Re: CSP instruction for disabling javascript URLs

On Thu, Oct 3, 2024 at 6:36 PM Ángel <angel@16bits.net> wrote:

> I understand Norman wants to block
>         <a href="javascript:alert('This will not run when you click')">Click Me</a>
>
> while still allowing
>         <a href="http://example.com" onclick="alert('This will still run')">Click Me</a>
>

This is easily accomplished using the script-src-attr directive:
      script-src 'strict-dynamic' 'nonce-randomcode'; script-src-attr 'unsafe-inline';

Received on Friday, 4 October 2024 08:04:40 UTC
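
Added example, not part of the original message: a simplified model of the CSP Level 3 inline check, showing why the policy quoted above lets inline event handlers run while javascript: navigations stay blocked. It follows the spec's directive fallback order and 'unsafe-inline' handling only; hash and nonce matching are not modelled, and the function names are this example's own.

```javascript
// Simplified model of the CSP3 inline check (keyword handling only).
// Fallback order of the directive that governs each inline type.
const FALLBACK = {
  'script attribute': ['script-src-attr', 'script-src', 'default-src'],
  'navigation': ['script-src-elem', 'script-src', 'default-src'],
};

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// 'unsafe-inline' is ignored as soon as the same list carries a nonce,
// a hash, or 'strict-dynamic'.
function allowsAllInline(sources) {
  let allowed = false;
  for (const raw of sources) {
    const s = raw.toLowerCase();
    if (/^'(nonce-|sha(256|384|512)-)/.test(s)) return false;
    if (s === "'strict-dynamic'") return false;
    if (s === "'unsafe-inline'") allowed = true;
  }
  return allowed;
}

// type is 'script attribute' (onclick=...) or 'navigation' (javascript: URL).
function inlineAllowed(policy, type) {
  const directives = parsePolicy(policy);
  for (const name of FALLBACK[type]) {
    if (directives.has(name)) return allowsAllInline(directives.get(name));
  }
  return true; // no governing directive: this policy does not restrict it
}

// The policy from the message above.
const EMAIL_POLICY =
  "script-src 'strict-dynamic' 'nonce-randomcode'; script-src-attr 'unsafe-inline';";
console.log('onclick handler allowed:', inlineAllowed(EMAIL_POLICY, 'script attribute'));
console.log('javascript: URL allowed:', inlineAllowed(EMAIL_POLICY, 'navigation'));
```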