3) Right - and I guess "fingerprinting" goes slightly beyond cookies - but when people say "execute arbitrary code" they typically imply something has free-reign, which JavaScript generally doesn't.
4) True, although it's my understanding that the exploits are hard to implement, doubly-so from an abstracted layer like JavaScript.
> trickery, manipulation...like trying to embed a frame from Facebook and steal user credentials or so on
This falls under "cookies-based", and I'm pretty sure no JavaScript is necessary for these kinds of attacks.
4) True, although it's my understanding that the exploits are hard to implement, doubly-so from an abstracted layer like JavaScript.
> trickery, manipulation...like trying to embed a frame from Facebook and steal user credentials or so on
This falls under "cookies-based", and I'm pretty sure no JavaScript is necessary for these kinds of attacks.