This is the reason why I've adblock and noscript. Never again loudass videos when I just want to read something.
edit: noscript is for firefox, blocks all scripts, which can be either temporarily or permanently unblocked, for each address separately. For example, you can unblock a video (after you found out which address is for the specific video), without unblocking all other videos on the side, as long as they're from a different address. This is most of the time the case, as ads have their own address.
Hahaha even logs you out of MySpace. For those who are curious, just requests the logout url of the sites listed below. It does not clear your cookies but just loads a page in the background to log you out of all of the sites. This should stress the importance of using something like NoScript, in which I had full confidence it would not log me out of any of the sites.
Shame in using an ad-blocker? Wut?
It's --current year-- everyone should be using a damned adblocker. And I hope a lot of you are using noscript/umatrix/requestpolicy.
The thought of people browsing the interwebs without an adblocker makes me want to go to the costume store and buy the neckiest beard they have so I can sit on my porch with a Tandy 1000 and a shotgun while telling you damned kids to get off my cyberlawn.
I use NoScript to be able to block JavaScript, and it is sometimes absurd how many different websites all want to load a bit of JavaScript. On top of that, you find Googletagmanager on just about every website, which makes it a piece of cake for Google to follow you everywhere on the internet.
I don't like it at all, and given the current advertising market I am a strong supporter of adblockers.
Only install apps from the Play Store (or trusted sites like apkmirror.com).
Don't install random apps from the Play Store - check the permissions it requires, and preferably see if there are any articles or reviews about it on Android Police / Android Central. Do NOT trust Play Store reviews. As a rule of thumb, avoid apps that claim to speed up your device, "boost" your RAM, remove malware, save battery etc. Avoid all apps made by Cheetah Mobile (aka CM) and PSafe.
Use a system-wide adblocker like AdGuard or DNS66. Enable filtering malware domains.
Install Firefox with the NoScript add-on, and use this when you're doing random Google searches, or you're browsing random websites.
Fuck Altice
I noticed they were injecting javascript content into http connections just yesterday. I use noscript to block javascript and IP addresses started coming up in the permissions list. This is weird because most websites have content linked by domain.
The sepsis. But are you on a PC? You should get ghostery and noscript, they work wonders. Not sure if there are similar solutions for mobile but I think there's a ghostery app for android.
May I introduce you to NoScript: https://noscript.net/
If you use Firefox (not sure if available for chrome or the rest) https://addons.mozilla.org/en-US/firefox/addon/noscript/
This prevents all the background shit from even connecting. I'm fairly certain that this is the reason I haven't had any issues with my Ad Block in the wiki site. I also run uBlock Origin on top of it all. The ONLY place I ever get any crying about Ad Block is some News sites that have videoclips in them and they recognize the Ad Block via the videoplayer after allowing the usage of that player.
Seriously though, noscript gives an insanely better user experience over any website and provides a ton more security against any malware that might be lurking on sites. Only allow the website's main domain to load scripts. It will take some time to get used to if you have no prior experience/understanding of how websites acquire the content behind the curtain. Most of the websites have a separate database domain (usually something like (websitename)cdn.com), which you usually need to allow too.
Edit: It can also work as a great improvised tool. Example: Open this http://warframe.wikia.com/wiki/Update_19 You want to search with a keyword from ALL of U19 patches? -> DENIED, since you need to EXPAND each patch separately before you can search within the page, but if you disable the allowance for the wikia.com and wikia-beacon.com, you get the clean version of the site where all text information is available for search.
Or just uninstall Flash altogether, you don't really lose anything and you plug a massive security hole.
edit: for a good reason why, the other day somebody hacked Imgur and used a Flash exploit to make people visiting Imgur into a pseudo-botnet and DDOS 4chan.
I would also strongly recommend NoScript which prevents websites from executing Javascript on your PC without your permission.
I think /u/bluej10013 misinterpreted /u/azbyxc102938's comment.
The add-on NoScript will not necessarily be killed, just some APIs that NoScript might be using.
NoScript itself is an add-on for Firefox that would prevent websites from running certain Javascripts. For instance, NoScript could block Google Analytics or certain javascript-based ads from working.
The user can customize NoScript a lot. It's a little bit of a power-users add-on. It is similar to Ghostery.
My goodness, how have you not heard of uBlock Origin and NoScript/ScriptBlock yet?
Some people might not know, but e621 has an HTTPS (aka safer, encrypted) version for those interested, in case you feel like the FBI is watching you fap. I also recommend getting HTTPS Everywhere, which you can get for Firefox, or Chrome, which will force pages to be HTTPS if available. NoScript is also worth mentioning, which prevents execution of elements coming from (the) site(s) unless you allow them.
Stay safe and happy browsing!
uMatrix and NoScript do separate things. uMatrix blocks individual domains and the connections to them. NoScript will allow the connection (I think) but doesn't execute the script.
You can use them in tandem. Block scripts from being downloaded with uMatrix, and then if you want to fine-tune exactly which scripts from a specific domain are executed, you can specify them with rules in NoScript.
It's a pain, but ya.
> it is a way around the protections noscript offers so it is TECHNICALLY a bypass.
It is a bypass, but NoScript doesn't pretend to provide any type of active protections against this kind of bypass. The way that the Anti-XSS feature works is clearly explained. It is clearly stated there that NoScript does not block XSS content from sites not marked untrusted to a trusted site - it is Firefox that ends up doing that, based on the same-origin policies provided by those websites. NoScript doesn't even check those policies at all, let alone trying to detect if a trusted site is vulnerable to XSS and blocking it. The only way around this would be for NoScript to treat every non-whitelisted site as untrusted, but that would only cause more problems than simply letting Firefox handle this case.
The IFRAME thing (allowing IFRAMEs to run Javascript while the parent document had Javascript blocked), I think, was also a vulnerability in Firefox, which was fixed a long time ago. If not, then NoScript does have an option to block IFRAMEs on non-whitelisted sites.
Nah, just kidding. I use [enterprise-grade](/r/ubiquiti) router/firewall, switch, and AP, configured with decently strong security (for a [simple flat LAN](/r/homenetworking), anyway, I don't segment the network yet). I have my own [DNS filter](/r/pihole), which feeds to my router for any local hostname resolution before being sent upstream to Quad9 instead of my ISP's DNS.
I also segment my /24 so that all my devices are set on assigned IP addresses with logical groupings (these devices are in this range, those in that range, etc), leaving only a small DHCP pool for new clients (new devices yet to be assigned, or guests). I also have alerts on my AP so that I am aware of new devices connected, in case someone finds a way on to my network.
I use multiple browsers for different purposes and threat models, and apply [HTTPS Everywhere](/r/eff/) and NoScript on them. One of the browsers has a VPN which I enable for some things but may or may not enable in other cases.
I also have a small server with some VMs, each with different purposes. Some are kept offline, some are online, but connected to the ISP only through a VPN. Others are LAN-only.
I keep all systems that touch the Internet up-to-date with the latest patches. Local devices I often run in custom configurations, such as modified firmware.
I use strong passwords and 2FA on all critical systems. And my 2FA does not rely on anything vulnerable to SIM-jacking.
Android: Firefox + 2 addons: NoScript + uBlock Origin (There's 2x uBlock 1 with and 1 without the origin part. Origin is the one getting updates.)
uBlockOrigin https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
NoScript (mobile version) https://noscript.net/nsa/
If "Hendl" is supposed to be "Handy" (mobile phone), then install uMatrix and uBlock for Firefox - anyone using a different browser: switch!
https://addons.mozilla.org/en-US/android/addon/ublock-origin/
https://addons.mozilla.org/en-US/android/addon/umatrix/
Apparently there are now NoScript solutions for Android too, but I don't use them https://noscript.net/nsa/
Noscript's available for Quantum now. It doesn't show up if you search addons for Noscript so you have to go to the official site and drag the download link to your address bar to install it.
It's different than it used to be though. Hopefully they're still working on it.
The most common access is through the web browser. Ads.
Use an ad blocker, disconnect, and if you really want to take it home NoScript.
These are things you can do. I use multiple browsers for things I want to do. Protections I want when cruising the web. Sometimes I want, sometimes I don't. These are things you can do. Kick ass!!
From noscript.net :
>Later today NoScript 10, the first "pure" WebExtension NoScript version, will be finally released for Firefox 57 and above, after years of work and months NoScript 5.x living as a hybrid one to allow for smooth user data migration.
Your biggest problem is not going to be the browser so much, but that every webpage wants to be dynamic with tons of javascript running.
To that end, whatever browser you choose, just be sure to disable javascript or better yet run NoScript so you can allow necessary JS and block what's unnecessary.
As far as a lightweight browser: try Midori. If it doesn't work out for you keep looking around
NoScript can be a bit of a pain in the rear, but I don't know how people can sleep at night without it.
There are legit sites I wind up just throwing my hands up in the air and permanently avoiding after enabling a dozen top level scripts, then confronted with a dozen more to enable, then a wall of third level scripts...NFL dot com I am looking at you.
Thank you so much! I didn't hear about this at all. According to the post, this attack has been fixed, but there may still be vulnerabilities; I would suggest installing Noscript and blocking scripts from running on Tor.com. It seems like there are similar potential issues for any site using Wordpress plugins; it's also possible to block wp.com from running scripts.
>XSS and Clickjacking protection
is unfortunately deactivated when globally allowing scripts (At least that's what people told me. Would need to read up about it at https://noscript.net/features#xss)
If you have Firefox or Chrome any of the javascript blocker plugins will usually do the trick, or at the very least get rid of the absolute worst of the modal windows, popups, auto-play videos, and other garbage they seem intent on smearing all over their page.
I wouldn't mind one or two ads here and there but all of the local TV and newspaper websites in the United States are atrociously over-burdened with ads and popups. I don't know who's teaching user experience and design to the folks maintaining these pages but they need to be tried for war crimes and violating the Geneva Conventions.
BTW for the nincompoops suggesting that OP just pay the $1, paying that doesn't get rid of all the ads.
Depends
Do you allow all first party scripts? If so, some tracking scripts may be first party and Privacy Badger may block them even though you've allowed them through UM/NS/UBO (I hope you mean uBlock Origin). Same for if you whitelist an entire site.
There's also some merit to keeping NS even if you have UM/UBO. NS has better protection against XSS, ClearClick, ABE. https://noscript.net/faq
In the Chromium/Chrome web browser, the Canvas feature can be turned off entirely with the --disable-reading-from-canvas flag, e.g. on Windows by launching the application with that snippet of text appended to the shortcut's target (the path to the actual exe file). Similar flags include:
--no-referrers, prevents a website from seeing which page you arrived from.
--disable-remote-fonts, prevents identification based on installed fonts.
--disable-webgl, the WebGL feature can also be used for identification.
It is worth noting that these settings break the appearance of some sites. Not nearly as badly, however, as browser extensions like NoScript, for example.
Look at the header at https://noscript.net/ "PC Slowing you down... Free scan". I bet all us NoScript users are the perfect audience for that crap right? :-/
What's worse is he has taken a lot of effort to put that (and other ads) in the past on his site so that they aren't blocked by NoScript, Adblock Plus or any of the other solutions.
It's one thing to show ethical ads. Everyone has to make a living. But it is just insulting to have the person making a product deeming to protect you from malware/adware spend a bunch of effort on putting ads on his landing page that direct you to malware/adware ridden products so that he can make money off of you. Have you ever stopped to consider why NoScript will almost always open up a new tab in FF every time you restart it or update it and take you to this landing page?
I would suggest Firefox over Chromium: Google as a company is not to be trusted, Chromium is open source but still based on Chrome.
NoScript is an invaluable extension that will block all scripts, very useful too.
Once again, I can't say it enough, do not trust Google. Use DuckDuckGo instead if you need to search, lock down your privacy settings on Google and take great care with what you connect to it.
Sure, I personally use Firefox so not all of these may be applicable to you.
Ublock Origin, with the privacy filters configured correctly
HTTPS Everywhere (honestly this should be installed by default in every browser as it just adds extra security with almost no down sides)
Cookie Monster. This works much like Noscript but instead of JS it controls Cookies. It can actually make sites work better if they are made poorly. Like say a News site that only lets you read 30 articles a month without paying. However the counter is stored as a cookie. Suddenly when you block it from creating that cookie you can read as many as you want. Cookies are also used for tracking. But they are also used for important things like session handling. Which is how a site knows to keep you logged in between pages. As such most sites only require session cookies.
Some sort of Header modification Addon. But this is more of an advanced thing and I would not recommend it unless you are willing to look up how HTTP headers work.
As for learning about Noscript. The best place is the site of the guy who makes it. Although I believe it does not exist for Chrome, but there are similar addons for other browsers.
> I can't even choose to allow scripts from a certain domain only on a specific page.
I think you can, by writing an ABE rule. uMatrix definitely has the better UI for it, though. I've also used RequestPolicy, which comes with some optional rule sets that allow things like requests to external domains that belong to the owner of the origin domain, so popular web sites often work out of the box.
I don't block ads. I block javascript (https://noscript.net/) because I only want to run code from entities I've chosen to trust. If you want to know I've seen your ad, analyze your server log to see if I've downloaded your image. If you want to know where I saw your ad, you can put that in the URL for your image. Only after you've established trust will I run your obfuscated javascript.
You might not be qualified to make these decisions... ;)
Don't delete flash. Disable it in your browser.
This way if you come across a site you need to access, but they still use flash, you can simply enable it and use the site as needed.
Lots of places are still going to have flash for the foreseeable future. It's just that we're trying to move away from flash (at a snail's pace). Disabling it, or running an add on like No Script is the best way to protect yourself, but still have access if you need it.
Slightly less practical, but NoScript is a good alternative for those who want full control themselves. Here everything is blocked, and you allow scripts on the pages you visit as you go. The program remembers what you have allowed, so it is mostly only when you are on new pages that you have to do anything about the permissions.
Noscript can help with some things. Makes the Web a different place. Only real solution (other than embracing the convenience) are anonymizers like Tor/I2P, or completely different networks (Freenet, other "darknets"). I personally don't like Javascript running, so Noscript works for me.
I think the site without them would be blank and it's trying to give you links to follow so you can still use the site. It works well when there's a redirection script blocked.
I found the official explanation:
>JavaScript links auto-detected on an otherwise empty page or sub-frame where JavaScript is disabled. If you don't want to see that anymore, set the noscript.jsredirectIgnore about:config preference to true. Additionally, any invisible link or button is forced to be displayed, unless at least one navigational element is present.
>The rationale behind both features is making basic navigation possible on pages which don't degrade gracefully without JavaScript.
> Malvertising is a nasty problem. It’s hard to track. Because of ad targeting (e.g. location, mobile vs desktop, 3G vs Wi-Fi, web browsing history, etc), different users see different ads and different ad campaign are active in different time. Moreover, one third-party ad network script usually loads content from dozens of other partner networks and trackers behind the scenes. For example, recently we worked with a site whose homepage had scripts from 8 different third-parties (ads and widgets) — when loaded in a browser, that single page generated over a thousand HTTP requests to resources on 249 unique domains — 99% of which belonged to various ad networks and trackers. Maybe this is an extreme example, but requests to 30-40 unique domains initiated by ad script is quite typical.
Instead of trusting hundreds of unknown domains to silently install and run software on my computer, I'm just going to block them by default. Sorry for your lost advertising revenue, but maybe you should find an honest line of work.
Good time to plug NoScript extension for Chrome/Firefox. I use it on all the sketchy sites on the net, but especially wikis (since anyone can edit those to add malware).
Some sites might require you to enable JavaScript in Tor Browser to complete CAPTCHA challenges.
In Tor Button/Security Settings/, if the security slider is set at Safest, move the slider to Safer (or Standard) and refresh the browser.
In the menu in the NoScript button (see: NoScript 10 primer by Jeaye), select the Temp. TRUSTED button corresponding to the domain(s) with which you have a connection, e.g., Temp. TRUSTED reddit.com, Temp. TRUSTED redditstatic.com
If you still cannot get past the CAPTCHA, select Torbutton/New Identity. Tor Browser automatically will close, delete all browser cookies, and restart. Or, you can quit Tor Browser to clear all cookies and restart.
The extra things like XSS, Clearclick/Clickjacking and ABE happen in the background, even if the site is set to allow scripts. So even if you set NoScript to not block anything (and you won't have to configure this for every page), you still get XSS etc protection. I prefer uMatrix's UI so I have them both installed, use uMatrix to block scripts and keep NoScript for the above benefits.
The new version is missing the XSS protection and ABE stuff
The developer said he's open to suggestions on the UI. It does seem rushed, but Mozilla didn't finalize some of the APIs required until very close before the release - some still aren't there, which is why we don't have the missing features.
uMatrix has a nicer UI, and if you're just looking for something to block scripts/frames/cookies whatever, that's a good replacement.
Focus is essentially equivalent to just running Android Firefox in Private Browsing. Both of those will clear your history and Cookies and such, and come with Tracking Protection.
The biggest difference between them is that Focus uses Android's WebView as browser engine, which is far more commonly used than Gecko (probably actually overall, but at the very least on phones for sure), so that would make it less prone to fingerprinting.
But from what I've heard, it actually identifies itself as Focus in its user-agent string, so it sort of depends on how much it takes off. From what I've heard, the response on iOS was huge, and the response on Android so far also seems to be enormous, so it might actually become more often used than Android Firefox, therefore making the Focus user-agent string less unique, less fingerprintable.
Android Firefox however has extensions. Things like NoScript, Decentraleyes, Privacy Badger, various user-agent switchers etc. can provide further privacy protections.
It's also just a less crippled browser, i.e. it has tabs and you can keep a browsing history, if you want, by instead of using Private Browsing, installing a Cookie cleaner add-on and turning on Tracking Protection in normal browsing ("privacy.trackingprotection.enabled" in about:config).
As for what I personally use: Both.
I have Focus set as my default browser, so that links that I click on in apps will open up in it.
And when I need to look something up, I use regular Firefox.
This splits my internet usage up into two browsers, making it a lot harder to piece together.
Also, it's just convenient. Focus loads up really quickly and you don't get random tabs cluttering up your Firefox.
I'm not getting any warnings on Windows 8 with Firefox. I use NoScript and uBlock Origin. The only third party cookie I see is for Google Analytics.
I would highly recommend everyone get a plugin that blocks all javascript. I have to manually white list scripts on websites. This provides protection against websites serving malicious ads or outright skullduggery.
Cookie Grabbers aren't the most common way of cheating anymore (I don't know if they ever were), but they're still around. I use NoScript, which is a browser addon that keeps scripts from running without your permission. I let the known ones run so that sites function properly, but there are a whole bunch of scripts that I'm glad NoScript blocks for me.
get noscript (firefox) or safescript (chrome). They remove everything you're complaining about and are very customizable, plus plenty of people can still get revenue while using these; just unblock double-click.net.
I previously used Ghostery, but now I prefer a different tool to see what is trying to run on my machine without my knowledge: NoScript.
The website looks scary, but once you see what's going on under the hood, I don't think you can look back.
I switched from Ghostery to NoScript, because Ghostery is owned by an advertising agency. Seemed suspicious at the time. NoScript fulfills all the needs Ghostery fulfilled for me, but I rest more comfortably knowing there are no conflicting interests.
NS for pm looks to be available here
The error you are seeing is nothing to do with pm build. It's to do with the blocklist.
Change settings on the security tab in prefs and you should be good to go
Not necessarily. A lot of .onion sites are non-JavaScript, so they don't require them to be enabled. For instance, the Dread forum (which looks a lot like Reddit), can be used without JS. However, some other sites require it. There's a site that I moderate on called Psycho Social Network, and you can't log into it without enabling JavaScript. I don't think you really "miss out on much." This site explains the plugin a bit more: https://noscript.net/
noScript, the classic legacy addon v5.1.8.5 still works perfectly
https://noscript.net/getit#classic
all the "old" legacy add-ons blocked by Firefox Quantum are still working on Waterfox...
Many legacy add-ons are still better than the new WebExtensions for Firefox (Quantum)... That is due to the fact that the WebExtensions APIs have some limits...
So, at least until the next version of Waterfox (based on Firefox 60ESR) is ready, it's still better to install the legacy version of your extensions signed for Firefox 56
while if you want to try to use WebExtensions (removing the compatibility check) for Firefox Quantum, you need to do this step:
about:config
right click new Boolean
>extensions.checkCompatibility.56.2
and set it to false
NoScript offers Anti-XSS protection, ClearClick protection, and ABE. This was my main usage of NoScript. It wasn't to block scripts because of resource usage or anything like that. It was to block scripts for security purposes and get protection like Anti-XSS.
Without sandboxing I was not confident in using Firefox without these protections.
You can't allow google-analytics.com only on pages pulled from reddit.com for example, it's not its default way of working. If you want this, you have to go into ABE to craft rules, which is far more off-putting to use than point-and-click.
NoScript is one browser extension which has been featured extensively in privacy and security-oriented literature.
Secondly, please read this article from the people in charge of UK government websites. Even if visitors don't explicitly disable JavaScript you still run the risk of your JavaScript code not reaching them. Their estimates were in the range of 1%.
Like I said, it depends on what kind of site you run and whether you run your own measurements (good idea) or are willing to trust somebody else's (not so good). But no matter what kind of website you run, its purpose is to reach people. Not being able to do that goes against the whole point. If there's an easy fix, or a way to at least let them know something's wrong, why not do it?
I'm not sure your understanding of XSS is correct... I recommend reading these two articles, the first explains XSS, and the second explains how noscript tried to mitigate the risk.
/u/barrett777
I see that a lot of people are complaining about malicious ads. I've never had that issue with your site, but I remember back in my more paranoid and piratey days, I would run AdBlock and NoScript.
Wouldn't something like one of these two add-ons allow people to whitelist your site but then set it to never run any scripts other than the ones needed for your page?
https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en-US
If so, then maybe you can make a big button on the front page that has a tutorial or you could even make some settings for the above add-ons that would work on your site to disable all non-relevant scripts, like how you can download additional lists or filters for AdBlock?
https://noscript.net/
It is a firefox plugin that gives you control over whether you want to execute scripts like javascript or flash from a certain host. This is nice to have, because most javascript is unnecessary or just there to annoy visitors who maybe stumble upon a website.
In this case I don't see why a news website would need javascript, so it doesn't get to execute it. Given that I don't see the adblocker blocker /u/FishGoBoom mentioned it is safe to assume that this is done using javascript.
> Do you have the ability to allow ads with uBlock?
I'm not sure about uBlock, but with uBlock Origin you do. If you click on the button that appears in the navigation bar you are presented with a big power symbol which will disable blocking for the page you are currently in.
You should also run NoScript and only allow domains you trust. This will break most websites until you allow the domain that hosts the content but will give you some control over what does and does not load in your browser.
The combination of those two and some basic firewall in your router will go a long way to keeping your basic browsing safe.
Try installing something like https://adblockplus.org/ and consider using https://noscript.net/ as well.
These two tools will prevent most everything that can carry malicious code from starting when you open a page. There is a learning curve with NoScript and it makes some sites unusable without whitelisting. It's up to you to decide if you wish to allow scripts to run on every site. Without NoScript you don't get this choice. For many these two tools are too much trouble to use. Read and learn about them before installing as you do with every bit of code that you willingly install. ABP stops most ads without your input and it's easy to learn.
For anyone who doesn't know, there's an add-on for Firefox and my preferred browser, Pale Moon, called NoScript that blocks things like Google Analytics.
It can be annoying trying to figure out which scripts to turn on to restore functionality to some pages, but it's well worth the trouble in my opinion.
A browser add-on/extension that blocks JavaScript from executing on sites and domains until you explicitly allow them. You can selectively enable scripts for domains you trust and leave others blocked.
You'll be surprised at how many sites have scripts running from many other domains on them. Some are simply for specific functions, e.g., operating toggle buttons; others are for ads, and some for specific cloud server/video functionality. Then there are ones that are more suspicious.
Edit: see https://noscript.net/
I'm not really an expert on XSS and how the different protections work. From my limited knowledge I believe NoScript 'scans' your whitelisted scripts as they are running and makes sure that any malicious change in those scripts is blocked.
From what I understand uMatrix only offers a block or allow option. So if you run a whitelisted script and it has a malicious change uMatrix does not detect and block it.
Hopefully someone more knowledgeable can come in and offer better explanations.
You can also read more here
"NoScript features unique Anti-XSS counter-measures against XSS Type 0 (DOM based) and XSS Type 1 (Reflective, absolutely the most common) attacks targeted to whitelisted sites.
Whenever a certain site tries to inject JavaScript code inside a different trusted (whitelisted and JavaScript enabled) site, NoScript filters the malicious request neutralizing its dangerous load."
Correct. NoScript blocks java and flash by source website. Going to something flash/ad-heavy like a porn site could have a dozen or so third-party nested sites running at once. Using NoScript you can block everything except the primary site and wherever hosts the video and no weird shit. It's not 100% perfect but is better than nothing. I don't know if there are comparable or better options to NoScript, but it works great!
Facebook's an evil corporation. This news is unsurprising. If you don't want them to track you, install a browser add-on like Disconnect or NoScript.
As I have mentioned above, if you throw in ?nowrap to the download link, you can still get a clean version, though you really shouldn't have to do that. :(
Additionally; interestingly, in my testing, if you have noscript or similar installed and don't allow scripts from fsdn.com on the sourceforge download page, it would appear you never even get offered the wrapper, you will always get the full download link, even without ?nowrap, even if it says you are going to get the SourceForge Installer.
Less effective than NoScript, but more targeted, which typically leads to a better experience browsing a variety of websites in my opinion.
- From what I have heard, uMatrix is no longer being supported unfortunately, so I haven't used it.
- Anti-XSS is supposed to be "cross-site scripting attack" defense. More and better info is available on the NoScript website. They claim that NoScript is the only proper solution to protect against XSS. I'm not all that knowledgeable on this topic, so you may be right that uBlock covers this specifically.
I got sent this link an hour ago, it prompted me for Steam Credentials, so I decided to look the website up on the clearnet. Despite claiming to have major corporate sponsors, there were no hits on Google.
Looking further into the site, it's trying to run scripts from webdev0 dot com, which is a Russian phishing service.
Bottom line: Browse the internet with scripts disabled. Many easy ways to do that, like with NoScript.
I don't know if it's NoScript or uBlock Origin, but I don't see preroll ads on Youtube any more. Lots of sites load a lot faster too, since I don't have to wait for half a dozen slow-as-fuck analytics pings and facebook tracking images on every single page load. The loading speed is the main reason I use these; ads themselves don't bother me that much.
I'd say, common sense. Don't eat away your system performance with multiple AVs. Use uBlock Origin, HTTPS Everywhere, Privacy Badger and Decentraleyes extensions on all your browsers. For those interested in fiddling even more, install No-Script too. Noscript gives you fine grained control over which scripts your browser runs so only trusted vendors are manually allowed/whitelisted. This mitigates so many vulnerabilities automatically!
> The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks, "Spectre", "Meltdown" and other JavaScript exploits. Fx52?
> https://noscript.net/getit
You'll never get a malware. Well, I haven't..
Which is when this happened to me a few years ago I finally installed https://noscript.net/ I had always been subscribed to the idea that the internet needs to be paid for, and ad blockers were somewhat unethical because of this. However if ads block the text you are there for in the first place ads need to be blocked...
Facebook wants to have all your data, but doesn't want others to have, as that would decrease its value, and they'll sell that data later.
Vice is selling the opportunity to collect your data, they'll have as many trackers as possible.
Since you're aware of how many trackers were there I'm sure you have some form of script blocking, for others, I recommend getting one.
I use No Script, but I'm sure you can find one that suits you better if you don't like it.
Don't need Badger if you have Possum.
I use both NoScript and uMatrix. I set NoScript to globally allow everything through though, on every site, then allow uMatrix to handle the fine grain control over what is and isn't loaded.
This is because NoScript offers some protection against XSS, ClearClick, ABE and ClickJacking, even on sites that are whitelisted. More info can be found here https://noscript.net/faq
100% for certain, Reddit works when using TorButton/Security Settings/Safest. However, after you log in to your Reddit account, when using the setting: Security Settings/Safest, you cannot submit posts, comments, or replies on Reddit unless you first select NoScript/Temp.TRUSTED/reddit.com and NoScript/Temp.TRUSTED/redditstatic.com
See https://noscript.net → "NoScript 10 primer by Jeaye": https://blog.jeaye.com/2017/11/30/noscript/
No script and uMatrix do the same thing, NoScript has extra protection against XSS, clickjacking
uBo makes privacy badger redundant from my testing (having both installed after 3 months PB hadn't blocked a single tracker) and also NoCoin, just turn on all the filters in the settings
uBo in medium mode does what uMatrix does but I prefer the UI of uMatrix/NS
I believe DDG is basically PB and HTTPS Everywhere combined
Kaspersky is possibly a huge privacy issue, actively scanning every site you visit and could possibly be uploading that to their servers (who knows with closed source, many AVs have done the same. Didn't Kaspersky do Chrome's built in scanner that does upload data?)
For those of you who see this and now realize that they don't like this on any site, get addons for your browser like NoScript and/or uMatrix.
With these you can pick and choose which scripts/embeds you allow to work on the site and which you block from executing. This way you can stop stuff like Google Analytics, HotJar, etc. from getting your data. Plus it also helps block ads and other possible virus-like scripts from doing whatever they want via your browser.
Some tools to fight these tools:
HTTPS Everywhere https://www.eff.org/https-everywhere
NoScript https://noscript.net/
Firefox blocks most by default and the browser extension noscript allows you to block ads full stop, because it only allows whitelisted scripts to run and ads rely on javascript to run.
https://support.mozilla.org/en-US/kb/install-older-version-of-firefox
If noscript is already upgraded you have to uninstall the new version and install the classic version from https://noscript.net/getit
I simply don't understand the interface and it's weird that a new tab has to be opened just for allowing or denying scripts on websites.
What options do we have? IceCatMobile that is built from the latest FF ESR? And then install the old https://noscript.net/nsa non-webextension addon?
Not yet. But they said it would come out by the end of (last) week. I think it should come out in the next few days, because they had some difficulties porting the code, it seems.
You can read more on the site. https://noscript.net/
At https://noscript.net/getit#devel this little tidbit is in a box marked "Important":
> Before Firefox 57 is released in the stable channel, a pure WebExtension NoScript will be available and you'll be automatically migrated to it.
So it looks like you will be covered.
I surf the internet with NoScript addon.
Sorry, I didn't even know there even was a video on that page. :)
But looking at it again, yes there's a blank spot for it, so I suppose there is a video, I guess.
Do this.
The specific problem site when you look at sources of scripting blocked is actually an ad network from cloudfront.net, who are somewhat notorious for being a shady CDN arm of AWS that allows drive-by malware installations.
LPT ADDENDUM to OP
Add NoScript to your favorite browser and only enable scripts from the domain you are visiting or 3rd party subdomains on the website you trust. NoScript will automatically block most if not all other types of 3rd party advertisements / trackers, plus it gives you the option to support the main domain you are visiting if you don't mind viewing a few ads. For everything else of course there is adblock and other different addons that perform similar functions (i.e. ublock origin / disconnect / ghostery etc)
Yeah, it is. It's far better than AdBlock Plus. From what I understand, Adblock blocks Ads after they appear, while Ublock blocks them before they appear. The dev doesn't really consider it an AdBlock, but closer to NoScript. It's also fairly lightweight too. You can read about what the dev says here
Well, yeah, I didn't say that NoScript is no hassle, just that it's less hassle than uMatrix.
NoScript is the tool for those who'd rather not use the web than have to be exposed to all the bullshit in it.
But well, it doesn't really defeat the purpose. Even if you click "Temporarily Allow Page" on every single entry for every single webpage (or just set NoScript to permissive mode), that still keeps many security features of NoScript active.
It does additional protection against things like click-jacking, cross-site scripting (XSS) exploits, malicious fonts, canvas fingerprinting and more: https://noscript.net/features
I believe that NoScript's application boundaries enforcer should at least partially mitigate this -- scripts running on external websites cannot make requests to the local network at all when the default rules are turned on.
In this case:
Toss out Internet Explorer, use Firefox or Chrome.
Wear an Anti-Virus at all times (Best is Kaspersky, Free is Immunet (still pretty good)).
Use AdBlock Plus https://adblockplus.org/ .
For extra security (Firefox only), there's NoScript: https://noscript.net/ and make Flash permission based only: https://support.mozilla.org/en-US/kb/set-adobe-flash-click-play-firefox
And finally, practice abstinence. Don't just download stuff cause you found a sexy ad. Only go on the internet to find what you need/want. Never follow the white rabbit.
Upvoted "nuke it from orbit" lol - that's the thread-winning point. A backup solution's the only reliable way to deal with the ransomware threat. (unless it's one of those variants that also uploads all your data to their servers, in which case you've still got that to worry about even after a wipe/restore)
Few other random asides:
Use Firefox or Chrome with NoScript and keep using U-Block. That will protect you from malicious web sites. I keep Avast Anti-Virus installed just in case, but I've honestly never needed to use it since I've started using No-Script.
I find Avast to be very light weight compared to other anti-virus programs.
The NoScript FAQ has a section on ABE with a few examples.
Personally I have found it much easier to accomplish what you have tried with ~~uBlock~~ uMatrix. It has a simple matrix ui that you can click to block and unblock not only domains but also different elements like images or scripts. No need to write rules by hand even though there is that capability as well.
I use NoScript in whitelist mode just for the XSS/clickjacking etc. protection now.
Edit: uBlock in the text should have been uMatrix, sorry.
>Which noscript do you use?
I use *NoScript*.
>Also, what is the point in blocking certain scripts?
Stopping redirects, stopping auto loading videos, stopping javascripts from other websites...
Get https://noscript.net (and an ad-blocker if you haven't). It's a bit of a hassle in the beginning with NoScript, you need to whitelist the websites that you frequently use, but after that initial stage, browsing becomes so much better.
https://www.reddit.com/search?q=noscript&restrict_sr=&sort=relevance&t=all
https://userstyles.org/styles/117731/a-big-no-to-many-sites
https://addons.mozilla.org/en-US/android/addon/ublock-origin/
You'll want to bookmark chrome://stylish/content/manage.html in Firefox so you can scan for updates and add them appropriately.
Which is why I've used NoScript since I found it. Everyone always says some sort of ad blocker, but this goes WAY beyond that. From their site:
"...this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).
NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser"
Also, when I went to copy that I just discovered it is endorsed by Edward Snowden...
NADAmobile uses JWPlayer for its videos, try googling some of those keywords. Are you using NoScript or any add on or other programs that might be interfering with the videos? What about trying a new browser? Grab Opera and see if the videos play on it.
Nope, it's not easy. I have left many sites because they try to force me to turn off AdBlock.
But there is a trick that works in some places. "NoScript" is an add-on that can be a bit annoying for some, but it lets you block all scripts running on web pages, and then you can accept exactly the ones you want to accept. Works on tek.no, for example. Another advantage is that you prevent scripts from logging your online activity, so it strengthens your privacy.
I also fully agree with the others here. When the ads are practically falling out of the screen, and you have "download" buttons that are just ads, and the websites are such a mix of ads and real content that you can't see the difference. Then it becomes completely hopeless. A nicely placed ad column to the left or right of the content in the middle of the page I could always have lived with, but there are limits.
Deactivate ABE in the advanced NoScript options
OR
add there under System "Accept from LOCAL and *.battlelog.com"
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL and *.battlelog.com
Deny
Screenshot: http://i.imgur.com/7Eh4C89.jpg
@ /u/Sk0t0r: I hope you can find a workaround for this, since a lot of people use NoScript. Here is the ABE site: https://noscript.net/abe/
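How the SYSTEM rule in the comment above decides, as an added example (not part of the original thread and not NoScript's own code): a simplified Python model of ABE's first-match evaluation, comparing the default rule (Site LOCAL / Accept from LOCAL / Deny) with the edited one. The hostnames, port and rule data structures are constructed, and LOCAL is approximated with IP-literal checks, whereas the real ABE also resolves DNS names.

```python
import ipaddress
from fnmatch import fnmatch
from urllib.parse import urlsplit

def is_local(host):
    """Approximate ABE's LOCAL keyword: localhost, loopback or private IP literals."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; real ABE resolves it, this model does not
    return ip.is_loopback or ip.is_private

def matches(pattern, host):
    return is_local(host) if pattern == "LOCAL" else fnmatch(host, pattern)

def decide(rule, origin_url, dest_url):
    """First matching action wins; 'NO MATCH' means the rule does not apply."""
    origin = urlsplit(origin_url).hostname or ""
    dest = urlsplit(dest_url).hostname or ""
    if not any(matches(p, dest) for p in rule["site"]):
        return "NO MATCH"
    for action, origins in rule["actions"]:
        # An action with no 'from' clause (origins is None) matches any origin.
        if origins is None or any(matches(p, origin) for p in origins):
            return action
    return "NO MATCH"

# Data-structure form of the rules (assumed representation, not ABE syntax).
DEFAULT_RULE = {"site": ["LOCAL"],
                "actions": [("Accept", ["LOCAL"]), ("Deny", None)]}
EDITED_RULE = {"site": ["LOCAL"],
               "actions": [("Accept", ["LOCAL", "*.battlelog.com"]), ("Deny", None)]}

# Constructed (origin page, requested URL) pairs.
REQUESTS = [
    ("http://www.battlelog.com/play", "http://127.0.0.1:8080/status"),
    ("http://ads.example.net/banner", "http://192.168.1.1/admin"),
    ("http://localhost:3000/", "http://10.0.0.5/api"),
    ("http://www.battlelog.com/play", "https://example.org/"),
]

def compare():
    return [(o, d, decide(DEFAULT_RULE, o, d), decide(EDITED_RULE, o, d))
            for o, d in REQUESTS]

if __name__ == "__main__":
    for origin, dest, before, after in compare():
        print(f"{origin} -> {dest}: default={before} edited={after}")
```

In this model the edited rule changes the outcome only for pages served from *.battlelog.com; other Internet origins are still denied access to local addresses, which is the difference from deactivating ABE altogether.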