Firefox 57-59 & Noscript 10 usage guide - 2nd edition

Updated: March 30, 2018

As you know, Firefox 57 ushered a new era of WebExtensions into Mozilla's addons world, breaking the ecospace, and forcing massive changes. One of the affected addons is the highly popular Noscript Security Suite (NSS), which, frankly, is probably the only real reason to still favor and use Firefox over Chrome. Giorgio Maone, the Noscript creator, had to make a brand new version of his tool, and it was a radical change for many users.

To that end, I wrote my first guide on Noscript 10 usage, trying to explain the new terminology and concepts, new permissions model, and such. It was received fairly well, and it's quoted in the official basic usage howto on the Noscript forums. Yay. Now, several weeks had gone by, Noscript had undergone additional changes, and I'd like to give some more focus on this sweet little tool and its capabilities. Of course, you should read the first guide first to grasp the basics, then continue here. After me.

Noscript 10 working

New looks

Noscript 10 now looks better than before. More elegant text and icons, better spacing. There's also a separate button to temporarily allow the currently listed domains, with page reload happening as soon as you depress the mouse button. You can also individually change the permissions for the listed domains. The settings page has also undergone some rework, but we will talk about that in a few moments.

Look & feel

New functionality

There are several major changes in the UI. Most notably, for a while, where applicable, domains were listed several times. But this actually makes sense. You have the option to allow permissions for the entire domain (think of it as a wildcard) or a very specific entry. For instance, if you allow for dedoimedo.com, ALL variations and subdomains will be permitted, including both http and https traffic. However, if you choose to allow only for https://www.dedoimedo.com, only this particular URL will be matched. This allows you additional granularity in control. More recent version of the 10.x branch have gone back to displaying a single entry that covers all types of traffic.

Temporarily allow

When it comes to permissions, temporarily allow is now a separate category, which also makes sense - and it is easier to click on the temp-allow icon than the little cogwheel on the trusted icon as before. You also no longer have the list of available elements shown in the main interface. Again, very logical. You can change them through the settings window, rather than accidentally click and apply a scope-wide change.

Settings

You can open the settings page in several ways. If you're on a blank tab, just click on the icon (it will show a ?). If you're actually using a tab and have a website loaded, click on the Noscript icon on the left top side of the Noscript popup menu, close to the stop and reload buttons. The interface has undergone several rounds of changes.

Options

The panel is cleaner and easier to use. I versions 10.1.6.x, you have the options to allow scripts globally, temporarily allow top-level domains (useful if you're troubleshooting), and allow/disable XSS checks. This functionality was somewhat buggy in the interim releases, but it works well now. You can also clear the list of your XSS choices. Useful for troubleshooting.

XSS warning

This is actually a bogus warning - but it emphasizes what the XSS warnings look like.

Presets for the scope now show on separate tabs - default, trusted and untrusted. Below, you have the list of site permissions - anything with a non-default set will show in the list. You can also use the search window, and it also works for domains you are currently working with (temp-allowed, for instance).

Search or add sites

The Debug feature remains, allowing you to better understand the current ruleset, if you don't mind reading JSON. Last but not the least, you can export the configuration (just a text file), and import existing ones, so this is useful if you want to reuse a well-tested set across multiple systems or Firefox profiles. Also good for backups in case you are about to make some big changes to the NSS settings.

In the 10.1.7.x branch, the layout has been edited one more time. You have tabs, which offer a cleaner look, and easier access to different parts of the addon functionality. Under General, you can edit the scopes presets, globally allow scripts, or temp-allow all top-level (1st level) domains, i.e. on dedoimedo.com, for instance, everything that originates from this domain will be allowed, but not any third-party scripts.

Interface tabs

Per-site permissions, same as before. Appearance gives you the ability to make minor visual tweaks, like displaying the number of allowed/blocked scripts on each page, expand domain names, and so forth. Advanced gives you the JSON view of the configuration file, as we've seen in the first guide. You have the option to import, export or reset settings.

Conclusion

Noscript is maturing nicely. It is not the all-can-do tool that we had in Firefox before the 57th release, but it is adequate and suitable for most people, and it provides the necessary protection, and more importantly, the necessary quiet you want when browsing the net. Silent, static pages so you can focus on reading and not having your senses assailed any which Web 2.0 or Web 3.0 way. But I guess most people will focus on the security side of things.

I am using the addon across multiple profiles and systems, and I have not observed any big breakages or bugs. Occasional tiny issues crop here and there, and then vanish a day later. The one that I do remember was a temporary issue with XSS for a brief while, but other than that, it seems to work in a very similar fashion to the old Noscript. Performance is also comparable. And then, there's still more room for improvements and new stuff, which I'm sure will be coming. Hopefully, this was a pleasant read. Take care.

Cheers.

You may also like: