War breaks out between AdBlock Plus and NoScript

A quiet war has broken out between the authors of AdBlock Plus and NoScript and money is on the table. Both are trying to outdo each other by disabling each other's functionality.

The issue at stake is NoScript's behaviour of showing a change log window whenever it gets a new update, which of late has been updated rather frequently. And unsurprisingly, that change log window is filled with ads that generate revenue for NoScript.

AdBlock Plus on the other hand is committed to blocking ads regardless of where they are from; and this has stepped on the tail of the author of NoScript.

Disclosed in the blog of the author of AdBlock Plus are tales of deception, manipulation and trickery by NoScript, designed to subject it's users to it's ads and the race by each side to block and disable each other's technological defences.

Report a problem with article
Previous Story

BlackBerry Curve 8520 'Gemini' discovered

Next Story

Microsoft Local Impact Map launched

66 Comments

Commenting is disabled on this article.

It's not an ongoing "war", it's already been settled, and AdBlock never tried to "outdo" NoScript by disabling anything in it.

Jeez, Neowin...

I stoped using NoScript years ago when it started messing with web sites in ways it wasn't supposed to, it was supposed to stop scripts from executing, but it was modifying the way the sites were being displayed in the process, so I got rid of it and have been happy since. Now all this crap pops up about how NS works and I'm not surprised one bit

Umm...modifying the way sites were being displayed in the process? The only thing I've seen regarding that was on sites that required Flash, JavaScript, Java, etc., and you could whitelist them or temporarily enable them (or in some cases like with plugin-based content, a frame was offered for clicking to enable only that specific bit of content without enabling other things on the site such as ads).

Scandalous! Though, I really don't care if the No Script author is trying to make some money. His change log page that pops up only comes up when you update and can easily be closed one click. However, I do not approve of what he did to ensure that Adblock Plus didn't rain on his parade.

I use both ABP and NoScipt ,and I have never seen any ads on the noscript update screen, you also used to be able to disable noscript opening the page every time it has been updated, but apparently that option no longer exists.

you just type about:config in the browser bar - you'll get a warning message that you can really mess things up, continue, and then in the filter bar (top) just type noscript and it will only show the entries with "noscript" in them

Filtering is just a "find". It will show all entries with "noscript" in the FF config file. From there, you can see entries with the whitelist sites - just remove them if you still want to use the product; I don't know if they are hardcoded into the actual extension however, so this may or may not block the open sites.

I do know that the pass-thrus to google-analytics and yieldmanager don't seem to be configurable.

I recommend dumping Noscript, using adblock plus (add in element helper too), and using hostsman - a fast and simple to use hosts file program that comes with a library of over 60,000 sites which can easily be added to.

The combo of the two keeps web pages clean.

But remember, you can't and shouldn't remove all ads - support the pages you go to. The ones I don't like are the hidden things. Some pages provide information of your visit to 10's of other non-related sites. Have you ever noticed that your firewall starts pinging about intrusions when you go to certain sites? Normally your IP has been passed on and some other site taking a look at you - who knows for what reason

For those that don't think of this as a big deal, it is: it's a matter of trust, and the author of NoScript did something he should not have done. As has been mentioned on many a blog after this came to light, his unannounced and unwelcome modifications *to another addon* by NoScript itself is tantamount to NoScript being classified as malware - it installed without user knowledge (and the change log crap was useless as the specifics were obfuscated in the Javascript code - this isn't even a debatable point, it's sheer fact, period), it modified *another add-on* without user knowledge (malware-like activity, just as bad in some respects as a browser hijacker would be considered), and some other issues as well.

Once the trust has been breached, it's damned near impossible to restore. His "quick fix" doesn't mean Jack Squat to me and many others - he did something he should not have done, and the only fathomable reason he did it was to ensure income from the ads forced upon unsuspecting users, new and old, with the all too frequent updates.

400,000 new users last week looking at his front page ads... that's a considerable chunk of change, I'd say.

Regardless, he blew it, and the apology is a cop-out because he got busted for doing something he shouldn't have done in the first place. If he coded NoScript to do it's thing, that's fine, but as soon as his code altered/modified another piece of code that isn't his and did so without any particular user intervention - and let's not forget the obfuscated code buried in the Javascript, something your casual user (a big chunk of the 400,000 I might add) would never dare dream of trying to look at or even decipher - well, let's just say he pooched it very very seriously.

This is a pooch screw of absolutely epic proportions, and a damned shame, it truly is.

Ok, what should a simple Firefox user like me do? I do NOT have Ad Block Plus or Noscript installed. I want to block ADs though. I have Flashblock 1.5.10 which works very well. I also want to block popups but they still occur even with the popup blocker from FF installed. I have to allow Javascript because too many sites require it. What to do?

Agreed. Either pay for Admuncher, get a extensive HOSTS file and leave ugly boxes all over your page, or download Adblock.

If I were you, I would go with the third. Adblock is definitely the best addon for Firefox.

This is exactly the reason why I went away from both adblock and noscript and installed Privoxy. Amazing piece of coding and it does what it's supposed to.

Just updated:

"Why such a tight release schedule? Version 1.9.2.6 automatically and permanently removes the cotroversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize with those ABP users who missed the information about it given on the AMO install page, on this site's install page, on this very release note page and in the FAQ. Not including a prompt asking for permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience.
-- Giorgio "

So no script modifies ad block plus so the ads on his site don't get blocked??? and for this i'm going to stop usig noscipt? The guy wants to make money for something he's offering for free. I don't mind.

ad block, blocks ads... the guy isn't above adblock or something, what he should of done is had a notification stating something along the lines of 'noscript has detected you have adblock installed, which blocks development supported ads for our addon, if you would like to support our work, consider adding a whitelist for our domain'

with the option left up to the user, would of saved him from a ****storm, seems he sees his error though... if in fact it was an error, not including this sort of notification seems intentional and probably done out of spite

It's more than just his site....google and yieldmanager are passed through too. Imagine the number of people using Noscript (last week there were over 400,000 downloads), the ads that wouldn't get passed through and how much someone might pay to have the software allow the ads through.

If the product allows these (and it now says it does for "clear-click" reasons) through, explicitly tell folks rather than hiding it.

A section: This product allows you to stop scripts from running on FF. This will, by its nature prevent many ads from loading on the webpage. However, the extension has been explicityly modified to allow:

- all ads featured on my sites to load regardless of your specific settings. This is done to support the development of the software and allow me to go for a beer or two on Friday nights.

- Google-analytics and Yieldmanager is passed through to those services after being tagged as permitted by Noscript.

Accuracy and honesty is all I want.

well i hope someone with a little know how, explores noscript fully... no doubt that will happen now with all that went on

It's not that the author had ads, it's that the author was interfering with another extensions behaviour to show those ads.

If you removed the whitelist entries in ABP, NoScript would re-add them the next time you restarted the browser (say, after an extension update)

It's worse than that though. There were 2 parts to the issue. 1) he modified adblock to allow his sites (and made the mistake of breaking it so everyone found out) and 2) this lead to the discovery of other ad-related sites being let through.

First explanation was "they were warring" - second....well Maone there hasn't said why other than a lame "clearclicks didn't work unless I allowed them". Well, google-analytics, ebay and yieldmanger aren't the only clearclick affected sites...why these ones and not the others? We wait to here the response. I have been chatting with Mr. M to point out some other flaws in noscript that allow adbrite scripts to run when called from an allowed script.

After everything that has come to light, it seems like these one-off exceptions kind-of let the ad-related info flow through directly to the intended sites. So Noscript yes blocks malicious scripts, but in no way does it block everything that it says it does.

Here's what the author of Noscript has said:

IMPORTANT UPDATE FOR ADBLOCK PLUS USERS: NoScript 1.9.2.6 automatically and permanently removes the controversial "NoScript Development Support Filterset", with no questions asked.
I sincerely apologize with those ABP users who missed the information about it given on the AMO install page, on this site's install page, on the release note landing page (shown on updates) and in the FAQ http://noscript.net/faq#qa3_21
Not including a prompt asking for permission beforehand from the start has been a very wrong thing to do, and I want all the ABP users who felt betrayed to know how much I'm sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience.
-- Giorgio

I have always been baffled at the popularity of NoScript. Disable JavaScript and you screw up the appearance and functionality of half the Internet.

Chugworth said,
I have always been baffled at the popularity of NoScript. Disable JavaScript and you screw up the appearance and functionality of half the Internet.

And I've always been baffled with blocking every possible ad in existence.

How do people expect to make a livlihood on the internet without ads? You know you aren't going to pay subscriptions if you can get something free...

Nothing wrong with ads there kirkburn.....it's the hidden parts that people get whipped up about, or the ad services that either deliver questionable ads, or overtly and without consent, use private info gathered. When a software developer breaches his own product for his gain, without letting folks know, it's....well....quite like the actions taken by a thief; in this case it is intellectual property taken.

I guess it would be like going to a doctor for a cold and having the doctor prescribe a drug to "cure it" and then the doctor get paid by the drug manufacturer for peddling their product. I know that happens too, but it still doesn't make it right.

Mozilla itself has even involved themselves by proposing a new AMO which can be found at: http://blog.mozilla.com/addons/2009/05/01/no-surprises/

Chugworth said,
I have always been baffled at the popularity of NoScript. Disable JavaScript and you screw up the appearance and functionality of half the Internet.

Well not really, sites function just fine once its whitelisted, and externally loaded javascript never runs but in most cases is never needed to be whitelisted unless under certain circumstances, e.g. reading lifehacker.com comments. NoScript could perhaps have an optional preference to auto-whitelist the site you click/visit to just to rid the minor annoyance.

ricksterto said,
It's the hidden parts that people get whipped up about, or the ad services that either deliver questionable ads, or overtly and without consent, use private info gathered. When a software developer breaches his own product for his gain, without letting folks know, it's....well....quite like the actions taken by a thief; in this case it is intellectual property taken.

I guess it would be like going to a doctor for a cold and having the doctor prescribe a drug to "cure it" and then the doctor get paid by the drug manufacturer for peddling their product. I know that happens too, but it still doesn't make it right.


Note how I said "every possible ad in existence" ... that is, doing it without regard for any of the above.

Oh but it's not; the new scrutiny by the community is turning up dirt like crazy. Yes, the adblock thing is done, but there is much more that needs to come now that the trust has been questioned.

what kind of new dirt? i assume on noscripts side... adblock and their easylist were just filtering ads, all ads :P maybe they were aggressive but so was noscript dev

Just do a search on the noscript controversy and how the program is allowing certain things through that it says it stops. Relates to google mostly - seems like someone is taking profits on allowing ads to go through (although I am clueless on how much this might be, I am guessing it's not a bad chunk of change given the popularity of FF and the number of downloads it has on a weekly basis). But I am just getting all of this from net reading now - how accurate it is...

..this has treaded on the tail...

Treaded? I think you are in serious need of a new dictionary for Christmas.

Try "...this has trodden on the tail..."

I just ran a test on the latest release using Javascript Deobfuscator 1.5.3 - seems that permitted scripts are allowing calls to scripts that should have been blocked. The one that caught my attention was called from http://sitenamehidden/banners:

var AdBrite_Iframe = window.top != window.self ? 2 : 1;
var AdBrite_Referrer = document.referrer == "" ? document.location : document.referrer;
AdBrite_Referrer = encodeURIComponent(AdBrite_Referrer);

Hmmmm....fixed for the adblock conflict maybe......

In addition, going through the FF config, I ran into exceptions not listed anywhere in the GUI options

noscript.clearClick.exceptions;noscript.net/getit flashgot.net/getit *.ebay.com

I would encourage everyone to about:config and filter on noscript to take a boo. The default whitelist still has his sites (so on an update they will be back). Another key noscript.xblHack doing something with another site by the author http://hackademix.net/. On further looks, this doesn't seem to be the product advertised....maybe it's always been this way and only now did I actually pay attention.

Last update on my look-see: something is going on with google-analytics and yieldmanager too. Haven't run through the code to find out what, and I guess I won't bother - this extension is not what it puts itself out as.

Thanks for the references. But even with the sites taken out of the whitelist, Noscript still allows them as exceptions anyhow without editing the config? That sounds like an extension that we should trust. For the google and yieldmanager, it appears that code is added to the pass-through and undoubtedly he is getting paid in some way for each ad that noscript allows through.

I have gone back to using Hostsman (http://www.abelhadigital.com/) and Phoenix (addon) to block scripts from specific sites....until I get the energy to write my own extension to list scripts before execution, allow me to select any I want to run, with a site exception option. Maybe the scripts being loaded can be grouped into certain categories to make the allow/block process more friendly. But again....when I have some extra programming time.

NoScript is good but if they start complaining about revenue issues n such then they should find another source of income or die.i stick to adblock plus as it does what i need.

left this on informaction forums

"i've been following this since the issue began, there is no real excuse for what the dev has done which was manipulate ABP to its advantage, yeah sure cat-and-mouse games were played on both sides but only because the noscript site had tried to avoid being blocked by ABP for so long

noscript has its purpose and ABP has theirs, and thats to block ads, yes even noscripts ads... thats the breaks, you don't mess with their addon behind the scenes, without user consent, manipulating code and breaking things in the process

sure, NOW a day later things are fixed but any person with morals would have said to themselves before hand, is this the right move? the obvious answer is no, i point that out because apparently the admin/dev hadn't known any better and likely needs it pointed out

one addon cannot screw with another, without user consent, period, end of story

we dont need a 'paid' version of an addon, that is retarded, if the admin is that hard up for cash maybe he shouldn't rely on an addon to make his living and provide for his family, something like noscript should be a hobby of his not somebodys financial backbone *shakes head

noscript is a great little addion to the browser but the author made a really stupid mistake and took things too far, i'm not leaving this in the hands of NoScript or ABP, i wont be redirected to this site each and every update (which i didn't really mind before),a lesson needs to be taught here, a hard one"

i'll be keeping noscript.firstrunredirection set to false from here on out

from ABP blog he said that NS has released a new version removing old code as well as stopped adding entries to ABP whitelist. So it looks like the matter has been solved

Bad move by NS in the first place though.

according to Maone (the developer), these sites were always included in the whitelist and were not part of the nefarious change. Perhaps you deleted at some point, the whitelist entries?

i'm all for supporting NoScript and i would have absolutely allowed their site to be whitelisted, but i don't ever remember being prompted and asked if it was ok; so i have removed them from the whitelist. and as for putting it in the FAQ, why would i ever read the FAQ after i've already installed the program? the FAQ is to find out what the program does and how it works, but you don't go reading it every time a minor change is made to the code. putting it in the FAQ is no excuse to hide behind

all that being said, i will still use NoScript, and if they actually prompt me later in the future to whitelist themselves i will happily do so

although noscript can be annoying at times
I'am still sticking with both of them

i don't want ads, and i don't want js, xss etc... running without permission

SolwayUK said,
i don't want js, xss etc... running without permission

It seems that you are forgetting that a malicious addon is far more dangerous than a malicious javascript code.

How is it not okay for js, xss to run without permission, while patching the web browser, other addons, or user preferences without permission is okay?!

SolwayUK said,
i don't want ads, and i don't want js

Errm, I have to ask, why are you guys disabling Javascript? Its not going away, its becoming more popular. Don't you have to sit there enabling it for every site in order to use it. :S

Even worse - yes the adblock fix has been made, but noscript left the sites in question whitelisted. So the noscript "filter adjustment" is gone....but those same sites in question remain whitelisted in noscript. (Yes you can manually removed them).

I don't care who started what - this extension was about not trusting sites and blocking potentially harmful content. Now this extension's integrity itself is put into question by the motives of the developer. With the recent "whoops" of facebook for example, you would have thought that upfront disclosure would have been a no-brainer; but once again someone hoped that no one would notice the change.

I myself don't use flashgot (another extension by the same author) because there are way too many attempts to read / change the registry that can't be explained by normal operation, and the number of advertising related IP addresses attempting an inbound request increase dramatically with the extension installed. I haven't noticed this on noscript (yet) but seems to be where the extension was being taken.

It is also interesting that an older version of noscript allowed you to block references (for ads) - and now it doesn't because of "performance issues". I'll put money on it (or rather someone put money into someone's pocket) to take this feature out. This action a year ago is congruent with this attempt at advertising money.

There are other extensions that are clear from these intentions and are open-source so that you can review what is going on (if you either have the ability or time).

Now I will also add that I am not opposed to having the developer being paid in some manner for the work - noscript was a great product; however, getting paid by backdoor tactics just isn't good business - and even just wrong.

I have removed noscript as an extension, and highly encourage all to do the same.

For clarification, noscript code can be viewed by editing the xpi (it's just a zip file). It's certainly not open-source, but the code can be looked at.

You're right, I'm going to uninstall NoScript because the author made a bad move ... just kidding

It reminds me of the issue with Patchou and MsgPlus. He left the checkmark to add some toolbars enabled by default, and this caused an uproar... now it's unchecked by default...

Even in NoScript (apparently) the changes were shown throughout the documentation (update page and changelogs i think)

I know the situations aren't exactly the same, but both authors made bad decisions and also realized it (apparently the NoScript author was going to address this before it made such a big splash, but that doesn't matter to people)

I don't think this actually puts into question the integrity of the program itself, and I think the author will be more careful now

Maybe he thought he could slip one past the community. Regardless, he pulled back the changes... he could've just as easily pushed forward with them and ignored the people that protest

This is open source if I remember correctly, so anyone can go over the code themselves.

Deathray, I would agree with you if this was his first "slip"; but it isn't. I guess I am a supporter of the old "fool me once..."

For the code, try taking a look at it. It is not good programming by any means; it would take a good few days just to put it in order to even start analyzing it. This spaghetti code is one of the reasons why there are so many updates needed.

You have to go back about 2 1/2 years now. Noscript used to capture and block virtually all forms of redirects to a script. The feature was removed - without any disclosure (well, until the complaints started), with the corresponding response being "that is was removed for performance related issues." Take a look at post 12 for an example of what I am trying to get at (I know I haven't been very clear on this one.)

Looks as though they've seen the light and v1.9.2.6

"...automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked."

so good news but it was a dumb move to start with.