Bugtraq mailing list archives

Re: Some discussion in http-wg ... FW: webmail vulnerabilities: a new pragma token?


From: Ryan.Russell () SYBASE COM (Ryan Russell)
Date: Thu, 20 Jan 2000 11:44:06 -0800


A couple of comments in a couple different directions...

Eric states that there will be implementation issues.

To be nastier about it, if the browser vendors can't shut off
Javascript when I hit the checkbox, why think they could
do it by following an HTML directive?

And to pre-hack the idea.. chances are that I'm going to be able
to do something to escape the headers... i.e. I'll find a way to start
a new set of headers, perhaps opening a new frame.

It would be nice if there were an HTTP header that, if sent to the
client, would cause the client to disable javascript, vbscript, etc. for
that document only. Sites who wished to display untrusted pages (webmail
sites, web discussion forums, etc.) could then use a multi-frame layout.
Any frame that contained untrusted code would have this header included in
the delivery of its content to ensure that the scripts would not be
evaluated, regardless of the normal client settings; other frames, whose
"trusted" documents would be sent without this header, would still be able
to use scripting (if enabled on the client).

I don't want to discourage the idea necessarily, just pick on the
browser vendors.  Perhaps they'd have a better chance of
getting it right the first time that way.

On a different tangent:

Several folks suggested that all tags be stripped unless they are
"known safe".

Doing so will kill your ability to mail around C code, unless you
HTMLize it first.  If you don't, all your #<includes> will disappear,
and perhaps the rest of the note if it's waiting for a #</include> :)

                         Ryan
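
The tag-stripping side effect raised at the end of this message, as an added example that is not part of the original post: a "known safe" tag filter applied to a plain-text message carrying C source, next to escaping the text before display. The allowlist, function names and sample message are assumptions made for illustration.

```python
import html
import re

# Hypothetical allowlist for this illustration; not taken from the post.
SAFE_TAGS = {"b", "i", "p", "br", "pre"}

# Anything that looks like <name ...> or </name ...>.
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][\w.]*)[^<>]*>")


def strip_unknown_tags(body: str) -> str:
    """Naive filter: drop every <...> whose name is not in SAFE_TAGS.

    Illustration only: allowed tags are kept verbatim, attributes
    included, so this is not a complete sanitizer.
    """
    def keep_or_drop(match):
        return match.group(0) if match.group(1).lower() in SAFE_TAGS else ""
    return TAG_RE.sub(keep_or_drop, body)


def escape_plain_text(body: str) -> str:
    """Treat a text/plain body as data: escape it, then wrap it in <pre>."""
    return "<pre>" + html.escape(body, quote=True) + "</pre>"


def render(body: str, content_type: str) -> str:
    """Only HTML mail goes through the tag filter; plain text is escaped."""
    if content_type.lower().startswith("text/html"):
        return strip_unknown_tags(body)
    return escape_plain_text(body)


# Constructed sample message body: C source mailed as plain text.
C_MAIL = "#include <stdio.h>\n#include <string.h>\nint main(void) { return 0; }\n"

if __name__ == "__main__":
    print(strip_unknown_tags(C_MAIL))      # header names are gone
    print(render(C_MAIL, "text/plain"))    # header names survive as &lt;...&gt;
```

Choosing between filtering and escaping by the message's declared content type keeps the filter away from text that was never HTML.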

