Updated: May 5, 2021
The Noscript Security Suite (NSS) is a fantastic, fantastic tool. It comes as an extension for Firefox and various Chromium-based browsers, and what it does is transform the useless, noisy so-called "modern" Internet into a pool of tranquility. And it does so by blocking scripts and other elements on Web pages. Beautiful, elegant. You end up with a fast, quiet experience. No nagging, no overhead. When you do need scripting, you selectively enable it. Works great, but only if you're a techie.
Unfortunately, for common folks AKA not nerds, this is not a solution. They can't be bothered with per-site permissions, figuring out if something is broken when scripts don't run, or similar. But then, what if you do want to have all the flexibility of non-restricted browsing but still use some of the great powers of Noscript? Well, I think I may have the formula. Follow me.
Allow all but
Normally, Noscript is a default-deny tool. You only whitelist specific domains that you trust - and even then, you can do it per-session, temporarily. Great, but you need rigor and discipline. Going default-allow isn't the right solution, either, because then, you don't really need Noscript. But this is where this extension shines.
Default with scripting
As I've outlined in my two guides on Noscript, there are three levels of permissions - default, trusted and untrusted. The first blocks scripts but allows some other Web elements (like images, media, etc). Trusted mandates scripting and (optionally) allows everything else. Untrusted blocks everything. Trusted + Untrusted work well together - even if you temporarily allow all (trust) on a page, the untrusted domains will still remain blocked. So you do get some protection and convenience. We can tweak these principles for the ordinary folks!
Set the default zone to allow several common, required elements for everyday browsing. Normally, this includes script, object, media, and frame. The other elements are optional, really. In a nutshell, the usage boils down to this:
- WebGL - If you don't want to allow WebGL, then you won't have hardware-accelerated 2D/3D graphics in your browser, and you will only rely on software rendering. The downside is reduced battery life on battery-powered devices and somewhat slower page rendering in some cases. The upside is you won't be exposed to any bugs or issues in the hardware graphics stack. In most cases, using WebGL is okay.
- Fonts - This is a hot one, and I've talked about it at length in the past. Remote fonts can pose a problem, and they are also a great source of security drama on the net. I don't like remote fonts for many reasons, because websites should be complete solutions, and loading random stuff from third-party sources is just lazy. There are also security and privacy implications, but - once again - Noscript provides a superb solution. Blocking fonts can make pages "uglier" so to speak, but then, you also get to see how fragile and badly designed the modern Internet really is. So there.
- Fetch - Basically, this is used for handling requests. You should allow it, in order to make sure the sites respond "correctly", including any redirects, errors and whatnot.
- Ping - This is something that has no value to the end users, only the server. The ping attribute specifies a list of URLs to be notified if the user follows a hyperlink. In other words, in "modern" words, this can be yet another vector for useless, pointless tracking. So you don't need to enable it.
- Noscript - When scripts are disabled, the content wrapped in noscript elements in an HTML page source will then be shown. Since we do want to allow scripts, this shouldn't really matter. Still, it doesn't hurt to have it allowed.
- Other - Everything else that pages may contain. Why not. Okay-ish.
With this configuration in place, people can browse websites with seemingly no interruptions. Everything should work by default, and you ought not to encounter any cardinal problems. But then, there are still a few more things we can do - and Noscript can do for us.
XSS and Untrusted domains
Another nice advantage of Noscript is that it protects against cross-site scripting attacks. The technical explanation for what these are is a bit wordy, but in essence, even if you allow scripts (the main reason for why one should use Noscript), you still benefit from its other capabilities. So you're covered there.
Then, if you untrust certain domains, while your default zone will be quite liberal and open, you can still get rid of annoying sites, especially when these are third-party domains only used for advertisement or tracking. On any site, you can expand the Noscript icon menu, and then set the relevant permissions for each domain. You can also use the Custom option.
For instance, you may want to block all fonts, but only allow them on a specific set of pages. On the same note, you may want to remove specific domains, so your Web activity cannot be easily tracked and associated across multiple domains. Browsers are trying to solve this problem with enhanced/strict browsing protection, reducing or removing third-party cookies and such, but you can use Noscript to make the solution even more robust. You can also combine the use of this extension with adblocking, so even if you miss or forget certain domains in your list, the adblocking extension will sanitize the Web pages for you, when their scripts do load.
Does it work?
Yes, quite well. I've been using Noscript and uBlock Origin side by side for quite some time. In fact, I've been testing all the different permutations - nothing, one or the other, both side by side, different browser settings. As it unsurprisingly turns out, the most optimal combination is Noscript + UBO, as the latter also has the ability to block and sanitize all sorts of annoying features on Web pages. The only thing that is noticeable - third-party fonts not being loaded. Good.
However, you can always change the state of a domain and reload the page. And you can also configure a Custom zone - disable fonts for the vast majority of pages, but allow them for a small, select number of domains you like AND that are not part of your Trusted zone. This way, you don't have to compromise on the other settings and protections just to allow one element for specific pages.
If you do this, you will also discover a few other cool things like:
- You will see how much useless stuff sites load in addition to their "core" content.
- You will see how many sites look like dog vomit if you disable some of their third-party content (like fonts).
- You will also notice a speed boost - even with scripts enabled - because lots of useless stuff won't load.
In combination with adblocking, you will save bandwidth, reduce noise, and improve your browsing performance. Win win win!
Conclusion
So how do you set up Noscript for ordinary folks? Well, you create your own instance, tweak it - and then export the settings. When you help other people configure their browser, you can then import the settings. The basic idea is to allow scripts and a few other elements in the Default zone, which solves 99% of all problems with Noscript + non-techies. You can optionally make the setup even more elegant by creating your own trusted, untrusted and custom lists.
Is this foolproof? Of course not. No technology is. In between the broken-and-confusing Web experience that Noscript purposefully creates as part of its cleansing mission, and veteran nerds who know exactly what they're doing, it's still possible to make this extension useful for the common users. My testing is limited, but I believe the configuration I outlined above works well, provides extra security, improves privacy, and does not break the surfing. Have a go, throw this at your unsuspecting relatives, and share your findings. We're done.
Cheers.