Possibility to block all javascript: URLs

[Sjord]

I would like to request a new feature for the CSP: the possibility to block or restrict javascript: URLs, without blocking other scripts.

• Legitimate use of javascript: URLs is relatively rare. Some applications don't use it at all, and it's possible to get similar behavior with event handlers.

• In applications that automatically output encode all variables, this is one of the few paths to XSS.

  In applications that don't use javascript: URLs, it would be easy to disable it altogether without compatibility issues. Injection of URLs is often the only path to XSS in applications that perform proper output encoding, and this would disable that attack vector.

[dveditz]

That's a hard "no" from me personally.

If the application can 100% correctly "encode all variables" and prevent XSS, why can't it correctly filter out links that don't match /^http(s)?:/.test(url) ? Either you're strictly limiting the ability of injections to run script or you're not.

One work-around—if you're really really confident in your ability to sanitize inline script and prevent any injections—is to hardcode a nonce in your policy and then just always stick that in every Githubissues.

Githubissues is a development platform for aggregating issues.