 domains that I treat this way, IMO this is not a problem.

So, IMO, if I am guessing right what you meant to say in the quote at the top of this post, I see no need for using an extra extension to handle rules for 5 domains. Regarding combining NoScript with an adblocker. NoScript is not an adblocker but most ads are blocked by NoScript. For ads to run, you have to allow an script. In most websites, you can get the content you want without having to allow the scripts for the ads. So, in my browsing, I see almost 0 ads. there are some exceptions like in YouTube but most of my browsing is ad free. And doing it with NoScript alone.

Bo

 

Hi Mrk,

I use NoScript in Firefox but I haven't used it in Chromium Edge for ages. After reading your article I reinstalled NoScript and set it as you suggested. No issues yet, but I see there is no XSS protection in ChrEdge.

 

I mainly use NS+Firefox, but I can do some more exploration.
Mrk

 

Hi Bo, it is not easy to manage for example the website under only with Noscript.
To manage means not to have redirects and to get a movie:

https://altadefinizione.gg/

Especially with my browser in Windows XP and Noscript 5.1.9:



Obviously I deleted every reference to enabled scripts and chosen player otherwise it's too easy.

Try scrolling through the pages or even search for a specific movie.

Not to mention that we in Europe have for each web page the acceptance of cookies......

Elements that disturb me and occupy my bandwidth.

 

I have just read the review, and seems like you can now configure NS in a way that it will break less websites, so this makes sense. But uBlock Origin is way more user friendly. Also, my comments are purely about people who use NS to block both first party and third party scripts, this doesn't make sense, I don't know what's so hard to understand about this.

Tools like Ublock Origin and Ghostery will also speed up webpage loading and will also protect against most malvertising attacks without breaking most websites. NS was invented to protect against exploit attacks by blocking almost ALL scripts, this is pointless especially now that browsers are way more safe than 10 years ago because of the built-in sandbox. Of course, as you already know I still prefer to run Sandboxie on top as an extra protection layer.

 

Main content of many websites is just text and images formatted using CSS. You don't really need any scripts for that content.

What about all that spying stuff that fingerprints browser by collecting information from "a scan of your device's unique combination of characteristics."
Aside from that there are speculative execution vulnerabilities in modern processors. Even if exploit will not plant malware on your system malicious website script may extract data from other browser processes.

 

Basically all of those options have been around forever. They are not new. They were available in the old NoScript. So, you could it setup NoScript pretty much the same way regarding what to block by default and what not to with the old or new NoScript. You just didn't know.

Yes, programs that use filter lists are more friendly, easier. But some people don't like filter lists. I don't (by the way, Tor browser doesn't like them either) . Why I dont want to use filter lists? Very simple, because they are other peoples choices, not mine. I want to choose what to block and what not to. Also, doing the blocking yourself is rewarding. When I am the one who does it, makes me feel good

Besides that, once you get in the groove NoScipt becomes sort of set and forget. It should. And becoming so should be one of the goals for people who use NoScript. Over a period of time NoScript should become easier and easier, if that ain't happening, then you are doing something wrong. You are not learning it right. With NoScript users should advance and not stay static with how they use the program, people should not be using NoScript the same way a year after they start using the program than how they did when they started using the program.

So, in the end, websites work the way you the user wants. You think NoScript breaks the internet but it actually it doesn't. That is the wrong way of seeing NoScript. What NoScript does is give you the tools to tailor the internet the way you want it. That my friend, is the bottom line, being able to setup webpages to give you what you want. That right there is what NoScript is all about.

By the way, my NoScript is more restrictive than how it comes by default. I allow nothing to run in websites that fall under the Default preset. In other words, the content that Giorgo sets to be allowed to run in sites that fall under the Default preset, I untick the options to allow this content to run. You can't get more restrictive than that, and I always watch and read, and get whatever I want to get out of any webpage I visit. And all done in a comfortable user friendly and convenient way. To make NoScript feel like that is the mountain top, but it can be reached. Anybody can.

Bo

 

There are not many sites like that that I visit on a daily basis. Basically I have three like that. Setting up sites that can be considered hard gives you learning. So, it is a good thing to try setting up sites like that one with NoScript alone. I bet setting up the site you linked can be done with NoScript alone, you just haven't figured it out how to do it. This being so because you went the easy way, and combined NS with an adblocker.

I used to use Adblock plus. With adblockers you get a lot of those messages that ask you to disable the adblocker (something you don't see often with NS), so a few years ago, one of those sites that can be considered hard to setup asked to disable the adblocker, after I did, I realized that basically all the blocking I wanted to do in that website was being done by NS anyway, so, soon afterward I just quit using ABP. Why use another extension when I get done basically almost everything the adblocker was doing with NoScript alone.

Bo

 

I agree with Rasheed on this. NoScript only allows to block or allow all scripts. It would be so much better if the option to block/allow both first and third party scripts was available, just as with uBlockO.

 

@Sampei Nihira Look at this site below. That site is as rough as they come. The way I have it set it works as watching tv. You turn it on and off, no pop ups or anything opening before you are served the content you are there for.The website rotates scripts every few months so you have to be aware of that but once is set up, it stays working as you have it for a while.

Without NoScript, you would have about 2 to 3 times the amount of domains running that are shown in the screen. So, instead of just 6 domains running (what I set as Trusted), you would have somewhere between 40 and 50. It would be difficult to watch a game, and dangerous of course (if you don't have Sandboxie). The easy way to handle the website in your link is to set up NoScript half fast and install an adblocker which is what you are doing but if you try, you can prove yourself that the site in your link can be tamed with NS alone.



Bo

 

Most scripts if they are good to run in one website they are also good to run in other websites. Bad scripts, you Untrust and by doing that, you get them out of the way. There are really only a few scripts that you need to allow in some websites, but you really don't want to allow for the universe of websites you visit (examples of this are google.com, instagram, facebook, twitter, cloudfare, etc). What I do with this type of domains is leave them set as Default (they dont run), and temporarily allow them to run when they are required. I know some of you think this is a huge deal, but it really is not IMO.

Bo

 

I would still prefer the option to control both 1st and 3rd party scripts. Then in my case, at least, I would simply allow all 1st party scripts, leaving only 3rd party to deal with, resulting in fewer scripts to manage. Other than that, I like NS a lot, and I'm actively looking for a way to strategically combine it with uBlockO in my web browsers where they can gracefully complement one another in blocking unwanted content.

 

From my point of view, the problem with that is that in many websites I dont want to allow nothing. For example, when I visit cbs sports or the Washington post, I don't want nothing running, all I want from those websites is reading. and you get that without allowing anything. All the websites you visit daily should be set up, if that is done, when you open those websites you shouldn't have to fiddle with anything. They should be set up so when they open, you are able to do in the websites whatever you do there daily. Based on what you guys using UBO say, I think you guys have to interact more with the program that what I have to with NoScript.

By the way, NoScript has this setting, look below, it gives you sort of what you want, I think. I never have used it but is there for people that want what you want.



Bo

 

This is where our preferences differ substantially; that's just too much broken content for my liking, but I can appreciate that all you're primarily after is text.

I'll check that option out. Thanks for pointing it out.

 

@bo elam

Other easier example:

https://msfn.org/board/forum/34-windows-xp/



How do you eliminate the disturbing elements in the web site, considering that for its full use it is necessary to consent to the 2 scripts in the highlighted image?
Even using DNS with ads blocking will eliminate part of the problem, not all.

Consider that I made the example of a website not from my country.
Those from my country are even worse can use inline scripts (which can be blocked by UBO) to make a scam pop-up appear.
Recently my wife suffered a small €2,00 scam in just this way with her own smartphone which has less restrictive settings than my smartphone.
She had to change her VISA Card immediately because otherwise these scammers would have unduly withdrawn from her with the excuse of a subscription other small amounts of money every week.

P.S. The first Italian website I brought to your attention uses inline scripts.

 

The banner about cookies at the bottom doesn't appear unless you allow cloudflare. So, dont allow cloudflare. And the one on top, to get rid of it you have to allow msfn.org. You don't need to allow anything to read so if the banner bothers you that much, you allow msfn. Also and more important than that, if this is a site you go often, and you trust the site, allow (white list) msfn. There is no reason not to. In short: Allowing msfn and not allowing clouflare gives you what you want. I would also blacklist the two google domains that run in the site if they are not already in your blacklist.

Bo