From 931ecf4395893c19e99d5a68f6329652e30d987b Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 20 Feb 2020 10:51:02 +0100
Subject: [PATCH] Prevent [[CryptographicNonce]] from being emptied

Also clarify some prose around the nonce content attribute, including that it does in fact update the slot upon removal.

Tests: https://github.com/web-platform-tests/wpt/pull/21853.

Fixes #5288.
---
 source | 49 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 12 deletions(-)

diff --git a/source b/source
index f8035642ae6..d030c6e0e8d 100644
--- a/source
+++ b/source
@@ -2824,6 +2824,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-legacy-platform-object">legacy platform object</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-primary-interface">primary interface</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</dfn></li>
+     <li><dfn data-x-href="https://heycam.github.io/webidl/#include">include</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-interface-prototype-object">interface prototype object</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#es-platform-objects">[[Realm]] field of a platform object</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-callback-context">callback context</dfn></li>
@@ -7118,11 +7119,11 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
   <p>Elements that have a <code data-x="attr-nonce">nonce</code> content attribute ensure that the
   crytographic nonce is only exposed to script (and not to side-channels like CSS attribute
-  selectors) by extracting the value from the content attribute, moving it into an internal slot
+  selectors) by taking the value from the content attribute, moving it into an internal slot
   named <dfn data-export="" data-dfn-for="HTMLOrSVGElement"
-  data-dfn-type="attribute">[[CryptographicNonce]]</dfn>, and exposing it to script via the
-  <code>HTMLOrSVGElement</code> interface mixin. Unless otherwise specified, the slot's value
-  is the empty string.</p>
+  data-dfn-type="attribute">[[CryptographicNonce]]</dfn>, exposing it to script via the
+  <code>HTMLOrSVGElement</code> interface mixin, and setting the content attribute to the empty
+  string. Unless otherwise specified, the slot's value is the empty string.</p>
 
   <dl class="domintro">
    <dt><var>element</var> . <code data-x="">nonce</code></dt>
@@ -7147,12 +7148,26 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   <a href="https://github.com/whatwg/html/issues/2369">issue #2369</a>, where this behavior was
   introduced.</p>
 
-  <p>Whenever an element including <code>HTMLOrSVGElement</code> has its <code
-  data-x="attr-nonce">nonce</code> attribute is set or changed, set this element's
-  <span>[[CryptographicNonce]]</span> to the given value.</p>
+  <p>The following <span data-x="concept-element-attributes-change-ext">attribute change
+  steps</span> are used for the <code data-x="attr-nonce">nonce</code> content attribute:
+
+  <ol>
+   <li><p>If <var>element</var> does not <span>include</span> <code>HTMLOrSVGElement</code>, then
+   return.</p></li>
+
+   <li><p>If <var>localName</var> is not <code data-x="attr-nonce">nonce</code> or
+   <var>namespace</var> is not null, then return.</p></li>
 
-  <p>Whenever an element including <code>HTMLOrSVGElement</code> <span>becomes browsing-context
-  connected</span>, the user agent must execute the following steps on the <var>element</var>:</p>
+   <li><p>If <var>value</var> is null, then set <var>element</var>'s
+   <span>[[CryptographicNonce]]</span> to the empty string.</p></li>
+
+   <li><p>Otherwise, set <var>element</var>'s <span>[[CryptographicNonce]]</span> to
+   <var>value</var>.</p></li>
+  </ol>
+
+  <p>Whenever an element <span data-x="include">including</span> <code>HTMLOrSVGElement</code>
+  <span>becomes browsing-context connected</span>, the user agent must execute the following steps
+  on the <var>element</var>:</p>
 
   <ol>
    <li><p>Let <var>CSP list</var> be <var>element</var>'s <span data-x="shadow-including
@@ -7165,10 +7180,19 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <var>attr</var> whose value is not the empty string, then:</p>
 
     <ol>
+     <li><p>Let <var>nonce</var> be <var>element</var>'s
+     <span>[[CryptographicNonce]]</span>.</p></li>
+
      <li><p><span data-x="concept-element-attributes-set-value">Set an attribute value</span> for
      <var>element</var> using "<code data-x="attr-nonce">nonce</code>" and the empty
      string.</p></li>
+
+     <li><p>Set <var>element</var>'s <span>[[CryptographicNonce]]</span> to
+     <var>nonce</var>.</p></li>
     </ol>
+
+    <p class="note">If <var>element</var>'s <span>[[CryptographicNonce]]</span> were not restored it
+    would be the empty string at this point.</p>
    </li>
   </ol>
 
@@ -7178,9 +7202,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   set during <span data-x="create-the-document-object"><code data-x="">Document</code>
   creation and initialization</span>.</p>
 
-  <p>The <span data-x="concept-node-clone-ext">cloning steps</span> for elements that include
-  <code>HTMLOrSVGElement</code> must set the <span>[[CryptographicNonce]]</span> slot on the copy
-  to the value of the slot on the element being cloned.</p>
+  <p>The <span data-x="concept-node-clone-ext">cloning steps</span> for elements that
+  <span>include</span> <code>HTMLOrSVGElement</code> must set the
+  <span>[[CryptographicNonce]]</span> slot on the copy to the value of the slot on the element being
+  cloned.</p>
 
   <h4>Lazy loading attributes</h4>