A couple of comments in a couple different directions...

Eric states that there will be implementation issues. To be nastier about it, if the browser vendors can't shut off Javascript when I hit the checkbox, why think they could do it by following an HTML directive?

And to pre-hack the idea.. chances are that I'm going to be able to do something to escape the headers... i.e. I'll find a way to start a new set of headers, perhaps opening a new frame.

> It would be nice if there were an HTTP header that, if sent to the
> client, would cause the client to disable javascript, vbscript, etc. for
> that document only. Sites who wished to display untrusted pages (webmail
> sites, web discussion forums, etc.) could then use a multi-frame layout.
> Any frame that contained untrusted code would have this header included in
> the delivery of its content to ensure that the scripts would not be
> evaluated, regardless of the normal client settings; other frames, whose
> "trusted" documents would be sent without this header, would still be able
> to use scripting (if enabled on the client).

I don't want to discourage the idea necessarily, just pick on the browser vendors. Perhaps they'd have a better chance of getting it right the first time that way.

On a different tangent: Several folks suggested that all tags be stripped unless they are "known safe". Doing so will kill your ability to mail around C code, unless you HTMLize it first. If you don't, all your #<includes> will disappear, and perhaps the rest of the note if it's waiting for a #</include> :)

Ryan
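The tag-stripping side effect raised at the end of the message above, as an added example that is not part of the original post: an allowlist filter run over a constructed mail body, once dropping unknown tags and once entity-escaping them. The allowlist, the function name and the sample mail are assumptions made for this illustration.

```python
import html
import re

# Hypothetical "known safe" allowlist, chosen only for this example.
SAFE_TAGS = {"b", "i", "em", "strong", "p", "br", "pre"}

# Anything shaped like a tag: <name ...> or </name>.
TAG_RE = re.compile(r"<(/?)([^\s<>/]*)([^<>]*)>")


def sanitize(body, unknown="strip"):
    """Keep allowlisted tags; strip or entity-escape everything else."""
    out, pos = [], 0
    for m in TAG_RE.finditer(body):
        # Plain text between tags is always entity-escaped.
        out.append(html.escape(body[pos:m.start()], quote=False))
        closing, name, _attrs = m.groups()
        if name.lower() in SAFE_TAGS:
            # Re-emit without attributes so no event handlers survive.
            out.append(f"<{closing}{name.lower()}>")
        elif unknown == "escape":
            # Unknown tag becomes visible text instead of markup.
            out.append(html.escape(m.group(0), quote=False))
        # unknown == "strip": the token is dropped silently.
        pos = m.end()
    out.append(html.escape(body[pos:], quote=False))
    return "".join(out)


# Constructed sample: C source mailed as plain text, plus real markup.
MAIL = (
    "#include <stdio.h>\n"
    "int main(void) { return 0; }\n"
    "<b>bold</b><script>alert(1)</script>"
)

if __name__ == "__main__":
    print(sanitize(MAIL, unknown="strip"))   # the header name is gone
    print(sanitize(MAIL, unknown="escape"))  # the header name survives as text
```

In both modes the script element never reaches the reader as markup; only the escaping mode keeps the include line intact.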
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:35 PDT