Should I use No-Script?

Definitely!

Attackers can use malicious scripts to perform multiple attacks such as XSS:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users...

Read more in wikipedia.

NoScript gives you the power to control all the scripts on a web page (or a website) and the plugins it uses, such as Flash, Java, etc. You add trusted sites to a whitelist and the others are not allowed to run scripts, unless you let them (temporarily or permanently).


A question and its answer on the NoScript website (FAQ) can provide some clarification:

Why should I allow JavaScript, Java, Flash and plugin execution only for trusted sites?

JavaScript, Java and Flash, even being very different technologies, do have one thing in common: they execute on your computer code coming from a remote site. All three implement some kind of sandbox model, limiting the activities remote code can perform: e.g., sandboxed code shouldn't read/write your local hard disk nor interact with the underlying operating system or external applications. Even if the sandboxes were bulletproof (not the case, read below) and even if you or your operating system wrap the whole browser with another sandbox (e.g. IE7+ on Vista or Sandboxie), the mere ability of running sandboxed code inside the browser can be exploited for malicious purposes, e.g. to steal important information you store or enter on the web (credit card numbers, email credentials and so on) or to "impersonate" you, e.g. in fake financial transactions, launching "cloud" attacks like Cross Site Scripting (XSS) or CSRF, with no need for escaping your browser or gaining privileges higher than a normal web page. This alone is enough reason to allow scripting on trusted sites only. Moreover, many security exploits are aimed to achieve a "privilege escalation", i.e. exploiting an implementation error of the sandbox to acquire greater privileges and perform nasty tasks like installing trojans, rootkits and keyloggers. This kind of attack can target JavaScript, Java, Flash and other plugins as well:

  1. JavaScript looks like a very precious tool for bad guys: most of the fixed browser-exploitable vulnerabilities discovered to date were ineffective if JavaScript was disabled. Maybe the reason is that scripts are easier to test and search for holes, even if you're a newbie hacker: everybody and his brother believes they are a JavaScript programmer :P

  2. Java has a better history, at least in its "standard" incarnation, the Sun JVM. There have been viruses, instead, written for the Microsoft JVM, like the ByteVerifier.Trojan. Anyway, the Java security model allows signed applets (applets whose integrity and origin are guaranteed by a digital certificate) to run with local privileges, i.e. as if they were regular installed applications. This, combined with the fact there are always users who, in front of a warning like "This applet is signed with a bad/fake certificate. You DON'T want to execute it! Are you so mad to execute it, instead? [Never!] [Nope] [No] [Maybe]", will search, find and hit the "Yes" button, caused some bad reputation even to Firefox (notice that the article is quite lame, but as you can imagine had much echo).

  3. Flash used to be considered relatively safe, but since its usage became so widespread severe security flaws have been found at a higher rate. Flash applets have also been exploited to launch XSS attacks against the sites where they're hosted.

  4. Other plugins are harder to exploit, because most of them don't host a virtual machine like Java and Flash do, but they can still expose holes like buffer overruns that may execute arbitrary code when fed with a specially crafted content. Recently we have seen several of these plugin vulnerabilities, affecting Acrobat Reader, Quicktime, RealPlayer and other multimedia helpers.

Please note that none of the aforementioned technologies is usually (95% of the time) affected by publicly known and still unpatched exploitable problems, but the point of NoScript is just this: preventing exploitation of even not-yet-known security holes, because when they are discovered it may be too late ;) The most effective way is disabling the potential threat on untrusted sites.


In theory you can get viruses on Linux and Mac OS. The reason most people don't is because Linux and Mac OS are not big targets. The malware writers want to cast a wide net with minimal effort. Secondly, Linux/Unix offer more in the way of security and better informed users (in general). That being said, I use Flashblock and NoScript on Windows, Mac OS X and Ubuntu at all times. Pages load faster, and it helps with online anonymity by preventing flash cookies and all manner of other issues. I highly recommend them, regardless of platform. At minimum they make you more aware of what pages are trying to do.


I use NoScript regularly on Firefox, and recommend it for daily use.

It doesn't block ads, so you still support the site costs for their administrators.

However, it does block flash ads, greatly reducing your CPU load when browsing (provided that you have the flash plugin installed).

You can individually allow content to run, so most video sharing sites will start to work after you allow the scripts related to video playback (this may take a bit of guessing if there are several scripts on the page). The permissions you grant may be temporary for the session, or permanent, so the site will work unless you decide to block them again.

When filling out forms such as site registrations, it's a good idea to allow the scripts before filling out the forms so you don't have to repeat your work. Allowing a script on a page forces a reload of the page.

The most important protection NoScript grants you is from malicious sites that try to change your window size, post content to social sites or do anything else unwanted. NoScript changes the default action to denied, and you can choose per-site if you judge that the scripts are trustworthy.

Here's the install link for Firefox: https://addons.mozilla.org/en-US/firefox/addon/noscript/
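The default-deny, per-site allowlist model the answers above describe (trusted sites allowed permanently, others only temporarily for a session, everything else blocked) can be seen in a simplified form below. This is an added example, not NoScript's own code, and it models the policy by script origin only; the page HTML, site names and policy are constructed for illustration.

```javascript
// Constructed page: a video site pulling its player from a CDN, plus an
// unrelated tracker script and one inline script. Not a real page.
const PAGE_HTML = `
  <script src="https://video-example.test/player.js"></script>
  <script src="https://cdn-example.test/player-core.js"></script>
  <script src="https://ads-example.test/track.js"></script>
  <script>document.title = "inline script on the page";</script>
`;

// Collect the origin each script would execute from; inline scripts
// belong to the page's own origin (simplifying assumption).
function scriptOrigins(html, pageOrigin) {
  const re = /<script\b([^>]*)>/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    found.push(src ? new URL(src[1], pageOrigin).origin : pageOrigin);
  }
  return found;
}

// Default deny: an origin runs scripts only if it is on the permanent
// trusted list or has been allowed for the current session.
class ScriptPolicy {
  constructor(trusted = []) {
    this.permanent = new Set(trusted); // kept across sessions
    this.temporary = new Set();        // dropped when the session ends
  }
  allowTemporarily(origin) { this.temporary.add(origin); }
  allowPermanently(origin) { this.permanent.add(origin); }
  endSession() { this.temporary.clear(); }
  isAllowed(origin) { return this.permanent.has(origin) || this.temporary.has(origin); }
  evaluate(html, pageOrigin) {
    return scriptOrigins(html, pageOrigin)
      .map(origin => ({ origin, allowed: this.isAllowed(origin) }));
  }
}

// Walk through the "guessing" a user does to get a video site working.
function demo() {
  const page = "https://video-example.test";
  const policy = new ScriptPolicy(["https://bank-example.test"]);
  const before = policy.evaluate(PAGE_HTML, page);      // all four denied
  policy.allowTemporarily(page);                         // first guess: the site itself
  policy.allowTemporarily("https://cdn-example.test");   // second guess: the player CDN
  const after = policy.evaluate(PAGE_HTML, page);        // tracker still denied
  policy.endSession();                                   // temporary grants vanish
  return { before, after, afterSession: policy.evaluate(PAGE_HTML, page) };
}
```

Note that the tracker script stays blocked even once the video works, which is the point the third answer makes about the default action being "denied".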