5

I saw that NoScript + Firefox combination blocks all "dynamic content" (especially those spammy ads). I really like that. It reduces the chances of being exploited.

But Chrome only asks me to allow Flash and some other plugins for some sites. It looks like FF + NS is much better than Chrome.

Is that really the case?

FirstName LastName

3 Answers

6

For starters, Chrome has better security features and a larger security effort than Firefox.

It's true that JavaScript can be involved in exploitation and exploit kits use JS to hide exploits and profile the browser for exploitation. But disabling JS should not be considered a silver bullet for browser security.

More than just blocking JS, NoScript brings to Firefox security features which Chrome already has, like XSS protection, and features that Chrome lacks, like clickjacking protection and protection against plugin-based attacks. Take into consideration that NoScript will also increase the attack surface.

There isn't a clear winner here considering that the security of Firefox + NoScript depends on the user configuring NoScript and the usability trade-off.

For more about browser security, read the Browser Security Handbook by Michal Zalewski. His book, The Tangled Web: A Guide to Securing Modern Web Applications, extends this handbook.

Cristian Dobre
  • Please explain what this means - Take into consideration that NoScript will also increase the attack surface. – FirstName LastName Jan 13 '13 at 18:50
  • It means that NoScript is also a target for exploitation. As browsers get harder to exploit, attackers focus more on plugins and addons. NoScript parses a lot of input so there are a lot of possibilities for buffer overflows and other attacks. – Cristian Dobre Jan 13 '13 at 19:04
  • So, it's better to have "good" design and security built into the product itself rather than using a plugin? That is, Chrome's approach. – FirstName LastName Jan 14 '13 at 04:59
  • Right, the healthy long term strategy is to focus on a good browser design. A lot of browser insecurity came from browsers trying to do too many things for the user, like interpreting incorrect HTML. Plugins offer more flexibility and options for power users but come with risks. It is all a trade-off between usability, features, flexibility and performance. A wonderful book about browser (in)security is *The Tangled Web: A Guide to Securing Modern Web Applications*. The technical parts of the book are "opensourced" in the Browser Security Handbook https://code.google.com/p/browsersec/wiki/Main – Cristian Dobre Jan 14 '13 at 06:57
2

I don't know the specifics, but Chrome goes to great lengths to sandbox JavaScript, and to isolate one site from the others. That is unique among browsers AFAIK, making it very hard to exploit any vulnerability found in it (which do exist nonetheless). See this question for more info. Chrome is also one of the few that already supports iframe sandboxing, which should help make sites that embed third-party content a lot safer (though I dunno how often that's used in practice; one well-known example is Facebook apps).

What's notable about NoScript, however, is that it allows you to selectively enable/disable JavaScript and other dynamic content on a per-domain basis. That is also a unique feature AFAIK, since most browsers either allow you to disable all scripts in a page, or enable all of them, with no middle ground supported. This allows you, for instance, to activate only the scripts necessary to access the desired content, but leave all the rest disabled (in particular the ad scripts from wildly different sources that are usually present in a given page - and which represent a good percentage of the security risks).

That makes it hard to determine "which one is better". My gut feeling is that Chrome is better at protecting your computer, while NoScript is better at protecting the data you enter in the different sites. Since one can't reasonably expect every site out there to have decent XSS protection and to be kept up-to-date with the most recent attack vectors discovered, by minimizing the amount of untrusted code that runs in the same page context (something that Chrome's sandboxing can't do anything about) the chances of private data being leaked from one domain to another are decreased as well.

There are plans to port NoScript to Chrome, which I believe would be ideal, but unfortunately it's been held back by the lack of support for synchronous access to the page assets by individual extensions. That means one can't inspect a script before it's already executed, making many of NoScript's features unfeasible (and also meaning alternatives such as NotScripts will never achieve a similar level of security).

mgibsonbr
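The per-domain allowlisting described in the answer above, as an added example that is not part of the original post and is not NoScript's own code: a simplified model that decides, per script source, whether it may run. The function names, the `bank.example` allowlist and all sample URLs are constructed for illustration; matching by hostname suffix is an assumption of this sketch.

```javascript
// Simplified per-host script allowlisting (illustrative model, not NoScript's code).
// All hostnames and URLs below are constructed sample data.
const SAMPLE_PAGE = "https://www.bank.example/login";
const SAMPLE_ALLOWLIST = ["bank.example"];
const SAMPLE_SCRIPTS = [
  "/static/app.js",                       // relative: same host as the page
  "https://cdn.bank.example/lib.js",      // subdomain of an allowlisted entry
  "//ads.tracker.example/show.js",        // third-party ad script
  "https://notbank.example/x.js",         // shares a string suffix, not a domain
  "https://bank.example.evil.test/x.js",  // allowlisted name used as a prefix
  "data:text/javascript,0",               // non-http(s) source
  null,                                   // inline script in the page itself
];

// True if host equals an allowlisted entry or is a subdomain of one.
// The leading "." in the suffix test is what rejects "notbank.example".
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowlist.some((entry) => {
    const e = entry.toLowerCase();
    return h === e || h.endsWith("." + e);
  });
}

// Classify each script reference found on a page as allowed or blocked.
// `null` models an inline script, attributed to the page's own host.
function classifyScripts(pageUrl, scriptSrcs, allowlist) {
  const page = new URL(pageUrl);
  const result = { allowed: [], blocked: [] };
  for (const src of scriptSrcs) {
    let host = null;
    try {
      // Relative and protocol-relative sources resolve against the page URL.
      const u = src === null ? page : new URL(src, page);
      if (/^https?:$/.test(u.protocol)) host = u.hostname;
    } catch {
      host = null; // unparsable source: fail closed
    }
    const ok = host !== null && hostAllowed(host, allowlist);
    (ok ? result.allowed : result.blocked).push(src === null ? "(inline)" : src);
  }
  return result;
}

function demo() {
  return classifyScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS, SAMPLE_ALLOWLIST);
}
```

Only the page's own scripts and its CDN subdomain end up in `allowed`; the ad host, the look-alike hosts and the `data:` source are blocked before anything runs.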
0

The very same protection of NoScript in Firefox is available as "ScriptNo". Google it.

I would have provided a link but I am currently using Firefox and Google prevented me from accessing the portal where it resides without Chrome.

I change my browsers and use the most up to date one available all of the time, switching back and forth between Firefox and Chrome.

T I