Re: CSP instruction for disabling javascript URLs

On 2024-10-03 at 15:48 +0000, Pete Freitag wrote:
Hi Norman,

> Unless you have 'unsafe-inline' in your script-src directive
> the javascript: url will be blocked (...)

> Unless I am misunderstanding something, was there something else you
> are trying to do?

I understand Norman wants to block
        <a href="javascript:alert('This will not run when you click')">Click Me</a>

while still allowing
        <a href="http://example.com" onclick="alert('This will still run')">Click Me</a>


This would have been possible with the navigate-to policy, but it was
removed from the spec a couple of years ago.[1]


Regards


1- https://github.com/w3c/webappsec-csp/pull/564

Received on Friday, 4 October 2024 01:34:25 UTC
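As an added illustration of the point made in this thread (example code written for this archive page, not something posted by either participant), the small checker below parses a Content-Security-Policy header and reports whether `javascript:` URLs and inline event handlers would be permitted. It models only `script-src` with `default-src` as fallback, the `'unsafe-inline'` keyword, and the CSP2+ rule that a nonce or hash source makes `'unsafe-inline'` ignored; the CSP3 `script-src-elem` / `script-src-attr` split and `'unsafe-hashes'` are deliberately not modeled. Because a single keyword governs both behaviours in this model, the two answers are always the same, which is exactly why a plain `script-src` cannot block the first anchor while allowing the second.

```javascript
// Added example, not from the original thread: evaluate what a CSP header
// says about inline script execution. Simplified model: script-src, with
// default-src as fallback, and the 'unsafe-inline' keyword only.

// Parse "directive value value; directive value" into a Map.
// Per the CSP spec, if a directive name appears twice, the first wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return true if inline script (javascript: URLs, inline handlers) may run.
function inlineScriptAllowed(header) {
  const policy = parseCsp(header);
  const sources = policy.get("script-src") ?? policy.get("default-src");
  // No governing directive at all: CSP imposes no restriction.
  if (sources === undefined) return true;
  const hasUnsafeInline = sources.some(
    (s) => s.toLowerCase() === "'unsafe-inline'"
  );
  // CSP2+: once a nonce- or hash-source is present, 'unsafe-inline' is ignored.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha(256|384|512)-)/i.test(s)
  );
  return hasUnsafeInline && !hasNonceOrHash;
}

// Both questions from the thread, answered from the same keyword.
function classifyInlineScript(header) {
  const allowed = inlineScriptAllowed(header);
  return { javascriptUrl: allowed, inlineEventHandler: allowed };
}

// Constructed sample policies for a quick demonstration.
const samplePolicies = [
  "script-src 'self'",
  "default-src 'self' 'unsafe-inline'",
  "script-src 'self' 'unsafe-inline' 'nonce-abc123'",
  "img-src 'self'",
];

for (const p of samplePolicies) {
  console.log(JSON.stringify(p), "->", classifyInlineScript(p));
}
```

Running the block prints one line per sample policy; in every case the `javascriptUrl` and `inlineEventHandler` answers match, so the only lever this model offers is dropping `'unsafe-inline'` (or adding a nonce/hash), which blocks both anchors at once.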