Why I’ve started using NoScript

Edit: I’ve updated somewhat based on Said’s comment below, to think that NoScript is not a tool for everyone. I haven’t decided to stop using it, but I have decided to stop strongly recommending that others use it. I especially urge you to read about the other extensions he lists at the end of his comment.

Edit 2: It’s also been pointed out to me that uBlock Origin also has capabilities for blocking 3rd party JavaScript, and might be even better at it than NoScript; in line with the idea that this is not for everyone, this functionality requires the user to explicitly claim to be an “advanced user” and read various documentation first. You may also be interested in reading the discussion for this post on lobste.rs.

NoScript is a browser extension[1] that prevents your browser from loading and running JavaScript without your permission. I recently started using it, and I highly recommend it.

I had first tried using NoScript around a decade ago. At the time it seemed like too much of a hassle. I ended up wanting to enable almost all the scripts that were included, and this was somewhat annoying to do. Things have changed a lot since then.

For one, NoScript’s user interface has become much better: Now, if a page isn’t working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less. You can set it to automatically whitelist domains you directly visit (thereby only blocking third-party scripts).

A more pressing change is that I’m now much less comfortable letting arbitrary third parties run code on my computer. I used to believe that my browser was fundamentally capable of keeping me safe from the scripts that it ran. Sure, tracking cookies and other tricks allowed web sites to correlate data about me, but I thought that my browser could, at least in principle, prevent scripts from reading arbitrary data on my computer. With the advent of CPU-architecture-based side channel attacks (Meltdown and Spectre are the most publicized, but it seems like new ones come out every month or so), this belief now seems quite naïve.

Finally, in that decade, third-party scripts for tracking and ads have become almost literally ubiquitous on the web. Just about every web site I visit, I’ve discovered, has at least a couple of third-party dependencies, whose provenance I don’t trust, and which I’d rather not spend (even a minuscule proportion of) my energy bill on. Even disregarding the new hardware vulnerabilities, I don’t think arbitrary third party trackers ought to be trusted to run in your browser[2]; if even one of the hundreds of tracking scripts is compromised, this could easily leak your passwords or other data to attackers.

An added benefit has been that NoScript works better than my ad blocker. Around the time I started using NoScript, I was watching a show on a streaming site I don’t normally visit, that shall remain nameless. This site is extremely annoying. It plays more ads per minute than content, somehow evading uBlock Origin, and often the ads seem to break the actual video player so that the show stops partway through. After installing NoScript, I spent about 3 minutes wading through the ~50 script sources, enabling not-ads until eventually the video played. I was thrilled to see that the video played perfectly, with no interruptions.

In summary, just go try it. You might not like it, but at least then you’ll know.


  1. There is a version for Firefox and one for Chrome; it also has a Wikipedia page.

  2. Some decent background on the problem can be read here.