Acidus wrote: If John Q. Man-in-the-Middle is playing with you, having your XSS filter is the *least* of your worries ;-)
No doubt. One of these days, my foot will grow to be too big to fit into my mouth.

Acidus wrote: Keep in mind this is an IE only feature, so NoScript will keep on working no problem.
Right. That wasn't what I was driving at with my question. Lemmy rephrase it.

a) Why is a server operator- or web publisher-driven "XSS protect off" switch considered -from a security standpoint- superior to a client- (or Domain Administrator)-driven whitelist?

b) If there is simply no reason for anyone to ever use this switch, why does it exist? Shouldn't it be welded in the "Secure" position?

RE: Memo To Google: Stop Screwing with IE Security!