NoScript

Description

Usable security

Operating NoScript is really simple. When you install NoScript, JavaScript, Java, Flash, Silverlight and possibly other executable contents are blocked by default. You will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. Notice that you shouldn't disable JavaScript and Java using Firefox settings, i.e. the Tools|Options|Content|Enable JavaScript and Enable Java options have to be checked (JavaScript and Java enabled), otherwise JavaScript remains disabled everywhere even when allowed by NoScript.

When you browse a site containing blocked scripts, a brief sound is optionally played and a notification, similar to those issued by the popup blocker, is shown (Firefox only).

Look at the status bar icon to know the current NoScript permissions:

* Forbidden Icon - this means that scripts are blocked for the current site.
* Partially Allowed Icon - this means scripts are allowed for some of the URLs sourcing scripts from the current site. It happens when there are multiple frames, or script elements linking code hosted on 3rd party hosts. For instance, in most cases when a site is compromised with JavaScript malware, the malicious code is hosted on external "shady" sites. Even if you've previously allowed the top-level site, these external sites are still blocked and the attack fails anyway.
* Partially Allowed / Partially Untrusted Icon - this means scripts are allowed for some URLs, and all the other ones are marked as untrusted.
* Allowed Icon - this means that script execution is allowed for the current site.
* Globally Allowed Icon - this means that scripts are globally allowed (why did you decide to browse without any protection??!)

If you left click on the icon, you can change script permissions using a simple menu.

You can reach the same menu by right clicking over the document, so you can operate also in windows which don't provide a status bar.
Of course, if you don't like contextual menus, you can hide it.

A toolbar button is also provided: right click on your toolbar and select the Customize menu item to add it. By clicking on the NoScript toolbar button you will toggle the forbidden/allowed state of the top-most site in the current page, i.e. the one displayed in your address bar. Also, if you click the tiny arrow near the NoScript toolbar button, the usual NoScript menu will drop down.

If you're not a mouse lover, you will find these two keyboard shortcuts helpful:

1. CTRL + SHIFT + \ (backslash) toggles allowance status for the current top-level site - temporarily by default; to make it permanent, set the about:config noscript.toggle.temp preference to false.
2. CTRL + SHIFT + S opens the NoScript status bar menu, which lets you perform every NoScript related operation using the cursor keys.

Both these shortcuts can be changed using the about:config noscript.key.* preferences.

Every NoScript menu includes a command to open the Options dialog: you use it to allow or forbid many sites at once, to customize the user interface and to decide if you want to automatically reload the current site when you change permissions. Other useful options are also available there.

Site matching

For each site you can decide to allow the exact address, or the exact domain, or a parent domain. If you enable a domain (e.g. mozilla.org), you're implicitly enabling all its subdomains (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. http and https). If you enable an address (protocol://host, e.g. http://www.mozilla.org), you're enabling its subdirectories (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but not its domain ancestors nor its siblings, i.e. mozilla.org and addons.mozilla.org will not be automatically enabled.

By default only the 2nd level (base) domain (e.g. mozilla.org) is shown in the menus, but you can configure appearance to show full domains and full addresses as well.

NoScript recognizes two kinds of "shorthand" patterns, to be manually entered in the NoScript Options|Whitelist panel:

1. Jolly port matching - an address with a 0 (zero) port specification will match every site with the same protocol, domain and any non-standard port: if one is met during navigation, it gets temporarily enabled. For instance, http://acme.org:0 matches http://acme.org:8080 and http://acme.org:9999, but not https://acme.org:9999 (different protocol) nor http://acme.org (standard 80 port, omitted). Since protocol specification is mandatory, regular subdomain matching with rightmost components comparison couldn't work for multiple subdomains. You can specify subdomain matching patterns using an asterisk in place of the leftmost domain component: for instance, if you need to match all the subdomains of acme.org for all ports with the HTTPS protocol, you can whitelist https://*.acme.org:0. This is the ONLY situation where the asterisk is considered a wildcard.
2. Subnet matching - an address with a partial numeric IPv4 IP will match the whole subnet. You must specify at least the 2 leftmost bytes, e.g. 192.168 or 10.0.0. Again, matching sites will be temporarily allowed on demand.

Important notice: the asterisk character (*) has NO special meaning to NoScript, other than subdomain matching in Jolly port matching patterns (see above). The asterisk is NOT a general wildcard, so if you're typing it while manually adding a site to your whitelist, double check you know what you're doing.
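The site matching rules above, written out as an added example (this is not NoScript's own code): a small matcher that can be run over an exported whitelist to see which entries would trust a given URL. `matchesEntry` and `trustingEntries` are hypothetical names, the sample whitelist is constructed, and three behaviours the text does not spell out are assumptions marked in the comments (subnet entries ignore the protocol, `*.` covers subdomains only, an address entry without a port covers the standard port only).

```javascript
// Added example: matcher for the whitelist entry kinds described above.
// matchesEntry/trustingEntries are hypothetical names, not NoScript internals.
const SUBNET = /^\d{1,3}(\.\d{1,3}){1,2}$/;   // 2 or 3 leftmost bytes: 192.168, 10.0.0
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const ADDRESS = /^([a-z][a-z0-9+.-]*):\/\/([^\/:]+)(?::(\d+))?$/;

function matchesEntry(entry, pageUrl) {
  const url = new URL(pageUrl);
  const host = url.hostname;            // already lower-cased by the URL parser
  entry = entry.trim().toLowerCase();

  // Subnet matching: a partial IPv4 address covers every address below it.
  // Assumption: the protocol is not compared for subnet entries.
  if (SUBNET.test(entry)) return IPV4.test(host) && host.startsWith(entry + ".");

  const addr = ADDRESS.exec(entry);
  if (!addr) {
    // Bare domain: the domain itself and all subdomains, any protocol.
    // An asterisk here is a literal character, so it can never match a host.
    if (entry.includes("*")) return false;
    return host === entry || host.endsWith("." + entry);
  }

  const [, scheme, patHost, patPort] = addr;
  if (url.protocol !== scheme + ":") return false;

  if (patPort === "0") {
    // Jolly port: same protocol and domain, any non-standard port.
    // url.port is "" when the URL uses the protocol's standard port.
    if (url.port === "") return false;
    // Leading "*." is the only wildcard; assumption: subdomains only.
    if (patHost.startsWith("*.")) return host.endsWith(patHost.slice(1));
    return host === patHost;
  }

  // Plain address: exact host, no ancestors or siblings.
  // Assumption: an entry without a port covers the standard port only.
  if (patHost.includes("*")) return false;
  return host === patHost && url.port === (patPort || "");
}

// Audit helper: which entries of a whitelist would trust this URL?
function trustingEntries(entries, pageUrl) {
  return entries.filter((e) => matchesEntry(e, pageUrl));
}

// Constructed sample whitelist, using the hosts from the text above.
const sampleWhitelist = ["mozilla.org", "http://www.mozilla.org",
  "http://acme.org:0", "https://*.acme.org:0", "*.acme.org", "192.168"];

console.log(trustingEntries(sampleWhitelist, "http://acme.org:8080/"));
console.log(trustingEntries(sampleWhitelist, "https://dev.acme.org:8443/login"));
console.log(trustingEntries(sampleWhitelist, "http://192.168.1.10/admin"));
```

The `*.acme.org` entry never appears in any result, which is the practical consequence of the asterisk not being a general wildcard: such an entry is dead weight in a whitelist.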
By the way, most of the time you prefer not to fiddle with your whitelist manually: just use the NoScript "Allow" and "Forbid" menu items, it's much simpler and error free!

Java™, Silverlight™, Flash® and other plugins

While its primary aim is preventing malicious JavaScript from running, NoScript can effectively block Java™, Silverlight™, Flash® and other plugins on untrusted sites. Java Applets, Flash movies/applications, Quicktime clips, PDF documents and other content won't even be downloaded from sites where you consider them annoyances or dangers, saving your bandwidth and increasing your navigation speed. While in early NoScript versions only JavaScript and Java were blocked by default, this restriction has been extended to Flash and the other plugins, in order to prevent Flash-based XSS and other plugin-based attacks. Anyway, you can configure the kinds of content you want to forbid using the NoScript Options|Plugins panel. The status bar tooltip and the message bar display the total count of detected plugin objects next to the script count. Keep in mind that some sites use Java applets, Silverlight embedded objects or Flash movies to deliver rich content and applications, hence if you meet some web page you need to use but you find some functionality is missing, consider the possibility that you're blocking some essential applet or movie.

On a non-whitelisted site you can still temporarily allow an individual plugin object with just one left click on its placeholder.
The movie/applet/clip will stay enabled until the end of the session or until you Revoke Temporary Permissions.

* Middle clicking on a Java/Silverlight/Flash/Plugin object placeholder opens it in a window of its own.
* Right clicking on a Java/Silverlight/Flash/Plugin object placeholder opens the context menu for links, allowing you to save the content with Save Link As....
* Holding down the Shift key and clicking on a Java/Silverlight/Flash/Plugin object placeholder temporarily hides it.

You can also use the Blocked Objects menu to find out which plugin content instances you're blocking even if their placeholder is not easily visible, and/or enable them individually, per site or per type.

It's worth noticing that while early NoScript versions used to block plugin content objects checking exclusively their origin, i.e. the site where they were downloaded from, most recent NoScript versions also check the parent site which is embedding the content: a non-whitelisted site won't be able to run a plugin content piece, even if coming from a trusted site, unless you explicitly unblock it through its placeholder or the Blocked Objects menu.

This behavior is meant to provide effective protection against Flash-based XSS. Reverting to the old behavior is possible, even if not recommended: just switch the noscript.forbidActiveContentParentTrustCheck about:config preference to false.

The same blocking treatment can be reserved to IFRAMEs as well, but it's not recommended (especially if you extend the blocking options to trusted sites), because it breaks too much stuff for the little additional security it gives: as a matter of fact, if you block all plugins and you've got XSS filters active, you're likely already protected against any IFRAME-based exploit.
Read this FAQ for more details.

Finally, toggling NoScript Options/Plugins/Apply these restrictions to trusted sites too extends the plugin content restrictions you set for untrusted sites also to whitelisted pages, turning NoScript into a general content blocker for Java, Silverlight, Flash and other plugins, functionally similar to FlashBlock.

You can configure some exceptions to the Forbid Other Plugins option by setting the noscript.allowedMimeRegExp about:config preference to a pattern matching the content types you want to allow. For instance, setting it to "application/pdf" will let PDF documents load automatically on every site. That said, are you sure you need to? The Adobe Acrobat Reader plugin got its share of vulnerabilities so far, and after all, you can still allow individual PDF documents from untrusted sites just by clicking on their placeholders.

Most NoScript options are quite simple and self explanatory.

Default values are almost always OK, however you may find it useful to know about these:

* General
  o Temporarily allow top-level sites, not recommended and disabled by default, grants permissions "on the fly" to the address of the main page (the one usually displayed in the location bar), excluding subframes, embedded objects and sites marked as untrusted.
  o Allow sites opened through bookmarks, grants permissions "on the fly" to sites you open clicking on a bookmark of yours.
  o Left clicking on NoScript toolbar button toggles permissions for current top level site, action reachable also using the CTRL+SHIFT+S keyboard shortcut.
* Whitelist
  An interface to manually manage the list of your trusted sites, adding or removing web addresses. This panel also contains "Import" and "Export" buttons to backup/restore your whitelist as a plain text file.
* Plugins
  A list of content blocking options.
* Appearance
  Contains preferences to hide/show UI elements.
* Notifications
  Contains preferences to enable/disable various notifications (message bars and sound alerts).
* Advanced
  o Untrusted
    Contains additional restrictions and policies for untrusted (unknown) sites:
    + Attempt to fix JavaScript links (enabled by default): this means that NoScript will try to turn javascript: links into normal ones on untrusted sites as you click them, improving usability of the most unfriendly pages.
    + Hide noscript elements prevents the replacement content from being displayed on JavaScript disabled sites.
    + Forbid "Web Bugs" blocks Web Bugs (tracking images) found inside noscript tags, used as a (less effective) fall-back to spy on user's behavior when scripts are not available.
    + Forbid META redirections inside noscript elements, which are often used to send the unwilling user to a dumb "Please enable JavaScript" page. Notice that this option may interfere with the RefreshBlocker extension.
    + Forbid bookmarklets, disabled by default, prevents JavaScript bookmarks (also known as bookmarklets) from working on untrusted sites.
    + Forbid (enabled by default), controls the controversial "ping" feature on untrusted sites.
  o Trusted
    Contains additional permissions and bonuses for trusted sites:
    + Show the noscript element which follows a blocked script forces the nearest replacement content to be shown for blocked 3rd party script tags even if the main page has JavaScript enabled.
    + Allow (disabled by default), controls the controversial "ping" feature.
    + Allow rich text copy and paste from external clipboard is an additional permission you can grant to trusted sites, e.g. on Web Mail or CMS user interfaces where you may want to copy inside an editor box styled text content from outside the browser.
    + Allow local links (disabled by default) allows linking local resources from web pages, as required by some online gaming sites.
  o XSS
    Preferences for the Anti-XSS protection system:
    + Sanitize cross-site suspicious requests* - potentially dangerous characters, which may be used to inject malicious JavaScript code, are stripped out from both the URL and the REFERER header.
    + Turn cross-site POST requests into data-less GET requests - the request is sent but no malicious data is uploaded.
    + Anti-XSS Protection Exceptions, a list of regular expressions (one on each line) used to identify web addresses which you deem do not need to be protected against XSS.

    * "Cross-site suspicious requests" are requests from untrusted origins to trusted destinations, considering trusted either "Allow"ed or "Temporarily allow"ed sites. If you prefer "Temporarily allow"ed sites to be still considered as untrusted origins from the XSS point of view, you just need to set the about:config noscript.xss.trustTemp preference to false.
  o JAR
    Preferences for JAR document blocking:
    + Block JAR remote resources being loaded as documents - jar: URLs which are loaded from a remote location in a context which will lead to document building are blocked. This prevents XSS attacks like the one described in this article.
    + JAR document blocking Exceptions, a list of regular expressions (one on each line) matching JAR URLs which you want to bypass blocking.

Some about:config preferences you may want to know are:

* noscript.jsredirectIgnore - defaults to false; if true, disables searching and displaying JavaScript links in non-whitelisted pages which do not contain any regular link, like www.fordvehicles.com.
* noscript.jsredirectFollow - when true (default) and only one single JavaScript link is found in a top-level page, that link is automatically followed because we assume it's a JavaScript redirection (e.g. www.ford.com).
* noscript.autoReload.allTabs - switch it to false if you want only the current page to be reloaded when permissions change (it will prevent a slowdown when you've got many tabs open on the same site).
* noscript.autoReload.global - decides if allowing scripts globally causes an autoreload or not.

Languages

NoScript is currently translated in the following languages:

1. Arabic (thanks Nassim Dhaher)
2. Belarusian (thanks Drive DRKA)
3. Bulgarian (thanks Georgi Marchev)
4. Catalan (thanks Joan-Josep Bargues)
5. Chinese Simplified (thanks blackdire)
6. Chinese Traditional (thanks Chiu Po Jung and FreeXD)
7. Czech (thanks drAcOniS and Petr Jirsa)
8. Danish (thanks roellum and Carsten Winkler)
9. Dutch (thanks Liesbeth)
10. English GB (thanks Ian Moody)
11. English (thanks William Shakespeare)
12. Finnish (thanks Mika Pirinen)
13. French (thanks Xavier Robin)
14. Galician (thanks roebek)
15. German (thanks Thomas Weber & Volker Hable)
16. Greek (thanks Sonickydon)
17. Hebrew (thanks Asaf Bartov)
18. Hungarian (thanks Mikes Kaszmán István and LocaLiceR)
19. Indonesian (thanks regfreak)
20. Italian (thanks Dante Alighieri)
21. Japanese (thanks Beerboy)
22. Lithuanian (thanks Mindaugas Jakutis)
23. Norwegian bokmål (thanks Håvard Mork)
24. Persian (thanks Pedram Veisi)
25. Polish (thanks Lukasz Biegaj)
26. Portuguese (thanks Dario Ornelas)
27. Portuguese/Brazil (thanks Raryel Costa Souza)
28. Romanian (thanks Ultravioletu)
29. Russian (thanks Alexander Sokolov)
30. Simplified Chinese (thanks George C. Tsoi)
31. Slovak (thanks SlovakSoft)
32. Slovenian (thanks Tomaž Mačus)
33. Swedish (thanks jameka)
34. Spanish (thanks Alberto Martínez, EduLeo and Urko)
35. Thai (thanks Qen)
36. Traditional Chinese (thanks Chiu Po-Jung)
37. Turkish (thanks Engin Yazılan and eveterinary)
38. Ukrainian (thanks MozUA)
39. Vietnamese (thanks tonynguyen)


Published By: InformAction

License Type: Freeware

Date Added: 06 April, 2011

Version: 1.9.1.4

Price: Free

Downloads: 297

Size: 307.2 KB

Platform: Windows All
