Skip to content

The Importance of NoScript’s Surrogate Scripts

The tradeoff between security and convenience is one that users often face when browsing the web. Those who prefer security at the expense of convenience would prefer to use the Firefox extension called NoScript, which is an extension whose name emphasizes the measures it takes to secure the browser. There are those who would say that the measures that NoScript takes in making Firefox a more secure browser are too excessive, as it blocks all scripts that are not whitelisted. Much web page content is blocked by NoScript until whitelisted. And that can be quite inconvenient, as users of my Greasemonkey script that works with embedded YouTube videos have noted on a few occasions. Some pages actually may not function correctly at all when sites such as are blocked by NoScript. As some users do not want to have to choose between allowing all scripts that a page uses and not having the page function correctly, an attempt at solving this issue is implemented in the more recent versions of NoScript. Newer versions of NoScript replace some blocked scripts with scripts that are known as surrogate scripts.

These surrogate scripts handle the situations in which 3rd party scripts from sites such as look for page content that is blocked by NoScript. These surrogate scripts cause pages to be more likely to be error-free by replacing blocked scripts with similar scripts. Some concerned “non-geeks” have wanted to know if these surrogate scripts send any data to 3rd party sites. However, those who have viewed and understand the source code in these scripts can assure these individuals that these scripts simply try to prevent web pages from being broken. There are some users of NoScript who had previously found that some pages were broken unless scripts from sites such as were allowed. I found that when scripts from were blocked, pages on appeared to be broken. However, these pages did not appear to be broken when the surrogate script for was used. I have also found that these surrogate scripts cut down on the clutter that appears in the error console, as there would be fewer errors on pages when these surrogate scripts are used.

Users who have used the more recent versions of NoScript may have used these surrogate scripts without even knowing that they used them. However, there are those who might want to more easily configure these scripts. At this time, there is no user interface for configuration of surrogate scripts, because as NoScript author Giorgio Maone says, those who would configure these scripts and options regarding them would likely not need one. Still, a UI would be convenient, as adjustments to configuration settings may sometimes be necessary. One might want to more easily adjust which sites use surrogate scripts and which ones do not. Also, one might want to be informed when sites are using these surrogate scripts. In fact, I decided to make a few adjustments to surrogate scripts so that they would display information that says surrogate scripts are being used right on these pages where they are used.

I wanted to know when the surrogate script for code from was being used. So I added a JavaScript alert statement to the surrogate script for to determine this. As those who are familiar with JavaScript know, that statement would make a pop-up window appear when that script is executed. I then decided to make that code more complex by adding code to it that would execute when the page is finished loading so that text would be added directly to pages to indicate that this surrogate script is being used with these pages. However, it would be preferable for information on when these scripts are being used to instead be in the browser UI.

Users of the web may always need to choose between security and convenience. The newer versions of NoScript make it so that less convenience would need to be sacrificed for improved security. Still, it would be more convenient for there to be a UI to work with these surrogate scripts used by NoScript. However, it is good to know that the decision to choose security over convenience when browsing the web now seems to be a less difficult one to make.