Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by Tom Jackson on

I think any solution that relies on information inside, or obtainable by, the client browser is doomed to failure. That should include client certs, unless the user has to type in a password for each use.

What I would like to know is if there is a method inside JavaScript of turning off or disabling JavaScript. Maybe certain operations can be removed. You can do this in Tcl, by renaming, etc. This would allow a very simple solution to the problem: just include a JavaScript in the header that disables JavaScript. Then, unless the user with privileges is complicit, nothing will happen behind the scenes.