Based on the immediate user feedback, here's my TODO list for what I'm doing today:Temporarily allow on NoScript 10 Quantum

  • Fixing the Private Browsing (Incognito) bug making the UI unusable on private windows (even though everything else, including the XSS filter, still works)
  • Getting rid of all the "legacy" localization strings that are creating confusion on internationalized browsers, and restart fresh with just English, refining the messages for maximum clarity and adherence with the new UI paradigm
  • Tweaking a bit the permissions preset system by making them customizable only on the options page, rather than in the popup, except for the CUSTOM preset.
  • Figuring out ways to make more apparent that
    • temporary permissions are still there: you just need to toggle the clock button on the preset (TRUSTED or CUSTOM) you choose: the permission will go away as soon as you close the browser;
    • selecting DEFAULT as a preset really means "forget about this site", even though you keep seeing its entry until you close the UI (for convenience, in case you made a mistake or change your mind);
    • the "lock" icon is actually another toggle button, and dictates how sites are matched: if its locked/green, as suggested by the title ("Match HTTPS only"), only sites served on secured connections will be matched, even if the rule is for a (base) domain and cascades to all its subdomains. This is a convenience to, say, make just "" TRUSTED and match also "" and "" but not" neither".

    OK, an updated guide/tutorial/manual with screenshots is sorely needed, to. One thing at a time. Back to work now!

165 Responses to “Top immediate priorities for NoScript Quantum”

  1. #1 Bio says:

    Thanks for all the work, but... what about the ability to import my whitelist? D:

  2. #2 no says:

    just no, you made this addon unusable.
    it kills my firefox, not only the tab of the settings but the whole browser window.
    this version of noscript is totally not for use.

  3. #3 folk says:

    NoScript 10 has a huge impact on performance for me. I'll be going back to the 5.1.x version (I've used firefox nightly since 1.0 anyway, so the legacy-pref works for me) until you start using github so that we can help you.

    Hopefully the performance issues can be looked at then.

    Another area that needs performance tuning is the preferences section; my whitelist is over 25500 characters long, and when I open the (new) noscript preferences page the browser spews errors on stdout/err like
    - [GFX1-]: Failed buffer for 1907, 0, 13, 1042
    - [GFX1-]: Failed to lock new back buffer.
    and others. Looks like thousands of those message - I did not count yet.
    Probably the "best" solution is and/or:
    1. Move them to a separate page/fake tab in the preferences, so that they don't load until you click there
    2. Toggle them based on alphanumerical headers based on the first character in the URL, or whatever

    I don't know, but I know that noscript 10 brings my nightly build to its knees, and that it's very hard for people to help you outside of the mozilla IRC because you're not on github (or some sort of public version control with pull requests/issues/etc, but of course github would probably potentially attract more contributors than most other platforms currently)

  4. #4 juggle says:

    the new version is blocking live bookmark feeds in firefox ??

    Disabling NoScript restores all live-feed functionality.

  5. #5 Clara says:

    I would like an option to revoke temporary permissions (like old NoScript had). Some people can go weeks (or months) without ever closing their browser.

  6. #6 Mark says:

    Thank you for your help, Can you please add an option to hide the number of blocked websites that appear in toolbar icon?

  7. #7 a NoScriptUser says:

    The GUI is looking terrible. Is there a way to get the old gui?

  8. #8 Paul says:

    How about a temporary allow all, rather than having to do it to individual scripts?

  9. #9 williaty says:

    1) Absolutely need a "temporarily allow all" function to return. It's critical for troubleshooting sites with stupidly large number of scripts a.k.a. "Is this site just broken or is noscript breaking it because the site relies on some stupid 3rd party script".

    2) Absolutely need a "revoke temporary permissions" function to return. As noted, some of us don't quit the browner very frequently.

    3) Yes, the UI is a dumpster fire.

    4) Some performance enhancement needed because if you have many script-intensive tabs open, things get ugly.a

    Thanks for coding it for us!

  10. #10 Giorgio says:

    It seems you just need to allow the "fetch" permissions in the DEFAULT preset for the live feeds to load. I'll fix it transparently in next release ("fetch" without scripting makes no sense for web pages anyway).

    Revoke temporary is planned.

    Yes, but higher priorities first.

    @a NoScriptUser:
    No, the old GUI is technically impossible as a WebExtension. But we've got a real chance to make the new UI both powerful (as it is) and simple (as it was). Waiting for concrete suggestions.

    Temporary allow all is planned

    Could you point me to a performance-critical URL (maybe in an email)? Thanks!

  11. #11 fan of noscript says:

    Thank you for all your hard work. It felt uncomfortable to use firefox without noscript.

    But the GUI needs to be refreshed. The buttons/icons are not intuitive.

    The temp permissions should not be hidden inside another button. I think that was an important feature of the old GUI. Revoke temp is also needed.

  12. #12 iioiooioo says:

    I have no complaints, feature requests, or bug reports. Just a big THANK YOU, please keep it up - it sounds like a ton of work...

  13. #13 h4ns says:

    First, Thanks for your hard work!

    Then, I don't get the meaning of the CUSTOM Button. You can also change the permissions in the TRUSTED and UNTRUSTED pop up, by clicking twice on it.

    Also you are saying here the DEFAULT button is to "forget about this site".
    If I choose the CUSTOM preset and change a permission manually in the pop up underneath like 'object' and change the preset back to DEFAULT, it stores the changed permission 'object' for the DEFAULT preset. Still there after closing the browser.
    After this the set permission 'object' is now set in the UNTRUSTED preset too. That's rather hard to get.

  14. #14 Joe says:

    What are some limitations that you are facing when it comes to design?

    I can perhaps try to think of some ideas and submit them on the forums but where can I find out whats possible and whats not?

  15. #15 Thomas says:

    The new UI is an inconvenient change for "noscript veteran users" but after a day of using it, it´s not such a big deal. I get used to it quickly and I don´t regret the change anymore.

    From previous UI I would also appreciate – except already mentioned temporarily allow whole page & revoke all temps – hide the list of untrusted domains or sort them somehow not to bother me (e.g. at the end of the list).

    And foremost thanks a lot for noscript, I am happy it is back again, it makes the world (wide web) better!

  16. #16 Bio says:

    @Giorgio: Any solutions for someone like me who uninstalled everything and exported Noscript settings/whitelist in preparation for starting with a fresh clean profile on Quantum? I really don't want to add my 9000 exceptions manually again.

  17. #17 Wolfe says:

    Hi, I'm not sure if this is a NoScript issue or an issue with Linux Mint, but on Mint 18.1 I was experiencing extreme crashes with NoScript enabled (for example as soon as I installed NoScript it crashed immediately) It is also breaking when I click on NoScript preference page (as in tab freezes or crashes or makes every other page turn white) the other issue is 90% of pages i've used are just blank white pages (with the appropriate script allowed) and another issue is that facebook messenger breaks even with scripts allowed, anyways thanks for NoScript 10, but currently it's completely unusable and i'll have to deal with uMatrix for the time being, which sucks lol, and again please try to make the new UI resemble the old UI.

  18. #18 ControlFreak says:


    For the toggle buttons - especially since some of them appear to have more than two states, I think you ought to include a tiny little down arrow in the icon to indicate to the user that there are additional options. Then, when the user clicks the button a drop down appears and all the options are presented. Ideally, the drop-down will provide an icon and descriptive text for each option, so that the user can read and become familiar with what they do. That way, they can see what the options are and choose the one they want.

    It shouldn't be necessary to read a user manual to figure out what this does and how it works. This addon needs to be for the masses. So, hopefully the user interface can continue to be refined until the point where even my wife (ahem) can use it. I think there will be loads of people wanting to assist you with this once it goes up on github.

    Please don't forget the people who upgraded Firefox for Android expecting to be able to use the new extension, only to find out that it doesn't work on it at all and are now stuck unprotected. I didn't see it on your to-do list, but I hope it's on there somewhere.

    Thank you!

  19. #19 Psion says:

    I actually think I'm one of the few people who *likes* the new UI ... it needs some tweaks, but it's easy enough to understand. One thing I've noticed is that the old Noscript would update all the tabs when a common permission is changed, but this version only updates the currently selected tab.

  20. #20 rebro says:

    After today's installation of NoScript 10.1.1 in FF 57.0 (Win 10 x64) it does its blocking-business in the background without responding in the slightest to my desperate left- (and sometimes even more desperate right-) clicking on its icon whenever I want to make use of some blocked script.
    Is this a known common problem or just home-made blundering on my side?
    As I see now: The bookmarks toolbar is also completely blocked by NoScript 10.1.1

  21. #21 toby says:

    Great Work!
    I'm just waiting for planned ClearClick and ABE implementation, which I classify as very important.
    Will all security settings of NoScript 5.x be implemented in the new version?
    Well, one thing bothers me right now: I can't distinguish between Frames and IFrames, in NoScript 5.x I could.

    PS: I also like the new UI.

  22. #22 Average Joe says:

    First of all, thank you for the new NS version. I'm a long time NS user and it is nice to have it back on FF57.

    Like #15 says, for old users, the new UI is a bit disconcerting at first but you get used to it after only a few minutes. I just have two requests (on top of the one already made):

    1. Please add a direct option to only allow temporarily a script. Right now, you first have to allow a script and only then you have the option to allow it temporarily.
    I'm a control freak and for some site, I prefer to have to allow it temporarily every time. Having to have to click twice instead of one is annoying compare to the old version. Please add a fourth button "temporarily trusted" beside "Trusted", "Untrusted" and "Customs"

    2. Please bring back all the options that were present in the settings of the old NS. The new settings page is kind of empty (but I guess this is coming).

    Thank you very much for your work

  23. #23 w13d0w says:

    I am not gonna bitch about the new UI, it took me a minute but I get it now. Its basically the same as the old dropdown menu, exept there isnt a line for every option any more but one for every domain and all the options are in the same line. Suggested immediate changes:

    -make "not trusted" the default
    -switch the "not trusted" button for a "temporailly trust" button
    -adjust column space for non english translations or switch back to english completely
    -add "temporailly trust all" option and the revoke option for it

  24. #24 Nego says:

    I've been a now long time user of no script and thanks for the hard work you're putting into it,
    I just want to give my honest feedback on this version and the ui is definitely lacking the option to immediately toggle temporary permission.

    I also don't know if anyone is having the same experience with the ui but it is very cluttered and wastes a lot of space on my screen

    You could (maybe) toggle the choice as they were presented via a drop down menu or something similar ?
    I found myself quite at loss at the config page which is just a list of the permissions (but maybe you've got something planned)
    Options to display only certain buttons would be great (I.E. i'd love to have only temporarily allow and block options only displayed)

    Anyway thanks for all and keep on the good work

  25. #25 JohnX says:

    Thank you very much for coming through with the new version of
    NoScript. There must be thousands of people who are grateful and

    Three things:

    (1) It took me a long time to figure out how to get it working right.
    The solution turned out to be: (*) Open the Options screen; (*) Click
    the "debug" checkbox on the bottom; and (*) Edit the json to delete
    the line under the DEFAULT|capabilities.

    That change makes NoScript load pages the way it used to.

    (2) Please restore the option to suppress automatic reloading when a
    change is made. What I often do is enable scripting long enough to
    load a page, and then disable scripting so that I can read the page
    and click on links without the page doing crazy stuff.

    (3) I realize this is low priority, but there's a function that I used
    to use a hundred times a day: Click on an element in the page and
    press the delete key, thus removing the element from the displayed
    page. This makes it possible to get rid of all sorts of crap on the
    page, and makes the page much easier to read.

    Thanks again for doing all this, and I hope that someone, somewhere is
    paying you a salary for this.

  26. #26 JohnX says:

    Correction: (*) Edit the json to delete the line "script," under the

  27. #27 Scott39 says:

    Thank you, Giorgio, for all you work on the Quantum version, and the other versions of Noscript as well! A great product that I can't do without!

  28. #28 ns user says:

    revoke temporary allowed permissions(the easy way) is definitely missing;
    temporarily allow and revoke is now in two steps(trust and then clock or clock and then untrusted again).

  29. #29 Erpolo says:

    Uso NoScript da anni e mi addolora ammettere che questa versione è terribile. Non potevo immaginare una GUI peggiore e meno intuitiva di così, per non parlare delle funzioni mancanti rispetto alla precedente.
    Mi spiace Giorgio ma qui c'è da riprogettare l'interfaccia da capo, attenderò con fiducia.

  30. #30 Stevo says:

    Just to point you to this posting

    I run in the same issue. That means if i do for example in tab "xyz" a "custom temporary allow" and click the "script" box below,then ALL "script" boxes in all settings are clicked, even in other tabs with other sites open. this allows scripts in tabs where everything is in "default" as i opened the page initially.

    FF57 with ns 10.11 on win7x64 (updated a few hours ago from former FF56.X with ns 5.1.7 and ublock origin as the only addons, since then fiddling with ns). i'm a manual reader ;-) if any ..

    Sorry for my english, but i'm no native speaker.

  31. #31 ControlFreak says:


    I'm a huge fan of NoScript. I wont browse the web without it. However, I'm not sure whether it is just me, but neither your old nor your new NoScript seem to do what I *really* want. Also, the new interface seems way too flexible/complicated for the way I would like to use it. I think I just need a grouped list of scripts/objects/etc. with three buttons, 'Allow' (with sub-categories - see below), 'Deny' (with sub-categories - see below) and 'Forget Rule'!

    This is how I think about it and how I'd like it to work at a basic level. There are several categories of script that could try to run on the page:

    Global-Allow) Those that I always want to allow on any site/domain.
    Global-Deny) Those that I always want to deny on all sites/domains.
    Site-Allow) Those I always want to allow for the current site (matching on protocol and full domain name) or just domain (matching on second and top-level domain names only).
    Site-Deny) Those I always want to deny for the current site (matching on protocol and full domain name) or just domain (matching on second and top-level domain names only).
    Site-Unknown) Those I haven't yet decided about, and may wish to move into one of the other categories. These should be blocked by default.

    Within the UI, I'd like the following:
    - When I am visiting a page, I should be able to tell if there are any scripts in the Site-Unknown category via some kind of indication.
    - I should be able to quickly and easily bring up details of all the scripts associated with (blocked or running on) the page.
    - Scripts should be grouped according to the categories above.
    - Site-Unknown is the most important category and scripts in this category should be listed first, since I may wish to re-categorise them.
    - It should be very easy to move a script from Site-Unknown into to one of the other categories. i.e. There should be an 'Allow' button/drop-down with options 'for all sites', 'for this site #####://###.###.##/' and 'for this domain *.###.##', and a button 'Deny' with the same options (and with ### replaced by the current page info).
    - It is important that the other (non-Site-Unknown) category scripts are listed so that I can easily see what is being allowed and denied. It should be easy to move a script out of such categories back into the Site-Other category. This could be done via a single button, 'Forget Rule'.

    In addition, I would like to be able to apply the same principles above to plugins, fonts, object, etc.

    With this scheme, there is no more temporary allow and temporary deny (!) because normally you want NoScript to *remember* your rules, not forget them!

    Personally, while I loved the old NoScript, I never found it optimal, because I would end up constantly faffing around with temporary permissions on pages when NoScript could have learnt what I wanted to do for a specific site and never bothered me about it again. This scheme above would overcome that... and it appears to be far simpler than what you proposed. If we can take the opportunity with the new NoScript to make it learn and remember what you want per site, so that with time you can forget it even exists for the sites you visit most often, that would be amazing.

    Oh... and the UI should be designed keeping in mind that this has got to be accessible and work on mobile and desktop from the start, otherwise you're going to have to do a lot of redesigning later.... I read suggestions for relying on double-clicks in the above etc. with horror (especially since how is anyone starting out with the addon supposed to know that performing such an action does such a thing)!

    Sorry for the long post. You did ask for input! Good luck.

  32. #32 Harry Potter says:

    Why are some domains white listed by default? I enjoyed No script pre-version 10 when we had a choice whether to decide if something is OK. Now, you install Noscript and Google domains along with other unnessessary domains are white listed. I'm not saying some of them are unnessessary cause I know that Google's domains are important for some sites, but I want to decide if I want it white listed for that site or not.
    And there are so many domains white listed by default that switching them to the "default" setting with the new UI takes a god chunk of time.

    The users using your extension aren't tech illiterate. I don't know one person who would use your extension if they can barely use a computer. I implore you to remove the "by default" whitelisted domains as (and im saying this as respectfully as i can) I don't think I need someone else choosing which domains are OK and which ones aren't by default.

  33. #33 w13d0w says:

    Cont. from #23:

    Oh, and maybe consider having only the "custom" option customizable in the quick menu to battle confusion a bit

  34. #34 Chron says:


    I feel like the graphics could make it more clear that the four icons on the left with the trusted/untrusted/default text are the primary intended controls. The eye initially gets drawn to the red/green of the lock icon, but it seems like a niche feature--is there a reason I should be caring whether I have an http or https connection to a site that wants to run scripts? Are sites with malicious javascript spoofing that they're coming from a more legitimate source? If a line is only configuring the settings for a site when it's using HTTPS, what settings does it use when it's NOT using https? The default?

    The left column of icons, I still think would be clearer if Default/Trusted/Untrusted/Custom were column headers or mouseovers. Maybe a button motif around the icons with the selected one depressed. The icons are okay for "scripts allowed/not allowed", but the icons are overwhelmed by the text, and the text is less obvious than the text in old-NoScript's controls--"Forbid" and "Allow" are clear, it was not clear to me that "Default" means "forbid" and "Trusted" means "allowed". Even after figuring out that the left-side was controls it wasn't clear what I was supposed to set a site to to enable scripts.

    I'm not sure where the clock icon for temporary permissions would have to go if the selected profile icon didn't have a ton of extra space from expanding with text. Is the intended workflow here that to grant temporary permission, you click once to set the site as "Trusted" and then click the clock to make that temporary? That...has a feeling like you're giving the site more trust than you want, because you have to pass through the non-temporary state while setting it. Maybe part of the problem is the word "Trusted", since allowing scripts in old-NoScript didn't have anything suggesting that you were actually trusting the site (and a lot of the time I used the temporary permissions, it was because I really didn't trust the site, I just felt it might be necessary for something I wanted to do at the moment).

    What is supposed to be the difference between Default and Untrusted? Old NoScript might have had a concept of Untrusted, but I never made use of it. Are they not both just disallowed from running scripts?

  35. #35 Stevo says:

    Seems the UI has an issue. if i tick (for example) "script" in the "custom" section of ns-menue on any open website-tab and switch to the next entry below, select "default" there, then sometimes (!) in the '"default" there is also "script" checked without me doing it.
    i can reproduce this. this is also stored in the settings (i looked with "debug" enabled and see it having changed in the "default" section.)

    also, while selecting one entry in the ns-menue and the line with the corresponding boxes ("script" etc) opens, at the bottom of the whole menue-window of ns under the last menue entry the line with the boxes is also open (and only half visible).

    German language version.

    I apologize for my english, i tried to express the issue as good as i'm able to .... but thats the way it is .. ;-)

  36. #36 Langenscheiss says:


    You realize that you also interfere with content scripts of other web extensions?

    On Chrome and Opera, xmlhttp requests can be sent from background pages, with cross-site priviledges set to either the active tab or any website specified in permissions. On Firefox quantum, requests from background in general often seem to be disallowed by same origin policy (it was allowed before), unless you want to grant the extension access to every website. So the only way to make http requests is to use content scripts, as you are then restricted to this one origin which you have already loaded anyhow. However, not even these requests work with NoScript enabled.

    I don't think this is good behavior. Content scripts from other webextensions are privileged by definition, so NoScript should not disallow them! I read there is going to be some changes in Firefox 58 (again!!! It's becoming a pain in the butt already with their cross site policy), but maybe you can change something as well.

  37. #37 Rob says:

    I understand that making the old UI exactly might not be possible in a web extension, but could you not get the stuff which happens when you click on the NoScript icon to be the same as before, a dropdown of allow, temporarily allow of forbid (shown as words, pictograms are confusing and hard to see) for each domain currently being loaded. Then restore the ability to click on blocked elements (can you still cover these up and allow and disable individually each object on a page or has the new API wrecked this) to enable objects like flash, iframes, html 5 videos...

    Then I understand that all web extensions use one of those webpages for controls rather than a pop-up window like noscript 5 has, can't the control "webpages" be made to reflect exactly the content that used to be in the pop-up window?

    Keep up the good work Giorgio, thanks.

  38. #38 Rob says:

    Is re-enabling the way that old NoScript had a "reload this tab only when i change permissons" possible? That too is a feature I found really important.

    Does the new API also make the "message at bottom" and "audio feedback" impossible?

    The really important thing about noscript is the way you can choose exactly what to allow and what to block, that's what makes it such a wonderful tool.

    Thanks, hope you can get things back to a form we feel familiar with but can't begin to imagine how tough it must be to do.

  39. #39 Rain says:

    Like others mentioned, a toggle clock in the top bar that allows temporarily all and one to revoke temporary permission for all would be great. For some sites you have to click through a couple dozen links if you want to temporarily allow them.
    Other than that, I like the new layout and custom settings. It just takes some time to get used to the new UI.

  40. #40 ZeroSum says:

    The new NoScript does not appear to function in FF 57.0 when in private browsing mode.

  41. #41 Kelly says:

    As a heavy user of NS, I find the new UI very confusing. I get that the old UI is not exactly possible since the bastards took away XUL access, but surely it could be made to look generally similar?

    Anyway, I have typically used NS with default block, with a few domains set to trusted and the webgl/fonts/html5 media/etc blocks on, and set to block on trusted sites as well (so e.g. youtube is trusted, but I still have to unlock the elements to play (click to play everywhere)

    I don't get why if the site is set to trusted, the "script" option is always checked and greyed out. and when set to "untrusted" you can check everything... If I am understanding what it is doing correctly (assuming we don't go back to something closer to the old interface), maybe better to just have a "default" and "custom" mode - default well, defaulting to whatever global setting you had, and "custom" allowing it to remember specific per-site settings, you pick which ones?

  42. #42 Jackie says:

    Can you re-add the feature where you could hover over the icon and the menu would pop down? That was more convenient than you can imagine for me.

  43. #43 John says:

    Why did you dump the existing UI and also the best features without at least polling your user base? Seems like a mistake you'd expect from Mozilla, not you, with all due respect.

  44. #44 NoScript-User says:

    Many thanks for all your hard work, Giorgio!

    As some already mentioned - is it a bug that changing CUSTOM settings also changes DEFAULT settings in the same way - remaining even after a restart of Firefox?

    Maybe you could better clarify what is the CUSTOM setting intended for?

  45. #45 Snog says:

    In the past version I was a heavy user of the temporary allow permissions feature (accessed via that pale yellow bar that would show up on the bottom of the browser) - but I had to disable this version for now because I could not figure it out and stop it from breaking websites that I didn't want it to... (though reading through this thread has given me an idea of how to use the new UI)

  46. #46 Haarek says:

    Hi Giorgio,

    I have some suggestions to the UI and have made a alternative UI (only a mockup), I'll see if I can post my suggestions here tomorrow.

  47. #47 George Hazard says:

    Add-on works fine. The only thing I'd like is to be able to hide the number notification at the upper right corner of the add-on in the browser. I personally don't think it's necessary but it's a minor issue and I hope i t gets added in some future update :)

  48. #48 uwe says:

    I think there must be a lot of pressure by askings from the crowd. I'm impressed how relaxed you react on this Giorgio! Keep it that way. Take your time and don't forget to enjoy your life and your family.

  49. #49 Talji Mera says:

    First of all thank you very much for your effort and time working on this new version of NoScript for FF Quantum. I truly appreciate it.

    After playing with it a bit I think I am slowly getting used to the new UI. I did noticed, however, that whenever I open up the Option page, FF will SOMETIMES just freeze. When this happened I cannot scroll up or down on the option tab nor switch to another tab. This does not affect the system as I can still switch to other running programs. The only way to unfreeze FF is to close the option page. And it took sometime after clicking the X on the tab for the tab to close and FF unfreezed.

  50. #50 Jellybean says:

    Thanks a ton Giorgio. I've been using NoScript since Firefox 2, and it's really a pleasure to see activity buzzing around it again.

    I think putting it all on GitHub will help a lot since you have a family now and income sources that take priority over NoScript. Even if within the next few months it will have a lot of your attention, GitHub should future proof it even further :)

    Beyond a new guide or FAQ or whatever, I am also curious about an exhaustive feature to feature comparison with legacy NoScript, as feature parity will only be reached mid 2018 or so, if I understand correctly.

    I know it's a lot of work, so thanks again and congrats on the milestone :)

  51. #51 T says:

    Thanks for all your hard work! I would, however, like to leave a bug report.

    There's something VERY buggy with the XSS popup; for me, I run into trouble when I'm on tumblr. When I'm on my dashboard, it's fine, but if I try to visit an individual blog, I'll get a popup that says something like window.[something] (I'm not going to check) that will (theoretically) allow me to sanitize, allow, or always allow -- except no matter which option I select, the xss warning popup keeps coming back (and I have to kill the firefox process to get do anything). Other times, I get an xss popup warning me about a long string of characters (which, as far as I can tell, just controls the buttons that allows me to like/reblog a post) - this one seems to go through when I choose block/allow/always allow, but I have to get to this one first (the other popup won't let me if I get that one first). But even this one does not let me set an exception for all of tumblr - just that one individual's blog. This one's easy to reproduce - just ensure "" is whitelisted, and visit a few people's blogs, such as veliseraptor or mikkeneko (I got errors with both of these).

  52. #52 Hello says:


    I've used noscript for like 10 years and I have no idea what's going on with the new look. I just use it, I'm not into the tech behind it or anything.

    Websites I use often are not being blocked in the way they used to be. Sites like gamefaqs, reddit look completely different font wise with the new noscript compared to the old one, which also blocked all ads etc. It doesnt do that now.

    I have no idea what noscript is doing or not doing. I cant stand the look of Quantum so that doesnt help either...

  53. #53 J says:

    I'm used to one-click temp allow all via middle click. If this now requires 2 clicks for every site that may be real issue.

  54. #54 IHateIt says:

    The UI should stand for Unusable Interface, because that's what it is now. I've been using NoScript for years, but today I switch to Umatrix, which is a lot more user friendly than NoScript in its current form.

  55. #55 pop says:

    Loved the old ns ui and options.. Sorry to say I'll be switching to umatrix until this mess gets sorted out...

  56. #56 JacksonFireX says:

    Maybe this will help with further troubleshooting and sharing (Firefox 57 Quantum, Windows 7-64, v10.1.1 Noscript + latest Ublock Origin = only security/adblocking addons)

    CUSTOM / DEFAULT issue like the others have said : any changes to either, will either auto-reloads other unrelated website tabs and applies globally to all CUSTOM/DEFAULT urls. If it doesn't auto-reload the Tab, just refresh the Tab and now see all permission scripts allowed.

    This can be replicated if you wish to try:

    1. Load up or remove whitelisting to the noscript forum (easy to restore since 1 main address) + CNN (or any other heavy news website with dozens of urls)

    2. Modify CUSTOM (without clock toggle) to "allow script" > any other tab you have that didn't have scripts enabled by DEFAULT (refresh that Tab or see if it auto-reloades), have now enabled them for every url. This will be for any website tab.

    3. I tested this with the noscript forum + CNN website that were blocked by DEFAULT.

    4. Clicked on noscript forum > CUSTOM > allow SCRIPT

    5. Immediately, my FF-57 tab with CNN reloads by itself and the DEFAULT is now set to "allow script" on every url - it was almost an unreadable page but now works like you never had NS. Even the videos now play without a single other modification. If the website doesn't auto-reload, just refresh the Tab.

    If you click only the Clock toggle under CUSTOM, then it won't apply globally to every DEFAULT website tab or url.

    I noticed that it's easy to miss the clock timer button and you run the risk of selecting CUSTOM and it globally changes all the DEFAULT tabs.

    * Changing any setting in your WHITELIST DEFAULT OR CUSTOM, also changes every other DEFAULT setting on your open Tabs and other whitelisted tabs. I tested to remove one url in the whitelist by changing it from TRUSTED to DEFAULT and then UNCHECKED "allow script" and all my open tabs changed to be blocked.

  57. #57 Wrecked on the Tundra says:

    I also had some grouchy times with the changes to FF and ALL the extensions, but as time goes by and I figure this out it is becoming clear there is great potential here. I wish I could offer more than just mundane words but I accidentally knocked the small remaining cluster of brain cells of their perch atop my spinal cord and I am having trouble simply typing and breathing at the same time.

  58. #58 Jim Firefox says:

    I think there's hysteria here. The interface is not nearly as bad as you ninnies are claiming

  59. #59 JacksonFireX says:

    Somebody did tinker around to modify CCS/HTML to make a classic look on the forum (almost looks like old NS but missing some things) - not sure however if it's safe, legitimate/valid with Webextension requirements but may help with brainstorming ideas:

    noscript forum link the their comment (user: mutik , 2nd post)

  60. #60 IHateIt says:

    I just want to be able to temporarily allow sites, and then remove all the temp settings at the click of a button. NoScript no longer lets you do this, you have to restart the entire browser for Temp settings to revert back.
    Umatrix lets you do it. It can do everything Noscript could, and the more I use it the more I realize it is a lot more customizable than Noscript ever was. It lets you allow 2nd level sites to run scripts, but only on a site you want it to, and not on every site. Or you can allow scripts from a site globally accross every site too, like you could in NoScript. I wouldn't have switched if NoScript had a more user friendly UI, but now I don't think I will switch back now even if NoScript's UI does improve. I should have switched to Umatrix years ago.
    Arrivederci, Giorgio.

  61. #61 LS says:

    Unless I am completely misunderstanding things, the new NoScript currently operates with a Default whitelist, and only blocks scripts when told that a domain is Untrusted.

    This the exact opposite of the old NS. As a matter of protecting the user from new harmful scripts, it is utterly useless. One might as well not be using NS at all.

    Defaulting to a blacklist, and then individually whitelisting domains, was the biggest reason to use NS to begin with. NS needs to get back to this, ASAP.

  62. #62 j39m says:

    Giorgio, thank you so much for getting this out there. Hats off.

    I wish all the best to those whose mouths are full of complaints but whose hands never formed a pull request.

  63. #63 pop says:


    Some think the interface is good, some think it's bad. The question is- Is it better than the old UI, and will it attract new users and keep the old ones?

    This has nothing to do with hysteria and everything to do with a user's browsing experience. And like IHate, i too ended up finding and liking umatrix, an add-on i had never even heard about until the new ns pushed me to look for an alternative. Whether or not i switch back to ns will be determined on where it goes from here. But umatrix is working pretty darn good right now after using it for less than an hour.

    This is not a knock on Giorgio and all his contributions..
    Good luck to all

  64. #64 C says:

    Greetings and Salutations!

    It is awesome...

    Thank you!

  65. #65 FrancisT says:

    I have a problem with localhost URLs.

    E.g. http://localhost/cgi-bin/

    Some of the time - and annoyingly it is not predictable - these turn black (a bit like the private browsing windows). I have localhost in my whitelist but that doesn't seem to make a difference.

    Once this happens new tabs of all sorts start failing and turning black I have to restart the browser. Then they all start workign again for a while

  66. #66 Q says:

    Thank you for all your hard work!

    What I like about the UI:
    - Each domain on a single line in the page dialogue
    - The CUSTOM permissions option
    - The HTTPS only option
    - The blocked items count on the toolbar badge

    What I don't like about the UI:
    - The check box menus opened by the settings gear on DEFAULT, TRUSTED, UNTRUSTED, and CUSTOM appear to be site/domain specific because they're on every button on every page, but they function like global options. If they are meant to be global options they should be present once in the global options dialogue not on every button on every page.
    - I'd like to be able to temporarily trust/custom a domain with one click instead of two

    UI questions:
    - Why do some checkbox options have a red background while others don't?
    - What is the difference between script and fetch checkboxes?

    UI bugs:
    - Selecting checkbox options in CUSTOM changes options in DEFAULT.
    - Sometimes clicking the Noscript toolbar icon opens the global options dialogue instead of the page dialogue. It happens every time on

    - A button to revoke temporary permissions for a page.
    - A button to revoke temporary permissions globally.
    - Bring back the feature that turns media/elements into a clickable Noscript icon.
    - Bring back clickjacking protection.
    - Android support, even something minimal like just a script whitelist.

  67. #67 theblackscorpio says:

    Thanks for the bullets of sweat, that must have gone into this. And thanks for the thorough explanation on the functions too :)

  68. #68 stevE says:

    First of all: Thank You very much for this gift over all these years (yes I donated but still see it as a gift).
    I wanted to write a bug report at the forum, but the fitting thread was closed. So here:

    Default block doesn't seem to block by default. Opening with the old plugin on Firefox ESR shows as expected a message about Javascript not activated. Opening the same URL with Firefox 57 and the new NoScript shows the complete content of the site as with JavaScript activated (even it's marked as "default" in the UI). Looks like the "Default" is allowing everything and not blocking. :-(

  69. #69 Gaurav says:

    Hi Giorgio, thank you so much for all the hard work you've put into this, and the work and maintenance you have planned ahead.

    First of all, let me say that I am impressed by your calm responses to the capslock-heavy, knee-jerk reactions that seem to mainly center around the UI. Looking at the reviews on AMO feels like what I imagine is like cancer (as if it were a tangible fluid) injected into my eyeballs. It reminds me that, yes, some of our most vocal fellow human beings on the internet display an unusual amount of assumed privilege and autistic properties ("it's not the way it was! change it back! or I'll take my business(?) elsewhere!"), so soon after seeing similar complaints directed at Mozilla for the fact that an extension called Classic Theme Restorer is not working on Firefox Quantum. These complaints are mindbaffingly absurd as is their follow-up threat to move to another browser. (how does that NOT enlarge their perceived issues?) I only hope you won't let yourself get disheartened by these irrational responses, and still find the willingness to listen to those that present their issues more constructively.

    I'm also surprised by the number of people who consider a temporarily allow all button so all-important, some mentioning they "use it all the time". Doesn't that defeat the purpose of blocking any scripts to begin with? But I digress.

    I think the new UI is a good start as a replacement for what could not be replicated. It is at least as intuitive as the old UI, and it's not the unintelligible mess some unintelligible people make it out to be. I'm noticing a few issues that I'll mention here while you don't have a public issue tracker up yet:

    - On Linux (Ubuntu 16.04), with a clean profile on stable: once you have a good amount of rules added, the noscript preference page starts to bog down and sometimes even cause temporary freezes in firefox. Some of these seem to be coupled with drawing issues, and when those occur, closing the preferences will cause the tab you return to turn all white, or black, or have major flickering issues. The only fix is to restart Firefox. The issue is probably on Firefox's end, but I'll mention it anyway since it only happens with noscript and maybe you'll stumble on what might be causing this.

    - If you put a non-HTTPS resource on trusted, the clock icon lights up automatically, indicating this is only temporary. However, in this specific case, when the page has reloaded, looking at the permissions shows the clock icon transparant again, indicating it is trusted permanently.

    Looking forward to your continued work and you opening up the project once you get a github page up. :)

  70. #70 aname says:

    Hey there - was looking forward to your update of noscript. Big thanks!

    However the new UI ... I don't mind the design too much, but please revise it. What was 1 click before is now 2 clicks (for the clock) which is really annoying.

  71. #71 Belladonna says:


    Please accept a big thank you from me too for the huge amount of work you've put into NS 10. And all the tweaking that will be needed afterwards, no doubt.

    As far as I can see, it works alright for me, although I too need some considerable time to get to grips with the new GUI of NS.

    A future suggestion popped into my mind though, while reading the comments here:
    Maybe you should think about creating (also) a NS Light, which would hold similar/ just hold the (unique, e.g. XSS and ABE) elements of the current NS? After all, users seem to have considerable overlap, since many seem to use other settings/ addons that already do many of the things NS also does. And that might potentially reduce (reported) system load considerably...

  72. #72 Exzentrik says:

    Well, after seeing the Screenshot above, I'm certain now, that almost every complaint about the bad UI is caused by the fixed button size. The temporary permissions are simply not visible, if the Buttontext overlaps into ne next button, which confused me a lot. I already posted this in the comments for the last Update, but here it is again:

    Aside from that issue, I REALLY like the new UI. Especially that NoScript now seems to pick up way more scripts. There are only three things, that really concern me:

    1. Some domains were already whitelistet, without showing up in the settings-Window. I cleared all domains after installing NS10 and visited The scripts were already allowed, without me having done so. needed to be whitelisted again.

    2. The old NoScript had some sort of redirect-prevention feature. I don't know how this worked, but when a site tried to redirect me, I saw a white page instead. This white page only showd the small NoScript Icon, followed by a link to the redirection target. I had to manually click this link in order to get there.
    This feature was awesome! I HIGHLY appreciated it! Is there any way to get this back? Firefoxes own feature ("Warn me when sites try to redirect") doesn't work most of the time, and in the new FF-Version, this Option completely vanished from the settings page.

    3. Maybe a clear info on how to remove domains from the settings-Page. Many people complained about this in the last updates' comments. They seem to not have realized, that Only pages with permissions get saved. So they can be removed by simply setting the permissions beack to Default.

    Anyway, Thank you for your awesome work!

  73. #73 Jan says:

    Thank you for your hard work and I'm sure you'll get Quantum up to the quality of the olf noscript.

    I have just one wish: Please prioritize whitelist import! I've collected a pretty extensive list with sources I trust and distrust. I even did a backup every 2 month just so I don't have to go through all the trouble again. Now I just reinstalled Windows and got the new Firefox and all that was for naught :/

  74. #74 GrumpyOldLady says:

    When you're finalising the power user interface, I'd like to see something for the casual browser who is
    less concerned with privacy and complex security navigation than with efficient quick page loads combined with protection from scripting per page.
    This is how I've always used NoScript and efficient access to 'temp allow', 'untrusted', and in particular key shortcut CTRL SHIFT "/" to let the main domain's script run are top of my RFE's.

    After a day's casual browsing around a couple of news sites and a few twitter accounts - along with government agency information sites - all of which are low XSS risks in my experience - I find that keeping a separate window about:config and toggling javascript.enabed along with NoScript enabled is giving me more efficient casual browsing than wrestling with the new interface, along with the significant performance hit that simply having default NS running appears to give.
    This is because most of my casual browsing is ok without pages running scripts. Indeed, with the new
    emphasis on mobile-friendly loads, I've found that many sites - twitter included - run well and load faster without js on their mobile default display.

    Main RFE is therefore for something similar to the simple/full preference toggle that the VLC player offers.
    The simple interface would be something like: one click for top domain temporarily (can a single stroke both enable and then enable temporarily as a chained action that doesn't need separate clicks?), with another click to
    expand to full interface for embeds and more security and privacy etc. The case for a simple temporary allow top domain per page is I think fairly good for the person who wants to avoid drive-by hits and advertising. That way I can relax knowing I have the fabulous XSS protection that I've always thought was the best NS innovation ever.

    Thanks for working to take us all into the new decade as the best friend of web travellers ever!

  75. #75 GrumpyOldLady says:

    And kudos for the new iconified menu! It's as intuitive as the XUL one, and signals to the
    person how to work within the new browser.
    Text on the icons should stay of course until all the new workers on github start contributing.
    As we say in Australia: NoScrpt for Quantum is fast out of the blocks.

  76. #76 Stefani says:

    When i invoke the settings page the whole browser dies... :-(

    But anyway, thanks so much for your hard work. I donated it.

    In meanwhile i must switch to chromium until noscript matures to an useable addon. Hope this comeing in the near future.

  77. #77 Richard says:

    I noticed that subdomains do not work as intended. I am on a corporate network. If I set the top level domain (acme.corp) to https I still need to allow each subdomain.

  78. #78 QWERTY-TURBO says:

    Thank you verry much, respect for the hard work !

  79. #79 Reda says:

    if you set a custom setting (temporary or not) it changes the default settings for every site as well
    so that from now, on every site scripts are allowed !!!

  80. #80 Wonderw says:

    First of all: Thank You very much for this gift over all these years (yes I donated but still see it as a gift). I wanted to write a bug report at the forum, but the fitting thread was closed. So here:

    Default block doesn't seem to block by default. Opening a Javascript-loaded-site with the old plugin on Firefox ESR shows as expected a message about Javascript not activated. Opening the same URL with Firefox 57 and the new NoScript shows the complete content of the site as with JavaScript activated (even it's marked as "default" in the UI). Looks like the "Default" is allowing everything and not blocking. :-(

    So just one question how do I switch it back to the original "Default": "block all except whitelist"? Thank You!

  81. #81 Reda says:

    @ Wonderw
    If you change the settings for "custom" the settings for "default" are changed too. So you have to untick the checkbox for scripts manually. Thats a bug.

  82. #82 George Valitsas says:

    As the poster above, Default does not block anything. if I expand it, everything is allowed and is ticked: scripts, objects, media etc, it is not blocking anything! the untrusted button un-ticks all these options, but if default is meant to mean blocked, it is not!

  83. #83 Reda says:

    @George Valitsas
    Everytime you change the settings for "Custom" with or without the Clock-Symbol, the settings for "Default" are changed as well, so the possibility to allow scripts for "Custom" (temporarily or not) is useless.

  84. #84 Werner says:

    caro signor Maone.
    Grazie mille per Noscript 10.funziona alla grande e funziona intuitivamente.
    Tutto il meglio per te e la tua famiglia.
    Saluti dalla Germania.

  85. #85 George Valitsas says:

    Well, I did not use the custom buttons at all. I just visited some websites, and everything was allowed, with the default option on! The websites run exactly the same way as with the noscript disabled!

  86. #86 Reda says:

    @George Valitsas
    When you click on "Default" you can see, which checkboxes are ticked, only frame, fetch and other should be ticked by default.

  87. #87 George Valitsas says:

    As I said already, in my case everything is ticked, i.e. allowed, when the default button is the chosen one! I did bot press the trusted or the custom buttons! Only the untrusted button to see if it was any different from the default (it was, blocks everything!). Other people have exactly the same problem. In our case, default seems to mean allow all, as opposed to the old noscript, when default was to block all, apart from the websites in the white list!

  88. #88 Richard says:

    With respect to subdomains: I noted that external sites work (at least I didn't notice otherwise so far), meaning those ending in well-known top-level domains. Our internal sites use "corp" as top level domain and these don't work for subdomains: I allow "acme.corp" with https switched on. However, "portal.acme.corp" is excluded although served with https.

  89. #89 Reda says:

    @George Valitsas
    When everything is ticked under "default", so you can untick the checkboxes for script etc. and scripts are not allowed anymore

  90. #90 George Valitsas says:

    So, I un-tick everything, making the default and the untrusted buttons the same, or should I allow some things to run in default. What is the properly configured default option, and why do we have to find and configure it manually, by ourselves?

  91. #91 Reda says:

    @George Valitsas
    at my installation the checkboxes for frame, fetch and other were ticked by default. On the settings-site (when you scroll at the bottom) you can also see and edit the settings in the debug section

  92. #92 George Valitsas says:

    I am directing this question to the developer as well. Which options should be un-ticked and which should be ticked under the default button?

  93. #93 Charlie says:

    HI Giorgio

    I'm going to go paypal you a donation for the work you are doing here.

    I have never considered NoScript an extension for the masses; most browser users do not know the precise definitions of the words software, script, and program.

    That being said, the UI is very counterintuitive right now, but very close to being quite good. The things I would change are:

    1) right now "temporary" is subordinate to "trusted", so "trusted temporarily" is two clicks. This is not optimal for most NS users, who use "trust temporarily" more than "trust". "Trust temporarily" should be a top-level option again. Having it there also gives you the "revoke" ability with one click.

    2) right now "trust HTTPS only" is a top level option, thus one click. But it only applies to some of the settings it's lined up with (trusted and custom, it does not apply to untrusted) so it makes the control hierarchy incoherent. This should be, instead, a subordinate option to the "Trusted" and "custom" options, or else a click box in custom settings.

    Thank you again for all your work. NoScript and SDC are the best things that ever happened to browsing!

    --Charlie Brooks

  94. #94 Richard says:

    Any chance you could either turn off, or add an option to turn off, the console logging? (At least the "info" messages.)

    As a web developer, I use the console quite a lot, but the output I'm looking for is being drowned out by the huge number of "[NoScript] ..." messages being logged.

    Thanks. :)

  95. #95 flaep says:

    can we get noscript back in the "right click /context menu"?

  96. #96 User Interface says:

    I agree with Psion @19 and others that like the new UI.

    Thank you for your hard work!

  97. #97 BIll says:

    Many thanks for getting this out there, it was what was holding me back from FF57. I can understand the trouble you must have had with this change of direction.

    Taking a little time to get used to, but thanks to #25 from JohnX I realised that by editing the policy settings for the DEFAULT section in the debug panel at the bottom of the NS options tab, in my case deleting all text between the [..] of capabilities, the default action seemed to be more like that of NS5, i.e. no scripts are run unless previously allowed/trusted.

    As before it is then necessary to experiment or remember what it is needed to allow before the page will respond as I wish it to!

    It appears that the default state of "Default" is the same as "Trusted" so that the page loads as designed. As others have said, this appears to be counter to the idea of NoScript, which I would expect to block all and allow only what I choose.

    I might be spoiling my web experience unnecessarily by disallowing all the options as default, but if the default is to allow everything and then turn it off after the page has loaded then the scripts have already run and the moment has passed!

    Perhaps it is just early days and a change to the default is all that is needed. Hope this helps somebody.

    Also tend to agree that the padlock is too prominent and doesn't convey the message clearly. Locked is good, unlocked bad, but is not a representation of the state of the script settings, which is what the eye thinks with a quick look at the drop down. Unless I am missing something, which is very possible!

    Keep up the good work. Many thanks.

  98. #98 io says:

    Is there a way to clear my permissions list? I'd like to start fresh.

  99. #99 Exzentrik says:

    @io #93 simply open the settings-windows for NS and set all domains on "Default".
    Then close the Window. When you reopen it, all domains should be gone. NS only saves domains for which you have settings that need to be saved.

  100. #100 io says:

    @Exzentrik is there an easier way? There's literally thousands of domains. I'm not going to sit there and click each one individually.

  101. #101 TheFastestFood says:

    Hallo all together,

    thanks for this great application, which makes my browaser safe again! I'm using it for years and I can't imgine Firefox without!

    The following things are NOT bugs, but may get improved as well:
    1. What exactly "Default" means isn't said or adjustable in the settings. (Waitig for the manual... ;) )
    2. The different sliding Buttons are confusing for me; I think it would be better to place them aligned to the right rim of the Window. => Like a table with the different URLs left and the adjustments right.
    3. The Window would be much more nice with an option for size adjustment.
    4. The Logo in the top right corner is cut to half and just the left half of it is visible.

    Thank you again!

  102. #102 detzt says:

    Hi Giorgio,

    first of all, thanks for all your effort!
    I know it's only a first version to get the basics working again, so I won't complain about anything. I think the new UI has a lot of potential, but is still immature.
    As you said "Waiting for suggestions". Here's mine:

    I liked to categorize every script either as trusted or as untrusted, so that the icon reaches either the completely white or the half white half dark state. Whenever the red prohibition sign appeared I knew there was a new script to decide whether I trust it or not.
    Currently the icon does not show a difference between "some scripts are untrusted" and "some scripts are default".
    The second point is that the alphabetical ordering causes a cluttered list of trusted and untrusted script.
    Hence my suggestion:

    - Toolbar icon has only a prohibition sign if there are default entries
    - List of scripts is first ordered by permission state (with default at the top) and only secondly alphabetically (changing the state should not affect the ordering immediately ;)
    - Separate button for temporarily allow, as others stated

    - Allow only on this side would be nice to have as well, but would probably overload the interface. Maybe it could be added to a more advanced configuration along with the custom option and only accessible with two clicks, hidden from fist sight.

    Keep up the good work!

  103. #103 Haarek says:

    Hi again Giorgio! As I promised yesterday here follows my suggestions and alternative UI concept.

    Possibly, the most confusing part about the new UI is that if you for example click on TRUSTED and change the rules it actually change the rules for every site marked as trusted. Assuming that is by design and not a bug, I think it would be better if the rulesets for default/trusted/untrusted are just presented once and not repeated for every site.

    I'm by no means a professional designer and I do not pretend to fully understand the addon or what your plans further down the road is for it, but I did make a alternative UI mockup that hopefully better explain what I mean:

    If you happen to like some parts of the concept or even all of it, feel free to use it at your disposal! :)

    Is the ruleset "Default" even necessary or could "Default" be merged with "Untrusted"? If "Default" is not needed, I think we could simplify the UI even further like for example just have a off/on switch where off equals to untrusted.

    I believe I read somewhere that you plan putting NoScript up at GitHub, I'm looking forward to it as I think that would be a better place to have a conversation. Maybe we then also could have some engagement from the group?

    Best regards

  104. #104 David says:

    Lubuntu 16.04.03 kerenl 4.10.38
    AMD 6 core, 16 g

    Loading the Noscript preferences never completes. Icons for the sites never fully paint. Scrolling down gives a list with no icons. Scrolling back up will lose previous painted icons. Changing tabs -- might get blank, might get Noscript page.
    JUST loading preferences page locks all other tabs.
    With Noscript enabled, I can't go to many, many sites that I could go to before. Without Noscript: works OK.

    But there are many sites I can't go to anymore no matter what.

    The current suite of browsers all know better than me how safe I want to be.
    I DO NOT have a choice of turning all the security off.
    A choice I don't have, that I had before.

    That is not freedom.

    I was going to donate, but unusable is unusable.

  105. #105 Solo says:

    Can someone please CLARIFY what DEFAULT should be set to so that it works like the previous versions of NS? It seems that by default it just opens everything on the webpage if you like it or not. Thanks.

  106. #106 Forka says:

    Hi @Solo, this is what I have in the "debug" section and works great, only modified the "DEFAULT" that blocks everything like the previous versions of NS:

    "DEFAULT": {
    "capabilities": []
    "TRUSTED": {
    "capabilities": [
    "UNTRUSTED": {
    "capabilities": []
    "sites": {
    "trusted": [
    "untrusted": [],
    "custom": {}
    "enforced": true

  107. #107 Forka says:


  108. #108 Exzentrik says:

    ; @Solo #99: I have just "fetch" and "other" active, for Default. This way no scripts are loaded but RSS should still work.

    @io #95:

    Open the NS-Settings-Tab an scroll to the very bottom. Check the debug-Box and copy the following into it, replacing what is already in there. It removes all saved domains.

    "DEFAULT": {
    "capabilities": [
    "TRUSTED": {
    "capabilities": [
    "UNTRUSTED": {
    "capabilities": [
    "sites": {
    "trusted": [],
    "untrusted": [],
    "custom": {}
    "enforced": true

  109. #109 Bazon says:

    and thanks for many good years with NS!!

    The current version is, sorry for that, unusable. I don't unterstand how it works, and very often it didn't work at all! What is meant by DEFAULT - everything is whitelisted??
    I changed to uMatrix.

    Hope the probs are solved in a few weeks, maybe I'm back then. Or I'm getting used to uMatrix and still no longer miss NS. So sad, but I need a good blockingtool - it's more important than loyalty.


  110. #110 io says:

    @Exzentrik, Thanks

  111. #111 IHateIt says:

    Giorgio in my opinion, I think you should give up on NoScript and focus on porting over FlashGot. Unless you pull some miracle I think you're going to slowly but surely lose your userbase to uMatrix. Script blocking in Quantum is already covered, but what we do sorely need is a good Media downloader, as there isn't a single decent one in webextensions right now. I loved your addons and used them for years. I hope you shift your priorities and focus on FlashGot.

  112. #112 Solo says:

    @Exzentrik I tried what you said to make the changes but it does not save the changes. How do you do that?

  113. #113 AC says:

    Does 'Default' mean blocked? I have no clue what anything on the interface means or does.

  114. #114 Mike says:

    Before updating NS everything was fine (no unwanted scripts and other nasties).
    Now I don't understand why i have this settings for DEFAULT :
    "DEFAULT": {
    "capabilities": [
    "TRUSTED": {
    "capabilities": [
    "UNTRUSTED": {
    "capabilities": []

  115. #115 Thank you says:

    I'm really struggling to figure the UI out. Before it was either trusted or untrusted. Now there are categories, each with check boxes. Does a check mark under Untrested mean only that is untrusted? If yes, does that mean all of the "tabs" (I don't know what to call each of Default, Trusted, Untrusted, Custom) are active so that if you check media under untrusted it unchecks it under Default, Trusted, and Custom?

    I'm sure it would be fine if I could just figure it out? Maybe someone who knows what's going on could do a side by side showing how things worked in the old NoScript and how to perform those tasks in the new version?

  116. #116 Exzentrik says:

    @Solo #105:
    You can just click the NoScript Icon, then click the Default button to toggle the permissions.
    No you just have to be careful, that you actually click on the Checkboxes you want to disable (or enable) and not outside of it. I actually miss the boxes quite often which causes them to be hidden again...

  117. #117 IHateIt says:

    @Thank you
    Just switch to uMatrix. In uMatrix, all changes are temporary until you commit them. And there's a global remove all temporary changes button like NoScript used to have.
    If you want to spend time figuring something out, do it with uMatrix. NoScript is a dead addon as far as I'm concerned. It's time to move on.

  118. #118 Solo says:

    @Exzentrik but how do you do that globally for the Default setting?

  119. #119 pehlm says:

    Don't give up on this! The extension is immature now with certain bugs. But will mature in the future. I will say that it's working as it is. You can trust a site, either temporarily or forever by clicking the clock icon on the trusted pane like it was before maybe not as intuitive as it was. I hope though that Giorgio or someone else can make a manual. I cannot , like many others, really understand what 'Default' and 'Custom' are used for. But having 'fetch', 'font' and 'other' ticked in the Default pane seems to work really good, but I do not touch 'Custom' pane. Maybe I've misunderstand all of NS 10.x but I think that NS is working really good considering its early stage. It is a complete rewrite of the earlier version and we can NOT compare each.

  120. #120 Jim Firefox says:

    The DEFAULT settings do seem too loose . Was this a mistake?

    What does OTHER allow?

  121. #121 AC says:

    Firefox 'Ctrl-F' keyboard shortcut for 'find' no longer works on pages, but does work on other pages. I have no idea why.

    This is increasingly frustrating.

  122. #122 unixwizzard says:

    Thank you! Thank you! Thank you! Thank You!

    I no longer feel naked using FF! Heck I even sent in a donation, if I weren't so broke I'd have given more.

    anyway, Giorgio if you are in need of another Alpha/Beta tester, as I'm just recovering from Back surgery, I have plenty of time on my hands, just say the word!

  123. #123 AC says:

    AmazonDOTcom scripts still load and run after having been all marked 'untrusted,' with all check boxes in the submenu unchecked. Am I just not understanding how this is supposed to work, or is it broken, or . . .???

    There needs to be more clarity in the selections, too. 'Default' does not communicate anything. I have no idea what this setting does, or is supposed to do, from the name.

    Untrusted does not appear to mean 'block these fuckers' (as I expected it would) - as scripts continue to load and run, at least sometimes.

    I don't know what all the various check boxes are for, in the submenus. 'Scripts' is fairly clear, but the other things are not.

  124. #124 Rain says:

    Thank you for adding my suggestion to include the clock in the top menu for allowing and revoking temporary permissions. This makes it much easier for some websites that have dozens of links but are generally save to accept.

  125. #125 mason says:

    Thanks for all your work, Giorgio!

    Not sure if Linux prob. or Firefox or NoScript, but the UI looks very wrong. On a macbook i also run it matches your screenshots, but in Linux it's a mess. The button icons for 'default', 'trusted', etc. do not appear, replaced by old-school radio buttons; it's difficult to click on 'temporary allow'; and even when i get the checkbox 'checked' on temp. allow, after the refresh it doesn't work (the 'temp allow' isn't actually going into effect).

    Another request: when you pull together a tutorial, can you please clarify the distinction between "DEFAULT" and "TRUSTED" vs "UNTRUSTED" ? What default means still eludes me for now :)


  126. #126 mason says:

    Sorry, forgot to add: my linux box is running Ubuntu MATE, 16.04, and FF 57, of course.

  127. #127 Jim Firefox says:

    AC says amazon scripts still run. How can you tell? I'm no expert, but seems to be from looking at the console that scripts are being blocked when untrusted, and not blocked when trusted

  128. #128 AC says:

    Re #119 - amazon has script dependent page features that are still working, therefore script still executing.

    Also, on google, FF is refusing to follow search result links. I disabled noscript, and could follow the links. No clue what is going on.

    I'm rolling back to 52.5 ESR - Maybe I'll try again in a few months.

  129. #129 Bo Elam says:

    @#74 Wonderw, on a domain labeled "Default", click it to open the window. Once the window opens, untick every item you see in there. That would make "Default": "block all except whitelist".


  130. #130 Bo Elam says:

    @#84 George, in my opinion, default should be all boxes unticked. You ask, why do we have to configure it manually, by ourselves?

    We also did that in the old version. What you see in the boxes in this version of NoScript, same settings were in Embedding and other places in the old version. There you check marked what you wanted to allow while in this version you have the drop down box.


  131. #131 George Valitsas says:

    @#122, default should be something common for all users, like the "factory" settings or defaults. I do not recall having any input on the default settings in the old nosript! The moment you enabled noscript it was blocking things by default, and then you decided what to permit, temporarily or permanently etc. The new one, at least in my case, was permitting everything by default, despite the default button icon having the "snake" script with the stop sign on it, giving the impression that it was blocking, whereas it was not blocking anything! The default and the trusted buttons were basically the same! Anyway, I did read some other posts and un-tick most of the allow options of the default button, apart from frame, fetch and other. Still, I do not know yet if these "allow" options correspond to the default settings of the old noscript!

  132. #132 Bo Elam says:

    @ George #123. Hi George. Let me ask you, Do you want NoScript to be as strong as it was in version 5? If the answer is yes, try what I suggested (untick every option under Default). Try it for a few hours, visit sites that you regularly visit and are familiar with. Thats how you can test it.

    When I first installed version 10, I did tick a few items under Default but quickly realized that I had done something wrong because I saw stuff running that usually did not run in webpages that I am familiar with. That clicked in my head and I figured something was not right. So, I unticked every box under default and things started to look familiar. Thats the way to go, IMO.

    Anyway, like I told you earlier, this same settings were there in the old version, you just dont remember them because they were not in your face, like now. Greetings. Give it a try, you ll be happy.


  133. #133 George Valitsas says:

    reply#124, Hello, I did this, thanks. The reason I am posting quite a lot about this, is that there are quite a lot of people out there that do not realize that, without manually adjusting, the default is basically allow all! That is why they get confused when they visit sites and all scripts run unblocked! I am not a computer expert or anything, but the in the old noscript the "default" behaviour of the addon was to block! now the icon remains the same , i.e the snake script with the stop sign, but nothing gets blocked, and this is confusing and misleading for a lot of people, who assume that the new version will function in a similar way with the old one!

    I have nothing against the developer, he is to be commented for all the work that he put in this extension for years!

  134. #134 Joseph Pollock says:

    Thanks for all the long term effort you put into these essential add-ons! Really hoping that you will eventually port them (especially Flashgot) to Vivaldi (Chromium-based). Good luck dealing with the randomness from the Firefox team.

  135. #135 czerkies says:

    Hello. First of, thank You very much, Mr. Giorgio. I would like to ask about NoScript settings/options: additional restrictions for sites:

    * Forbid Java
    * Forbid Adobe Flash
    * Forbid Microsoft Silverlight
    * Forbic /
    * Forbid
    * Forbid
    * Forbid @font-face

    * Block every object coming from a site marked as untrusted
    * Forbid WebGL

    And so on. I know, that e.g. WebGL option can be marked etc. But, I'm thinking about NoScript behavior similar to v5. It was really amazing, simple - block by default. What about "Advanced" tab (that's from v5)? And handling of secure cookies and ABE - what about these options?

    Generally, in my opinion, it could be very cool if v10 can looks like v5 is. Simplicity, amazing, advanced options (mentioned above) and... v10 will be super! And an "old" GUI :- )

    Thank You.

  136. #136 czerkies says:

    Geez, sorry. I don't know why some parts of my above post is not visible. Anyway, there was:

    * Forbid AUDIO / VIDEO
    * Forbid IFRAME
    * Forbid FRAME

    Once again, sorry.

  137. #137 rebro says:

    RE: # 20

    In the new version NoScript 10.1.2 the above mentioned problems (Fx 57.0/Win10_x64) have all gone.
    Thank you for your immediate response!

  138. #138 bjm says:

    @122 Regarding "We also did that in the old version. What you see in the boxes in this version of NoScript, same settings were in Embedding and other places in the old version. There you check marked what you wanted to allow while in this version you have the drop down box."

    Um, with NoScript 5. I check marked (add check) in Embeddings to Forbid.

  139. #139 Stevo says:

    So far,the above mentioned issue has gone in 10.1.2 (detail settings of "other","Trusted", etc influencing each other,even when in other tabs - seeabove postings). Thanks for that quick response.

    the decision to show only the top-level domain in the ns menue of the opened site is a regression, imho

    anyway, thank you for the effort on the development!!

  140. #140 crypt0 says:

    Hi, thanks for your hard work :)
    2 Questions:
    1. Is there a way to provide keyboard shortcuts - like e.g. ctrl+shift+S to toggle UI?
    2. IIRC you may planned to create a github (or other codehosting provider) repo. Is this still planned?
    Tracking issues there would be very helpfull and maybe some of use can help you fixing bugs / implementing features...

  141. #141 David says:

    HTOP is suggeting that a thread is opened for EVERY site on your list when you open the settings page.

    If you have a lot of sites in your list: DEAD
    Firefox can't do any video handling anymore.

    Furthermore, it looks like old time thread exhaustion.

    WHAT! This is LINUX. That can't happen!!

  142. #142 Giorgio says:

    Alt+Shift+N opens the UI.
    Github still planned for the next month or so.

    unfortunately I've little or no control of low-level stuff now: WebExtensions, from an API standpoint, are almost identical to HTML pages, completely blind to the OS or even to the inner details of the browser :(

  143. #143 bjm says:

    Sorry, I meant #138 as Reply to #130

    #138 bjm says:
    November 23rd, 2017 at 3:41 pm

    #130 Bo Elam says:
    November 23rd, 2017 at 5:51 am


  144. #144 Jim Firefox says:

    Seeing an ugly bug on my install after the latest update.

    The dropdown is not synchronized with the actual settings.

    So when I set a site to TRUSTED, and then look at it again in the dropdown , is says DEFAULT.

    In the options page, it has been set to trusted.

    Anyone else seeing this issue.

    Not sure if its all sites or only some doing this.

  145. #145 Jim Firefox says:

    I have one site that seems to do this , maybe the number in the name is a factor.. check it out

  146. #146 Jim Firefox says:

    I have one site that seems to do this , maybe the number in the name is a factor.. check it out


  147. #147 Bo Elam says:

    @#138, #143 bjm. Yes, thats what I meant, we check marked to forbid in version 5. Basically, what I was saying in post 130 is that unticking the boxes in Default (Version 10) works about the same as ticking the restrictions in Embedding (version 5).

    I am unticking all boxes in Default, that gives me about the same experience as I had in version 5 with domains labeled Default (domains not in my Untrusted or white list).


  148. #148 thomas says:

    NoScript is not dead and it's hard to see how ungrateful a lot of users are in their comments.

    I used NoScript+RequestPolicy for years. Then I found uMatrix and I loved the switchboard UI. From this moment I use NoScript with "Scripts globally allowed" beside uMatrix. RP is gone. The reason is because NoScript is much more than a scriptblocker. XSS protection, ABE*, ClearClick* are still unique (* announced for NoScript10 for the next weeks).

  149. #149 John says:

    I like the new noscript but it BREAKS DISQUS comments all over the place. Essentially, the NoScpt is enabled discuss "discussion" pages don't load at all. Also, on some sites that use Disqus for commnets normally, the comment links hang and won't load.

    With NS disable, everything works fine again.

    Anyway, not trying to rain on the parade, just suggesting you look act DISQUS interactions.

  150. #150 Doug says:

    So glad to see NoScript working on FF 57 but to be honest I am not loving the new interface. If this was my first exposure to NoScript I would have uninstalled it by now.

    Very un-intuitive. Never clear when I am granting temporary permissions or permanent permissions to a site. I think I am setting temp permissions using the clock, but they show up in settings as permanent even after closing browser?

    I'm with the others who suggested they would love to see the power and simplicity of the old interface: It was intuitive while giving you access to all the features. One thing I REALLY REALLY MISS is I had the old NoScript set to auto-reload current tab only. Having to manually reload pages is a serious pain.

  151. #151 jacky says:

    First of all, thank you so much Giorgio for updating NoScript to be compatible with FF57!

    I'm not a programmer myself so not sure if the suggestions would be feasible, but here are my thoughts.

    1. The default whitelist should be the same as NoScript 5.x (not taking any history/bookmarks into consideration)
    2. In the NoScript options window, adding the base domain should allow both https and http traffic by default (same behavior as NoScript 5.x)
    3. Once the base domain is added in #2 above, one should not have to enable or click the "trusted" button again when visiting the site after for the first time
    4. Add a checkbox / switch for advanced users for each to "match https contents" and "match http content" should they wish to do so, user should be able to select at least one, or both options, and cannot uncheck both.

    IMHO this would make NoSCript a lot more user friendly, thanks again Giorgio, keep up the awesome work!

  152. #152 Felix says:

    Can we please have an option to disable URL truncation:

    I can't tell what I'm about to enable.

  153. #153 John says:

    firefox57 with noscript10.1.2 freez 10 to 20 seconds, everytime when i try to open this page
    and some others (can not go to other tabs or can not open any links at the pages)

    without noscript ? no problem at all
    so could you plz fix the bug ?

  154. #154 AKDave says:

    Thanks for your hard work. The internet would not be the same without noscript.

  155. #155 Harold says:

    Thanks for your work. But for now the interface is more difficult to managed ad generated problem for visualization.

  156. #156 BugsBugsBugs says:

    1-The close button in the popup appears like unknown character
    2-The first click should be temporary trusted then another click on the activated clock icon to make the rule permanent as opissite to the current behavior which alot of ppl will find annoying

    for first issue see pic >>


  157. #157 Very Confused says:

    I have depended very, very heavily on NoScript for many years and am very grateful for it. I did not know that it was made by only one programmer. I am very impressed and grateful to you Giorgio for the many years of NoScript.

    I am having insurmountable problems with the new UI. I see many people saying they easily "got used to" the new UI after a week. But I have a severe (though quite common) disability that makes me _entirely_unable_ to learn new things "from context". I do not have the neurological pathways that recognize or extrapolate contexts. For me the new UI, without words, is not only unintuitive. It is not Accessible, meaning I cannot use it at all. It is equivalent to stairs for a person in a wheelchair. I have tried to experiment with the new UI to learn it, and I remain totally unable to do anything, and still have no idea what the buttons do.

    @Giorgio says:
    No, the old GUI is technically impossible as a WebExtension. But we've got a real chance to make the new UI both powerful (as it is) and simple (as it was). Waiting for concrete suggestions.

    Please, if it is at all possible, please add _words_ in addition to the icons (under each icon?), so that it is possible to read what the icons do. Please add words that relate the new buttons directly to the specific "Block", "Allow", "Temporarily Allow", "Revoke Temporary Permissions", "Https", "Http", and other old-UI options that each icon corresponds to.

    The barrier that makes the new UI totally not Accessible for me, with my disability, is that the old words are gone. The old UI had words which I could read. Words allowed me to understand what the options did, or to guess. I understand that eliminating words may make it easier to cross language barriers, but it created a new barrier for people with my disability.

    When I open the new UI I see no words except "Default". The icons are so unfamiliar to me that I cannot perceive or guess any meaning in them "from context", and several of them are also blurry. I hovored my mouse over them, and opened "Custom", and see some words that appear then, but they are not the same words that the old UI had. Only "Untrusted" and "Options" have a meaning that I can understand. I tried to guess what the others do, but I was not able to. This is what happened when I tried :

    My whitelist is not working right anymore, so websites I used to Permanently Allow (except my email) are now "Default", which I guess is similar to "Block"? because they have stopped working. I tried to guess that "Trusted" might be similar to "Allow", but it apparently is not. When I click on "Trusted", nothing happens. The websites stay on (or revert to?) Default and they still don't work. I saw a suggestion on the NoScript forum to click on the Lock thing, after clicking Trusted. I tried that, but the websites that I tried still stay on Default even after I do that and refresh them.

    I clicked the Options button, and it opened what appears to be my whitelist (although the whitelist no longer works). But I do not see any options other than "Scripts Allowed Globally", and "Sanitize" which I don't understand. I do not see any words, tabs, or menus saying where to find the Options that used to exist in the old UI. On the forum some people say that the "Debug Options Menu" bring the words back to the UI, but I have been unable to find "Debug Options". I see a single checkbox next to the word "Debug" but there are no options or menu next to it. I am afraid to click the box without knowing what it will do.

    When Microsoft Office switched from words to pictograms with no words in 2007, it took me 9 years to learn to use the no-words Word and Excel on even a very rudimentary level, even after taking classes teaching how. I am very afraid to go for 9 years without any addon to block dangerous scripts and ads, and don't think I can use the internet for 9 years with almost every site on Default and not working. I am going to try to go back to FF 56 and Classic NoScript, if I can find out how. But I doubt I can refuse all FF updates from now on (for how long?) and remain safe. I am at a total loss what to do.

  158. #158 Very Confused says:

    I tried clicking the checkbox next to "Debug" and it produced a words-only version of my whitelist. It did not contain any words that I know how to relate to "Block", "Allow", "Temporarily Allow", or "Revoke Temporary Permissions". So I am just as confused and locked out of the UI as before.

  159. #159 StashOfCode says:

    First of all, many many thanx for noScript, which should be a default functionnality in any browser.

    The new UI is disappointing at this time, but here are some suggestions so that we may move forward, so that noScript remains the most useful add-on for Quantum :

    1/ Could the menu contain more detailed informations to control the authorizations ? The script names were displayed in the old UI and it was very useful to allow scripts on a file basis and not on a domain basis

    2/ The options panel should contain an option to make temporary authorization the default type of authorization

    3/ It should also contain an option to remove the domain based authorization proposal from the menu

    Keep on your great work. It must not be easy at this time because I understand that a lot of users are disappointed with the new UI, but I'm sure you will find a way to enhance it !

  160. #160 justin says:

    user interface is retarded

  161. #161 justin says:

    How do I make all my other windows programs use retarded in window options? Everything else I've used since 1990 has dialog. p.s. I don't own a tablet or mobile phone!

  162. #162 Idl says:

    @Very Confused: maybe you already know, but there are tooltips for all icons, if you can hover your pointer over one, a descriptive word should appear.

    @NoScript: this is a vital extension, I’m thankful to see it on Quantum, however for now it breaks a few things for me, the worst being authentication forms (allowing everything doesn’t help, only the global switch does).
    As for the interface I only used the context menu before, hope it will return.

    (PS: thanks for the non-silly captcha)

  163. #163 Very Confused says:

    #144, 155 Jim
    Maybe I was having the same bug you are. I remember one of the websites that was stuck on Default had a number in its url, too.

  164. #164 Very Confused says:


    Yeah, I did find the tooltips, which was what led me to try to "Allow" websites by marking them "Trusted"... but either it did nothing, or else it was the same bug Jim #144 described (changing the status of a website in Options but not in the Dropdown). Or possibly it did something totally different and strange that I didn't see. So I don't trust my capacity to interpret any of those tooltips words, at all.

    For now I'm using FF 56 and NS 5... until next year I guess. (?)

  165. #165 Labadal says:

    As someone else mentioned (#51), with the new version I keep getting XSS warnings on lots of websites.
    For instance, I go to and immediately I get a warning:
    "from to"

    Clicking "block" only means the warning will pop-up immediately as soon as I move to a different page.
    This is annoying. I do not seem to find an option to prevent it.

Bad Behavior has blocked 868 access attempts in the last 7 days.