I think something else can be done for XSSAuditor.. could it be an exception to src attributes on <script> tags if the URL is in the same domain and is a single file with no querystring? Something like: <script type="text/javascript" src="/acs.js"></script> Shouldn't be disabled by an attacker doing: http://victim.com/?disable_script=<script type="text/javascript" src="/acs.js"></script> The part where I say "with no querystring" is that we shouldnt allow: <script type="text/javascript" src="/index.php?asdf=asdf&asdf=asdf"></script> Since in some weeeird cases that may be a vulnerability (its very dangerous anyway, since if you can make valid JS, you could probably make valid XML and load a crossdomain file for flash).. anyway, to be sure, only adding the exception for "/acs.js" should be safe. I ask this since if a user is already able to modify the content of a file in the same domain then he can probably make a XSS directly anyway.. and if it's not done this way, the attack of disabling essential scripts for the page will be difficult. This should reduce in some degree the attack scenario where an attacker disable scripts on the guest page.. also this should increase compatibility.. Test case: http://eaea.sirdarckcat.net/testhtml.html?disable_script=%3Cscript%20type=%22text/javascript%22%20src=%22acs.js%22%3E%3C/script%3E Greetings!!