Disable browser features from the server

Question

I think it would be nice for security and performance reasons, if a server could tell the browser, in it's response:

Look browser: I'm a simple website, all I need is html and css, so please disable javascript when you show my page. Or at least disable this APIs which I don't need.

Then the browser could render that page much faster and safer because it knows it won't have to do a bunch of things. I know that certain doctypes trigger certain rendering modes, and that some metatags change browser behavior. Is there any mechanism intended for this purpose?

Answer 1

The browser would not benefit from that knowledge, because the browser's HTML parser does not invoke the JavaScript interpreter unless a <script> tag is encountered. By having the browser parse a page of HTML without any <script> tags, you are explicitly telling the browser to skip over that "rendering mode". See here for a more detailed explanation of what the browser does when parsing a document.

I have not been able to find any such meta tag or DOCTYPE declaration that limits the page from using JavaScript.

However, the security concern here revolves around the potential for malicious or insecure JavaScript ever running on your page.

• If your page already has no JavaScript, then you are safe from accidental security holes caused by poorly-written or otherwise faulty JavaScript.

• If you are still paranoid about never having any scripts on your page, consider serving that page over SSL; that way, an attacker wouldn't be able to perform man-in-the-middle attack and inject malicious code into your web page en-route to its destination.