This allows web developers, if they so choose, to try to make certain cookies more secure.

I agree NoScript is not for the casual browser, but for those tech-savvy startup dev folks wishing to protect themselves a little more, it may be an option with some of the config changes mentioned above. And while the Chief Security person over at Mozilla would love to see NoScript included, it’s that same balance of security and convenience that you mentioned.

I am curious to see to what degree NoScript could prevent simple CSRF attacks without adversely affecting the user experience.

I understand the viewpoint of “better safe than convenient”. But, I don’t think it scales to a recommendation that most people (or even most tech savvy people) can or will follow.

The browser makers obviously have some responsibility to tighten up on the vulnerabilities we face while using their products.

When I was Outlook dev manager, our frame of mind was creating the most powerful platform for users to build on top of. We were soon jolted into reality with the spread of email viruses (“I Love You” and “Melissa”) that took advantage of the gaping holes we built into the product.

If the internet is going to evolve into the best platform it can be, we need to get safety AND convenience. If current browsers are too lenient, the geeks among us should start adopting add-ins that bring the level of security up to where it should be – and then lobby to get these adopted as built-in behaviors for the main stream.

While you will get some sites that completely break, I would (personally) rather take the time to allow trusted scripts on a case-by-case basis rather than allow global script execution.

However, NoScript does allow some customization to this aspect. For example, there are options to “Temporarily allow top-level-sites by default”, which would alleviate a lot of immediate compatibility issues. NoScript also attempts to prevent suspicious cross-site requests. There are, however, still some sites that attempt to load JavaScript for 20 other places. In my personal opinion, I’m’ not a huge fan of this practice to the degree that I browse Twitter w/o the ability to add users or count characters in the update form because they source scripts from Google.

(How’s the font size now? It was bugging me as well, actually.)

What I would think to be far preferable would be to limit cross-site requests unless explicitly authorized (both POST’s across domains, and tags going to other domains … cross-site tags are a lost cost, already).

If you know of a firefox extension that does that, I’d love to get a pointer to try it out.

P.S. Being over 40 – I have a pet peeve about small fonts sizes on web pages. Do you think you could crank it up a few points here?