
NoScript Not Available for Latest Firefox - Amezarak
https://noscript.net/
======
0xcde4c3db
It's probably better to go straight to the blog post about the migration:

[https://hackademix.net/2017/11/14/double-
noscript/](https://hackademix.net/2017/11/14/double-noscript/)

Basically, the work to adapt NoScript and correspondingly expand the
WebExtensions API has been going on for years, the original plan was to have a
smooth transition when Firefox 57 came out, but there were some delays in the
final days leading up to the release. Not recommended to stay on Firefox 56
because it won't get security patches; move to 52 ESR instead.

~~~
shock
Moving to Firefox 52 isn't really an option for me because it's a pig compared
to 55/56 (it consumes almost 5GBs of RAM compared to 1GB for 56).

~~~
sp332
I think you can switch to an unbranded build of 57, and enable legacy addons.
[https://wiki.mozilla.org/Add-
ons/Extension_Signing#Latest_Bu...](https://wiki.mozilla.org/Add-
ons/Extension_Signing#Latest_Builds) You could also install the Developer
Edition or a Nightly build. They're slightly less stable (usually pretty good
for me) but they have the same option. [https://www.mozilla.org/en-
US/firefox/channel/desktop/](https://www.mozilla.org/en-
US/firefox/channel/desktop/)

~~~
sebazzz
> enable legacy addons

Does that mean the XPCOM system has just been flagged as disabled, but not
been removed yet?

~~~
bzbarsky
Various stuff has been removed. Other things have not been removed yet. You
can see
[https://bugzilla.mozilla.org/showdependencytree.cgi?id=13475...](https://bugzilla.mozilla.org/showdependencytree.cgi?id=1347507&hide_resolved=1)
for a non-exhaustive list of things that can definitely be removed but haven't
been yet.

------
amenod
I upgraded to Firefox 57 only to find all 4 of my extensions missing... I can
live without others, but being without NoScript felt like walking on streets
naked. So the first thing I did was downgrade to Firefox ESR, then I started
looking for alternatives. Turns out that uMatrix fills this role perfectly
(for me of course). Not only can I block/allow JS, CSS and similar resources,
but I can do it based on domain / 3rd party domain matrix... Nice, I always
hated that when I allow `gstatic.com` in NoScript for some domain it is
allowed globally (for all domains). I will test uMatrix for a few more days
just to see if I feel comfortable without NoScript, then I'll upgrade back to
FF 57. It looks like this might have a silver lining after all. :)

(for the record: I hate it that they broke compatibility with older
extensions, and I hate that they changed UI, but if that gives FF greater
market share, then I'm all for it)

~~~
jchw
Killing the old extension API is a painful, but important, step.

From a security standpoint, WebExtensions are a lot better, since they are
sandboxed and require explicit permissions to be granted for many things.

From a developer standpoint, they are easier to deal with, being JavaScript,
and since Chrome and Edge support similar APIs, developers will no longer need
multiple codebases to support their extensions on multiple browsers.

They also work better with a highly concurrent browser. They use asynchronous
APIs that don't directly call into browser APIs. FFs old extensions were known
for leaking memory, which is a lot less of an issue with WebExtensions.

Compatibility is another huge thing. With old Firefox extensions,
compatibility was just an extension author saying, "Yep, the APIs still work
the way I'm using them." They often broke in subtle ways and you could get
them partially working by overriding the versions supported in the extension
manifest. Not so great imo. WebExtension APIs are more or less like JavaScript
APIs and compatibility is mostly going to be limited by support for
capabilities. Like, I'm sure Firefox does not support the USB API that Chrome
does.

There's so much to be gained from getting rid of the old extension system for
concurrency, extension compatibility, and the health of the ecosystem and
individual browser installations. Many will be angry and stick to ESRs and
others will be mildly upset but I think in the long run this will have been
one of the better Mozilla decisions that make Quantum a success.

~~~
eadmund
> From a security standpoint, WebExtensions are a lot better, since they are
> sandboxed

In a sandbox even I, as the owner of the computer, can't let them out of.
That's not cool.

> From a developer standpoint, they are easier to deal with, being JavaScript,
> and since Chrome and Edge support similar APIs, developers will no longer
> need multiple codebases to support their extensions on multiple browsers.

In the sense that it's no longer possible to do the things one could do with a
Firefox codebase.

I own my computer, and my browser; Mozilla have taken away the ability for me
to extend my computing environment (without reïmplementing it all myself).

~~~
jchw
>In a sandbox even I, as the owner of the computer, can't let them out of.
That's not cool.

Good software doesn't easily let you shoot yourself in the foot. It turns out
if you allow it, people will do it. There exists software that does let you
shoot yourself in the foot, but Firefox is designed for the mass market, not a
specific niche. It's the only serious competitor to Chrome.

NPAPI is also gone. Not behind a flag, the code to support it is gone. It was
broken, and so was the old extension API. It's about time for the majority of
users to move on.

>In the sense that it's no longer possible to do the things one could do with
a Firefox codebase.

This doesn't make any sense. You can do the same things you could do with the
Firefox codebase before: download it, modify it, redistribute it. The runtime
is what you're thinking of, and you were never guaranteed any abilities with
regards to the runtime; you just got used to them, then they changed. This
happened a few times with Firefox before, so it's not really clear how this
update is much different.

>I own my computer, and my browser; Mozilla have taken away the ability for me
to extend my computing environment (without reïmplementing it all myself).

Firefox is not your "computing environment." You're free to remove Firefox
from your computing environment, or use an ESR release of Firefox and still
get security updates with your old extensions, or use a fork of Firefox, of
which there are a few to choose from.

Even so, it's depressing that every time a breaking change happens, even one
like this that's 2 years in the making, the same responses happen: weird
arguments about entitlement and a lot of looking toward the past.

Why not look toward the future? If you relied on an extension and now it's not
possible with WebExtensions, it would help a lot of people out if bugs were
filed and features were requested to bridge the gap. It's clear that there's
overwhelming reasons to continue down the WebExtensions path, and whether
people like it or not it's definitely going to be the only option in the
browser you use in a few short years. So it's in our best interests to push
for WebExtensions to meet the needs of extensions rather than make pointless
arguments for decisions that were made a long time ago and have no chance of
being reverted.

------
user98793728364
The correct title should be "NoScript Not YET Available for Latest Firefox"

~~~
el_benhameen
Yeah, when I saw the title and that the link was to the noscript site, I
thought there must be some bad blood or something between Mozilla and
noscript. Instead it’s just a polite “hey everyone, working hard!”. Which is
great, but not really what the title indicates.

------
vesinisa
uMatrix is a replacement extension from the creator, and compatible with,
uBlock. uMatrix migrated to Quantum leveraging the existing Chrome codebase
already about a month ago:
[https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

Some learning curve is required compared to NoScript since uMatrix allows even
finer grained control (not just scripts, but images, cookies, iframes and XHR
as well), but I personally migrated about a year ago successfully. Very happy
with uMatrix so far with the latest Firefox.

~~~
forapurpose
To add some important points:

> uMatrix is a replacement extension from the creator, and compatible with,
> uBlock.

To avoid any confusion, I think the parent means, 'from the creator _of_ ...
uBlock'. uMatrix is not by the creator of NoScript.

Also, blocking just JavaScript is quicker and easier in uMatrix (at least
easier than the current NoScript; I don't know about the upcoming version).
The UI is far more efficient, and you configure it by origin/remote pairs
(e.g., on foo.example.com allow googleapis.com; on other example.com hosts,
block it; on example.org allow it everywhere).

But NoScript does far more than block JavaScript; it's a sophisticated
firewall, in some ways. Look through the options menus and lookup the
features, such as ABE; it's impressive. uMatrix doesn't replace much of that
functionality.

~~~
vesinisa
Thank you, dropped an _of_ there indeed.

For me personally, #1 reason for using NoScript was controlling which domains
can execute JS. uMatrix delivers that superbly, and more.

Sadly, ever since NoScript started pushing malware[1] to users with every
update, I lost all confidence with the author for securing my browsing
experience.

[1]:
[https://liltinkerer.surge.sh/noscript.html](https://liltinkerer.surge.sh/noscript.html)

------
mrich
The plugin breakage is the only downside of the new Firefox, the rest is just
awesome.

I'm still looking for a new auto form filler that can have multiple profiles
and fills in all fields at once with a hotkey. This is useful for filling in
bugzilla bug reports where some fields always get the same data.

~~~
Endy
"The only downside" Sure. Aside from the number of other extensions that
simply won't work in new Firefox. And the lack of any user control to make the
browser not work like or look like Chrome.

~~~
babuskov
And the fact that today was the first time I have seen Firefox crash after 3+
years of heavy everyday usage. Luckily I didn't "upgrade" Firefox on my main
machine. I'm staying away from 57 until they get it together.

------
old-gregg
I've always used YesScript, it has a much simpler UI -> basically a single
button which remembers if JS is on/off for a given site. It's always been
puzzling to me why YesScript is less popular... And yes, it's available for
the latest FF as YesScript2 [1]

[1] [https://addons.mozilla.org/en-
US/firefox/addon/yesscript2/](https://addons.mozilla.org/en-
US/firefox/addon/yesscript2/)

~~~
TheDong
"YesScript" is significantly less secure and powerful.

Most importantly, with NoScript I can block tracking and ad-related javascript
while still running the page's first-party javascript.

With yesscript, I don't get that granularity.

Perhaps that's why it's less popular. I also believe that it came out later
and thus hasn't had the time to gather such a following as noscript has
(though who would use a worse version of noscript instead?)

~~~
log69
Hi, I'm the developer of YesScript2 and I've just released a new version with
3 state blocking that makes it even better alternative I believe because you
have 3 options: 1) no blocking (grey icon) 2) half blocking (allowing internal
scripts and blocking external, blue icon, so you can allow now first-party
Javascript as you mentioned) and full blocking (blocking internal and external
scripts too, red icon).

------
Asdfbla
While I can understand that the switch to the new system was necessary, I hope
they improve the new extension functionality a bit further.

One negative thing that I noticed that extensions don't seem to be able to
interact with the tabs before those have largely (or completely?) loaded - for
instance I can't use mouse gestures in a tab that's currently loading or
interact with the vimperator replacement (Vim Vixen). Is that inherent to the
new system with the extension system having lower priority than the page
rendering or is it just those specific extensions I use?

Another thing that would be nice to fix is extensions (at least those that I
have tested) seemingly not working in Firefox-internal pages like
about:addons.

------
ryuuchin
uBlock Origin and uMatrix can both do the same thing and are compatible.

This is just my opinion but both have better and more intuitive interfaces as
well.

~~~
forapurpose
They do some of the same things, but there's a lot they don't do.

[https://news.ycombinator.com/item?id=15730800](https://news.ycombinator.com/item?id=15730800)

------
mnl
And no MAFF nor MHTML support in Quantum... as MAFF is/was great, now I have
to keep yet another browser just to read my old files.

------
benjaminjackman
Anyone know if xmarks is going to end up working with it? It works in Chrome
and has for a long time, so it should be pretty straightforward to port,
though xmarks doesn't get a lot of development at all (not even sure it needs
it).

If not is there an alternative sync bookmarks between chrome and firefox
solution anyone can recommend?

------
staticassertion
I just use uMatrix.

------
ufo
BTW, is anyone here knowledgeable enough about NoScript's development to know
whether their "until the end of this week" prediction is solid or if it is
more vague like ValveTime?

------
seba_dos1
And it's available now:
[https://noscript.net/getit](https://noscript.net/getit)

------
Crontab
Yeah, I leapt right in, and had to revert to Firefox ESR when I realized that
RequestPolicy Continued doesn't yet work.

(BTW - thanks to @fghtr for letting me know about it this extension.)

------
K0nserv
I use UBlock Origin to achieve pretty much the same behaviour as NoScript.
Haven't found a reason to use NoScript since I started doing that.

~~~
jszymborski
I've used NoScript for quite a while, and was sad to let it go when I switched
to Quantum in Beta a while back.

I tried using uMatrix, which is from the same folks that made uBlock Origin,
and I have to say I'm supperr happy with it. It applies the same heuristics
that I usually apply manually (namely, allow 1st-party scripts automatically,
allow 3rd-party manually as required).

I'm going to install NoScript when the WebExt version comes out, mainly for
the excellent XSS/Canvas/misc. support. It remains to be seen which I'll use
for blocking scripts, but I'm glad to have options.

------
Master_of_Lemon
Seamonkey is thankfully not affected by this. Running the latest Seamonkey
with NoScript still working

------
gdulli
The utility of the long tail of Firefox plugins was what gave it its value.
I've been using a hybrid of Pale Moon and Firefox since the last round of
losing plugins and now don't see a reason to keep Firefox at all.

~~~
pbhjpbhj
I'd value a resource with a simple explanation of the changes that prevent a
compatibility layer from enabling all the old plugins?

~~~
majewsky
In one sentence, the move to more aggressive multithreading and sandboxing.
The old extension model conflicts with the boundaries that had to be
established for both these things.

~~~
noisem4ker
They used to provide shims to ease making old addons compatible with
multiprocessing, although with serious performance implications.

------
smegel
> NoScript's unique whitelist based pre-emptive script blocking approach

Is that unique apart from what Chrome has built in by default? (obviously you
still need to opt-in).

------
akerro
Brave Browser has "Shield" mechanism where you can block ads/trackers and JS.
It's built-in feature, you can set it up to be enabled by default or per-
domain.

~~~
majewsky
Switching browsers just because some extension does not work for a few days
after an upgrade seems like blowing it waaaay out of proportion.

~~~
digi_owl
People stuck with Firefox because of the old, potent, extension framework.

Now they have no reason to stick with Firefox because the extension framework
is just another Chrome clone, so why not switch to an actual Chrome clone?

~~~
majewsky
Because I trust Mozilla more than both Google and $random_developer.

~~~
akerro
Brave Browser is a product from Brendan Eich, ex-CEO of Mozilla and creator of
JS.

------
andrei_says_
The title of this post is incorrect.

Seems like it _is_ available, just in the old extension format.

From the noscript site:

> Please be patient: if you feel naked while you're waiting for the "brand
> new" NoScript, you can still use the "regular" NoScript 5.x (and all the
> other extensions of yours) on Firefox 52 ESR, which will receive security
> updates until June 2018. See you soon!

Edit: my statement is incorrect, the noscript page refers to the ESR version
of firefox.

> authors suggest to use ESR, which is Extended Support Release, not the
> latest firefox.

~~~
ycmbntrthrwaway
It is not, authors suggest to use ESR, which is Extended Support Release, not
the latest firefox.

~~~
andrei_says_
I see, my bad.

