Someone seems to be still convinced that changing our beloved NoScript UI has been a whimsical (and suicidal) decision of mine, entirely avoidable.

The ones who know better about recent history of Firefox and of its add-ons ecosystem are aware, though, that the UI couldn't stay the same simply because the technical foundation (XUL/XPCOM) for the "old" one is not there anymore, and NoScript has been forced into being completely rewritten as a WebExtension (and therefore its UI as pure HTML) or just die.

Since it was anyway impossible to replicate exactly the well known user experience provided by NoScript 5.x (which, BTW, is still actively maintained and available here), I've tried to find a silver lining in the forced rewrite, taking it as a chance to incorporate user feedback collected over more than 12 years, especially about making the permissions system more customizable.

And indeed, the old concepts are all still there, but the way they are implemented is more flexible and amenable to customization, albeit admittedly less discoverable and, for long time users, surely confusing at least initially.

Bugs aside, I think the biggest problem with the transition, which I'm truly sorry for, is me not having found the time yet to write any proper user-oriented documentation for NoScript 10; but maybe we can start here by providing a minimalistic overview, mapping the new "Quantum" UI onto the "Legacy" (I actually prefer to call it "Classic") one:

  • In the NoScript 10 we've got 3 presets (DEFAULT, UNTRUSTED and TRUSTED): you can assign one of them to any site, and the sites with the same preset share the same set of (configurable) permissions
  • For sites that don't fit in any of the 3 aforementioned presets, you can choose to use CUSTOM permissions: CUSTOM is not a preset, but a way to give very specific permissions to a site, applying to that site only
  • Back to presets, DEFAULT is the set of permissions that any unknown site has. So if you don't touch NoScript, beside a handful of websites (the "old" default whitelist) pre-assigned with the TRUSTED preset, all the sites on the Web have the permissions of the DEFAULT preset (i.e. almost none).
  • "Temporary allow" maps to clicking the TRUSTED preset on the row.
  • "Allow" (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means "Temporary"), to disable it (and make the preset assignment "Permanent")
  • "Forbid" maps to clicking the DEFAULT preset, which actually means deleting the site from the internal "whitelist". In facts, if you do it in the general Options panel, next time you open the panel (or refresh it) the site is not even listed there anymore. It doesn't disappear right away for convenience, to give you the chance to change your mind or correct mistakes.
  • "Mark as untrusted" maps to clicking the UNTRUSTED preset, which contains no permission at all and is meant to collect and remember the "known bad sites" in a permanent blacklist.
  • And then CUSTOM, which is new to NoScript 10 and lets you fine tune just a certain website with its own specific permissions, either more restrictive than DEFAULT or more permissive than TRUSTED ; this tuning is either permanent (by default, the clock shaped icon in this case comes disabled) or temporary, by additionally clicking the clock-shaped icon.
  • Each and all the presets can be freely customized to your own needs, with the convenience constraint that you cannot remove the "script" permission from TRUSTED, and you cannot add it to UNTRUSTED. However, the factory presets are very similar to the "old" NoScript experience.

What about the "Match HTTPS only" green/red lock toggle? If green (locked), the toggle makes base domain entries (e.g. "") match themselves and all their subdomains, but only if their protocol is HTTPS (and therefore the traffic encrypted and not easily tampered with). Otherwise, if red and unlocked, both HTTP and HTTPS match: this has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy, but is unfortunately needed for some sites to work. NoScript tries to gives you the "smartest" default for each site, i.e. green if the page is already served on HTTPS, red otherwise.

A lot more needs to be written yet, but these are the bare bones.
If you find bugs or need support, rather than using in the blog comments or, even worse, the AMO review system as a way to communicate with developers, please submit to the support forum here.

And if you want to help me with development, please install latest development build, which is released even more often than the stable and ships earlier both bug fixes and new features. And please keep providing feedback, as especially the UI is still a work in progress and I'm eager to make it better than before, by merging as much as possible of your valuable contributions.

Thank you all!

226 Responses to “NoScript, "Quantum" vs "Legacy" in a nutshell”

  1. #1 Allan says:

    I've returned to FF 52.5.0 ESR until the dust settles a bit...

    What I would like to know is this: before I open any website with 57 will I be able to -globally- turn all my previous NS permissions to Default and delete all my previous NS history?

    Thanks for all you do!

  2. #2 Scote says:

    Thanks for all the work you are doing.

    Part of the problem for me is that it takes more clicks to do the same thing, and the paradigm has changed. I'm used to "allow" rather than "trust". I don't actually trust anything I only temporarily allow, so there is a bit of a mental disconnect for me in using the new UI.

    For temporary allow, I think an hourglass might be more intuitive to me than a clock with an explanation point.

  3. #3 sam says:

    Is there an equivalent to the old SHIFT-RIGHT-CLICK which allowed us check up on a script by submitting it to Virustotal, etc>?

  4. #4 PM says:

    I use
    Here on this page where I write, there are two Trusted, one Temporary other Permanent.
    If I drag the mouse, there is no difference in the subtitle that appears.
    If the clock is color and big, is the Permanent?

  5. #5 Giorgio says:

    You can already do it either clearing them one by one (a new thing in 10 which wasn't there in 5 is that the text box to insert new sites is also a search box filtering the ones in the list on the fly), or bulk edit their JSON representation if you go in "debug" mode by selecting the checkbox on the bottom. I'm gonna add some visual bulk-edit option ASAP, though.

    It's arriving in stable :)

    The big solid clock (currently default for TRUSTED) means temporary (clocked), when it's faded it means the clock doesn't apply (permission is permanent).
    You're right, having different tooltips for different states would be better, trying to stuff it in too.

  6. #6 john says:

    Any timetable for a working version for android? Many NS users upgraded to FF57 thinking that the new version of NS would work (it was briefly listed among the FF android add-ons on Mozilla's website, before being removed), now they cannot switch back. Keep in mind that there's no FF ESR for android.

  7. #7 Giorgio says:

    I've got just to figure out what's preventing the UI from being populated with the current site data, and I'm sure it must be something stupid. I hope to have it by the end of this week, because I'm a NSA user myself :(

  8. #8 Jose says:

    Thank you for the constant updates... it feels smooth now.

    I would suggest a preference option: Previously on NS 10.1.3rc(2-3) clicking on NoScript UI will open a new window with websites preferencies, this was reported by most users like a 'annoying' bug, but some others perceive it like a feature... why? because if you 'hide' the NoScript button inside 'More tools' menu, the resulting UI is forcing the user to scroll right and left several times only to know what is going to block and/or allow: Demo:

  9. #9 Solo says: when do you think you will have the right version that will be equal to the original or as you like to call it "Classic"?

  10. #10 pijulius says:

    Hi Giorgio, first of all thanks for the hard work you put in and agree with everyone about the confusing interface but I also do understand the reason behind it.

    Two notes if I may:

    1. Please please bring back the context menu (if possible with the new firefox as unfortunately I have no clue if it's possible at all) as it would fix so much of the troubles people are having. The context menu was an easy way to enable scripts especially with the two separate options (permanent and temporary) as the rest wasn't even needed in my opinion :)

    2. Having the old noscript icon in the new firefox toolbar is totally different than the whole firefox icons, so or please do a simple black icon that we can put on toolbar or please test it by putting the icon into the "More tools ..." toolbar icon (the two >> arrows) and you will see because the setup takes up a big space it will require you to scroll in that popup.

    On the rest for me everything is good and all the customization you had in the old version can come in later on with time as the most important is already there (disabling scripts which disables a bunch of ads and also speeds up page loads with a lot) so with the context menu in my opinion everything would be like 95% done and with the rest time will tell how and when to accomplish :)

    Thanks again for everything you do!

  11. #11 Shaun says:

    Thanks Giorgio for your fantastic addon, and for this v helpful quick bit of documentation. I now feel I understand the basics of the new interface.

    One further question though. For me, the "default" preset appears to have all boxes ticked except "fetch". That doesn't seem right, but I'm not sure of:

    a) Why it's like that for me
    b) How to change the preset
    c) What the factory preset is supposed to be for "default"? You mention that it is "almost none", so I'm pretty sure mine is non-standard. I'm happy to use your factory preset, once I know what it should be :)


  12. #12 Giorgio says:


    a) you probably changed them by accident, or when you used NoScript 5.x last time you were in \Allow scripts globally\ mode (which during the migration translates in giving script permissions to DEFAULT and keeping UNTRUSTED to blacklist sites).

    b) Just click the preset twice and uncheck all the presets except for \fetch\ (needed for some extensions to work), \frame\ and \other\

    c) \fetch\, \frame\ and \other\ checked (see above)

  13. #13 JD says:

    For me, Default seems to have media, frame, font, webgl, and other checked. I'm not sure if leaving all those checked is still safe when visiting potentially unsafe sites. Is it mainly the scripts permission that poses a safety issue?

    Also, an option to change all default presets at once to desired permissions would be nice or a way to reset them all to the "factory default".

    Thank you and keep up the good work!

  14. #14 aocab says:

    Saw Shaun's comment about "default" presets and was curious so I checked the settings in mine.
    If I understand correctly the "default" presets are: \fetch\, \frame\, and \other\.
    I must have accdently messed up the settings in mine because they are not the same.
    Plus I am curious to know what the meaning is of the highlighted options (see screenshots).


  15. #15 Gareth says:

    I wouldn't even use it, It asked to upgrade to NS10 so I reverted to older firefox

  16. #16 John says:

    what does it mean when there's 2 of every site? for example ( and then right below it (… this is the happening with most sites I use.

  17. #17 Gill says:

    "...that the UI couldn't stay the same..."

    Respectfully, Giorgio, I think you may be missing the point.

    I don't believe most people are upset because the old UI isn't identical to the new one; they're upset because the new UI isn't anywhere near as user friendly as the old one. And in a previous thread on this site, I saw a mock-up of a UI (one that IS compatible with FF57) that I (and others that commented) thought was superior. So it's not as impossible to create a new UI as we're being led to believe. It is, however, time consuming and I'm not going to make a judgment on whether your time is better spent creating a new UI or fixing the existing bugs.

    Just trying to let you know that the problem of the UI is not as simple as the straw man you've set up (i.e., people hate the new UI just because they don't understand the old UI can't be exported into FF57).

  18. #18 crazy says:

    Thank you Giorgo for creating, maintaining and updating a Firefox extension that has become such an essential tool that so many of us feel naked on the web without it. I appreciate the predicament you face in transitioning from the classic UI we are all comfortable with to the Quantum UI many of us are having difficulty grasping. I've followed the development and deployment of NS10 closely and am gaining a better understanding of what each feature of the new UI is intended to do but it's going to take more time for users like me to get it. Maybe it's a generational thing, but the "everything on one page" style overwhelms my 60+ year old brain leaving me too confused to understand what I've changed per site, per session and how to get back. The genius of the classic interface was the "less is more" style of the browser icon and the granular detail available by choosing options. As you continue development of NS10 the more you can tweak the new UI to the simplicity of the classic design philosophy the more I'm sure old and new users alike would appreciate it. Thank you for incorporating so much of the user feedback in such a short period of time and thank you for such an essential browser extension.

  19. #19 PM says:


    I haven"t icon in 'More tools' menu.
    Private and Noscript on the left.
    14 icon on the right (FF and Ghostery, ADP and others ).

    Noscript icon is blue S.
    Ghostery, ADP, Https Ewerywhere, S3. translator are colors.
    I don't like black and white FF icons.

  20. #20 Ray says:

    Although getting used to a new UI is always annoying, I rather like the increased flexibility. I usually had "Apply these restrictions to whitelisted sites too" set for embeddings, since I don't want things like Silverlight or Java running by default even if I trust the site. But that meant that fonts and media got blocked at the same time. Being able to allow specific requests from specific sites without messing with about:config/noscript.allowedMimeRegExp is a nice change.

    My stance is actually the exact opposite of a few I've seen here; rather than switching to an older Firefox to keep the old NoScript version, the new NoScript features are the *only* reason I haven't downgraded or switched to Pale Moon or another Firefox fork that didn't break half my extensions. The prior lack of documentation for NS10 was the only real issue.

    One thing that would be nice to have added to the documentation is an explanation of what the various settings cover: in particular, "fetch" and "other". I'm also unsure of what it means when one of the checkboxes has a red background (seems to have something to do with setting https only).

  21. #21 Layman_User1 says:

    Thank you for incorporating the feedback on the UI that you have so far, it has made NoScript far more usable.

    Is this GUI not compatible for some reason?

    It seems to achieve the goals you had in implementing changes to the UI, still feels similar to the classic version, and uses words to associate meaning to symbols so tools feel more 'discover-able.'

    Allowing multiple clicks on the custom permissions button to cycle between custom permissions being permanent or temporary would give users the same abilities with the same number of clicks I think.

    I think this sort of UI would still work and feel great with the colorful icons you use now.

    What amounts to a matrix with columns giving info about items in each row may be 'easy' and 'simple' for some people, but for others it can seem overly 'technical,' 'intimating', and 'daunting.' From this perspective making it colorful just makes everything seem more chaotic. I know the two are arguably the same thing, but I think a lot of people's comments/feelings about the UI center on the fact that it went from being based on a list, to being based on a matrix.

  22. #22 Fran says:

    Is it a problem when a page works with "Scripts Globally Allowed" checked, but the page doesn't work when every domain is marked TRUSTED? That is the case with this page:

    If I check every checkbox in the DEFAULT scope, NoScript shows domain being blocked, but it is not shown when I trust every domain with no checkboxes checked in the DEFAULT scope. So in normal usage NoScript is blocking a domain without showing it in the popup.

  23. #23 Jose says:


    You have to add an icon to show 'More tools' panel. The method will be as follows: Click on the hamburguer icon > Customize > drag NoScript icon inside the fish/dragon panel & click Done:

  24. #24 Jose says:

    To be clear, I'm suggesting an extra option, an option (inside NS preferences) to change NoScript UI from popup to window. I agree with the present default configuration.

  25. #25 Tarja Halonen says:


    Any update on the Noscript for Android Firefox mobile?

  26. #26 PM says:

    #23 Jose
    I don't want hide any icon.
    The URL space too long and one click is enough and does not bounce Noscript what you show in #8.

  27. #27 Fran says:

    Unless I'm missing something, there is no visual feedback that I have clicked "Temporarily allow all this page". So I don't know that I may need to click "Revoke Temporary Permissions".

    Also, thanks, Giorgio, for all your hard work on NoScript.

  28. #28 Fran says:

    Please ignore my previous comment (#27). I just realize that the clock icons become solid when I click "Temporarily allow all this page".

  29. #29 Jesse P. says:


    I've been using NoScript for many years and, of course, updated to NoScript 10.x once it was publicly available. The UI is quite a difference (not in a good way, in my opinion) but it is not "difficult" to understand (for the most part). What annoys me about it, and is cause for me to effectively not use it (not in its full capacity, at least), is that it seems to randomly behave differently from one moment to the next. For example, I get XSS attack warnings (even up to when going to sites such as IMDB, alerting me that there's an XSS attack between itself and Facebook, when I never did in the previous version of NoScript. Maybe XSS was not functioning the same way but, what makes it stranger is that I don't get the alerts every time - only some of the time. Also, the options page interface is horribly slow, especially when you have a large whitelist, on top of many of the features not being available to users yet - understandably, they will come in future updates.

    Personally, I currently allow scripts globally and only use NoScript for XSS filtering, while then relying on uMatrix for the script blocking and such, and will remain doing so until I feel that NoScript 10.x has become polished enough to remove uMatrix.

    As comment #17 (Gill) alluded to, there are other addons that use menu-based UIs and look very much how NoScript 5.x did (one example is 1Password). Yes, it has been WebExtensions based either since the beginning or at least for a while but, it looks just like a pre-FF57 addon would have. You had to convert your code to WebExtensions - nobody is questioning that, I don't think - but could you not have done the same thing that 1Password does, and use menus to keep it looking like the same old NoScript we all loved?

  30. #30 Barry says:


  31. #31 Fran says:

    Please ignore my problem report in comment #27 above. It is no longer happening with And thanks again for all your work on NoScript!

  32. #32 Rob says:

    I understand that having to use HTML for the new interface has caused you to be unable to replicate the old Noscript 5.x.x UI but I still can't understand why the new UI has so few options where the old one had so many. There seem to be a lot of features missing from NoScript 10 just because the HTML page for the settings has so few options on it, why does it not have, in HTML, all the options that were in NoScript 5's dialog boxes?

    Also, as far as having blocked objects show up as an orange placeholder that can be clicked to allow them, is there some difficulty in implementing this for NoScript 10? It was such a useful feature to let a specific object on a page run but not have to allow all others from the same domain at the time. Can this be made to work again please.

    Thank you

    P.S. any hope of text on the buttons "temporarily allow" rather than a clock, "settings"/"options" rather than tiny cogs and cross-spanners? Text shows up better than little graphics for small screens, screens a distance from your chair or poor eyesight.

    Also, shouldn't "default" block the scripts? Only when I last looked (I've taken refuge in ESR until the commotion ends), although NoScript 10 may have changed since, sites on the "defeault" setting blocked objects and such but not scripts, which felt a bit risky to me. The philosohpy of NoScript always used to be "block it unless the user says allow" not "allow it until the user says block".

  33. #33 Joe says:

    Hi. Love NoScript.

    I had it pre-FF 57 and installed the version 10 on FF Quantum.

    One thing I have been unable to find, and hope you can implement.

    When you close the tab for a website which you have allowed some scripts for, then you click the NoSCript toolbar button, you see the list of scripts still allowed. How to mass delete all of them at once?

    The only way I have found is to individually click each and every one on the "Default" icon (first item on every line). If you have some dozens of scripts allowed (because that is what te website needed to operate correctly), it is a pain to click every since one.

    You have a mass script delete if the website is still displayed. Please add mass script delete even if the website tab has been closed.

    Thank you!

  34. #34 Sokolas says:

    Could you please add a more visible way to indicate that the TRUSTED setting is permanent? For example, there is that clock (or stopwatch?) icon that appears near the NoScript icon when I hover over the site in the list; it would be awesome to not bind it to hover but always show for temporary trusted sites and hide for permanently trusted.

  35. #35 Bo Elam says:

    @#32. Rob, you can make Default block all you want. By default, the Default preset comes with scripts forbidden (box unticked) but there are users that made changes to the preset without realizing what this changes were and that they were globally applied. With the end result being that they saw scripts running and couldn't understand why, complained about it and blamed NoScript.

    In NoSCript 10, we can set Default as we wish, something we could t do in version 5. There was no option for it. In my opinion, this is an improvement of the new version. Personally, I have set up Default more restricted than it was in version 5. Good stuff.


  36. #36 Scote says:

    I hadn't heard of uMatrix before reading this thread, but after having installed it I must say that the UI is what the new version of NoScript needs. It is quick and intuitive to understand, quick to use and find what needs to be unblocked to make a page work
    , and minimal yet informationally rich.

  37. #37 Jose says:

    @#21 Layman_User1. I would like to see this UI on NS10, totally perfect in UX terms, and fits very well with Firefox Quantum UI.

  38. #38 tor says:

    "Legacy" (I actually prefer to call it "Classic")
    "Classic" is something that works, but mosilla killed it, therefore "Legacy".

    could you backport to 5.x:
    x Fixed potential fingerprinting through placeholder icon
    (thanks Rob Wu for reporting)
    x Fixed background requests from other WebExtensions being
    x Fixed some blocked items not reported in the UI (thanks Bo
    Elam for reporting)
    and others that are applicable to 5.x

  39. #39 Giorgio says:

    None of those are applicable to 5.x. Only the XSS filter one is.

    @everybody: thanks for the mockups, all very interesting. DUring the next weeks, while fixing bugs and adding back options and features, I'll experiment merging back those which seems most popular and making most sense.

  40. #40 Znrl says:

    I was nearly going to edit noscript to make my mockup a working demo.
    But I'm not really into developping addons and I noticed it would take too much time to get into you code since I would need to change some things...
    Here is my latest update:

    Your explanations about how it currently works is good and we do understand how you thought while programming it.
    But people who use it think different. And from experience people probably won't read documentations and stuff. There are just too many thing that aren't intuitive right know.

    For example that customizing "default" is global. Like 99% of the people who do and will try NoScript won't get this and documentations doesn't help, well they would but there are way too less people reading it.

    I still think that the "temp" option should be seperated because it makes it a lot more obvious whats going on.
    This and when I say I don't need the "default" button you don't have to change how it internally works. I am aware the "default" state makes sense but (except from customizing it, which should be done in options like anythng that is set globally) it doesn't really provide anything but an additional button for me as a user.

    The one posted in #21 also looks nice .

    It would also be doable to rebuild the old UI at least that list (old "popup" with just "Temporarily allow" (like it was in private mode) and optionally with the line to "allow" things (don't know about the recently bocked etc.) .
    It has a lot less options but there could be a setting in options to choose between UI themes.
    - "Classic" (limited)
    - Modern UI
    The only thing would be that presets are customizable in options the rest would mainly be CSS.
    But I would understand that is isn't really the preferred way to go.

  41. #41 Steve says:

    Just wanted to say thanks for all your work getting NS migrated over to Quantum. I wouldn't update to FF57 until there was a stable version of NS. Glad I found this thread, I was wondering how to make permissions permanent, problem solved. Thanks again!

  42. #42 Jesse P. says:

    The change logs posted on as well as Mozilla's add-on site are outdated. Please update them with the release of each update, so we know what has changed. Thanks.

  43. #43 yelow says:

    Alternatives search "Startpage, Ixquick' does not work in FF57 for Linux Mint. Related to NoScript 10.1.5?

  44. #44 Werner says:

    Thank you for this great tool.
    Some issues are triggered by the firefox activity tracking.
    Greetings from Germany

  45. #45 NoTwo says:

    Got somehow disappointed about the sudden complexity NoScript evolved to.

    At current state, fiddeling around with some settings, i realized that NoScipt is even more powerful than before (or i missed it b4).
    A perfect ad-/popupblocking addition, i can even block stuff, ABP and uBlock cannot :D

    It's just a "must get familiar" with NoScript quantum to have such a great freedom now

    The only thing im worried about is how strong or weak is default setting when visiting a site the first time.
    I would rather deactivate everything yet unknown and switch on 1 by 1.

    Fucking gread work! You da man ;)

  46. #46 Andrey says:


    I have a problem with the XSS warning. When I choose permission "Always allow document requests from ...... to ......" (both sites are trusted), then everything works fine. But after rebooting Firefox, the permission should be selected again.

  47. #47 MichaelG says:

    Not as friendly as old ui. I am no longer using Firefox or no script for shopping.

  48. #48 Jesse P. says:

    NoScript 10.1.6 is listed in the changelog on but the newest release is still everywhere, including Was there something wrong with 10.1.6 that kept it from being released, so we're likely to see or 10.1.7 instead?

  49. #49 Jesse P. says:

    Oops. Meant, not 10.1.6; or 10.1.6, not or 10.1.7.

  50. #50 PM says:

    The Noscript button not works well on this site (the window too big).

  51. #51 George K says:

    I don't want tablet only UI on desktop thanks

  52. #52 Giorgio says:

    Thanks for reporting, it's going to be fixed in

    @Jesse P.: is not released yet, there's just RC1 out and RC2 in the makin. The entry in the main changelog was just a fluke and has been removed, thanks for noticing.
    The stable release needs to be coordinated with AMO admins because there are backports to 5.x and a special procedure is required to ensure both classic and quantum users get properly updated.

  53. #53 Vince says:

    As several others have said, the fact you had to convert to WebExtensions does NOT mean that the UI (and UX) has to be horrid. And they are both still horrid.

    There are plenty of WebExtensions out there that aren't incomprehensible. This one is, and the above explanation doesn't solve the problem. Look at this:
    "Temporary allow" maps to clicking the TRUSTED preset on the row.
    "Allow" (permanently) maps to clicking the clock-shaped icon onto the TRUSTED preset (which means "Temporary"), to disable it (and make the preset assignment "Permanent")

    Those make *no* sense, and are at odds with any sensible UI of the entire GUI era. The second one makes no sense even after ten readings.

    There's no reason to use icons that don't mean anything to anyone. Use words (e.g., Permanent and Temporary, or Perm and Temp), where one state means Not Allowed (greyed) and one state means allowed (not greyed). It's clear and makes sense to everyone. Have four buttons at the top/bottom for the combinations of [Dis]Allow Everything Permanently and [Dis]Allow Everything Temporarily.

    This is free software. You've done a HUGE service to everyone for many years now, and we truly appreciate it. This also means you are free to do whatever you want, and we also understand that. But if you actually want to meet the needs of your users (and it's clear you do), then AFAIC you need to admit that the entire new UI was a bad decision and start over. Forget the icons, forget having to click five things where one thing would do, forget pictures when words are so much clearer. I picked up the old NoScript without ever reading a manual, and my guess is most other people did, too. This one is incomprehensible even AFTER reading the "manual", i.e. the above.

  54. #54 Dave says:

    Totally redesign is a bust. It's just not user-friendly anymore for most of us. As far as Firefox Quantum? It's as bad of a roll out as Win 10 was. All i see at this point is 6 to 10 months of non-compatibility. Will check back next year. Meanwhile, I'm stuck using Edge as a browser.

  55. #55 Elias says:

    I think the new Ui is amazing, more flexible than the old one.

    I'm just waiting for the "enable top level scripts *" feature.

  56. #56 Giorgio says:

    Please check latest dev build, :)

  57. #57 Benny says:

    I don't like the new UI with all the icons instead of text; it is just not as intuitive (to me) as the old version. I much prefer to READ things rather than trying to interpret oversized icons.
    I also prefered NoScript to be on the bottom of my page in it's own "panel". I don't recall physically doing this with the old version so assume it was the default.
    This used to be my favourite plugin but I am now on the verge of removing it, along with Firefox. Might be time to look for a new browser.

  58. #58 Oleg says:

    I agree with Benny... Also, I have problems in the setting panel with over 750 records.

  59. #59 Andrey says:


    Thank you for your response.

    I have already adapted to the new UI, and I like it more and more. Usually I need to give the necessary permanent permissions to maximize the functionality of sites that I often visit (about two or three dozen). With other sites, I get around the temporary permissions. It seemed to me that with the new UI I managed to configure it better (less unnecessary permissions).
    I have some wishes. When I look at the list of permissions in the settings panel, then to some permissions I have a question - when I chose these permissions and why. Perhaps I chose them wrongly, and they are dangerous.
    I would like, if possible, that the settings panel had the date and time when I chose this permission, as well as the domain name of the site that was opened when this permission was selected. Insert a comment, too, would be nice. And of course the ability to sort the rows by date, time, domain name of the site. Maybe other users will find this useful.
    Good luck in your very useful work.

  60. #60 Jon says:

    One more thing has confused me about the UI.

    When a site is default, the "Trusted", "Untrusted" and "Custom" icons are grey-looking. Yet you can click on them. I know this is probably because theyr'e toggle buttons. The clock icon on trusted sites is also a toggle. However, I think removing the grey-look and putting green checkmarks on enabled toggles is a better option. This is just a minor UI thing because I'm not a very modern user like most of the people here. In the old days, a grey button was typically unusable, whereas a toggle option used checkmarks.

  61. #61 Jauncy says:

    Huh. That was easy. I feel like a real idiot for not figuring that out for myself. Ultra Thanks! The following is my briefer notes from the above. Feel free to use them if they are accurate.
    There are 3 presets: DEFAULT, UNTRUSTED,TRUSTED. You assign one of them to any site. These factory presets are very similar to the "old" NoScript experience.
    Sites with the same preset share the same set of (configurable) permissions
    You can choose to use CUSTOM permissions: CUSTOM is not a preset, but a way to give very specific permissions to that site only

    DEFAULT is the set of permissions that any unknown site has. Apart from a handful of websites (the "old" default whitelist) pre-assigned TRUSTED, all sites have the permissions of DEFAULT (i.e. almost none).
    Clicking the TRUSTED preset on the row is equivalent to the old "Temporary allow". The icon changes to a clock.

    Clicking the TRUSTED Clock icon changes permissions to permanent.

    The first, leftmost icon changes permissions to DEFAULT & is used to Forbid It`s deleted from the internal whitelist & the site will disappear from the dropdown list on the next browser restart.

    Clicking UNTRUSTED, the 3rd icon ( red S with bar ), grants no permission at all, is used to collect and remember the "known bad sites" in a permanent blacklist.

    CUSTOM, new to NoScript 10, lets you fine tune a website`s specific permissions, either more restrictive than DEFAULT or more permissive than TRUSTED, initially temporary (Clock icon), then permanently by clicking again.

    Every preset can be freely customized to your own needs, but you cannot remove the "script" permission from TRUSTED, and you cannot add it to UNTRUSTED.

  62. #62 Jayson Black says:

    I DO NOT UNDERSTAND NO SCRIPT ANYMORE. I WILL NOT BE spending hours reading and learning how to use this because on a whim the developer just decided some shit. No script was fine, no script was great. NO ITS NOT! I would even pay a small fee for no script (how it used to be) BUt I will pay nothing, I will even campaign against no script if I even get a wiff that this was some ploy to back us all into a corner forcing us to pay a premium to get back the old style no script. in other words. I suspect No script Devs are splitting No script into to Programs. A lite version (Free) and a paid version Pro. The pro version will probably be an updated version of the old no script. If this is true YOU ARE committing suicide. Coz not only will I live after such manipulation. I will heavily campaign against anyone I think is playing silly buggers with my wallet. (Ever heard saying "If it aint broke, dont fix it")? Well i think it very much applies. THERE IS NOT EVEN A RIGHT CLICK MENU ANYMROE WTF!!!! Also, WTF am I even doing here? No ones gonna read this. No one gives a Flying Fat Fuck! Esp the developer. Why is there such a head up arse mentality amongst developers and their companies? WTF WTF WTF!!!

  63. #63 oldguy says:

    snag there; really dislike FF57 so sticking with (last known half-good) 56, here it comes.. updated to latest 5.x NS (legacy enabled of course), all options blank. setting them manually does not work, set, click OK, no change.
    trying to get latest 10.x NS bad luck. requires the cursed FF57.
    how to make FF work with a -working- NS either last 5.x or the new one? also the old settings have been ok, but are gone with the update to somehow. also. making a button toggle everything with one clíck imo neglects the purpose of NS. too risky to accidentally click the button instead of the dropdown.

  64. #64 HigherPower says:

    @Jayson Black

    Step away from the computer and go outside to breathe some air. You taking this way too seriously man. Pure comedy when I read your post. There is more to life than living 24hrs a day on the internet.

  65. #65 Benny says:

    I sense some frustration int Jayson's comments and I agree with them, just not to the extent he expresses.
    I agree with the "if it ain't broke don't fix it" approach, but if you must try something new and radical, at least give the rest of us who were happy with the old UI keep it.
    I am more upset and frustrated because I actually contributed to the project not that long ago :-(
    Don't think I'll be doing that again in a hurry.

  66. #66 Oliver says:

    The pop-up scales in rc4 with the magnifing factor of the window and is from 110% on bad readable.
    else everything runs smoothly so far ;-)

  67. #67 Bencyc says:

    I thought that If I check a site all untrusted, I cannot see the page at all.
    However I can see and read it almost without a problem. Unless some scripts required for a special purposes.
    Is that the way it should be?

  68. #68 Giorgio says:

    Yes, UNTRUSTED is meant to render documents as a plain HTML, with no active content being loaded or ran, but not to prevent them from being shown at all.

  69. #69 Giorgio says:

    It was a work around for for - I removed it from RC5 after reading your comment and checking what was going on with custom zoom levels :(
    Thank you!

  70. #70 User101 says:

    I see why the change in the UI was necessary and I really appreciate your work but still I think it is overly confusing for simple users. I and I think most people just want an on/off switch for harmful content on websites and do not use most of the new options. When updating to NoScript 10, I heard about a lot of people who simply don't know what "object", "media", "frame", "font" etc are even supposed to mean in the preset menu. Many people don't understand why they should use the green and red locks either. Having a lot of buttons you don't understand around you makes it confusing and frustrating. A very good solution I think would be an "I am an advanced user" option like in ublock, which unlocks all the options.

  71. #71 JD says:

    Permission settings for certain sites aren't saving at all. I have to keep changing Google back to Trusted because it keeps going back to Default.

  72. #72 nac says:

    Sadly, I couldn't get NoScript to work... it behaved erratic and sometimes crashed, so I tried uBlock Origin. There is a bit of of a learning curve, but it is worth every minute, and it works flawlessly. It can also allow/block other domains on a domain basis.

    That being said, I am VERY grateful to you Giorgio for your hard work over the years, and I will check back on NoScript later and see if it has been stabilized.

  73. #73 JD says:

    Ok, seems like permission settings aren't saving for me at all anymore (Default -> Trusted). I have to manually add sites to the whitelist through the options menu.

  74. #74 PM says:

    #50 I wrote, this is still bad on 23" monitor.

  75. #75 GG says:

    Hi, what is the purpose of the "Match HTTPS content only" toggle? In what situation do we use it?

  76. #76 oldguy says:

    truly settings "sometimes" not saving with "classic", i tick "show" to context menu, allow temp, revoke temp, then click OK and some like "show recently blocked", "mark as untrusted" and others aren't saved. haven't spent too much time in reproducing it. next up clean reinstall of everything.. 2 days+
    the 10.x is not backward to FF56 right? i don't like at all the "either click and allow all or click again and block all" behaviour, somehow this was not the case in the prev.. would like to keep sticking with NS but without a big change from the old gotten-used-to.
    on the other hand i do have the option to just turn from the web ;) lucky me.

  77. #77 George Hazard says:

    I still get the pop-up regarding XSS, even after the new update but only on one website. I can get it to go away after several attempts but it doesn't stay that way for long.

  78. #78 Victor says:

    The window NoScript for me doesn't have scrolls and doesn't fit all the scripts found on page. Thus can't see what else should I enable/disable. - screenshot

  79. #79 Nobody's Business says:

    I've been a loyal NoScript user for years; however, when I enable it now, my browser performance goes into the abyss (trust me: it takes a lot to overwhelm 3.6GHz and 24GB RAM) and the content of every tab turns black. Also, when I want to adjust my preferences and manage my sites (accumulated from several years of using NoScript), something as simple as deleting a site from the list isn't obvious (giveway: I cut my teeth on Mosaic, so I'm not a newbie). I can adjust to new UIs, so that's a non-issue, but an unusable app or extension is untenable.

  80. #80 allan says:

    I am patiently waiting for improvements and am sure giorgio and helpers will get there, but this seems really buggy .. when I open and get to "noscript options page" it seems to list all my old whitelisted sites but this page freezes my browser .. I can close it and reopen the browser but it takes a long time. Some sites I am clicking tempo allow all again and again but they will just not load or take forever to load.

  81. #81 LREKing says:

    Like so many, I've been using NoScipt for quite some time, and also like so many, I have found the recent rebuild to be essentially unusable.
    There are some people who just want to get into their cars and drive (most of us), and there are some people who want to tear their engines apart to see how they work (fewer of us).
    As far as I can tell, you have made the typical programmer's mistake of creating for the mechanic rather than the driver.
    The awful decision regarding the red/green color issue aside, I cannot for the life of me figure out how to use NoScript any more. Yes, I probably could spend half a day at various sites learning it, but I don't have time for that. Properly written, the basic NoScript should just _work_ in a clear concise way.
    What I want is to go to a site, temporarily allow all script needed to make the site work, use the site, disable the scripts (a timer would be useful) and then leave.
    I appreciate all the hard work that goes into the constant uphill battle of what you're doing. Really, I do. But it's all for naught if fewer people use NoScript. Also, I should point out that you will get the bulk of your feedback from mechanics, not drivers. When most drivers find the app too annoying to use, they will simply sigh, shrug, and delete it, and you will never know.

  82. #82 J says:

    To all whiners and bashers, Giorgio is providing a FREE software for all of us to use and protect ourselves. No one forces you to use NoScript, if it doesn't work for you or if you don't like it, DON'T use it. A lot of developers left the great projects because of you folks who endlessly complains and feel a sense of entitlement for a FREE service.

    I figured out how to use NoScript 10 in about 15 minutes, yes it's not perfect as we're all accustomed to NoScript 5, but the new UI and functionality is still very easy to pick up.

    My sincere appreciation to Giorgio for keeping NoScript alive with all the changes in Firefox 57! Thank you!

  83. #83 Gill says:


    Here we go again: another "it's free so they can do whatever they want" argument.

    What about all the people who donated? Screw them, right?

    And STDs are often free - why don't you go ahead and get some? Free things are great, right? Sleeping on the street is often free. Go find a curb and have a nap.

    I'm sick of seeing the "free" argument. Free does not imply useful or good. And a lot of people donated to NoScript based on what it WAS, not what it IS. That's an important distinction.

    I can create something free but it doesn't mean anyone will want it or should donate to me based on it. People donated because, like myself, they were amazed by how amazing NoScript WAS. Now people are frustrated and leaving because of what it has become.

    What Giorgio created was useful and amazing enough that a lot of people are upset and what has happened with NoScript 10. But why don't you sit on your soap box perched on your ivory tower and tell us more about how stupid, ungrateful and wrong we are for not liking what's been handed to us?

  84. #84 Giorgio says:

    If you like NoScript "as it WAS", i.e. NoScript 5 (and perhaps donated for it), you'll be happy to hear that it's still there and I've even updated it multiple times this week. Not an easy feat, BTW: AMO admins told me I'm the only author actively maintaining both a legacy and a WebExtension version and parallel updates were completely untested.

  85. #85 Sylvester Riel says:

    Thank you for this wonderful extension I am finding the new version confusing but I am learning. I have a question. I can't seem to get it to work.

    I have set as trusted. Why does it not automatically set and to trusted as well? doesn't even show as an option to trust when I click on the noscript icon.

    Any advice would be greatly appreciated. Thank you.

  86. #86 Gill says:


    I'm aware and I thank you for that. You've done a lot of good in creating NoScript. And the fact that you're still updating the old NS is commendable.

    My ire wasn't directed towards you. I'm very bothered by the "free" argument, as if something being free directly relates to its quality. It doesn't. NoScript is free and desirable; being run over by a diesel locomotive is also free but not desirable. Free =/= good.

    The reason people donate to you is because they like the free thing you've put out and want to a) show their appreciation and b) help to ensure you continue keeping it current and usable. That latter part is really important because essentially it's payment for work getting done.

    Anyway, NoScript 5 was great. Almost everyone agrees on that point. NoScript 10 is, at best, questionable - this is evidenced by the fact that there are many disagreements on it (far more than NS 5). And all I'm saying is that the fact that it's "free" should not factor into the argument of whether or not NoScript 10 is worthwhile EVER. As outlined logically above, it is NOT relevant.

  87. #87 Fred says:

    Please fix the xss pop up routine so it learns. I click always block and the next time I visit the same site, I have to redo the same xss pop ups for the same sites. Makes browsing worse than ever!

  88. #88 Peter 123 says:

    Giorgio, many thanks for all your phanatastic work and all your efforts.

    But after reading your above post I see that my impression was right:

    You mixed inevitable changes (caused by Firefox Quantum) with modifications that were not absolutely necessary (now).

    This was for many users an overkill. (For me too). I have also written about it in the Forum:

    By no means I criticize your work. On the contrary! I appreciate it. But the timing was not good.

  89. #89 Marc says:

    XSS popup is hell. Allowing all requests doesn't help, it pops up again and again. Is there an option to switch it off completely, or to treat it like other allow/deny requests in the menu dropdown?

  90. #90 Giorgio says:


    You should be able to select "Always block" or "Always allow", and your choices should stick across sessions (there was actually a bug making NoScript forget about them when you closed the browser, but it's been fixed in

    If that doesn't happen, could you please point me out to a reproducible test case? Thanks.

  91. #91 wa1975 says:

    Still not working with FF57 on my Android 7 tablet. No settings are visible and therefore some sites can not be used the way i want it. Everything is blocked and i can not change it. After version 10.1.2 (which i still use) noscript is useless for me.

  92. #92 Graham says:

    Re: Giorgio's info (#82) on how the old NoScript is still available is excellent news. As someone's who donated twice in the past, and who hopes to again in the future, I'd sadly just about given up. And btw it's a shame that many folks will not have seen this hackademix page and will be blaming Giorgio when it's not his fault. In the general scheme of things I guess it's nobody's fault really.

  93. #93 John says:

    Hi there!
    How it is possible to forbid meta-redirection?
    How it is possible to forbid/allow scripts, which are dependent on the particular one? I mean, if I allow google, then I want to allow/forbid other scripts to which google refers. Such option was in the nice old add-on, just forgot how it was called.
    And thanks for your excellent add-on. Hopefully, I'll get used to its new interface.

  94. #94 Bill Johnson says:

    What does "Match HTTPS Content only" toggle do???

  95. #95 Bencyc says:

    How do I get an image of a page settings? (As in the beginning of this section)

    When I try with various software the setting image disappears immediately when I
    click the screencapture software.

    I would like to pass on some of my settings.

    Using Ff 57 and Ubuntu 16.04.

  96. #96 Giorgio says:

    Both the options are not ported yet, but they will be sooner or later (the latter made much simple to do than before).

    @Bill Johnson:
    If green (locked), the toggle makes base domain entries (e.g. "") match themselves and all their subdomains, but only if their protocol is HTTPS. Otherwise both HTTP and HTTPS match (which has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy).

    In order to let the WebExtensions' popup stick, you need to open about:config and set the ui.popup.disable_autohide preference to false.

  97. #97 Wolfgang says:

    Can I have my donation back? I´m not good in english and there ist nothing easy to understand. "I'm truly sorry for, is me not having found the time yet to write any proper user-oriented documentation for NoScript 10" is a bad joke. Interesting - all scripts works on new websites. There have been times everyone could see that no script was in "dangerous" mode. I didn´t change anything. Nice update... And the extrem popup xss warning - do you want us to do fingersport? How often shall I click "Always block...". Yes my english is bad, but I know what always means. Not that, what noscript interprets. Shurely there are reasons for, but why must I click 5 times and more that no Info (on the same site) about facebook doesn´t appears any more? So please make it as easy to understand as it was. Translate the information and I will give again a donation. First time I´m really disappointed about this product.

  98. #98 Jon says:

    Are permission settings not saving for anyone else? Every time I change one to Trusted, it reverts back to Default later whenever I reopen Firefox. It was working just fine until a few days ago.

  99. #99 Giorgio says:

    just email me your Paypal address and I'll refund your donation.

    The TRUSTED preset is temporary (big solid clock) by default, just click on the clock (it fades away) to make it permanent.

  100. #100 asdf says:

    Hello Giorgio, first of all thank you very much for all your dedicated work on NoScript.

    I have been using NoScript for years and feel quite naked in Quantum as I currently have it deactivated. I understand that the Quantum/Webextension architecture needs to be blamed for the new menu which is quite disliked by me and many other users I am afraid.

    I have been looking at a lot of alternative addons since Quantum was introduced. One of the new(?) addons I run is undoclosed tabs which serves as an insufficient replacement for TabMixPlus, not intended as complaint though. Yet this addon actually offers a menu similar to the classic NoScript on rightclick, maybe it could serve as an inspiration for an alternative NoScript menu, similar to the old one?

    Sorry if my ignorance regarding coding is too big, but maybe you could take a look at

    Anyway, thank you once again for your continued work on NoScript :)

  101. #101 Sylvester Riel says:

    "I have set as trusted. Why does it not automatically set and to trusted as well? doesn't even show as an option to trust when I click on the noscript icon." from #83

    How about this?

  102. #102 nowe20 says:

    "ones who know better about recent history of Firefox and of its add-ons ecosystem [...] the UI couldn't stay the same simply because"

    OK, but changings in the GUI api-system should be 'betterment'.
    The new GUI for addons looks more .....artistry?
    Mozilla decides and all users/programmers must suffer; especially the users.
    I will miss the good intuitive legacy GUI in the new FF.

  103. #103 Eric says:

    Your new UI is pure cancer. I've moved to umatrix. Umatrix's UI HELPS YOU figure out what to unblock to get the things you want working, working (e.g. video playback, comments loading, embedded content loading).

    Your new UI takes minutes instead of seconds. You need to completely rethink your UI rewrite. Focus way more on usability and the feedback the user needs in order to get the bits of a page he wants to work while still blocking the insidious crap.

    Just copy Umatrix if you can't see a better way.

  104. #104 Jon says:

    I see what's happening now. By default, when I first set something to Trusted, it's temporary. I changed a bunch of permissions to Trusted and it's doing it for all of them. Is this a recent change? If so, I'm not sure it's a good one. The alignment of the Trusted button also happens to practically overlap the Temporarily Allow clock icon.

  105. #105 Subhasis says:

    The one feature I am missing in the new version of noscript is the ability to stop all scripts midway. In the past I could STOP all scripts from running with the click of a button. But in the current version, if I click "revoke temporary permissions" the page instantly goes blank. This happens because the current version of noscript cannot stop script from running. it can only stop scripts from loading.

    In my opinion, not allowing scripts to load is a pointless rfeature because most modern websites do not even load (I get a blank screen) without scripts.

    I am not saying the current version of Noscript does not add anything vital. The ability to selectively load scripts is very useful, and that is why I used to keep umatrix running in parallel with noscript. However, theonly feature that both umatrix and ublock origin lack is the ability to stop scripts mid-execution. That is why I sued to have noscript in the first place. Please add the ability to stop scripts midway if possible. If not, please continue to develop classic noscript for Pale Moon.

  106. #106 punny says:

    I hope the old Design will come back soon. We all know it was better. :(

  107. #107 Subhasis says:

    It seems that Noscript had lost its touch long before NPAPI fallout. Right now I am using the classic version in Pale Moon, and it is allowing scripts to slip through it even when it is set to block everything. What is happening?

  108. #108 Subhasis says:

    Okay I just discovered what is happening. I just tested this by disabling JS from about:config. It is not Noscript that has deterriorated, it is the web that has advanced. Noscript cannot help us anymore.

  109. #109 Giorgio says:

    NoScript does prevent scripts both from loading AND from running (e.g. if they're embedded in the page, hence no extra loading would be needed).
    Could you show me exactly what you're observing and where (by email, maybe)?
    Perhaps what you're seeing is annoying (like some kind of CSS-only animation) but not a script and definitely not a security threat.

  110. #110 Tarja Halonen says:


    Ready to release the mobile version?

  111. #111 Tim says:

    Thanks for all the work you're putting into this. Now, in the FAQ it says that I can change how the XSS information is presented in Noscript Options|Notifications|XSS preference but there is no notifications option in the options...?

    Also, NoScript seems to still forget the XSS preferences (always allow / block) in some instances even after the update. IMDB -> Facebook is such an example for me.

  112. #112 Giorgio says:

    @Tarja Halonen:
    Nope, I'm starting to actually test what's wrong on Android this very afternoon.
    I've been very busy with the XSS filter, both in the Quantum and the Classic version: in facts, I've just released and, the latter also restoring Export and Import functionality, backward compatible with NoScript 5 formats (both textual lists and JSON preferences).

    Unfortunately the FAQ applies almost entirely to NoScript 5 "classic" only.
    I still need to figure out a way to sanely support both in documentation until June 2018, when NoScript 5 will definitely be phased out together with Firefox ESR 52. In the meanwhile I should probably set up two separate sites, but I'm giving priority to 10 vs 5 feature parity first.

    Regarding XSS warnings on IMDB, could you please grab latest dev build from and send me the actual details (they can be copypasted) from the XSS prompts you get? Thanks!

  113. #113 RayG says:

    Can I echo thanks for the work you put in on NoScript. One problem I have is that when I hover the mouse over the NoScript Icon it tells me how many items (Scripts/Fonts etc.) are on the page and how many have been allowed. What I cannot see at this point is which of these is required from which site. This makes it difficult to see which sites I should allow what on. Is it possible to list the sites in some order of priority or indicate in some way what is being requested for each site.

    I have also not yet worked out what the "Brown" coloring means when you look at some custom tabs.

  114. #114 q says:

    It looks ugly and absolutely not like the old NoScript.

  115. #115 Jim says:

    Great, dedicated work Giorgio, thank you.

    The Default icon comes with Frame, Fetch and Other enabled for all sites. Is there a reason those are initially globally trusted? Having all of the Default entries explained in the guide would help.

    Is it possible to have a larger NoScript window so that sites with more than 20 entries don’t have to be scrolled to be completely seen? Thanks.

  116. #116 Oliver says:

    maybe a suggestion for better readability: If possible sort the domains in the pop up not in alphabetical order but in order of the permissions. Trusted, untrusted and default. It seems easier for me to read because I can focus then on the permissions itselves (don't even look at trusted domains but check directly under default section for example) and not first on the domain and examine then which permission it has and go so on to the end of the list. It serves a better and faster overview in my opinion. Maybe also color the sections directly in light green, yellow and red... Think about it ;-).

  117. #117 FranL says:

    Giorgio wrote this about the "Match HTTPS content only" lock icon:

    "If green (locked), the toggle makes base domain entries (e.g. "") match themselves and all their subdomains, but only if their protocol is HTTPS. Otherwise both HTTP and HTTPS match (which has bad security implications especially on "hostile" networks where injecting malicious scripts directly in the unencrypted traffic is relatively easy)."

    Does this mean it is best to change the lock to green/locked when the domain name is red (meaning it is accessed via HTTP and/or HTTPS)?

  118. #118 Langenscheiss says:


    The "set top-level domains to TRUSTED" option makes my extension work again. Can you comment on what exactly this does (I have an idea of course), and how save it is to use it?


  119. #119 Shaun says:

    When I try to update to v. Firefox warns me that updating means giving permission for NoScript to "download files and read and modify the browser's download history".

    Presuming that this is genuine and intended, why does Noscript now require such permissions?

    I trust you Giorgio, but that sounds quite a serious permission to grant without understanding why. I imagine it might put off others too who may not go to the trouble of asking you what's behind it.

    Thanks for the essential addon,

    ps Thanks too for your help with my comment #11 above, which resolved my issue (seemingly shared by several other people too!)

  120. #120 Giorgio says:

    Those are the permissions "unknown" sites already had by default in NoScript "classic".

    Whenever you open a new document, the "main" site (the one you can see in the navigation bar) gets automatically set to the TRUSTED preset until the end of the session, while 3rd party scripts are left with the permissions they have. What's the broken extension, again?

    WebExtensions cannot interact with the local filesystem freely as "legacy" add-ons do. The download permission is required to "download" the exported configuration (i.e. for you to save it on your disk).

  121. #121 Langenscheiss says:


    I am talking about my own extension (which I have most recently moved to AMO with my name, so you can find it ;)), and any other extension that is using xhr in content scripts (Zotero apparently, at least judging from what I have seen in your support forum).

    Thanks for your explanation, that is what I expected, and is enough to fix the problem.

    On a different note: I am surfing/developing on Ubuntu 16.04 with Firefox 57.0.1, and your option page is really sluggish on this setup, and sometimes even crashes the browser. Works fine on my windows 7 machine though.

  122. #122 Sylvester Riel says:

    May I know why you are avoiding my question? I did not think it was offensive in anyway. If you do not wish to answer it, at least let me know.

  123. #123 Giorgio says:

    @Sylvester Riel:
    Sorry, I've just missed your question, twice it seems :(
    On the other hand, for me (and the wonderful staff of volunteer moderators there) it would much easier to give support and answer technical answers on forum ;)

    Anyway, the answer is pretty simple, even if a bit counter-intuitive: Google managed to make be listed as a "public suffix", i.e. just like ".com" or "", in order to provide better insulation to wildly different APIs, which are also presumably developed by different team which not necessarily trust each other or know every single security implication of each API.

    Therefore "" and "" are considered two different top-level domains, and not - as you might assume without knowing the details above - two subdomains of the same TLD.

  124. #124 Tarkus says:

    Previously, I could open a list of all the rules noscript had, select them all and delete them, so that noscript had default rules for every site. Is there any chance of restoring this capability now?

  125. #125 Sylvester Riel says:

    Thank you!

  126. #126 Richard says:

    Firefox 57.0.2 (64-bit) Not blocking popups and no longer blocking scripts.

    Perhaps it is blocking some top level domain scrips but 100% it no longer is blocking other scripts on the site (The ones you actually want to block).

    This is like a must have for me on firefox for many years and I hope its fixed soon right now its just unusable and does nothing.

    I do like the new crosssite tracking block though (if it actually works)

    Appreciate all your work on this addon and hope it becomes useful again.

  127. #127 Nicola C. says:

    how can I remove entries from NS v10?
    I have to delete a huge list of "" imported from the previous version... thank you!

  128. #128 Michael J says:

    Who'd be a developer? Keep up the good work and don't let us whinging users get you down.

  129. #129 Giorgio says:

    @Tarkus & @Nicola C.:
    ATM the easiest way is exporting, editing them out and reimporting.
    Otherwise you can filter the entries by entering 127. into the text box and set them to DEFAULT one by one.
    Bulk editing capabilities will arrive soon, I hope.

    Could you please show me an actual site where it happens, even better emailing me your exported configuration? Thanks!

  130. #130 Bryan Bruns says:

    Thanks for NoScript, which I've appreciated using over the years. I have donated. However, I need a simple intuitive way to allow sites to use javascript, cookies, etc., and can't find it in your new interface. So, I'll have to go without NoScript, and maybe check back someday to see if you've come up with something, visible onscreen, contextual menu or wherever.
    Best Regards

  131. #131 Lesley says:

    Thanks for writing this explanation of the new GUI. I wasn't entirely confident with it but it makes much more sense to me now.

    Thanks for your efforts with NoScript over the years.

  132. #132 beachbubba says:

    Love the new NoScript. Excellent work. I'm still getting used to it. But, you did a great job!

  133. #133 Emma says:

    First off, I am glad you are around to let us know about updates and explanations. And I really appreciate that you have been explaining why things had to change. I have been taking it in stride and I'm definitely glad that NOScript is still around.

    1) I constantly keep wishing I had way to search/sort by feature, for example — so I could see list of all that I have allowed to be in permanently trusted or untrusted position for example. (Ok, I just updated to latest version and noticed an ability to search by site name, so partway there — thank you!)

    2) Sorry if this is a stupid Q: I understand that the green lock is indicating HTTPS only but is it also, OR is there still a function/option to force a certain site to HTTPS - like when I used *.website.* ? Or is that basically also happening with this new green lock toggle? If not, I would hope to see the feature return later on if possible.

    3) May I suggest: I think we need a 2nd way of distinguishing between Temp Trusted and Perm Trusted setting. Because at this point they both share the same word indication of "Trusted". Although I did finally pick up on the distinction with the coloured and faded clock icon, it really could be more and better distinguished between. I would suggest renaming Temp Trusted to Allowed. Thus your 3 presets becoming 4: (DEFAULT, UNTRUSTED, TRUSTED, ALLOWED). I really think this would be a benefit.

    (Also, personally it took me weeks to realize that the clock icon itself was the way to adjust between temp and permanent. I really had thought that there was no-more of a permanent setting for that. So essentially I guess I also wish for there to be more visual indicators that there are other options & how-to.)

    Anyway, thanks for the hard work and for still keeping up with NoScript all these years.

  134. #134 Emma says:

    Another Question: Looking over the custom settings area you have checkbox option for multiple things and then a box for "Other". - What does this "Other" equal?
    (I would say this custom area can definitely be fleshed out with more info & options.)

  135. #135 Giorgio says:

    @beachbubba, thank you :)

    Thanks for your feedback.
    2) I purposely omitted the function to force sites to HTTPS because HTTPS Everywhere does a much better job at this, by including rules to redirect to different domains/paths when necessary and avoid locks and malfunctioning on sites which have bad HTTPS support. Rather than replicating HTTPS Everywhere (which, ironically, was initially based on NoScript's HTTPS forcing code), I preferred to better surface the "lock permissions to HTTPS" feature, which was previously quite hidden and used mainly by the Tor Browser (where both NoScript and HTTPS Everywhere are built-in).
    3) That's a good suggestion, thank you.
    4) "Other" is the internal "catch all" request type used by Firefox and Chrome to label loads that are not categorized yet (e.g. because specified by a new HTML standard).

  136. #136 pijulius says:

    Hi Guys,

    If you are interested here is a quick modification to the popup that should make things a bit more easier to understand and use:

    This modification removes the untrust and custom options (as if you disable everything globally I don't really see any reason for them anyway) and also it will print you clearly that script is denied, allowed or allowed temporarily.


  137. #137 Tim says:

    TL;DR all comments

    Bug: clicking on a domain in the NoScript popup sometimes gives a confirmation dialog asking if I want to query the domain at NoScript. Clicking either Ok or Cancel both take me to the NoScript page. When the dialog does not show up, I automatically get taken to the NoScript page.

    The trusted with a clock thing is weird. I'd prefer another clear preset for temporarily allow versus always allow. This save me a click and makes things clearer.

    The UI is very big. I'm on a 12 inch laptop and value my screen real estate. Can you make it more compact or provide some options to adjust the size of it, e.g. reduce the massive icons, text size and drop a lot of the white space.

    Thanks for updating this essential extension for Quantum and all the hard work you put in! Looking forward to the Quantum dust to settle.

  138. #138 DMiller says:


    Great explanation. I couldn't figure out the new permanent/temporary thing until reading this post!

    Basically, you can click the clock to toggle (didn't realize) and when the clock is grayed out, it's permanent (non-intuitive, but now I know, yay!).

  139. #139 Charlie says:

    I despise FF Quantum. So, I upgraded FF to 52.5.x. Now, NoScript doesn't work. Upon attempting to upgrade NS, I find it doesn't work with v52.5.x of FF. Not cool. I hate to abandon NS, but FF Quantum sucks and I won't be forced by my favorite add-on to endure using the slowest browser since IE4.

    So, what is the deal on making NS compatible with FF 52?

  140. #140 Charlie says:

    Addendum to #138 above -- Due to living in a rural area with no broadand providers, my Internet connection is completely cellular based -- and SLOW. Some software that looks for a faster Internet connection times out. I assume that is why Quantum is so slow and unusable - not bc FF is a bad browser.

    Also, NoScript is my favorite Add-On. It has saved me useless data (by blocking ad domains) and given me much protection against hackers/hijackers. Keep up the great work!

  141. #141 PM says:

    This error I wrote #50 and #74.
    Now Noscript button not works well on this site (the window too big, icons and URL in two rows).

    Noscript not updated automatic to two days ago.

  142. #142 Giorgio says:

    If you're using Firefxo 52, you need to install NoScript 5 "Classic".

  143. #143 Charlie says:

    Awesome Giorgio! Thank you for supporting FF 52. Best Add-On ever made for browsers.

  144. #144 AC says:

    OK, I tried it again.

    Opening the NoScript options page freezes the browser. Completely unresponsive. Had to kill the browser. Known bug on Linux, apparently. Still not working. Unusable.

    The temporary permissions are also not working. When temporary permissions are revoked, the sites given temporary trusted status appear to retain trusted status permanently rather than reverting to default. This is unexpected and undesirable.

    Back to 52.x ESR.

    I'll try again in week or two and complain more. :)

  145. #145 EpicSlayer7 says:

    to use the internet with out noscript is like doing underwater exploration in your underwear and no air tanks! tho a only have 2 complains, 1 i tried to make and .net blocked and it always seems to pop the crosslink site pop up in crunchy roll and the second complaint is that popup has always allow and such but no always block... also maybe make a separate box with those permissions even if they end up in the "main window" to track them more effectively! this way any one who would put accept or block by accident don't need to search the whole list. also i end up using accept globally in crunchyroll since accepting all sites don't make the video play so some sites even tho all accepted seems to be missed in the list available... and all i want to block on that site is facebook and i never was able to block it even with all the different ways i wrote it(additional to the 2 present in the list!).

    short version, black listing is hard and i want a "always block" choice in the XSS popup!

  146. #146 Steve says:

    First of all - NoScript is amazing. Been browsing with it for years, and have been much more secure for it.

    Like others, though, I'm having difficulty adapting to the new UI. Simple question: What happened to 'temporarily allow' option per script? Do I have to mark a script as trusted - I don't want to do that.. My comment/issue is really the same as #2 which didn't get response: "..the paradigm has changed. I'm used to "allow" rather than "trust". I don't actually trust anything I only temporarily allow"
    Those are my sentiments exactly.

    The bulleted list says only :
    "Temporary allow" maps to clicking the TRUSTED preset on the row.

    But I don't want to trust it. How do I just temporarily allow it like I used to inthe old UI?

    Please help!

    Thanks Again,

  147. #147 PM says:

    Thank you Giorgio!

    FF Quantum's the number of users is increasing:
    If you see the site, please click the Noscript icon and you will see two rows instead one.
    Please make redesign versions and we will vote.

  148. #148 S. T. says:

    While I appreciate all the work put forth for this free program, I cant say I am happy with how this turned out. I liked how simple it was to allow and disallow scripts along with the temporary allow script system.

    With the previous system it was so intuitive I figured it out without having to look anything up at all. Now it feels like I need a tutorial just to allow a single script. Why do I now have to jump through hoops when before only two clicks got me exactly what I wanted?

    Its gotten to the point that I am seriously considering straight up uninstalling noscript because its no longer the reasonably simple process to do simple actions.

    I do hope you give those of us who are not entirely tech savvy the simpler interface back, but I understand if you feel like we are no longer worth it as this is a free addon.

    Best of luck,
    S. T.

  149. #149 Jesse P. says:

    @Steve (#144): Clicking on Trust only allows it temporarily, unless you go back and click the little clock symbol/icon on that same item afterward, to make the permissions permanent.

  150. #150 Jeff Creston says:

    I understood the old UI. I have no idea what the new UI is doing. Trying to adjust settings seems to produce an ever more confusing situation. Pages that the old UI blocked now seem to load in full. Hats off to the creators for trying to deal with a difficult problem. But if the old UI did work, was it necessary to reveal this extra complexity?

  151. #151 Jose Cena says:

    This new UI is pretty poor.

    I suspect a new no-script alternative will now pop up with a more simple UI since there is now a demand for it.

  152. #152 Brian Cranston says:

    Thank you for re-writing this great Addon as a Web Extention

    My problem is that the 'Default' setting seems to Allow everything. I want the default to Deny everything until I decide to allow it.

  153. #153 bo elam says:

    Brian #149. To get what you want, untick all boxes for the Default preset. and keep it that way. That will give you a more restricted experience than you had with version 5.


  154. #154 Brian Cranston says:

    Thanks Bo,

    The problem with that approach is that you have to go to the (sometimes dodgy) website unprotected the first time you visit.

    Plus, with the old noscript 5.x I would often reset all settings to start fresh. This would no longer be a viable option with the amount I would need to customise after every reset.


  155. #155 bo elam says:

    Hi Brian. You said, "The problem with that approach is that you have to go to the (sometimes dodgy) website unprotected the first time you visit."

    I dont think so. Actually, with that approach you are protected more than before, likely a lot more than needed. With this approach (all boxes unticked for the Default preset), I find some webpages that are completely blank, when before they loaded some minor stuff. So, the protection is a few notches higher if you untick all boxes..

    You also said that you, "... often reset all settings to start fresh". If you dont white list or black list sites, I guess that's viable. In you do this, that should give you about the same protection as before with version 5 when you visit dodgy websites. Scripts are not ticked by default for Default, but make sure you dont tick it by mistake. Only Fonts, Fetch and Others come preticked for Default when you reset version 10. That should be about the same level of protection we got in version 5 with default domains.


  156. #156 Blargstrom says:

    This new UI is so bloody cumbersome and disgusting to use. It's confusing and everything is so goddamn huge. So you're saying there was _no_ possible way of making it even remotely like the old one instead of this horrible mess it's now? Well, I guess it was to be expected since this quantum release of firefox is pure cancer, so naturally it infects and ruins everything good with it.

  157. #157 dc says:

    I must say it took a few tries to get used to new UI but now, since introduction of "temporary set all top-level sites to TRUSTED" option I prefer the new one over Classic one. Good work, thx!

  158. #158 AC says:

    Re: #138 Charlie says: " I upgraded FF to 52.5.x. Now, NoScript doesn't work."

    You have to first uninstall NoScript, then re-install it. After updating to 52.x ESR (retrograding? whatever) from 57, version 10.X of NoScript is still installed but is non-functional on 52.X.

    To get version 5.x of NoScript (which will work with 52.X), you must remove NoScript and then install NoScript.

  159. #159 pijulius says:

    Hi Giorgio,

    I'm sure you saw my latest changes trough userContent.css in any case what I try to achieve is to make things a bit more user friendly and cleaner (at least for myself)

    For this reason would it be possible to add a change like this:

    1. In NoScript settings page adding something like a checkbox called "Don't include toplevel domains"
    2. If above checkbox is checked then in the popup simply hide (or totally remove) the toplevel domains like and just show like

    The reason i would find this change useful is that right now the list of entries can become quite large in some cases for e.g.:

    And with this quick change the list would be exactly cut in half :)

    Also at least in my opinion/experience I never want to allow full domain (unless explicitly adding one in the settings page) to a trusted source, I just want to allow script to run a specified website that I'm visiting and need to test it's code but that's all so 99.99% of times I always allow only the exact domain/subdomain the script is run from and not the whole toplevel domain.

    Hope you will consider/find this change useful.

    Thanks for your hard work/time as always and giving us this for free!!! with this small change I would consider the new NoScript 10 perfectly done and new ui works just fine for me and quicker to allow multiple scripts at once than with a context menu so don't plan to ask you for any future requests :)


  160. #160 Brian Cranston says:

    Thanks again Bo for your help. Sorry, I'm trying to get my head around the new Noscript. I've only just realised where the temporarily allow 'clock icon' is ( next to the word Trusted on the trusted Tab).

    I think I can explain where my confusion is coming from. Starting from a fresh install of noscript, when I visit a site, as you said only frame, fetch and other are pre-ticked for the default tab. This is good although I'll prob untick those too now I know how this works.

    I had been ticking script on the Default tab not realising this was allowing the scripts for every URL listed (not what I wanted). I now realise I have to select the Trusted or Custom tab for the entry I want to allow and then tick script so that it only allows the script for that particular URL.

    I'm back in business :) and feel I have more control than ever now.

  161. #161 Bob says:

    I like the new interface, but it is not intuitive at all. Tapping the clock twice to turn it small is not intuitive at all. I kept clicking it thinking I was approving a script, but the browser kept forgetting. Having to click it twice is odd. It was infuriating to have NoScript seemingly forget what I selected. Maybe four buttons: Trust, TempTrust, NoTrust, Custom. Also -the green/red locks are not intuitive. When I click a lock, it indicates to me that I've locked a setting. This is how OSx/MacOS settings work. So, when I clicked the lock and it turned green, I thought: "Well, OK, now I've locked the setting and it will remember the setting" but it would forget the setting because clicking the clock twice is the "lock"... haha.

    So - now that I know the interface, I like it more than the old interface. But wow, man. It's not intuitive. Great extension though! The best! But maybe you should find a friend who has done interface design and buy him a cup of coffee and ask him to give you some feedback on improving the layout and buttons and text. Even just adding tool-tips so that when you click a button, some text is there saying (for the clock, for example) "Script temporarily approved, click again to permanently approve" or something like that.

    Merry Xmas & etc.

  162. #162 Kuromi says:

    Giorgio, first i want to say want to apologize to people who gives NoScript 1star at AMO blaming you for this change, but in same time i can understand why they so pissed off. First time i seen NoScript 10 i was pretty much WTF too. And i was on Nightly, so i know about things going on and general public arrived to 57 mostly not knowing about that will happen.

    But still, new UI is much less intuitive then it was previously. For example, making some site trusted (temporally) and then clicked again to be trusted permanently...this is not seems logical. And yes, lack of clear "this was this way, now you you it this way" tutorial is not good either. Peoples need to relearn completely and its hurts a lot.

  163. #163 Major Payne says:

    Sorry, really, because I'm sure you had the best intentions, but I had to uninstall this version - UI or UX are awful. This addon was an epic disaster from a usability perspective, and whatever you posted on this Web page for instructions, is horrid. I wouldn't even call it "instructions."

    Wish you the best. Peace.

  164. #164 John says:

    Oh My. These instruction... the confusing UI... the lack of usability....
    I just have to uninstall this addon. It's UI is so intuitive, so un-user friendly, I can' not work it out. (and I even poured over your above tutorial several times.

    Sites just don'e "fully" work, no matter what options are pressed/toggled.
    The Clocks and Padlocks.... ??? WTF is that all about.

    While I apreciate the effort to make such a helpful addon, this could be much better. I'm sorry to be so negative. Please don't take it as a personal hit against you. I'm just talking about the addon.

  165. #165 nomos says:

    it is a hard piece of work to set noscript for a page - unfortunately after restarting the browser the work is gone again - I don't understand the buttons and settings: (

    Isn't it possible to make a setting "Simple" vs."Expert"?

    For most pages, the buttons "Secure" (Permanant) and "I try it" (temporary) are enough for me - the rest can be fine-tuned for experts.

  166. #166 Aart says:

    Happy with the update but 2 small things I'd like to mention/discuss:
    1. why is the 'permanent' a clock? it totally goes against my idea of permanence because i associate a clock with a timer and hence with a 'temporary' trust.
    2. downloads: i noticed that you need to see my downloads (or at least that's what firefox mentioned in the add on permission section)... why do you need download information at all?


  167. #167 Jay says:

    Liked the prior version, dislike this new version, because: No explanation of each symbol, or how to use each. No apparent way to delete all or selected history/lines (some are years old). No way to revert to the prior version. This is a change which is not an improvement.

  168. #168 joe says:

    Changes should ONLY be made when/where they are NEEDED. "Allow" is a MUCH more accurate word, in this case, than "Trusted", and it's shorter...easier to fit. When unnecessary changes cause this much confusion, it's got to tell you, that either A)everybody are morons (not the case); OR B) the changes weren't great or even good.

  169. #169 ChrisH says:

    Recently switched to Quantum, and I am still really hating the new NoScript UI, even after reading this guide. The old UI wasn't perfect, but this new one is much too complex, fiddly & unclear. Apart from being much harder to use, I no-longer trust that my list of permissions are even correct. My problems are:

    1. It's not at all obvious whether a domain is temporarily or permanently trusted (the tiny clock is only slightly faded if it's permanent), and so it's also incredibly easy to accidentally change it's trust state without realising.

    Much of this could be avoided by simply doing what the old NoScript did:
    (a) Make the temporary permissions use italic text. There is not reason to NOT do this!
    (b) Put all the (applied) temporary permissions in a separate section (e.g. at the top of the list). So then if you apply a temporary permission, it'll be in the wrong part of the list (until applied), so I can undo it quickly.

    (c) It would also greatly help to make the "not temporary" icon (faded clock) much more visually different, e.g. by having a diagonal red line through it (in bright red, unlike the rest of the faded icon). And maybe make the "temporary" icon (bright clock) bigger.

    2. Additionally, it's not at all clear how I can UNDO an accidental click, unless I remember what it was before. The old NoScript had only 3 states (trusted, temp trusted, untrusted), so it was usually pretty easy to remember what it was showing before. But now NoScript has doubled that to 6 states (default, temp trusted, trusted, untrusted, temp custom, custom), and the visual differences between are really small (the grey 'highlight' starts & stops at slightly different horizontal positions).

    I would happily use options to hide "Untrusted" & "Custom" options, as that would immediately reduce the visual clutter. I'd even suggest this should be the default, and leave it to "power users" to enable those extra options.

    I'd also suggest that "DEFAULT" should be changed to "DEFAULT (untrusted)" (or whatever is appropriate).

    The domain names are also red or black at seeming random, and there is no indication of what that means.

  170. #170 ChrisH says:

    I wasn't happy with my previous post, so I've rewritten it (and fixed a few small errors) :

    I recently switched to FF Quantum, and although I am very happy you spent ages rewriting NoScript for Quantum, I am also really hating the new NoScript UI, even after reading your guide & trying to persevere with it. The old UI wasn't perfect, but this new one is much too complex, fiddly & unclear. I no-longer even trust that my list of permissions are still correct, after I make any changes. My main problems are:

    1. It's not at all obvious whether a domain is temporarily or permanently trusted (the tiny clock is only slightly faded if it's permanent), and so it's also incredibly easy to accidentally change it's trust state without realising. There are a number of ways to improve this:

    (a) Make the temporary permissions use italic text for the whole line. There is not reason to NOT do this!
    (b) Put all the domains with (applied) temporary permissions in a separate section (e.g. at the top of the list). So then if you apply a temporary permission, it'll visibly be in the 'wrong' part of the list (until applied), so I can undo it quickly.
    (c) It would also greatly help to make the "not temporary" icon (i.e. faded clock) much more visually different, e.g. by having a diagonal red line through it (in bright red, unlike the rest of the faded icon). And make the "temporary" icon (i.e. bright clock) bigger.
    (d) Since the clock is a button (but doesn't look like it), make it's appearance change (slightly?) when you hover the mouse over it. Something half-way between it's two normal states.

    2. It's not at all clear how I can UNDO an accidental click, unless I remember what trust state it was before. The old NoScript had only 2 main states (trusted & default/untrusted), with clear visual differences, so it was usually pretty easy to remember what it was showing before (and even what I clicked on to cause that change).

    But now NoScript has doubled that to 4 main states (default, trusted, untrusted & custom), and the visual differences between them are really small (the grey 'background highlight' starts & stops at slightly different horizontal positions, and a bit of similar-looking text changes). There are a number of ways to improve this:

    (a) I would happily use a preference to hide "Untrusted" & "Custom" options, as that would immediately reduce the visual clutter. I'd even suggest this should be the default, and leave it to "power users" to enable those extra options. I'd also suggest that "DEFAULT" should be changed to "DEFAULT (untrusted)" (or whatever is appropriate), so it's extra clear.
    (b) Use a different colour 'background highlight' (rather than grey) for different trust states. e.g. Greenish-grey for trusted, Reddish-grey to untrusted, and perhaps Yellowish-grey for custom. And leaving it as Grey for default.
    (c) After changing a domain's trust state, a big green "undo" arrow should appear, both to indicate that a change has been made (but not applied yet), and also to provide an easy way to undo that change. (And if you're going to keep all those 4 options visible, then this is a MUST!)

    3. The colour of domain names doesn't seem tied to the padlock state. An unlocked padlock always has red text, but black text is used both for locked padlocks & for no padlock at all. This is confusing. Either the text colour should be tied to the padlock state, or the text colour should not change at all. I'd suggest the latter, since I find it makes the red text grab my attention away the important parts of the UI (the state of the domain name), and we already have a red padlock anyway.

  171. #171 Fabio says:

    Guys give it a break, please.

    Giorgio has explained extensively that the old interface was written with one technology and the new interface has had to be entirely rewritten in a different technology.

    Whether you like it or not, that's really not the point. Whether it does the same job or not is all that matters.

    Giorgio has explained that this version allows you to customize functionality even better.

    Most users don't like change and like to keep things the way they are - if that were the case we would still be operating Windows 95.

  172. #172 ChrisH says:

    I'd also suggest looking at Privacy Badger's UI. It's not perfect, but it's much clearer than NS's new UI, despite tackling a similar problem.

  173. #173 ChrisH says:

    There is NO need to "give it a break":
    1. There are clear design flaws in the UI, which are little to do with the different UI technology of Quantum.
    2. The enhanced customisability certainly contributes to the mess that is the UI mess, but there are solutions apart from removing that customisability (although I'd certainly be happy to loose that customisability).

    Just look a Privacy Badger for an example of how much clearer the UI could be. And it doesn't take much imagination to see how it could be extended for NoScript's purpose.

  174. #174 Langenscheiss says:


    I doubt that HTML is really the limiting factor here. Yeah, you can't have nice menus anymore that look like the browser itself, but still HTML+javascript offers many possibilities to create a very simple UI with good workflow. Blaming this on the webext API is a lame excuse here. What is imo really the limiting factor in the API is just the amount of access and hooks you get in interfering with web requests. That's where I believe all the work has gone, and this is what needs to be praised already now, but the UI, come on, there are better examples out there. It's not bad, but there is definite room for improvement, even within the constraints of webextensions.

    I mean, given that this is for free and published under GPL, Giorgio is not responsible to anyone. It's our choice to use it or not, and be happy with it or not, but if you, as a developer, want people to use it, you better listen to criticism. As an example, up to, the UI basically made it very hard to use NoScript on popular Linux distros. Granted, this was not Giorgio's fault and he fixed it, but work flow should really be the priority here. First of all, it has to work, and it has to work nicely for the potential users. Afterwards, you can think about making it look fancy.

  175. #175 Fabio says:

    What I have always found is that it is far easier to criticise someone else's work than rolling up your sleeves and contribute.

  176. #176 David Smith says:

    I want to say that I have used noscript for a long time, and I really like the new UI. It is much faster to allow just the sites I want in the way I want and see what sites are trying to run scripts. Much cleaner than the old view.
    Thank you for the blog post, I was struggling a bit with what did what but this gave me enough to understand the method and I'm much happier with the viability and control I have now directly through the UI.

  177. #177 John D says:

    I like the concepts, but I think it will work better a bit simpler, instead of clickakble image icons which are not immediately obvious as controls I think plain text and form widgets would get less user revolt.

    if the page opens with a list of domaions and each has a checkbox labelled temporary, a radio group for default, trusted, untrusted, custom, etc they will know what those items do because those items havbe looked 90% the same for 25 years.

  178. #178 Esther says:

    I don't mind the new UI at all, if only it could remember my settings! After a week of re-telling noscript my settings every single time I visit a web-page, I had finally enough and uninstalled it.

    I read somewhere that you had to click on the round red padlock so I tried that. I set it to red, I set it to green, no matter what; noscript doesn't seem to keep a single setting. With the new UI this results into a click-fest for my 7-10 web-pages I visit regularly.

    For me noscript has always been the most useful addon available for Firefox, in that regard I thank you for your hard work you put into this and I hope you can solve this programs problems soon.

  179. #179 Rich says:

    Like many other long time users listed here I am finding the new version of NS much more complicated and non intuitive versus the classic version. I only care about three permission levels: Allow, Do not Allow, Temporarily Allow. I want it simple and quick. Perhaps a Lite version can be created that meets the needs of many of us who want simple and quick vs. comprehensive and time consuming.

  180. #180 chris says:

    Monumental Frustration! After searching the web for hours on how to block all scripts by default in Noscript, I've come up with nothing! Just others having the same problem. Is there no Faq available on how to do this? I liked the old noscript I used with Firefox because I could globally block all scripts by default and then on a site I would manually allow only the scripts I wanted running as this was the safest way to browse. Once I upgraded to the new Firefox browser every script is allowed by Noscript. WTF? Now it seems Noscript wants your internet browsing to be unsafe by default. This is terrible. Give us a way to toggle to disallow all scripts by default PLEASE!!!!!!!!!!!!!!

  181. #181 Giorgio says:

    All the scripts are blocked by default, just like it was before. There's nothing you need to do to "block all scripts by default".
    The DEFAULT preset (assigned to all the sites by default) has no script permissions, by default. You can configure it otherwise (just like you could "Allow scripts globally" in the old NoScript), but unless you touched it, there should be no "scritp" permission: just double click "DEFAULT", and see if the relevant checkboxes are off.

    See also this forum thread, where users figure out creative ways to use the presets and custom settings which were not possible in the "old" NoScript.

  182. #182 chris says:

    The default setting buttons on pages I visit have every box checked except "other" when I go to a a page I have not previously manually disallowed by making them "untrusted". Am I missing something?

  183. #183 chris says:

    Giorgio, perhaps I now have Noscript correctly working? After hitting reset and uninstalling and reinstalling it as an add on in Firefox, the default button setting has the "frame", "fetch" and "other" boxes checked by default. Before I reset and uninstalled everything was checked except "other". I am not sure how that happened?

  184. #184 Giorgio says:

    Yes, that's the way it's supposed to be.
    As I said, it's fully configurable now (those users who preferred a "blacklisting" mode now can implement it by giving extra permissions to the DEFAULT preset and revoking them by assinging the UNTRUSTED one), so most likely you accidentally misconfigured DEFAULT while experimenting with the new UI.
    I should probably remove the configurability (except for CUSTOM) from the popup and keeping it in the Options panel, and also give some kind of warning first time you change a preset.

  185. #185 Milind says:

    This is nothing short of insane. I couldn't even follow the explanation. Let alone use it without it. You need a freaking truth table to figure this out.

    I only need 2 settings. Temporarily allow it (as in the current session only) and trusted (every time I visit the site through browser restarts). The old UI did it beautifully. If you were to provide that with a single click that's all I need. If people need more granular control, provide that through an overflow menu.

    I don't know what the challenges are in doing this through a WebExtension. You are clearly an accomplished developer so possibly not possible. But on the surface, I have trouble understanding why using a HTML UI this should be a problem.

  186. #186 Giorgio says:


    I only need 2 settings.
    Temporarily allow it (as in the current session only)

    Just click the TRUSTED icon, the preset is temporary by default.

    and trusted (every time I visit the site through browser restarts)

    ... then click the clock icon to fade it away (making the TRUSTED preset permanent for that site).

    Really, it's a click for case 1, a double click for case 2, and it spares you the "make temporary permissions permanent" and/or the "Temporarily allow -> Forbid -> Allow" dance if you're just checking what permissions you actually need, which I hear is the most common usage pattern.

  187. #187 Allen says:

    I've used NS since 2009. It has been a trusted highly valuable asset surfing the net these many years. The UI was fairly straightforward and user friendly. I gave NS's new 10.x build a chance. I don't like it at all. It's just a pain in the rear to use. I'm currently using FF 52.x ESR and classic NS which works great together. NS 10 UI needs a makeover with unambiguous labels and less over-thinking the the UI. I look forward to fixes in those directions. Thanks!

  188. #188 Kyle McKenna says:

    It's actually much improved from just two weeks ago. I had almost given up hope, and noscript is nearly my favorite thing in the world. There are still some UI visibility issues in high-contrast modes but most of it's visible and usable now and that's big progress from early December. Happy Christmas and thanks again for everything you do.

  189. #189 hawran.diskuse says:

    THANK you VERY MUCH for this description!
    (even though a short one)

    Hopefully, I'll be able to set my settings permanent now.
    (beside me I've noticed a lot of issues on the "NoScript does not remember my settings" theme)

    However, I've been experiencing a big (and annoying) issue recently:

    PS I REALLY appreciate your effort rewriting this "must-have" add-on for that webextensions sh...e.

  190. #190 hawran.diskuse says:

    PPS According to other comments, I'd say making the "TRUSTED" setting from the "TEMPORARY" via that strange, little "clock" icon is rather confusing...

  191. #191 hawran.diskuse says:


    Have you really deleted my opinion?
    (it was #188)


  192. #192 Giorgio says:

    Nope, it had just gone in the moderation queue automatically because it contained a link.
    It's approved now, and it's #189, actually.

  193. #193 Lule_NZ says:

    Is there still a way to have all objects require individual approval even on a "Trusted" (white-listed) site? If not now, is this a feature you are considering porting into the new version at some point?

    Thank you for your continued development of the one extension I consider a "must have".

  194. #194 hawran.diskuse says:

    @ #192 Giorgio

    OK, I apologise.

    PS And a happy new year!

  195. #195 Giorgio says:

    Yes, just remove the "object" and "media" capability from the TRUSTED preset, or if you want this on a certain site only, do it in its CUSTOM permissions set.

  196. #196 Lule_NZ says:

    @ #195 Giorgio:

    Thanks Giorgio, unfortunately that doesn't seem to work. Youtube seemed like a decent site for a quick test so the following is based on using that site.

    The advised settings don't result in a placeholder but instead still allow the video to play automatically. I see the videos are fetched from a different domain (googlevideo) so I tried with various custom settings across the youtube and googlevideo entries that showed in the NoScript UI but nothing resulted in a clickable place holder object that could selectively enable a script or video - instead the video would either play or not.
    Selectively enabling a single video in one tab is tricky due to the number of what appears to be partially randomly generated more specific URLs used for each video within the googlevideo domain.

    In the old (5.x) version of NoScript it was possible to set restrictions to apply to white-listed sites as well and this would result in a clickable object on the page which, when clicked, gave the user the option of selectively enabling that one thing for the session.

    If it would be helpful I can install the ER version of Firefox and the latest 5.x version of NoScript and grab some screenshots of settings and websites which might do a far better job of explaining than I have just now : )

  197. #197 Giorgio says:

    Unfortunately Youtube is NOT a good place to test this, because rather than feeding its HTML5 media element with network resources, it produces and streams the bytes on the fly using the MSE technique.
    This is not a major security concern, because this can work only if you already trust the site to run arbitrary JavaScript, and on the other hand is very difficult to catch and discriminate, even though desirable from an annoyance-blocking standpoint. In facts, NoScript 5.x uses quite an elaborate technique to handle it, and this is completely out of reach for the WebExtensions API in their current state, but some work is being done in that direction, so hopefully placeholders for MSE first-party HTML5 media will come back around Firefox 59 or 60.

  198. #198 Lule_NZ says:


    Okay, thank you very much for the response : )

    Have a great New Year!

  199. #199 NRGFOX says:

    Ciao Giorgio spero che continuerai a sviluppare anche la versione classica per tutti quelli che come me a causa dei cambiamenti e dell'andazzo che Firefox ha preso preferiscono utilizzare Waterfox...

    Waterfox supporta tutt'ora tutte le vecchie legacy extensions e inoltre viene aggiornato anche con gli update di sicurezza aggiunti da firefox 57 in su

    Buon 2018

  200. #200 Marie says:

    The new UI is not my favorite...

    I used noscript for a long time and the 5.x UI that asked me to allow things has been easy to use for me me.

    in 10.x I can not see things i have allowed that easily because there are icons used that sometimes are not easy to see. Maybe there should be a second option for that new UI that reduces the amount graphical things... maybe a beginner mode and and a normal mode.

  201. #201 NS User says:

    Wow - just discovered that default is editable.

    Couldn't figure out why scripts were running when set to default!

    This is incredibly dangerous - default in my opinion should block everything - the title of this app is NoScript, so it seems obvious that the default should be No Scripts and no way to enable them.

    Almost was hacked by a malicious site that I am trying to fix.

    Took ages to figure out why scripts were still running - because the defaults can be overridden and they are GLOBAL.

    True I might have done this by accident - it certainly was not intentional. And I trusted that it was only changing the defaults for *that* page, not for everything, GLOBALLY.

    I think any change to the default should pop up a HUGE WARNING - as it stands I was almost hacked as a result of this.

    Very disappointing.

    I never would have made that mistake in prior versions.

  202. #202 Giorgio says:

    @NS User:
    Editability of presets has moved in a dedicated section of the Options panel in for exactly this reason.
    You can grab a from or wait it to be released as stable in one day or two.

  203. #203 INNOCENT BYSTANDER says:

    NoScript is actually so severely broken that I am posting this here using Chrome because even when allowing scripts globally this page would not load properly (The ReCaptcha didn't load at all).

    There are MASSIVE problems with the useability of the new NoScript addon, and I hope they get addressed.

    Key problems are:

    1) Where are all the options from my menu in the previous versions? I don't use Firefox because it's fast, I use it because I want CONTROL. This add-on takes away the CONTROL that was THE WHOLE REASON I USE NOSCRIPT AND FIREFOX ITSELF IN THE FIRST PLACE. I'm really hoping this is just buried somewhere in the UI that I haven't noticed yet, as opposed to being removed, in the style of Windows "upgrades" that actually make the software objectively worse for the user.

    2) The RIGHT CLICK MENU... I cannot emphasize this enough: THE RIGHT CLICK MENU WITH A NOSCRIPT BUTTON WAS A FUNDAMENTAL FEATURE. It's gone. I might be able to find a workaround by swapping to a tab with the options menu, but that just makes it horribly painful to use.

  204. #204 Giorgio says:

    1. NoScript is working just fine with ReCaptcha: you just need to double check that, if the parent site is TRUSTED, the same must be also If the parent site is not allowed to run scripts, the scriptless ReCaptcha fallback will work as well (I've used both the systems to comment on this very thread, and I'm doing it right now).

    2. In order to open the contextual UI where the browser action icon is not available (e.g. chrome-less popups) you can already use the shortcut ALT+SHIFT+N. This doesn't mean that I won't consider adding a contextual menu item, but I'm not sure the extra clutter is necessary, if the only reason is this.

  205. #205 oldguy says:

    several re-installs later :) if you try not-most-recent FF versions and end up with new NS 10.x not working, the way back to "classic" 5.x -MUST BE- a clean install of the old version, both FF and NS. did some back and forth still on FF 56.0b4, last version i found to still run older add-ons (some few things, like compat check disabled). simply thworing the 5.x NS over the newer one, and even just removing the new and install the old, leads to somewhat random behaviour, like settings not saving and/or UI not showing properly and/or some options not showing in Options and/or right click changes to sites not taking hold.. i'll be sticking to the "classic" NS as long as it gets supported, may have to manually update for a while.. after that might look for a different browser. *sigh* been a long road from FF 1.5 ..

  206. #206 INNOCENT BYSTANDER says:

    First, let me apologize: the above post was a moment of frustration. I also was absolutely not expecting the actual developer/team to be reading let alone responding to comments. I'm not in the habit of giving people a faceful of rage due to my own passing irritation.

    That being said, right now, NoScript is an essential part of how I use the internet because it prevents wasted time, and--in my opinion, far more importantly--wasted attention and thought. I mean this as a compliment. Regardless of the future, your software has served very well for several years. Thank you.

    Right now, I've re-installed a previous version of Firefox and NoScript, however I'm still posting in Chrome. I will poke around with the Trusted settings if that is the issue with ReCaptcha.

    The right-click menu is important if users are like me: I would rather gouge my own eyes out than have another advertisement crammed down my throat. Due to circumstances, I'm also on a connection that has a data limit. This compounds the annoyance because those advertisements are literally costing me money when they load. So, I don't even bother leaving anything on the whitelist. If I want to visit a site, I deliberately allow (temporarily) only the particular scripts I absolutely need for whatever purpose. This takes longer; sometimes it takes a reload or two, but it yields an experience with very few distractions, and in the long run, the extra ten to twenty seconds loading actually saves a lot of time that might have been wasted by those distractions. In an era of militant distraction, NoScript has been a welcome suit of armour.

    This is why the right-click menu was important; it's a feature that I use constantly. I can't speak for anyone else, but that's my own experience. Obviously, if there's a keyboard shortcut and it's convenient to use, that could work just fine. Right now, the right-click menu makes script selection a lot faster and more convenient. I don't know if I would bite the bullet and start letting random scripts through just because I have to open a menu, but I'd definitely have to consider solutions and decide from there.

  207. #207 Jason says:

    NoScript 10 looks great, but I'd really like to have the context menu back.
    Thanks so much for continuing to work on NoScript, an addon I consider to be a prerequisite for browsing the web.

  208. #208 Bill says:

    What happened to middle-click ... which used to let you investigate a site's "safety" by choosing any of several options like VirusTotal, Mcafee safe-site thing, and more - WAS working in NS Quantum until a day or two ago, now :( BIG loss! How can I back up to earlier-this-week's NoScript 10?

  209. #209 Giorgio says:

    The feature is still there: just left-click (not middle, not shift) the site address label (if you hover it, you'll see the cursor becomes a question mark suggesting that).

  210. #210 Benny says:

    I ditched NS because I couldn't understand it and found an alternative on another forum. I've been using the new one for a few weeks now and I'm really liking it; It took me literally seconds to learn how to use it without documentation or any "how to's". Kind of takes me back to when I was introduced to NS many man years ago.
    After thinking about why this is so, I believe the BIG problem with NS now is the icons. They are open to interpretation (or misinterpretation) and their size means they take up far too much screen real estate.
    I haven't communicated in pictures since I was in kindergarten, where I learnt how to read and write.
    Now I may be in the minority here, but text based menus are simple, clear and concise and there is no doubt what they mean. You can get A LOT more text on a single page which means a menu tree doesn't have to be as deep so there is less clicking and scrolling for users.
    Just thought I'd provide some feedback before I leave this forum for good.

  211. #211 David says:


    A bug I found is that if your msft windows global scale and layout text setting is above 100% then the clock on the right side disappears from the window because the text is too big. This makes NS almost impossible to use for temporary script permissions

  212. #212 Chris says:

    I really appreciate all your work on this, it is my most valuable addon, and the main reason why I never left Firefox. Change is a fact of life, for good and bad, and I have seen improvements as well as confusing UI changes.

    I just want to point out that the parent domain entry does not work for IP addresses. For example, works if you trust all subdomains, but ...0.1 doesn't. Logging into home routers these days requires scripting, but in this instance it is not intuitive for the average user that should be selected instead.

  213. #213 Derek Mann says:

    It's great that you can provide an exhaustive list of reasons why the UI had to change but it doesn't change the fact that the new UI you came up with is unacceptable. You singlehandedly killed my use of Firefox, regardless of how great your reasons were. I've been using NoScript for so many years that I had gotten used to have a functional web browser, but that's gone now and I am rawdogging it. Thanks for all of your hard work on this new version of NoScript that I have no intenntion of ever using again. Time well spent.

  214. #214 Syntaxxx Err0r says:

    Well sadly i must refrain from using your once HIGHLY recommended app, which i have used for many years. In fact i think i was probably even one of your first users and biggest advertiser to just about everyone i knew and beyond.. I understand that your having to change the UI was not entirely a willing change.. In fact, ive found a lot of Mozillas changes recently are just .. YUCK... i seem to be like many origonal and or long term users of Linux, if it isnt BROKEN, dont fix it. most linux users have this preference too. we like our OS being consistenly the same forever, once we set it like we want it. we dont like to change from the practice we set things as.. it goes hand in hand with that concept of SIMPLICITY.. but the new webapp BS with Firefox has not gone over well with me, and it is very likely that iwill remain with chromium. While both browsers, and evne opera has its use where the other two do not... .. firefox just isnt as powerful to me as it had been in previous deviations. its beginning to go the way of the Dodo bird or in the techno animal kingdowm.. the way of the Windows OS..

  215. #215 allan says:

    The site safety check only works for me if I have trusted the site I want to look up. If I try to check an untrusted site I get a popup box saying submitting request to but when I clic ok the request goes nowhere.

  216. #216 oldguy says:

    auto update to (prev .8.3) fails if you decided -not- to have the latest FF (me stubborn remaining on 56.xx) but the mains still offers one-click update, which worked flawless. thank you.

  217. #217 Mark says:

    Before update everything fine. After update, Facebook doesn't work, says something about enable javascript. There is no longer any javascript option in Firefox. And NoScript is beyond confusing. Which is to say, it is dangerous to release something as half-baked as this. The only solution I found to getting Facebook/javascript running again is to disable NoScript completely.

  218. #218 Giorgio says:

    Which update are you talking about? Did you just switch to Quantum, or you upgraded from to
    Either way, Facebook is working just fine here (as long as and are both set to TRUSTED).

  219. #219 zap says:

    Thank you for working on this wonderful addon Giorgio
    Don't let the haters get you down, this addon is fantastic, I look forward to when firefox esr uses web extensions too, and I just thank you for maintaining both legacy and web extension versions.
    As for the new ui, I don't really have a huge problem with it confusing it may be, but you are awesome for making such a great contribution to the free software community.

    ps, used your noscript addon since 2012. Back when I still used that awful winblows os...

    I now use Hyperbola and as always use noscript with iceweasel... :)

    I will donate to you later when I can.

  220. #220 Chase says:

    Reason that this needs a primer to understand the functions is the conclusion of your downfall. You made a bad choice. Time to learn from your mistakes and feedback given. Good luck and rise up like a phoenix.

  221. #221 Jom says:

    I guess we should not show blocked resource count on marked as "Untrusted" sites like the UX of the legacy that it doesn't show notifications.

  222. #222 Jom says:

    As the behavior of the legacy version, the icon should also have no hint of blocked resources in the quantum version if every permission in the page is either "Trusted" of "Untrusted". That is it should only show the "Trusted" icon because everything is cleared out.

  223. #223 Jom says:

    ...either "Trusted" or* "Untrusted"...

  224. #224 Steve says:

    Deleting sites is non-intuitive by clicking "Default" and reloading the page for the list to update. Can you please add an option to use the Delete key, like NoScript 5 supports, or does the new Firefox prevent this?

    Selecting multiple entries with the Command and Shift keys, for deletion or changing to Trusted etc, would also help.

    The guides are lacking information on how to delete entries, so it took me a while to figure this out. Thanks.

  225. #225 andy says:

    I still have no idea what red text vs. black text means and if it relates to red vs. green locks

  226. #226 DeLob says:

    Thanks for all you do for NoScript.
    I have so much protecting me, I forgot to check them before attempting to send this and it failed.

    This version is a bit tougher to figure but fine. My and apparently other peoples brains need a bit of a workout so this version helps that.

    Let's see if I can actually submit this now.
    Had to turn off Umatrix for the reCaptcha to show. Hah. Stumbling over my own security feet!

Bad Behavior has blocked 576 access attempts in the last 7 days.