Re: CSP instruction for disabling javascript URLs

require-trusted-types-for 'script' blocks the navigation to javascript:
<https://w3c.github.io/trusted-types/dist/spec/#require-trusted-types-for-pre-navigation-check>,
while the inline event handler would work (if it was just included in the
server's HTML response). This setting controls much more however (i.e. many
other things might be blocked, depending on what your page JS is doing), so
YMMV.
On Fri, Oct 4, 2024 at 3:36 AM Ángel <angel@16bits.net> wrote:

> On 2024-10-03 at 15:48 +0000, Pete Freitag wrote:
> Hi Norman,
>
> > Unless you have 'unsafe-inline' in your script-src directive
> > the javascript: url will be blocked (...)
>
> > Unless I am misunderstanding something, was there something else you
> > are trying to do?
>
>
> I understand Norman wants to block
>         <a href="javascript:alert('This will not run when you
> click')">Click Me</a>
>
>
> while still allowing
>         <a href="http://example.com" onclick="alert('This will still
> run')">Click Me</a>
>
>
> This would have been possible with the navigate-to policy, but it was
> removed from the spec a couple of years ago.[1]
>
>
> Regards
>
>
> 1- https://github.com/w3c/webappsec-csp/pull/564

-- 
koto@ / Krzysztof Kotowicz
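As an added illustration, not code from the thread or from any browser: a small Node.js model of how script-src and require-trusted-types-for decide the two anchors Ángel contrasts (javascript: href versus an onclick handler shipped in the server's HTML). It assumes no Trusted Types default policy is registered and ignores hash-based allowances such as 'unsafe-hashes'.

```javascript
// Parse a CSP header value into a Map: directive name -> source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// script-src falls back to default-src when it is absent (null = no policy).
function scriptSources(directives) {
  return directives.get("script-src") ?? directives.get("default-src") ?? null;
}

// An inline event handler shipped in the server's HTML is plain inline script:
// allowed when no script-src/default-src applies, or when 'unsafe-inline' is
// present and not neutralised by a nonce-/hash-source or 'strict-dynamic'.
// Trusted Types does not restrict it, since no DOM sink is involved.
function inlineHandlerAllowed(directives) {
  const srcs = scriptSources(directives);
  if (srcs === null) return true;
  const hasNonceOrHash = srcs.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = srcs.includes("'strict-dynamic'");
  return srcs.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
}

// A javascript: navigation is inline script for script-src purposes and, under
// require-trusted-types-for 'script', must also carry a TrustedScript; a plain
// href string never does (assumption: no Trusted Types default policy).
function javascriptUrlAllowed(directives) {
  const tt = directives.get("require-trusted-types-for") ?? [];
  if (tt.includes("'script'")) return false;
  return inlineHandlerAllowed(directives);
}

// Evaluate one policy for the two anchors contrasted in the thread.
function evaluate(header) {
  const d = parseCsp(header);
  return {
    javascriptUrl: javascriptUrlAllowed(d), // <a href="javascript:alert(...)">
    inlineHandler: inlineHandlerAllowed(d), // <a href="http://example.com" onclick="...">
  };
}

console.log(evaluate("require-trusted-types-for 'script'"));
// { javascriptUrl: false, inlineHandler: true }
```

The last case is the one koto describes: javascript: navigation blocked, the server-delivered onclick untouched, at the cost of Trusted Types enforcement on every DOM sink the page's own scripts use.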

Received on Friday, 4 October 2024 08:05:41 UTC