[_0w8t]

A typical assumption behind NoScript and similar blocking browser extensions is that it is executable code that is responsible for most of the bugs in the browser so disabling those reduces the attack surface. But with the complexity of modern CSS this is no longer a priory true. It could be that blocking CSS while allowing JS to execute minimize the attack more that the other way around.

[Freak_NL]

Complexity in CSS itself does not significantly increase the attack surface if the complexity is contained to rendering and layout. There are potential privacy issues in CSS (such as the loading of assets from external URLs, e.g., fonts with @font-face), and I expect there are extensions that block any attempt to perform HTTP requests from CSS to prevent browser fingerprinting.

But JavaScript can do a lot more, even if you disallow it to make HTTP requests; it has access to all of the modern APIs included in the browser. CSS on the other hand is still mostly a declarative language that does not allow for much dynamic cleverness.

[manrajsingh]

Agreed. More damage can be done through JavaScript than CSS.