I have an HTML page which contains a dropdown list.
Chrome has a feature that can be turned off by setting this flag in your Chrome (icon) > Properties Target path:
Despite that, what you're trying will suffer from these goodies:
CSP Level 2 offers backward compatibility for inline scripts by allowing you to whitelist specific inline scripts using either a cryptographic nonce (number used once) or a hash.
So you might probably want to create a .json manifest with an "unsafe-inline" property that has that exact (unescaped) script converted to SHA256:
<script>alert('XSS')</script> // >> convert it to SHA256
Content-Security-Policy: script-src 'sha256-41f152968d8d75de3055b59b194f3a5a993b65b06c1586d7dda9d73be115271d'
or using a
must match your manifest's script-src:
Content-Security-Policy: script-src 'nonce-a3afdc68d2731d5187f58e833610c951'
So Chrome will not allow you to perform as you might expect with inline
<span> and it'll work!)
without you knowing exactly the madness you're doing.
BTW, no element is allowed inside an option tag, escaped or not, so Chrome is really smart about it. Especially regarding XSS prevention.
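Added example (not part of the answer above): how the hash and nonce source expressions in the answer are actually derived and matched. It assumes the hashed text is exactly the script body between the tags and that the digest is base64-encoded, which is what the CSP spec expects (the answer shows a hex digest).

```python
import base64
import hashlib
import secrets
from typing import Optional, Set, Tuple

# Hash and nonce source expressions as used in script-src
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def csp_hash_source(inline_script: str, algo: str = "sha256") -> str:
    """Source expression ('sha256-<base64>') for one inline script body.
    The hash covers exactly the text between <script> and </script>:
    no tags, no trimming. CSP wants base64, not a hex digest."""
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def csp_nonce_source(nonce: Optional[str] = None) -> Tuple[str, str]:
    """(nonce, source expression); generate a fresh random nonce per response."""
    nonce = nonce or base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return nonce, f"'nonce-{nonce}'"


def script_src_sources(policy: str) -> Set[str]:
    """Source list of the script-src directive in a CSP header value."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return set(parts[1:])
    return set()


def inline_script_allowed(policy: str, inline_script: str,
                          nonce_attr: Optional[str] = None) -> bool:
    """Model of the browser's decision for an inline <script> under script-src:
    'unsafe-inline' only counts when no hash or nonce source is listed (CSP2
    ignores it otherwise); else the nonce attribute or body hash must match."""
    sources = script_src_sources(policy)
    strict = any(s.startswith(HASH_PREFIXES + ("'nonce-",)) for s in sources)
    if "'unsafe-inline'" in sources and not strict:
        return True
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    return any(csp_hash_source(inline_script, a) in sources
               for a in ("sha256", "sha384", "sha512"))
```

A single trailing space or newline inside the script body changes the hash, which is why the answer stresses the exact, unescaped script.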