I compiled a detailed bug report for Mozilla, where I described (some of) the possible attacks and (when asked) suggested a few possible solutions.
The issue has been closed for policy (political?) reasons after 30 minutes.
Bugzilla is not a discussion forum.
Unfortunately, no one stated whether the attacks are possible or not.
To me, this means that all Firefox’s users are under a serious threat, but Mozilla won’t do anything to protect them.
Chromium’s guys were faster to say they won’t fix the issue.
In less than 10 minutes he couldn’t have realized that, given how WHATWG Living Standards are written, filing a bug there is the proper way to “change web standards”!
Anyway, to answer your question, the solution is simple, if it’s not easy.
The execution of Web software should be opt-in, not opt-out
(if you can opt out, given how usable the UIs to disable JavaScript are).
Now, given the severity of the issue, as a first step I would release an emergency fix that disables JavaScript (and Meta Refresh) without looking at the user settings.
Then I would deploy a mid-term fix so that:
- Page Refresh through META tag and JavaScript are disabled by default
- Both can be enabled on a per-website basis, but
  - No script or CSS is requested with Cookies or other HTTP headers
  - Each script and CSS is requested through a dedicated TCP connection
  - SubResource Integrity is made mandatory (at least for JavaScript)
  - For each URI, record the SRI of last downloaded contents and warn the user if a page proposes a different SRI for that same URI
  - Warn the user about scripts served with suspect HTTP headers
- On browser exit, remove from the cache all resources downloaded by pages that have Meta Refresh and/or JavaScript enabled.
- View Page Source should never fetch new versions of the page from the server (whatever the HTTP Headers provided with the page are)
Obviously all this leaves the door open for pages that:
- are visited only once
- are visited for the first time
thus I would also mark as “Not Secure” web pages visited for the first time that require JavaScript.
In the long term the problem is that mainstream operating systems (Linux, Windows, iOS, Android…) are too primitive to safely support a distributed computation for the user.
We need to go back to the design board.
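
The mid-term fix in the post above makes Subresource Integrity mandatory and records, per URI, the SRI of the last downloaded content so the user can be warned when it changes. The following sketch of that check is an added example, not code from the post or from any browser; `SriPinStore`, its method names and the returned status strings are hypothetical, and the sample URI and script bodies in use are constructed.

```python
import base64
import hashlib

ALGOS = ("sha256", "sha384", "sha512")  # SRI algorithms, weakest to strongest


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Integrity value ("<algo>-<base64 digest>") for a response body."""
    if algo not in ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def strongest_hashes(integrity_attr):
    """Hashes of the strongest algorithm listed in an integrity attribute."""
    tokens = [t for t in (integrity_attr or "").split() if t.split("-", 1)[0] in ALGOS]
    if not tokens:
        return None, set()
    algo = max((t.split("-", 1)[0] for t in tokens), key=ALGOS.index)
    return algo, {t for t in tokens if t.startswith(algo + "-")}


class SriPinStore:
    """Hypothetical per-URI record of the last SRI value seen."""

    def __init__(self):
        self._last = {}  # uri -> integrity value of the last accepted body

    def check(self, uri, integrity_attr, body):
        algo, declared = strongest_hashes(integrity_attr)
        if algo is None:
            return "block: no integrity metadata"  # SRI is mandatory in the proposal
        actual = sri_digest(body, algo)
        if actual not in declared:
            return "block: body does not match declared integrity"
        previous = self._last.get(uri)
        self._last[uri] = actual
        if previous is None:
            return "first-use"  # nothing to compare against yet
        # Re-hash with the old algorithm so an algorithm upgrade alone is not a change.
        if sri_digest(body, previous.split("-", 1)[0]) == previous:
            return "ok"
        return "warn: content changed since last visit"
```

The `first-use` result is the case the post flags as still open: a resource seen for the first time has no earlier record to compare against.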