
HN uses x-frame-options:"DENY" to good effect, which takes care of a fair number of click-jack tricks; it also uses strict-transport-security.

But there is only so much you can do with headers; the real risks are in the documents themselves.

How about a <nojs> </nojs> pair in the primary document disabling any kind of javascript execution in the space between the tags. And those tags should only work in the primary document.



> How about a <nojs> </nojs> pair in the primary document disabling any kind of javascript execution in the space between the tags.

But wouldn't folks still be able to inject scripts by just writing `</nojs><script>alert('hi')</script><nojs>`?


CSP does exactly that; you can just ban inline scripts entirely.
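An added example, not part of the thread: a small Python checker that parses a Content-Security-Policy value and reports whether it actually forbids inline script execution (the property a `<nojs>` wrapper could never guarantee, since injected markup can close the wrapper), alongside the X-Frame-Options and Strict-Transport-Security checks mentioned above. The two header sets at the bottom are constructed for illustration, not captured from any real site.

```python
"""Audit the response-header defences discussed in the thread:
X-Frame-Options (framing), Strict-Transport-Security (HSTS) and
Content-Security-Policy (inline script control)."""


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [source expressions]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers honour the first occurrence and ignore the rest, so we do too.
    """
    directives: dict[str, list[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


def inline_scripts_blocked(policy: str) -> bool:
    """True if the policy refuses arbitrary inline <script> blocks.

    script-src governs scripts; default-src is the fallback when it is absent.
    With neither present the browser default applies and inline scripts run.
    'unsafe-inline' re-enables them, except that a nonce- or hash-source in
    the same directive makes modern browsers ignore 'unsafe-inline', so only
    scripts carrying the right nonce/hash execute (injected ones do not).
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False
    return True


def audit_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return one finding per defence ("ok" or a short description of the gap).

    Header names are matched case-insensitively. Framing is considered
    covered by either X-Frame-Options DENY/SAMEORIGIN or a CSP
    frame-ancestors directive that is not wide open.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: dict[str, str] = {}

    csp = h.get("content-security-policy")
    csp_directives = parse_csp(csp) if csp is not None else {}

    xfo = h.get("x-frame-options", "").strip().upper()
    frame_ancestors = csp_directives.get("frame-ancestors")
    if xfo in ("DENY", "SAMEORIGIN") or (frame_ancestors is not None and "*" not in frame_ancestors):
        findings["framing"] = "ok"
    else:
        findings["framing"] = "no X-Frame-Options or frame-ancestors (clickjacking)"

    hsts = h.get("strict-transport-security", "").lower()
    findings["hsts"] = "ok" if "max-age=" in hsts else "no Strict-Transport-Security"

    if csp is None:
        findings["csp"] = "no Content-Security-Policy"
    elif inline_scripts_blocked(csp):
        findings["csp"] = "ok"
    else:
        findings["csp"] = "CSP permits inline scripts"
    return findings


# Constructed sample responses (illustrative, not captured from a real server).
WEAK_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs))
```

Running the module prints the findings for both constructed header sets; `audit_headers` can be fed the header dictionary from any HTTP client response to check a real deployment.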




