purely by running (malicious) JavaScript inside the victim's browser
I've said it many times and I'll say it again: keep JS off by default and enable it only for the few trusted sites that absolutely need it. Interestingly, the authors mention disabling 3rd-party cookies as a countermeasure, but not JS.
Agreed. Surf makes that easy, CTRL-SHIFT-S to enable JS for the current page. It's downright annoying when I use another browser now. Ditching JS makes everything faster.
Yeah, tried that a bunch of times only to find it sooo annoying that I go back to JS. It's just not worth it clicking on "enable JS" for every new page you open.
It's not that simple; browser vendors don't really want you to do that. Google even outright sabotaged such behavior in Chrome some time ago. You had to type in URL masks manually to enable JavaScript for trusted sites.
Huh? Per-site JavaScript is controlled through the site permissions UI like everything else in Chrome; that's the popover that comes up when you click the page or lock icon in the address bar.
There's even an icon that appears on the right side of the address bar when JavaScript is blocked, giving the option to add an exception if clicked.