Almost browsers prevent to XSS that is using javascript: protocol.
<a href=javascript:alert(location.origin) traget=_blank>XSS</a>Demo: https://nuvjcp.csb.app/
| Brower | Work? | Detail |
|---|---|---|
| Chrome | No | about:blank#blocked |
| Microsoft Edge(Chromium) | No | about:blank#blocked |
| Firefox | Yes | location.origin is null. It is safe. |
| Safari | No | |
| Mobile Safari | No | Show warning dialog |