NoScript Tutorial
Security experts generally agree that the number one measure you can take to make your web browsing safer is to disable scripting. Every browser has an option to disable it. The problem with simply disabling all scripting is that most web sites are crippled without it. The web site may not display at all without scripting or large parts of it may not appear. Menu bars, drop down lists, buttons, and links may not function. Without scripting, a web site cannot run malicious scripts behind your back and infect you with spyware, but legitimate sites won't work either. What we need is an easy way to permit scripting only for sites we trust while forbidding scripting for all others.

NoScript operates on the principle of whitelisting. A whitelist is a list of things that are allowed while everything else is forbidden. In NoScript, you create a whitelist of domains that you allow to run scripts. Aol.com, yahoo.com, microsoft.com, and msdcomputer.com are examples of domains. When you whitelist a domain in NoScript, you are telling it to allow any pages in that domain to run scripts in Firefox. If a domain is not on your whitelist, it cannot run scripts.

A single web page may contain content from many different domains. These additional domains may be operated by the same company as the site you're visiting or they may belong to companies serving ads.

After installing NoScript, when you visit a web page that contains scripts, you'll see a yellow bar at the bottom of the Firefox window indicating that scripts have been blocked. In the example below, Firefox is showing AOL's home page and NoScript has blocked 58 scripts from running.
Clicking the Options button (arrow #5 in the picture below) brings up NoScript's menu. Arrow #2 points to the menu item that reads "Show message about blocked scripts". Clicking this will turn off the NoScript notification bar. This is optional but leaving it enabled will result in seeing the NoScript bar at the bottom of nearly every page you visit because nearly every web page attempts to run scripts.

Arrow #1 points to the domain of the page being displayed, in this case, aol.com. In NoScript's menu, arrow #4 points to the controls for aol.com. This is where you can allow aol.com to run scripts in Firefox. You have two choices: allow or temporarily allow. Choosing allow will add this domain to your whitelist and it will always be allowed to run scripts in the future. For domains you trust and visit often, allow is the best choice. Temporarily allow will allow that domain to run scripts, but only until you close Firefox. The next time you run Firefox and encounter this domain, NoScript will block scripts. This option is more appropriate for sites you rarely visit or don't expect to ever visit again. Remember, it's best to keep the whitelist as short as possible for the best protection, so don't permanently add domains to it unless you use them frequently.

Arrow #3 points to the controls for a second domain, aolcdn.com, that has content on this page. CDN stands for content delivery network. Web sites with heavy traffic such as AOL, Yahoo, or YouTube use content delivery networks to improve the performance of their sites by having copies of key items (pictures or videos, for example) stored at various locations around the Internet. If you were to allow aol.com but not aolcdn.com, the page would not be fully functional.
After clicking "Show message about blocked scripts" (arrow #2 above), the NoScript notification bar will no longer show up at the bottom of the Firefox window. To access the NoScript menu, click the small icon in the lower right corner of the window as shown by the red arrow below.
Below is the Orange County Register's web site with scripting disabled. Notice that the page contains a notice reading "For a complete user experience please use a javascript enabled browser". Clicking the NoScript icon on this page brings up the menu shown below. Notice that four separate domains are attempting to run scripts on this page: freedom.com, tacoda.net, brightcove.com, and ocregister.com.

Obviously, ocregister.com is the site we're looking at and scripting should be allowed for it. The other three are less obvious though. We don't want to let unknown and untrusted domains run scripts but we want the page to function properly. In this case, freedom.com is the domain for Freedom Communications, The Register's parent company. Tacoda.net is AOL's advertising branch, and brightcove.com is a video software company. The identity and purpose of these domains can be found by visiting their site (www.tacoda.net for example) or searching for them in Google.

In this case, I would allow freedom.com but not tacoda.net. Brightcove.com may be responsible for videos shown on The Register's site. Leave brightcove.com blocked to start but if you find that you cannot view a video on the site, then allow brightcove.com. It's really just trial and error. The goal is to have the web site function while enabling scripting for as few domains as possible.
NoScript comes with some popular domains already allowed. Below, Firefox is displaying Yahoo's web site. When we click the NoScript icon, we see what the menu looks like when domains are allowed to run scripts. Since yimg.com and yahoo.com are currently allowed, you now have the option to forbid scripts for those domains if desired.
One of the items on the NoScript menu is options. Clicking options will bring up the window below. The whitelist tab shows a list of all domains that are allowed to run scripts in Firefox on your computer. If you ever need to remove a domain from the whitelist, find it in the list, click "Remove Selected Sites", then click OK to close the window.
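
The allow, temporarily allow and remove behaviour described in this tutorial, modelled in JavaScript as an added example (it is not NoScript's code). The host names in `pageHosts` are constructed, and matching subdomains on whole labels is an assumption of this model.

```javascript
// Minimal model of a script whitelist (added illustration, not NoScript's code).
// Assumption: an entry covers the domain and its subdomains, matched on whole
// labels, so "ocregister.com.example.net" is NOT covered by "ocregister.com".
class ScriptWhitelist {
  constructor(permanent = []) {
    this.permanent = new Set(permanent.map(ScriptWhitelist.normalize));
    this.temporary = new Set(); // "temporarily allow": lasts until browser closes
  }
  static normalize(domain) {
    return domain.trim().toLowerCase().replace(/\.$/, "");
  }
  allow(domain) { this.permanent.add(ScriptWhitelist.normalize(domain)); }
  temporarilyAllow(domain) { this.temporary.add(ScriptWhitelist.normalize(domain)); }
  remove(domain) {
    this.permanent.delete(ScriptWhitelist.normalize(domain));
    this.temporary.delete(ScriptWhitelist.normalize(domain));
  }
  endSession() { this.temporary.clear(); }
  isAllowed(host) {
    const h = ScriptWhitelist.normalize(host);
    for (const entry of [...this.permanent, ...this.temporary]) {
      if (h === entry || h.endsWith("." + entry)) return true;
    }
    return false; // default deny: anything not listed is blocked
  }
  // Split the script hosts seen on one page into allowed and blocked.
  evaluatePage(scriptHosts) {
    const result = { allowed: [], blocked: [] };
    for (const host of new Set(scriptHosts)) {
      (this.isAllowed(host) ? result.allowed : result.blocked).push(host);
    }
    return result;
  }
}

// Constructed sample hosts for a page like the Orange County Register example.
const pageHosts = ["www.ocregister.com", "media.freedom.com", "an.tacoda.net",
                   "admin.brightcove.com", "ocregister.com.example.net"];

function demo() {
  const wl = new ScriptWhitelist(["ocregister.com", "freedom.com"]);
  const before = wl.evaluatePage(pageHosts);
  wl.temporarilyAllow("brightcove.com"); // needed to watch a video
  const during = wl.evaluatePage(pageHosts);
  wl.endSession();                       // Firefox is closed and reopened
  const after = wl.evaluatePage(pageHosts);
  return { before, during, after };
}
console.log(JSON.stringify(demo(), null, 2));
```

The lookalike host `ocregister.com.example.net` stays blocked in every phase, which is why the match is made on whole domain labels and not on a plain substring.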