[6] By default, NoScript blocks active (executable) web content, which can be wholly or partially unblocked by allowlisting a site or domain from the extension's toolbar menu or by clicking a placeholder icon.

Active content may consist of JavaScript, web fonts, media codecs, WebGL, Java applet, Silverlight and Flash.

Clicking or hovering (since version 2.0.3rc1[9]) the mouse cursor on the NoScript icon gives the user the option to allow or forbid the script's processing.

Whenever a website tries to inject HTML or JavaScript code inside a different site (a violation of the same-origin policy), NoScript filters the malicious request and neutralizes its dangerous payload.

[17] In its default configuration, NoScript's ABE provides protection against CSRF and DNS rebinding attacks aimed at intranet resources, such as routers and sensitive web applications.

[18] NoScript's ClearClick feature,[19] released on October 8, 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all types of clickjacking (i.e., from frames and plug-ins).

[33] In response, Maone stated that the change was made because Ghostery's notification obscured the donation button on the NoScript site.