
CSP: Allow inline scripts while blocking javascript: in iframe src

Çağlar Arlı


We want to prevent attacks coming in from the src attribute "javascript:" but still allow inline script tags.

Currently the only option is to add SHA hashes, but there are too many inline scripts to do this.

Unfortunately we can't modify the external software to fix the input validation, but we can add headers to it since it's self-hosted via IIS.

We tried the header Content-Security-Policy: "script-src-attr 'none'; script-src-elem 'unsafe-inline'" without much luck.

Is there a way to differentiate between inline script tags vs. javascript: src URLs in iframes and img tags via CSP, or any other way?

  <html>
  <body>

  <!-- should run -->
  <script>console.log('RUN: script tag body');</script>

  <!-- should NOT run -->
  <iframe src="javascript:console.log('XXXX DONT RUN iframe javascript:')"></iframe>
  <img src="javascript:console.log('XXXX DONT RUN img javascript:')" />

  </body>
  </html>
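The post rules out CSP hash sources because there are too many inline scripts to hash by hand; the script below, an added example that is not part of the original post, automates that step by extracting every inline <script> body from an HTML document and emitting the matching 'sha256-...' sources for a script-src-elem directive (which then needs no 'unsafe-inline'). It assumes Python's standard-library html.parser and that the served markup is the exact bytes the browser receives, since a CSP hash must match the script body byte for byte.

```python
import base64
import hashlib
from html.parser import HTMLParser


class InlineScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements that carry no src attribute."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self.bodies = []

    def handle_starttag(self, tag, attrs):
        # External scripts (src=...) are matched by URL, not by hash, so skip them.
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._in_inline_script = True
            self.bodies.append("")

    def handle_data(self, data):
        # html.parser delivers <script> content verbatim (CDATA mode); keep it exact.
        if self._in_inline_script:
            self.bodies[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def csp_hash_source(script_body: str) -> str:
    """CSP hash source: base64 of SHA-256 over the exact UTF-8 bytes of the body."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_hashes(html: str) -> list:
    """Return the de-duplicated hash sources for all inline scripts, in document order."""
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    seen, hashes = set(), []
    for body in parser.bodies:
        source = csp_hash_source(body)
        if source not in seen:
            seen.add(source)
            hashes.append(source)
    return hashes


def script_src_elem_directive(html: str) -> str:
    """Build the script-src-elem directive value for the page's inline scripts."""
    return "script-src-elem " + " ".join(inline_script_hashes(html))


# Constructed sample: the post's own inline script plus one external script to be skipped.
SAMPLE_HTML = """<html><body>
<script>console.log('RUN: script tag body');</script>
<script src="/static/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(script_src_elem_directive(SAMPLE_HTML))
```

The printed value is what goes into the Content-Security-Policy response header; re-run the script whenever an inline script body changes, because any edit (including whitespace) invalidates its hash.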