- From: Pete Freitag <pete@foundeo.com>
- Date: Thu, 03 Oct 2024 15:48:38 +0000
- To: public-webappsec@w3.org
- Message-Id: <CAADZ8V5edY28aJx9t_oh_tPgFP=NRkJajoYAmJFUMPaonZpPhQ@mail.gmail.com>
Hi Norman,
Unless you have 'unsafe-inline' in your script-src
<https://content-security-policy.com/script-src/> directive the javascript: URL
will be blocked, see this example:
    <!DOCTYPE html>
    <html>
      <head>
        <title>script-src example</title>
        <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
      </head>
      <body>
        <a href="javascript:alert('This will not run when you click')">Click Me</a>
      </body>
    </html>
*Refused to run the JavaScript URL because it violates the following
Content Security Policy directive: "script-src 'self'".*
Unless I am misunderstanding something, was there something else you are
trying to do?
------------
Pete Freitag
Foundeo Inc.
On Thu, Oct 3, 2024 at 11:39 AM Norman Szigeti <northbrid@gmail.com> wrote:
> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the
> right way to do it. I wanted to recommend extending the
> Content-Security-Policy instruction set with the ability to disable the
> "javascript:" pseudo-protocol. A properly written modern website does not
> use this kind of URL, and also it's pretty easy to check if it's required
> for a project or not, so it can be easy to implement this security measure
> in a lot of websites. And it can be a strong protection against a lot of
> XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti
>
Received on Thursday, 3 October 2024 15:48:42 UTC
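The point of the reply above is that a javascript: navigation is already an inline-script check under CSP, so no new directive is needed. The following checker, added here as an illustration and not code from either poster or from the CSP specification, takes a serialized Content-Security-Policy header value and answers whether a spec-conforming browser would block navigation to a javascript: URL. It models the CSP Level 3 rules that matter for that question: the governing directive is script-src-elem, falling back to script-src, then default-src; only 'unsafe-inline' permits such navigation; and 'unsafe-inline' is ignored when the same source list also carries a nonce-source, a hash-source or 'strict-dynamic'. Hash-matching of the URL's script body, which CSP3 also allows, is deliberately left out, and the sample policies in the block are constructed (the first is the one from the e-mail).

```python
"""
Simplified evaluator for one question about a Content-Security-Policy header:
would a spec-conforming browser block navigation to a "javascript:" URL
(for example <a href="javascript:...">)?

Rules modelled (a subset of CSP Level 3):
  * javascript: navigations are governed by script-src-elem, falling back to
    script-src, then default-src. With none of them present there is no
    restriction on scripts at all.
  * The governing source list permits the navigation only via 'unsafe-inline'.
  * 'unsafe-inline' is ignored when the same list also contains a nonce-source,
    a hash-source or 'strict-dynamic' (CSP3 backwards-compatibility behaviour).
Not modelled (a simplification of this example): CSP3's hash-matching of the
script text after the "javascript:" prefix.
"""
from __future__ import annotations

import re
from typing import Dict, List, Optional

# Directive fallback chain for inline checks of type "navigation" in CSP3.
FALLBACK_CHAIN = ("script-src-elem", "script-src", "default-src")

# nonce-source and hash-source expressions; the algorithm names are ASCII
# case-insensitive, hence IGNORECASE.
_NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[^']*'$", re.IGNORECASE)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP into {directive-name: [source-expressions]}.

    Directives are separated by ';' and tokens by ASCII whitespace. Directive
    names are ASCII case-insensitive, and when a directive appears twice the
    first occurrence wins (later duplicates are ignored), as CSP3 requires.
    """
    policy: Dict[str, List[str]] = {}
    for raw_directive in header.split(";"):
        tokens = raw_directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive: ignored
        policy[name] = tokens[1:]
    return policy


def governing_directive(policy: Dict[str, List[str]]) -> Optional[str]:
    """Return the directive that governs javascript: navigations, if any."""
    for name in FALLBACK_CHAIN:
        if name in policy:
            return name
    return None


def unsafe_inline_effective(sources: List[str]) -> bool:
    """'unsafe-inline' only counts if no nonce, hash or 'strict-dynamic' is present."""
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    if "'strict-dynamic'" in lowered:
        return False
    return not any(_NONCE_OR_HASH.match(s) for s in sources)


def blocks_javascript_urls(header: str) -> bool:
    """True if the given policy blocks navigation to javascript: URLs."""
    policy = parse_csp(header)
    directive = governing_directive(policy)
    if directive is None:
        return False  # nothing governs script execution, so it is allowed
    return not unsafe_inline_effective(policy[directive])


def explain(header: str) -> str:
    """Human-readable verdict naming the directive that decided it."""
    policy = parse_csp(header)
    directive = governing_directive(policy)
    if directive is None:
        return "allowed: no script-src-elem/script-src/default-src directive"
    verdict = "blocked" if blocks_javascript_urls(header) else "allowed"
    return f"{verdict}: governed by {directive} {' '.join(policy[directive])}"


if __name__ == "__main__":
    # Constructed sample policies; the first is the one from the e-mail.
    for h in (
        "script-src 'self'",
        "script-src 'self' 'unsafe-inline'",
        "script-src 'self' 'unsafe-inline' 'nonce-R4nd0m'",
        "default-src 'self'; img-src *",
        "script-src-elem 'self'; script-src 'unsafe-inline'",
        "img-src 'self'",
    ):
        print(f"{h!r:55} -> {explain(h)}")
```

Running the script prints one verdict per policy; the second and last are the only ones that leave javascript: URLs usable, the former because of 'unsafe-inline' and the latter because the policy says nothing about scripts at all. The nonce case is the one worth noticing when reviewing a deployed header: adding a nonce to a list that still carries 'unsafe-inline' switches javascript: URLs off in CSP3-conforming browsers, which is the usual migration path away from 'unsafe-inline'.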