<!doctype html> <html lang="en" class="__NoScript_ThemeWeb__ " > <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="keywords" content="Firefox; Chrome; Brave; Tor; security; XSS; Clickjacking; Script blocking; disable JavaScript; content blocking; safety; safe browsing; exploit; ransomware; attack; vulnerability; addon; add-on; extension; plugin;" /> <meta name="description" content="The NoScript Security Suite is a free extension for Firefox, Chrome and other browsers that preemptively blocks malicious scripts and allows JavaScript and other potentially dangerous content only from sites you trust. Download it now for free!" /> <meta name="category" content="software,internet,development,downloads" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@noscript" /> <meta name="twitter:creator" content="@ma1" /> <meta name="twitter:title" content="Usage - NoScript: Own Your Browser!" /> <meta name="twitter:description" content="The NoScript Security Suite is Free Software protecting Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers. Install NoScript now!" /> <meta name="twitter:image" content="https://noscript.net/img/noscript-social.png?v=2" /> <meta property="og:type" content="website" /> <meta property="og:url" content="https://noscript.net/usage/" /> <meta property="og:site" content="NoScript Security Suite" /> <meta property="og:title" content="Usage - NoScript: Own Your Browser!" /> <meta property="og:description" content="The NoScript Security Suite is Free Software protecting Firefox (on Android, too!), Chrome, Edge, Brave and other web browsers. Install NoScript now!" 
/> <meta property="og:image" content="https://noscript.net/img/noscript-social.png?v=2" /> <meta property="og:image:alt" content="Screenshot of a browser configuring site permissions with NoScript" /> <meta name="theme-color" content="#ffffff"> <meta name="msapplication-TileColor" content="#da532c"> <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"> <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"> <link rel="manifest" href="/site.webmanifest"> <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5"> <link rel="stylesheet" href="/theme.css?v=1742457801591" type="text/css" /> <script src="/js/darklight.js"></script> <title>Usage - NoScript: block scripts and own your browser!</title> </head> <body> <a class="skip-to-content" href="#main-content">Skip to content.</a> <header> <h1>NoScript</h1> <h2>own YOUR browser!</h2> <a href="#main-menu" id="main-menu-toggle" class="menu-toggle" aria-label="Open main menu"> <span class="sr-only">Open main menu</span> <span class="btn-menu" aria-hidden="true">☰</span> </a> <a class="donate" href="/donate" title="NoScript is free software and can't exist without your help. 
Please donate now!">Donate</a> <button class="darklight" title="Toggle dark/light theme" aria-label="Toggle dark/light theme" aria-hidden="true"></button> </header> <nav id="main-menu" class="main-menu" aria-label="Main menu"> <a href="#main-menu-toggle" id="main-menu-close" class="menu-close" aria-label="Close main menu"> <span class="sr-only">Close main menu</span> <span class="btn-close" aria-hidden="true">✖</span> </a> <ul><li><a href="/">What is it?</a></li> <li><a href="/getit/">Get it!</a></li> <li class="active"><a href="/usage/">Usage</a></li> <li><a href="/community/">Community</a></li> <li><a href="/faq/">FAQ</a></li></ul> </nav> <a href="#main-menu-toggle" class="backdrop" tabindex="-1" aria-hidden="true" hidden></a> <main id="main-content"> <h2 id="title">Usage </h2> <nav class="table-of-contents"><ol><li><a href="#getting-started">Getting started</a></li><li><a href="#trust-levels">Trust levels</a><ol><li><a href="#contextual-policies">Contextual Policies</a></li></ol></li><li><a href="#preset-customization">Preset customization</a><ol><li><a href="#lan-protection">LAN Protection</a></li></ol></li><li><a href="#persite-preferences-editor">Per-site preferences editor</a></li><li><a href="#bulkdisabling-restrictions">Bulk-disabling restrictions</a></li><li><a href="#crosssite-protections">Cross-site protections</a><ol><li><a href="#xss-filter">XSS Filter</a></li><li><a href="#crosstab-identity-leak-protection">Cross-tab Identity Leak Protection</a></li></ol></li><li><a href="#keyboard-shortcuts">Keyboard Shortcuts</a></li><li><a href="#usercontributed-guides">User-contributed guides</a></li><li><a href="#limitations-on-chromium">Limitations on Chromium</a></li></ol></nav><h3 id="getting-started" tabindex="-1">Getting started</h3> <figure class="screenshot"> <a id="screen-chromium-conf" href="#screen-chromium-conf"> <img src="/img/screenshots/chromium-conf.png" alt="Pinning icon and configuring permissions (Chromium)"/> </a> <figcaption>Pinning icon and 
configuring permissions (Chromium)</figcaption> <a class="ss-closer" href="#screen-chromium-conf-closed"></a> </figure> <p>First of all, <a href="/getit">install NoScript in your browser</a>!</p> <p>Don't forget to allow NoScript to <strong>run in Private / Incognito windows</strong>, either when prompted on installation or later in the extensions manager options.</p> <p>Otherwise you won't find NoScript where you need it the most.</p> <p>For the same reason, <strong>on Chromium-based browsers</strong>, you'll probably want to <strong>pin NoScript's icon to the toolbar</strong>, in order to have a visual indicator of what is going on with the current page's permissions and a fast way to configure them.</p> <figure class="screenshot"> <a id="screen-icon" href="#screen-icon"> <img src="/img/screenshots/icon.png" alt="Clicking on NoScript toolbar icon"/> </a> <figcaption>Clicking on NoScript toolbar icon</figcaption> <a class="ss-closer" href="#screen-icon-closed"></a> </figure> <p>After installation, you can quickly access NoScript:</p> <ul> <li><strong>on a desktop OS</strong>, either <ol> <li>by left-clicking the NoScript toolbar icon...</li> <li>...or by right-clicking on any web page and selecting the NoScript contextual menu item (most useful on popup windows where the toolbar is hidden)...</li> <li>... or by using the <em>Alt+Shift+N</em> <a href="#keyboard-shortcuts">keyboard shortcut</a>.</li> </ol> </li> <li><strong>on Firefox for Android</strong>, by selecting <em>Add-ons</em> in Firefox's main menu and tapping the NoScript entry.</li> </ul> <h3 id="trust-levels" tabindex="-1">Trust levels</h3> <p>By using NoScript's popup UI you can assign any website or sub-resource origin (e.g. 
"cnn.com" or "ads-twitter.com") either one of <strong>4 preset trust levels</strong> or a <strong>per-site customized level</strong>.</p> <figure class="screenshot"> <a id="screen-trust-levels" href="#screen-trust-levels"> <img src="/img/screenshots/trust-levels.png" alt="Working with trust levels in NoScript's popup"/> </a> <figcaption>Working with trust levels in NoScript's popup</figcaption> <a class="ss-closer" href="#screen-trust-levels-closed"></a> </figure> <ul> <li><img src="/img/ui/ui-no64.png" alt="DEFAULT__ icon" class="ui-icon first"><strong>DEFAULT</strong>, as the name implies, is the fallback low trust level which NoScript automatically enforces on any not yet configured website. This way unknown sites you visit for the first time are unable to perform any harmful action against you.</li> <li><img src="/img/ui/ui-temp64.png" alt="Temp. TRUSTED__ icon" class="ui-icon first"><strong>Temp. TRUSTED</strong> is the high trust level you can assign to sites requiring JavaScript or other active (and potentially harmful) capabilities to be enabled in order to work. <strong><em>Temp.</em></strong> stands for "Temporarily", meaning that the trust level for this site gets reset to <strong>DEFAULT</strong> as soon as the browser is closed or if you use the <em>Revoke Temporary Permissions</em><img src="/img/ui/ui-revoke-temp64.png" alt="Revoke Temporary Permissions_ icon" class="ui-icon"> button. This is the preferred way to tentatively enable sites which you need to work just now but you're unlikely to visit every day. 
You can also assign this level to all the sites <em>currently</em> listed in the popup UI by using the <em>Set all on this page to Temporarily TRUSTED</em><img src="/img/ui/ui-temp-all64.png" alt="Set all on this page to Temporarily TRUSTED_ icon" class="ui-icon"> button.</li> <li><img src="/img/ui/ui-yes64.png" alt="TRUSTED__ icon" class="ui-icon first"><strong>TRUSTED</strong> is the permanent high trust level, enabling JavaScript and other active capabilities and persisting across browser restarts: use it only for sites which you really trust and use frequently.</li> <li><img src="/img/ui/ui-black64.png" alt="UNTRUSTED__ icon" class="ui-icon first"><strong>UNTRUSTED</strong> is the zero-trust level, which blocks every capability (including rendering of plain HTML frames and alternate <code>&lt;noscript&gt;</code> content). It may be useful to flag sites which are definitely not welcome in your browser.</li> <li><img src="/img/ui/ui-custom64.png" alt="CUSTOM__ icon" class="ui-icon first"><strong>CUSTOM</strong> is a special level which can be tailored specifically for each site by turning individual capabilities on and off, such as <em>script</em>, <em>object</em>, <em>media</em>, <em>frame</em>, <em>font</em>, <em>webgl</em>, <em>fetch</em>, <em>ping</em>, <em>noscript</em>, <em>unrestricted CSS</em>, <em>other</em>. Capabilities which the site has tried to use but NoScript has blocked are highlighted in red. 
The temporary/permanent behavior of this level is controlled by a tiny clock-shaped toggle.</li> </ul> <h4 id="contextual-policies" tabindex="-1">Contextual Policies</h4> <figure class="screenshot"> <a id="screen-contextual" href="#screen-contextual"> <img src="/img/screenshots/contextual.png" alt="Example: contextual policy for Twitter embedded timeline"/> </a> <figcaption>Example: contextual policy for Twitter embedded timeline</figcaption> <a class="ss-closer" href="#screen-contextual-closed"></a> </figure> <p>Contextual policies let you assign different permissions (or "enable different capabilities", in NoScript's parlance) to a certain site depending on its context, i.e. which site is the top-level one (the address currently shown in the navigation bar).</p> <p>For instance, you might want to enable scripts from <em>twitter.com</em> only if you're visiting <em>maone.net</em> (in order to read the embedded tweet feed) but not elsewhere, because you don't want Twitter to track you everywhere you go:</p> <ol> <li>While on <em>maone.net</em>, open NoScript's popup and select CUSTOM as the policy for twitter.com. You'll see a new drop-down box, initially set to ANY SITE.</li> <li>Remove all the capabilities (e.g. script) you don't want Twitter to use on ANY SITE (notice that when CUSTOM is selected for the first time, the capabilities of the previously selected preset get copied, so if it was DEFAULT you can probably leave them as they are).</li> <li>Then select <em>...maone.net</em> from the drop-down, and switch script, fetch and frame (the capabilities outlined in red, meaning they're needed by twitter.com) on.</li> </ol> <p>You're done: scripts from twitter.com are allowed to run only when the main site displayed is <strong>maone.net</strong>. You can repeat this on any website (including twitter.com itself) where you want Twitter scripts and subdocuments to work normally. 
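</p> <p>As an added example (not NoScript's own code), the following JavaScript models how the contextual policy configured above gets resolved: presets carry fixed capability sets, a CUSTOM assignment holds one capability set per context keyed by the top-level site with <em>ANY SITE</em> as the fallback, and a hostname suffix match stands in for the "...maone.net" notation. The preset contents and the helper names (<code>setPreset</code>, <code>setCustom</code>, <code>setCapability</code>, <code>isAllowed</code>, <code>revokeTemporary</code>) are assumptions of this model, not NoScript's internals.</p>

```javascript
// Added example, not NoScript's own code: a model of the trust levels and
// contextual CUSTOM policies this page describes. Helper names are hypothetical.
const ANY_SITE = "ANY SITE";
const CAPABILITIES = ["script", "object", "media", "frame", "font", "webgl",
  "fetch", "ping", "noscript", "unrestricted_css", "other", "lan"];
// Constructed preset capability sets: the page does not list the factory
// defaults, so these are assumptions for the model only (LAN stays off).
const PRESETS = {
  DEFAULT: new Set(["noscript", "font", "other"]),
  TRUSTED: new Set(CAPABILITIES.filter((c) => c !== "lan")),
  UNTRUSTED: new Set(),
};

// A policy maps an origin to its assignment; unconfigured origins get DEFAULT,
// and assigning DEFAULT makes NoScript "forget" the site, as the page says.
function makePolicy() { return new Map(); }
function setPreset(policy, origin, preset, temporary = false) {
  if (!(preset in PRESETS)) throw new Error("unknown preset " + preset);
  if (preset === "DEFAULT") policy.delete(origin);
  else policy.set(origin, { preset, temporary });
}

// Switching to CUSTOM copies the previous preset's capabilities into the
// ANY SITE context; later calls leave an existing CUSTOM entry untouched.
function setCustom(policy, origin, temporary = false) {
  const prev = policy.get(origin);
  if (prev && prev.preset === "CUSTOM") return prev;
  const copied = new Set(prev ? PRESETS[prev.preset] : PRESETS.DEFAULT);
  const entry = { preset: "CUSTOM", temporary, contexts: new Map([[ANY_SITE, copied]]) };
  policy.set(origin, entry);
  return entry;
}

// Toggle one capability for `origin` when the top-level site matches `top`.
// A new context starts as a copy of ANY SITE (assumption of this model).
function setCapability(policy, origin, top, capability, enabled) {
  if (!CAPABILITIES.includes(capability)) throw new Error("unknown capability " + capability);
  const entry = setCustom(policy, origin);
  if (!entry.contexts.has(top)) entry.contexts.set(top, new Set(entry.contexts.get(ANY_SITE)));
  const caps = entry.contexts.get(top);
  if (enabled) caps.add(capability); else caps.delete(capability);
}

// Resolve the capabilities `origin` gets while the address bar shows `top`;
// "...maone.net" in the UI means the site and its subdomains, hence the suffix test.
function capabilitiesFor(policy, origin, top) {
  const entry = policy.get(origin);
  if (!entry) return PRESETS.DEFAULT;
  if (entry.preset !== "CUSTOM") return PRESETS[entry.preset];
  for (const [site, caps] of entry.contexts)
    if (site !== ANY_SITE && (top === site || top.endsWith("." + site))) return caps;
  return entry.contexts.get(ANY_SITE);
}
function isAllowed(policy, origin, capability, top) {
  return capabilitiesFor(policy, origin, top).has(capability);
}

// "Revoke Temporary Permissions": every temporary assignment resets to DEFAULT.
function revokeTemporary(policy) {
  for (const [origin, entry] of policy) if (entry.temporary) policy.delete(origin);
}

// The page's walkthrough: twitter.com scripts allowed only under maone.net.
function twitterOnMaoneScenario() {
  const policy = makePolicy();
  setCustom(policy, "twitter.com");              // step 1: CUSTOM, DEFAULT caps copied to ANY SITE
  for (const c of ["script", "fetch", "frame"])  // step 3: enable only when top page is ...maone.net
    setCapability(policy, "twitter.com", "maone.net", c, true);
  return {
    onMaone: isAllowed(policy, "twitter.com", "script", "www.maone.net"),
    elsewhere: isAllowed(policy, "twitter.com", "script", "example.org"),
  };
}
```

<p>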
If you change your mind, you can reset some or all of the contextual policies you previously set in the CUSTOM permissions deck, either from the popup (only for the current context) or from the <em>NoScript Options>Per-site</em> permissions panel, where all the context sites you had configured plus the <em>ANY SITE</em> default are listed in the <em>Enable these capabilities when top page matches...</em> dropdown.</p> <h3 id="preset-customization" tabindex="-1">Preset customization</h3> <figure class="screenshot"> <a id="screen-preset-customization" href="#screen-preset-customization"> <img src="/img/screenshots/preset-customization.png" alt="Customizing the DEFAULT preset."/> </a> <figcaption>Customizing the DEFAULT preset.</figcaption> <a class="ss-closer" href="#screen-preset-customization-closed"></a> </figure> <p>Even though this is not recommended, power users may also customize the built-in presets, from <em>NoScript Options>General>Preset customization</em>. The modified capability permissions are automatically applied to all the sites which the trust level preset has been or will be assigned to.</p> <h4 class="subh" id="lan-protection" tabindex="-1">LAN Protection</h4> <p>Simply put, the LAN capability lets documents coming from the public Internet (AKA Wide Area Network / WAN) link to, or send requests to, hosts inside your Local Area Network (LAN), which is pretty much what they can do without NoScript, enabling so-called cross-zone CSRF/XSS attacks. 
By keeping it disabled (the factory setting in the DEFAULT and UNTRUSTED presets), you're replicating <a href="https://classic.noscript.net/abe/index.html" target="_blank">the Application Boundaries Enforcer feature</a> from "Classic" NoScript, without the hassle of going through ABE's firewall-like rules when you need to set an exception, which now is just a matter of checking the LAN capability box.</p> <h3 id="persite-preferences-editor" tabindex="-1">Per-site preferences editor</h3> <figure class="screenshot"> <a id="screen-per-site-prefs" href="#screen-per-site-prefs"> <img src="/img/screenshots/per-site-prefs.png" alt="Configuring per-site permissions (light scheme)"/> </a> <figcaption>Configuring per-site permissions (light scheme)</figcaption> <a class="ss-closer" href="#screen-per-site-prefs-closed"></a> </figure> <p>You usually assign trust levels on the fly to the current site and its sub-resources from the popup UI.</p> <p>But you may also want to assign a different trust level to a site you've previously configured, or to configure new sites without actually visiting them.</p> <p>In order to do that, just use the <em>NoScript Options>Per-site permissions</em> panel. 
To make NoScript "forget" the configuration for a certain site, just assign it the DEFAULT preset.</p> <h3 id="bulkdisabling-restrictions" tabindex="-1">Bulk-disabling restrictions</h3> <figure class="screenshot"> <a id="screen-unrestricted" href="#screen-unrestricted"> <img src="/img/screenshots/unrestricted.png" alt="Restrictions disabled on current tab"/> </a> <figcaption>Restrictions disabled on current tab</figcaption> <a class="ss-closer" href="#screen-unrestricted-closed"></a> </figure> <p>Sometimes you are in a hurry on a complex workflow, spanning multiple redirections through different websites, which must succeed no matter what.</p> <p>One example may be a credit card payment, bouncing from an e-commerce site to one or more payment processor web services.</p> <p>In this case you may want to temporarily relax all the restrictions normally enforced by NoScript for all the sites loaded in the current tab, until said tab is closed, by using the <strong>Disable restrictions for this tab</strong><img src="/img/ui/ui-tab64.png" alt="Disable restrictions for this tab__ icon" class="ui-icon"> button.</p> <p>More radical (and <strong>not</strong> recommended) is the <strong>Disable restrictions globally (dangerous)</strong><img src="/img/ui/ui-global64.png" alt="Disable restrictions globally (dangerous)__ icon" class="ui-icon"> button: using it amounts to disabling NoScript permanently on any site/tab, leaving only the XSS filter enabled. 
Don't do it!</p> <h3 id="crosssite-protections" tabindex="-1">Cross-site protections</h3> <p>NoScript also provides protection mechanisms independent from core script blocking: most notably, its <strong>XSS Filter</strong> and <strong>Cross-tab Identity Leak Protection</strong>.</p> <h4 id="xss-filter" tabindex="-1">XSS Filter</h4> <figure class="screenshot"> <a id="screen-xss-warning" href="#screen-xss-warning"> <img src="/img/screenshots/xss-warning.png" alt="NoScript's XSS warning dialog"/> </a> <figcaption>NoScript's XSS warning dialog</figcaption> <a class="ss-closer" href="#screen-xss-warning-closed"></a> </figure> <p>NoScript's <strong>XSS filter</strong> (also known as "Injection Checker") was the first of its kind and remains the most effective available in a web browser. It prevents requests originating from a certain (possibly malicious) web site from injecting and executing code in a different web site, an attack known as <a href="https://en.wikipedia.org/wiki/Cross-site_scripting" target="_blank">Cross-Site Scripting (XSS)</a>. When a suspicious request is detected, a warning dialog is shown for the user to block or allow it, either temporarily or permanently. 
Exceptions can be managed from <em>NoScript Options>Advanced>XSS</em>.</p> <h4 id="crosstab-identity-leak-protection" tabindex="-1">Cross-tab Identity Leak Protection</h4> <p>NoScript's <strong>Cross-tab Identity Leak Protection</strong> (or "TabGuard") is an experimental countermeasure against the <a href="https://leakuidatorplusteam.github.io/" target="_blank">Targeted Deanonymization via the Cache Side Channel</a> attack by Mojtaba Zaheri, Yossi Oren and Reza Curtmola, presented at <a href="https://www.usenix.org/conference/usenixsecurity22/presentation/zaheri" target="_blank">USENIX Security in August 2022</a>.</p> <figure class="screenshot"> <a id="screen-tabguard-warning" href="#screen-tabguard-warning"> <img src="/img/screenshots/tabguard-warning.png" alt="NoScript's Potential Identity Leak dialog"/> </a> <figcaption>NoScript's Potential Identity Leak dialog</figcaption> <a class="ss-closer" href="#screen-tabguard-warning-closed"></a> </figure> <p>It is loosely inspired by the Leakuidator+ browser extension proposed by the authors as a defense, but it's designed to better integrate with Firefox and the Tor Browser and to provide protection against variants of the attack not covered yet. When triggered, i.e. on cross-site requests across related tabs, TabGuard removes the authentication headers from the request and shows a red <code class="badge">TG</code> badge near its icon. If you're unexpectedly logged out from a website loaded in a new tab and you can see this badge, you just need to <em>manually</em> reload the page or follow any link, and the authorization will be automatically restored. 
Only in the rare case of cross-tab cross-site POST requests, which might not be consistently replayed after the fact, does TabGuard suspend the load with a <strong>Potential Identity Leak</strong> warning, giving users the ability to either "Load anonymously" (preventing the attack but also logging out from the target site) or "Load normally", which may be required by some legitimate cross-site workflows such as online payments, single sign-on and 3rd party authentication systems. This protection is enabled by default on any Private Browsing window (and therefore in the Tor Browser and in Mullvad Browser), but can be disabled or enabled globally from the <em>NoScript Options>Advanced</em> panel.</p> <h3 id="keyboard-shortcuts" tabindex="-1">Keyboard Shortcuts</h3> <p>You can open and navigate all the NoScript UI by using the following keyboard shortcuts:</p> <pre><code>Alt+Shift+N   start (open NoScript Popup)
Arrows/Tab    move around
DEL/BKSPC/0   DEFAULT
+             TRUSTED
-             UNTRUSTED
C             CUSTOM
T             Temp
S             HTTPS-lock
HOME          jump to the toolbar
ESC/ENTER     Close the UI
R             Reload current page without closing the UI
Shift+G       Globally disable restrictions
Shift+T       Disable restrictions on this tab
P             Set all on this page to Temp. TRUSTED
F             Forget temporary permissions
</code></pre> <h3 id="usercontributed-guides" tabindex="-1">User-contributed guides</h3> <ul> <li><a href="https://blog.jeaye.com/2017/11/30/noscript/" target="_blank">A guide to using NoScript 10.x</a></li> <li><a href="https://noscript.net/forum/?t=23974">A basic guide to NoScript 10</a></li> </ul> <h3 id="limitations-on-chromium" tabindex="-1">Limitations on Chromium</h3> <p>The API exposed by Chromium to browser extensions is not as powerful and flexible as its Firefox counterpart. 
When Mozilla switched from "all powerful" add-ons to the WebExtensions tech (their "clone" of the Chrome Extensions tech), they contracted me to <a href="https://bugzilla.mozilla.org/buglist.cgi?classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&query_format=advanced&product=WebExtensions&list_id=17331459&email1=maone&emailtype1=substring&emailassigned_to1=1&resolution=FIXED" target="_blank">help design and implement</a> improved versions of <code>webRequest</code> and other APIs, specifically suited to support privacy and security extensions like NoScript. This already gives Firefox a significant advantage in Manifest V2, and the difference <a href="https://www.eff.org/deeplinks/2021/12/googles-manifest-v3-still-hurts-privacy-security-innovation" target="_blank">gets worse with Manifest V3</a>, especially hurting privacy and security innovation. Therefore, even if NoScript is compatible with most browsers, some of its most advanced features are available only on Firefox and its derivatives, such as the <a href="https://torproject.org" target="_blank">Tor Browser</a>. 
In detail, these are the current limitations imposed on NoScript by Chromium-based browsers such as Google Chrome, Edge or Vivaldi:</p> <ul> <li><strong>The Injection Checker XSS filter</strong> ("Sanitize cross-site suspicious requests") <strong>is disabled</strong>, because there's no asynchronous blocking <code>webRequest</code> API.</li> <li><strong>The Cross-tab Identity Leak Protection (TabGuard) is unavailable</strong> (same reason as above).</li> <li><strong>The LAN protection works for numeric IPs but cannot resolve domain names</strong> (no viable DNS + request interception API combo).</li> </ul> </main> <footer> <div class="copyright"> <p>© 2025 Giorgio Maone.</p> <p> <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" /></a> <br /> This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>. </p> </div> <div id="social-verification"> <a rel="me" href="https://mastodon.social/@noscript"></a> <a rel="me" href="https://todon.eu/@ma1"></a> </div> </footer> </body> </html>