How to Tell a Browser that Your Site Has No Scripts
I have created a Tor hidden service site which has absolutely no JavaScript or other types of client-side scripts. The page consists of HTML, CSS, images, and some JSP for handling user input.
While I encourage users to use NoScript, not all users follow this advice. Unfortunately, putting a big message across the page forcing them to disable scripts is too annoying to be useful, and users tend to ignore warnings.
Is there a way I could make my site tell the user’s browser that my page has no scripts, and if it finds any on the page then to ignore them?
I am doing this as an extra precaution against XSS, which could be from malicious hackers or from investigators attempting to identify IPs of users on my site.
EDIT: Just to make it clear, I want the website to tell the browser to do this. I don’t want to have to tell each visitor how to configure their browser. Users are usually not very knowledgeable or proactive when it comes to configuring their browsers.
Solution: Harden Your Content Security Policy
A good option is to harden your Content Security Policy. This allows you to fine-tune which resources the browser will load and run, and is supported by most browsers.
Consider the following header:
Content-Security-Policy: default-src 'none'; img-src 'self'; style-src 'self';
This tells the browser to disable scripts, frames, connections, and any other objects or media. We then permit images and stylesheets to be loaded, but only from the same domain.