How to Tell a Browser that Your Site Has No Scripts

I have created a Tor hidden service site which has absolutely no JavaScript or other types of client-side scripts. The page consists of HTML, CSS, images, and some JSP for handling user input.

While I encourage users to use NoScript, not all users follow this advice. Unfortunately, putting a big message across the page forcing them to disable scripts is too annoying to be useful, and users tend to ignore warnings.

Is there a way I could make my site tell the user’s browser that my page has no scripts, and if it finds any on the page then to ignore them?

I am doing this as an extra precaution against XSS, which could be from malicious hackers or from investigators attempting to identify IPs of users on my site.

EDIT: Just to make it clear, I want the website to tell the browser to do this. I don’t want to have to tell each visitor how to configure their browser. Users are usually not very knowledgeable or proactive when it comes to configuring their browsers.

Solution: Harden Your Content Security Policy

A good option is to harden your Content Security Policy. This allows you to fine-tune which resources the browser will load and run, and is supported by most browsers.

Consider the following header:

Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self';

This tells the browser to disable scripts, frames, connections, and any other objects or media. We then permit images and stylesheets to be loaded, but only from the same domain.

Leave a Reply

Your email address will not be published. Required fields are marked *