It seems both NoScript and AdBlock Plus have become really permissive as of late regarding their whitelists. While ABP is a bit shady with their 'acceptable ads' deals, I believe in NoScript's case it's probably due to not wanting to break things too badly for less technically minded users.
Regardless, I've replaced both extensions with uBlock Origin. While UB in default deny mode is not as fine-grained as NS, it does the job and doesn't compromise on default whitelists at the expense of a little breakage (gorhill is very adamant on this point).
I did the same, but with uBlock Origin in advanced mode and uMatrix, which gives me even more control on what request goes where.
This is probably overkill for the average person, but after so many years of using NoScript+RequestPolicy I am used to sites being broken by default and having to fix them if needed; to me this is an acceptable tradeoff for the increased security.
The only exception to this rule for me is when I order something on a website; in that case I find it too risky to run with tight blocking (due to redirections to the payment site and so on) and just run a completely default Firefox in its own VM that I snapshot before and revert to after.
Why was this downvoted? I'm always interested in current perspectives on best practices in browser security. I don't know whether onosendai's description https://news.ycombinator.com/item?id=9795193 is correct, but, even if it isn't, a rebuttal would be more helpful (to me and to onosendai both) than a silent downvote.
NoScript's feature set goes way beyond just selectively blocking scripts based on domain, so nothing in the uBlock family is really a replacement for NoScript, just a replacement for NoScript's most basic feature.
My approach was to start by combining SomeoneWhoCares' and MVPS' hosts files with `uniq`, which rendered such browser addons largely, though not entirely, unnecessary. The downside is you can only do that on machines where you have root access.
Hosts files only work for redirecting known bad actors down the memory hole. A NoScript-style blocker is needed to catch malicious JS from new sources not tracked in a hosts database.
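The hosts-file merge mentioned in the comments above, as an added example that is not part of the original thread: it normalises entries before deduplicating and uses `sort -u`, because `uniq` on its own only drops adjacent duplicate lines. The function names, file names and `example.*` hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: merge several hosts-format blocklists into one deduplicated list.

# merge_hosts FILE... -> prints "0.0.0.0 host" once per unique blocked hostname.
merge_hosts() {
    cat -- "$@" |
        tr -d '\r' |                       # tolerate CRLF line endings
        awk '
            { sub(/#.*/, "") }             # strip full-line and trailing comments
            $1 == "127.0.0.1" || $1 == "0.0.0.0" {
                for (i = 2; i <= NF; i++) {
                    h = tolower($i)        # hostnames are case-insensitive
                    # never emit the loopback names the system itself relies on
                    if (h != "localhost" && h != "localhost.localdomain")
                        print "0.0.0.0 " h
                }
            }' |
        sort -u                            # uniq alone misses non-adjacent duplicates
}

# Constructed sample input (not real list contents).
demo_merge() {
    dir=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\n127.0.0.1 ads.example.com\n127.0.0.1 tracker.example.net # note\n' > "$dir/a.hosts"
    printf '# header\r\n0.0.0.0 ADS.example.com\r\n0.0.0.0 metrics.example.org\r\n127.0.0.1 ads.example.com\r\n' > "$dir/b.hosts"
    merge_hosts "$dir/a.hosts" "$dir/b.hosts"
    rm -rf "$dir"
}

demo_merge
```

The merged output covers only hostnames already present in the source lists, which is the limitation the reply above points out.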