Scriptlock 2.1

The code execution prevention system for JavaScript


How valuable is your data?

Someday soon a hacker will get past your cross site scripting (XSS) filters / measures and successfully inject JavaScript onto your website.

Once in, they can use JavaScript to manipulate your website and extract valuable information, putting your business, reputation and users at risk.


Harden your website with Scriptlock!

Scriptlock is the original password/nonce based code execution prevention mechanism for JavaScript that hardens your pages against the effects of Reflected, Persistent and Self-XXS.

Scriptlock disarms JavaScript preventing unwanted code from modifying your pages.

Scriptlock augments Content Security Policy (CSP) level 1 and Pre-CSP browsers to provide CSP 2.0 nonce functionality.

Scriptlock is ideal for protecting pages with user submitted active content.

Scriptlock is simple to implement and works on all browsers from IE 10, IE 11, Edge 12, Safari 6, Chrome 18.0, Firefox 6.0, Opera 10.5 right up to the latest versions meaning virtually 100% of your users can benefit from enhanced protection*.


How it works

Scriptlock 2.1 builds on our original patented password protection mechanism to emulate the CSP2.0 nonce on pre-CSP and CSP1.0 browsers. It works in three modes:

  • On pre-CSP browsers the system targets and wraps dead-locked security around the vulnerable parts of the JavaScript language and DOM that would otherwise permit hackers to modify your webpages or transmit data from your website. A stack-trace based algorithm allows the system to determine URL and nonce origins during code execution and prevent execution from untrusted origins.
  • On CSP1.0 browsers the system parses blocked "unsafe-inline" SCRIPT elements and executes them if they have a valid nonce attribute, effectively emulating the CSP2.0 nonce. A synchronisation script is used to ensure that inline script executes in the correct sequence when mixed with external script.
  • On CSP2.0 browsers the system downgrades gracefully to allow the CSP2.0 nonce to work as normal.

Scriptlock 2.1 provides additional measures on all browsers including:

  • Extension of the CSP2.0 standard to provide nonce support for inline event handlers, allowing you the freedom to code how you want and making it quicker and easier to apply CSP protection to existing systems.
  • A password protected to eval function as an alternate to blocking "unsafe-eval".
  • Alternate semantics that are less vulnerable to dangling mark-up vulnerabilities.
  • 'nonce' sanitising for older CSP2.0 browsers that have not implemented sanitisation.
  • 'data-csp-nonce' sanitising for PayPal™ enabled websites.

Bring peace of mind to your users

Scriptlock is free to use if you are a non-profit making organisation, so there is no reason to delay in bringing peace of mind to yourself and your users.

Find out more now:


©2011 - 2021 Datawing Limited

Family picture © 4774344sean / Stock Photography

* Current browser market share statistics, source: - 22 Jun 2021