Florian Weimer wrote:
> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?

HTTP headers are arguably the wrong place, but it might make sense to have a <NOSCRIPTS> tag that would require the browser to turn off all scripting for the entire HTML document, or somesuch. For instance, application-layer proxies could add such a tag to all data crossing the firewall, and places like Hotmail prepend such a tag to all HTML-formatted email they receive before displaying it to the user.

Of course, we would have to trust browsers to respect such a tag, but it could potentially give a very simple, high-assurance way to turn off dangerous features.