Archive for September, 2011

Since their introduction, NoScript's Script Surrogates (or "Surrogate Scripts") have grown both in reliability and flexibility. NoScript 2.1.3 introduced two new types of surrogates (“Before script" and "After script"), so it's a good time to recap.

Script Surrogates replace a blocked script or complements existing scripts which would not work as expected because of NoScript.

A Script Surrogate is defined by a pair about:config string entries:

  1. "noscript.surrogate.surrogate_name.replacement" contains the JavaScript code to be executed.
  2. "noscript.surrogate.surrogate_name.sources" is a URL pattern matching the origin(s) of the scripts to be replaced or complemented.
  3. "noscript.surrogate.surrogate_name.exceptions" is a URL pattern which, if matched, prevents the surrogate from being triggered even if sources matches too.

Various built-in surrogates can be looked up for reference by opening about:config and typing noscript.surrogate. inside the filter box.

Source URL patterns may be prefixed with one or more special characters (<, >, @ and !), which determine the type and behavior of the matching surrogate.

Here's a quick reference of the available surrogate types grouped by source prefix, courtesy of long time contributor al_9x:

  • no prefix
    - blocked script surrogate

    • matches blocked scripts
    • runs only if page is script allowed
    • runs when the blocked matched script would have
  • '<'
    - before script surrogate

    • matches allowed scripts
    • runs only if page and script are allowed
    • runs just before the matched script executes
  • '>'
    - after script surrogate.

    • matches allowed scripts
    • runs only if page and script are allowed
    • runs just after (load event) the matched script executes
  • '@'
    - script allowed page (html document) surrogate

    • matches script allowed pages
    • runs only if the page is script allowed
    • runs before HTML parsing starts
  • '!'
    - script blocked page surrogate

    • matches script blocked pages
    • runs only if the page is script blocked
    • runs on DOMContentLoaded
  • '!@'
    - page surrogate

    • matches pages
    • runs on both script allowed and script blocked pages
    • runs on DOMContentLoaded

Bad Behavior has blocked 1053 access attempts in the last 7 days.