Why I’ve started using NoScript

Edit: I’ve updated somewhat based on Said’s comment below, to think that NoScript is not a tool for everyone. I haven’t decided to stop using it, but I have decided to stop strongly recommending that others use it. I especially urge you to read about the other extensions he lists at the end of his comment.

Edit 2: It’s also been pointed out to me that uBlock Origin also has capabilities for blocking 3rd party JavaScript, and might be even better at it than NoScript; in line with the idea that this is not for everyone, this functionality requires the user to explicitly claim to be an “advanced user” and read various documentation first. You may also be interested in reading the discussion for this post on lobste.rs.

NoScript is a browser extension[1] that prevents your browser from loading and running JavaScript without your permission. I recently started using it, and I highly recommend it.

I had first tried using NoScript around a decade ago. At the time it seemed like too much of a hassle. I ended up wanting to enable almost all the scripts that were included, and this was somewhat annoying to do. Things have changed a lot since then.

For one, NoScript’s user interface has become much better: Now, if a page isn’t working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less. You can set it to automatically whitelist domains you directly visit (thereby only blocking third-party scripts).
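The allow/block decision described above, as an added Python sketch that is not part of the original post and is not NoScript's own code. It assumes a simplified model in which a listed domain also covers its subdomains and "first-party" means the page's host or a subdomain of it; the page URL, HTML and domain names are constructed, and inline scripts are not considered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; none of these hosts come from the post.
SAMPLE_PAGE = "https://video.example/watch"
SAMPLE_HTML = """
<script src="/static/player.js"></script>
<script src="https://cdn.video.example/hls.js"></script>
<script src="//ads.tracker.test/serve.js"></script>
<script src="https://metrics.test/t.js"></script>
<script src="https://widgets.partner.test/embed.js"></script>
"""


class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def covers(domain, host):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def decide(page_url, html, trusted=(), temporary=(), trust_first_party=True):
    """Map each script host on the page to a verdict; unlisted hosts are blocked."""
    page_host = urlsplit(page_url).hostname
    parser = ScriptSources()
    parser.feed(html)
    verdicts = {}
    for src in parser.sources:
        # Resolve relative and protocol-relative URLs against the page first.
        host = urlsplit(urljoin(page_url, src)).hostname or "(no host)"
        if trust_first_party and covers(page_host, host):
            verdicts[host] = "allow: first-party"
        elif any(covers(d, host) for d in trusted):
            verdicts[host] = "allow: trusted"
        elif any(covers(d, host) for d in temporary):
            verdicts[host] = "allow: temporary"
        else:
            verdicts[host] = "block"
    return verdicts
```

Calling `decide(SAMPLE_PAGE, SAMPLE_HTML, trusted=["partner.test"])` leaves only the two unlisted third-party hosts blocked, which is the "only blocking third-party scripts" setting plus one whitelisted domain.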

A more pressing change is that I’m now much less comfortable letting arbitrary third parties run code on my computer. I used to believe that my browser was fundamentally capable of keeping me safe from the scripts that it ran. Sure, tracking cookies and other tricks allowed web sites to correlate data about me, but I thought that my browser could, at least in principle, prevent scripts from reading arbitrary data on my computer. With the advent of CPU-architecture-based side channel attacks (Meltdown and Spectre are the most publicized, but it seems like new ones come out every month or so), this belief now seems quite naïve.

Finally, in that decade, third-party scripts for tracking and ads have become almost literally ubiquitous on the web. Just about every web site I visit, I’ve discovered, has at least a couple of third-party dependencies, whose provenance I don’t trust, and which I’d rather not spend (even a minuscule proportion of) my energy bill on. Even disregarding the new hardware vulnerabilities, I don’t think arbitrary third party trackers ought to be trusted to run in your browser[2]; if even one of the hundreds of tracking scripts is compromised, this could easily leak your passwords or other data to attackers.

An added benefit has been that NoScript works better than my ad blocker. Around the time I started using NoScript, I was watching a show on a streaming site I don’t normally visit, that shall remain nameless. This site is extremely annoying. It plays more ads per minute than content, somehow evading uBlock Origin, and often the ads seem to break the actual video player so that the show stops partway through. After installing NoScript, I spent about 3 minutes wading through the ~50 script sources, enabling not-ads until eventually the video played. I was thrilled to see that the video played perfectly, with no interruptions.

In summary, just go try it. You might not like it, but at least then you’ll know.

  1. There is a version for Firefox and one for Chrome; it also has a Wikipedia page.

  2. Some decent background on the problem can be read here