NoScript - PitA?

[Enjay]

So, I've been using Firefox for quite some time now; three years or more, and I like it. I have a number of add-ons and things are set up pretty much how I want. I've had NoScript installed almost since the start because everyone tells me how good it is. However, most of the time it just seems to be a royal pain in the ass.

So many sites have some sort of scripting that virtually every site I visit needs to be reloaded with NoScript disabled before it will work properly. If I'm using an online shop of some sort, sooner or later I will hit a checkout page and even if I had already disabled NoScript on the main page, the store page may well need another disable and reload to get it working properly and sometimes this is enough to mess up the transaction. It's not pages that I visit frequently that are a problem (I have NoScript permanently disabled on them), it's general browsing that seems to be massively hampered by NoScript. The NoScript "I've disabled some scripts" warning sound happens so often that it's just second nature to me to middle click the icon and thereby disable NoScript and refresh the page almost reflexively when I hear the sound.

I know that there are nasties out there on teh big bad intarwebs and having an automatic "no scripts will run unless you want them to" safety net in my browser does give peace of mind but, how big is the risk versus the crippling of browsing that I experience with NoScript?

Any thoughts?

[Graf Zahl]

There's many, many websites out there that are infested with tracking software and nastier things that I wouldn't want to risk exposure.
I have whitelisted anything I visit regularly, but also have some sites that are not clean on my blacklist (a good example would be Doomworld.)

I know my brother had 3 virus infections last year because he found NoScript inconvenient but after switching it on he got none. I believe the danger from badly behaved sites far outweighs the inconvenience of having to explicitly enable scripts where they are useful. You also expose far less information to data miners.

[Big C]

There's many, many websites out there that are infested with tracking software and nastier things that I wouldn't want to risk exposure.
I have whitelisted anything I visit regularly, but also have some sites that are not clean on my blacklist (a good example would be Doomworld.)

Ach, what's happened with Doomworld?

[wildweasel]

Doomworld's ad banners tend to be pretty nasty, Flash-based nonsense that has been known to install crapware behind the scenes. AdBlock Edge/Latitude are known to mitigate most of it, but you can never be too careful. It's apparently a quirk of their hosting provider; I'm not sure why they haven't looked into finding a different host.

[Enjay]

I'm certainly all for keeping trackers and data miners away and Ad Block also serves me well on places like DoomWorld.

I also use Ghostery and that seems to be pretty good. I was using Disconnect too but that definitely caused a number of sites to not function properly and would also manifest in some unexpected ways, such as pictures hosted on certain sites not showing up on these forums with no obvious visible clue that there was even meant to be a picture in the post. It's currently installed but disabled.

[leileilol]

The only thing that annoys me is the update news page that forces itself making me read "I ASS" when I start my browser.



RequestPolicy is nice too, but sends a lot of page styles and images to hell since no one can design within a single domain anymore.

[Gez]

In my own experience I'm more often annoyed by sites that need cookies to work than by sites that need JS to work. And generally I only allow "for the session" the site itself and stuff like looks like a content delivery network, but leave facebook, tracking and advertising out.

[Siggi]

Disabling JS is impractical these days. Pretty much all the modern features that improve the user experience will rely on JS somewhere along the line. So I don't support NoScript.
I think if you're using Disconnect and Ad-blockers you should be fine.

The only privacy thing I use daily is Duck Duck Go instead of Google. The Bangs feature is also pretty useful.

If I feel the need to do some truly dubious browsing then I use Tor Browser.

[Blox]

I just deal with the major pain in the dick that is noscript+requestpolicy.
Things get interesting once in a while.

RequestPolicy is nice too, but sends a lot of page styles and images to hell since no one can design within a single domain anymore.

[sobbing intensifies]

[Graf Zahl]

Disabling JS is impractical these days. Pretty much all the modern features that improve the user experience will rely on JS somewhere along the line.

Correct. But have you ever looked into what mess 'modern' pages load externally? I'd rather control myself which parts get loaded and which don't.

Blox's image pretty much sums it up what cesspool the internet really is. I normally keep my main session clean and visit problem sites either in private mode or through Tor because the more a website relies on external Javascript (really the only problem with NoScript) the more likely there's malicious content.

[GooberMan]

Why not Adblock? The filter sets are actively updated, and I've not hit any malicious scripts on the internet in, well, at least since I've been using Adblock (I guess something like 8 years now). YMMV with malicious scripts depending on what sites you visit for example.

HTML5 basically won't work without scripting by design.

[Project Shadowcat]

I started using NoScript a LONG time ago, but when pages started failing to load earlier in the year even after they've been whitelisted, I had to look for alternatives. By recommendation of a techie I know off-forum, I've started using Hostsman to modify my HOSTS file instead of using an adblocker. My browsing is even faster and I don't get hit with any ads, nor do I have to fiddle with any whitelists. Nearly all pages load properly, too.

[Graf Zahl]

Why not Adblock? The filter sets are actively updated,

Do the filter lists contain Doomworld?
If the (expected) answer is 'no', you'll know why that approach is not sufficient. I have met my share of websites that use scripts inappropriately and prefer to decide for myself what gets through and what does not. Especially stuff like Facebook, Twitter and other 'Social' stuff is on my blacklist.

I also use the HOSTS file for stuff I don't trust at all, most importantly Google Analytics.

[GooberMan]

I browse Doomworld without ads if that answers your question. Is there any additional scripts not related to ads that Doomworld uses that are bad bad die bad?

[Marisa the Magician]

I'm somehow used to all the annoyances coming from using noscript, requestpolicy (the continued version), ublock (lighter than adblock), https everywhere, and some few custom userscripts and userstyles to selectively tweak some things I don't like.

I guess that's normal coming from someone who's also used to manually maintaining a systemd-free Arch install. I really don't know how I have it easier than other people.