NoScript Quantum 10.1.4 is out, and while it might seem a fairly minor release, it does fix some performance issues under the hood and a quite annoying bug making maximized windows "jump down" when you open the NoScript UI. Talking of which, now that these back-end cleanup is done, I can finally give some more love to all the suggestion about improving usability that you kindly provided so far.

Starting with the XSS popup, which unfortunately cannot be an "old style", interactive but out of your way, notification anymore because of limitations in the WebExtensions (I cannot even open the NoScript menu programmatically, it must be reacting to user's input); but can, for instance, include an "always block requests from to" to make it less noisy.

Thank you also for all the UI prototypes and wireframes you've sent, I'm gonna start trying merging some of these ideas right away :)

24 Responses to “Time to stabilize: NoScript Quantum 10.1.4”

  1. #1 gottaadmit says:

    Thank you for your hard work! Much appreciated.

    Do you plan on bringing back separate default settings for first-party and third-party scripts? That part of functionality is impossible to recreate in v10, and I don't think I was the only user who preferred to relax NoScript settings a bit with first-party scripts temporarily allowed by default, and the rest blocked.

  2. #2 Bo Elam says:

    Hi Giorgio. With version 10.1.4, I find many domains are missing in the NoScript Drop down menu. So, sites cant load or work properly. Domains missing fall in all categories (Trusted, Untrusted and Default). I posted pictures in the thread below. NoScript is the champ. Best regards.


  3. #3 Bounder says:

    @Giorgio: What features that were available in "classic" NoScript, are currently missing or not operational in NS-10*? Secondly, with the exception of the UI, will we get all of the old features back?

    It would be really nice if you could spare just one breath and give us an answer :)

    On my investigations and estimates, with FF-57+; it would appear that one would need at least [ uMatrix + HTTPS Everywhere + Privacy Badger + * ] to almost match the features what we had in the one addon with "classic NoScript.

  4. #4 Langenscheiss says:

    Hi again.

    I don't know if you have already worked on it, but now, at least temporarily allowing all the page makes xhr possible from content scripts. This didn't work so far, but now does. Maybe this helps???

    Keep up the good work!

  5. #5 Gabriele says:

    NoScript seems to be stable and well working now.
    Thanks a lot!

  6. #6 Giorgio says:

    The main (most visible, but not the only) features of NoScript, beside script blocking, which are not present in any other security product are:

    • Its XSS filter (already in NoScript 10)
    • ClearClick (Clickjacking protection), being ported
    • ABE (Cross-Site Request Forgery protection), being ported too.

    Both ABE and ClearClick are scheduled for release in 10.2 end of December or beginning of January. And no, with uMatrix + HTTPS Everywhere + Privacy Badger you can barely match 3rd party active content blocking + HTTPS locking, but none of the above (XSS, Clickjacking and CSRF protection).

  7. #7 John says:

    Thank your for this great add-on!

    Will there ever be a option to set all domains by default to "untrusted" ? I noticed with the new Quantum extension that certain site elements are allowed by default and I have to explicitly have to set the responsible domains to untrusted to block them.

    Again, thanks for all your hard work.


  8. #8 tor says:

    Giorgio, will you backport security fixes to 5.x series?

  9. #9 Bounder says:

    Thanks for your feedback, which is most appreciated.

    Indeed; ClearClick & ABE are eagerly awaited.

    The course of my "investigations" made me appreciate even more how much of GRANULAR "one stop shop" NoScript has been. A couple of other unique examples of would be:

    * Ability to SELECTIVELY block scripts and objects within a domain (I've been lead to believe that this is not directly possible within uMatrix, and that there are no plans to implement such over there).

    * Extensive collection of Script Surrogates.

    I'm one of the crowd who prefer the granular ability to block everything and allow as required.

    As many others say: Thank you very much for all the good work.

  10. #10 Bounder says:

    Way past my bed time here. Some minor corrections to my last post would be required it seems:
    * Replace "...much of GRANULAR" with "...much of a GRANULAR".
    * Replace "...(I've been lead to believe..." with "...(I've been led to believe..."
    Cheers again.

  11. #11 Giorgio says:

    Of course, as long as the Tor Browser doesn't switch to Firefox 59 ESR (likely June 2018).

  12. #12 RandomNoScriptUsr says:

    Giorgio Maone: "I think I've spotted the culprit (some scripts are not reported, but blocked anyway). I'm gonna fix it ASAP."

    Thank you Giorgio Maone! Is there an ETA for this hotfix?
    I know you are pretty busy juggling things and still maintaining NoScript for the torproject. I wanted to know what time of day or week, in your timezone, do you release hotfixes and major releases?
    Also, how long does it take now for Mozilla to manually/automatically approve an addon update?

  13. #13 Richard says:

    10.1.4 shows up a problem with exactly this site: I removed from the trusted list. As expected, the captcha for commenting does not show up and the noscript button shows as blocking some sites with a small "2" (I assume 2 scripts blocked). If one opens the menu, only shows up as trusted but the domain is not listed at all thereby making it impossible to allow temporarily. I had to enable on the settings page to make this comment.

  14. #14 Richard says:

    To add to my previous comment (#13): Temporarily allow all on this site works neither.

  15. #15 Frank says:

    Looking at the Options page still locks Firefox solid, so still not truly useable. Removed again.

  16. #16 Jan says:

    Please, please, please add whitelist import so I can browse the web as I used to!

  17. #17 Fran says:

    @Frank: I don't see that lockup with 10.1.4 on Windows 10 in Firefox 57.0.1.

  18. #18 Tomate says:

    @all, @Giorgio
    I suggest to encourage people to use the corresponding thread in Support Forum for discussing issues/bugs.
    Here all topics are mixed up, so that many people don't seem to read the related previous posts - filling the comments section up repeatedly with (long) discussions of the same already known issues.
    Does anyone feel the same?

    This bug is already known:

  19. #19 Giorgio says:

    Just released NoScript 10.1.5.

  20. #20 Bo Elam says:

    Hi Giorgio. Thanks for the quick fix. Version 10.1.5 fixes the problem I reported. I cant reproduce it anymore. Keep them (NoScript releases) coming.


  21. #21 Sosiskin says:

    What about flashgot? When you start working on firefox quantum support?

  22. #22 Afonso says:

    Is there a way to reset the settings? My settings are such a mess right now that I would prefer to set my preferences on each site with a clean slate.

  23. #23 Giorgio says:

    I'll take on FlashGot as soon as NoScript has both ClearClick and ABE back (hopefully in one month or so).

    Closing comments here, please continue in th 10.1.5 post (bug reports in the forum, though).

  24. #24 Steve M says:

    With the 10.1.5 version when I highlight some text, right click, and then click on "Search Google for..." I always get a XSS warning, but if I do it a 2nd time, I don't.

    I don't think I should be getting a warning at all with using the "Search Google for..." feature of the context menu.

Bad Behavior has blocked 729 access attempts in the last 7 days.