NoScript: Good or bad?

@Eice @dw426 Be as it may, we are all entitled to our respective opinions - end of subject for me as I will not provide a thesus on the subject simply to justify their common use by users on the Internet

 

We cannot thank you enough for that!

 

Cool but last updated in 2006... I've found another! Roll your own here, 'Toggle JavaScript':

http://codefisher.org/toolbar_button/toolbar_button_maker

 

NoScript is great! I started using it yesterday(thanks Pinga), I recall installing it before & unistalling it immidiately because I hadn't spent time to learn how to use it and it 'seemed' annoying.

I have a question though, now that I can mark any website I want as untrusted do I need adblock plus anymore?

 

It doesn't matter what you are going to use to control scripting (including java script) as long as you don't allow it indiscriminately. Not all sites deserve access to your computer just because you happened to visit them nor all can be trusted not to damage it by downloading malware to it. Enjoy the net but be aware of the dangers too

 

You're throwing out the baby with the bathwater. While I agree that the security situation is not as catastrophic as often said, it's also true that there have been many sites with XSS vulnerabilities, e.g. banking sites, and many attacks through plugins. Although newer FF versions warn against old plugins, it's still a good idea to block them by default IMHO.

It's true that Noscript has more and more features and is a little bit confusing for beginners, it's also true that there many examples for the other threats NS protects against. Just have a look on http://ha.ckers.org/ and its forums. And it's interesting to know that the guy running that site, RSnake (aka Robert Hansen), is the coauthor of this book - he should definitely know what he's doing. And you know what - he's a Noscript user.

 

Yes you do. For example, there may be a site that needs Javascript to function but that doesn't mean that you want to see the ads

 

But I still can block the ad servers, I don't think there is any site that needs ads to function?

 

Well after a bit more browsing, I think it's needed. There are annoying jpegs and animated gifs which NoScript can't block.

 

I can't stand it personally, cripples the browser. Most malware comes through normal sites these days, so I'm not 100% sold on the value of blocking all scripts, but selecting 'always allow' on normal websites that I visit. What if the normal website I visit and allow scripts on in no script is hacked? For these reasons I'd rather not go through the trouble and use other security measures.

 

My pleasure

 

Even on whitelisted sites the XSS filters are still enabled. Quote from http://noscript.net/features#xss :

The same applies to, e.g., the clearclicking protection if configured accordingly in the Plugins tab of Noscript.

And you forgot one important thing: Even if you whitelist a site, 3rd party scripts on that site are still blocked.

 

Which brings us back to the original question: Good or bad? NoScript can be a real pain in the ass when banking, shopping or booking flights as it blocks essential functionality required to successfully engage in such transactions by default...

 

@Pinga: saw that too after posting, but QJ suits me fine (I don't use FF 3.6).

 

You click on "Temporarily allow all this page" in that case?

 

That's what people say all the time but I don't get it. Example: banking. You don't use a different bank for every day of the week, do you? Since I assume that you trust your banking site, just whitelist it and Noscript will remember your decision until the end of time. The same logic applies to your shopping sites (I assume that you don't use a completely new, unknown site every other day). Whitelist them and all is well.

Again, I don't understand your statement. It would only make sense if you whitelisted your trusted sites, which you visit frequently, only temporarily (which is an option in Noscript, indeed). But why should you do that?

I'm sure that for most people 80% of the websites they surf every day are trusted sites they frequently visit (like this forum) - just whitelist them. But on the other 20% which you stumble over via, e.g., Google any potential malware is blocked by default. That's what Noscript is for. It's as easy as that.

 

good posts tlu, thanks. I'll admit it was several years ago last I used noscript, I might test it out again and you make a good case.

 

What about Policy Manager? I have been told by a lot of people that this is better than NoScript.

 

It's not comparable with Noscript at all. As far as I can see Policy Manager doesn't offer much more than you get by right-clicking the current website, chosing Page Info from the menu and selecting Permissions. I don't see why you would need an extension for that.

On the other hand, it doesn't offer XSS filters, protection against clearclicking etc. So no - it's definitely not better than Noscript.

 

Its great as a security add on for blocking malicious scripts and other java based nasties.

 

OK, thanks for the info.

 

too obstrubsive for me i uninstall the add on

 

I believe a less obtrusive & peremptory system is being considered for Webkit based browsers like Chrome/Iron.

 

The whitelist in NoScript made my decision the first time I tried it. Since that time, I haven't even looked at it. No need when Proxomitron does most everything it does and more, plus works with all installed browsers.

 

Proxomitron looks quite interesting.