NoScript

NoScript Configuration Guide

This is a quick run-through of configuring NoScript under Firefox. This guide assumes you already have NoScript installed in your Firefox Browser.

Click the NoScript (S) icon

We begin by clicking the NoScript (S) icon next to your URL bar in firefox and choose "Options"

Under the General Tab

The default Settings are Fine.

Under the Whitelist Tab

You should add a list of frequently visited sites that you trust (in other words create a "Whitelist"). Please note Whitelisting a site will not stop NoScript from protecting you from XSS/CSRF and ABE violations (we'll explain this more later). You will notice there are already some sites whitelisted for you. If for some reason you do not trust those sites you may highlight them and click "Remove Site" and it will no longer be in the whitelist. You should add trusted top-level sites to make it easier.

Adding a whitelisted site: Simply type the domain of the site into the "Address of Website Bar" and click "Allow" example : http://ubuntuforums.org or ubuntuforums.org

  • http://dangertux.no-ip.org/downloads/whitelist.png

After you have whitelisted the sites you commonly visit and trust you are done here.

Note : You need to weigh the probability that the site is secure when whitelisting it. For example: http://canonical.com (probably okay) http:// superleethackersecrets.ru (probably not so much). Keep in mind this is entirely subjective and unless you plan on running a vulnerability assessment against the site all you can do is trust the administration of that site.

Under the Embeddings Tab

  • http://dangertux.no-ip.org/downloads/embeddings.png

This is an important tab and we will be modifying the default settings considerably here. Outside of the default settings you probably also want to place a check in the following boxes:

  • "Forbid <IFRAME>"

  • "Forbid <FRAME>"

  • "Forbid WebGL"
  • "No placeholder objects from sites marked as untrusted"

Additionally for ease of use you may wish to choose "Collapse Blocked Objects". This doesn't add or detract security, it just makes sites displaying blocked cross site content display more clearly.

"Apply these restrictions to Whitelisted Sites" : This should probably be left unchecked unless you are super paranoid and want to break all your favorite sites.

Under the Appearance Tab

This is entirely up to you, and depends on how you want NoScript to display itself. I leave it at default, and will not discuss it further here.

Under the Notifications Tab

This is how noisy NoScript is going to be. It will not change the amount of protection NoScript gives you. However, it will tell you when NoScript alerts you or doesn't alert you to different blocked content or actions. The default settings are fine here as well.

Under the Advanced Tab

Next we will go through your advanced NoScript options and the several sub tabs it contains.

Untrusted sub-tab

  • http://dangertux.no-ip.org/downloads/untrusted.png

For untrusted sites you will wish to place a check in the following boxes:

  • "Forbid bookmarklets"
  • "Forbid META redirections inside <NOSCRIPT> tags">

Trusted sub-tab

The default settings for this sub-tab are acceptable so long as you are not "Trusting" sites that should not be trusted, refer to the same procedure as whitelisting.

XSS sub-tab

This tab allows you to configure your cross site scripting protection and whitelisting. It offers the ability for you to enter regular expressions for pattern matching of sites to trust cross site content from. By default the settings in the XSS tab are relatively secure. If you do not know regex I do not suggest attempting to learn here as a typo can lead you from trusting cross-site content from "look alike domains" like fakebook.com as opposed to facebook.com. If you wish to learn about basic regex here is a decent explanation.

HTTPS sub-tab

This sub-tab allows you to force SSL on certain sites (of your choosing) and affects SSL cookie behavior. It has two sub-sub-tabs "Behavior" and "Cookies".

Behavior sub-sub-tab

  • http://dangertux.no-ip.org/downloads/https.png

I would not recommend using "Force forbid active web content unless it comes from a HTTPS connection" as it will break the vast majority of websites. However, I do recommend forcing HTTPS for sites where you store important information and or conduct financial transactions. In my example you can see I added my banks and social networking sites. You may type them in the pane seperating them with newlines. When you have done that move to the "Cookies" sub-sub tab.

Cookies sub-sub-tab

  • http://dangertux.no-ip.org/downloads/https2.png

This sub-sub-tab allows you to force cookie encryption over SSL. All major sites should support this functionality, and as you can see from the example I added the same sites that I chose to force SSL for in the previous tab. You add them in the same manner. Once you are done we can move on to the ABE Tab.

ABE Tab

This stands for Application Boundary Enforcement. This is one of the ways NoScript prevents things like NAT Pinning and some DNS based attacks. The default settings are fine, however, its important to understand the major role this plays in your protection. I'm sure many of us know that 192.168.1.1 is a private address, meaning you might find it on your home network. Possibly your router's IP address. That being said, no internet based host should be sending anything to this address. If it is doing so it is likely attempting to use your machine as a relay to send code to another machine on your network, otherwise known as NAT pinning. That being said, if you are hosting a home server, this may cause issues if you are on the same network with the server, so don't freak out of if you get an ABE warning visiting your own website.

External Filters Tab

Again the default settings here are fine. However, I will give a brief overview of what this tab does. It allows you to create filters to block certain MIME types. For those who don't know a MIME type is, essentially it is a file type. Like we all know .jpg is an image, or .fmv is a flash movie file. This allows you to set up filters based on those file types, on a site by site basis. This allows extremely fine grained control, so much so that we're not going to cover it here. However, if you would like to try to experiment I would suggest picking a content rich site and creating filters one by one to block all the content on the site but the static html. That should get you familiar with MIME type blocking.

After you are done configuring NoScripts Options, make sure "Forbid Scripts Globally" is Enabled (this will not effect your whitelisted sites). Restart your browser and you will surf safer.

BasicSecurity/NoScript (last edited 2012-02-28 21:31:08 by ms-daisy99)