Open Sjord opened 6 months ago
That's a hard "no" from me personally.
If the application can 100% correctly "encode all variables" and prevent XSS, why can't it correctly filter out links that don't match `/^http(s)?:/.test(url)`? Either you're strictly limiting the ability of injections to run script or you're not.

One work-around—if you're really really confident in your ability to sanitize inline script and prevent any injections—is to hardcode a nonce in your policy and then just always stick that in every
I would like to request a new feature for the CSP: the possibility to block or restrict `javascript:` URLs, without blocking other scripts.

`javascript:` URLs are relatively rare. Some applications don't use them at all, and it's possible to get similar behavior with event handlers. In applications that automatically output encode all variables, this is one of the few paths to XSS.

In applications that don't use `javascript:` URLs, it would be easy to disable it altogether without compatibility issues. Injection of URLs is often the only path to XSS in applications that perform proper output encoding, and this would disable that attack vector.
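As an added illustration of both messages above (this is not code from the issue or from any CSP implementation), here is the application-side check the comment alludes to with `/^http(s)?:/.test(url)`, written as a scheme allow-list that also normalises the whitespace and case variations a raw-string regex would miss. `ALLOWED_SCHEMES` and `isSafeHref` are names chosen for this example.

```javascript
// Added example, not from the issue: validate a user-supplied href before it
// is placed into an <a href> attribute. Run it on the decoded attribute value
// (what the browser will see), never on raw HTML source, and still output
// encode the result when writing it into the attribute.

// Allow-list of URL schemes that may appear in an href. Everything else,
// including javascript:, data: and vbscript:, is rejected by default.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function isSafeHref(raw) {
  if (typeof raw !== "string") return false;
  // Browsers remove ASCII tab, LF and CR anywhere in a URL and strip leading
  // and trailing C0 controls and spaces before parsing, so "java\tscript:x"
  // or " javascript:x" still execute. Apply the same normalisation first.
  const cleaned = raw
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  if (cleaned === "") return false;
  // A URL with no scheme (path, query, fragment, or protocol-relative //host)
  // resolves against the page's own origin, so it is allowed.
  // A scheme is an ASCII letter followed by letters, digits, '+', '-' or '.'
  // and then ':'. If that prefix is absent there is nothing to check.
  if (!/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(cleaned)) return true;
  // Absolute URL: let the WHATWG URL parser canonicalise it (scheme is
  // lower-cased) and compare the resulting scheme against the allow-list.
  let url;
  try {
    url = new URL(cleaned);
  } catch (e) {
    return false; // unparsable absolute URL: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}
```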