
We want to prevent attacks coming in from src attribute "javascript:" but still allow inline script tags.

Currently the only option is to add SHA hashes, but there are too many inline scripts to do this.

Unfortunately we can't modify the external software to fix the input validation, but we can add headers to it since it's self-hosted via IIS.

We tried the header Content-Security-Policy: "script-src-attr 'none'; script-src-elem 'unsafe-inline'" without much luck.

Is there a way to differentiate between inline script tags vs. src URL javascripts in iframe and img tags via CSP or any other way?

  <html>
  <body>

  <!-- should run -->
  <script>console.log('RUN: script tag body');</script>

  <!-- should NOT run -->
  <iframe src="javascript:console.log('XXXX DONT RUN iframe javascript:')"></iframe>
  <img src="javascript:console.log('XXXX DONT RUN img javascript:')" />

  </body>
  </html>


  • Welcome to the community. I would suggest not using outdated and EoL software like IIS if that's possible. Commented Dec 18, 2023 at 21:07
  • @SirMuffington Nothing in the question suggests OP is using an EoL version of IIS. Per se IIS is still supported. Commented Dec 25, 2023 at 12:45

1 Answer


This is not currently possible.

I created an issue to request it: Possibility to block all javascript: URLs · Issue #658 · w3c/webappsec-csp
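Since CSP cannot distinguish the two cases, a practical fallback is to check the served markup itself for `javascript:` URLs in `src`/`href`-style attributes. The Python checker below is added here as an illustration and is not part of the question, the answer or the linked issue; the attribute list and the sample markup are my own constructed assumptions. It matches the scheme the way a browser's URL parser does (case-insensitive, after stripping leading/trailing controls and spaces and removing embedded tab/newline), so obfuscated variants such as `JaVa&#9;Script:` are still caught.

```python
from html.parser import HTMLParser

# Attributes that browsers treat as URLs (assumption: illustrative, not exhaustive).
URL_ATTRS = {"src", "href", "action", "formaction", "data"}

# Per the WHATWG URL parser: leading/trailing C0 controls and spaces (0x00-0x20)
# are stripped, ASCII tab/LF/CR are removed anywhere, and the scheme is compared
# case-insensitively. Mirror that before matching so "  JaVa\tscript:x" is caught.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def is_javascript_url(value: str) -> bool:
    """Return True if a (already entity-decoded) attribute value is a javascript: URL."""
    v = (value or "").strip(_C0_AND_SPACE)
    v = v.replace("\t", "").replace("\n", "").replace("\r", "")
    return v[:11].lower() == "javascript:"


class JavascriptUrlFinder(HTMLParser):
    """Collect (tag, attribute, raw value) for every URL attribute holding a javascript: URL."""

    def __init__(self):
        # convert_charrefs=True (the default) decodes &#9; etc. in attribute values for us.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags like <img ... /> via handle_startendtag.
        for name, value in attrs:
            if name in URL_ATTRS and is_javascript_url(value):
                self.findings.append((tag, name, value))


def find_javascript_urls(markup: str):
    parser = JavascriptUrlFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed sample: the question's markup plus one obfuscated link.
SAMPLE_HTML = """<html><body>
<script>console.log('RUN: script tag body');</script>
<iframe src="javascript:console.log('XXXX DONT RUN iframe javascript:')"></iframe>
<img src="javascript:console.log('XXXX DONT RUN img javascript:')" />
<a href="  JaVa&#9;Script:console.log('obfuscated')">link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, value in find_javascript_urls(SAMPLE_HTML):
        print(f"javascript: URL in <{tag} {attr}>: {value!r}")
```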
