v 10.1.2
+ Added "Revoke temporary permissions" button
+ Added "Temporarily allow all this page" button
x Simplified popup listing, showing base domains only (full
  origin URLs can still be entered in the Options window to
  further tweak permissions)
x Fixed UI not launching in Incognito mode
x Fixed changing permissions in the CUSTOM preset affecting
  the DEFAULT permissions sometimes
x Fixed UI almost unusable in High Contrast mode
x Fixed live bookmark feeds blocked if "fetch" permissions
  were not given
x Fixed background requests from other WebExtensions being


Oh, and in case you missed it (sorry, how couldn't you, since I didn't manage to write any documentation yet?), Alt+Shift+N is the convenient keyboard shortcut to #NoScript10's permission management popup :)

183 Responses to “NoScript 10.1.2: Temporary allow all and more”

  1. #1 asdf says:

    Clicking on the noscript toolbar button opens "ui/options.html" in a new tab instead of showing that dropdown menu in my browser.

  2. #2 George Valitsas says:

    Can you please clarify what the "default" default configuration is? when you expand the allow options of the default button, which are meant to be allowed (ticked) and which not allowed (un-ticked) by default? The default options should not be-in my opinion-that accessible and amenable, people may change them without even being aware of what they have done! In my case when the new noscript installed, the default option/button had basically the same permissions like the trusted option/button!

  3. #3 Pero says:


    From the changelog: "Fixed background requests from other WebExtensions being blocked"

    Was that even possible ? I thought that was impossible for WebExt to block each other. Which API(s) allow this ? What are limitations ?

    This is interesting because I could install more extensions, knowing either uBlockOrigin or NoScript is able to catch them should I configure them to.

  4. #4 fsd says:

    I have a bug, in that attempting to log into tumblr fails, even with all listed domains allowed, and with temporarily allow all, but succeeds when I enable scripts globally. It seems that it is blocking domains that it isn't listing, even to it's own temporarily allow all function.

  5. #5 Poke says:

    When I go into the Options menu, Firefox will freeze up and I have to force close it through Task Manager. Any reason why that is? All I do is go to it. It hangs before I can do anything.

    Also, is there anyway you could just remove the "default" option? I liked it better when it was black and white. You either block a script all together it or you don't block it at all. It just seems like unnecessary bloat to have the "default" option and the "untrusted" option. I get that you can fine tune your default to fit your needs, but everyone was fine with the previous method and, with no disrespect to you, if you really want to fine tune everything, you'd probably have a better time using Umatrix with its easier to manage UI where you can see every domain without having to click to each one and changing them.

    Some nitpicky stuff would be if you could have the drop down menu show when you hover over the icon and if you could possibly remove the default whitelisted domains and let the user choose what they want to whitelist. I like having a blank slate you could say and I don't like something slipping past me when I never wanted it whitelisted.

  6. #6 Solo says:

    I have to agree with others that the default button or switch makes no sense because it allows everything by default and yet this program is called NO SCRIPT meaning it should be be blocking first by default. That is what the previous one did. You should have just stuck to the previous naming convention.

  7. #7 Giorgio says:

    DEFAULT applies to all the sites you don't have visited yet: by configuring this preset you decide what runs when you land first time on an unkown website.
    Then you can choose in which category each site falls: either TRUSTED (a preset where at least scripts are always allowed), UNTRUSTED (a preset where script are always forbidden) or CUSTOM, not a preset but a per-site configuration you can fine-tune at your will.

    So, (re)setting a site to DEFAULT is exactly the same as removing it from your \known sites\ list (which is both a whitelist of TRUSTED and CUSTOM sites, and a blacklist of UNTRUSTED sites).

  8. #8 Poke says:

    That makes sense and all, but why is it an option? Pre-webextention, Noscript blocked EVERYTHING. We knew what the default was. The default was having nothing to do with a script unless we trusted it or blacklisted it. If the user of Noscript is supposed to chose whether to trust or blacklist a script, what is the point of even showing a "default" option? We wouldn't want to go back to the default option anyways once we've chosen. Personally, I think you should bring back the default behavior of the previous Noscript that just runs passively in the background like it used to (if you haven't already) and remove the "default" button. That way it looks cleaner and the "default" option won't confuse a new user with the "untrusted" option.
    I know I'm just throwing ideas at you, but is there any way you could also separate the "untrusted" domains from the trusted domains from the "undecided domains"? With the pervious version, it was easier to see which was what, but now, if you're on a site that's trying to connect with a ton of different domains, it's hard to tell what's been whitelisted and which haven't and which you need to alter to make the site work.
    I love Noscript and I'll stick with it throughout this transition, but it just feels like it's "unfinished" if you get me.

  9. #9 Kwarizmi says:

    With this latest release, I am really liking version 10. In fact, I like it more than the pre WebExtension version. Excellent job Giorgio!

  10. #10 Tomate says:

    * HTTP domains now save the setting with "Match HTTPS filter" by default, unless I click on the green lock before closing; so lock/text should be red in the first place
    example: http://www.zeit.de/index

    * UI: still think "temp. allow" should have its own button or be the first click state not the second
    when using "temp allow" the frequency of click actions is generally much higher than when TRUSTing a domain once;
    therefore the button shouldn't be hidden

    @Poke: Options are working fine here.

  11. #11 Tomate says:

    * HTTP domains now save the setting with "Match HTTPS filter" by default, unless I click on the green lock before closing; so lock/text should be red in the first place
    example: http://www.zeit.de/index

    * UI: still think "temp. allow" should have its own button or be the first click state not the second
    when using "temp allow" the frequency of click actions is generally much higher than when TRUSTing a domain once,
    therefore the button shouldn't be hidden

    @Poke: Options are working fine here.

  12. #12 George Valitsas says:

    respond to #7:

    Giorgio, in the old noscript, when you visited an unknown website, things were blocked by default, i.e. if there was something malicious in the site it was stopped.Then it was up to you to decide what is safe to allow or not. Now, the way the new noscript was downloaded in my computer, the default and trusted options/buttons had the same permissions/boxes ticked in their drop down menus! So, by default, you permit everything, which totally the opposite in comparison to the old noscript!

    People are confused by the icon of the the default button-which indicates that things are blocked- and go to the net completely unprotected, with websites permitted to run everything! A lot of posts in your forum and your blog talk about scripts not being blocked at all in the default option. After reading some posts I unchecked most allow options in the default button, apart from frame, fetch and other. Does this configuration correspond to default configuration of the old noscript? And it does not, what is the right corresponding configuration for the new noscript?

  13. #13 Pop says:

    Thanks for the additional options and explanations. I'm sure the upcoming manual will cover what all the checkboxes under the buttons mean.

    Regarding DEFAULT: if it applies to all sites, maybe it could be a single button that doesn't need to be listed in a column multiple times

  14. #14 George Valitsas says:

    Reply to #7 again: Also, maybe the default configuration should not be that accessible and amenable in the noscript interface! It would be a better idea for the default to be a "factory" preset and tinkering with it should be an advanced option, hidden away! That way people will not mess up the default configuration by mistake!

  15. #15 fan of noscript says:

    thanks for the update Girogio. I echo the sentiment of the above comments, the default setting is unnecessary / confusing. The old noscript blocked everything by default, and thats the way it should be.

    Also is there any way to remove sites from the whitelist? I havent figured out how.

  16. #16 me says:


    Dude, you need to explain how this new version works. Tutorial, video, screen shots, whatever. C'mon.

  17. #17 Poke says:

    @Tomate So I just created a new profile on Firefox and just downloaded Noscript and I can verify that on a clean install it's fine. After playing around with it more, I realized that when I go the options menu, it hangs for a minute and then acts properly. I do have a lot of rules for different domains so that could be the reason though.

    @Pop I like this idea. @Giorgio Could you put the default button in the options menu and remove the button from the dropdown? It'd be cleaner and I agree with Pop that we don't need the "default" button for every domain since changing one default option changes all the other defaults.

    And after thinking on it, I now see the use of giving control of what the user wants as their defaults (hence why moving the button to the options menu might be good), so removing the default button, as I originally wanted wanted might be bad (my mistake). I do think though, that the defaults are too lenient when you first install it with a ton of things passing through it (I didn't even think it was working when I first tried it compared to the old version that blocked a lot) and I think it'd be good if you set the defaults as they were in the old Noscript. I think the stricter approach as it was in the old Noscript should be kept the same.

  18. #18 Bio says:

    I'll just keep asking mostly because I keep not getting a response, but are we gonna be able to import our whitelists soon? I know you made it take the old whitelist for people who did a standard upgrade, but for anytime like me who had exported and uninstalled everything that didn't work out. Can't even paste them manually in the options. :(

    Anyway I don't want to sound ungrateful, I really do appreciate your work but If really like to know if importing my thousands long whitelist is going to be an option.

  19. #19 Pop says:


    Not sure if this works, but until there's an import option, can try this:

    Go to options
    Click debug checkbox
    Copy paste your list under "sites" , in between the "trusted" brackets [ ]
    Uncheck debug

  20. #20 Pop says:


    Good idea of moving it to options menu

  21. #21 Talji Mera says:

    My two cents worth: I agree with some of the commenters here that the default button should not be there. Firstly, we do not want the default setting to be changed by users, otherwise it will no longer be the default. When user change the default option it is no longer the original "factory setting" it is intended to be. Secondly, if you change the default setting, then it becomes a custom setting. So since there is already an option for custom setting, the default setting is rather redundant.

    But I do agree that there should be some way for users to go back to the way it was originally, the so called "factory setting", before anything was changed. Maybe just call this button "reset". But pressing this button should not allow user to change the default setting in anyway. It should simply bring the setting back to the "factory setting."

  22. #22 Bo Elam says:

    @George #13. Hi George, domains labeled Default are domains that you havent included in your White list or Untrusted list. This are domains that appear in the Menu when you visit sites at random, they have to be displayed in the Menu, because sometimes you might need to temporarily trust them for a web page to work properly and sometimes you might want to include them in your white list or black list. They can not be hidden, they have to be accessible.

    The domains with the default label are the same that used to have the Allow or Temporarily allow label next to their name in the old UI. Its all the same really, things just look a little different in this version.

    You asked a few times what Default should have checked in the drop down window. What I am doing is unchecking every box for Default. That ends up working pretty much how that was for me in the old version. Almost identical.

    @Giorgio. Thanks. To me, you and Tzuk (original developer of Sandboxie) are the best ever developers in the whole world. Thanks a lot for NoScript. I am liking the new version. 10.1.2 brought back important settings, keep up the good work.


  23. #23 Paul says:

    Thanks so much for the rapid updates. I notice that unblocking scripts in incognito mode is not working (page also doesn't automatically refresh after making changes), even though the UI appears now.

  24. #24 Paul says:

    Please ignore previous comment, after more testing I noticed it was an HTTPS issue on my test sites. "unlocking" the padlock solved the issues.

  25. #25 poke says:

    @Talji Mera I do want to clear up a misconception that you have. When you change the default option, it does not change it to the "custom setting" so it isn't redundant in that sense. Here's an example:
    Let's say I've just installed Firefox and Noscript and I go to Gmail. Because I've never been there, obviously it defaults to the default setting where a few things are allowed and a few are blocked (frame, fetch, and other are allowed by default). Now let's say I hate that default, so I change it so script and object are now OK to run as well. Now if I go to a new site, "frame, fetch, other, script, and object" will be allowed to run. Noscript does not default to the custom setting which is why it is not redundant because it only looks for what you set as the default if that makes sense. After you connect to a domain, THEN can you change it to your custom setting, but before then, it looks at your default. Basically, all I'm saying is the default is based off of which checkboxes are checked. No matter what, the default is the default. It's the first thing that Noscript will look at when you connect to a new domain. In my eyes, the "original factory setting" as you put it is more of a suggestion by Giorgio and you can shape it into what you want and it's still the default. It'd just be more like a "custom default setting", but it wouldn't be a custom setting.
    This is why I suggested the default option be moved to the options menu. So that it's not completely gone in case you want to fine tune your defaults, but not in our faces as well for the people who have their defaults as they like it.

  26. #26 poke says:

    @Talji Mera I'm not sure I like my explanation, so let me reword it.
    If you look at comment #21, @Bo Elam states that they have unchecked every box for their Default. All that means is that when they go to a new domain, no script (not "Noscript" as the extention, but literally no script) will run for that domain. This is what I meant in my previous comment by a "custom default setting". It's still the default, and the one that Noscript defaults to, but you've changed it.
    Afterwards, you can change it to a custom setting if you want.

    Noscript will never default to you custom setting which is why it isn't redundant.

  27. #27 hans says:

    Thank you SO MUCH for the speedy RSS fix.
    Just couldn´t get some RSS to work and gave up on the rest, waiting hopefully for your fix.

    So we can five you money without the goddamn man in the middle.

  28. #28 Talji Mera says:

    Poke, thanks for clearing that up. Based on this understanding, I agree with you that the option to change the default setting should be moved to the options menu; since it applies to all sites it is confusing to display it in the drop down menu for each site. It gives the impression that each site can have its own default setting (which explains why I thought it then become just like a custome setting). But a reset button for each site would be nice in case one makes a mistake and wish to "unlist" the site. Thanks again.

  29. #29 Preston Maness says:

    Howdy! I just updated to Firefox 57 after noticing this 10.1.2 release that appears to have fixed a handful of UI-related issues and other immediate problems. Noscript is one of those add-ons (along with tree style tabs) that I simply wasn't going to live without.

    Overall, I'm content (for now) with the baseline features that appear to be in the webext version. My whitelist was imported, which was a nice transition feature!

    For me at least, the default behaviour is to block scripts (as expected), and I can either permanently or temporarily allow scripts (along with a number of other elements), and I can mark scripts as explicitly untrusted too. Tooltips are, for the most part, helpful, though it looks like the tooltip for the green and red lock boxes is the same. Presumably, the red lock box shouldn't read "match HTTPS content only".

    The only major feature that I might consider missing is the more fine-grained host blocking (i.e., http://google.com is different from http://www.google.com, which is different from https://www.google.com, etc). Sometimes it seems subdomains are included as separate hosts to trust/distrust, and sometimes not. Cloudfront is the main concern here, which seems to expose the subdomains as desired, but having more fine-grained host blocking is nice. Obviously not a default, as it can blow up the menu, but as an option would be nice.

    Also, I can confirm that viewing the options page causes firefox to effectively be unusable. No other tabs will render, and I have to "File > Quit" and reload firefox entirely. Looking at the console (64-bit GNU/Linux), I see lots of lines like this:

    [Parent 27236, Main Thread] WARNING: file /builds/worker/workspace/build/src/ipc/chromium/src/base/shared_memory_posix.cc, line 216
    [GFX1-]: Failed 2 buffer db=0 dw=0 for 48, 50, 1289, 2178

    Whether this is a noscript issue or firefox issue that the noscript option page exposes, I don't know. The options page also tends to be a bit sluggish, which might be a result of my lengthy whitelist.

    Finally, I also recommend prioritizing getting the project into github or gitlab.

  30. #30 Richard says:

    I noticed that corporate subdomains still don't work (acme.corp with green padlock does not match https://portal.acme.corp), see also https://hackademix.net/2017/11/21/top-immediate-priorities-for-noscript-quantum/#comment-38686.
    I assume something is amiss with the matching algorithm.

  31. #31 poke says:

    @Talji Mera No problem. This new version has quite the learning curve so I get why it's confusing. It's a lot of playing to actually figure everything out. I hope I'm not wrong though. I'd hate to mislead anyone who read my interpretation of the "default" behavior.
    A "test" you can do is on this site actually.
    Just go to Noscript and there are two domains:
    If you change the default settings of one, the other's defaults SHOULD, in theory, mirror whatever change you made. On my machine, it does and if I go to another random site, the defaults stick which is why I think a default for one is a default for every.

  32. #32 hakts says:

    Thanx for the good work!
    It's almost more fun to handle this new UI now than it was with the old UI.
    Some little bugs (?) are still there though. The following relates to the pop-up, not tested with the options page.

    If you open the "Trusted Temporarily" checkbox row and after that open the "Custom" checkbox row, "Custom" shows the same boxes checked as for "Trusted Temporarily". If you select "Untrusted" after that and change back to "Custom", "webgl" and "other" will be checked in "Custom" even if all boxes in "Untrusted" were unchecked. If you change back to "Trusted Temporarily", "Custom" will have the same boxes checked as in "Trusted Temporarily" again.
    So it seems that "Custom" checkbox settings always change to the checkbox settings of the mode previously selected, with the exception regarding "Untrusted", which always changes "Custom" checkboxes the the previously mode set plus "webgl" and "other" checked no matter what. Shouldn't the "Custom" mode checkbox settings act completely independent of the other modes checkbox settings?

    Changing from one mode to another and leaving the pop-up doesn't reload new mode for the site, you have to manually reload in the pop-up. Sometimes the newly selected mode doesn't even show in the pop-up after opening it again, but shows as set on the options page.

  33. #33 Jose says:

    I detected two bugs running Quantum under macOS 10.12.6:

    1) NoScript 10 blocks some pages in load progress (did not happened on previous versions). If the addon is disabled page loads as normal, example: www.xataka.com

    2) If I change NoScript button to "More tools" section, the UI doesn't fit inside popup width. Demo: http://bit.ly/2AqDxHb

  34. #34 Wonderw says:

    Thank You for explaining the DEFAULT-Button. I guess I got your point now.

    I just wish it would have a different icon or better the icon would change accordingly to the default options.
    So showing the stroked snake by allowing all is extremely confusing. In this case it should be the old white-blue-S icon with the red "!". By allowing some parts it should be the old white-blue-S icon with the little strike-sign on the right side. And only if all is forbidden it should be the major S-stroked icon, please.

    In this case if all DEFAULT-buttons changing accordingly at once it would be more obvious it's changing this behavior globally even it's listed in the context of one URL.
    Thank You so much in any way!

    Anyway I wondering why the heavy loaded javascript site which shows a message I have to activate JavaScript with the old Version does show me all it's content with the new Version even with marking all URLs as Default and having all marks in the Default-section away.

  35. #35 Momo says:

    Hi Giorgio,
    Can you please check why, unlike with previous versions under pre-Firefox v56, default settings of NoScript v10 block even content (not just scripts) of a page like P2P site 1337x.to ?

    URL: https://1337x.to/

    The main reason why I use NoScript is that, as its name says, it blocks all scripts, nothing more. Quick settings from the toolbar are also great.

    Thanks for this great add-on. Keep up the good work.

  36. #36 Bugreport says:

    Thanks for the update.

    But I have two bug reports:
    the preferences page only loads outside of private mode, in private more I'm only getting a blank page
    after opening the preference page, Firfox stops rendering all pages (I get only large black areas). After a restart the rendering works again until I open the preferences again.

  37. #37 Richard says:

    Still flooding the console with NoScript debug messages. :(

    11:01:55.984 [NoScript] Loading NoScript in document https://hackademix.net/2017/11/23/noscript-1012-temporary-allow-all-and-more/, scripting=true, content type text/html
    11:01:56.009 [NoScript] Received message
    Object { type: "seen", request: {…}, allowed: true, policyType: "script", ownFrame: true }
    11:01:56.139 [NoScript] Received message
    Object { type: "seen", request: {…}, allowed: true, policyType: "script", ownFrame: true }
    TypeError: document.getElementById(...) is null
    [Learn More]
    11:01:56.206 [NoScript] Received message
    Object { type: "seen", request: {…}, allowed: true, policyType: "script", ownFrame: true }
    11:01:56.454 [NoScript] Received message
    Object { type: "seen", request: {…}, allowed: true, policyType: "script", ownFrame: true }

  38. #38 Richard says:

    Still flooding the console with NoScript debug messages. :(

  39. #39 John Patterson says:

    Thanks very much for your hard work on noscript, especially getting this new version out to us so promptly. I really appreciate it.

    I know others are clearly having problems with it but I like the new UI, and found it took less than 10 mins to figure out how most of it worked. I'm sure it will improve over time but I think it's a really promising base to build on.

    One thing I haven't got to grips with yet is how permissions cascade from a base domain. E.g. I have cloudfront.net trusted, but I'm finding I need to separately allow subdomains of cloudfront.net on individual sites. Is that how it's intended to work?

    Lastly, with this update, you only show base domains - would you consider displaying the full site as a hover over the base domain?

  40. #40 Talji Mera says:

    Poke, I tried out the "test" you suggested. When I changed the default of one site, the changes is reflected in the default of other sites as well. So it seems the default setting is "universal" to all sites.

    On another matter: You mentioned above that the default settings just after new install are too lenient. I am just trying to learn something here. How would you set the default settings?

  41. #41 Solo says:

    Why don't you just do what the previous version of No Script did. Any sites that you have never visited before block everything that way you can choose what to run or not. Also, if a pop up screen appears nothing in that pop up will run since it is new too. I assume that in this version of NS a pop up website will run whatever content is there?

  42. #42 Sorenzo says:

    Now you're talking. Great work Giorgio!
    There is off course a learning curve, but after reading some of the other comments, it's starting to make sense to me - even the much talked about "default" button.

    I reckon that in a few weeks time, more and more users will come to love the new UI.

    I second the wish for another "noscript" allow temporarily button to put in the toolbar.

    Btw the "close" icon is still broken, I can see from the screen shots that it's not the case on other versions.
    The broken image for "close" is in the top left corner of the UI. (If you were in doubt)
    It may be a locale problem, because I've got a desktop running Linux mint 17.3, and a laptop running windows 7 - both Danish language, that includes the language of the installed Firefox 57 on both machines.
    This is also the case on my fathers win 10 laptop, which also runs on Danish.

    But it's working. Thank you very much Giorgio. :-)

  43. #43 czerkies says:

    Hello. First of, thank You very much, Mr. Giorgio. I would like to ask about NoScript settings/options: additional restrictions for sites:

    * Forbid Java
    * Forbid Adobe Flash
    * Forbid Microsoft Silverlight
    * Forbid AUDIO / VIDEO
    * Forbid IFRAME
    * Forbid FRAME
    * Forbid @font-face

    * Block every object coming from a site marked as untrusted
    * Forbid WebGL

    And so on. I know, that e.g. WebGL option can be marked etc. But, I'm thinking about NoScript behavior similar to v5. It was really amazing, simple - block by default. What about "Advanced" tab (that's from v5)? And handling of secure cookies and ABE - what about these options?

    Generally, in my opinion, it could be very cool if v10 can looks like v5 is. Simplicity, amazing, advanced options (mentioned above) and... v10 will be super! And an "old" GUI, please! :- )

    Thank You.

  44. #44 Adam says:

    1. I don't see any import/export whitelist anywhere. Should it be on Options-window?

    2. On Options-window there is a box addressed "Address of Web Site", with a "+" and there happens nothing, only always shows noscript.net. What is its purpose?

    3. Just now this 1.2-version works only with "All scripts allowed". If not allowed, it seems to block all scripts no matter what I do in that pop-down menu (mark all trusted or temporary trusted or what ever). This is a bit better than on version 1.1 witch did not work even All scripts allowed! May be next time?

    4. As some other writers have said I also hope that there were more buttons to add to the Firefox toolbar.
    I only needed a "Temporary allow" button. (Like I had before.)

  45. #45 Adam says:

    3. Just now this 1.2-version works only with "All scripts allowed". If not allowed, it seems to block all scripts no matter what I do in that pop-down menu (mark all trusted or temporary trusted or what ever). This is a bit better than on version 1.1 witch did not work even All scripts allowed! May be next time?

    By "All scripts allowed" i mean that in Options-window I must check the box
    "Scripts Globally allowed" to make Firefox work.

  46. #46 VIPStephan says:

    The new NoScript appears to be blocking more than it should (and more than the old one). I can’t log in to Gmail or use ReCAPTCHA (the version where you select fields with cars, traffic signs, etc.) anymore. Turning off NoScript makes it work again, so that’s a sign that NoScript is the culprit. And on another site (namely http://www.tagesschau.de/) the whole layout breaks, while, if I just disable all JS (using the developer console) it just does that, disable JS, without screwing up the layout.

    Also, I added a domain via the input in the NoScript options but I don’t see any way to remove domains.

  47. #47 Ziks says:

    The "Custom" setting is bugged or I don't understand it:
    if I set some particular rule a website using the custom label, then ALL other websites on TRUST label get the same rules.

  48. #48 Znrl says:

    I just did some suggestions for the UI:

    Maybe some who might only read here can add some feedback as well.

  49. #49 Wrecked on the Tundra says:

    I can't seem to block certain ... I am not sure just what I should call them -- but they are listed as "...sharethrough (etc)" and "...adtoany (again etc)". I have googled them and see they are ads and probably more, but no matter how many times I "untrust" them they keep coming back.

    I have noticed there are a lot of ad thingies that keep coming back, like your wife's mother, even after they have been brutally clubbed like a baby harp seal. I could start compiling a list of these resurrecting nasties but I have the feeling it could take several lifetimes. The advertisers have whole buildings full of worker-drones pumping out this rubbish... I am but one sorry peon huddled under my pile of logs, doing my best not to get crushed by the big money making, people eating machine called the "modern" economy.

    I sure pine for the old days, when the worst I might expect is a virus -- or some idiotic malware that could be dealt with. Now it's the "good guy" marketers who are trying to own me and my great, great, great grandchildren.

    but I digress, again...

  50. #50 IHateIt says:

    NoScript is crap now. Port over FlashGot instead.

  51. #51 the_blaggy$ says:

    For me, a red question mark is displayed in the noscript window instead of the red x. What should I do?

  52. #52 Michal says:

    x Simplified popup listing, showing base domains only (full
    origin URLs can still be entered in the Options window to
    further tweak permissions)

    Yes, we can still add full origin URL from options... but now that only base domain is displayed, there is no easy way to learn the full URL. I would highly appreciate if the full address was displayed, or if there was some other way to extract it from NoScript.

  53. #53 SameAsPoke says:

    Regarding #5 Poke: "When I go into the Options menu, Firefox will freeze up and I have to force close it through Task Manager. Any reason why that is? All I do is go to it. It hangs before I can do anything."

    It actually comes back to life for me after 20-30 seconds or so. But then the tab, which was active when I entered NoScript options, freezes, starts to flicker with some blackb boxes here and there and then it crashes and FF shows a crash report.

    Just in case it is relevant: I am on Linux.

  54. #54 bam says:

    So when will the shift & click feature be available to users again?

  55. #55 Langenscheiss says:

    It's still blocking webrequests from content scripts of other webextensions. As I have said in other comments, this is currently the only way to deal with the same origin policy on firefox. Web requests from other webextensions, whether from the background or from content scripts, should be allowed!

    If someone is installing a malicious webextension, it's not NoScript's job to prevent harm.

  56. #56 Giorgio says:

    I believed I unblocked XHR from other WebExtensions with this code in 10.1.2:

      if (("fetch" === policyType || "frame" === policyType) &&
                  (url === originUrl && originUrl === documentUrl ||
                ) {
                  // livemark request or similar browser-internal, always allow;
                  return null;

    Have you got any contrived test case for me to check?

  57. #57 poke says:

    @ Talji Mera I feel it's too lenient because it doesn't feel like I'm blocking anything. With the old Noscript, it felt as though every site I went to was "broken" which I like because I knew that it was working and that nothing was running that I didn't want running.
    If you can, you should test out the old Noscript. I think you'll see there's a difference. It may be a little extreme for some people (although this was [I assume] the default behavior of the old Noscript), but I personally would like everything unchecked in the defaults. I know we can do that manually, but for all the people migrating, it makes the change seemless other than the UI changes.

    @SameAsPoke I wonder if it only affects Linux then? I wonder if Windows or Mac users have this problem. Do you have a good number of rules set for different domains (I mean like have you white listed and blacklisted a bunch of sites). That's the only reason I can think of for the freezing. If you just install Firefox and Noscript in a new profile, it don't even freeze or lag.

  58. #58 scriptfox says:

    Thanks for all the hard work, Giorgio, it's much appreciated!

    Regarding the fake-domain CSP reports, any reason why it couldn't be / / localhost instead of noscript.net? In the event of some bug or other unexpected scenario preventing NoScript from intercepting the request, no network connections would leave the user's computer, not even DNS queries.

    Since you called for crazy ideas, here's my suggestion for future handling of ABE in the new UI: create a uMatrix-style interface.

    The top row's request types (uMatrix's cookie, css, image, etc) are replaced by NoScript's permissions (script, fetch, media, iframe, etc) and the left column is kept the same, a list of the connected domains including the special type 1st party. That way users can easily create rules of the "allow google on self and youtube, deny elsewhere" sort without having to type them out and risk syntax mistakes. It would make ABE much more accessible to less experienced users (like me).

    For a much simpler to implement request, I support the above suggestions of making the default permissions modifiable only behind a special options dialogue (with a conveniently placed reset button). Only site-specific custom permissions should be editable from the pop-up menu.

  59. #59 NoScriptian says:


    Thanks for all the hard work you put into this great gem!

    Q couple of questions/ annotaions from my experience so far:

    Since v 10.1.2, Ns is no longer refreshing automatically for me when I get back to my site after using the web-extension. I need to do it manually either inside the WE or browser.

    Regarding usability: Would it be doable to show the clock symbol next to Trusted right from the get-go? It would make it a lot easier to set a website's script to Temporary, like in the old UI where this was just one click away.

    By the way, would it be also feasible to highlight the top-level/ main domain in bold characters and sub-domains/ scripts in normal font (likw in the old UI) to make it easier to differentiate more easily between them?

    I just checked the old 5.x version regarding the "Untrusted" option. There, it really blocks all and everything once this has been set. In the new version, however, nothing really seems to be affected by this. When I first use Trusted and then change to Untrusted and reload the website, everything is still loaded as if it was still in Trusted mode.

    Keep up the fantastic work you do and all the best to you!

  60. #60 Solo says:

    I am confused. If I change the settings for Default it keeps it even for my trusted sites and automatically they become Default. Is that a bug? How do I keep my trusted sites trusted and Default only on new sites?

  61. #61 NoScriptian says:

    Have you checked whether this appears only on websites that don't have https versions of it? If these are http only, you need to toggle the green-lit padlock to red and it should work.

  62. #62 Bo Elam says:

    @#44 VIPSTEPHAN. To remove (Trusted and Untrusted) domains, Click the Default icon in Options or in the Drop down menu.


  63. #63 Markus44 says:

    Thank you very much for your hard work, with version 10.1.2 NoScript has really become usable again, great!

    2 questions:

    1. Are XSS protection, ClearClick and ABE still functional in version 10? I see "Clear XSS whitelist" and the possibility to check the box "Sanitize cross-site suspicious requests", so I assume XSS protection is still functional. What about the other two?

    2. Similar to user NoScriptian above (#57), I think it would be a good idea to have the clock symbol _active_ directly after clicking the TRUSTED button. Judging from my own practice, I guess most people use the _temporary_ trust more often than the permanent trust, so a reversion of the present order would be great, because it would mean one click less for the usual case of only temporary trust. With the second click, the active clock could be deactivated for those cases where permanent trust is given.

    It has become a pleasure again for me to use NoScript, so thanks again for your incredible work!

  64. #64 detzt says:

    It seems the 10.1.2 version introduced a bug when allowing non https sites (at least for me).

    On a http site, e.g., http://www.imdb.com/, when I set ...imdb.com to trusted, it wont save the change. The only way I got it to work was clicking trusted and then toggling the http(s) lock icon until it turned red and then it saved the setting.
    In order to mark it as untrusted, its even neccessary to mark it first as trusted, then change the lock and then set it to untrusted...

    I guess the http state is not detected and set properly in the first place automatically?

    And I would really appreciate to order the scripts by state of trust instead of alphabetically ;)

  65. #65 detzt says:

    Not sure whether my original comment was lost somewhere or if this will be a doulbe post...

    It seems the 10.1.2 version introduced a bug when allowing non https sites (at least for me).

    On a http site, e.g., http://www.imdb.com/, when I set ...imdb.com to trusted, it wont save the change. The only way I got it to work was clicking trusted and then toggling the http(s) lock icon until it turned red and then it saved the setting.
    In order to mark it as untrusted, its even neccessary to mark it first as trusted, then change the lock and then set it to untrusted...

    I guess the http state is not detected and set properly in the first place automatically?

    Also, I would really appreciate it to order the list of domains by state of trust instead of alphabetically ;)

  66. #66 detzt says:

    I'm not sure whether my original comment was lost somewhere or if this will be a doulbe post...

    It seems the 10.1.2 version introduced a bug when allowing non https sites (at least for me).

    On a http site, e.g., http://www.imdb.com/, when I set ...imdb.com to trusted, it wont save the change. The only way I got it to work was clicking trusted and then toggling the http(s) lock icon until it turned red and then it saved the setting.
    In order to mark it as untrusted, its even neccessary to mark it first as trusted, then change the lock and then set it to untrusted...

    I guess the http state is not detected and set properly in the first place automatically?

    Also, I would really appreciate it to order the list of domains by state of trust instead of alphabetically ;)

  67. #67 Toodeloo says:

    Guys, I don't see why we're bellyaching over the Default. Seriously. Just set the Default on whatever preference you personally like - allow nothing, allow some things or allow all, it's up to you. For each site to have a different setting; well that's what the whitelist is for, n'est ce pas? You configure each site as you wish and each time you visit it - voilà! you have your custom settings as a departure point. Problems with Google? Well damned right! -NS's doing its job in Default then - just add Google to your list and customise the settings. If the Default-customisation function were to be taken away from the dropdown menu, there'd have to be a permanent Default customisation choice in Options?

    I fricking love the default being customisable. And I've unticked every motherloving box as a universal rule. Thanks Giorgio for getting 10.01.02. out there so damned quick with such an improvement. All things considered, you're a programming champ with the patience of a saint. Things are looking more clear now as to what's what.

    ISSUES: [with FF Quantum + Windows]
    The Options window is still blank when you're in Private mode on FF?

    People are right, the settings options for Custom sometimes bug out and affect others to the same settings. Not always, but it randomly happens.

    Most times NS automatically refreshes after changes are made in the drop-down, sometimes you need to hit the green refresh button for changes to take effect. But I've noticed it's mostly a matter of time; Quantum seems to take its sweet time adjusting and changes don't always refresh quickly. This issue aggregates when you've got many tabs open and the issues #57 mentions occur. The settings or changes being made in each separate tab and web site seem to get jumbled and changes either "sort of" take effect, or don't seem to take effect at all.

    Is the new NS supposed to work independently tab/tab? I.e. settings in one tab shouldn't affect settings on another? Because right now, they do. On the Plus side: the other tabs won't automatically refresh, so you won't lose anything. It's just that their settings will change as well when you're mucking about with Temporary permissions and revoking them.

    Quite a few people mention Tumblr? Get a fresh Quantum (if you're on FF) download + fresh NS installation and it should work just fine? However, I just tried it and a lot of XSS popups appear (depending on the blog and theme) - on some blogs it seems to send a request for every single image running on the blog, as soon as you just enter the blog. Whoa! (In Temp allow mode.) O_o

    Whitelist migration - works for some, not for others? In the meantime, try copying in your list in Options > check the Debug box > paste your list in Sites (if I remember correctly) > uncheck the Debug box

    Yes, the "Close" sign in the drop-down menu is broken. The image is broken but the red whatever-box is still clickable and closes the drop-down.

    The whole thing having to first Trust an individual URL and then be able to clock it as Temporarily allow feels a bit... yah? We get a bit paranoid about that when it's most likely a function that's there to save icon-clutter and space. It's a 2in1. If the cosmetics can be figured out, it would be nice to separate those two though.

  68. #68 Toodeloo says:

    My bad. Options window works in Private browsing mode in FF now. Nevermind.

  69. #69 Markus44 says:

    Well, just got my first XSS popup, so, thanks, that answers a part of my above (#61) questions. :)

  70. #70 HigherPower says:

    @ Toodeloo

    Here is a fix for the broken close sign:


  71. #71 scriptfox says:

    #63 Toodeloo
    > If the Default-customisation function were to be taken away from the dropdown menu, there'd have to be a permanent Default customisation choice in Options?

    Exactly, Default should be hidden in Options, right now some users who don't understand the UI are using the Default button in the dropdown menu as if it were one of the other buttons, to change permissions for a specific domain unaware they're actually changing the default for all unknown domains.

    Removing the option to change defaults in the dropdown would make the true purpose of the Default icon clearer: to act as a "forget this domain" toggle.

  72. #72 T says:

    I've another bug report: adding the "temporarily allow all this page" button seems to have broken the ability to allow individual scripts (temporarily or otherwise). I can allow all scripts on the page, and that works fine, but when I try to change an individual script from default to trusted, and refresh the page, it is back on default again. I cannot enable individual scripts (and cannot type them in on the preferences page, either - the "+" button is greyed out)

  73. #73 Bio says:

    Weird... is anyone else just having it not let you whitelist HBO Go?

    Every other site I can just click on noscript and set it to trusted, but when I do that on hbogo.com it just doesn't take, and if I click it again it's automatically set back to untrusted. And then, if I go and look inside the options, it shows it as set to trusted. Really weird.

  74. #74 HigherPower says:

    To fix the broken "Cancellation X" emoji install the "Symbola" font. I believe it's windows 7 users that is getting mostly the broken little image on the noscript interface.

    Visit the noscript forum for the font download or search for it on google.

  75. #75 Markus44 says:

    @HigherPower (#69)
    Thank you for your hint, I still have to make up my mind whether to install that font (huge font file of 2.3 MB). But good to know the reason, and clicking the "broken" image doesn't really hurt. Besides, just clicking _outside_ the NS GUI also does the job, it seems.

  76. #76 HigherPower says:

    The Symbola font also covers many other symbols/emojis that show up as missing on various sites/things etc

  77. #77 T says:

    @Bio #68
    Yes, me too! This is actually what I'd just described in #67 above you, but I think you described it better. (I also didn't realize it was showing up in the whitelist (which might explain why I couldn't manually add it in options?))

    If it's relevant, the site I'm fighting with at the very moment is Library and Archives Canada... But there have been a few others I couldn't get to work properly, either.

  78. #78 Markus44 says:

    @T, @Bio
    > but when I try to change an individual script from default to trusted, and refresh the page, it is back on default again.

    AFAICS, this always happens when you want to save that setting with a green padlock although that site doesn't offer https.

    Both hbogo and bac-lac don't serve their contents via https. If you click on "TRUSTED", there will automatically appear a green padlock. But since these two sites don't offer any contents via https, it wouldn't make any sense for NS to save that green setting.

    So you just have to click on the green padlock and it will change to a red padlock so you can save that http setting. It may be a little bug that the sites first appear (as intended by you) with a green padlock _on the options page_ although you cannot save that setting on the popup GUI, but after changing the padlock to red it is also corrected on the options page.

    So in my understanding what you are criticising is correct behavior by NS.

  79. #79 Bo Elam says:

    @Giorgio, as #62 detzt, I found a few sites that to be set as Untrusted, I had to set them first to trusted, then change the lock to red, and then set them to Untrusted, in order for Untrusted to stick. Otherwise, they reappear as Default in the menu even though they show as Untrusted in Options. Are you aware of this behavior? Regards, best wishes for you and your family.


  80. #80 Bo Elam says:

    #62 detzt, Nice trick you found. Good man.


  81. #81 JacksonFireX says:

    1. @ detzt , good mention (#62 comment) - I noticed this as well on several sites where applying changes to "CUSTOM" did not stick until you toggled the GREEN LOCK to RED.

    2. "Revoke Temporary Permissions" icon only seems to work if you select the "Temporarily allow ALL" button. It does not remove temporary permissions from the CUSTOM clock on individual url's - can someone confirm and check?

    3. I am still noticing many sites slipping and being allowed with this new 10.1.2 - Noscript should block everything unless it's previously whitelisted/trusted.

    4. On old Noscript, as soon as you apply a permission, it will auto-refresh the page. In this 10.x, you have to manually reload the page...
    Noscript 10.x also needs a parallel review with ublock origin - historically on older versions, NS worked perfect... I am sure others are noticing this too.

    5. More to add later, there's much to observe....

    Thanks Giorgio on these updates and I am faith and full belief that NS 10.X+ will get better....

  82. #82 T says:


    Thank you, it worked! I only encountered this problem after yesterday's update, so I assumed they were connected, but given what you've said, that doesn't seem likely after all.

    This may be correct behaviour by NS, but it's not very intuitive.

  83. #83 poke says:

    @JacksonFireX So I'm trying to replicate what you're describing on #2 and I've found something that might be your problem. So if you set a domain to a custom setting, and then you make it so that it's temporary and then you click out of the dropdown menu, when you go back to it, then clock isn't selected anymore (so it isn't temporary anymore). This might be why it doesn't revoke your custom settings. However, if you set a domain to custom, make it so it's temporary, and then click the revoke button, it'll revoke the custom permission (the only difference here is that you never leave the dropdown menu).
    Basically, this is a bug.
    @detzt Nice find. Very interesting solution.

  84. #84 Huberto says:

    Man I miss the old noscript, feels bad man.

  85. #85 Feuergretel says:

    @Giorgio molte grazie. I'm watching your unweary efforts the last days with deeply gratefullness and respect: Apparently working around-the-clock without sleeping and although being friendly and patient with all those more or less useful criticism out there AND picking up user-suggestions and optimizing your masterpiece so fast. Magnifico!

    @VIPSTEPHAN #44 site broken

    In my test and opinion it is not about scripts, but https-settings:
    O.k.: Loading https://www.tagesschau.de/ with TRUSTED setting -
    = everything unchecked besides ☑ scripts.
    Broken: Loading www.tagesschau.de with same TRUSTED setting
    O.K.: Loading www.tagesschau.de with same TRUSTED setting AND toggling the green-locked-icon to red!
    O.K.: Loading www.tagesschau.de with big clock-button "temporarily allow all this page"

    Seems, that the last option allows unsecure sites like www.tagesschau.de. So in the end it is more a mistake of tagesschau (not redirecting to https) than NoScript I think ☺.

    #all: mozilla-live-search-field does not react with NoScript

    Can someone please look, if this is only my problem (maybe some other settings are wrong): The search-function does not work, even when "temporarily allow all this page" is chosen: https://support.mozilla.org/en-US/
    My FF57 Ubuntu without NoScript has no problem with this live-search, all tested search-fields on other sites do also well *with* NoScript.

    I wonder, everyone is posting here without problems.
    I had to turn NoScript off to get the recaptcha-field in my Firefox - before I really tried every option... "Allow all" means allow all, even blacklisted, untrusted google-sites - or not?

  86. #86 Jan Dildei says:

    Thank you for your great add-on, Mr. Maone, and good job on the improved UI! Keep up the good work, it's much appreciated.

  87. #87 Bio says:

    @Markus44: Ah, you're right, clicking the padlock made it stick. Thanks. That's not how it worked on noscript before, if I said a site was trusted it would just believe me, not make me click an extra random step without telling me. Doesn't matter if it was https or not

    It makes sense, but it would probably make more sense if someone tries to whitelist a website it doesn't want them to, it at least tells them "Hey this isn't https so if you're ok with that click the green padlock" instead of just not working?

  88. #88 poke says:

    @ Feuergretel The search works for me even with everything set to "untrusted".
    Allow all means you're allowing everything that's set as default to be allowed. Everything that's blacklisted will not be allowed.
    To get the rechatcha on this site, allow google.com and hackademix.net (set as trusted).

  89. #89 Sorenzo says:

    This may a bug:

    When visiting this site: https://addons.mozilla.org/da/firefox/

    and pressing the noscript button the noscript settings page appears in stead of the pull down menu.

  90. #90 Sarina says:

    Thank you so much for all the effort you put into NoScript. I've waited till today before I installed FF Quantum because there's just no way I can use it without NoScript. I guess you are the most important person of the internet :-)

  91. #91 jacky says:

    First of all, thank you so much Giorgio for updating NoScript to be compatible with FF57!

    I'm not a programmer myself so not sure if the suggestions would be feasible, but here are my thoughts.

    1. The default whitelist should be the same as NoScript 5.x (not taking any history/bookmarks into consideration)
    2. In the NoScript options window, adding the base domain should allow both https and http traffic by default (same behavior as NoScript 5.x)
    3. Once the base domain is added in #2 above, one should not have to enable or click the "trusted" button again when visiting the site after for the first time
    4. Add a checkbox / switch for advanced users for each to "match https contents" and "match http content" should they wish to do so, user should be able to select at least one, or both options, and cannot uncheck both.

    IMHO this would make NoSCript a lot more user friendly, thanks again Giorgio, keep up the awesome work!

  92. #92 JD says:

    I'm having an issue where some sites wont let me switch from Default to Trusted? I select Trusted and after leaving the NoScript menu, it immediately switches back to Default.

  93. #93 JD says:

    Sorry for the double post, but I figured out the issue with my problem above. For anyone else that's having the same issue, you have to select Trusted AND turn off "Match HTTPS content only" (the lock icon). I'm guessing it's a security measure for sites without a HTTPS URL?

  94. #94 CGar says:

    Really pleased I can install this on firefox for android. However the UI is too small. Usable, but difficult.

  95. #95 bxing says:

    @CGar #94

    Be careful, this version of NoScript does NOT work on android, it doesn't block anything. It's basically useless, hopefully Giorgio will fix it soon.

  96. #96 Wrecked on the Tundra says:

    One last ill-informed and useless comment from me, then I'll go back to mindlessly chewing hay...

    I suddenly became aware that with this change to NS I am actually learning something, possibly several things in fact. My biggest trouble in life is that my small residual cluster of brain cells rarely informs me of much and these intellectual realizations tend to be well spaced out (pun intended) and very sporadic -- but this web extension episode is almost like a revelation, which is good -- I think. It would be nice to be aware of precisely what I am learning, but the NoScript mutation experience is definitely blazing new neural pathways inside the old brain-box. I can feel it. Feels kinda like a bus drove over my head.

    Daisy, Daisy, give me your answer do. I'm half crazy, all for the love of you.

    Many thanks for these passing moments of neural plasticity Mr Giorio. And for this terrific little bit of software!

    (Many apologies for shamelessly dangling my participles like that, and right in front of the children fer cryin' out loud)

  97. #97 Rob says:

    With the problems currently plaguging NoScript 10 I've gone back to firefox ESR and noscript5.1.7. I know that this is viable until some time in 2018. When firefox ESR upgrades to the quantum engine wil you be giving up NoScript 5 entirely, or will it still be maintained for use in the likes of other firefox based browsers (waterfox, palemoon...)? If it's the latter then I would happily change browser to keep NoScript the way I've known it, my main loyalty to FF has been it's support for NoScript and if the quantum engine makes it impossible for you to let NoScript work at a low enough level to selectively block scripts and objects the way that you used to the jumping to another NoScript supporting browser seems better for me that advancing onto a 59 based firefox where mozilla's new ideas stop NoScript working as it used to.
    And best of luck to you in any attempts you make to restore full functionalities to NoScript despite the quantum engine's interference.

    P.S. Could we have text based labels back for all the buttons rather than just pictograms, the clock and gear look so similar, text has an obvious meaning where pictures can be confusing.

  98. #98 duggulous says:

    Please allow an option for full urls in the popup window, like the previous version had. I found this feature to be very useful.

  99. #99 Rob says:

    I sat this stuff ESPECIALLY in regard to things like blocked objects where in NoScript 5 you could click on them, then get a dialog box and click through to let the object run. I have a horrid suspicion that this might be one of the hardest things to replicate in quantum, what with the way it means extensions don't get much more powers than a webpage could have.

    Good luck

  100. #100 Marco says:

    I found a list of websites and temporary permissions of websites that I visited in the last months in noscript settings. I always used the private navigation and I regularly delete cache and private data. How's that possibile and how can I delete them?

  101. #101 Brandon says:

    Hi Georgio,

    Thanks for the update. I can start to use NoScript again.

    One bug I noticed:
    -on some sites, adjusting the permissions does not have any effect. For example I visited this site (www.scholarpedia.org/) and clicked the icon to make the domain "trusted." But when the page reloads, it is still "default" and blocked. I have been able to allow the scripts using the "allow all scripts on this page" button.

    Another suggestion: it would be nice to have a "allow all this page" button, just like the old NoScript had.

    Best regards,

  102. #102 Sebastian says:

    Hi Georgio,

    great work so far, I have one suggestion:
    Invert temporary and permanent trust status, by which I mean that, when someone clicks on "trusted", they have to click again to make trusted status permanent, instead of the current approach.

    My rationale is that this way, it becomes a conscious decision to make a setting permanent, instead of maybe missing/miss-clicking and not realizing that a domain is set to trusted permanently.

  103. #103 HigherPower says:

    For some reason this newer update is not working well and running smooth like the first release. When I click trust for a site then refresh, it won't stay on trusted unless I click on temporarily allow all.

    This has to be a glitch?

    Another thing the first release when making a change like putting a site on trust, the page would automatically refresh. Now it doesn't after the newer update. :(

  104. #104 fft2000 says:

    Great :)
    One small issue: Alt+Shift+N only seems to work when the webview has focus. Cursor inside URL-bar or even closing the NoScript-popup with its cross-button will not open the popup when triggering the shortcut. No idea if you can do something against that, especially when cursor inside URL-bar?

  105. #105 DaveM says:

    really hate the new noscript/firefox upgrades.
    no script menus get truncated in portrait screen mode and i can't get at customise or site options menus. even captcha appears to be blocked, so had to turn off noscript to try to post this.
    can't work out anyway to use noscript in touch screen mode either.
    I appreciate the new firefox is probably part of the problem. any ideas how to get any of this working here?
    I cannot understand the constant need for software companies to keep changing user interfaces and menus, particularly hiding options with contextual menus.

  106. #106 DaveM says:

    Just like to add, the different status icons are too small and the tiny differences lower right of the icons are almost impossible to make out on a 10 inch screen.
    when I submit comment here, captcha pops up, the screen refreshes and my text is cleared so I have to paste it in again.
    I wonder how many people just give up? Must be good because hardly any negative comments get posted.

  107. #107 JacksonFireX says:

    [currently on 10.1.2 / FF-57 Quantum]

    1. How are you all temporarily allowing scripts for a url that shows up within the main NS list and not having it save in your whitelist once exiting the browser?

    I thought by clicking the "clock" under custom to have it zoom (not faded) and then selecting refresh, would be just a temporary instance. What is the purpose of not touching the clock and leaving it "faded"?

    What I notice is, any of those adjustments save them into our NS > options > whitelist (Under CUSTOM). I have to remove them one by one by clicking on DEFAULT. This remains even after you exit your browser fully.

    With old NS, you select temporarilyl allow x, y, z url and that's it (you could see the url in the whitelist but in italics***) - it would never stay in your NS whitelist after you exited or revoked those permissions.

    2. Agree with others about removing the "DEFAULT" from the main list.

    3. Overall, my ability to comfortably use noscript with my very limited knowledge, has dramatically declined for the worse since Quantum and how I was able to control each website from the simple allow/temp allow/forbid - With Quantum, it just feels I am just guessing and never sure if I am blocking/temporarily allowing like before - it's very evident that more urls are just going through out of the box than they did pre-Quantum.

    Still believing the updates for NS XX.XX versions will be better.

  108. #108 Oliver says:

    No problems with the gui ;-) I like it easy as long as under the hood everything works fine.
    The problem I am facing seems to be about local adresses. With NS I can not use the Interface of my router. Neither with DNS (fritz.box) nor IP ( The NS-GUI shows "default" and after changing from default to trust after reloading the Page the gui still shows default. Entering domain manually in Options with trust has no effect. Restarting browser after changing has no effect. Disable NS brings functionality back.
    have a look at it ;-)
    kind regards

  109. #109 bill says:

    thank you for the program.

    Things I really miss:
    1. able to temporarily turn on a SINGLE script or whatever from the options button on the page WITHOUT having to temporarily turn on ALL the scripts on that page. For example, I never want google or doubleclick or other ads to run. The beauty of the old NS was the ability to get the page to run without all these ads and privacy grabs. I can't see how one can temporarily run individual scripts now, it's all or nothing.

    2. the temporary permissions should end when the TAB is closed, not the browser. Who closes browsers? If I need the gstatic to run to use a 'next' button on a site, I want that permission gone as soon as I leave the tab.

  110. #110 Oliver says:

    @108 I have to correct myself. the problem ist not related to local adresses. It was just the first time I experienced the problem. So I thought it is connect to local adresses. As I see now the problem occurs randomly on various pages while with others marking them as trusted works fine.
    as I said: have look ;-)

  111. #111 CGar says:

    @bxing #95
    Thanks for the heads up. I've also noticed on my android now that it it isn't showing up anymore in the dropdown menu. Still showing up as installed though.

  112. #112 Joaquin Oakland says:

    It would be good to keep on each page like this one an in-plain-view link telling how to install the latest version. I'm guessing it may be until after post-Thanksgiving-4-day-weekend before Mozilla makes it 10.1.2 available through Tools>Add-ons. Maybe, if they need their tech-fix, until after Black Monday.

  113. #113 hors_zone says:


    Thanks for NO SCRIPT

    Two main observations (I don't know if it's intended to behave like that or not), about it so far:

    1) Before, when I visit some sites (independent.co.uk for example) I can read the article without having the video joined with it load or play. Now it does both, I tried marking everything as untrusted but it doesn't work.

    2) I'm blocking all scripts by default, most of them marked as untrusted (although some don't stay like that). Despite this, the text bubble that appear when I hover the mousse over NOSCRIPT icon says (NOSCRIPT: 14/73)

  114. #114 Giorgio says:

    @Oliver and others:
    Why sometimes the TRUSTED preset seems not to stick & the site you've juts allowed comes back as DEFAULT? they're are most likely http: (vs httpS): NoScript by default matches secure addresses only, you currently need also to toggle the lock to open/red for the preset to stick. Since I recognize this "match HTTPS only" by default is confusing to many, in next release I'm gonna make the match lenient (both HTTP & HTTPS) automatically if permissions are given while browsing an insecure site.

  115. #115 Shadow says:

    Ever since the "temporarily allows all this page" button came back, there seems to be a new problem. If I want to temporarily allow a specific domain by clicking on the "Trusted" button in the dropdown then click on the little clock on the right and press the refresh button, nothing happens, that domain is still blocked. If I go to Options I can see that that domain has been listed as temporarily allowed, but if I go back to the dropdown and check, the domain has gone back to "Default", not temporarily trusted, and the webpage is still blocked.

    Hopefully this could be fixed in the next maintenance release. Thanks for all the hard work!

  116. #116 cmoregainz says:

    When I try to add objects to the "trusted list" the objects do not get added and are still stopped. You guys really need need to fix the add permissions button to work. Also, I want to see the entire name of st script/link not just the end.

    TL;DR make it work like before. If it's not broken, don't F*ck it up.

  117. #117 Oliver says:

    @ #114 Giorgio: I got it! ;-) Works now. But the toggle-button for http / https is a complicated thing which existence is not fully clear to me. and I am not absolutly out of IT. Thanks for the answer!

  118. #118 Mustafa says:

    We need flashgot so badly. Please update it.

  119. #119 plinker says:

    Maybe I'm stupid, but I just don't understand the new GUI. Like many other (apparently) I find "Custom" very confusing. What I want to know is "is script allowed from this site or not?". "Custom" doesn't answer this question.
    One specific thing I always do on web sites that I'm just visiting maybe once is to go in and *temporarily" allow script from this site specifically. I don't want to allow it permanently, and I *never* want to "allow all" on a site, even temporarily. But I can't figure out how to do this now. If I click "custom" I can allow specific sites, but is it temporary or not? Seems it's then permanent?

  120. #120 NoScriptian says:

    For each and everyone having troubles with settings not taking affect (e.g. jumping back from Trusted to Default, changes to settings not saved etc.)


    GREEN= https URLs only
    RED = https + http URL

    If set to RED, NoScript will save all settings for the option you chose for all sites, including http (without the s).
    Maybe Gorgio you could add this issue as a reminder to your blog entry?

  121. #121 scriptfox says:

    #119 plinker:
    To allow temporarily a domain:
    1. pick "Trusted" for the domain(s) you want to allow
    2. click the clock icon on the right of the "Trusted" box
    3. if the site is NOT https, also click on the green padlock icon to make it red

    Note that the "allow all" option does NOT allow domains that you have already blacklisted (ie, marked as "Untrusted") to run, so in most cases that's the simplest way to unbreak a site.

  122. #122 plinker says:

    #121 scriptfox:

    Thanks. Then it's at least possible, but I have one issues with it: It should be the other way around. You should first allow it temporarily, and then optionally click once more to make it permanent. This will make it just one click in most cases, and reduce the risk of permanently allowing something by accident.

    Regarding "allow all"; When I go to Some Random Site once, it will often try to run scripts from a bunch of mystery sites I have never heard of, so they will not be blacklisted to begin with. (Actually, come to think of it, I don't think I have ever used "allow all" on any site, ever.)

  123. #123 Mike says:

    Yes, Giorgio please port FlashGot to Quantum!

  124. #124 scriptfox says:

    #122 plinker:

    No problem! And I completely agree with you re: 1 click for temporary, 2 clicks for permanent but it's early days still, Giorgio will certainly fine-tune the UI over time.

    For the "allow all" problem, you could try something like uMatrix/uBlock Origin in combination with NoScript.

    You first use uMatrix to (temporarily or permanently) pick which domains to allow scripts for in the current tab, then use NoScript's "temporarily allow all", knowing that only the domains that uMatrix isn't blocking will actually be allowed to run scripts.

    uMatrix also comes with hosts file subscriptions that blacklist thousands of known malware domains, so even a lazy "allow everything" policy would still give significant protection because, like in NoScript, blacklisted sites in uMatrix need to be explicitly enabled.

  125. #125 Bob says:

    Please show full URL on hoverover.

  126. #126 Jim Kirk says:

    Some anonymous Slashdot user claims Giorgio Maone is a "paid shill" of Mozilla. Like he's paid to say that Firefox is good: https://news.slashdot.org/comments.pl?sid=11403677&cid=55624843

    Is that true?

  127. #127 DLawson says:

    Highly satisfied. But I ran into an odd case.

    I had a site in my whitelist (...leevalley.com), and post-upgrade I optimistically tagged the rule as HTTPS only. Navigated to a sub-page (http://www.leevalley.com/us/Wood/page.aspx?p=49253&cat=1,42500), which did not work (order buttons) because of the HTTP. All is cool.

    Hit "allow all temp" a couple times and nothing changed. Slight disappointment, but not unreasonable. So I went to the Settings page and toggled the padlock. Everything worked.

    In a little more surfing, I did "clear all temp" and eventually was at another sub-page on the original site. And it didn't work. Looked at Settings, and the site was gone.

    Guessing that the rules in the engine are site+HTTP[s], but the temp/clear-temp are less specific?

    [irony that my post was blocked because I did not respond to the captcha that was blocked by NS.]

  128. #128 Giorgio says:

    "Revoke temporary permissions" deletes all the temporary permissions you gave so far, even on different pages. That, unless I'm missing something, is what you're describing.

  129. #129 Bounder says:

    Hi Giorgio. I'll begin by saying thanks for the excellent provision of the classic NoScript (NS-5+) branch, and may this continue to be so for the duration of the pre WebExtensions versions of Firefox and Tor Browser. To date, this has been the only extension that I've run with Firefox, and would not use Firefox without it.

    Now, if we wish to upgrade to Firefox-57+, we are subject to the WebExtension API and the effect on NS user interface (UI) properties. I realise that currently, NS-10+ is very much a work in progress, which I'm monitoring closely. I (along with no doubt many others) seek here, some basic clarifications regarding the direction of NS-10+ branch. Can you please clarify the following:

    * 1: Will the NS-10+ branch retain at the very least; all of the same functions and granularity as the old (NS-5+) branch?

    * 2: Source Code (both branches): In the interim, at the NoScript web site, while we wait for the launch of the GitHub repository; are you able to provide clear and prominent instructions to users, as to how the source code can be obtained in a human readable format?

    I look forward to your feedback, my thanks in advance.

  130. #130 Bounder says:

    ... Extra to the above post (#129): A little more detail to my request was actually posted earlier by me over at the forum:


    Cheers again and thanks.

  131. #131 Bounder says:

    Just to follow on from my comment above (#129). A little more detail on my request can be found in an earlier post by at:


    Cheers and thanks again.

  132. #132 Rob says:

    Bounder, Q2. I think that if you download the .xpi file for noscript, then use 7zip to open it as if it were a zip file you can see inside and read the code from there. I don't know if it's commented or anything, and how readable it might or might not be, but I think it is the source code in there.

    Giorgio, if NoScript 10 can't ever manage the granularity of NoScript 5*, due to the difficulties caused by the quamtum engine, will NoScript 5 keep being supported and updated for things like palemoon, waterfox,... after firefox ESR migrates to the quantum engine?

    *Especially things like being able to have specific bojects blocked then click on them to allow them while not letting other objects on the page run. For example clicking on to allow a CAPTCHA object on a page while not getting drowned by advert objects also on the page. I hear you can't necessarily do the "Temporaily allow such and such... "ok", "cancel", (always ask for confirmation)" pop-up due to the quantum engine, but can you still atleast do the clicking of blockee objects to allow them?

  133. #133 asdf says:

    1. When I open inspector with 10.1.3c1 I see boatloads of nodes being continually inserted into the DOM.

    2. The animations when you hover over stuff in in noscript are annoying. Can you not give in to that fad?

  134. #134 trouble_figuring_out_NS says:

    For me, the "untrusted" option doesn't seem to do anything. Scripts still run. I went through the list of sites in options and set them all to untrusted thinking that would block everything, but it did nothing. In the untrusted options, all the boxes are unchecked under allow.

    If I go into custom and uncheck everything, then scripts get blocked.

  135. #135 Markus44 says:

    There's a __bug with temporary settings__ that I haven't seen anybody write about so far.
    I like the new version and get along quite well with it, but this bug prevents me from fully using NS the way I would like to:

    It's the fact that the button for CUSTOM settings has a clock symbol on it, implying that temporary settings are (1) possible and (2) can be revoked by clicking the big "Revoke Temporary Permissions" button, but it __doesn't work__, contrary to the TRUSTED button's clock. The temporary CUSTOM settings are made permanent as soon as you try to save them and the clock symbol is greyed out again.

    Would be great if you could fix that bug in the next version!

  136. #136 Kuno says:

    10.1.3c2 - now its broken. It doesn't work anymore.

  137. #137 HigherPower says:


    What happened? Some sites stopped working now. No matter what I do, how much I put them on trust the sites don't load! I can't log into my bank site and I also cannot track a package on the fedex site with this newer update.

    Man this is getting very bothersome now.

  138. #138 Bo Elam says:

    @134 trouble_figuring_out_NS says. I experienced what you describe in one of my two computers. I think NoScript settings got corrupted in that computer when upgrading to Firefox 57 and NoScript 10, that caused the problem of scripts running in Untrusted domains. I solved my issue by copying the not corrupted "storage-sync.sqlite" file from my W7 and pasting it in my W10 (the computer with the issue). That file is where NoScript is saving settings. You ll find it inside your Firefox profile folder. If you dont have another computer, you could create a new profile, install NoScript, make a copy of "storage-sync.sqlite" and paste it in your current profile folder to replace the corrupted one you have now.


  139. #139 Clara says:

    Lots of websites stopped working with 10.1.3c2 even though I allow them in NoScript. Settings for frames, media, object and the others doesn't seem to get saved at all once I close the NoScript popup.

  140. #140 Guenna says:

    What about my comment? Its not there.
    If i try it again is there a message:
    Duplicate comment detected; it looks as though you've already said that!

  141. #141 poke says:

    The new update is working well for me. For anyone having problems, possibly try creating a new profile and running it? Maybe it needs a "refresh".
    Changes I see with the new update:
    - It auto refreshes again
    - The options menu has now moved to the left side with the close and refresh buttons
    - If you set something to "trust", it is now initially a temporary change and you have to UNCHECK the clock to permanently keep the site as "trusted"
    - Noscript now recognizes if a site is http or https

  142. #142 HigherPower says:


    Creating a fresh new profile/refresh did not fix the issues we are having now with update 10.1.3c2.

  143. #143 Guenna says:

    Where is my comment?
    Do not be angry. Maybe it's just a stupid mistake.
    But....Is there censorship in this forum?

  144. #144 poke says:

    @HigherPower Can you give me a site that is giving you problems as an example?

    @Guenna Certain words could be blocked. Are you trying to say something "controversial"?

  145. #145 bbl says:

    I have a weird problem - it looks like NoScript is not working at all - I have a long list of sites I block, and a very short one that I allow. But the new Firefox enables JS on sites I know I block. It looks like it is not blovking anything.

    Any suggestions?

  146. #146 HigherPower says:


    Go to google search and type dogs. Notice the link can't be click and the page don't work? At least on my end it don't work.

    I did a clean install, fresh profile. Some sites work some don't. Which is very strange.

  147. #147 Roland says:

    After disabling and re-enabling NoScript, all settings for trusted sites are gone, only "script" is checked. Please see this screenshot:


    Now, when I want that other back, I need to setup custom settings for each site.

  148. #148 poke says:

    @ HigherPower I see now. You're right. That is a problem. I think I've found the problem (no solution though). Click on the gears that pop up when you hover over the trusted icon and you'll see that only "scripts" is checked. This is what's probably causing the problem. If you go and check the others and leave the dropbox, and reenter it though, they'll be unchecked again. Another bug is guess.

  149. #149 poke says:

    @ HigherPower You won't like it, but a temp solution is to switch everything that's broken to "custom" and manually check all the boxes. That works for me.

  150. #150 HigherPower says:


    Thanks for confirming. Guess I will try the custom tip ;)

    Thanks again!

  151. #151 poke says:

    @HigherPower No problem. Just trying to help out. Hopefully @Giorgio will be able to work out this problem quickly. It's a pretty bad one. I don't even want to read the AMO reviews about it.

  152. #152 green says:

    Excuse my "Google" machine translation :-/:
    Maybe it's new to the right.
    TRUSTED Only Script enabled
    CUSTOM individually allowed what I need

  153. #153 w13d0w says:

    there is a major bug in this release: in the trusted option only "script" is ticked and changes made arent saved (other ticks you make disappear when the page is reloaded). this makes almost every website unusable. I have to deactivate the addon until this is fixed.

  154. #154 Solo says:

    Sorry Giorgio but this version is no where near as good as the old NoScript 5.X. There seems to be bugs appearing constantly. For example, a site I used under this new one and did use custom still blocks everything. There is just a blank screen or I cannot click on anything. This is really too bad because No Script WAS the best and until it is EXACTLY like the 5.X version I just cannot use this. It is very unstable and unusable!

    Does anybody know if AdBlocker Plus does the same thing as No Script? Atleast stops pop ups? Thanks.

  155. #155 A says:

    Something gping wrong in 10.1.3c3

    Every site that in NoScript I give a 'Trusted' turns up in Untrusted ... The good thing: in trusted, it is possible to click more boxes than just script now. as opposed to this morning. Furthermore: no pre-loaded trusted sites!

    "untrusted": [

  156. #156 Markus44 says:

    WOW, try the latest version 10.1.3c3
    which is a massive step in the right direction!

    Get your settings right there and it will work as expected.
    Several bugs got fixed, some new goodies such as clock symbol visible right from the beginning on the TRUSTED and CUSTOM buttons, close button fixed etc.

    Have a little patience folks, I'm positive this will be a phantastic add-on again very soon.

    Thank you Sergio!

  157. #157 Fegr says:

    Something wrong with 10.1.3c3!!!
    "TRUSTED": {
    "capabilities": [
    All rights are away and i can'T change anything in the debug (doesn't not save anything)
    Making customs for website doesn't save ever--> always change back to "script" only

  158. #158 pete says:

    Version 10.1.3c3 seems to have "broken" Facebook

    No matter how many times I ensure that everything in Facebook is "Trusted", Notifications and Messinger don't work. The Shortcuts only work if I right-click and open in a new tab.

  159. #159 Markus44 says:

    @Fegr (#157)
    "Making customs for website doesn't save ever--> always change back to "script" only"

    I cannot confirm this, works like expected here. Did you delete NS and install again afterwards?

  160. #160 Giorgio says:

    If you happened to have NoScript 10.1.3rc2 installed before rc3 (it has been out for a couple hours), please double check that ALL permissions in the TRUSTED preset are checked (you might have been left with just "script"). Everything should work much smoother after on :)

  161. #161 Fegr says:

    Tried directly on the webpage and it saved!
    But when I open the NoScript option where is the complete whitelist and change there something it doesn'T save! Always set back!

  162. #162 Chris says:

    Hi, is there a way to prevent allow toplevel domains by default?
    I Recognized that when surfing on the Web Top-Level Domains are automaticaly allowed, iwant no script to block all by default...

  163. #163 Fegr says:

    @Giorgio (#159)
    I realized it before! But I can't save the debug I changed!
    Is there even a save-button for it???
    So I need to customize every page on the whitelist to use all contents?

  164. #164 Oliver says:

    with 10.1.3.c2 Youtube video seem not to load anymore. "Temporary allow whole site" or mark all sites manually as trusted does not have any effect. Disable NS solves the problem....

  165. #165 Giorgio says:

    There's no setting like that, unelss you changed the permissions in the DEFAULT preset.

    If you're using RC3 the changes will stick, no matter if you make them from the UI (like in my screenshot) or from debug. RC2 had a bug which wiped out all the permissions except those immutable for the preset, e.g. "script" for TRUSTED.

    please upgrade to RC3 and check my comment #159 above.

  166. #166 Roland says:

    @Giorgio Not here. I think this computer was off when r2 was out. And I cannot save (even with Debug option on the end of the page) settings for having all enabled on trusted sites.

  167. #167 Markus44 says:

    @Fegr (#161):
    "Tried directly on the webpage and it saved!
    But when I open the NoScript option where is the complete whitelist and change there something it doesn'T save! Always set back!"

    I can change and save it in both places.

    When you can't save, it is often due to the fact that you have set a green lock on the options page but in the drop-down box this site is written in red. If so, you might have to toggle the green lock to red to make the settings persist.

  168. #168 Roland says:

    Okay, working again with r3.

  169. #169 Kuno says:

    Hi, I have here two PCs Win7Pro64 with NoScript10.1.3rc3. The Noscript dropdown window is empty, doesn't show any URLs. The Settings-Window is empty, I cannot change anything. My old settings still work. Just FYI, maybe it helps.

  170. #170 Larry says:

    LunkedIn is not working even if I temp allow..

  171. #171 Oliver says:

    #163 Found the reason for the youtube failure: under Trusted suddenly everything is unchecked except scripts. rechecking has no effect. after refreshing only the scripts option is checked again....

  172. #172 Fegr says:

    And now I understand how to change the setting of TRUSTED!
    1: Go to Whitelist
    2: Click on TRUSTED (not customize) and Check all ticks!
    Reload all pages!

  173. #173 Larry says:

    How can I get noscript version of 1 week ago?

  174. #174 Larry says:

    Now everything is working ok!

  175. #175 Solo says:

    So are you saying that C3 is now working like 5.x??

  176. #176 Oliver says:

    okay! rc3 saves options again ;-) without uinstalling rc2 before.
    unfortunately at first use after upgrade I had a TAB Crash after leaving options-tab and next time a browser crash after leaving options-tab. Now it works. can not reproduce it.

  177. #177 trouble_figuring_out_NS says:

    @Bo Elam, thanks, although I don't have any other machine to copy working settings from.

    Here is the process that I'm currently following to make NS work the way I expect it to (block everything by default, turn on scripts as needed), but it's a little tedious.

    1. Change the DEFAULT so all options are unchecked.

    2. Go through the list of sites in the NS settings and move them all to DEFAULT.

    3. For sites where I want "some" scripts to run, choose CUSTOM and click the lock so the icon is red and unlocked.

    4. Choose the options under CUSTOM for that particular site.

    5. Completely ignore the TRUSTED and UNTRUSTED choices for each site. Every site is either DEFAULT or CUSTOM.

    note: I've found when making changes under CUSTOM, that if I don't click the CUSTOM tab again so the checkboxes disappear, the settings don't seem to take.

  178. #178 trouble_figuring_out_NS says:

    Never mind, all the changes to DEFAULT have set themselves back to UNTRUSTED and all scripts are running again. It looks like only CUSTOM does what I want, ugh.

    I'll upgrade and see if things improve.

  179. #179 Bo Elam says:

    @177/178. Like I said to you earlier, " If you dont have another computer, you could create a new profile, install NoScript, make a copy of "storage-sync.sqlite" and paste it in your current profile folder to replace the corrupted one you have now." It should take you about 10 minutes and be over with. You ll end up with a fresh set of settings without uninstalling NoScript or deleting AppData files. It works.


  180. #180 Bo Elam says:

    @177/178. Also, make sure to update NoScript to version 10.1.3c3.


  181. #181 trouble_figuring_out_NS says:

    @Bo Elam. I upgraded to 10.1.3c3. I'm running this on a relatively new system install and the number of sites I was dealing with wasn't overwhelming, just tedious. The amount of time spent was probably slightly less than 10 minutes. Thanks for the suggestion though, I will keep it in mind when my site list eventually grows.

  182. #182 Ash says:

    With this latest version whenever I click on the NS button on my menu bar firefox goes from fullscreen to not fullscreen. Sometimes the NS popup actually show up in a new window and not the drop down like it was doing. Any thoughts on how to make firefox stay in full screen mode and give me the drop down?

  183. #183 Anon says:

    Disappointed in the XSS Warning popups - I installed Noscript to get away from those annoying things, not to get more of them. Even worse, the only "stop asking" option is the one where you always allow the request, thus encouraging compromising security to stop the security suite from bugging you, and even that doesn't stop the popups from coming if the page is spamming XSS attempts (see: Tumblr).
    If you can't do a bar under the bookmarks bar like in old Noscript, at least put XSS warnings in the Noscript menu.

Bad Behavior has blocked 576 access attempts in the last 7 days.