Hello, I hope this is the right mailing-list for my mail and there is no similar suggestion mailed before.
My idea is to create an universal HTML-attribute to block cross-site-scripting –attacks for parts of a website, p. e. login-forms.
Like “httponly” for Cookies I want to have a possibility to limit the access by Javascript and other scripting-languages in the browser.
An attribute “scriptaccess” could have the values: “on”, “off”, and “read only”.
“on” would be the standard behavior, HTML-element s have nowadays and the default if “scriptaccess” is not used.
“off” would make the HTML-element invisible for Scripts.
And “read only” of course only readable for them.
“scriptaccess” should also affect child-nodes of the node with the attribute “scriptaccess”.
For child-nodes – of course – it should be possible to could change the behavior with an “scriptaccess”-attribute on it.
