NoScript

From Wikipedia, the free encyclopedia
Extension for Mozilla- and Chromium-based web browsers
For the <noscript> HTML element, see HTML element § Other block elements.
NoScript
NoScript icon
Logo used since November 2022
Original author(s): Giorgio Maone
Developer(s): Giorgio Maone
Initial release: May 13, 2005; 19 years ago (2005-05-13)[1]
Stable release: 12.1.1[2] / 28 December 2024; 3 months ago (28 December 2024)
Preview release: 11.5.3rc1 / 11 November 2024; 5 months ago (2024-11-11)
Repository: https://github.com/hackademix/noscript
Written in: JavaScript, XUL, CSS
Available in: 45[3] languages
Type: Browser extension
License: GPLv2+
Website: NoScript.net

NoScript (or NoScript Security Suite) is a free and open-source extension for Firefox- and Chromium-based web browsers,[4] written and maintained by Giorgio Maone,[5] a software developer and member of the Mozilla Security Group.[6]

Features

The classic NoScript menu in Firefox

Active content blocking

By default, NoScript blocks active (executable) web content, which can be wholly or partially unblocked by allowlisting a site or domain from the extension's toolbar menu or by clicking a placeholder icon.

In the default configuration, active content is globally denied, although the user may turn this around and use NoScript to block specific unwanted content. The allowlist may be permanent or temporary (until the browser closes or the user revokes permissions). Active content may consist of JavaScript, web fonts, media codecs, WebGL, Java applets, Silverlight and Flash. The add-on also offers specific countermeasures against security exploits.[7]

Because many web browser attacks require active content that the browser normally runs without question, disabling such content by default and using it only to the degree that it is necessary reduces the chances of vulnerability exploitation. In addition, not loading this content saves significant bandwidth[8] and defeats some forms of web tracking.

NoScript is useful for developers to see how well their site works with JavaScript turned off. It also can remove many irritating web elements, such as in-page pop-up messages and certain paywalls, which require JavaScript in order to function.

NoScript takes the form of a toolbar icon or status bar icon in Firefox. It displays on every website to denote whether NoScript has either blocked, allowed, or partially allowed scripts to run on the web page being viewed. Clicking or hovering (since version 2.0.3rc1[9]) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.

NoScript's interface, whether accessed by right-clicking on the web page or the distinctive NoScript box at the bottom of the page (by default), shows the URL of the script(s) that are blocked, but does not provide any sort of reference to look up whether or not a given script is safe to run.[10] With complex webpages, users may be faced with well over a dozen different cryptic URLs and a non-functioning webpage, with only the choice to allow the script, block the script or to allow it temporarily.

On November 14, 2017, Giorgio Maone announced NoScript 10, which will be "very different" from 5.x versions, and will use WebExtension technology, making it compatible with Firefox Quantum.[11] On November 20, 2017, Maone released version 10.1.1 for Firefox 57 and above. NoScript is available for Firefox for Android.[12]

Anti-XSS protection

On April 11, 2007, NoScript 1.1.4.7 was publicly released,[13] introducing the first client-side protection against Type 0 and Type 1 cross-site scripting (XSS) ever delivered in a web browser.

Whenever a website tries to inject HTML or JavaScript code inside a different site (a violation of the same-origin policy), NoScript filters the malicious request and neutralizes its dangerous payload.[14]

Similar features have been adopted years later by Microsoft Internet Explorer 8[15] and by Google Chrome.[16]

Application Boundaries Enforcer (ABE)

The Application Boundaries Enforcer (ABE) is a built-in NoScript module meant to harden the web application-oriented protections already provided by NoScript, by delivering a firewall-like component running inside the browser.

This "firewall" is specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g., plug-ins, webmail, online banking, and so on), according to policies defined directly by the user, the web developer/administrator, or a trusted third party.[17] In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.[18]
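
The default boundary described above can be modelled as a single rule: a request whose destination is a local (intranet) resource is accepted only when the requesting page is itself local. The JavaScript below is an added illustration, not NoScript's ABE code; the function names, the `req` fields and the sample requests are assumptions constructed for this example.

```javascript
// Added illustration, not NoScript's ABE implementation.
// True for loopback, private (RFC 1918), link-local and IPv6 unique-local hosts.
function isLocalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ""); // URL.hostname keeps IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 169 && b === 254);
  }
  // IPv6 loopback, unique-local fc00::/7, link-local fe80::/10
  return h === "::1" || /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h);
}

// req fields (hypothetical): url, destAddr (address the name resolved to),
// originUrl and originAddr (address the requesting page was loaded from).
function boundaryDecision(req) {
  const dest = [new URL(req.url).hostname, req.destAddr].filter(Boolean);
  if (!dest.some(isLocalHost)) return "accept"; // the rule only guards local resources
  if (!req.originUrl) return "accept";          // typed URL or bookmark: no requesting site
  const origin = [new URL(req.originUrl).hostname, req.originAddr].filter(Boolean);
  return origin.some(isLocalHost) ? "accept" : "deny";
}

// Constructed sample requests (documentation-range names and addresses).
const SAMPLES = [
  // public page requesting a router page (the CSRF case)
  { url: "http://192.168.1.1/settings", originUrl: "https://news.example/" },
  // same name, now resolving to a LAN address (the DNS rebinding case)
  { url: "http://rebind.example/", destAddr: "192.168.1.1",
    originUrl: "http://rebind.example/", originAddr: "203.0.113.5" },
  // LAN page requesting a LAN resource
  { url: "http://192.168.1.1/", originUrl: "http://192.168.1.20/dashboard" },
  // public page requesting a public resource
  { url: "https://cdn.example/lib.js", originUrl: "https://news.example/" },
];
function decideAll() { return SAMPLES.map(boundaryDecision); }
```

Checking the resolved address as well as the hostname is what lets the rule catch the rebinding case, where the name in the URL never looks local.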

ClearClick (anti-clickjacking)

NoScript's ClearClick feature,[19] released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e., from frames and plug-ins).[20]

This makes NoScript "the only freely available product which offers a reasonable degree of protection against clickjacking attacks."[21]

HTTPS enhancements

NoScript can force the browser to always use HTTPS when establishing connections to some sensitive sites, in order to prevent man-in-the-middle attacks. This behavior can be triggered either by the websites themselves, by sending the Strict Transport Security header, or configured by users for those websites that don't support Strict Transport Security yet.[22]

NoScript's HTTPS enhancement features have been used by the Electronic Frontier Foundation as the basis of its HTTPS Everywhere add-on.[23]
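
The two triggers described in this section, a Strict Transport Security header sent by the site and a list of sites configured by the user, can be combined into one upgrade decision. The JavaScript below is an added example, not NoScript's code; it parses the header according to RFC 6797, and the class name, method names and the exact-host matching of user entries are assumptions.

```javascript
// Added example, not NoScript's code. Header syntax follows RFC 6797.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  const seen = new Set();
  for (const raw of headerValue.split(";")) {
    const [rawName, ...rest] = raw.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    if (seen.has(name)) return null; // repeated directive: header is invalid
    seen.add(name);
    const value = rest.join("=").trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      if (!/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } // unknown directives are ignored
  }
  return policy.maxAge === null ? null : policy; // max-age is mandatory
}
class HttpsEnforcer {
  constructor(userForcedHosts = []) {
    this.userForced = new Set(userForcedHosts); // user-configured hosts, lowercase (assumption)
    this.hsts = new Map();                      // host -> { expires, includeSubDomains }
  }
  noteResponse(url, headerValue, now = Date.now()) {
    const u = new URL(url);
    // A header received over plain HTTP is ignored: it could have been injected.
    const p = u.protocol === "https:" ? parseHsts(headerValue) : null;
    if (!p) return;
    if (p.maxAge === 0) this.hsts.delete(u.hostname); // max-age=0 revokes the policy
    else this.hsts.set(u.hostname, { expires: now + p.maxAge * 1000, includeSubDomains: p.includeSubDomains });
  }
  mustUpgrade(host, now) {
    if (this.userForced.has(host)) return true;
    const labels = host.split(".");
    for (let i = 0; i < labels.length; i++) { // the host itself, then each parent domain
      const e = this.hsts.get(labels.slice(i).join("."));
      if (e && e.expires > now && (i === 0 || e.includeSubDomains)) return true;
    }
    return false;
  }
  rewrite(url, now = Date.now()) {
    const u = new URL(url);
    if (u.protocol !== "http:" || !this.mustUpgrade(u.hostname, now)) return url;
    u.protocol = "https:";
    return u.href;
  }
}
```

A site-supplied policy only protects visits after the first successful HTTPS response, which is the gap the user-configured list covers.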

Awards

  • PC World chose NoScript as one of the 100 Best Products of 2006.[24]
  • In 2008, NoScript won About.com's "Best Security Add-On" editorial award.[25]
  • In 2010, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.[26]
  • In 2011, for the second year in a row, NoScript was "The Reader's Choice Awards" winner in the "Best Privacy/Security Add-On" category at About.com.[27]
  • NoScript was the 2011 (first edition) winner of the Dragon Research Group's "Security Innovation Grant". This award is given to the most innovative project in the area of information security, as judged by an independent committee.[28]

Conflicts

Conflict with Adblock Plus

In May 2009, it was reported that an "extension war" had broken out between NoScript's developer, Giorgio Maone, and the developers of the Firefox ad-blocking extension Adblock Plus after Maone released a version of NoScript that circumvented a block enabled by an AdBlock Plus filter.[29][30] The code implementing this workaround was "camouflaged"[29] to avoid detection. Maone stated that he had implemented it in response to a filter that blocked his own website. After mounting criticism and a declaration by the administrators of the Mozilla Add-ons site that the site would change its guidelines regarding add-on modifications,[31] Maone removed the code and issued a full apology.[29][32]

Conflict with Ghostery

In the immediate aftermath of the Adblock Plus incident,[33] a spat arose between Maone and the developers of the Ghostery add-on after Maone implemented a change on his website that disabled the notification Ghostery used to report web tracking software.[34] This was interpreted as an attempt to "prevent Ghostery from reporting on trackers and ad networks on NoScript's websites".[33] In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site.[35] This conflict was resolved when Maone changed his site's CSS to move—rather than disable—the Ghostery notification.[36]

References

  1. "Version 1.0". NoScript. Mozilla Addons. 2005-05-13. Archived from the original on 2018-10-02.
  2. Giorgio Maone (28 December 2024). "Release 12.1.1". Retrieved 3 January 2025.
  3. Supported language on noscript.net.
  4. "NoScript Extension Officially Released for Google Chrome". ZDNet. Retrieved 2019-04-12.
  5. "Meet the NoScript Developer". Mozilla. Archived from the original on 2011-10-09. Retrieved 2011-09-27.
  6. "Mozilla Security Group". Mozilla. Archived from the original on June 29, 2011. Retrieved 2011-06-29.
  7. Scott Orgera. "NoScript". About.com. Archived from the original on 2010-12-20. Retrieved 2010-11-27.
  8. "The effect of Firefox addons on bandwidth consumption :: IANIX". ianix.com. Retrieved 2020-07-14.
  9. "NoScript Changelog 2.0.3rc1". noscript.net. Retrieved 16 March 2011.
  10. Brinkman, Martin (February 10, 2014). "The Firefox NoScript guide you have all been waiting for". GHacks.net. Retrieved 14 January 2017.
  11. Giorgio Maone (2017-11-14). "Double NoScript". Hackademix.net. Retrieved 2017-11-15.
  12. "Cosmetic Changes by Issa1553 · Pull Request #28 · hackademix/noscript". GitHub. Retrieved 2019-01-04.
  13. NoScript's first Anti-XSS release. Mozilla Add-ons.
  14. NoScript Features-Anti-XSS protection. NoScript.net. Retrieved April 22, 2008.
  15. Nathan Mc Fethers (2008-07-03). "NoScript vs Internet Explorer 8 Filters". ZDNet. Archived from the original on May 11, 2010. Retrieved 2010-11-27.
  16. Adam Barth (2010-01-26). "Security in Depth: New Security Features". Google. Retrieved 2010-11-27.
  17. Giorgio Maone. "Application Boundaries Enforcer (ABE)". NoScript.net. Retrieved 2010-08-02.
  18. Giorgio Maone (2010-07-28). "ABE Patrols Routes to Your Routers". Hackademix.net. Retrieved 2010-08-02.
  19. "NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - faq - InformAction".
  20. Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". Hackademix.net. Retrieved 2008-10-27.
  21. Michal Zalewski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 2008-10-27.
  22. NoScript FAQ: HTTPS. NoScript.net. Retrieved August 2, 2010.
  23. HTTPS Everywhere.
  24. PC World Award. Archived 2011-08-28 at the Wayback Machine. pcworld.com. Retrieved April 22, 2008.
  25. About.com 2008 Best Security Add-On Award. Archived 2011-03-23 at the Wayback Machine. about.com. Retrieved August 2, 2010.
  26. Best Privacy/Security Add-On 2010. Archived 2010-03-04 at the Wayback Machine. about.com. Retrieved August 2, 2010.
  27. Best Privacy/Security Add-On 2011. Archived 2011-03-17 at the Wayback Machine. about.com. Retrieved March 20, 2011.
  28. Security Innovation Grant Winner Announcement. Archived 2015-02-12 at the Wayback Machine. Dragon Research Group. Retrieved July 17, 2011.
  29. Goodin, Dan. "Firefox users caught in crossfire of warring add-ons". The Register. Retrieved 19 May 2013.
  30. "Extension wars – NoScript vs. AdblockPlus". Ajaxian. Retrieved 19 May 2013.
  31. "No Surprises". 2009-05-01.
  32. Dear Adblock Plus and NoScript Users, Dear Mozilla Community.
  33. Attention all NoScript users.
  34. Greg Yardley (2009-05-04). "When blockers block the blockers". yardlay.ca. Archived from the original on 2009-05-08.
  35. NoScript support forum "Re: Latest NoScript version (1.9.2) breaks Adblock Plus", comment #3704, Giorgio Maone (2009-05-04).
  36. NoScript support forum "Re: Additional steps to regain and retain user trust", comment #3935, Giorgio Maone (2009-05-06).

Retrieved from "https://en.wikipedia.org/w/index.php?title=NoScript&oldid=1275237339"