JavaScript verification using SHA1

One of the most modern ways of performing a malicious attack is a client-side attack using JavaScript. What happens is: you visit a site, and that site has JavaScript that your browser executes. You continue to surf while the JavaScript continues to run in your browser. From there, only the attacker's imagination limits what that malicious JS does. I won't elaborate on the consequences, but this is somewhat of a new trend on the internet, especially now that Firefox 3 and Opera both execute JavaScript in the blink of an eye.

So I got this idea that might be worthwhile hearing out.

Scenario: when Frank surfs the web, he gets infected by a client-side attack using JavaScript. He is not aware of this, because the browser he uses has no idea what JavaScript should be running during the session.

So here is what I'm thinking: what if jQuery shipped with a SHA1 stamp that told the browser, "this is the code you should be running"? If that SHA1 stamp does not match the jQuery code, you are most probably being attacked. Alternatively, the browser simply halts all other code that doesn't match the SHA1 stamp during the session.
This would, however, require that browsers support JS verification. I could foresee this starting out as a Firefox plugin (prototyping).

Another solution would be for Drupal to generate that SHA1 stamp by collecting together all the JavaScript code.
Or Apache could have a plugin (maybe a git plugin?), or we could simply use git on the server side and generate the SHA1 stamp. I'm just brainstorming solutions to what I consider among the most scary shit that has happened to the web ever. Because it is. Trust me.
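A sketch of the stamp idea described above, as an added example that is not code from this post or from jQuery, Drupal or any browser: the server side collects the scripts and records one stamp each, and the checking side refuses anything unstamped or altered. The file names, script bodies and function names are constructed for illustration, and it runs under Node.js.

```javascript
const crypto = require("node:crypto");

// Hash one script body. SHA-1 is used because the post names it; it is no
// longer collision resistant, so pass "sha256" for anything beyond a demo.
function stamp(source, algorithm = "sha1") {
  return crypto.createHash(algorithm).update(source, "utf8").digest("hex");
}

// Server side: collect every script the site ships and record one stamp each.
// `scripts` maps a file name to its source text (hypothetical layout).
function buildManifest(scripts, algorithm = "sha1") {
  const entries = new Map();
  for (const [name, source] of Object.entries(scripts)) {
    entries.set(name, stamp(source, algorithm));
  }
  return { algorithm, entries };
}

// Browser side: decide whether a received script may run. Anything without a
// stamp, or whose stamp differs, is refused (the "halt other code" option).
function verifyScript(manifest, name, source) {
  const expected = manifest.entries.get(name);
  if (expected === undefined) {
    return { name, allowed: false, reason: "no stamp for this script" };
  }
  const got = Buffer.from(stamp(source, manifest.algorithm), "hex");
  const want = Buffer.from(expected, "hex");
  const ok = got.length === want.length && crypto.timingSafeEqual(got, want);
  return { name, allowed: ok, reason: ok ? "stamp matches" : "stamp mismatch" };
}

// Constructed sample input: two shipped scripts, then what a session receives.
const shipped = {
  "jquery.js": "window.jQuery = function (sel) { return document.querySelectorAll(sel); };",
  "site.js": "jQuery('a.external').forEach(function (a) { a.rel = 'noopener'; });",
};
const manifest = buildManifest(shipped);
const received = [
  ["jquery.js", shipped["jquery.js"]],                               // untouched
  ["site.js", shipped["site.js"] + "\n/* line added in transit */"], // modified
  ["widget.js", "console.log('never stamped');"],                    // unknown
];
const results = received.map(([name, src]) => verifyScript(manifest, name, src));
for (const r of results) console.log(r.name, r.allowed ? "RUN" : "BLOCK", "-", r.reason);
```

The check is only as trustworthy as the manifest: if the stamps travel over the same channel as the scripts, whoever can alter a script can alter its stamp too. Browsers later standardized a per-script form of this idea as Subresource Integrity (the `integrity` attribute), which accepts sha256, sha384 and sha512 digests.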

I've enabled comments, so you can participate in the discussion.

Comments

It's not that bad.

Actually, js scripts are pretty restricted in your browser. In particular, there is the "same origin" check performed, meaning they cannot have access to pages loaded from a different domain than the scripts themselves. They also cannot access information from windows they didn't create, and potentially sensitive information, like browsing history or clipboard contents. A lot of care has been taken to prevent them from becoming invisible too -- they cannot move windows beyond the screen or make them smaller than 100×100 pixels. At least in modern browsers (which obviously excludes MSIE). Unless... you sign them, just like you describe: http://www.mozilla.org/projects/security/components/signed-scripts.html
