Last week I talked about JavaScript security at Virus Bulletin 2009. One of the security problems with JavaScript (probably the most insidious) is Cross-site Scripting (usually shortened to XSS). The basic defense against XSS is to filter user input, but this has been repeatedly shown to be a nightmare. Just yesterday Reddit got hit by an XSS worm that created comments because of a bug in the implementation of markdown.

I believe the answer is for sites to sign the <SCRIPT> tags that they serve up. If they signed against a key that they control then injected JavaScript could be rejected by the browser because its signature would be missing or incorrect, and the entire XSS problem would disappear.

For example, this site includes Google Analytics and here's the JavaScript:

<script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(un