
Commit

Add javascript: URLs
wbamberg committed Oct 22, 2024
1 parent ae79382 commit 6f3cd1b
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions files/en-us/web/http/csp/index.md
@@ -83,6 +83,12 @@ If sanitization does fail, there are various forms the injected malicious code c
<img onmouseover="console.log(`You've been hacked!`)" />
```

- A `javascript:` URL:

```html
<iframe src="javascript:console.log(`You've been hacked!`)"></iframe>
```

- A string argument to an unsafe API like [`eval()`](/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval):

```js
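Review bot: the new `javascript:` URL bullet would benefit from one short clause saying what the example does, i.e. that when the browser loads the `src` URL it runs the URL body as script, so the reader sees why it belongs in this list of injection forms alongside the `onmouseover` handler above and the `eval()` item below; the two neighbouring bullets each name the mechanism ("inline event handler", "string argument to an unsafe API") while this one only names the syntax. A one-line addition after "- A `javascript:` URL:" would do, for example: "- A `javascript:` URL, whose body is executed as script when the URL is loaded:".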
@@ -95,6 +101,7 @@ A CSP can provide protection against all of these. With a CSP, you can:
- disable inline script tags
- allow only script tags which have the correct nonce or hash set
- disable inline event handlers
- disable `javascript:` URLs
- disable dangerous APIs like `eval()`

In the next section we'll go over the tools CSP provides to do these things.
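Review bot: the new bullet "disable `javascript:` URLs" creates a promise that the unchanged closing line ("In the next section we'll go over the tools CSP provides to do these things") must keep, but this commit touches only the two hunks shown (7 additions, 0 deletions, one file), so the following section has not been updated to say which CSP directive handles `javascript:` URLs. Please either extend the next section in this commit or confirm it already covers them, so the list and the explanation that follows stay in sync.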

0 comments on commit 6f3cd1b
