From 931ecf4395893c19e99d5a68f6329652e30d987b Mon Sep 17 00:00:00 2001
From: Anne van Kesteren Elements that have a nonce
content attribute ensure that the
crytographic nonce is only exposed to script (and not to side-channels like CSS attribute
- selectors) by extracting the value from the content attribute, moving it into an internal slot
+ selectors) by taking the value from the content attribute, moving it into an internal slot
named [[CryptographicNonce]], and exposing it to script via the
- HTMLOrSVGElement
interface mixin. Unless otherwise specified, the slot's value
- is the empty string.HTMLOrSVGElement
interface mixin, and setting the content attribute to the empty
+ string. Unless otherwise specified, the slot's value is the empty string.
nonce
Whenever an element including HTMLOrSVGElement
has its nonce
attribute is set or changed, set this element's
- [[CryptographicNonce]] to the given value.
The following attribute change
+ steps are used for the nonce
content attribute:
+
+
If element does not include HTMLOrSVGElement
, then
+ return.
If localName is not nonce
or
+ namespace is not null, then return.
Whenever an element including HTMLOrSVGElement
becomes browsing-context
- connected, the user agent must execute the following steps on the element:
If value is null, then set element's + [[CryptographicNonce]] to the empty string.
Otherwise, set element's [[CryptographicNonce]] to + value.
Whenever an element including HTMLOrSVGElement
+ becomes browsing-context connected, the user agent must execute the following steps
+ on the element:
Let CSP list be element's Set an attribute value for
element using "nonce
" and the empty
string.
Set element's [[CryptographicNonce]] to + nonce.
If element's [[CryptographicNonce]] were not restored it + would be the empty string at this point.
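Review bot: In the browsing-context-connected steps, "Set element's [[CryptographicNonce]] to nonce" is only correct if nonce was read from the slot before the step "Set an attribute value for element using "nonce" and the empty string". That write runs the attribute change steps added above, which set the slot to value, here the empty string. Please make the capture-then-clear-then-restore order explicit in the steps, and have the closing note say why the restore is needed (the attribute change steps just ran) rather than only what the slot would hold without it. Separately, the introductory sentence now lists "setting the content attribute to the empty string" alongside the other actions as if it always happened, while the steps only clear the attribute when the element becomes browsing-context connected; the overview should say when the clearing occurs.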
@@ -7178,9 +7202,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute set duringDocument
creation and initialization.
- The cloning steps for elements that include
- HTMLOrSVGElement
must set the [[CryptographicNonce]] slot on the copy
- to the value of the slot on the element being cloned.
The cloning steps for elements that
+ include HTMLOrSVGElement
must set the
+ [[CryptographicNonce]] slot on the copy to the value of the slot on the element being
+ cloned.
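Review bot: The cloning steps sentence reads the same before and after in the visible text, but its effect now depends on the attribute change steps introduced earlier in this patch. Setting the copy's nonce content attribute (which is empty once the original has been connected) sets the copy's [[CryptographicNonce]] to that value, so the slot must be copied after the copy's attributes are in place. A short note stating that ordering, and that a clone of an element whose content attribute was emptied still carries the nonce in its slot, would make the intent clear. If this hunk is only a re-wrap, consider leaving it out so the diff stays focused on the behavioural change.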