XSS will fire if a site which hasn't been whitelisted injects code into the page of one that has been whitelisted by the user. NoScript doesn't attempt to evaluate whether a site is legit, i.e. non-malicious. On the other hand, if the content of the injection looks like it may be dangerous, it will sanitize the code even if both sites are whitelisted. As you say, David, this part isn't an exact science. I wasn't sure if this is what you meant, so I thought I'd clarify how it works.