While blocking javascript and cookies by default is a great security measure, there is still a wide room left for phishing attacks which usually work through social engineering. For example, passwords for googles.com can be collected by moogles.com, if the user is not paying attention to the URL. (Intentionally simplified example).
While sophisticated techniques like tab-nabbing can be avoided by disabling JS, simple techniques, such as the above URL hack, can be achieved with a simple HTML form.
Proposal
There could be a number of ways to disable forms on unknown websites:
Disable the form action and note it in the request manager when the action is attempted.
Disable the form entirely (greyed out inputs) a-priori by checking the action as soon as it is known to the DOM model.
The former is simpler to code so could be taken up first.
Background
While blocking javascript and cookies by default is a great security measure, there is still a wide room left for phishing attacks which usually work through social engineering. For example, passwords for googles.com can be collected by moogles.com, if the user is not paying attention to the URL. (Intentionally simplified example).
While sophisticated techniques like tab-nabbing can be avoided by disabling JS, simple techniques, such as the above URL hack, can be achieved with a simple HTML form.
Proposal
There could be a number of ways to disable forms on unknown websites:
The former is simpler to code so could be taken up first.