Here's an idea I came up with, when reading about html injection scams... The page can be viewed at http://www.alhem.net/valid_sites/
Proposal for an HTML security enhancement (a.k.a. no more phishing)

The problem is phishing scams. Evil HTML code is injected in valid pages, making them look legitimate. With this proposal, webmasters and companies would be able to increase the security of their web sites.

Solution one

The browser will only enable connections to sites listed in the current HTML document, such as links to other pages, images and forms. This should only be applied to HTML code directly from the originating web server. Code generated by JavaScript is not to be trusted, even if the script itself comes from the correct server.

Solution two

The webmaster can include a list of valid sites in the header of the HTML document, thereby telling the browser which sites are valid to connect to. This adds a bit more work to keep a site updated. Perhaps by adding a new <meta... tag in the <head> section of a page:

<meta name="valid-sites" content="www.alhem.net,213.199.75.18">

If the user tries to follow a link to a site that is not on this list, a warning will be displayed and the request cancelled. External resources and HTML forms linking to other sites than the approved list must be ignored.

--------------------------------------------------------------------------------
Page, code, and content Copyright (C) 2004 by Anders Hedström

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
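The check described under "Solution two", sketched as an added example that is not part of the original post or the author's code: it reads the valid-sites list from the page and sorts every link, image and form target into allowed or blocked by exact host match. Assumptions made here, not stated in the proposal: the page's own host is always valid, only the first valid-sites tag counts, and a page without the tag is unrestricted; the example.test hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser connect somewhere.
URL_ATTRS = {"a": "href", "img": "src", "form": "action", "script": "src"}

# Constructed sample page; the example.test hosts are made up.
SAMPLE = """<html><head>
<meta name="valid-sites" content="www.alhem.net,213.199.75.18">
</head><body>
<a href="/index.html">home</a>
<img src="http://213.199.75.18/logo.png">
<form action="http://login.example.test/collect"><input name="pw"></form>
<a href="http://www.alhem.net@phish.example.test/">account</a>
</body></html>"""

class ValidSitesChecker(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        # Assumption: the page's own host is always valid.
        self.allowed = {urlsplit(page_url).hostname}
        self.policy_seen = False
        self.refs = []  # (tag, absolute_url, host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "valid-sites":
            # Assumption: first tag wins, so injected markup cannot widen it.
            if not self.policy_seen:
                self.policy_seen = True
                hosts = (attrs.get("content") or "").lower().split(",")
                self.allowed |= {h.strip() for h in hosts if h.strip()}
        elif URL_ATTRS.get(tag) and attrs.get(URL_ATTRS[tag]):
            url = urljoin(self.page_url, attrs[URL_ATTRS[tag]].strip())
            parts = urlsplit(url)
            if parts.scheme in ("http", "https"):
                self.refs.append((tag, url, parts.hostname or ""))

def check_page(page_url, html):
    """Split the page's references into (allowed, blocked) (tag, url) lists."""
    checker = ValidSitesChecker(page_url)
    checker.feed(html)
    if not checker.policy_seen:  # assumption: no tag means no restriction
        return [(t, u) for t, u, _ in checker.refs], []
    allowed, blocked = [], []
    for tag, url, host in checker.refs:
        # Compare the parsed host exactly, never a substring of the URL.
        (allowed if host in checker.allowed else blocked).append((tag, url))
    return allowed, blocked
```

The last link in the sample carries the valid host name only in its userinfo part, so a substring comparison would accept it while the parsed-host comparison blocks it.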
