- From: Pete Freitag <pete@foundeo.com>
- Date: Thu, 03 Oct 2024 15:48:38 +0000
- To: public-webappsec@w3.org
- Message-Id: <CAADZ8V5edY28aJx9t_oh_tPgFP=NRkJajoYAmJFUMPaonZpPhQ@mail.gmail.com>
Hi Norman,

Unless you have 'unsafe-inline' in your script-src <https://content-security-policy.com/script-src/> directive the javascript: url will be blocked, see this example:

<!DOCTYPE html>
<html>
<head>
<title>script-src example</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</head>
<body>
<a href="javascript:alert('This will not run when you click')">Click Me</a>
</body>
</html>

*Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'".*

Unless I am misunderstanding something, was there something else you are trying to do?

------------
Pete Freitag
Foundeo Inc.

On Thu, Oct 3, 2024 at 11:39 AM Norman Szigeti <northbrid@gmail.com> wrote:
> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the
> right way to do it. I wanted to recommend extending the
> Content-Security-Policy instruction set with the ability to disable the
> "javascript:" pseudo-protocol. A properly written modern website does not
> use this kind of URLs, and also it's pretty easy to check if it's required
> for a project or not, so it can be easy to implement this security measure
> in a lot of websites. And it can be a strong protection against a lot of
> XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti
>
Received on Thursday, 3 October 2024 15:48:42 UTC
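The point of the reply above is that a javascript: URL is treated as inline script, so it is governed by the same source list as inline script elements. The following checker is an added example, not code from the thread or from any W3C project: it parses one or more Content-Security-Policy header values and reports whether a javascript: URL would be allowed to run, following the CSP3 inline rule (the governing directive is script-src-elem, falling back to script-src, then default-src; 'unsafe-inline' is honoured only when no nonce-source, hash-source or 'strict-dynamic' is present; every delivered policy must allow it). Function names and the sample policies are my own.

```javascript
// Parse one CSP policy string into a Map of directive name -> source expressions.
// Directive names are ASCII case-insensitive; a repeated directive is ignored (CSP3 behaviour).
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// CSP3 "does a source list allow all inline behavior" for script:
// 'unsafe-inline' counts only if no nonce-source, hash-source or 'strict-dynamic' is present.
function sourceListAllowsInlineScript(list) {
  const lowered = list.map((s) => s.toLowerCase());
  if (!lowered.includes("'unsafe-inline'")) return false;
  const hasNonceOrHash = lowered.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash || lowered.includes("'strict-dynamic'")) return false;
  return true;
}

// Effective directive for javascript: navigation: script-src-elem -> script-src -> default-src.
// With none of them present the policy does not govern script at all, so the URL runs.
function policyAllowsJavascriptUrl(policy) {
  const d = parsePolicy(policy);
  const list = d.get("script-src-elem") ?? d.get("script-src") ?? d.get("default-src");
  if (list === undefined) return true;
  return sourceListAllowsInlineScript(list);
}

// A page may receive several policies (multiple headers, or header plus <meta>);
// the javascript: URL runs only if every one of them allows it.
function cspAllowsJavascriptUrl(policies) {
  return policies.every(policyAllowsJavascriptUrl);
}

// Constructed sample policies for a quick self-check of the logic above.
const samples = {
  "script-src 'self'": false,                        // the case from the reply
  "script-src 'self' 'unsafe-inline'": true,
  "script-src 'unsafe-inline' 'nonce-r4nd0m'": false, // nonce disables 'unsafe-inline'
  "default-src 'self'; script-src 'unsafe-inline'": true,
  "img-src 'self'": true,                             // nothing governs script
};
for (const [policy, expected] of Object.entries(samples)) {
  console.log(policy, "->", cspAllowsJavascriptUrl([policy]), expected ? "(expected allowed)" : "(expected blocked)");
}
```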