Do you use Noscript to switch off Javascript ? As both "trusted" and "new" website can be exploited , and as almost every "new" site requires Javascript is there any point to it ? If you do use it , could you mention if you often browse new sites. Edit Thanks for the interest and replies I'm asking specifically if you use it for blocking Javascript. /Edit
I use multiple browsers regularly, but use FF for research and industry news reading. I use the NS add-on as a simple form of pre-screening for the site scripting before I temporarily allow them based on their relative threat and what I am doing at that particular moment in time. It might be a lazy approach in some ways, but it does filter out the garbage in most cases and allows me to focus in on exactly what I am looking for on a given site as well as a level of control over what does go on initially. YMMV
Yes, but I tweaked it. JavaScript, for example, is allowed globally. Reasons: https://trac.torproject.org/projects/tor/ticket/3007 And I browse new sites frequently.
NoScript does a bit more than blocking javascript. Are you asking if we use NoScript for specifically blocking Javascript or if we use NoScript at all? Either way I'm on Chrome =p
Don't use it at all for anything on Firefox. Edit: And although this doesn't apply to me, "If you do use it , could you mention if you often browse new sites.", I do visit new sites if I need to but they're mostly boring ones.
When Firefox was my browser I used it for a while. I stopped using it as it really made browsing very uncomfortable.
Nope, it is just too bothersome, pretty much every web page needs it anyway. I prefer adblock, flashblock and popup blocker, which blocks javascripts popups as well.
I use Noscript. I don't find it to bothersome or my browsing experience uncomfortable, most sites work fine with out "white listing". If I find I need to temporarily allow an URL it's only a couple of clicks away. Sites I visit or use frequently (Wilders for example) the URL get permanently white listed. A few sites, like Yahoo! Mail need more than one URL to to function properly, but it's really no trouble once white listed.
Same here. I agree that most "new" sites work without being whitelisted as they are usually readable/viewable (in many cases 3rd party scripting is blocked which doesn't affect the site itself - and by adding such stuff like doubleclick, googleanalytics and so forth to the blacklist you're getting fewer and fewer notifications over time). I find assertions that Noscript doesn't let you comfortably surf the web grossly exaggerated..
You have a point, for sure, but for me it was more a case of not really feeling I could trust many of the WOT reputation scores, and I don't like basing security decisions on guesswork or uncertainty. Also, I reasoned my other system security measures were sufficient to cover what NS does, and then I've since settled on using IE9, so it's now all irrelevent for me anyway
I'm lazy and I agree, so +1. Creating a white- and blacklist doesn't take that much time. And no, I don't use it just for blocking javascript (also for the other features) and I do visit new sites frequently.
wat0114, quite frankly, I don't understand this argument. First of all, by middle-clicking a domain in the Noscript menu you get a selection of five services (WOT being only one of them) that help you to evaluate the trustworthiness of a site. Secondly, if some burglars are able to break your front door, does that mean that you leave it wide-open? What other security measures protect you against XSS, Clickjacking etc.?
Sure, and that ties me up potentially 5x longer trying to make a decision I don't believe I've left any doors, figuratively speaking, wide open. IE9 has some form of XSS protection and securing script-initiated windows with size and position restraints, firewall port restrictions for applications, Standard account and AppLocker. I'm also at least somewhat cautious about clicking on links. Historically, for me, I've never been burned this way before, so it makes it hard for me to justify the need to use this approach. All I've been doing for the most part is surfing away like a free spirit and nothing evil seems to come my way
EDIT: I realized my post would likely cause some debate about browsers or something... Chrome and IE9 have xss protection. Chrome has XSRF protection. Clickjacking is a nonissue, which is something I discussed on the NoScript board.
I used to use it a while ago but ever since i started using sandboxie i stopped using it. Deleting the sandbox contents would remove all the decisions i had made with noscript which became annoying very quickly. There may be a work around but i couldnt be bothered looking into it.
I use it on Firefox & SeaMonkey usually with RequestPolicy. I believe that NoScript can be run on K-Meleon as well.
Sorry, I meant a nonissue for Chrome =p It's kinda like having a flash exploit in Chrome, you still need another exploit on top of that to break into the sandbox. In the case of clickjacking there's another step, first you have the clickjack page, and then you have the first exploit page, and then you have the payload, which needs an exploit to break out of the sandbox.
No, definitely not. It's just not an issue. Clickjacking is a method to get the user to an exploit page or a direct download. Since downloads are scanned/ blocked if executable and you would need a plugin exploit + sandbox exploit it's not something to really worry about.