The best security you can get in a Firefox web browser!

NoScript for Firefox

Join our mailing list

Stay up to date with latest software releases, news, software discounts, deals and more.

Download NoScript for Firefox 11.4.28

  -  512 KB  -  Open Source
  • Latest Version:

    NoScript for Firefox 11.4.28 LATEST

  • Requirements:

    Windows 7 / Windows 8 / Windows 10 / Windows 11

  • User Rating:

    Click to vote
  • Author / Product:

    Giorgio Maone / NoScript for Firefox

  • Old Versions:

  • Filename:


The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other Mozilla-based browsers: this free, open-source add-on allows JavaScript, Java, Flash, and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

NoScript Security Suite also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser. NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known, such as Meltdown or Spectre, and even not known yet!) with no loss of functionality...

When you install NoScript, JavaScript, Java, Flash Silverlight, and possibly other executable contents are blocked by default. You will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily if you're just surfing randomly, or permanently when you visit it often and you really trust it. This means that NoScript learns from your own web browser habits and tends to disappear in the background after a while, but it promptly comes back to save your day if you stumble upon a malicious web page. Install NoScript Security Suite for PC Now!

Features and Highlights

  • Exclusive protection against DNS-rebinding attacks targeted to routers, including WAN IP variants.
  • Several new Anti-anti-adblocker Surrogate Scripts to prevent pages from breaking when ads are disabled.
  • NoScript 1.10.x is the last serie supporting Firefox 2.0 and older browsers. It will be updated only if affected by serious security vulnerabilities (very unlikely). This will allow the upcoming NoScript 2.x series to be developed faster and better, by removing legacy compatibility code and fully leveraging the latest APIs and language features. li>Increased ClearClick accuracy on very complex nested pages.
  • Built-in ABE ruleset editor.
  • Better Surrogate Scripts error management and new built-in surrogates to security AMO add-ons installation against MITM attacks and improve Google search experience when scripts are disabled.
  • Faster and more compatible anti-XSS protection.
  • Full protection against Aviv Raff's scriptless tabnagging variant, by blocking refreshes triggered on unfocused untrusted tabs. See the changelog for more details.
  • Important ABE enhancements: same domain origin matching (SELF+), same base domain origin matching (SELF++), and INCLUSION pseudo-method for fine-grained subrequests matching, see the updated ABE rules specification for details.
  • Experimental external filters for plugin content (e.g. Blitzableiter to sanitize Flash applets). It requires Firefox 3.5 and above, and it can be configured from the new NoScript Options|Advanced|External Filters panel. To activate the built-in Blitzableiter support you need to enable filters, download Blitzableiter binaries and tell NoScript where the executable is. Please notice that Blitzableiter is in its early development stages, and it breaks a lot of Flash content.
  • Improved and updated Firefox Mobile (Fennec) support: NoScript's UI has been moved inside the location bar, and options have been simplified down to 4 preset configurations (you can still perform fine-grained configuration in about: config or via Weave Sync).
  • The long-awaited pluggable site info page can be opened by middle-clicking or shift+clicking on any site entry in NoScript's menus.
  • Enhanced usability of universal Flash blocking.
  • Improved HTTPS enforcing.
  • Strict Transport Security support.
  • New Import/Export buttons in the NoScript Options dialog, backup the whole NoScript configuration in a single JSON file, as a disconnected alternative to the Weave/XMark synchronization functionality (Fx 3 and above).

What's new in this version:

NoScript for Firefox 11.4.28
- Prevent URL leaks from media placeholders
- [nscl] Support for in-tree TLDs updates

NoScript for Firefox 11.4.25
- Reload extension on fatal failures
- [Android] Fixed UI styling regression
- Fixed UI inconsistencies when finer-grained contextual policies are created/imported by other means

NoScript for Firefox 11.4.24
- [XSS] Fix Base64 hash checks interfering with query string checks (thanks barbaz for reporting)
- [TabGuard] Stop exempting domains bidirectionally by default
- [TabGuard] Fix destination domain being reported as the trigger of a warning prompt when all the other tab-tied domains have been exempted (thanks barbaz for report)

NoScript for Firefox 11.4.23
- [TabGuard] Eclude non-scriptable content types from suspects
- [TabGuard] Check for chains of about:blank puppet tabs
- Mirror NoScript's badge content in the contet menu to provide more info (e.g. on SS or TG status) whenever the toolbar icon is hidden
- [TabGuard] Short circuit requests in non-anonymized tabs
- [TabGuard] Decouple tab ties cutting from one-shot authorized loads cases for same-site navigation
- [TabGuard] Load with credentials when reloading from NoScript's UI
- [TabGuard] "TG" badge on the NoScript icon when the selected tab is anonymized
- [TabGuard] Cut ties and restore authorization info on manual reloads
- [TabGuard] Remove Set-Cookie headers from anonymized requests to prevent unreversible authorization loss
- [TabGuard] Keep track of anonymized requests
- [TabGuard] Keep track of anonymized tabs
- [TabGuard] Fi "never prompt" option's label not being clickable
- [TabGuard] Introduce prompt granularity options (default: prompt only on POST requests)
- Removed invalid CSS
- Avoid unnecessary prompt resizing
- Prevent focus-related console warning when opening prompts

NoScript for Firefox 11.4.21
- Fixed mislabeled Tor Browser settings override option
- [L10n] Updated mk

NoScript for Firefox 11.4.20
- Generalized prompt safety hooks
- Better blob: URL support
- [nscl] Improved cross-window patch cascading
- [nscl] Avoid unneeded side effects when checking for zombie patched objects
- [nscl] Prompt safety hooks
- [L10n] Updated fr, fi
- Fi font family typo

NoScript for Firefox 11.4.18
- Fixed detached window UI gets closed when its decoration is clicked

NoScript for Firefox 11.4.16
- [L10n] Updated de, nl, pl, ru, sq, zh_CN
- Always open the windowed standalone UI when invoked from
- The Alt+Shift+N shortcut
- Alt+Shift+Space shortcut to toggle restrictions
- Enforcement for current tab (issue #129, thanks PF4Public For RFE)

NoScript for Firefox 11.4.15
- Use the actual browser's brand name for Tor Browser derivatives
- Always open the windowed standalone UI when invoked from the contextual menu

NoScript for Firefox 11.4.14
- Updated HTML event attributes list
- Uniformed indexed directory Firefox UI emulation to prevent a script blocking bypass on file:// resources (thanks RyotaK for reporting)
- Fixed error being logged in the console on scriptless pages when hitting [Delete] or [Backspace] (thanks barbaz for reporting)
- Work-around for background page misteriously being unloaded sometimes by Firefox
- [L10n] Updated Transifex configuration

NoScript for Firefox 11.4.13
- Ensure theme changes are synchronized across windows, including private ones (thanks barbaz for reporting)
- [UI] Ensure prompts are always centered relative to the parent window in multi-monitors setups
- Switch to "Modern Red Evil" icon contributed by fatboy
- Work-around for Chromium unable to load the placeholder icon
- Themed placeholders
- [nscl] Fixed placeholder fallback styles on Gecko embedding documents
- [L10n] New Romanian (ro) locale (thanks Simona Iacob and Inpresentia I.)

NoScript for Firefox 11.4.12
- Updated is, mk
- New Finnish (fi) locale
- New Ukrainian (uk) locale
- New Persian (fa) locale

NoScript for Firefox 11.4.11
- Fix broken NoScript dialogs when browser.privatebrowsing.autostart = true
- Avoid using fallback origins for main_frame loads

NoScript for Firefox 11.4.10
- [TabTies] Cascade and merge ties in a shared pool, to prevent them from being cut by closing a middle tab (thanks NDevTK for reporting)
- Extended origin normalization to top-level documents (thanks NDevTK for reporting)
- [TabGuard] Fixed regression in about:blank handling (thanks NDevTK for reporting)
- Better origin guess for requests from sandboxed iframes (thanks NDevTK for reporting)
- More precise tracking of implicit origins in tab URLs
- [nscl] Stricter criteria for cutting tab relations (thanks NDevTK for reporting)
- Use window.origin when fetching policies for inheriting special URLs (thanks NDevTK for reporting)
- Better build script compatibility

NoScript for Firefox 11.4.9
- [L10n] Updated pl, tr, zh_CN
- [TabGuard] Abort the load when the warning dialog is closed by any mean except the OK button
- [TabGuard] Stricter criteria for cutting tab relations

NoScript for Firefox 11.4.7
- [XSS] Fixed regression in invalid characters optimization causing false negatives
- Minor build script enhancement

NoScript for Firefox 11.4.6
- [nscl] Copy NOSCRIPT elements' attribute in emulated replacements
- [SS] Correct for concurrency in timeout checks
- [UI] Flatter preset appearance
- [UI] Focus visual feedback adjustments
- Inclusion-time TLD updates
- Updated HTML events
- [L10n] Updated pl
- Opaque white for vintage lock icons
- [L10n] Updated is

NoScript for Firefox 11.4.5
- Improved preset sizing
- Reduce toolbar bottom shaded line tickness
- [L10n] Updated he
- Various user-driven visual tweaks
- Fixed vintage icon brightness in automatic light mode
- Minor icon tweaks

NoScript for Firefox 11.4.4
- [L10n] Updated mk
- Removed "clearclick" item from default settings
- Better layout for mixed status icons

NoScript for Firefox 11.4.3
- Reversed colors in Modern Red permissive icons for better contrast
- Fixed regression causing only signed builds to complete

NoScript for Firefox 11.4.1
- Support for reverting to the "Vintage Blue" style (NoScript Options/Appearance)
- Various tweaks to the "Moder Red" dark and light themes

NoScript for Firefox 11.3.6
- Make high contrast and draggable toolbar items mutually
- Exclusive
- [Chromium] Fix high contrast option not working
- Avoid flashing empty graveyard on popup opening
- More deterministic DnD placeholder creation
- [L10n] Updated fr, es, nl, zh_CN
- Make disabled buttons draggable and hidden enabled buttons
- Interactive when the "graveyard" is open
- Close UI and reload immediately when enabling global/tab
- Restrictions or disabling them for the tab only

NoScript for Firefox 11.3.3
- Play nice with the Viewhance extension
- Avoid synchronous fetching for remote embedding documents
- Fixed typo in UI context dropdown initial selection
- Fixed wrong label for http: sites in contextual policy UI
- Fix for first party context policy ignored on first load in new tabs
- Consolidate best effort policy fetching
- Use correct context for all subresources checks
- Queries on Firefox
- [L10n] Updated de, es, he

NoScript for Firefox 11.3.2
- Prevent LAN protection from breaking webRequest blockin on the Tor Browser

NoScript for Firefox 11.2.24
- Avoid unnecessary window patching

NoScript for Firefox 11.2.21
- Better fallback for failing syncMessage
- [XSS] Simplified preemptive name sanitization

NoScript for Firefox 11.2.19
- [XSS] Faster invalidCharsRx initialization on Gecko 78 and above
- [XSS] More resilient name handling
- [nscl] Use HTTPS SyncMessage endpoint for Chromium too (works around lack of file access by default on packed extensions breaking NoScript)

NoScript for Firefox 11.2.16
- Fallback to synchronous policy fetching if the document is already loaded (e.g. on updates)
- [XSS] Interactive testing made a bit easier

NoScript for Firefox 11.2.15
- [Android] Work-around for Firefox "forgetting" tabs
- [nscl] Improved cross-frame auto-patching

NoScript for Firefox 11.2.13
- [XSS] Tweaked risky operator check prevents false positive on outbound Twitter navigation
- [XSS] Better logging for JS fragment detection
- [XSS] Fixed performance regression in invalid character ranges generation causing random XSS "DOS" false positives
- Fetch policy for baseURI if document.domain is empty
- [L10n] Updated ja, lt, pl, ru, zh_CN
- Always fetch policy synchronously, if missing
- Fixed undetermined status icon on BF cache page loads
- [nscl] Fix webgl blocking regression due to xray wrappers confusion (thanks skriptimaahinen)
- [nscl] Prevent unnecessary breakages on pages inspecting canvas.getContext when webgl is disabled
- [nscl] Reduce the risk to interfere with scripts messing with the media attribute (issue #207)

NoScript for Firefox 11.2.11
- [nscl] Fixed JavaScript access to CSS rules broken on Chromium when unrestricted CSS is disabled
- Prevent Chromium builds from being sent to AMO for signing
- [nscl] Fixed CPU/RAM overload on some pages with unrestricted CSS disabled but scripting enabled (not recommended setting)
- [nscl] Fixed CPU spikes on Chromium triggered by automatic file downloads (thanks ptheborg for report)

NoScript for Firefox 11.2.10
- Cross-browser file naming consistency, in spite of version numbering incompatibilities
- [nscl] Fix for potential race conditions on certain page transitions (issue #205)
- Handle exception when accessing navigator.serviceWorker on sandboxed frames
- MS Edge support

NoScript for Firefox 11.2.9
- [L10n] Updated de, mk
- Replace deprecated extension.getURL() with runtime.getURL()
- REUSE-compliant licensing boilerplate
- Remove unused/refactored-out files
- Relicensing as GPL3+
- [nscl] Fixed infinite recursion issue on wrappers
- Avoid treating JavaScript files as embeddings when opened as top-level documents

NoScript for Firefox 11.2.8
- Quiet down unnecessary debug logging
- [L10n] Updated he, de
- Fix meta refresh sometimes ignored on Firefox 78 ESR
- Chromium-specific build-time customizations

NoScript for Firefox 11.2.7
- Better prompt layout (no accidental scrollbar)
- [nscl] Fix regression causing media patches to break some pages

NoScript for Firefox 11.2.6
- [nscl] Various webgl blocking enhancements
- Remove also sticky-positioned elements with click+DEL on scriptless pages
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it,ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fied race condition causing eternal CSS not to be rendered sometimes when unrestricted CSS is disabled
- Avoid document rewriting for noscript meta refresh emulation in most cases
- [nscl] Fied HTML pages broken when served with application/ml MIME type and no "object" capability
- [nscl] Switch early content script configuration to use /nscl/service/DocStartInjection.js
- Configurable "unrestricted CSS" capability to for sites where the CSS PP0 mitigation should be disabled (e.g TRUSTED)
- [nscl] Fi CSS PP0 mitigation still interfering with some WebEtensions
- [SS] Increased sensitivity and specificity of risky operator pre-checks

NoScript for Firefox 11.2.4
- CSS resources prefetching as a mitigation against CSS PP0
- [L10n] Updated br, de, el, es, fr, he, is, nl, pl, pt_BR, Ru, sq, tr, zh_CN
- [nscl] Inteception of webgl context creation in OffscreenCanvas too
- Fixed configuration upgrades not applied on manual updates (thanks Nan for reporting)
- Mitigation for misbehaving pages repeating failed requests in a tight loop
- [UI] More understandable label for the cascading Restrictions option
- [nscl] More refactoring out in NoScript Commons Library
- [nscl] patchWindow improvements

NoScript for Firefox 11.2.3
- Purged non-inclusive terms from obsolete messages
- Added red halo feedback in CUSTOM preset for noscript
- Element capability
- Fixed missing red halo feedback in CUSTOM preset for
- Inline scripts and other capabilities sometimes
- Fixed race condition causing noscript elements not to be
- Rendered sometimes

NoScript for Firefox 11.2.2
- Fixed typo in version checked on noscript capability update
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW.

NoScript for Firefox 11.2
- [XSS] New UI to reveal and selectively remove permanent user choices
- [L10n] Updated de
- Webgl hook refactored on nscl/content/patchWindow.js and made Chromium-compatibile
- Updated TLDs

NoScript for Firefox 11.1.9
- Return null when webgl is not allowed
- [SS] Fied memoization bug resulting in performance degradation on some payloads
- [SS] Include call stack in debugging log output
- [SS] Skip naps when InjectionChecker runs in its own worker
- Shortcut for easier SS filter testing
- More lenient filter to add a new entry to per-sitepermissions
- [L10n] Updated de
- Replace script-embedded bitmap with css-embedded SVG as the placeholder logo
- Updated TLDs
- Remove source map reference causing console noise
- Fi per-site permissions UI glitches when base domain is added to eisting subdomain

NoScript for Firefox 11.1.8
- [XSS] Fix for old pre-screening optimization exploitable
- To bypass the filter in recent browsers
- Replace DOM-based entity decoding with the he.js pure JS Library
- Updated copyright statement
- Updated browser-polyfill.js
- Removed obsolete fastclick.js dependency [l10n] Updated de Updated TLDs

NoScript for Firefox 11.1.7
- Optimize serviceWorker tracking for heavy tabs usage
- Force placeholder visibility on Youtube embeddings
- Fixed popup opening being slowed down if options UI is
- Opened (thanks Sirus for report)
- Explicit failure for wrong settings importation formats
- Updated TLDs

NoScript for Firefox 11.1.6
- Better handling of concurrent prompts issues
- Remove z-index boosting from ancestors when placeholder is Collapsed or replaced
- Fixed permission keyboard shortcuts being triggered with Modifiers like CTRL
- More accurate blockage reporting, with better filtering of Page's own CSP effects
- [UI] Fixed bug in CUSTOM sites filtering
- Fixed bug in automatic HTML events build-time updates
- Updated HTML events
- Updated TLDs
- [L10n] Updated sv_SE Better handling 0 width / 0 height media placeholders

NoScript for Firefox 11.1.5
- Updated TLD
- Fixed potential infinite loop via DOMContentLoaded
- Work-around for Firefox 82 media redirection bug
- Updated TLDs

NoScript for Firefox 11.1.4
- Fixed sloppy CSP media blocker detection breaking MSE blob: media placeholders on Chromium
- Fixed race condition causing temporary settings not to
- Survive updates sometimes
- Updated TLDs
- [Mobile] Improved prompts appearance on Android

NoScript for Firefox 11.1.3
- Fixed regression: document media and font restrictions always cascaded (thanks BrainDedd for report)
- Remove domPolicy logging when debugging is off
- Trivial reordering from Mozilla source
- Updated TLDs

NoScript for Firefox 11.1.1
- Updated TLDs
- Better heuristic to figure out missing data while computing contetual policies
- Fied regression breaking per-tab restrictions disablement (thanks Horsefly for report)

NoScript for Firefox 11.0.46
- Updated TLDs
- [L10n] Updated is
- Fixed file:// and ftp:// specific content scripts not runnning in subdocuments
- Fixed deferred scripts in file:// pages may run twice (issue #155)
- Fixed rendering bug with scrolled file:// pages on soft reload (thanks Iouri for report)
- Fixed 11.0.44 regression: ghost media item reported on every page
- Better emulation of SVG events

NoScript for Firefox 11.0.44
- Dispatch synthetic SVGLoad event in soft load when needed
- [L10n] Updated da, es
- Fixed namespacing issues with script replacements
- Fixed media placeholder not shown when blocking Youtube
- Movies
- Work around for unpredictable content script execution
- Order
- Ensure content of NoScript prompts is always visible
- Fixed soft reload messing with non UTF-8 encodings (thanks
- "Quest" for reporting)
- Updated TLDs
- [XSS] Fixed escape detection bug causing strage false
- Positives (thanks Dave Howorth for report)

NoScript for Firefox 11.0.43
- Fix for some race conditions causing corruptions in non-HTML non-XML documents

NoScript for Firefox 11.0.42
- Avoid useless "seen" reports from onBeforeRequest()
- Catch broadcast messaging errors
- Make tag push even already created tags
- Updated TLDs
- Work-around for applying DOM CSP to non-HTML XML documents
- Document freezing to handle SVG and other XML documentsas a fallback before CSP insertion

Refactored and improved syncFetchPolicy fallback for file:
- and ftp: special cases

NoScript for Firefox 11.0.41
- More precise event suppression mechanism
- Fixed regression: events suppressed on file:// pages
- Unless scripts are allowed
- Updated TLDs

NoScript for Firefox 11.0.40
- Avoid synchronous policy fetching whenever possible (fixes multiple issues)

NoScript for Firefox 11.0.39
- Fix reload loops on broken file: HTML documents
- [XSS] Updated HTML event attributes
- Local policy fallback for file: and ftp: URLs using rather than sessionStorage
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Added "Revoke temporary permissions on NoScript updates, even if the browser is not restarted" advanced option
- Let temporary permissions survive NoScript updates (shameless hack)
- Fixed some traps around Messages abstraction
- Ignore search / hash on policy matching of domain-less URLs (e.g. file:///...)
- Updated TLDs
- Fixed automatic scrolling hampers usability on long sites lists in popup
- Better timing for event attributes removal/restore
- Work-arounds for edge cases in synchronous page loads bypassing webRequest

NoScript for Firefox 11.0.38
- Better timing for event attributes removal/restore
- Work-arounds for edge cases in synchronous page loads
- Bypassing webRequest
- [L10n] Updated bn

NoScript for Firefox 11.0.37
- Simpler and more reliable sendSyncMessage implementation and usage
- sendSyncMessage support for multiple suspension requests (should fix extension script injection issues)
- Updated TLDs

NoScript for Firefox 11.0.36
- Fixed regression: temporary permissions revocation not working anymore on privileged pages
- SendSyncMessage script execution safety net more compatible with other extensions (e.g. BlockTube)

NoScript for Firefox 11.0.35
- Avoid unnecessary reloads on temporary permissions revocation
- [UI] Removed accidental cyan background for site labels
- [L10n] Updated es
- Work-around for conflict with extensions inserting elements into content pages' DOM early
- [XSS] Updated HTML events
- Updated TLDs
- Fixed buggy policy references in the Options dialog
- More accurate NOSCRIPT element emulation
- Anticipate onScriptDisabled surrogates to first script-src none' CSP violation
- isTrusted checks for all the content events
- Improved look in mobile portrait mode
- Let SyncMessage prevent undesired script execution scheduled during suspension

NoScript for Firefox 11.0.34
- Fixed regression breaking network-based CSP injection

NoScript for Firefox 11.0.33
- Switch from HTTP to DOM event based CSP reporting in Compatible browsers
- [XSS] Updated HTML event attributes
- Updated TLDs

NoScript for Firefox 11.0.32
- [L10n] Updated it, mk, sv_SE
- Fixed setting CUSTOM permissions in private mode may cause
- The TRUSTED preset to become temporary
- Updated TLDs
- [XSS] Updated HTML 5 events support
- More compact high contrast appearance

NoScript for Firefox 11.0.31
- Focus "OK" button on dialog-mode UI
- Fixed various toolbar buttons DnD issues
- Updated TLDs
- [L10n] Updated bn, br, ca, da, de, el, es, fr, he, is, it, ja, lt, mk, ms, nb, nl, pl, pt_BR, ru, sq, sv_SE, tr, zh_CN, zh_TW
- Fixed very low contrast HTTPS-only label in High Contrast mode

NoScript for Firefox 11.0.29
- Consistent focus appearance across desktop and mobile
- Fixed regression on Firefox 68 for Android: UI cannot be closed

Join our mailing list

Stay up to date with latest software releases, news, software discounts, deals and more.