New Tor Browser http response header, for high security websites
When someone uses Tor Browser to load a SecureDrop website with JavaScript enabled, the site recommends that they disable it. But at the moment there are some big UX problems with how this is done: it's a big, scary red warning that is displayed to nearly all users, and the instructions are out of date (they tell you to disable JS using NoScript instead of the Tor Browser security settings slider). Overall it's scary and confusing, and it tells everyone to jump through hoops.
Here's some of the discussion about this on the SecureDrop issue tracker: https://github.com/freedomofpress/securedrop/issues/1566
The rationale for telling users to disable JavaScript is that the SecureDrop server itself is part of the threat model. If someone successfully compromises a SecureDrop server, they can then serve Tor Browser exploits to all of its users to deanonymize them (similar to the Freedom Hosting attack), and high security mode reduces this attack surface a lot.
I'd like to propose a new custom HTTP response header that Tor Browser watches for: `X-Tor-High-Security: 1`. If you load a website with this header set, no matter what the Tor Browser security slider is currently set to, it should treat that tab as if the slider were set to high.
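<!-- placeholder, replaced below -->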
This would also be very useful for anyone running websites where they include themselves in the threat model, such as Tor-based email providers.