
Ask HN: Could browsers prevent phishing by blocking HTML form actions? - hrjet
### Background

As readers here would be aware, many online threats can be mitigated by disabling Javascript and cookies on untrusted websites. However, phishing can still be achieved with a static HTML page that masquerades as the target page. All that is required is CSS to style the page, and an HTML form where the user types their password.

In the thread discussing Exploratorium's phishing attack today, a few ideas to mitigate phishing threats were mentioned / proposed:

  * Two factor authentication
  * A browser extension that checks whether a known
    password is being used on an unknown website.
  * Browser extensions such as lastpass can prevent
    phishing indirectly because the password is based on
    window.location.origin
  * Security images, which are not very effective as per [1]

I had an idea which seems simple, effective and easy to implement by the browser vendor.

### Idea: Block forms by default

Much like the option of blocking cookies and/or javascript by default, if browsers prevented form actions by default then a majority of phishing attacks could be prevented.

A user might type in the password on an unknown site, but if the form action was prevented (in addition to javascript), the site wouldn't receive the password and the user would be alerted to it.

Thoughts?

  [1]: http://security.stackexchange.com/questions/19155/
======
DanielDent
It's an interesting idea, but attackers would switch to using javascript. And
I don't think it's realistic for typical users to have javascript default off.

~~~
hrjet
Yeah, indeed, this idea is not meant for typical users; only those who have
script blockers and the like installed in their browsers. At present, even
such security-conscious users can be deceived with layout and URL masquerades.
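
The "block forms by default" idea from the original post, sketched as a default-deny policy for a browser extension content script. This is an added example, not code from the thread or from any participant; `decideFormSubmit`, `TRUSTED_ORIGINS` and the sample origins are hypothetical.

```javascript
// Added example, not from the thread. The allowlist and URLs are constructed.
const TRUSTED_ORIGINS = new Set(["https://mail.example.com"]);

// Default-deny decision for one form submission (hypothetical helper).
//   pageUrl:    URL of the document hosting the form
//   action:     raw action attribute; "" or null submits to the page itself
//   fieldTypes: type attribute of every control in the form
function decideFormSubmit(pageUrl, action, fieldTypes, trusted = TRUSTED_ORIGINS) {
  const hasPassword = fieldTypes.some((t) => String(t).toLowerCase() === "password");
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(action || pageUrl, pageUrl); // resolves relative actions
  } catch (e) {
    return { allow: false, reason: "unparseable-url", hasPassword };
  }
  // Compare full origins (scheme + host + port), so lookalike hosts fail.
  if (!trusted.has(page.origin)) {
    return { allow: false, reason: "untrusted-page", hasPassword };
  }
  if (target.protocol !== "https:") {
    return { allow: false, reason: "non-https-target", hasPassword };
  }
  if (!trusted.has(target.origin)) {
    return { allow: false, reason: "untrusted-target", hasPassword };
  }
  return { allow: true, reason: "trusted", hasPassword };
}

// Content-script wiring; skipped when run outside a browser.
// Only submit events are covered: with scripts enabled a page can read the
// field and send it another way, so this assumes scripts are blocked too.
if (typeof document !== "undefined") {
  document.addEventListener("submit", (event) => {
    const form = event.target;
    const types = Array.from(form.elements, (el) => el.type || "");
    const verdict = decideFormSubmit(location.href, form.getAttribute("action"), types);
    if (!verdict.allow) {
      event.preventDefault(); // the request is never sent
      const note = verdict.hasPassword ? " (password field present)" : "";
      console.warn("Form submission blocked: " + verdict.reason + note);
    }
  }, true); // capture phase, so the check runs before page handlers
}
```

The `hasPassword` flag is what would drive the user alert the post describes; the decision itself blocks every form on an origin the user has not allowlisted.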

