Quick Links

NoScript was considered, by many Firefox users, a must-have extension, and it's now available for the new Firefox Quantum. But what is NoScript, why do so many people swear by it, and should you use it?

NoScript is, essentially, a Firefox add-on that disables things like JavaScript from running on web sites you visit. So before we talk about NoScript, we should actually talk about JavaScript: the programming language that makes the web we have today possible.

What Is JavaScript?

JavaScript is a programming language commonly used on web pages (among other things). JavaScript was initially pretty basic, and was used for things like alert boxes and menus that appeared when you hovered your mouse over elements on the page. However, JavaScript has become much more than that. It’s the language that powers modern web apps, allowing web pages to dynamically load and send content in the background without page loads and do other dynamic, interactive things. Most websites use JavaScript to provide various features.

Note that JavaScript isn’t the same thing as Java. JavaScript and Java aren’t really related at all, aside from the name (which was chosen for marketing reasons). JavaScript is built into your web browser---Chrome, Firefox, Internet Explorer, Safari, and Opera all have their own JavaScript engines. It’s not an insecure plug-in produced by a single company, like Java is. JavaScript isn't the big security threat that Java was.

Why Do People Want to Disable JavaScript?

There is a small but vocal subset of users that disable JavaScript. Many of these people do so because of a perceived security benefit. There have been a few browser vulnerabilities that were exploited via JavaScript. However, this is extremely uncommon and the rare security holes in JavaScript engines have been patched very quickly. Most websites use JavaScript---it’s what makes the web we have today possible.

Disabling JavaScript also prevents some types of ads from loading. We don’t encourage blocking ads, but if you must, there are better ways to do so than disabling JavaScript altogether.

Lastly, disabling JavaScript will take up less CPU and RAM on your computer, which is to be expected. If you run something super basic, it'll take up fewer resources. But if your computer is so old that it can't handle modern websites, it may be time to upgrade it---as the web improves, it needs more resources to do what it does, just like any other program on your computer.

The Problem: Disabling JavaScript Breaks a Lot of the Web

Unfortunately, that all sounds nice, but it's much more of a hassle than it seems. If you disable JavaScript, many websites won’t work properly. This is particularly true for web apps like Gmail, Facebook, and Google Docs, but it’s also true for other websites as well (including news sites like the one you're reading right now). Disabling JavaScript may break the ability to log in, post comments, or dynamically request content, which has become incredibly common on the web today.

For example, when you perform a search on Google Images, you can keep scrolling down to view more images without having to reload the page. Google is using JavaScript to dynamically request new images and add them to the current page. When you click an image, you will see a larger in-line popup with that image. You don’t have to wait for a new web page to load---it all happens on the current web page without any obnoxious load times.

If you disabled JavaScript, you would have to click “next” over and over to view more images. When you clicked an image, you would have to load a new page entirely. The nicer interface above requires JavaScript to make its various features work.

This is just one example---many other features on websites use JavaScript. Some websites don’t even provide fallback pages that function without JavaScript.

If you disable JavaScript, you may be unable to use certain features on a website. In other cases, the website may even break completely, or you'll be stuck using an incredibly old version of the page. For example, Gmail offers a very basic plain HTML mode for people with JavaScript disabled.

NoScript Aims to Make Disabling JavaScript Easier...but It's Still a Hassle

Modern web browsers have an option to disable JavaScript entirely, just as they have the option to disable images and other web features. In Chrome, you'll find this under Settings > Privacy and Security > Content Settings > JavaScript. You can allow or block certain sites individually here if you'd rather not block JavaScript on every single site.

Firefox's options are more limited, so it requires an add-on like NoScript for more fine-grained control. NoScript creates a shortcut that allows you to selectively enable JavaScript on certain websites, as opposed to blocking it everywhere. It also claims to block plug-ins like Flash and Java, though Java isn't allowed in browsers anymore, and Flash needs to be allowed manually on each site you visit by default.

Here's the thing: NoScript might seem like a convenient compromise, since you can allow JavaScript on the sites you visit regularly. But it still breaks most of the web by default, and requires too much effort to micromanage your whitelist. So much of the internet uses JavaScript that you'll constantly be stumbling across websites that don't work properly until you whitelist them. If you end up whitelisting most of the sites you visit just to get them working, what's the point of having NoScript in the first place?

You Probably Don't Need to Disable JavaScript

With that in mind, we recommend against disabling JavaScript, unless you have a really good reason to (like your job requires it). It’s a widely used language that makes the web what it is today, allowing for websites to be more responsive, dynamic, and interactive. Disabling JavaScript takes websites back to a time when they were simple documents without any other features. While some people may long to return to that time, that’s not the web we live on anymore, and most people do not need to take such drastic action for a small perceived benefit.

There have certainly been a few cases where disabling JavaScript could have blocked a new security vulnerability from being exploited, but those have been rare and fixed quickly.

Meanwhile, there have been other cases where browsers themselves were exploited and disabling JavaScript didn’t help. To protect against such attacks, we could stop using browsers entirely, downloading web page HTML files and reading them by hand in a text editor. But we don’t. The small risk of using a web browser instead of a text editor is worth the huge improvement in usability a browser offers. The same is true for JavaScript---leaving it enabled is a very small risk for a very big benefit.

Of course, your browser is yours. You have the ability to control what it does---you could even disable all images entirely and browse the web in text format, if you want. You could disable Flash entirely and never watch videos online. You could use a text-mode browser like w3m in the terminal instead of using a graphical browser. But do you?


The choice is ultimately up to you, but we recommend you leave JavaScript enabled and don’t worry about it. Your life will be much easier. Just keep your browser up to date and run some good anti-malware software and you'll be pretty safe.