Almost all browsers prevent XSS that uses the javascript: protocol.

```html
<a href=javascript:alert(location.origin) target=_blank>XSS</a>
```

Demo: https://nuvjcp.csb.app/

| Browser | Works? | Detail |
|---|---|---|
| Chrome | No | about:blank#blocked |
| Microsoft Edge (Chromium) | No | about:blank#blocked |
| Firefox | Yes | location.origin is null. It is safe. |
| Safari | No | |
| Mobile Safari | No | Shows a warning dialog |

This attack scenario doesn't seem to work in any modern browser. It doesn't work on Firefox anymore (still works in version 141 via CTRL+CLICK, but was patched in 142). It doesn't work in Safari 18 (latest version to date) either.
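
Because the outcome in the table depends on browser and version, a site that renders user-supplied links can also reject `javascript:` targets itself before they reach the page. The following is an added example, not code from the posts above; `safeHref`, `renderLink`, the allowlist and the placeholder base URL are assumptions chosen for illustration.

```javascript
// Added example: allowlist the URL scheme of a user-supplied link target
// instead of relying on per-browser blocking of javascript: in new tabs.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Placeholder base so relative links resolve (assumption: use the site's own origin).
const BASE = "https://app.example.invalid/";

// Returns a normalized href, or null if the scheme is not allowlisted.
// The WHATWG URL parser lowercases the scheme and strips leading control
// characters and embedded tabs/newlines, so those spellings of
// "javascript:" are classified the same way a browser would classify them.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, BASE);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Renders the anchor only when the target passed the check; otherwise
// the label is shown as plain text with no link.
function renderLink(raw, text) {
  const href = safeHref(raw);
  const label = escapeHtml(text);
  if (href === null) return `<span>${label}</span>`;
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample inputs, including the href from the snippet above.
const samples = [
  "javascript:alert(location.origin)",
  "JaVaScRiPt:alert(location.origin)",
  "java\tscript:alert(location.origin)",
  " javascript:alert(location.origin)",
  "https://example.com/",
  "/docs?id=1",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", safeHref(s));
}
```
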