What's

[Image: NoScript Mobile UI]

NoScript Anywhere (NSA) is the nickname for the next major iteration of the NoScript security add-on (NoScript 3), whose guts are being turned upside down in order to match Mozilla's Electrolysis multiprocessing architecture and to port it to Firefox Mobile, available on Android and Maemo smartphones and tablets.

This open source (GPL) effort started at the very beginning of 2011, and is partially funded by the NLNet Foundation.

NoScript 3 alpha 9, available on Firefox Mobile for Android and Maemo, offers all the major security features of "classic" NoScript:

  1. Easy per-site active content permissions management.
  2. The first and most powerful anti-XSS (cross-site scripting) filter available in a web browser.
  3. ClearClick, the one and only effective client-side protection against Clickjacking.
  4. ABE (App Boundaries Enforcer), a true webapp firewall inside your mobile browser to protect your router and web applications against CSRF and DNS rebinding attacks.

[Image: ClearClick anti-Clickjacking protection on Android]

NoScript 3.x is implemented as a restartless add-on for Firefox Mobile, meant to explore the issues and challenges that the Electrolysis multiprocessing architecture poses to a NoScript port.

It also features a new page permission editing UI, specifically redesigned for smartphone usage and easily accessible by tapping on a navigation bar icon.

Once installed (with no need to restart the browser), it blocks every script and embedded object (plugin content and iframes) unless the resource being loaded is whitelisted.

NSA's whitelist is implemented as a JSON map, having domains or URL prepath components as its keys and custom permission sets (or references to the TRUSTED and UNTRUSTED predefined permission sets) as its values (references are serialized as 0 for UNTRUSTED and 1 for TRUSTED).

When a domain (noscript.net) and a related subdomain (e.g. www.noscript.net) or full URL prepath (http://noscript.net) are both present, the most specific entry is picked for permission matching.

[Image: NoScript's XSS Filter on Android]

The sample default policy, in its serialized form (shown here with explanatory comments, which are not part of the stored JSON), looks like:

{
  "UNTRUSTED":{}, // empty permission set: everything denied
  "TRUSTED":{
    "js": true,
    "java": true,
    "flash": true,
    "silverlight": true,
    "plugin": true,
    "frame": true,
    "font": true},
  "DEFAULT":{"frame": true}, // default deny, except for frames
  "mozilla.org":1, // reference to TRUSTED
  "mozilla.com":1,
  "mozilla.net":1,
  "noscript.net":1,
  "flashgot.net":1,
  "mail.google.com":{ // custom permission set
    "js":true,
    "flash":true,
    "frame":true},
  "doubleclick.net":0 // reference to UNTRUSTED
}
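The following is an added example, not NoScript's own code, of how a policy map in the shape described above can be resolved for a given URL: the candidate keys are tried from most specific (scheme://host) to least specific (parent domains), 0/1 values are dereferenced to the UNTRUSTED/TRUSTED presets, and DEFAULT applies when nothing matches. The policy object is constructed for this example (the "http://noscript.net" prepath entry is added to show prepath-over-domain matching), and the candidate order and function names are assumptions based on the page's description.

```javascript
// Added example (not NoScript's own code): resolving a URL's permissions against an
// NSA-style policy map. Key names and the candidate order are assumptions based on
// the page's description: the most specific entry wins, DEFAULT otherwise.

// Constructed sample policy, modelled on the page's default policy. The
// "http://noscript.net" prepath entry is added here to show that a prepath key
// takes precedence over the plain domain key for matching URLs.
const SAMPLE_POLICY = {
  UNTRUSTED: {},
  TRUSTED: { js: true, java: true, flash: true, silverlight: true, plugin: true, frame: true, font: true },
  DEFAULT: { frame: true },
  "mozilla.org": 1,
  "noscript.net": 1,
  "http://noscript.net": { js: true, frame: true },
  "mail.google.com": { js: true, flash: true, frame: true },
  "doubleclick.net": 0,
};

// 1 and 0 are serialized references to the TRUSTED and UNTRUSTED presets;
// anything else is an inline custom permission set.
function resolvePermissions(policy, entry) {
  if (entry === 1) return policy.TRUSTED;
  if (entry === 0) return policy.UNTRUSTED;
  return entry;
}

// Candidate keys for a URL, most specific first: the prepath (scheme://host[:port]),
// then the full host name and each parent domain, stopping before the bare TLD
// (a single-label host such as "localhost" is still tried as a key).
function candidateKeys(url) {
  const u = new URL(url);
  const keys = [`${u.protocol}//${u.host}`];
  const labels = u.hostname.split(".");
  const stop = labels.length > 1 ? labels.length - 1 : labels.length;
  for (let i = 0; i < stop; i++) keys.push(labels.slice(i).join("."));
  return keys;
}

// hasOwnProperty keeps inherited Object keys (e.g. "constructor") from ever
// matching a host name, which a plain policy[key] lookup would allow.
function lookupPolicy(policy, url) {
  for (const key of candidateKeys(url)) {
    if (Object.prototype.hasOwnProperty.call(policy, key)) {
      return { key, perms: resolvePermissions(policy, policy[key]) };
    }
  }
  return { key: "DEFAULT", perms: policy.DEFAULT };
}

// Default deny: a content type loads only if the matched set grants it explicitly.
function isAllowed(policy, url, type) {
  return lookupPolicy(policy, url).perms[type] === true;
}

// Usage: which rule applies to a few constructed URLs, and whether script may run.
for (const url of ["https://www.mozilla.org/", "http://noscript.net/", "https://ads.doubleclick.net/", "https://example.com/"]) {
  const { key } = lookupPolicy(SAMPLE_POLICY, url);
  console.log(url, "->", key, "js:", isAllowed(SAMPLE_POLICY, url, "js"));
}
```

Note that the lookup is per resource origin, not per hosting page: the hierarchical, page-dependent permissions the page mentions as a desktop-only feature would need a second key dimension on top of this map.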

This is a very flexible format, which allows fine-grained permission management to a much higher degree than current desktop NoScript.

However, the mobile-focused UI concentrates on making "normal" usage at least as easy as it is in NoScript today, whereas more advanced options (per-site granular permissions, hierarchical permissions depending on the hosting page and so on) will be available in the desktop UI and synchronizable with the mobile device via Firefox Sync.

NoScript 3.x also introduces convenient Permissions Presets, which are offered for choice on first run and can be switched at any time:

[Image: Configuration presets]

Download

Download NSA (NoScript 3 alpha) for Firefox Mobile.

Roadmap

 #  Milestone                                                             Start Date  End Date
 1  Architectural assessments & prototyping                               2011-01-03  2011-02-02
 2  Scripting Permissions Management                                      2011-02-02  2011-03-03
 3  UI design and implementation                                          2011-03-03  2011-04-01
 4  XSS Filter                                                            2011-04-01  2011-05-02
 5  Content (Un)blocking UI (Placeholders)                                2011-05-02  2011-05-31
 6  ClearClick                                                            2011-05-31  2011-06-24
 7  Mobile-friendly Setup Interface                                       2011-06-24  2011-08-24
 8  Remote Synchronization                                                2011-08-01  2011-09-19
 9  ABE and beyond (Script Surrogates, toStaticHTML, links emulation...)  2011-08-15  2011-10-14