How to configure Noscript for ordinary users

Updated: May 5, 2021

The Noscript Security Suite (NSS) is a fantastic, fantastic tool. It comes as an extension for Firefox and various Chromium-based browsers, and what it does is transform the useless, noisy so-called "modern" Internet into a pool of tranquility. And it does so by blocking scripts and other elements on Web pages. Beautiful, elegant. You end up with a fast, quiet experience. No nagging, no overhead. When you do need scripting, you selectively enable it. Works great, but only if you're a techie.

Unfortunately, for common folks AKA not nerds, this is not a solution. They can't be bothered with per-site permissions, figuring out if something is broken when scripts don't run, or similar. But then, what if you do want to have all the flexibility of non-restricted browsing but still use some of the great powers of Noscript? Well, I think I may have the formula. Follow me.

Allow all but

Normally, Noscript is a default-deny tool. You only whitelist specific domains that you trust - and even then, you can do it per-session, temporarily. Great, but you need rigor and discipline. Going default-allow isn't the right solution, either, because then, you don't really need Noscript. But this is where this extension shines.

Default with scripting

As I've outlined in my two guides on Noscript, there are three levels of permissions - default, trusted and untrusted. The first blocks scripts but allows some other Web elements (like images, media, etc). Trusted mandates scripting and (optionally) allows everything else. Untrusted blocks everything. Trusted + Untrusted work well together - even if you temporarily allow all (trust) on a page, the untrusted domains will still remain blocked. So you do get some protection and convenience. We can tweak these principles for the ordinary folks!

Default, scripting allowed

Set the default zone to allow several common, required elements for everyday browsing. Normally, this includes script, object, media, and frame. The other elements are optional, really. In a nutshell, the usage boils down to this:

With this configuration in place, people can browse websites with seemingly no interruptions. Everything should work by default, and you ought not to encounter any cardinal problems. But then, there are still a few more things we can do - and Noscript can do for us.

XSS and Untrusted domains

Another nice advantage of Noscript is that it protects against cross-site scripting attacks. The technical explanation for what these are is a bit wordy, but in essence, even if you allow scripts (and blocking them is the main reason why one should use Noscript), you still benefit from its other capabilities. So you're covered there.

XSS protection

Then, if you untrust certain domains, while your default zone will be quite liberal and open, you can still get rid of annoying sites, especially when these are third-party domains only used for advertisement or tracking. On any site, you can expand the Noscript icon menu, and then set the relevant permissions for each domain. You can also use the Custom option.

Untrusted list

For instance, you may want to block all fonts, but only allow them on a specific set of pages. On the same note, you may want to remove specific domains, so your Web activity cannot be easily tracked and associated across multiple domains. Browsers are trying to solve this problem with enhanced/strict browsing protection, reducing or removing third-party cookies and such, but you can use Noscript to make the solution even more robust. You can also combine the use of this extension with adblocking, so even if you miss or forget certain domains in your list, the adblocking extension will sanitize the Web pages for you, when their scripts do load.

Does it work?

Yes, quite well. I've been using Noscript and uBlock Origin side by side for quite some time. In fact, I've been testing all the different permutations - nothing, one or the other, both side by side, different browser settings. As it unsurprisingly turns out, the most optimal combination is Noscript + UBO, as the latter also has the ability to block and sanitize all sorts of annoying features on Web pages. The only thing that is noticeable - third-party fonts not being loaded. Good.

Example

With scripting disabled, you won't see the search box or the cookie overlay - but here they show.

However, you can always change the state of a domain and reload the page. And you can also configure a Custom zone - disable fonts for the vast majority of pages, but allow them for a small, select number of domains you like AND that are not part of your Trusted zone. This way, you don't have to compromise on the other settings and protections just to allow one element for specific pages.

Custom settings

If you do this, you will also discover a few other cool things like:

In combination with adblocking, you will save bandwidth, reduce noise, and improve your browsing performance. Win win win!

Conclusion

So how do you set up Noscript for ordinary folks? Well, you create your own instance, tweak it - and then export the settings. When you help other people configure their browser, you can then import the settings. The basic idea is to allow scripts and a few other elements in the Default zone, which solves 99% of all problems with Noscript + non-techies. You can optionally make the setup even more elegant by creating your own trusted, untrusted and custom lists.
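Before handing an exported settings file to someone else, it helps to check that it really encodes the setup described above. The following is an added example, not part of the original article or of Noscript itself: the JSON layout (`policy.DEFAULT.capabilities`, `policy.sites`, `enforced`, `temp`) is an assumption about the export format, and the sample data and domain names are constructed, so compare against a file exported from your own installation.

```javascript
// ASSUMPTION: the export is JSON shaped like SAMPLE_EXPORT; check a real export first.
const SAMPLE_EXPORT = JSON.stringify({ // constructed sample, not a real export
  policy: {
    DEFAULT: { capabilities: ["script", "object", "media", "frame", "fetch", "other"], temp: false },
    TRUSTED: { capabilities: ["script", "object", "media", "frame", "font", "fetch", "other"], temp: false },
    UNTRUSTED: { capabilities: [], temp: false },
    sites: {
      trusted: [],
      untrusted: ["tracker.example", "ads.example"],
      custom: { "fonts-ok.example": { capabilities: ["script", "object", "media", "frame", "font"], temp: false } }
    },
    enforced: true
  }
});

// Elements the article says the Default zone needs for everyday browsing.
const REQUIRED_DEFAULT = ["script", "object", "media", "frame"];

// Returns a list of human-readable findings; an empty list means the file
// matches the "allow all but" setup from the article.
function auditExport(jsonText) {
  const findings = [];
  let policy;
  try {
    policy = JSON.parse(jsonText).policy;
  } catch (e) {
    return ["not valid JSON: " + e.message];
  }
  if (!policy || typeof policy !== "object") return ["no policy object found"];

  const caps = (preset) => new Set((preset && preset.capabilities) || []);
  const def = caps(policy.DEFAULT);
  for (const c of REQUIRED_DEFAULT) {
    if (!def.has(c)) findings.push(`Default zone does not allow "${c}"; sites may break`);
  }
  if (def.has("font")) findings.push("Default zone allows fonts; the article allows them per site via Custom");
  if (caps(policy.UNTRUSTED).size > 0) findings.push("Untrusted zone allows something; it should block everything");
  if (policy.enforced === false) findings.push("restrictions are globally disabled");

  const sites = policy.sites || {};
  const untrusted = new Set(sites.untrusted || []);
  for (const s of sites.trusted || []) {
    if (untrusted.has(s)) findings.push(`${s} is listed as both trusted and untrusted`);
  }
  for (const [site, preset] of Object.entries(sites.custom || {})) {
    if (preset && preset.temp) findings.push(`${site} has a temporary custom entry; do not ship it`);
  }
  return findings;
}
```

Run `auditExport` on the text of the exported file and import it on the other machine only when the returned list is empty.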

Is this foolproof? Of course not. No technology is. In between the broken-and-confusing Web experience that Noscript purposefully creates as part of its cleansing mission, and veteran nerds who know exactly what they're doing, it's still possible to make this extension useful for the common users. My testing is limited, but I believe the configuration I outlined above works well, provides extra security, improves privacy, and does not break the surfing. Have a go, throw this at your unsuspecting relatives, and share your findings. We're done.

Cheers.