Hey MS, back in the day I used to be able turn javascript off, but IE 7 certainly doesn’t have that feature and I didn’t see it in my look through IE 8.  It would be great if there was a “Paranoid” mode in IE 8, similar to the great NoScript plugin for firefox, that allows me to selectively enable javascript for sites that make heavy use of it (”Paranoid mode” might not be an overly marketable name, so feel free to change the terminology).  You could expand the functionality to granularly block other potentially dangerous functionality, like images and other requests made for offsite resources (in blog comments and forum posts I have seen plenty of XSS attacks based on this), as well as disabling ActiveX controls and other <object> tags on certain websites (considering the number of quicktime/PDF remote exploits I don’t really like the idea of autoloading media in third party players for example).  It would be even better if I could enable this functionality with either a whitelist or blacklist of sites.

In other news, kudos on finally having a decent DOM inspector and javascript debugger!

~ Joshbw

 Update: Yeah, security zones can allow me to do this sort of thing, but it is a pain in the ass.  If I want to lock down my default internet zone to disallow javascript, and then find a website that I want to enable javascript support for, I have to go through tools->internet options->security->sites and add the site to a trusted zone, which isn’t anywhere near as easy as NoScript enabling script for a certain website in FireFox.  It also changes my definition of “trusted site” from one that I trust implicitly with just about any action, including running ActiveX objects unsafe for scripting, to sites I trust to have basic JavaScript support.  I’m not saying Security Zones can’t be modified into something that fulfills this functionality and makes such use practical, but they were not designed for it originally, and would need to be heavily modified with such use in mind.