I don't like micromanaging my browser. Therefore not a fan of NoScript. I have to be fair and give the author of NoScript the credit that his ideas are implemented in most modern browsers: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-stock.pdf and http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html

XSS is a server-side problem, see http://www.computerweekly.com/tip/Cross-site-scripting-explained-How-to-prevent-XSS-attacks. It is impossible to solve it on the client side while keeping all functionality intact. See for instance http://blog.elevenpaths.com/2014/01/how-to-bypass-antixss-filter-in-chrome.html

This iframe PoC could be easily prevented by using Gorhill's uBlock to block third-party iframes.

Anti-exploit testing

Blocking only iframes won't break functionality of 99% of the websites, while increasing security. For those wanting granular control, use uMatrix. The matrix interface of uMatrix might look complex, but the two-dimensional rules matrix reduces the number of exception rules greatly (compared to a one-dimensional exception list like NoScript uses, for instance).

For the nerds and the paranoid among us (the default at Wilders I guess), there is a nice Chrome extension intended for penetration testing which can also be used to check a site for XSS vulnerabilities: XSS Rays, explained at http://www.thespanner.co.uk/2011/01/21/xss-rays-extension/ and https://github.com/beefproject/beef/wiki/Xss-Rays

You can test a site with the default PoC (see image below):

1. Click on the X-icon when visiting a site
2. Choose SCAN from the menu
3. Click Extract links
4. Select All or the (same domain) links you would like to check
5. Click Run XSS injector

Have fun