The NoScript Controversy

by on 05/06/2009 in Security, Security Info & Tips

The NoScript controversy has become a full blown siege now. The author of the add-on, Giorgio Maone of Palermo, Italy, has not only responded, but also admitted to making an error (and some believe it was less than an honest error) in his coding that allowed the ads on his NoScript website to remain in view despite users reliance on Adblock Plus to block them.

The issue came to light when Wladimir Palant, the author of Adblock Plus, wrote an exposé, on May 1st, on his blog at alleging that Maone had used “tricks” to prevent ABP from blocking ads on the NoScript domain. Maone made a reply to the charges on his blog at

But whether you come down on the side of ADP or NoScript, the fact is that Maone has lost credibility . . . hence his public apology on both the NoScript site and his own blog.

It is a full blown siege now, because the most recent entrant into the fray, the Ghostery add-on, claims that NoScript blocks the Ghostery notification window, an essential element of the add-on

Maone has disturbed some of his colleagues, and even Mozilla has gotten into the act, redoing its extension publishing policy to reflect a more thorough review.

How many other add-ons are going to make similar claims is anybody’s guess, but Maone has given his detractors essentially a free pass to allege wrongdoing because of the hit he has taken to his trustworthiness. Some even claim Maone may insert malware into his code . . . which I think is stretching this credibility flaw much too far. But before all this is resolved, I think you’ll hear many more claims like that, no matter how absurd or divorced from reality they may be.

Like it or not, Maone has suffered a mortal wound to his credibility. But it was his own doing, and he admitted so. He shot himself in his foot.

The real question now is, will NoScript survive this feud. And if it does, will it be in a form we recognize?

2 Responses to “The NoScript Controversy”

  1. Colin

    May 6th, 2009

    Hi BJ,

    Maone has done more than just shot himself in the foot, he has lost his credibility and his apology won’t repair that.

    Many users depend on NoScript not only to block scripts and frames but also protection against clickjacking, but now this is all called into question by coding NoScript to work around ABP and prevent it from blocking ads on NoScript… long before that code is exploited to prevent other ads elsewhere to be unblocked forcibly?

    Not a smart move at all, but now we have to wait for the feeding frenzy to die down and see what happens next.

  2. BJ

    May 6th, 2009

    Hey Colin,

    Yes, I said that Maone ruined his credibiilty, but I didn’t want to say that his apology “won’t repair that” because I didn’t want to say anything that inferred techjaws came down on one side or the other. I wanted to leave that for the comments.

    So now that you’ve “opened” that up . . . yes, I certainly agree that Maone’s public mea culpa “won’t reair that”.

    As I said on the WOT board, I think Maone would be more than stupid to try any more shenanigans. But whether he does that or not, the damage has already been done.

    The damage is as you said . . . everything “will be called into question”. Maone would be well advised to go over his code anyway, and insure that there’s nothing else “goofy in there.

    You raise an interesting question though . . . will the code now be “exploited” by others?