Is it possible to tell browsers to not run JavaScript from specific parts of an HTML document?
Like:
<div script="false"> ...
It could be useful as an additional security feature. All the scripts I want are loaded in a specific part of the document. There should be no scripts in other parts of the document and if there are they should not be run.
Open the Sources panel in Developer Tools (Ctrl + Shift + I). Click the Pause button to pause script execution.
YES, you can :-) The answer is: Content Security Policy (CSP).
Most modern browsers support this flag, which tells the browser only to load JavaScript code from a trusted external file and disallow all internal JavaScript code! The only downside is, you can not use any inline JavaScript in your whole page (not only for a single <div>). There could be a workaround by dynamically including the div from an external file with a different security policy, but I'm not sure about that.
But if you can change your site to load all JavaScript from external JavaScript files then you can disable inline JavaScript altogether with this header!
Here is a nice tutorial with example: HTML5Rocks Tutorial
If you can configure the server to send this HTTP-Header flag the world will be a better place!
You can block JavaScript loaded by <script>, using the beforescriptexecute event:
```html
<script>
// Run this as early as possible, it isn't retroactive
window.addEventListener('beforescriptexecute', function(e) {
    var el = e.target;
    while (el = el.parentElement)
        if (el.hasAttribute('data-no-js'))
            return e.preventDefault(); // Block script
}, true);
</script>
<script>console.log('Allowed. Console is expected to show this');</script>
<div data-no-js>
    <script>console.log('Blocked. Console is expected to NOT show this');</script>
</div>
```
Note that beforescriptexecute was defined in HTML 5.0 but has been removed in HTML 5.1. Firefox is the only major browser that implemented it.
In case you are inserting an untrusted bunch of HTML in your page, be aware blocking scripts inside that element won't provide more security, because the untrusted HTML can close the sandboxed element, and thus the script will be placed outside and run.
And this won't block things like <img onerror="javascript:alert('foo')" src="//" />.
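As an added example (not code from either answer above), here is a small Python audit that lists the inline JavaScript a script-src 'self' Content-Security-Policy would block, which is also what the beforescriptexecute approach does not cover (inline event handlers and javascript: URLs), so a page can be checked before the header is turned on. The script-src 'self' directive, the class and function names and the sample HTML are my own assumptions and constructions, not something either answer specifies.

```python
from html.parser import HTMLParser

# Assumed concrete policy: scripts may only come from the page's own origin,
# which is what the CSP answer above relies on (no inline JavaScript at all).
CSP_HEADER = "Content-Security-Policy: script-src 'self'"


class InlineJsAuditor(HTMLParser):
    """Records every place where script could run without an external file."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, where, line) tuples

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]   # 1-based line of the opening tag
        attrs = dict(attrs)       # boolean attributes map to None
        if tag == "script" and "src" not in attrs:
            self.findings.append(("inline-script", "<script> without src", line))
        for name, value in attrs.items():
            if name.startswith("on") and len(name) > 2:
                # onerror=, onload=, onclick= ... all execute inline script
                self.findings.append(("event-handler", f"<{tag} {name}=...>", line))
            elif name in ("href", "src", "action") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"<{tag} {name}=javascript:...>", line))


def audit_inline_js(html):
    """Return the inline-script findings for an HTML document (empty list = none)."""
    parser = InlineJsAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_csp_ready(html):
    """True when nothing inline would be blocked, i.e. CSP_HEADER breaks nothing."""
    return not audit_inline_js(html)


# Constructed sample: one external script (fine) plus the three inline forms.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>console.log('inline');</script>
</head><body>
<div data-no-js>
<img onerror="alert('foo')" src="//">
<a href="javascript:alert(1)">link</a>
</div></body></html>"""

if __name__ == "__main__":
    for kind, where, line in audit_inline_js(SAMPLE_HTML):
        print(f"line {line}: {kind} {where}")
    print("safe to send", CSP_HEADER, "?", is_csp_ready(SAMPLE_HTML))
```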