Re: CSP instruction for disabling javascript URLs

As Pete noted in his mail, CSP already blocks "javascript:" URLs by
default; sites must explicitly turn them back on by using 'unsafe-inline'.

If you are proposing a change to make distinctions between different kinds
of inline script—a way to disallow javascript: URLs but still allow
un-nonced <script> tags—I'm afraid I can't imagine the members of this
working group or any of the implementers supporting it. They both represent
the highest level of XSS risk on sites. The CSP standard uses the prefix
'unsafe-' to discourage their use, and they were only reluctantly included
in CSP as a transitional tool; it is difficult to rewrite legacy sites to
be CSP-compliant all at once. New sites should never use 'unsafe-inline',
and existing sites should aim to remove its use as soon as possible.

CSP provides zero XSS protection to any site that uses an 'unsafe-inline'
script policy.

-Dan Veditz

On Thu, Oct 3, 2024 at 8:41 AM Norman Szigeti <northbrid@gmail.com> wrote:

> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the
> right way to do it. I wanted to recommend extending the
> Content-Security-Policy instruction set with the ability to disable the
> "javascript:" pseudo-protocol. A properly written modern website does not
> use this kind of URL, and it's also pretty easy to check if it's required
> for a project or not, so it can be easy to implement this security measure
> in a lot of websites. And it can be a strong protection against a lot of
> XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti
>
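
As an added illustration (not part of either message above): a small audit helper that applies the rule both writers rely on, that javascript: URLs are inline script, blocked unless 'unsafe-inline' is present, and that a nonce, hash or 'strict-dynamic' in the same directive makes browsers ignore 'unsafe-inline'. The sample policies are constructed; the fallback order script-src-elem, script-src, default-src follows CSP Level 3 as I read it.

```python
"""Added example, not from the thread: does a serialized CSP let javascript:
URLs run?  CSP treats javascript: navigation as inline script, checked
against script-src-elem, then script-src, then default-src.  Inline script
is permitted only by 'unsafe-inline', and 'unsafe-inline' is ignored once a
nonce-/hash-source or 'strict-dynamic' appears in the same directive."""
from dataclasses import dataclass
from typing import Optional

SCRIPT_FALLBACK = ("script-src-elem", "script-src", "default-src")
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


@dataclass
class Verdict:
    governing: Optional[str]  # directive that decided; None if policy is silent
    blocked: bool             # True if javascript: URLs would be refused
    reason: str


def parse_csp(header: str) -> dict:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; a repeated name is ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def javascript_urls_blocked(header: str) -> Verdict:
    policy = parse_csp(header)
    for name in SCRIPT_FALLBACK:          # first present directive governs
        if name not in policy:
            continue
        sources = [s.lower() for s in policy[name]]   # keywords are ASCII case-insensitive
        unsafe_inline = "'unsafe-inline'" in sources
        neutralised = "'strict-dynamic'" in sources or any(
            s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in sources)
        if unsafe_inline and not neutralised:
            return Verdict(name, False, "'unsafe-inline' re-enables javascript: URLs")
        if unsafe_inline:
            return Verdict(name, True, "'unsafe-inline' ignored: nonce/hash/'strict-dynamic' present")
        return Verdict(name, True, "blocked by default: no 'unsafe-inline'")
    return Verdict(None, False, "policy has no script-governing directive")


if __name__ == "__main__":
    # Constructed sample policies: legacy, transitional, strict, and silent.
    for h in ("default-src 'self'; script-src 'self' 'unsafe-inline'",
              "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
              "default-src 'self'",
              "img-src 'self'"):
        v = javascript_urls_blocked(h)
        print(f"{h:55} -> blocked={v.blocked} via {v.governing} ({v.reason})")
```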

Received on Thursday, 3 October 2024 16:17:06 UTC