>>>> From GNUcitizen's Let's Fix the Web:
Here they are:
- Allow the user to sandbox and unsandbox applications and web resources with a single click
- Sandbox by default known applications such as GMail, Yahoo Mail, etc.
- In the sandbox, mark all cookies as secure to prevent session leaks
- In the sandbox, mark non-session cookies as httpOnly to prevent session hijacks due to XSS
- Make sure that while on HTTPS, all embedded resources are delivered over HTTPS as well.
- Block any external requests to sandboxed applications
- If the HTML structure is heavily broken, block the page to prevent some types of persistent XSS
- Record SSL signatures on trusted network and warn if signature changes while on untrusted network
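The two cookie items in the list (Secure on every cookie, HttpOnly on non-session cookies) can be implemented as a Set-Cookie rewriter applied to responses from sandboxed hosts. The code below is an added illustration, not GNUcitizen's code; the sandbox host list and the header format are assumptions, and a cookie counts as a session cookie when it carries neither Expires nor Max-Age.

```python
from typing import Iterable, List

# Assumed default sandbox list, standing in for the "known applications" item above.
SANDBOXED_HOSTS = {"mail.google.com", "mail.yahoo.com"}


def _has_attr(attrs: List[str], name: str) -> bool:
    # Attribute names are case-insensitive; flags like Secure have no "=value".
    return any(a.split("=", 1)[0].strip().lower() == name for a in attrs)


def is_session_cookie(attrs: List[str]) -> bool:
    # No Expires and no Max-Age means the cookie dies with the browser session.
    return not (_has_attr(attrs, "expires") or _has_attr(attrs, "max-age"))


def harden_set_cookie(header: str) -> str:
    """Rewrite one Set-Cookie header value per the sandbox rules above."""
    parts = [p.strip() for p in header.split(";")]
    name_value, attrs = parts[0], parts[1:]
    # Rule: every sandboxed cookie gets Secure, so it is never sent over plain HTTP.
    if not _has_attr(attrs, "secure"):
        attrs.append("Secure")
    # Rule: persistent (non-session) cookies get HttpOnly, so script cannot read them.
    if not is_session_cookie(attrs) and not _has_attr(attrs, "httponly"):
        attrs.append("HttpOnly")
    return "; ".join([name_value] + attrs)


def harden_response_cookies(host: str, set_cookie_headers: Iterable[str]) -> List[str]:
    """Apply the rewrite only when the response comes from a sandboxed application."""
    if host.lower() not in SANDBOXED_HOSTS:
        return list(set_cookie_headers)
    return [harden_set_cookie(h) for h in set_cookie_headers]


if __name__ == "__main__":
    # Constructed sample headers, as a sandboxed mail host might send them.
    sample = ["SID=abc123; Path=/",
              "PREF=xyz; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/"]
    for h in harden_response_cookies("mail.google.com", sample):
        print(h)
```

Note that the Secure flag only helps if the application really is served over HTTPS, which is why the list pairs it with the "all embedded resources over HTTPS" item.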