- From: Ángel <angel@16bits.net>
- Date: Fri, 04 Oct 2024 03:34:19 +0200
- To: public-webappsec@w3.org
On 2024-10-03 at 15:48 +0000, Pete Freitag wrote:
Hi Norman,
> Unless you have 'unsafe-inline' in your script-src directive
> the javascript: url will be blocked
(...)
> Unless I am misunderstanding something, was there something else you
> are trying to do?

I understand Norman wants to block
<a href="javascript:alert('This will not run when you click')">Click Me</a>

while still allowing
<a href="http://example.com" onclick="alert('This will still run')">Click Me</a>

This would have been possible with the navigate-to policy, but it has
been removed from the spec a couple years ago.[1]

Regards

1- https://github.com/w3c/webappsec-csp/pull/564
Received on Friday, 4 October 2024 01:34:25 UTC
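
One application-level way to get the split described in this message (javascript: links neutralised, onclick handlers left alone), as an added example that is not from the thread or from the CSP specification. The function names, the `{ href, onclick }` link shape and the sample links are assumptions made for the illustration, and only anchor elements are covered.

```javascript
// Added example: an application-level guard, not code from the thread.
// Decide whether an href value would be parsed by a browser as a javascript: URL.
// The WHATWG URL parser strips leading/trailing C0 control characters and
// spaces, removes ASCII tab/newline anywhere, and compares schemes
// case-insensitively, so the check normalises the same way first.
function isJavascriptUrl(href) {
  if (typeof href !== 'string') return false;
  const normalised = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
  return normalised.startsWith('javascript:');
}

// links: array of { href, onclick } objects (hypothetical shape), e.g. built
// from document.querySelectorAll('a[href]') with getAttribute().
// Script URLs are replaced with '#'; onclick values are never modified.
function neutraliseLinks(links) {
  return links.map((link) =>
    isJavascriptUrl(link.href)
      ? { ...link, href: '#', blocked: true }
      : { ...link, blocked: false });
}

// Constructed sample input: the two links from the message plus two edge cases.
const SAMPLE_LINKS = [
  { href: "javascript:alert('This will not run when you click')", onclick: null },
  { href: 'http://example.com', onclick: "alert('This will still run')" },
  { href: ' \tJava\nScript:void(0)', onclick: null }, // whitespace and case variants
  { href: '/docs/javascript:intro', onclick: null },  // path, not a scheme
];

// In a browser, the same check can run at click time: preventDefault() cancels
// the navigation only, so any onclick handler on the element still fires.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (event) => {
    const anchor = event.target.closest && event.target.closest('a[href]');
    if (anchor && isJavascriptUrl(anchor.getAttribute('href'))) {
      event.preventDefault();
    }
  }, true);
}
```
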