by joev_ 4455 days ago
Not really. Depending on the protocol CSRFs are often an easy 1-click exploit on noscript-enabled browsers. Something like this:

    <form enctype='text/plain' method=post action='http://192.168.1.1/vulnerable'>
      <input type='hidden' name="<!--" value="--> <SOAP...>" />
      <input type='submit' value="submit" style="position:fixed;top:0;left:0;width:1200px;height:1200px;background:#000;opacity:0;" />
    </form>
is the corresponding 1-click that works on NoScript.

Hmm, I thought ClearClick would catch that, but apparently it doesn't. That's unnerving. Even ABE lets it through.

That said, it would still require the victim to load the fake LinkedIn page (with the wrong domain), which is more likely to look suspicious.

And it would've loaded the router page after the POST (instead of redirecting to LinkedIn), which would definitively signal that something was wrong.

Nah, you just set target="iframe name" on the form and post into a (hidden) iframe. Then in 2 seconds you redirect to LinkedIn. In my experience, getting clicks from targets is easy. One simple way is to show a page with a single link that just says "Redirecting". After a moment most users will just click the link.
Yep. XSS on the other hand would be very hard to pull off with NoScript enabled.
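The following is an added example, not code from any commenter in this thread. It shows, from the defender's side, why the `enctype='text/plain'` form in joev_'s comment yields a body the router's XML parser accepts, and then a server-side check that rejects both that form and the hidden-iframe variant described later in the thread. Everything an HTML form cannot control (the `Content-Type`, a `SOAPAction` header, the `Origin`/`Referer` value) is what the check keys on. The SOAP envelope, header values and the `reject_reason` helper are constructed stand-ins; the page itself elides the real body as `<SOAP...>`.

```python
"""Why the text/plain form trick works, and a server-side check that blocks it.

Constructed example: SOAP_ENVELOPE stands in for the thread's elided
'<SOAP...>' and is not real router traffic.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

# Stand-in for the body the router endpoint expects (constructed).
SOAP_ENVELOPE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><SetConfig>value</SetConfig></s:Body></s:Envelope>'
)

# The router's own origin, taken from the form action in the thread.
SELF_ORIGIN = "http://192.168.1.1"


def encode_text_plain_form(fields):
    """Mimic how a browser serialises enctype='text/plain': one 'name=value'
    line per field, joined with CRLF, with no escaping of either part."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def parse_soap(body):
    """Return the root tag if the body is well-formed XML, otherwise None.
    A leading '<!--=-->' is just a comment in the XML prolog, which is why
    the name='<!--' / value='--> ...' pair in the thread parses cleanly."""
    try:
        return ET.fromstring(body).tag
    except ET.ParseError:
        return None


@dataclass
class Request:
    method: str
    headers: dict   # header names lower-cased
    body: str


def reject_reason(req):
    """Checks a SOAP endpoint can apply before acting on a request.

    An HTML form (with or without a hidden iframe target) can only send
    application/x-www-form-urlencoded, multipart/form-data or text/plain,
    cannot add custom headers such as SOAPAction, and carries the page's
    own Origin/Referer. Requiring text/xml plus SOAPAction and a same-origin
    Origin therefore defeats the form-based CSRF regardless of scripting.
    Returns None when the request passes, else a short reason string.
    """
    if req.method != "POST":
        return "method"
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/xml":
        return "content-type"
    if "soapaction" not in req.headers:
        return "missing SOAPAction"
    origin = req.headers.get("origin") or req.headers.get("referer", "")
    # Absent Origin/Referer is treated as cross-origin (fail closed).
    if origin != SELF_ORIGIN and not origin.startswith(SELF_ORIGIN + "/"):
        return "cross-origin"
    if parse_soap(req.body) is None:
        return "malformed xml"
    return None


def demo():
    """Run the thread's form through the encoder and both requests through
    the check; returns the outcomes so they can be inspected or asserted."""
    forged_body = encode_text_plain_form([("<!--", "--> " + SOAP_ENVELOPE)])
    forged = Request("POST", {
        "content-type": "text/plain",              # fixed by the browser for this enctype
        "origin": "http://attacker.example",        # constructed attacker page origin
    }, forged_body)
    legit = Request("POST", {
        "content-type": "text/xml; charset=utf-8",
        "soapaction": "urn:example:SetConfig",      # constructed action name
        "origin": SELF_ORIGIN,
    }, SOAP_ENVELOPE)
    return {
        "forged_body_parses_as_xml": parse_soap(forged_body) is not None,
        "forged_rejected_for": reject_reason(forged),
        "legit_rejected_for": reject_reason(legit),
    }


if __name__ == "__main__":
    print(demo())
```

The first result shows the trick itself: the browser's `name=value` encoding of the form produces `<!--=--> <s:Envelope ...>`, and the `=` disappears into an XML comment. The second shows the cheapest fix: the forged request is refused on `Content-Type` before its body is ever parsed, and it would also fail the `SOAPAction` and `Origin` checks. Posting into a hidden iframe and redirecting afterwards changes what the victim sees, not any of these headers.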