>>>> From GNUcitizen's Let's Fix the Web:
Here they are:
- Allow the user to sandbox and unsandbox applications and web resources with a single click
- Sandbox by default known applications such as GMail, Yahoo Mail, etc.
- In the sandbox, mark all cookies as `secure` to prevent session leaks
- In the sandbox, mark non-session cookies as `httpOnly` to prevent session hijacks due to XSS
- Make sure that while on HTTPS, all embedded resources are delivered over HTTPS as well.
- Provide the option to turn off JavaScript, Java, Flash, Silverlight, etc. on a per-sandbox basis
- Block any external requests to sandboxed applications
- Implement the PHPIDS signature matching mechanism in JavaScript
- If the HTML structure is heavily broken, block the page to prevent some types of persistent XSS
- Record SSL signatures on a trusted network and warn if the signature changes while on an untrusted network
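Two of the sandbox items above (the cookie-flag rules and the HTTPS-only embedded resources rule) are mechanical enough to show as code. The following is an added illustration, not GNUcitizen's code or anything from their proposal: a Set-Cookie rewriter that follows the list as written (every cookie gets `Secure`; cookies carrying `Expires` or `Max-Age`, i.e. non-session cookies, also get `HttpOnly`, without duplicating flags the server already set), plus a mixed-content check that resolves relative and protocol-relative URLs against the page before deciding whether a resource is fetched over HTTPS. The sample headers and URLs are constructed for the example; the function names are my own.

```javascript
// Added example (not from the GNUcitizen proposal). Implements the two
// sandbox rules from the list: mark every cookie Secure, mark non-session
// cookies HttpOnly, and flag embedded resources that are not HTTPS.

// Rewrite one Set-Cookie header value. Attribute names are matched
// case-insensitively (RFC 6265 attributes are case-insensitive), and flags
// that are already present are not added a second time.
function hardenSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) return headerValue;
  const [nameValue, ...attrs] = parts;            // first part is name=value
  const attrNames = attrs.map((a) => a.split('=')[0].trim().toLowerCase());

  // A cookie with Expires or Max-Age is persistent, i.e. not a session cookie.
  const isPersistent = attrNames.includes('expires') || attrNames.includes('max-age');

  const out = [nameValue, ...attrs];
  if (!attrNames.includes('secure')) out.push('Secure');
  if (isPersistent && !attrNames.includes('httponly')) out.push('HttpOnly');
  return out.join('; ');
}

// Apply the rewrite to every Set-Cookie header of a response.
function hardenAll(setCookieHeaders) {
  return setCookieHeaders.map(hardenSetCookie);
}

// Return the embedded resource URLs that would NOT be delivered over HTTPS
// when the page itself is HTTPS. Relative ("/x.css") and protocol-relative
// ("//cdn/x.js") references are resolved against the page URL first, so they
// inherit its scheme and are not reported as insecure.
function findInsecureResources(pageUrl, resourceUrls) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return [];     // rule only applies on HTTPS pages
  return resourceUrls.filter((u) => new URL(u, page).protocol !== 'https:');
}

// Constructed sample input (not captured from any real site).
const SAMPLE_SET_COOKIE = [
  'SID=abc123; Path=/; Domain=.example.com',                        // session cookie
  'remember=xyz; Max-Age=86400; Path=/',                            // persistent cookie
  'pref=1; Expires=Wed, 21 Oct 2025 07:28:00 GMT; secure; HTTPONLY' // already hardened
];
const SAMPLE_PAGE = 'https://mail.example.com/inbox';
const SAMPLE_RESOURCES = [
  'https://mail.example.com/app.js',
  'http://cdn.example.net/lib.js',      // plain HTTP on an HTTPS page
  '/style.css',
  '//tracker.example.org/t.gif'
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(hardenAll(SAMPLE_SET_COOKIE));
  console.log(findInsecureResources(SAMPLE_PAGE, SAMPLE_RESOURCES));
}
```

The header rewriter works on the raw `Set-Cookie` string so it can sit wherever a sandboxing extension sees responses, and it deliberately treats only persistence as the `HttpOnly` trigger, because that is the rule the list states; a real deployment would want to decide separately whether session cookies should also be made `HttpOnly`. The mixed-content check needs the page URL as the base, since a bare scheme comparison on `/style.css` or `//cdn/x.js` would wrongly report them.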