"Forbid META redirections inside <noscript> elements"
but then I immediately wondered, what about META redirections outside <noscript> elements? I tested this with a fresh install of Firefox and latest NoScript, and those still work. Also: To forbid meta redirections inside noscript elements you have to toggle an option, it's not standard for non-trusted sites.
Did you test the META redirection with a background tab? I'm pretty sure NoScript added an unconditional block of background redirects within a week or so of this attack being publicized.
"Forbid META redirections inside <noscript> elements"
but then I immediately wondered, what about META redirections outside <noscript> elements? I tested this with a fresh install of Firefox and latest NoScript, and those still work. Also: To forbid meta redirections inside noscript elements you have to toggle an option, it's not standard for non-trusted sites.