Publisher's Description:
The NoScript Firefox extension provides extra protection for Firefox, Flock, SeaMonkey and other Mozilla-based browsers: this free, open-source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and adds anti-XSS protection that blocks cross-site script injection into the sites you trust.
NoScript's whitelist-based, pre-emptive script blocking prevents exploitation of security vulnerabilities, known and not yet known, on sites you have not chosen to trust, while the sites you have trusted keep working normally...
You can enable JavaScript, Java and plugin execution for sites you trust with a single left-click on the NoScript status bar icon (see the picture), or from the context menu, which is handier in popup windows that have no status bar.
Usable security
Operating NoScript is really simple.
When you install NoScript, JavaScript, Java, Flash, Silverlight and possibly other executable content are blocked by default. You can then allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you're just surfing randomly, or permanently, when you visit it often and you really trust it. This means that NoScript learns from your own browsing habits and tends to disappear into the background after a while, but it promptly comes back to save your day if you stumble upon a malicious web page.
When you browse a site containing blocked scripts, a notification similar to the one issued by the popup blocker is shown.
Site matching
For each site you can decide to allow the exact address, the exact domain, or a parent domain. If you enable a domain (e.g. mozilla.org), you're implicitly enabling all its subdomains (e.g. www.mozilla.org, addons.mozilla.org and so on) with every possible protocol (e.g. http and https). If you enable an address (protocol://host, e.g. http://www.mozilla.org), you're enabling its subdirectories (e.g. http://www.mozilla.org/firefox and http://www.mozilla.org/thunderbird), but neither its domain ancestors nor its siblings, i.e. mozilla.org and addons.mozilla.org will not be automatically enabled. Note that the protocol is part of an address entry: http://www.mozilla.org does not enable https://www.mozilla.org.
By default only the 2nd-level (base) domain (e.g. mozilla.org) is shown in the menus, but you can configure the appearance to show full domains and full addresses as well.
Java, Silverlight, Flash and other plugins
While its primary aim is preventing malicious JavaScript from running, NoScript can effectively block Java™, Silverlight™, Flash® and other plugins on untrusted sites. Java applets, Flash movies/applications, QuickTime clips, PDF documents and other content won't even be downloaded from sites where you consider them annoyances or dangers, saving your bandwidth and increasing your navigation speed. While in early NoScript versions only JavaScript and Java were blocked by default, this restriction has been extended to Flash and the other plugins, in order to prevent Flash-based XSS and other plugin-based attacks. You can configure the kinds of content you want to forbid in the NoScript Options|Embeddings panel. The status bar tooltip and the message bar display the total count of detected plugin objects ("OBJECT") next to the "script" count. Keep in mind that some sites use Java applets, Silverlight embedded objects or Flash movies to deliver rich content and applications, so if you meet a web page you need to use and find some functionality missing, consider the possibility that you're blocking an essential applet or movie.
On a non-whitelisted site you can still temporarily allow an individual plugin object with just one left click on its placeholder (screenshot). The movie/applet/clip will stay enabled until the end of the session or until you Revoke Temporary Permissions.
Middle clicking on a Java/Silverlight/Flash/Plugin object placeholder opens it in a window of its own.
Right clicking on a Java/Silverlight/Flash/Plugin object placeholder opens the context menu for links, allowing you to save the content with Save Link As....
Holding down the Shift key and clicking on a Java/Silverlight/Flash/Plugin object placeholder temporarily hides it.
You can also use the Blocked Objects menu to find out which plugin content instances you're blocking even if their placeholder is not easily visible, and/or enable them individually, per site or per type.
Untrusted blacklist
Some sites, especially those serving ads, can appear in your "Allow ..." menu more often than you like, making it too long and noisy.
If you know you don't want to allow a certain site now and in the foreseeable future, you can permanently mark it as untrusted: just click the NoScript icon, open the Untrusted menu and select the Mark bad-site.com as Untrusted menu item.
NoScript won't offer to allow it again, and your menu stays cleaner and more usable.
If you later change your mind, don't worry: just open the Untrusted menu again (on the same page), and you'll find the Allow bad-site.com command there.
This feature is especially useful if you decided to use the (not recommended) NoScript Options|General|Temporarily allow top level sites by default mode: in that mode every site you navigate to directly gets scripts enabled for the session, so the untrusted list is the only thing that keeps a known-bad site blocked, because sites marked as untrusted won't be allowed anyway.
Advanced users: even though the untrusted sites blacklist has no listing UI of its own, you can mass-edit it either by modifying the noscript.untrusted about:config preference or by using the Import/Export functionality of the NoScript Options|Whitelist panel; note that the untrusted entries are exported under an [UNTRUSTED] header.
Anti-XSS protection
Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject their own malicious code into a vulnerable site, typically by luring you from a site they control to a crafted link on the victim site. They can be used, for instance, to steal your authentication credentials or session cookies and, more generally, to impersonate you on the victim site (e.g. your online banking or your web mail).
This kind of vulnerability, often overlooked, is very widespread and increasingly popular among attackers: someone even bothered to write a JavaScript-based bot, called Jikto, that turns your browser into a zombie which relentlessly sends automated XSS attacks all around. Of course this tool was built "for research purposes", but its code unfortunately appears to have leaked into the wild, so anybody can take advantage of it now...
[Screenshot: NoScript XSS notification and its menu]
NoScript features anti-XSS counter-measures against XSS Type 0 (DOM-based) and XSS Type 1 (reflected, by far the most common) attacks targeted at whitelisted sites.
Whenever a site tries to inject JavaScript code into a different trusted (whitelisted and JavaScript-enabled) site, NoScript filters the cross-site request and neutralizes its dangerous payload. Because the check is applied to the request as it crosses from one site to another, persistent (Type 2, stored) XSS, where the payload is already served by the trusted site itself, is outside the scope of this filter.
Changelog for this release:
x Fixed outlook.com UI broken in Nightly by work-around for bug 677050 (thanks Raùl Duràn of Microsoft for troubleshooting help)
- Removed STS support for Gecko >= 4, which provides built-in HSTS
x Work-around for multiple object creation causing UI inconsistencies (thanks al_9x for reporting)
x [XSS] Work-around for false positives caused by Gecko >= 18 changes in Function.prototype.toSource() (thanks yahoo mail user for report)