Ubuntu No Script Configuration Guide

This is a quick run-through of configuring NoScript under Firefox. You can get NoScript here

Click the NoScript (S) icon next to your URL bar in firefox and choose “Options”

General Tab

Default Settings are Fine

Whitelist Tab

You should add a list of frequently visited sites that you trust. Please note Whitelisting a site will not stop NoScript from protecting you from XSS/CSRF and ABE violations (we’ll explain this more later). You will notice there are already some sites whitelisted for you. If for some reason you do not trust those sites you may highlight them and click “Remove Site” and it will no longer be in the whitelist. You should add trusted top-level sites to make it easier.

Adding a whitelisted site

Simply type the domain of the site into the “Address of Website Bar” and click “Allow” example : http://ubuntuforums.org or ubuntuforums.org

After you have whitelisted the sites you commonly visit and trust you are done here.

Note : You need to weight the probability that the site is secure when whitelisting it. For example: http://canonical.com (probably okay) http://superleethackersecrets.ru (probably not so much) Keep in mind this is entirely subjective and unless you plan on running a vulnerability assessment against the site all you can do is trust the administration of that site.

Embeddings Tab

This is an important tab and we will be modifying the default settings considerably here. Outside of the default settings you probably also want to place a check in the boxes (“Forbid

“Apply these restrictions to Whitelisted Sites” : This should probably be left unchecked unless you are super paranoid and want to break all your favorite sites.

Appearance Tab

This is entirely up to you, and depends on how you want NoScript to display itself. I leave it at default, and will not discuss it further here.

Notifications Tab

This is how noisy NoScript is going to be. It will not change the amount of protection NoScript gives you, however it will tell you when NoScript alerts you or doesn’t alert you to different blocked content or actions. The default settings are fine here as well.

Advanced Tab

These are your advanced NoScript options and contain several sub tabs which we will go through now.

Untrusted sub-tab

For untrusted sites you will wish to place a check in the following boxes (“Forbid bookmarklets”, “Forbid META redirections inside

Trusted sub-tab

The default settings for this sub tab are acceptable so long as you are not “Trusting” sites that should not be trusted, refer to the same procedure as whitelisting.

XSS sub-tab

This tab allows you to configure your cross site scripting protection and whitelisting. It offers the ability for you to enter regular expressions for pattern matching of sites to trust cross site content from. By default the settings in the XSS tab are relatively secure. If you do not know regex I do not suggest attempting to learn here as a typo can lead you from trusting cross-site content from “look alike domains” like fakebook.com as opposed to facebook.com. If you wish to learn about basic regex here is a decent explanation : http://linuxreviews.org/beginner/tao_of_regular_expressions/

HTTPS sub-tab

This subtab allows you to force SSL on certain sites (of your choosing) as well as affect SSL cookie behavior. It has two sub-sub-tabs “Behavior” and “Cookies”

Behavior sub-sub-tab

I would not recommend using “Force forbid active web content unless it comes from a HTTPS connection” as it will break the vast majority of websites. However I do recommend forcing HTTPS for sites where you store important information and or conduct financial transactions. In my example you can see I added my banks and social networking sites. You may type them in the pane seperating them with newlines. When you have done that move to the “Cookies” sub-sub tab.

Cookies sub-sub-tab

This sub sub tab allows you to force cookie encryption over SSL. All major sites should support this functionality, and as you can see from the example I added the same sites that I chose to force SSL for in the previous tab. You add them in the same manner. Once you are done we can move on to the ABE Tab


This stands for Application Boundary Enforcement. This is one of the ways NoScript prevents things like NAT Pinning and some DNS based attacks. The default settings are fine, however its important to understand the major role this plays in your protection. I’m sure many of us know that is a private address, meaning you might find it on your home network. Possibly your router’s IP address. That being said, no internet based host should be sending anything to this address. If it is doing so it is likely attempting to use your machine as a relay to send code to another machine on your network, otherwise known as NAT pinning. That being said, if you are hosting a home server, this may cause issues if you are on the same network with the server, so don’t freak out of if you get an ABE warning visiting your own website.

External Filters Tab

Again the default settings here are fine. However, a brief overview of what this tab does, it allows you to create filters to block certain MIME types. For those who don’t know a MIME type is essentially a file type. Like we all know .jpg is an image, or .fmv is a flash movie file. This allows you to set up filters based on those file types, on a site by site basis. This allows extremely fine grained control, so much so that we’re not going to cover it here however if you would like to try to experiment I would suggest picking a content rich site and creating filters one by one to block all the content on the site but the static html. That should get you familiar with MIME type blocking.

After you are done configuring NoScripts Options, make sure “Forbid Scripts Globally” is Enabled (this will not effect your whitelisted sites). Restart your browser and surf safer 🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s