- From: Krzysztof Kotowicz <koto@google.com>
- Date: Fri, 4 Oct 2024 10:05:21 +0200
- To: Ángel <angel@16bits.net>
- Cc: public-webappsec@w3.org
- Message-ID: <CAJCw+vtN=a8QDHD9qHsJysjk0+CGQ79h5MEsOEPY6DsoOqRo8w@mail.gmail.com>
require-trusted-types-for 'script' blocks the navigation to javascript: <https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-pre-navigation-check>, while the inline event handler would work (if it was just included in the server's HTML response). This setting controls much more however (i.e. many other things might be blocked, depending on what your page JS is doing), so YMMV.

On Fri, Oct 4, 2024 at 3:36 AM Ángel <angel@16bits.net> wrote:
> On 2024-10-03 at 15:48 +0000, Pete Freitag wrote:
> > Hi Norman,
> >
> > Unless you have 'unsafe-inline' in your script-src directive
> > the javascript: url will be blocked (...)
> >
> > Unless I am misunderstanding something, was there something else you
> > are trying to do?
>
> I understand Norman wants to block
> <a href="javascript:alert('This will not run when you
> click')">Click Me</a>
>
> while still allowing
> <a href="http://example.com" onclick="alert('This will still
> run')">Click Me</a>
>
> This would have been possible with the navigate-to policy, but it has
> been removed from the spec a couple years ago.[1]
>
> Regards
>
> 1- https://github.com/w3c/webappsec-csp/pull/564
>

--
koto@ / Krzysztof Kotowicz
Received on Friday, 4 October 2024 08:05:41 UTC