Since so many sites are dynamically generated and can create their own headers, and since so many of these sites have XSS vulnerabilities, how about a header that tells the browser the domain scope for scripts?
I.e., the header could tell the browser that the page does not use any scripts, only uses scripts served from the same host, or only uses scripts served from the same domain (those who use scripts from other domains could just not send the header). That way, if a web developer wants to inform the user's client that the page does not use any third-party scripts, and his app has an XSS vulnerability, the browser can refuse to execute the code.

I know about (and use) NoScript, but I still think the ability of web developers to send a header for those who don't have something like NoScript installed would be a good idea. Even with NoScript it would be a good idea; i.e., a site I'm currently working on uses JS for form validation, but doesn't use it anywhere else, including pages that display data users submitted. The ability to have those pages send a header saying no scripts should be processed for those pages would be a good thing (IMHO).

Just a thought.

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
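The browser-side decision the post describes, written out as an added example (not code from the original message): the header name `X-Script-Scope`, its three values `none` / `same-host` / `same-domain`, and the treatment of inline scripts are assumptions made here, since the post fixes none of them.

```javascript
// Added illustration of the header proposed above (not code from the original
// post). The header name X-Script-Scope, its three values and the handling of
// inline scripts are this example's assumptions.
const POLICIES = new Set(["none", "same-host", "same-domain"]);

// Absence of the header means "no restriction", matching the post's suggestion
// that sites using third-party scripts simply do not send it.
function parseScriptScope(headerValue) {
  if (headerValue === undefined || headerValue === null) return "unrestricted";
  const v = headerValue.trim().toLowerCase();
  if (!POLICIES.has(v)) throw new Error(`unknown X-Script-Scope value: ${v}`);
  return v;
}

// Approximate the registrable domain by the last two labels (app.example.com ->
// example.com). Real browsers consult the Public Suffix List instead.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  return labels.length <= 2 ? hostname : labels.slice(-2).join(".");
}

// Browser-side decision: may a script run on a page served with this policy?
// scriptSrc is a URL (possibly relative) for external scripts, null for inline.
function scriptAllowed(policy, pageUrl, scriptSrc) {
  if (policy === "unrestricted") return true;
  if (policy === "none") return false; // page declared it uses no script at all
  // Inline blocks have no origin to compare. Blocking them under any restriction
  // is this example's choice: a reflected XSS payload is usually inline, and the
  // post leaves the case open.
  if (scriptSrc === null) return false;
  const page = new URL(pageUrl);
  const script = new URL(scriptSrc, pageUrl); // resolves relative src values
  if (policy === "same-host") return script.hostname === page.hostname;
  return registrableDomain(script.hostname) === registrableDomain(page.hostname);
}

// Split a page's script references into those that would run and those the
// browser would refuse. The page URL and script list below are constructed.
function filterScripts(headerValue, pageUrl, scripts) {
  const policy = parseScriptScope(headerValue);
  const allowed = [], blocked = [];
  for (const src of scripts) (scriptAllowed(policy, pageUrl, src) ? allowed : blocked).push(src);
  return { policy, allowed, blocked };
}

const PAGE = "https://app.example.com/profile";
const SCRIPTS = ["/js/validate.js", "https://static.example.com/lib.js",
                 "https://cdn.example.net/widget.js", null];
console.log(filterScripts("same-host", PAGE, SCRIPTS));
```

The same idea was later standardized as Content Security Policy, where `script-src 'self'` corresponds to the "same host" case and also blocks inline scripts by default.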
