- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Thu, 3 Oct 2024 09:16:35 -0700
- To: Norman Szigeti <northbrid@gmail.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CADYDTCDhGZYpGXLGqsEZX32a-LF+EMAt78Kemjt0UrfTPzmMUg@mail.gmail.com>
As Pete noted in his mail, CSP already blocks "javascript:" URLs by default; sites must explicitly turn them back on by using 'unsafe-inline'. If you are proposing a change to make distinctions between different kinds of inline script—a way to disallow javascript: urls but still allow un-nonced <script> tags—I'm afraid I can't imagine the members of this working group or any of the implementers supporting it. They both represent the highest level of XSS risk on sites.

The CSP standard uses the prefix 'unsafe-' to discourage their use, and they were only reluctantly included in CSP as a transitional tool; it is difficult to rewrite legacy sites to be CSP-compliant all at once. New sites should never use 'unsafe-inline', and existing sites should aim to remove its use as soon as possible. CSP provides zero XSS protection to any site that uses an 'unsafe-inline' script policy.

-Dan Veditz

On Thu, Oct 3, 2024 at 8:41 AM Norman Szigeti <northbrid@gmail.com> wrote:
> Dear group,
>
> I wanted to send an official submission to W3C, but I cannot find the
> right way to do it. I wanted to recommend extending the
> Content-Security-Policy instruction set with the ability to disable the
> "javascript:" pseudo-protocol. A properly written modern website does not
> use this kind of URL, and also it's pretty easy to check if it's required
> for a project or not, so it can be easy to implement this security measure
> in a lot of websites. And it can be a strong protection against a lot of
> XSS attacks.
>
> Thank you in advance for taking this into consideration.
>
> Best Regards,
> Norman Szigeti
>
Received on Thursday, 3 October 2024 16:17:06 UTC
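The point of the reply above is that javascript: URLs and un-nonced inline scripts are governed by the same source expressions: a policy blocks both unless it carries 'unsafe-inline', and browsers ignore 'unsafe-inline' once a nonce, hash or 'strict-dynamic' appears in the same directive. The following checker, added here as an illustration and not part of the thread or of any browser's code, parses a Content-Security-Policy header and reports whether the effective script directive still lets inline script (and therefore javascript: URLs) run. It assumes the CSP3 fallback chain script-src-elem → script-src → default-src and the CSP3 rule that nonce/hash sources and 'strict-dynamic' override 'unsafe-inline'; the sample policies are constructed.

```python
import re

# A nonce-source or hash-source expression, e.g. 'nonce-R4nd0m' or 'sha256-...'.
# Base64 alphabet including URL-safe variants; case-insensitive per CSP3.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$",
    re.IGNORECASE,
)

# Fallback chain assumed from CSP3: the first directive present governs.
SCRIPT_DIRECTIVES = ("script-src-elem", "script-src", "default-src")


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and the first occurrence of a
    directive name wins (later duplicates are ignored, as the spec requires).
    """
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def governing_directive(policy):
    """Return (name, sources) of the directive that governs script, or (None, None)."""
    for name in SCRIPT_DIRECTIVES:
        if name in policy:
            return name, policy[name]
    return None, None


def inline_script_allowed(header):
    """Return (allowed, reason) for inline script / javascript: URLs under this header."""
    name, sources = governing_directive(parse_csp(header))
    if name is None:
        return True, "no script-src or default-src: the policy does not restrict script at all"

    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    has_strict_dynamic = "'strict-dynamic'" in lowered

    if has_unsafe_inline and not (has_nonce_or_hash or has_strict_dynamic):
        return True, (
            f"{name} contains 'unsafe-inline' with no nonce, hash or 'strict-dynamic': "
            "javascript: URLs and un-nonced inline scripts are permitted"
        )
    if has_unsafe_inline:
        return False, (
            f"{name} contains 'unsafe-inline' but a nonce/hash/'strict-dynamic' source "
            "makes browsers ignore it (transitional policy for older browsers)"
        )
    return False, f"{name} does not permit inline script; javascript: URLs are blocked"


# Constructed sample policies: the transitional one (first) is what the reply warns
# against; the nonce-based one (second) is the shape new sites should use.
SAMPLE_POLICIES = {
    "transitional": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "nonce_based": "script-src 'nonce-R4nd0mV4lu3' 'unsafe-inline' 'strict-dynamic'; object-src 'none'",
    "default_only": "default-src 'self'",
    "no_script_directive": "img-src 'self'",
}


def audit(policies=SAMPLE_POLICIES):
    """Evaluate each policy and return {label: allowed} for reporting or assertion."""
    results = {}
    for label, header in policies.items():
        allowed, reason = inline_script_allowed(header)
        results[label] = allowed
        print(f"{label:22s} inline/javascript: allowed={allowed}  ({reason})")
    return results


if __name__ == "__main__":
    audit()
```

Running it over the constructed policies shows the distinction the reply draws: a bare 'unsafe-inline' re-enables javascript: URLs together with every un-nonced inline script, while a nonce-based policy that keeps 'unsafe-inline' only for legacy browsers does not, and a policy with no script directive at all offers no protection either way.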