Most of the time I’m on the web, I just want to read something. I think it would be nice to have a modified mode that strips out the parts of HTTP and HTML that lend themselves to abuse.

A knee-jerk response to this would be: ”If you don’t want those features, don’t use them.” That is well enough for the publisher, yet it does nothing to assure the audience. If I am a reader, and I want to know if the site I am reading is spying on me, or abusing me in some other way, I would have to carefully review the HTML, review the JavaScript, open the debugger, see what’s going on with local storage, cookies, and the like, and I still wouldn’t know if any of the image tags are being used to track me.

Some people handle this problem by manually disabling things in the browser’s settings, but that is cumbersome, and some “features” cannot be disabled. The most popular approach is to use 3rd-party privacy add-ons in the browser, but God only knows what some of those things get up to.

This protocol modification (lets make it sfwb://, for safe web) would serve as a browser-enforced contract that makes the HTTP request and the HTML document far less capable of abusing your privacy or your computer.

On an sfwb:// request (basically still HTTP), the browser will enforce the following:

  1. all plug-ins and JavaScript are disabled
  2. no cookie information is sent, all received cookie information is discarded
  3. to neuter web beacons, no linked assets (images, audio, iframes, etc.)
  4. all media assets (images, audio, etc.) to be embedded into document as base-64 data URIs (to supplement rule #3)
  5. perhaps this is paranoia, but disable caching to prevent security leaks in non-SFWB pages from inspecting the cache or history of SFWB documents

Of course the commercial content portals of the web will have nothing to do with this, but that is fine. This idea is for people who just want to publish something to share with their security and privacy conscious peers. It would also be handy for safely rendering rich e-mails inside the browser without having to resort to document scrubbing.

Leave a Reply

<a href="" title="">, <abbr title="">, <acronym title="">, <b>, <blockquote cite="">, <cite>, <code>, <del datetime="">, <em>, <i>, <q cite="">, <s>, <strike>, <strong>