The main difference between XSS and CSRF is the perspective:
- XSS: takes advantage of the trust the user has in a particular website
- CSRF: takes advantage of the trust the website has for the user's browser
XSS has a dependency on javascript yes, but it is not limited to that scope. What I mean is that you need javascript for the payload, but payloads have been known be executed by not only JS itself, but also activeX, flash, VBScript and html to name a few. It all depends on what the site will allow users to change on the site itself. So noscript is a great way to stop higher level scripts from running (think <script>attackmeplease()</script>) but depending on the site someone can get really clever inserting it into say flash media that the user allows to run because its a video sharing site (a crude example but you get the idea, social engineering plays a part).
CSRF has no such dependency on javascript and is designed to send a request to other websites without the users knowledge. It is highly dependent on the browsers ability to get and execute the attack package. Another difference is it can come in more forms such as HTML image tags, javascript image objects, word documents, movies, emails etc... The request itself cannot be blocked if the package is executed no, but the site can validate the request.
Some other differences are the requirements for instantiation, in one the user must visit a specific site, in the other they must use a tainted media that can come from a variety of sources, not just a site. The final point of failure is also different, in XSS the user is the last point of failure, while in CSRF the server is.
Another large difference is that a site that is vulnerable to XSS is almost certainly vulnerable to CSRF, while being protected from XSS even completely does not mean you are protected from CSRF.
