

Ask HN: Is it time for a Secure HTML subset? - ebbv

The stories about the Tor site exploits made me think; why are people who are running Tor and supposedly concerned with security leaving JavaScript and iframes enabled?

The state of security on the web is pathetic. The best/only real indicator we give users that a site is supposedly secure is an HTTPS indicator, possibly with a basically meaningless EV indicator. In reality those are no indication that the site itself is safe.

So what if browsers supported an HTML Secure Mode subset which disallowed any JavaScript, iframes and other potentially problematic behaviors (such as form submissions to different domains, etc.) This would work like JavaScript strict, where the page itself would indicate it is made to this specification and the browser should hold it to it and throw errors/not display otherwise.

This could be used for sites where security is more important than bells and whistles. Like banking websites, government websites like electronic voting, etc.

Granted this is not a perfect solution, and it doesn't guarantee that the server side is any better, but it at least might be a step in the right direction. If browsers supported it and we made sites to the specification, it could give indication to users that there's a large swath of potential exploits that are not possible.

Does this idea have any potential or am I just thinking about this too early in the day?

EDIT: I realize that graceful failing is a key tenet of the web, so maybe it would just fail like HTTPS does and indicate to the user "This site said it was secure but it isn't." If it passes Safe Mode validation then it gets some kind of special, really obvious to the user indicator.

The idea here is to make a mode where a) you can be sure everything on the page is coming from the site you thought you were talking to and thus b) that the server itself would have to be compromised for the page to be compromised.

This mode could also have additional effects like indicating when a link on the page would take you away from this site, etc.
======
richbradshaw
This does exist for iframes:
http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

The sandbox attribute can contain any of these values:

allow-forms allows form submission.

allow-popups allows (shock!) popups.

allow-pointer-lock allows (surprise!) pointer lock.

allow-same-origin allows the document to maintain its origin; pages loaded
from https://example.com/ will retain access to that origin’s data.

allow-scripts allows JavaScript execution, and also allows features to trigger
automatically (as they’d be trivial to implement via JavaScript).

allow-top-navigation allows the document to break out of the frame by
navigating the top-level window.

~~~
ebbv
Good point. But it's just one small piece of what would be needed. And of
course there's no indicator to users saying "This page is made to be more
secure and passes validation."
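
The validation step proposed in the original post could be checked along these lines. This is an added example, not code from anyone in the thread; the rule set, the names `SubsetChecker` and `check`, and the `bank.example` page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed rule set from the post: no scripts, no frames, nothing loaded from or sent to another origin.
BANNED_TAGS = {"script", "iframe", "frame", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

class SubsetChecker(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        # violations: (line, message); external_links: allowed, but worth flagging to the user
        self.violations, self.external_links = [], []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in BANNED_TAGS:
            self.violations.append((line, f"<{tag}> is not allowed"))
        for name, value in attrs:
            if name.startswith("on"):
                self.violations.append((line, f"inline event handler: {name}"))
            if name not in URL_ATTRS:
                continue
            target = urljoin(self.page_url, (value or "").strip())
            if urlsplit(target).scheme.lower() == "javascript":
                self.violations.append((line, f"javascript: URL in {name}"))
            elif origin(target) != origin(self.page_url):
                if tag == "a":
                    self.external_links.append(target)
                else:
                    self.violations.append((line, f"{name} leaves origin: {target}"))

def check(html, page_url):
    parser = SubsetChecker(page_url)
    parser.feed(html)
    parser.close()
    return parser.violations, parser.external_links

# Constructed sample markup for a hypothetical page at https://bank.example/login
SAMPLE = """<form action="https://collector.example/post"><input name="pin"></form>
<a href="https://other.example/">Partner</a>
<img src="logo.png" onerror="x()">
<iframe src="/help"></iframe>
<a href="javascript:void(0)">Menu</a>"""
```

Calling `check(SAMPLE, "https://bank.example/login")` returns the list of violations with line numbers plus the off-site links that the proposed mode would mark for the user.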

