Is there an HTTP header to disable Javascript for a specific page? My site supplies custom HTML content (so I canβt just use it htmlenitities), and I would like to prevent scripting (JavaScript injection).
I already use HttpOnly cookies, which are set for authentication only in the main domain, while user content is displayed only on subdomains where the cookie cannot be read. The problem is that there are still too many possibilities for executing JavaScript - for example, using event attributes such as onclick, and Internet Explorer even has a property in CSS to enable JavaScript (expression), which I had never heard of before. Another interesting idea I read was to throw an exception in order to block the following code. Another idea would be to define a list containing all valid tags and, in addition, an array with each attribute name resolved, but this is very hard work, and I think this will not cover all possible injections.
I think that I am not the only person who has encountered this problem, and does anyone know about the possibility of using all possible malicious code - at least in modern browsers?
A simple imaginary headline, similar to X-Scripting: disabled, will make life a lot easier!
source
share