w3c / webappsec-csp

WebAppSec Content Security Policy
https://w3c.github.io/webappsec-csp/

Possibility to block all javascript: URLs #658

Open Sjord opened 6 months ago

Sjord commented 6 months ago

I would like to request a new feature for the CSP: the possibility to block or restrict javascript: URLs, without blocking other scripts.

dveditz commented 6 months ago

That's a hard "no" from me personally.

If the application can 100% correctly "encode all variables" and prevent XSS, why can't it correctly filter out links that don't match /^http(s)?:/.test(url) ? Either you're strictly limiting the ability of injections to run script or you're not.

One work-around—if you're really really confident in your ability to sanitize inline script and prevent any injections—is to hardcode a nonce in your policy and then just always stick that in every script tag.

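The scheme check in the comment above, worked through as an added example (this is not code from the webappsec-csp project or from either participant). It places the bare prefix regex from the comment next to a check that runs the candidate through the WHATWG URL parser first, so the same normalisation the browser applies (scheme case folding, stripping of leading whitespace and of embedded tabs and newlines, resolution of relative links) happens before the scheme is compared. `BASE`, `ALLOWED_SCHEMES` and the `SAMPLES` list are constructed for the example.

```javascript
// Added example, not part of the issue thread or the CSP spec repository.
// BASE stands in for the page's own origin; a relative link resolves against it.
const BASE = "https://app.example/";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// The bare regex from the comment, kept for comparison. It only looks at the
// raw string prefix, so it rejects harmless relative links and never sees the
// normalisation the browser will apply to the value.
function regexAllows(href) {
  return /^http(s)?:/.test(href);
}

// Parser-based check: resolve the candidate the way the browser will, then
// compare the resulting scheme against the allow-list. Returns the normalised
// absolute URL to emit, or null when the link must be dropped.
function safeHref(candidate, base = BASE) {
  if (typeof candidate !== "string") return null;
  let parsed;
  try {
    parsed = new URL(candidate, base); // throws on input the browser also rejects
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed samples of what an injected or user-supplied link might look like.
const SAMPLES = [
  "https://example.org/page",
  "/relative/path",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

// Runs both checks over the samples so the differences are visible side by side.
function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    regex: regexAllows(s),
    parser: safeHref(s) !== null,
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Both checks refuse every `javascript:` and `data:` variant in the sample list; the difference shows on `/relative/path`, which the regex throws away although it resolves to the page's own origin, and on the normalised output, which is what you actually want to write into the `href` so the browser and the filter are looking at the same string.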