Poor old eBay - now the BBC says it suffered a XSS attack recently

More gloom and doom here:

http://www.bbc.co.uk/news/technology-29241563

What's a little scary is that it would be so easy to be taken in - I've certainly had the experience of eBay demanding a fresh log-in when I've tried to do something, and it would be all too easy to simply sigh and enter one's details on an authentic looking but thoroughly malicious page.

In a sense, villains are actually being assisted by the site's enthusiasm - probably well-intentioned - for signing us out following a period of inactivity. You've only to look at the occasional moans from folk who've been poised ready to snipe, only to be asked to sign in again on trying to bid in the final seconds of an auction.

What should be an extra layer of security - the request to log in afresh following inactivity - might actually have conditioned users to uncritically enter their credentials on what appears to be a genuine log-in page, even though it is in fact a malicious imitation. A sense of urgency during an auction would work on the attacker's behalf.

NoScript told me the other day that it had warded off a cross site scripting attempt. I was distracted by something and forgot to try to replicate it - I really wouldn't know what I was looking for anyway, to be honest.

NoScript seems a very valuable element of protection against XSS vulnerabilities, but I assume that it is not invulnerable. Assuming there will be some concern shown as people spot the BBC article, it would be useful to know just what to suggest to folk to reduce the risk of XSS attacks.

Abandon any transaction which redirects you to a fresh log-in? Examine the URL of the fresh log-in page? Would that help, or are the URLs easily "spoofed"? And so on and so forth.

Heck, I'd really like to know, myself. For the moment, I'll certainly stick with NoScript and allow only the very minimum JavaScript necessary for the site to work at all - but there must be other means of self-defence.

Suggestions, please!