- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 4 Oct 2024 01:04:09 -0700
- To: Ángel <angel@16bits.net>
- Cc: public-webappsec@w3.org
Received on Friday, 4 October 2024 08:04:40 UTC
On Thu, Oct 3, 2024 at 6:36 PM Ángel <angel@16bits.net> wrote:
> I understand Norman wants to block
> <a href="javascript:alert('This will not run when you
> click')">Click Me</a>
>
> while still allowing
> <a href="http://example.com" onclick="alert('This will still
> run')">Click Me</a>
>
This is easily accomplished using the script-src-attr directive:

    script-src 'strict-dynamic' 'nonce-randomcode'; script-src-attr 'unsafe-inline';
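Added example, not part of the original message: a simplified JavaScript model of the CSP Level 3 inline check, showing why the policy above blocks javascript: URLs while still allowing inline event handlers. The function names are hypothetical, and nonce matching and hash matching ('unsafe-hashes') are not modelled.

```javascript
// Simplified model of the CSP Level 3 inline check (added example, names are hypothetical).
// Nonce matching and hash matching ('unsafe-hashes') are not modelled.

// Parse a serialized policy into Map<directive name, source expression list>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Directive consulted for each kind of inline script, followed by its fallbacks.
const FALLBACK = {
  'navigation': ['script-src-elem', 'script-src', 'default-src'],       // javascript: URLs
  'script attribute': ['script-src-attr', 'script-src', 'default-src'], // onclick= etc.
};

// True when the source list allows all inline behaviour for script types.
function allowsAllInline(sources) {
  let unsafeInline = false;
  for (const s of sources.map((x) => x.toLowerCase())) {
    // A nonce, a hash or 'strict-dynamic' makes the browser ignore 'unsafe-inline'.
    if (/^'(nonce|sha256|sha384|sha512)-/.test(s) || s === "'strict-dynamic'") return false;
    if (s === "'unsafe-inline'") unsafeInline = true;
  }
  return unsafeInline;
}

function inlineAllowed(policy, type) {
  const directives = parsePolicy(policy);
  const governing = FALLBACK[type].find((name) => directives.has(name));
  if (governing === undefined) return true; // no applicable directive, nothing to enforce
  return allowsAllInline(directives.get(governing));
}

// The policy from the message above.
const POLICY = "script-src 'strict-dynamic' 'nonce-randomcode'; script-src-attr 'unsafe-inline';";
console.log('javascript: URL allowed:', inlineAllowed(POLICY, 'navigation'));
console.log('onclick handler allowed:', inlineAllowed(POLICY, 'script attribute'));
```

Dropping the script-src-attr directive from the policy makes the event handler fall back to script-src, where the nonce and 'strict-dynamic' block it as well.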