Limitations

Current NotScript Limitations

NotScripts for Google Chrome helps you be safer and more secure on the web by limiting what third-party javascript, iframes, and plugins can run when used in conjunction with Google Chrome’s built-in tools. Because of the way the Google Chrome extensions API is structured, there are some limitations to NotScripts, and these instructions will help you understand them.

Before NotScripts, it was not possible for a Google Chrome extension to provide a workable method of script/iframe/plugin blocking with whitelisting capabilities on the same level as that of the popular “NoScript” addon that Firefox users have. Even the methods used by adblock-type extensions are not good enough to avoid breaking many sites when used for this purpose. This is due to the asynchronous nature of Google Chrome extensions, where synchronous methods are avoided for performance reasons. NotScripts changes this by cleverly using HTML5 storage caching to overcome the timing issues.

Please note that NotScripts is not a guarantee of security and users should always practice secure web surfing habits. Currently NotScripts does not provide advanced protection for things such as clickjacking and other methods found in the “NoScript” addon for Firefox and a malicious website may still be able to successfully use such techniques.

However, there are 3 main issues with NotScripts at the moment in order of importance:

[1] Blocking Deprecated <APPLET></APPLET> Elements

NotScripts can block plugins like Flash and Silverlight. However, Java applets are a special case. Java applets embedded with the standard <EMBED></EMBED> or <OBJECT></OBJECT> tags can be blocked, but Java applets embedded with the old, deprecated <APPLET></APPLET> tags cannot be blocked because Google Chrome does not fire load events for this legacy method. The current workaround is to disable Java in your browser until this can be fixed.

[2] Inline Scripts

All scripts loaded from a source location (the vast majority) can be blocked. However, inline scripts that are directly written into the HTML code of a web page cannot be blocked by NotScripts because Google Chrome does not fire load events for them.

For example: <script src="http://example.com/aScriptFile.js"></script> can be blocked without any issues. However, <script>alert("Hello, World!");</script> written directly into the HTML code by the site you are visiting cannot be blocked by NotScripts because it is not loaded from anywhere; it is a direct part of the web page you view. These inline scripts are usually useful and are often required for a site to function properly.

If you want to, you can set Google Chrome to deny javascript for all sites and use NotScripts to selectively pick the scripts to run on sites you enable javascript on.

UPDATE: As of NotScripts V0.9.2 there is some inline script mitigation as a stop gap measure.
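To make the distinction concrete, here is an added example (not NotScripts code) that scans a page's HTML and reports which script elements an extension like NotScripts can act on (external scripts with a src, grouped by host, which is the granularity of the whitelist) and which it cannot (inline script bodies, for which Chrome fires no load event). The sample page and the hostnames in it are constructed for the demonstration.

```javascript
// Added example, not part of NotScripts: classify <script> elements into
// external ones (have a src URL, so the browser fires a load event an
// extension can intercept) and inline ones (body embedded in the page, no
// load event, so NotScripts cannot block them). External scripts are
// grouped by host because the NotScripts whitelist is per host, not per URL.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function classifyScripts(html, pageUrl) {
  const inline = [];      // script bodies that cannot be blocked
  const external = {};    // host -> list of absolute script URLs
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = SRC_RE.exec(attrs);
    if (!src) {
      // No src attribute: inline script, a direct part of the page.
      inline.push(body.trim());
      continue;
    }
    // Resolve relative src values against the page URL, as the browser does.
    const url = new URL(src[1] || src[2] || src[3], pageUrl);
    (external[url.host] = external[url.host] || []).push(url.href);
  }
  const pageHost = new URL(pageUrl).host;
  // Hosts other than the page's own are the ones the user would whitelist
  // or block individually.
  const thirdPartyHosts = Object.keys(external).filter((h) => h !== pageHost);
  return { inline, external, thirdPartyHosts };
}

// Constructed sample page: one first-party script, three third-party
// scripts from two hosts, and two inline scripts.
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="http://example2.com/widget.js"></script>
<script src='http://example2.com/tracker.js'></script>
<script type="text/javascript">alert("Hello, World!");</script>
</head><body>
<script src=http://example3.com/ads.js></script>
<script>var inlineConfig = { ads: true };</script>
</body></html>`;

const report = classifyScripts(SAMPLE_HTML, "http://www.example.com/index.html");
console.log(JSON.stringify(report, null, 2));
```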

[3] Caching Reloads

When you visit a web site for the first time with scripting enabled, you may see NotScripts quickly reload it once as it caches the whitelist and refreshes. Subsequently, there is no reloading needed unless you happen to change a part of your whitelist that directly affects the site. This is only a minor issue and happens less and less as NotScripts learns your desired whitelist.


11 Comments »

  • Optimal Cycling Project » Blog Archive » A Possible Fix for Inline Script Blocking in NotScripts said:

    [...] you read the Limitations page for NotScripts, you will see that it mentions NotScripts can’t block inline scripts for now. [...]

  • anonymous said:

    Hi,

    I think it’s very useful that you coded this great instrument. Finally something to block unwanted scripts exists for Google Chrome too!
    Thank you!

    I have a question though: is there a way to block a single script and not every script a page loads? I mean, if a page loads five scripts for various functions, can I block them one by one or I can only allow/block the whole list of scripts from that page?

    Thanks in advance

  • ericwong said:

    @anonymous, if the scripts come from different websites then you can. Example, say you are on http://www.example.com. If example.com loads scripts from example2.com, example3.com, and example4.com, then you can choose to block from each of those sites individually.

    If you are thinking of blocking individual scripts from a single domain that loads multiple ones from the same site, like choosing individual ones from example2.com while you are on example.com, then that’s not possible right now because the whitelist could get large very quickly due to the need to record the complete url of every individual script.

  • Michael Waddell said:

    I know that NotScript is prevented from doing something as complicated as what NoScript does for clickjacking prevention, but what about incorporating something simpler?

    I’ve written the following userscript that passes all of the clickjacking examples that I can find online:

    http://userscripts.org/scripts/show/94123

    It should stop all but the most sophisticated clickjacking attempts (i.e. 99.9% of them).

    -Michael

  • Eight Excellent Chrome Security and Privacy Extensions to Get You Through a Peaceful Spring Festival - Chrome.So | Focused on Google Chrome and Chrome OS said:

    [...] Chrome places some restrictions on extensions, so NotScripts also has some limitations, but its functionality is already very close to that of the Firefox [...]

  • Eight Excellent Chrome Security and Privacy Extensions to Get You Through a Peaceful Spring Festival « 细节的力量 said:

    [...] Chrome places some restrictions on extensions, so NotScripts also has some limitations, but its functionality is already very close to that of the Firefox [...]

  • Eight Excellent Chrome Security and Privacy Extensions | ITGeeker技术奇客 said:

    [...] Chrome places some restrictions on extensions, so NotScripts also has some limitations, but its functionality is already very close to that of the Firefox [...]

  • Joan T. said:

    Eric, will the fixing of this bug allow you to improve NotScript to feature parity with NoScript?

    https://code.google.com/p/chromium/issues/detail?id=60101

    These limitations are the main reason I still won’t move to Chromium as a default browser.

    A refresh of this page based on your latest outlook would be most welcome.

  • Lon Knaebel said:

    Failure does not mean you are a failure it really means have not succeeded yet.
    Inside every working anarchy, there’s a classic Boy Network.

  • The Top 8+ Security & Privacy Extensions For The Chrome Browser | betaSir - We love software said:

    [...] has some limitations because of Google Chrome’s plug-in architecture, but it functions similarly to NoScript on [...]
