The state of security on the web is pathetic. The best/only real indicator we give users that a site is supposedly secure is an HTTPS indicator, possibly with a basically meaningless EV indicator. In reality those are no indication that the site itself is safe.

So what if browsers supported an HTML Secure Mode subset which disallowed any JavaScript, iframes and other potentially problematic behaviors (such as form submissions to different domains, etc.) This would work like JavaScript strict, where the page itself would indicate it is made to this specification and the browser should hold it to it and throw errors/not display otherwise.

This could be used for sites where security is more important than bells and whistles. Like banking websites, government websites like electronic voting, etc.

Granted this is not a perfect solution, and it doesn't guarantee that the server side is any better, but it at least might be a step in the right direction. If browsers supported it and we made sites to the specification, it could give indication to users that there's a large swath of potential exploits that are not possible.

Does this idea have any potential or am I just thinking about this too early in the day?

EDIT: I realize that graceful failing is a key tenant of the web, so maybe it would just fail like HTTPS does and indicate to the user "This site said it was secure but it isn't." If it passes Safe Mode validation then it gets some kind of special, really obvious to the user indicator.

The idea here is to make a mode where a) you can be sure everything on the page is coming from the site you thought you were talking to and thus b) that the server itself would have to be compromised for the page to be compromised.

This mode could also have additional effects like indicating when a link on the page would take you away from this site, etc.