Giorgio Maone, the developer behind the popular Firefox security add-on NoScript, released NoScript 10, the first “pure” WebExtensions version today.
NoScript 10 did not make it in time for the release of Firefox 57, the first version of the web browser that supports only WebExtensions and no longer the legacy add-on system of Firefox 56 and earlier versions.
But, the extension that is compatible with Firefox 57 and newer is out now, and users can finally install it on their devices if they have updated their systems to that version of the browser already.
Note: It won’t work on Android right now, and does not work in private browsing mode either.
Giorgio released a hybrid extension of NoScript earlier this year. The main purpose of hybrid extensions was to make the migration from the legacy add-on system to the WebExtensions system as smooth as possible.
Existing NoScript users will have their settings and preferences migrated to the new version; that is good news as you don’t have to configure the new version of NoScript after the update to version 10. It is still recommended to go through the preferences once to make sure they are set correctly, and to make adjustments as you see fit.
NoScript 10 is a work in progress. While it is released as a WebExtension so that it can be installed in Firefox 57 and newer versions of the web browser, it is not a complete one-to-one copy of the legacy add-on.
The main reason why that is not the case yet is that APIs are still not available that NoScript requires for some of its functionality.
NoScript 10 supports content blocking and XSS protection just like its legacy counterpart. Some parts come with improved performance thanks to the new WebExtension APIs, others still need to be implemented before they become available in NoScript 10.
The interface looks different to the previous interface, and the options lack most settings right now as well. If you open the options of NoScript 10 right now, you get only a few of them.
You can whitelist or blacklist addresses, allow scripts globally, or clear the XSS whitelist. That’s about it. Features such as ClearClick or ABE are missing right now.
NoScript ships with a list of whitelisted (trusted) domains. You cannot remove these anymore, but you can change the state of them. So, setting them all to default will do the trick but it would obviously be better if you could just throw these out instead.
The main interface of the security extension has changed as well. You interact with it by clicking on its icon in the Firefox main toolbar. There you find listed all connections the current web page tried to establish, and the status of each.
Addresses are blocked by default, but you can change that by setting a domains status to trusting or untrusting. One interesting option that you have here is to allow certain content types but not others.
The option to temporarily allow a site is still there, but it is easy to miss. You need to set the domain to custom first, and then click on the small clock icon that is displayed once you do. There does not appear to be an option though to whitelist all temporarily in the frontend.
The UI is different, and while it offers more options, it is more complicated as a consequence especially since Giorgio switched from text labels to buttons, and displays information on buttons only when you hover with the mouse over an item.
Giorgio plans to maintain NoScript 5.x, the legacy add-on version of the security add-on, until Firefox ESR is moved to version 59 (at least). This happens in mid-2018. Firefox users who want to keep on using the legacy version of NoScript can do so until then, either by switching to Firefox 52 ESR, or a third-party browser such as Pale Moon or Waterfox that support legacy Firefox add-ons.
Old features, and some new ones, will be implemented in the coming weeks. Contextual permissions is the one that sounds very promising; it allows you to trust a domain only on another, e.g. trust domain A only when it is loaded on domain B, but not elsewhere.
NoScript 10 is finally there. That is a good thing. The new version is limited in comparison to the old however, and users who migrate to Firefox 57 or newer will have to get used to the new UI and functionality.
Those who don’t, may want to check out uMatrix instead which offers similar functionality.
Now You: What’s your take on the first NoScript WebExtension release?