- From: Jim Manico <jim.manico@owasp.org>
- Date: Tue, 9 Jul 2024 12:14:04 +0200
- To: Norman Szigeti <nszigeti@cmtelematics.com>
- Cc: public-webappsec@w3.org
I endorse this because it’s extremely trivial for a developer to implement a dedicated response header to disable JavaScript URLs. And looking at Google’s research, 1/3 or more of successful attacks are from JavaScript URLs. I think a dedicated response header to disable JavaScript URLs is a simple and fantastic idea that will be easy to implement and dramatically improve XSS defense. CSP is great, but it’s extremely not trivial to implement strict CSP in legacy websites. I also recommend not adding this specifically to CSP because it’s already overloaded.

Perhaps:

X-JavaScript-URI: deny

- Jim Manico

> On Jul 9, 2024, at 11:59 AM, Norman Szigeti <nszigeti@cmtelematics.com> wrote:
>
> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the right way to do it. I wanted to recommend extending the Content-Security-Policy instruction set with the ability to disable the "javascript:" pseudo-protocol. A properly written modern website does not use this kind of URL, and also it's pretty easy to check if it's required for a project or not, so it can be easy to implement this security measure in a lot of websites. And it can be a strong protection against a lot of XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti
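As an added illustration (not part of the original thread), a Python check for the "is it required for this project" question raised above: it scans markup for `javascript:` URLs in URL-bearing attributes, normalizing the value the way browsers do before matching the scheme (entity decoding, case folding, stripping of leading/trailing controls, removal of embedded tabs and newlines). The attribute list and the sample markup are constructed assumptions, not taken from any real site.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose value a browser navigates or loads as a URL.
# Assumption: illustrative list, not exhaustive.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}

_EDGE_CTRL = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")  # leading/trailing C0 + space
_INNER_WS = re.compile(r"[\t\n\r]")                      # tab/newline anywhere


def is_javascript_url(value):
    """True if an attribute value would be parsed as the javascript: scheme."""
    if value is None:                       # e.g. <a href> with no value
        return False
    decoded = html.unescape(value)          # &#106;avascript: -> javascript:
    stripped = _EDGE_CTRL.sub("", decoded)  # browsers drop edge controls/spaces
    normalized = _INNER_WS.sub("", stripped).lower()  # and embedded tab/CR/LF
    return normalized.startswith("javascript:")


class JsUrlFinder(HTMLParser):
    """Collect (tag, attribute, value) for every javascript: URL attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and is_javascript_url(value):
                self.findings.append((tag, name, value))


def find_javascript_urls(markup):
    parser = JsUrlFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample page: four javascript: URLs hidden among normal links.
SAMPLE = """
<a href="/about">About</a>
<a href="javascript:void(0)" onclick="openMenu()">Menu</a>
<a href=" JAVAscript:doThing()">Spaced</a>
<a href="&#106;avascript:toggle()">Entity</a>
<iframe src="javascript:''"></iframe>
<form action="/submit"></form>
"""

if __name__ == "__main__":
    for tag, attr, value in find_javascript_urls(SAMPLE):
        print(f"<{tag} {attr}={value!r}>")
```

A site whose own markup yields no findings can adopt a policy that disables `javascript:` URLs without functional breakage; findings point at the spots that would have to be rewritten first.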
Received on Tuesday, 9 July 2024 10:14:21 UTC