Scoping with INCLUDE
INCLUDE is the allow-list complement of EXCLUDE: DOMFortify activates only on matching URLs and stays inactive everywhere else. This page keys off the query string. ?admin is in scope, so DOMFortify claims the policy, injects the enabling CSP, and sanitizes. The baseline URL is out of scope, so DOMFortify stands down and leaves the page untouched.
[Interactive demo: pick a URL, either the baseline (out of scope) or ?admin (in scope). The demo reports the current flags excluded, metaInjected and protected, then renders the same payload on both URLs and shows the resulting HTML.]
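The scoping rule above, modelled as an added example that is not DOMFortify's own code. It assumes a glob-style pattern syntax (`*` wildcard, matched against pathname plus query), assumes the enabling CSP is a Trusted Types `require-trusted-types-for 'script'` directive, and substitutes plain HTML escaping for the tool's real sanitizer; the payload and URLs are constructed. It returns the same three flags the demo reports, and also shows the precedence when INCLUDE and EXCLUDE both match.

```javascript
// Added example (not DOMFortify's code): INCLUDE/EXCLUDE URL scoping.
// Assumptions: glob patterns ("*" wildcard) matched against pathname + query;
// Trusted Types directive as the enabling CSP; HTML escaping as the sanitizer.

function globToRegExp(pattern) {
  // Escape regex metacharacters, then turn "*" into ".*".
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\?]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function scopeDecision(href, { include = [], exclude = [] } = {}) {
  const u = new URL(href, "http://localhost"); // base only matters for relative hrefs
  const target = u.pathname + u.search;
  const hits = (patterns) => patterns.some((p) => globToRegExp(p).test(target));
  // No INCLUDE list means every URL is in scope; otherwise the URL must match one.
  // EXCLUDE is applied afterwards, so a URL matching both is excluded.
  const included = include.length === 0 || hits(include);
  const excluded = !included || hits(exclude);
  return { target, excluded };
}

// Assumed enabling CSP: require Trusted Types for script sinks.
const ENABLING_CSP = "require-trusted-types-for 'script'";

function cspMetaTag() {
  return `<meta http-equiv="Content-Security-Policy" content="${ENABLING_CSP}">`;
}

// Stand-in sanitizer (constructed): render the payload as inert text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Runs the pipeline for one URL and returns the flags the demo reports.
function applyPolicy(href, payloadHtml, config, sanitize = escapeHtml) {
  const { excluded } = scopeDecision(href, config);
  if (excluded) {
    // Out of scope: stand down and leave the page untouched.
    return { excluded: true, metaInjected: false, protected: false, html: payloadHtml };
  }
  // In scope: claim the policy, inject the enabling CSP, sanitize the payload.
  return {
    excluded: false,
    metaInjected: true,
    protected: true,
    html: cspMetaTag() + sanitize(payloadHtml),
  };
}

// Same payload on both URLs, as in the demo (payload and URLs are constructed).
const PAYLOAD = '<img src="x" onerror="probe()">';
const CONFIG = { include: ["*?admin*"] };

function demo() {
  return {
    baseline: applyPolicy("https://example.test/page", PAYLOAD, CONFIG),
    admin: applyPolicy("https://example.test/page?admin", PAYLOAD, CONFIG),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The baseline result keeps the payload byte-for-byte with all three flags false; the ?admin result starts with the CSP meta tag and carries the payload only as escaped text. Passing the same pattern in both `include` and `exclude` yields `excluded: true`, which is the precedence a practitioner should confirm before relying on an allow-list.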