Use browser pref for javascript at High Security Level
It would be wise to set javascript.enabled to false in about:config at the high security level, in addition to having NoScript disable scripting for us. This should be an easy change, and there is no reason to exclusively depend on NoScript. NoScript could miss something, especially if the e10s transition caused a lot of upheaval.
(Similarly, Firefox could miss something, since javascript.enabled is no longer a UI-exposed pref, so we should do both, for defense in depth.)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information