A couple of comments in a couple different directions...

Eric states that there will be implementation issues.

To be nastier about it, if the browser vendors can't shut off
Javascript when I hit the checkbox, why think they could
do it by following an HTML directive?

And to pre-hack the idea.. chances are that I'm going to be able
to do something to escape the headers... i.e. I'll find a way to start
a new set of headers, perhaps opening a new frame.

> It would be nice if there were an HTTP header that, if sent to the
> client, would cause the client to disable javascript, vbscript, etc. for
> that document only. Sites who wished to display untrusted pages (webmail
> sites, web discussion forums, etc.) could then use a multi-frame layout.
> Any frame that contained untrusted code would have this header included in
> the delivery of its content to ensure that the scripts would not be
> evaluated, regardless of the normal client settings; other frames, whose
> "trusted" documents would be sent without this header, would still be able
> to use scripting (if enabled on the client).

I don't want to discourage the idea necessarily, just pick on the
browser vendors.  Perhaps they'd have a better chance of
getting it right the first time that way.

On a different tangent:

Several folks suggested that all tags be stripped unless they are
"known safe".

Doing so will kill your ability to mail around C code, unless you
HTMLize it first.  If you don't, all your #<includes> will disappear,
and perhaps the rest of the note if it's waiting for a #</include> :)

                         Ryan
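
The tag-stripping point above, as an added example that is not part of the original message: a minimal allowlist stripper next to plain HTML escaping ("HTMLizing"), run over a constructed mail body. The `ALLOWED` set, the function names and the sample text are assumptions made for illustration, and this stripper drops only the tag itself, not the text after it.

```python
import html
from html.parser import HTMLParser

ALLOWED = {"b", "i", "p", "br", "pre"}  # assumed "known safe" tag list


class AllowlistStripper(HTMLParser):
    """Keep text and allowlisted tags (attributes dropped); discard all other tags."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def strip_unknown_tags(body):
    """Allowlist filtering: anything shaped like an unknown tag vanishes."""
    parser = AllowlistStripper()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def htmlize(body):
    """Escape markup characters so the whole body is displayed as literal text."""
    return html.escape(body, quote=False)


# Constructed sample message: C source plus one allowed and one unwanted tag.
SAMPLE = (
    "Try this:\n"
    "#include <stdio.h>\n"
    'int main(void) { puts("hi"); return 0; }\n'
    "<b>Thanks</b><script>alert(1)</script>\n"
)

if __name__ == "__main__":
    print(strip_unknown_tags(SAMPLE))  # the header name is gone from the #include
    print(htmlize(SAMPLE))             # the #include survives as &lt;stdio.h&gt;
```

Both functions leave no live script element in the output, but only the escaped form lets the recipient recover the C source exactly as it was sent.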