Hide nonce content attribute values from non-script sources.
#436
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch extracts the `nonce` content attribute out to a generic definition in DOM, rather than an HTMLScriptElement-specific definition in HTML, and defines new behavior for insertion and cloning with the intent of reducing the risk of side-channel leakage of the nonce's value. The nonce value is extracted from the content attribute when the element is inserted into the DOM, and put into an internal property. The content attribute's value is set to the empty string. From then on, the property's value and the content attribute's value are disconnected; alterations to one have no effect on the other, and vice-versa. The nonce's value is available to script via the `nonce` IDL attribute, and so can be propagated just as today. Addresses whatwg/html#2369.
|
(If so, I'll update the HTML patch to rely on this one. If not, we should chat a bit. :) ) |
annevk
reviewed
Apr 10, 2017
I'd be fine moving this back to HTML (and finding someone to talk to about SVG) if y'all would prefer. It feels a little strange putting this in DOM, honestly, so that wouldn't make me terribly sad. |
annevk
reviewed
Apr 10, 2017
dom.bs
Outdated
| <p>If <var>inserted</var> is [=connected=], and it has a content attribute (<var>attr</var>) whose | ||
| value is not the empty string, then:</p> | ||
| <p>If <var>inserted</var> is [=connected=], and it has a content attribute (<var>attr</var>) named | ||
| [=Attr/local name=] "<code>nonce</code>" whose [=Attr/value=] is not the empty string, then:</p> |
There was a problem hiding this comment.
You want to use https://dom.spec.whatwg.org/#concept-named-attribute since this is still not precise enough.
There was a problem hiding this comment.
Trying again in 78db5fb. :)
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch extracts the
noncecontent attribute out to a genericdefinition in DOM, rather than an HTMLScriptElement-specific definition
in HTML, and defines new behavior for insertion and cloning with the
intent of reducing the risk of side-channel leakage of the nonce's
value.
The nonce value is extracted from the content attribute when the element
is inserted into the DOM, and put into an internal property. The
content attribute's value is set to the empty string.
From then on, the property's value and the content attribute's value are
disconnected; alterations to one have no effect on the other, and
vice-versa.
The nonce's value is available to script via the
nonceIDL attribute,and so can be propagated just as today.
Addresses whatwg/html#2369.
Preview | Diff