- From: Ángel <angel@16bits.net>
- Date: Fri, 04 Oct 2024 03:34:19 +0200
- To: public-webappsec@w3.org
On 2024-10-03 at 15:48 +0000, Pete Freitag wrote:
> Hi Norman,
> Unless you have 'unsafe-inline' in your script-src directive
> the javascript: url will be blocked (...)
> Unless I am misunderstanding something, was there something else you
> are trying to do?
I understand Norman wants to block
<a href="javascript:alert('This will not run when you click')">Click Me</a>
while still allowing
<a href="http://example.com" onclick="alert('This will still run')">Click Me</a>
This would have been possible with the navigate-to policy, but it was
removed from the spec a couple of years ago.[1]
Regards
1- https://github.com/w3c/webappsec-csp/pull/564
Received on Friday, 4 October 2024 01:34:25 UTC