NoScript: How to determine which sites/scripts to whitelist?

You could install a site advisor plugin like, for example, McAfee's site advisor. By doing this you can more easily search the domain for any reported maliciousness.

For example, when I search a domain which a big newspaper is getting their ads from, I get a report back saying generally OK, but community reports say "Adware, spyware, or viruses (1)".

I'm sure there exist more and possibly better plugins for searching a domain for its rating as well.

EDIT: I would like to add this snippet I found from NoScript's FAQ:

Starting with version 1.9.9.61, NoScript offers a "Site Info" page which can help you to assess the trustworthiness of the web sites shown in your NoScript menu. You can access this service by middle-clicking or shift-clicking the relevant menu item. If you're more on the technical side and you want to examine the JavaScript source code before allowing, you can help yourself with JSView.

So if you are curious whether you should trust it or not, just middle-click the domain and it will query the following sites for information:

  • WOT Scorecard
  • McAfee SiteAdvisor®
  • Webmaster Tips Site Information
  • Safe Browsing Diagnostic on google-analytics.com

[Disclosure: I am the co-founder of the company whose product is discussed in this answer.]

In the past, I've generally just figured this out through trial and error. However, that is most definitely not the way it should be done. It leaves me vulnerable to still possibly running malicious or advertising scripts during that trial and error phase, which could lead to irrecoverable damage.

This is the problem with whitelist based security products. You really can't be sure about every item you add to the list. You just try it and hope for the best. Even if you whitelist a domain, new scripts can be added to that domain, or existing ones could be changed. To be completely sure, you would need to analyze each script before execution to look for malicious activity. I don't believe it is possible to have a generic script analysis program that can look at each script and determine if it is safe or not.

Is there an additional plug-in or other method which can be used for me to figure out which domains/scripts need to be whitelisted for me to use certain features of a website? Preferably, the method should not require knowledge of any scripting languages or require the user to interpret the sites' source code.

While not exactly what you are asking for, my company built a similar security plugin that solves your problem, but in a different way. We run all the scripts needed for a page, but we run them on a disposable cloud server. This results in the user getting full functionality of a website, without having to whitelist any scripts, and without having any scripts run on their local computer. This saves the user from needing to know scripting languages or requiring them to interpret the sites' source code. In essence, it doesn't matter if the scripts are good or bad, because by running them on our servers they can't affect your computer.

If you are interested, you can learn more on our website.


I suspect that the "right" answer would be for there to be an extension to HTML in which the website itself declared which domains were under its direct control and which were third party scripts (e.g. Stack Exchange would declare stackexchange.com, sstatic.net as under direct control, googleapis.com as an essential third-party site, and others as advertising sites).

It might seem odd - after all, the whole point of NoScript is that you don't trust the site in the first place - but when you're permitting scripts from the site itself, you have decided to trust (for example) Stack Exchange and you just want to designate all the domains it trusts.

Obviously, a site could lie and list all of the ad sites it deals with as part of its internal structure, but NoScript's UI would have to let you know what you were doing.

Mind you, proposing extensions to HTML isn't exactly a practical solution to your problem!
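
The declaration idea in the answer above, sketched as an added example (not part of the original answers and not NoScript code): a script blocker classifies each script URL against what the site declares and flags anything undeclared. The declaration format, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration. The declaration format is hypothetical: no such HTML
// extension exists. Domains are those the answer names; URLs are constructed.
const declaration = {
  direct: ["stackexchange.com", "sstatic.net"],
  essentialThirdParty: ["googleapis.com"],
  advertising: ["ads.example"], // constructed placeholder
};

// True when host is the declared domain or a subdomain of it. Matching on a
// label boundary stops "evilsstatic.net" from passing as "sstatic.net".
function hostMatches(host, domain) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Classify one script URL against the site's declaration.
function classifyScript(scriptUrl, decl) {
  let url;
  try { url = new URL(scriptUrl); } catch { return "invalid"; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "invalid";
  for (const [category, domains] of Object.entries(decl)) {
    if (domains.some((d) => hostMatches(url.hostname, d))) return category;
  }
  return "undeclared"; // the site did not vouch for this host at all
}

// Group a page's script URLs by category, so the blocker's UI can show the
// user what allowing the site's declared set would actually permit.
function summarize(scriptUrls, decl) {
  const out = {};
  for (const u of scriptUrls) {
    const c = classifyScript(u, decl);
    (out[c] = out[c] || []).push(u);
  }
  return out;
}

const sampleScripts = [ // constructed sample input
  "https://cdn.sstatic.net/js/stub.js",
  "https://ajax.googleapis.com/lib.js",
  "https://evilsstatic.net/x.js",
  "https://tracker.example.org/t.js",
];
console.log(summarize(sampleScripts, declaration));
```

As the answer notes, a site could still list ad hosts under `direct`; the classification only reports what the site claims, so the per-category list is what the user would need to see before allowing it.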