NoScript Awarded $10,000
An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."
Should have been a default in browsers from day 1 (Score:5, Insightful)
The fact that this ever had to be an *add-on* is just shameful. The fact that IE and Safari still don't have it (or something very similar) is close to criminal. Okay, Chrome has NotScripts [lifehacker.com], but that apparently requires some weird hacking to use securely.
And, no, the non-default ability to turn *all* scripts on or off isn't even close to the same thing. As the great Jules would say--it's not the same ballpark, not the same league, not even the same sport.
Re: (Score:2, Insightful)
For Safari: GlimmerBlocker [glimmerblocker.org] is both an ad blocker and can deny and/or rewrite scripts on the fly.
Re: (Score:1)
The fact that this ever had to be an *add-on* is just shameful.
As long as it's disabled by default. It'd make more sense for Adblock Plus to be integrated by default with ad/privacy lists added. NoScript is still a usability-destroying sledgehammer unfortunately. I haven't been able to find a reason as to why I should keep it installed and endure the headache.
Re:Should have been a default in browsers from day (Score:4, Interesting)
Well, I love the neutered web experience because I absolutely hate Flash/Silverlight and iframes, because they've been exploited too many times. As to the usability of a website, I feel that any site that absolutely depends upon Flash/Silverlight to be usable is one I don't need to visit again. For those business sites like Asus or HP, I've begun filing ADA (American Disabilities Act) complaints that the websites are not accessible to disabled users (Flash doesn't support screen readers, nor does it work worth a damn for those who have even a mild vision impairment).
Hopefully, we'll start seeing companies getting it right by sticking with standards-compliant HTML for their main pages with proper links to the various departments. There is absolutely no reason for a website to depend on anything except HTML for functionality, as it is the lowest common denominator.
Flash *does* support screen readers (Score:2, Informative)
I'm not a big fan of Flash on the web, but it is absolutely untrue that Flash doesn't support screen readers. http://www.adobe.com/accessibility/products/flash/best_practices.html [adobe.com]
What is true is that it is possible to build websites in either HTML or Flash that don't support screen readers.
Re: (Score:2)
For those business sites like Asus or HP, I've begun filing ADA (American Disabilities Act) complaints that the websites are not accessible to disabled users
- yeah, because for some reason companies must spend time and money building things for corner cases rather than for their main target customer. Government. Is there anything it can do that does not hurt the economy? If it can, I haven't found one example yet so far.
Re:Should have been a default in browsers from day (Score:5, Insightful)
Government. Is there anything it can do that does not hurt the economy? If it can, I haven't found one example yet so far.
+5 ironic for writing that on the internet.
Re: (Score:2)
+5 ironic for writing that on the internet.
- Oh, yes. Al Gore invented it, while DARPA misused an old packet switching protocol from POTS and mixed it up at taxpayers' expense with existing communication systems. Or did you think that before DARPA there were no networks? Or that DARPA came up with packet switching out of nothing?
How much innovation is stifled by government intervention into the economy, by mis-allocation of resources, and what would we have today if there was no government intervention and mis-allocation?
No, I don't consider my ori
Re:Should have been a default in browsers from day (Score:4, Insightful)
Re: (Score:3)
I so agree! I've always wanted to print my own currency, but that darn gubermint just stops me all the time! :)
Re: (Score:2)
So, you basically want to live in a land with no government at all?
Re: (Score:2)
So, you basically want to live in a land with no government at all?
Nah, he's all talk. Read his resume; he's spent years working for a Canadian telco, sucking at the teat of government regulation.
Re: (Score:2)
No, that's impossible. I find that using 5 flag methodology works though.
Re: (Score:2)
Ha, I worked for many Canadian and US telcos on contracts. I also had a contract with electrical utility, which used to be an arm of government.
I also contracted for Symcor, ADP, IFDS, Christie Digital, Boomboat, Avema. Subcontracted for World Insure, Davis + Henderson, Danli Promotions.
For the last 2 years I've been building my own suite of software for retail chains in Asia.
Thanks for asking.
Re: (Score:2)
Re: (Score:2)
Al Gore invented it, [snopes.com]
But of course I shouldn't expect to reason you out of a position you never reasoned yourself into in the first place.
while DARPA misused an old packet switching protocol from POTS
Saying that shows that you fundamentally misunderstand the difference between POTS, by which you presumably mean circuit switching, and packet switching. It wasn't even derivative, much less "misuse" of circuit switching.
The earliest work on packet switching was done by Paul Baran at the RAND Corp, a US defense contractor.
How much innovation is stifled by government intervention into the economy, by mis-allocation of resources, and what would we have today if there was no government intervention and mis-allocation?
You write that as if the same can't be said of pri
Re: (Score:2)
So you posted to whine instead?
Way to confirm the worst stereotypes of people like yourself.
Re: (Score:2)
As to the gist of your comment - you have stereotypes about 'people like me'? Funny.
Yes, the stereotype is uncompromisingly loud-mouthed, thin-skinned and intellectually rigid. People like that love to trot out meaningless credentials as an appeal to authority. So yeah, you hit the stereotype on the head with that reply too.
Re: (Score:2)
Funny, your comments are filled with ad hominems here; talk about stereotypes.
Really? Do you know what an ad hominem is? It ain't an insult. It's an argumentative fallacy that says "you are wrong because you suck." What I've done here is say "doing that means you suck because ..." Like making up an excuse to not respond to my points but instead still posting about how he's so put upon and unwanted. That's sucking.
Note that he came back 24 hours later and still didn't live up to his word to respond with his own account, despite posting a non-denial elsewhere in this thread. That'
Re: (Score:2)
Re:Should have been a default in browsers from day (Score:5, Informative)
This, exactly. I would rather back up my machine properly and practice safe browsing habits than put up with NoScript's bullshit. I've read for years people extolling its virtues, but I personally cannot stand the neutered web it presents.
The whole point of NoScript is to allow you to control whether scripts run on a finer level than the "off/on" that browsers support natively, and it does that easily, with one click per domain.
If you use NoScript to deny scripts globally, then you are using it wrong. Instead, you enable each domain (just once, as NoScript remembers the setting) that you deem safe. This makes browsing much more secure, although you can still be caught if a trusted domain starts serving malware scripts, but it's better than being open to attack from every domain.
Re: (Score:2)
The point of NoScript is to deny scripts globally and then just enable the ones that you deem to be safe. I assume that's what you meant, because if you just blacklist domains that you know to be malicious you might as well just send your information directly to the crackers.
Re: (Score:2)
Yeah, I was a little unclear.
What I meant was that if you just install NoScript (which by default denies all scripts) and then never enable scripts on any site, you end up with the "neutered web" that the GP wrote about. If you do that, you don't need NoScript...you can just disable Javascript in the browser.
Except you have to turn it off everywhere (Score:3)
I tried to use it for a couple months, but more than half of the web-forms on the internet require javascript to submit properly. So I would spend all this time filling out these forms, get to the end, and either nothing happens when you click submit or you get an error. So I disable NoScript for the site, only to have the browser (or the website) clear everything that I just entered into the form, and I have to start over again.
Other sites wouldn't have working menus, others didn't have working links at al
Re: (Score:2)
Ditto. It was frustrating to me too. I do use other addons/extensions like PrefBar (disable referrers, Java, etc.), AdBlock Plus, etc. Even those run into problems once in a while. NoScript drove me nuts.
Re: (Score:2)
I suggest everyone read this: http://www.ranum.com/security/computer_security/editorials/dumb/index.html. The parent is guilty of items 1-3 on this list. He's a network infrastructure turd
Re: (Score:2)
You made my point for me: "how do you stop a 0 day? With backups thats how." I'm not quite sure what to ma
Re: (Score:2)
Re:Should have been a default in browsers from day (Score:5, Informative)
Ghostery [ghostery.com] exists for Firefox/Chrome/IE/Safari, and can be taught to behave as NoScript.
Re: (Score:2)
Re: (Score:2)
I see a potential improvement for NoScript: the identification of known tracking services.
Re: (Score:1)
Re: (Score:2, Informative)
PrefBar [tuxfamily.org] restores this functionality. Single-click control of images (for those not-necessarily-SFW threads), colors (for that asshat on FailSpace who thought that red on a green background was a good idea), and of course, Javashit, Java, Flash, cookies, referrer-sending, and so on.
Re: (Score:3)
Re: (Score:2)
For a simple reason it isn't installed by default.
Security isn't convenient.
The best security tools make your experience seem like you are the warden of a jailhouse. There is only so much you can do to make them easy. The rest the company will decide not to add because it will make the app too hard to use, especially if you need to compete with Internet Explorer, where you need to be more secure and still show that it can run all the stuff that IE can.
Re: (Score:2)
Re: (Score:2)
IE had "zones" 10 years ago. Chrome has had per-site whitelisting for several major releases.
Mozilla... Mozilla has an open bug from the previous millennium.
WTF... (Score:2, Troll)
What the fuck...does this have to do with NoScripts?
Did they also get a grant... (Score:3, Informative)
Re: (Score:2)
Yes, the author does not have a good track record.
He apologized for it but you do have to wonder. Money blinds.
Re: (Score:2)
Re:Did they also get a grant... (Score:5, Insightful)
Yes, two fucking years ago the guy made a poor decision in the heat of the moment which he later apologized for. We should definitely crucify him for it forever.
MOD PARENT UP (Score:1)
Re:Did they also get a grant... (Score:5, Insightful)
incomplete, thus misrepresentation (Score:2)
If you want people to be aware of Giorgio Maone's mentality and motivations, you should probably link them to his blog entry on the matter [hackademix.net]. He goes into great detail.
Here are some snippets:
I screwed up. Big time.
Please let me apologize first, then briefly explain what happened from a slightly different point of view than Wladimir Palant's, then apologize again.
... I began tracking EasyList changes and counterreacting. Of course Ares2 didn't stop, nor did I, so we engaged in an escalation through more than 30 EasyList updates (even 4-5 per day) specifically aimed at my sites ... If you've got some familiarity with Adblock Plus filters, you'll notice any standard web technology beyond basic HTML/CSS (scripting, frames, AJAX) was completely disabled.
They got to the point where users could no longer even see the regular links to install NoScript or FlashGot.
If you're describing his actions only as "[abusing his] position for monetary gain", you are spreading a simplistic understanding of the situation. That is virtually misinformation.
If anyone expects to have and share an opinion on this matter they really ought to read his blog post.
Re: (Score:3, Interesting)
Maybe not. But it definitely raises questions about the guy's integrity. And you can't help but wonder, if this hadn't been noticed and created massive outcry, whether he would have apologized at all, or whether he was just imitating large corporations' policy of "hope they don't notice, apologize if they do."
Oh yeah, and why is one add-on able to make changes to another in Firefox without notifying the user? I haven't used Firefox much (prefer Opera), but is this still possible? If it is, why? Seems like a
Re: (Score:2)
Who cares about the guy's integrity? After all, NoScript is open-source and isn't that the important part?
If you don't trust the guy, take the latest revision (it's GPLv2+ and the source is in the XPI
Re: (Score:1)
Good thing you are posting anonymously, betcha don't want to get caught again!
Re: (Score:2)
Two years! Wow, they practically get a free ride in /. terms! If Microsoft could have had a two year grudge period, back when they did things wrong...
Re: (Score:2)
If MS had only made one mistake 2 years ago, I doubt very much that we'd be after them to this extent.
Re: (Score:2)
Re:Did they also get a grant... (Score:5, Insightful)
So he has a stupid spat with the guys at AdBlock Plus. So what?
People make stupid mistakes every once in a while. He apologized, and hasn't done anything dumb since. In the meantime, NoScript has continued to be a valuable tool that I add to every Firefox installation I use (well, all once he adds support for Firefox Mobile.)
Re: (Score:1)
NoScript 3 alpha for Mobile here [noscript.net]
Re: (Score:2)
And people act like he's a scumbag.
If you feel hurt by his actions, you get a free year of using noscript. You can use it all you want and don't have to pay him a dime. If you've donated a reasonable amount in the past, you can whine about it. If you were using noscript f
Re: (Score:2)
Recognition vs usefulness (Score:4, Interesting)
Does this mean web designers will start making their web sites actually work when users without javascript try to use them?
(The list of offenders is too long to name.)
Re: (Score:3)
Re: (Score:3)
AJAX reduces server load by removing excess postbacks. Pretty much any interactive website.
The problem is websites that don't require postbacks but use Javascript for random crap.
Re: (Score:3, Interesting)
Re: (Score:2)
Graceful degradation is something most websites fail to adhere to even when it's easily possible.
Not enough return on investment to be worth the bother of even thinking about it for the tiny fraction of users you turn away having a site not work without javascript.
Web accessibility is much like building accessibility. Totally not worth the owners money (from a purely business standpoint..). Unless it's done as a PR thing (someone whines loudly enough) or the law comes by and says "look, we know it's not financially worth it for you.. but do it anyway because it's the moral thing to do" .. probably won'
Re:Recognition vs usefulness (Score:4, Interesting)
I leave sites when they require JS, and follow up by sending them a screenshot of me placing an order on a competitor's web site (with certain identifying information blanked out).
Depending on their site design, I also point out how they spent more effort blocking script-less usage than it would have taken to have a graceful fallback. That's not always the case, but it helps.
I never get a reply, but I don't expect one either.
Re: (Score:2)
This seems like a lot of time/effort/trouble for what you even admit doesn't get any result or feedback from the owners of the offending site.
Re: (Score:2)
Re: (Score:3)
I've come to realise this was a huge blunder from the beginning of the web.
Remember how we took so long to make a standard for moving fonts over the web? We could have done so much better if we only had invented a way for a page to contain the required fonts, and images, and scripts.
Loading a web page basically means code injection. Even without javascript, every "src=" in a web page is code executed in your host, as commanded by an untrusted source.
But alas, we were too concerned with net load. We had to,
Re: (Score:2)
Also, slashdot's javascript makes it impossible to click on links. Or write comments.
Re: (Score:2)
Re: (Score:2)
Re:Recognition vs usefulness (Score:5, Insightful)
JavaScript [...] is extremely helpful for making useful, clean, modern websites.
I'll see your "useful, clean, modern" and raise you "glacial, bloated, bug-ridden".
Both JS and non-JS sites can be written well or poorly, and I'm not averse to a little javascript where it demonstrably improves the user experience, such as auto-focus into form fields for example. However, the problem is that some designers/developers just don't know when to stop, and seemingly only test their results on a gigabit LAN with a browser on their quad-core monster. As a consequence they think nothing of pulling in scripts and libraries from half a dozen sources and then proceed to use only one tenth of that code in the page. Frequently I see JS code where the whole way through it keeps testing over and over again for specific user agents so that it can choose which hackish workaround to employ, instead of testing once and pulling in a browser-specific library. I have a 10Mbps broadband connection here and some pages take longer to load and render than they did 15 years ago.
Good designers and devs can produce excellent JS-based sites. But the other 99% are just a struggle to use and a good proportion of those are close to unusable.
Re:Recognition vs usefulness (Score:5, Insightful)
Javascript itself isn't the problem so much as the tendency to need to allow javascript from 20 or 30 sites just to view a page in its entirety. Typically they don't tell you what sites they genuinely use so if you don't recognize the domain name then you don't have any way of knowing if it's intended to be executed by the web devs.
sad (Score:1)
Re: (Score:2)
It's a phase that's looking more and more like a new normal. We were lucky with those huge painterly sites of the late 90s that they eventually went away. Sure they looked cool, but on a dial up connection they'd take 20 minutes to fully load.
Now, sites take 20 minutes to load because they've got to load content from all over the web and frequently the slowest things to load are the ads. Each hop from server to server takes more time and with the sites pulling in stuff from other sites it can easily stall o
They will probably celebrate with a new version (Score:2)
Any excuse for those page hits. Good tool though, but I switched off the bit that opens the home page every time there is a new "important" update.
Re: (Score:2)
I like watching changelogs, to see what holes were patched. With NoScript, the right pane shows the changes -- new attack vectors are blocked all the time. (At this point they are mostly minor, but still crazy that default browser security with respect to local and remote script invocation is nearly non-existent.)
Helps prevent trojan infections (Score:4, Interesting)
NoScript helped in stemming the amount of infected PCs I received. I'd install it on my customers' PCs and show them how it worked, and that they should turn it off only when doing stuff like online banking, otherwise leave it on.
It was of tremendous help and a lot of repeat customers stopped coming back with the same infection.
If nothing else, use it for speed. (Score:3, Informative)
Re: (Score:2)
And all the ad servers and affiliates! Fecebook, Twatter, Google, Google Syndication, Google Analytics, the 3rd party adverts that malware peddlers crack regularly. Fuck that.
NS and Live Bookmarks is why I stayed through all the post 3.5 feature bloat. I could run any stripped browser in a sandbox, but what I can't find is a Live Bookmark equivalent...ie: just headlines, no pix, no diarrhea of the keyboard descriptions, no new windows, no muss. Just headlines to scan.
All your scripts are belong to noscript (Score:2)
I wish it supported white/black list groups. (Score:3)
One feature I would love is if it supported whole lists. That is, whole white and black lists from different people that are assigned at different priority levels.
What's the Point? (Score:2)
Re:Why I don't use NoScript (Score:5, Insightful)
That's too bad, because it's awesome. I haven't found anything else that comes close to how flexible and easy to use it is.
As far as trust goes - I trust the developer of NoScript over the entirety of the javascript code injected by advertising and tracking agencies out there.
By the way - did you read the NoScript developer's mea culpa?
Re: (Score:2)
As far as trust goes - I trust the developer of NoScript over the entirety of the javascript code injected by advertising and tracking agencies out there.
That is a very very good point.
Re: (Score:3)
I haven't found anything else that comes close to how flexible and easy to use it is.
Have you checked out Request Policy [requestpolicy.com]?
I don't suggest it out of NoScript hate[0] -- I still run NoScript on some machines -- but because it's fantastically easy to use to do things you need to mess with ABE to do on NoScript (if even then; I haven't had the time to mess much with ABE). My favorite is being able to block everything Google, and then only allow it, if needed, permanently and only on the sites that need it (mostly on sites using reCAPTCHA).
It's pretty nice and one of the four extensions that keeps
Re: (Score:2)
[0] Though its insistence on opening up the homepage twice a week lately on minor updates is becoming a pet peeve.
You can change this [noscript.net], but of course, you have to RTFM to discover that. The horrors....
Re: (Score:2)
My problem wasn't with the opening of the page itself. It was with the frequency. Are some localization changes worth an update?
It turns out, no. I apparently got bit by some AMO bug or something that got me on the testing version so every single blasted change prompted me for an update.
Re: (Score:1)
I'd like it much better if browsers themselves simply didn't execute any JavaScript from any inactive tabs/minimized windows.
Re: (Score:2)
They're adding in real-time socket communication to Javascript. If I was chatting with a friend and had to keep the window in focus, that would irk me. Good idea, but it would definitely have to be optional. Maybe trusted sites?
Re:Why I don't use NoScript (Score:4, Insightful)
I've tried to use it four or five times through the years, and I always end up removing it almost immediately. I find the UI to be confusing (and just plain bad) to the point of uselessness
What, exactly, is confusing about clicking one time on a menu item that reads "Allow slashdot.org" (for example)?
The only time I find there to be a problem is when a domain loads scripts from 5-10 other domains. That does make it difficult to figure out which scripts are required to make the site functional, but that's not a problem with NoScript...that's a problem with the site. And, it's exactly this "code from random sites" that makes NoScript important for browser security.
Re: (Score:3)
The UI isn't confusing, what is confusing is the tendency of sites to use a large number of largely anonymous servers to give even basic functionality. What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them. For things like Facebook which are inexplicably everywhere even though they aren't necessary on any site that I routinely go to.
Re:Why I don't use NoScript (Score:4, Interesting)
What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them.
You mean like 'mark as untrusted'?
I'd like to see domain-based functionality, so for example I can allow Facebook Javascript when I'm actually using Facebook, but block it when I'm at any other site.
Ah, I still remember the early days of Javascript when we were telling people what a horrible insecure pile of crap it would be and they were assuring us that nothing could possibly go wrong.
Re: (Score:2)
Yes, and as far as I can tell there isn't any way of doing it now. Which is annoying when you are OK temporarily allowing a long list, except for Facebook.
And allowing it site by site would definitely be helpful, just because I'm trusting a site with javascript doesn't mean that every site should also get that trust.
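As an added illustration (not NoScript's own code) of the allow-list model described earlier in the thread (default-deny, one permission per script domain) together with the site-scoped allow asked for here ("Facebook scripts only on Facebook"), a small JavaScript policy evaluator. The policy, the domain names and the sample script URLs are constructed for the example; the base-domain helper is a simplification of NoScript's real public-suffix handling, and the precedence order (untrusted, then trusted, then site-scoped, then default) is an assumption of this example.

```javascript
// Added example: a minimal NoScript-style script policy evaluator.
// Not NoScript's code; policy and sample data below are constructed.

// Constructed policy. Permissions are keyed by the *script's* base domain,
// which is what makes "allow facebook.net only on facebook.com" expressible.
const POLICY = {
  defaultAllow: false,                          // default-deny for unknown domains
  trusted: new Set(["slashdot.org"]),           // global allow list
  untrusted: new Set(["doubleclick.net"]),      // "mark as untrusted": always blocked
  // site-scoped allow: script base domain -> page base domains it may run on
  siteScoped: new Map([["facebook.net", new Set(["facebook.com"])]]),
};

// Simplification: base domain = last two labels. Real NoScript consults the
// public suffix list so that e.g. "example.co.uk" is handled correctly.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// Decide whether one script may run on one page. Relative script URLs are
// resolved against the page URL; schemes without a host (data:, javascript:)
// have no domain to trust and are blocked.
function decide(pageUrl, scriptUrl, policy) {
  let page, script;
  try {
    page = new URL(pageUrl);
    script = new URL(scriptUrl, pageUrl);
  } catch (e) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (!script.hostname) {
    return { allow: false, reason: "no host (data:/javascript: URL)" };
  }
  const s = baseDomain(script.hostname);
  const p = baseDomain(page.hostname);

  if (policy.untrusted.has(s)) return { allow: false, reason: `${s} marked untrusted` };
  if (policy.trusted.has(s)) return { allow: true, reason: `${s} globally trusted` };
  const sites = policy.siteScoped.get(s);
  if (sites && sites.has(p)) return { allow: true, reason: `${s} allowed on ${p}` };
  if (sites) {
    return { allow: false, reason: `${s} only allowed on ${[...sites].join(", ")}` };
  }
  return { allow: policy.defaultAllow, reason: "default policy" };
}

// Apply the policy to every script a page wants to load; returns the split
// the extension's menu would show (what ran, what was held back, and why).
function filterPage(pageUrl, scriptUrls, policy) {
  const allowed = [], blocked = [];
  for (const url of scriptUrls) {
    const d = decide(pageUrl, url, policy);
    (d.allow ? allowed : blocked).push({ url, reason: d.reason });
  }
  return { allowed, blocked };
}

// Constructed sample: a story page pulling scripts from several origins.
const SAMPLE_PAGE = "https://slashdot.org/story/12345";
const SAMPLE_SCRIPTS = [
  "/js/comments.js",                            // first-party, trusted domain
  "https://static.ak.facebook.net/connect.js",  // only allowed on facebook.com
  "https://ad.doubleclick.net/adj.js",          // marked untrusted
  "https://cdn.example-unknown.net/lib.js",     // unknown: default-deny
  "javascript:void(0)",                         // no host
];

const result = filterPage(SAMPLE_PAGE, SAMPLE_SCRIPTS, POLICY);
for (const a of result.allowed) console.log("ALLOW", a.url, "-", a.reason);
for (const b of result.blocked) console.log("BLOCK", b.url, "-", b.reason);
```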
Re:Why I don't use NoScript (Score:4, Insightful)
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net]
I'd rather not blacklist somebody over a single incident. However, if you happen to know of other instances where he did something sketchy, please let us know.
Re: (Score:3)
Fool me once, fool me twice...
No, no, no.... it's
"Fool me once, shame on... shame on you. Fool me... you can't get fooled again!" -- GW Bush
Re: (Score:2)
Hey, it's open source; aren't you reading every line of code that's run on your system?
Re: (Score:1)
Thing is I trust websites even less.
Turned it off and surfed around for about 2 hours. 3 damn viri...
So I surf around with a broken internet...
Re: (Score:2, Informative)
For many of them (e.g. Clickjacking or cross-zone CSRF with DNS rebinding) NoScript features specific countermeasures which go far beyond script blocking.
Furthermore NoScript blocks plugins, XSLT, HTML5 media and web fonts on untrusted sites, which reduces the attack surface to HTML/CSS parsing or image decoding vulnerabilities, relatively rare nowadays. And even those, usually, still require scripting to be exploitable on modern systems (e
Re: (Score:2)
No browser is perfect, but all other things being equal NoScript makes the web a far safer place. Include Adblock and not running the browser as an admin, and you are pretty safe.
Re:Not the holy grail of browser security (Score:5, Insightful)
There are plenty of vulnerabilities found that do not need scripts; let's not make NoScript out to be more than what it is.
I'm sorry, I've got to call BS. That's like saying "There are plenty of illnesses out there that aren't virus-based or bacterial, so let's not make washing our hands out to be more important than it is."
Fact is, NoScript is an invaluable resource, with a clear, easy-to-use interface, and even the less-than-tech-savvy user can use it to vastly reduce their chance of 'catching' something. Yes, it does not provide perfect protection from everything, but I'm afraid the only way you can achieve that is to pull the plug on teh interwebs and live in your own virtual 'bubble'.
I for one applaud this award as well-deserved. Good on them!
Re: (Score:2)
"My condom won't stop buckshot and is therefore useless."
Re: (Score:2)
Why do all people assume that Javascript makes a site slow to load?
Javascript was the tool by which I could significantly *cut down* loading time for my site. Previously, I had to transmit a lot of redundant HTML. Now I'm transmitting the actual payload data as JSON and build the DOM tree on the client side.
Really, NoScript is the equivalent of "people use hammers when they should use screwdrivers, so let's ban all hammers". That's all fun and games unless you're the one who has to push a nail into the wall with a screwdriver because all hammers were banned in the latest panic wave du jour.
Unfortunately, there are one hell of a lot of hammers on the Internet.
Re: (Score:2)
It's in the D1 layout in the same place it's always been, YOU BLIND INGRATE.