I want to tell the server that the browser does not support javascript.
What's the most common approach to do that? (What header is most common?)
The HTTP protocol doesn't define any such header. So you could use a custom one. Like:
X-JAVASCRIPT-ENABLED: false
But of course you could have as well used any other header you liked. And by the way, may I ask why the server would care whether the client supports javascript or not? I mean, that's the client's responsibility. The <noscript> tag is a good way to provide alternative content to clients not supporting javascript.
@Darin's answer used to be correct, today one would use Content-Security-Policy: sandbox (...)
I would recommend just
Content-Security-Policy: sandbox;
as the safest option, but that will disallow much more than just scripts; to allow "everything except scripts", it would probably be:
Content-Security-Policy: sandbox allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-by-user-activation;
with the only missing value being allow-scripts
(but again, I recommend just enabling all the sandboxing features, e.g. Content-Security-Policy: sandbox;)
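A way to check what a given Content-Security-Policy value does with the sandbox directive discussed in the answer above (an added example, not part of either answer). The function names and sample header values are constructed for illustration; it also covers repeated directives and comma-separated policies, which the answer does not go into.

```javascript
// Sandbox tokens from the answer above; "allow-scripts" is the one it leaves out.
const ANSWER_TOKENS = [
  "allow-downloads-without-user-activation", "allow-forms", "allow-modals",
  "allow-orientation-lock", "allow-pointer-lock", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-presentation", "allow-same-origin",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
];

// Parse one Content-Security-Policy header value into a list of policies.
// A comma separates policies; a semicolon separates directives in a policy.
function parsePolicies(headerValue) {
  return headerValue.split(",").map((policy) => {
    const directives = new Map();
    for (const part of policy.split(";")) {
      const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
      if (!name) continue;
      const key = name.toLowerCase(); // directive names are case-insensitive
      // CSP keeps the first occurrence of a directive and ignores repeats.
      if (!directives.has(key)) directives.set(key, values.map((v) => v.toLowerCase()));
    }
    return directives;
  }).filter((d) => d.size > 0);
}

// Returns { sandboxed, scriptsBlocked, allowed } for the header value.
// scriptsBlocked reports only what the sandbox directive does, not script-src etc.
// Every policy is enforced, so a token counts only if each sandbox directive grants it.
function sandboxSummary(headerValue) {
  const sandboxes = parsePolicies(headerValue)
    .filter((d) => d.has("sandbox")).map((d) => new Set(d.get("sandbox")));
  if (sandboxes.length === 0) return { sandboxed: false, scriptsBlocked: false, allowed: [] };
  const allowed = [...sandboxes[0]].filter((t) => sandboxes.every((s) => s.has(t)));
  return { sandboxed: true, scriptsBlocked: !allowed.includes("allow-scripts"), allowed };
}

// Constructed sample header values.
const strict = "sandbox;";
const noScripts = "sandbox " + ANSWER_TOKENS.join(" ") + ";";
for (const h of [strict, noScripts, "sandbox allow-scripts allow-forms", "default-src 'self'"]) {
  const s = sandboxSummary(h);
  const verdict = !s.sandboxed ? "no sandbox" : s.scriptsBlocked ? "scripts blocked" : "scripts ALLOWED";
  console.log(`${verdict} (${s.allowed.length} tokens granted): ${h.slice(0, 50)}`);
}
```

The sandbox directive only takes effect when delivered in the enforcing Content-Security-Policy response header; it is ignored in Content-Security-Policy-Report-Only and in a meta element.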