kukla wrote:
since almost any SSL site I might go to, such as banking or making a purchase, would require that JavaScript be enabled.
JavaScript and plugins need to be allowed on the site of the attacker for the attack to succeed.
Of course, if the victim site uses a mixed SSL policy (i.e. it's NOT forced to HTTPS either by HSTS or by NoScript's explicit HTTPS enforcement, something which shouldn't be condoned in any financial institution), the attacker might be able to inject his code directly inside the unencrypted victim pages, but in order to do that he must already control your DNS and/or your network (i.e. he's your internet provider or you're behind a hostile proxy).
In such extreme (and rather uncommon) situations you should raise your NoScript Option|Advanced|Forbid active web content unless it comes from a secure (HTTPS) connection setting to the appropriate level, even though this means browsing non-HTTPS websites may become quite painful.
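
Added example, not part of the original post: a Python check of the two conditions discussed above, namely whether a response actually pins HTTPS through HSTS and whether the page pulls active content (scripts, frames, plugins) over plain HTTP. The function names, hostnames and sample response are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute loads active content (scripts, plugins, frames).
ACTIVE = {"script": "src", "iframe": "src", "frame": "src",
          "embed": "src", "object": "data"}

def parse_hsts(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    if not value:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

class ActiveContentFinder(HTMLParser):
    """Collects active content that the page loads over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and url.strip().lower().startswith("http://"):
            self.insecure.append((tag, url.strip()))

def audit(headers, html):
    """Report whether HTTPS is pinned and which active content arrives unencrypted."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    max_age = parse_hsts(hdrs.get("strict-transport-security"))
    finder = ActiveContentFinder()
    finder.feed(html)
    # max-age=0 tells the browser to drop the HSTS entry, so it is not enforcement.
    return {"hsts_enforced": bool(max_age), "max_age": max_age,
            "insecure_active": finder.insecure}

# Constructed sample response, not taken from any real site.
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=0; includeSubDomains"}
SAMPLE_HTML = """<html><head>
<script src="https://bank.example/app.js"></script>
<script src="http://cdn.example/widget.js"></script>
</head><body><img src="http://bank.example/logo.png">
<object data="HTTP://media.example/player.swf"></object></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_HTML))
```

The image is not reported because it is passive content; only the HTTP script and plugin object are the kind of active content the NoScript setting above forbids.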