Re: [EXTERNAL] Re: CSP instruction for disabling javascript URLs from Abdulrahman Alqabandi on 2024-07-09 (public-webappsec@w3.org from July 2024)

From: Abdulrahman Alqabandi <Abdulrahman.Alqabandi@microsoft.com>
Date: Tue, 9 Jul 2024 21:41:11 +0000
To: Jim Manico <jim.manico@owasp.org>, Norman Szigeti <nszigeti@cmtelematics.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <PH7PR00MB183793869F7F5B73B931FF1AF5DB2@PH7PR00MB1837.namprd00.prod.outlook.com>

Seems to have been brought up at Possibility to block all javascript: URLs · Issue #658 · w3c/webappsec-csp · GitHub<https://github.com/w3c/webappsec-csp/issues/658>

My understanding is that you'd like to be able to specifically block 'javascript:' JS executions but not other dangerous sinks for compatibility with legacy code. There was a suggestion in the github link of using static nonces and that seems like a viable solution for such a scenario.

Abdul
[cid:dd03050c-cc26-46fe-b29c-a7e9ff561d31]
________________________________
From: Jim Manico <jim.manico@owasp.org>
Sent: Tuesday, July 9, 2024 3:14 AM
To: Norman Szigeti <nszigeti@cmtelematics.com>
Cc: public-webappsec@w3.org <public-webappsec@w3.org>
Subject: [EXTERNAL] Re: CSP instruction for disabling javascript URLs

[You don't often get email from jim.manico@owasp.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

I endorse this because it’s extremely trivial for a developer to implement a dedicated response center to disable JavaScript URLs. And looking at Google’s research, 1/3 or more of successful attacks are from JavaScript URLs. I think a dedicated response header to disable JavaScript URL’s is a simple and fantastic idea that will be easy to implement and dramatically improve XSS defense.

CSP is great, but it’s extremely not trivial to implement strict CSP in legacy websites.

I also recommend not adding this specifically to CSP because it’s already overloaded.

Perhaps:

X-JavaScript-URI : deny

- Jim Manico

> On Jul 9, 2024, at 11:59 AM, Norman Szigeti <nszigeti@cmtelematics.com> wrote:
>
> 
> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the right way to do it. I wanted to recommend extending the Content-Security-Policy instruction set with the ability to disable the "javascript:" pseudo-protocol. A properly written modern website does not use this kind of URLs, and also it's pretty easy to check if it's required for a project or not, so it can be easy to implement this security measure in a lot of websites. And it can be a strong protection against a lot of XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti

Attachments

image/png attachment: Outlook-ojimrcli.png

Received on Tuesday, 9 July 2024 21:41:23 UTC