- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 4 Oct 2024 01:04:09 -0700
- To: Ángel <angel@16bits.net>
- Cc: public-webappsec@w3.org
Received on Friday, 4 October 2024 08:04:40 UTC
On Thu, Oct 3, 2024 at 6:36 PM Ángel <angel@16bits.net> wrote:

> I understand Norman wants to block
> <a href="javascript:alert('This will not run when you
> click')">Click Me</a>
>
> while still allowing
> <a href="http://example.com" onclick="alert('This will still
> run')">Click Me</a>
>

This is easily accomplished using the script-src-attr directive

script-src 'strict-dynamic' 'nonce-randomcode'; script-src-attr 'unsafe-inline';
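
A simplified model of the CSP Level 3 inline checks shows why the policy in the message above blocks the javascript: link while still permitting the onclick handler. This is an added example, not part of the original message; the function names and the three `kind` labels are assumptions made for illustration, and hash matching via 'unsafe-hashes' is not modelled.

```javascript
// Simplified model of CSP Level 3 inline checks (added example, single policy only).
// Not modelled: hash matching via 'unsafe-hashes'.

// Parse a serialized policy into Map<directive-name, source-expression[]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // As in the spec, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Which directive governs each kind of inline script, in fallback order.
// The kind labels are hypothetical names for this example.
const FALLBACK = {
  'event-handler':  ['script-src-attr', 'script-src', 'default-src'],
  'javascript-url': ['script-src-elem', 'script-src', 'default-src'],
  'inline-script':  ['script-src-elem', 'script-src', 'default-src'],
};

// 'unsafe-inline' only counts when the same list carries no nonce,
// no hash and no 'strict-dynamic'.
function allowsAllInline(sources) {
  let unsafeInline = false;
  for (const s of sources) {
    if (/^'(nonce-|sha(256|384|512)-)/i.test(s) || /^'strict-dynamic'$/i.test(s)) return false;
    if (/^'unsafe-inline'$/i.test(s)) unsafeInline = true;
  }
  return unsafeInline;
}

// nonce: value of the nonce attribute on a <script> element, if any.
function inlineAllowed(policy, kind, nonce) {
  const directives = parsePolicy(policy);
  const name = FALLBACK[kind].find(n => directives.has(n));
  if (!name) return true; // no governing directive: not restricted
  const sources = directives.get(name);
  if (allowsAllInline(sources)) return true;
  // A nonce can authorise a <script> element, never an attribute or a URL.
  return kind === 'inline-script' && !!nonce && sources.includes(`'nonce-${nonce}'`);
}

// The policy quoted in the message above.
const POLICY = "script-src 'strict-dynamic' 'nonce-randomcode'; script-src-attr 'unsafe-inline';";
```

Without the script-src-attr directive, event handlers fall back to script-src, where the nonce and 'strict-dynamic' leave nothing that permits them.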