CSP instruction for disabling javascript URLs

Dear group,

I wanted to send an official submission to W3C, but I cannot find the right
way to do it. I wanted to recommend extending the Content-Security-Policy
instruction set with the ability to disable the "javascript:"
pseudo-protocol. A properly written modern website does not use this kind
of URLs, and also it's pretty easy to check if it's required for a project
or not, so it can be easy to implement this security measure in a lot of
websites. And it can be a strong protection against a lot of XSS attacks.

Thank you in advance for taking this into consideration.

Best Regards,
Norman Szigeti

Received on Thursday, 3 October 2024 15:38:22 UTC