### Background

As readers here would be aware, many online threats can be mitigated by disabling JavaScript and cookies on untrusted websites. However, phishing can still be achieved with a static HTML page that masquerades as the target page. All that is required is CSS to style the page, and an HTML form where the user types their password.

In the thread discussing Exploratirum's phishing attack today, a few ideas to mitigate phishing threats were mentioned / proposed:

* Two-factor authentication
* A browser extension that checks whether a known password is being used on an unknown website.
* Browser extensions such as LastPass can prevent phishing indirectly because the password is based on `window.location.origin`
* Security images, which are not very effective as per [1]

I had an idea which seems simple, effective and easy to implement by the browser vendor.

### Idea: Block forms by default

Much like the option of blocking cookies and/or JavaScript by default, if browsers prevented form actions by default then a majority of phishing attacks could be prevented.

A user might type in the password on an unknown site, but if the form action was prevented (in addition to JavaScript), the site wouldn't receive the password and the user would be alerted to it.

Thoughts?

[1]: http://security.stackexchange.com/questions/19155/
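As an added illustration of the "block forms by default" policy proposed above (this is example code, not from the original post or from any browser vendor), the following models how a browser extension content script could enforce it: a credential-carrying form is allowed to submit only when both the hosting page and the form's action target are on a user-maintained allow-list, and is otherwise cancelled before it reaches the network and the user is alerted. The allow-list entry, the sample origins and all function names are assumptions made for the example.

```javascript
// Added example: a "block credential forms by default" policy as a browser
// extension content script might apply it. Allow-list entries, sample origins
// and function names are assumptions, not from the original post.

// Origins the user has explicitly allowed to send or receive password forms.
// Everything not listed here is treated as unknown and blocked by default.
const ALLOWED_ORIGINS = new Set([
  "https://login.example.com",   // constructed sample entry
]);

// Resolve a form's action attribute against the page that hosts it.
// A missing or relative action posts back to the hosting page.
function resolveAction(formOrigin, actionUrl) {
  return new URL(actionUrl || "/", formOrigin).origin;
}

// Classify a submission. Returns a string the extension UI could show:
//   "allowed:no-credentials"     form has no password field, not policed
//   "blocked:unknown-site"       page hosting the form is not allow-listed
//   "blocked:unknown-action"     page is trusted but the action target is not
//   "allowed"                    both page and target are allow-listed
function classifySubmission(formOrigin, actionUrl, hasPasswordField) {
  if (!hasPasswordField) return "allowed:no-credentials";
  if (!ALLOWED_ORIGINS.has(formOrigin)) return "blocked:unknown-site";
  const target = resolveAction(formOrigin, actionUrl);
  if (!ALLOWED_ORIGINS.has(target)) return "blocked:unknown-action";
  return "allowed";
}

// Boolean view of the same decision, used by the event handler below.
function shouldBlockSubmission(formOrigin, actionUrl, hasPasswordField) {
  return classifySubmission(formOrigin, actionUrl, hasPasswordField).startsWith("blocked");
}

// Wire-up for a real page: listen for "submit" in the capture phase so the
// decision is made before the form's own handlers or the navigation run.
function installFormGuard(doc, win) {
  doc.addEventListener("submit", (ev) => {
    const form = ev.target;
    const hasPassword = form.querySelector('input[type="password"]') !== null;
    const action = form.getAttribute("action");
    const verdict = classifySubmission(win.location.origin, action, hasPassword);
    if (verdict.startsWith("blocked")) {
      ev.preventDefault();            // the credentials never leave the page
      ev.stopImmediatePropagation();  // page scripts do not see the event
      win.alert("Password form blocked (" + verdict + ") on " + win.location.origin);
    }
  }, true);
}

// Only attach in a browser; the decision functions stay usable elsewhere.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  installFormGuard(document, window);
}
```

The cross-origin check matters as much as the unknown-site check: a form on an otherwise trusted page whose action points at an unlisted host is also refused. The guard only sees declarative form submissions; a page script that reads the password field and sends it with `fetch` or `XMLHttpRequest` never fires a `submit` event, which is why the proposal above pairs form blocking with JavaScript being disabled on untrusted sites.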
It's an interesting idea, but attackers would switch to using JavaScript. And I don't think it's realistic for typical users to have JavaScript default off.