About 10 years ago I started using the Noscript browser extension to block undesirable JavaScript. The problem was that it tends to block a lot more JavaScript than that and after a few years, I gave up on the constant attention it required. After my AWS attack I returned to it. I learned that if Noscript makes the internet not worthwhile, well, it’s not worthwhile. The internet is definitely a stinking cesspit of unsavory JavaScript, much of it coming from large search engine and social media companies.

Fortunately although Noscript is more obligatory than ever, I find that it is a bit easier to use. The web has sorted itself out into major players that are "doing no evil" and the ones just saying that. I find that for most sites I care about, only the primary domain name needs to be free to run code in your browser. Leaving the other ten sources of JavaScript banned usually just results in the ads and privacy invasions not working. I’ll look at ads, but I won’t run predatory advertising code. I feel that’s a fair compromise. In practice, this means I see essentially no ads whatsoever.

Every once in a while I need to enable a CDN or an auxiliary site to the main one, e.g. ssl-images-amazon.com, but overall, it’s quite manageable these days. I feel that Noscript takes an utterly hopeless situation and takes back quite a bit of control. I wholeheartedly recommend that everyone who uses a web browser use it.

I wish that could be the end of the post.

Unfortunately, I recently noticed something unnerving and I tested it conclusively today with version 2.9.5.2. When I install the extension I find that it creates this file (yours may be slightly different).

~/.mozilla/firefox/when43ib.default/extensions/{73a6fe32-594d-459b-a921-fcc0c8e43233}.xpi

This is actually a zip file (bloody hell). Inside the archive I find the file noscript.js which contains this configuration setting (breaks added for readability).

pref("noscript.default", "about:blank about:pocket-signup
about:pocket-saved addons.mozilla.org persona.org mozilla.net
google.com gstatic.com ajax.googleapis.com  maps.googleapis.com
paypal.com paypalobjects.com securecode.com securesuite.net
firstdata.com firstdata.lv yahoo.com yimg.com yahooapis.com
youtube.com ytimg.com googlevideo.com netflix.com nflxext.com
nflximg.com nflxvideo.net noscript.net hotmail.com passport.com
passport.net passportimages.com live.com live.net outlook.com afx.ms
gfx.ms sfx.ms wlxrs.com ajax.aspnetcdn.com bootstrapcdn.com
code.jquery.com yandex.st tinymce.cachefly.net");

What the hell is all that? To find out you can click on the Noscript icon, choose Options and then select the Whitelist tab. A new install of Noscript allows JavaScript from these sources by default! What a rotten sneaky trick. I’m pretty disappointed about that. Fortunately, it’s easy to clear those out. It’s just sad that even this extremely high quality tool designed to empower your authority and control over your browser is simultaneously designed to sell you out to Bank of America’s Latvia division or whatever that is.

Still, don’t forget — sad as that is, I wholeheartedly recommend everyone who uses a graphical browser install Noscript. The web is that bad.

UPDATE 2021-08-16 -

I just came across this post about the topic by a security researcher that found this problem even before I did. He went one step farther by doing something quite hilarious. He checked all the domains in the list and found one that was not even registered! So he registered it! And then added some little JavaScript based exploit that NoScript natively misses. To the credit of NoScript, this did prompt a fast correction. You can see that in my post (some months later) where the offending URL, zendcdn.net, is not whitelisted. It’s a mess out there — trust nothing!