@we1x : I wish we could deprecate javascript: URIs which are one of the few remaining XSS vectors for modern SPAs. Until then we can use CSP to disable javascript: URIs. Here's a prototype for a refactoring free strict & hash-based CSP that does that: github.com/google/strict-… • TwiCopy

Lukas Weichselbaum

@we1x

+ Follow

Leading @Google's web security team. Opinions are my own.
Bluesky: @webappsec.dev

ID: 239904210

linkhttp://webappsec.dev calendar_today18-01-2011 18:10:04

1,1K Tweet

2,2K Takipçi

504 Takip Edilen

Lukas Weichselbaum

@we1x

9 months ago

I wish we could deprecate javascript: URIs which are one of the few remaining XSS vectors for modern SPAs. Until then we can use CSP to disable javascript: URIs. Here's a prototype for a refactoring free strict & hash-based CSP that does that: github.com/google/strict-…

thumb_up_off_alt16

chat_bubble_outline2

repeat4

shareShare