I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:
- It's really scary
- NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
- For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.
I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.
Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.