Hacker News | jremop's comments

On a side note, does anyone have a good setup for browsing securely to avoid issues like this? I ran with JS restricted to a whitelist for a while, but many random websites that I have to use require it these days.

Can you use something like Ghostery to allow any site to do its own JS but not external JS, besides whitelisted sites/externals?


> Can you use something like Ghostery to allow any site to do its own JS but not external JS, besides whitelisted sites/externals?

That's exactly what NoScript does. Use the option "Temporarily allow top-level sites by default->Base 2nd level Domains".


Thanks! This looks like exactly the behavior I want.


Run your browser in private mode, or create a separate user account and run the browser under that. Or just use a different browser for the "secure stuff" (e.g. your online banking etc.). Then it doesn't matter what kind of XSS trickery they throw at you, because your cookies aren't accessible to the browser.

I suppose it might be useful with a browser extension/feature that allowed you to lock access to certain sites' cookies until you have explicitly granted use. Sort of like how the keychain works on OS X.

