Re: CSP instruction for disabling javascript URLs

Hi Norman,

Unless you have 'unsafe-inline' in your script-src directive
<https://content-security-policy.com/script-src/>, the javascript: URL
will be blocked; see this example:

<!DOCTYPE html>
<html>
    <head>
        <title>script-src example</title>
        <meta http-equiv="Content-Security-Policy" content="script-src 'self'">
    </head>
    <body>
        <a href="javascript:alert('This will not run when you click')">Click Me</a>
    </body>
</html>

*Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'".*

Unless I am misunderstanding something, was there something else you are
trying to do?

------------
Pete Freitag
Foundeo Inc.

On Thu, Oct 3, 2024 at 11:39 AM Norman Szigeti <northbrid@gmail.com> wrote:

> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the
> right way to do it. I wanted to recommend extending the
> Content-Security-Policy instruction set with the ability to disable the
> "javascript:" pseudo-protocol. A properly written modern website does not
> use this kind of URL, and it's also pretty easy to check whether it's required
> for a project or not, so this security measure can be easy to implement
> in a lot of websites. And it can be a strong protection against a lot of
> XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti
>

Received on Thursday, 3 October 2024 15:48:42 UTC