Right. Wrong. No browser "has it" yet. Only NoScript provides very effective anti-XSS protection. It's so effective that IE8 will "borrow" it's more visible concepts, but it's already clear that Microsoft's "version" will not be nearly as effective as NoScript.