Is the XSS handling a flaw?
As I understand it, XSS is using Javascript(or similar) to make objects from one domain appear to be from another. It also appears that every browser out there that supports scripting has found to be unsafe in it's handling of XSS.
So, my question is, is this a flaw in the implementation or is this how things were originally intended to work? The recent article about Google's scripts being referenced by Obama's website suggests that scripts from other domain are supposed to appear to be from the original domain and that the real problem here is that people let anyone who feels like it embed anything they like on their pages.
Secondly, using NoScript even before it's "XSS Prevention" used to prevent a lot of problems provided you whitelisted your sites correctly -- what's the difference between this and the new "XSS attack prevention"
Can anyone who knows their stuff explain?