Skip to content

Commit

Permalink
Hide 'nonce' content attributes.
Browse files Browse the repository at this point in the history 
This patch extracts the 'nonce' attribute out to a generic definition in
the "Fetching resources" section (alongside "CORS settings attributes",
etc.), and defines some new behaviors with the intent of reducing the
risk of side-channel leakage of the nonce's value.

In short, the nonce value is extracted from the content attribute when
the element is inserted into the DOM, and put into an internal slot. The
content attribute's value is set to the empty string.

From then on, the slot's value and the content attribute's value are
disconnected; alterations to one have no effect on the other, and
vice-versa.

The nonce's value is available to script via the `nonce` IDL attribute,
and so can be propagated just as today.

Addresses #2369.
  • Loading branch information
@mikewest
mikewest committed Apr 7, 2017
1 parent 2c997f4 commit e1fe3e9
Showing 1 changed file with 73 additions and 35 deletions.
108 changes: 73 additions & 35 deletions source
View file
Expand Up @@ -6839,6 +6839,56 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
</ol>
</div>

<h4>Nonce attributes</h4>

<p>A <dfn data-export="">nonce content attribute</dfn> represents a cryptographic nonce ("number
used once") which can be used by <cite>Content Security Policy</cite> to determine whether or not
a given fetch will be allowed to proceed. The value is text. <ref spec="CSP"></p>

<p>Elements that have a <span>nonce content attribute</span> ensure that the crytographic nonce is
only exposed to script (and not to side-channels like CSS attribute selectors) by extracting the
value from the content attribute, moving it into an internal slot name <dfn data-export=""
data-dfn-for="NoncedHTMLElement" data-dfn-type="attribute">[[CryptographicNonce]]</dfn>, and
exposing it to script via the <code>NoncedHTMLElement</code> interface defined below:</p>

<pre class="idl">[NoInterfaceObject]
interface <dfn>NoncedHTMLElement</dfn> {
[<span>CEReactions</span>] attribute DOMString nonce;
};</pre>

<dl class="domintro">
<dt><var>element</var> . <code data-x="">nonce</code></dt>
<dd>
<p>Returns the value of the element's <code>[[CryptographicNonce]]</code> internal slot.</p>
<p>Can be set, to update that slot's value.</p>
</dd>
</dl>

<p>The <dfn><code data-x="dom-NoncedHTMLElement-nonce">nonce</code></dfn> IDL attribute must, on
getting, return the value of the element's <code>[[CryptographicNonce]]</code>; and on setting,
set the element's <code>[[CryptographicNonce]]</code> to the specified new value.</p>

<p>When such an element that implements <code>NoncedHTMLElement</code> <span>becomes
connected</span>, the user agent must <span>immediately</span> execute the following steps on the
<var>element</var>:

<ol>
<li>
<p>If <var>element</var> has a <span>nonce content attribute</span> <var>attr</var> whose value
is not the empty string, then:</p>

<ol>
<li>Let <var>nonce</var> be <var>attr</var>'s value.</li>
<li>Set <var>attr</var>'s value to the empty string.</li>
<li>Set <var>element</var>.<code>[[CryptographicNonce]]</code> to <var>nonce</var>.</li>
</ol>
</li>
</ol>

<p>The <span data-x="concept-node-clone-ext">cloning steps</span> for elements that implement
<code>NoncedHTMLElement</code> must set the <code>[[CryptographicNonce]]</code> slot on the copy
to the value of the slot on the element being cloned.</p>


<h3>Common DOM interfaces</h3>

Expand Down Expand Up @@ -12839,7 +12889,6 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
[<span>CEReactions</span>] attribute <span>RequestDestination</span> <span data-x="dom-link-as">as</span>; // (default "")
[SameObject, PutForwards=<span data-x="dom-DOMTokenList-value">value</span>] readonly attribute <span>DOMTokenList</span> <span data-x="dom-link-relList">relList</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-media">media</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-nonce">nonce</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-integrity">integrity</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-hreflang">hreflang</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-type">type</span>;
Expand All @@ -12849,7 +12898,9 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
[<span>CEReactions</span>] attribute <span>WorkerType</span> <span data-x="dom-link-workertype">workerType</span>;
[<span>CEReactions</span>] attribute boolean <span data-x="dom-link-useCache">useCache</span>;
};
<span>HTMLLinkElement</span> implements <span>LinkStyle</span>;</pre>
<span>HTMLLinkElement</span> implements <span>LinkStyle</span>;
<span>HTMLLinkElement</span> implements <span>NoncedHTMLElement</span>;
</pre>
</dd>
</dl><!--TOPIC:HTML-->

Expand All @@ -12865,6 +12916,10 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
<span>CORS settings attribute</span>. It is intended for use with <span data-x="external resource
link">external resource links</span>.</p>

<p>The <dfn><code data-x="attr-link-nonce">nonce</code></dfn> attribute is a <span>nonce content
attribute</span>. It is intended for use with <span data-x="external resource link">external
resource links</span>.</p>

<p>The types of link indicated (the relationships) are given by the value of the <dfn><code
data-x="attr-link-rel">rel</code></dfn> attribute, which, if present, must have a value that is a
<span>set of space-separated tokens</span>. The <a href="#linkTypes">allowed keywords and their
Expand Down Expand Up @@ -12956,11 +13011,6 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
<p>The <dfn><code data-x="attr-link-media">media</code></dfn> attribute says which media the
resource applies to. The value must be a <span>valid media query list</span>.</p>

<p>The <dfn><code data-x="attr-link-nonce">nonce</code></dfn> attribute represents a cryptographic
nonce ("number used once") which can be used by <cite>Content Security Policy</cite> to determine
whether or not an <span data-x="external resource link">external resource specified by the
link</span> will be loaded and applied to the document. The value is text. <ref spec="CSP"></p>

<p>The <dfn data-export="" data-dfn-for="link" data-dfn-type="element-attr"><code
data-x="attr-link-integrity">integrity</code></dfn> attribute represents the <span
data-x="concept-request-integrity-metadata">integrity metadata</span> for requests which this
Expand Down Expand Up @@ -13078,7 +13128,6 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
<dfn><code data-x="dom-link-hreflang">hreflang</code></dfn>,
<dfn><code data-x="dom-link-integrity">integrity</code></dfn>,
<dfn><code data-x="dom-link-media">media</code></dfn>,
<dfn><code data-x="dom-link-nonce">nonce</code></dfn>,
<dfn><code data-x="dom-link-rel">rel</code></dfn>,
<dfn><code data-x="dom-link-scope">scope</code></dfn>,
<dfn><code data-x="dom-link-sizes">sizes</code></dfn>, and
Expand Down Expand Up @@ -13220,8 +13269,8 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
<span>environment settings object</span>.

<li><p>Set <var>request</var>'s <span data-x="concept-request-nonce-metadata">cryptographic
nonce metadata</span> to the current value of the <code>link</code> element's <code
data-x="attr-link-nonce">nonce</code> content attribute.</p></li>
nonce metadata</span> to the current value of the <code>link</code> element's
<code>[[CryptographicNonce]]</code> internal slot.</p></li>

<li><p>Set <var>request</var>'s <span data-x="concept-request-integrity-metadata">integrity
metadata</span> to the current value of the <code>link</code> element's <code
Expand Down Expand Up @@ -14559,10 +14608,10 @@ people expect to have work and what is necessary.
<pre class="idl">[<span>HTMLConstructor</span>]
interface <dfn>HTMLStyleElement</dfn> : <span>HTMLElement</span> {
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-style-media">media</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-style-nonce">nonce</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-style-type">type</span>;
};
<span>HTMLStyleElement</span> implements <span>LinkStyle</span>;</pre>
<span>HTMLStyleElement</span> implements <span>LinkStyle</span>;
<span>HTMLStyleElement</span> implements <span>NoncedHTMLElement</span>;</pre>
</dd>
</dl><!--TOPIC:HTML-->

Expand Down Expand Up @@ -14605,10 +14654,8 @@ interface <dfn>HTMLStyleElement</dfn> : <span>HTMLElement</span> {
attribute is omitted, is "<code data-x="">all</code>", meaning that by default styles apply to all
media.</p>

<p>The <dfn><code data-x="attr-style-nonce">nonce</code></dfn> attribute represents a
cryptographic nonce ("number used once") which can be used by <cite>Content Security Policy</cite>
to determine whether or not the style specified by an element will be applied to the document. The
value is text. <ref spec="CSP"></p>
<p>The <dfn><code data-x="attr-style-nonce">nonce</code></dfn> attribute is a <span>nonce content
attribute</span>.</p>

<p id="title-on-style">The <dfn><code data-x="attr-style-title">title</code></dfn> attribute on
<code>style</code> elements defines <span data-x="CSS style sheet set">CSS style sheet
Expand Down Expand Up @@ -14783,8 +14830,7 @@ c-end = "-->"</pre>

<div w-nodev>

<p>The <dfn><code data-x="dom-style-media">media</code></dfn>, <dfn><code
data-x="dom-style-nonce">nonce</code></dfn>, and <dfn><code
<p>The <dfn><code data-x="dom-style-media">media</code></dfn>, and <dfn><code
data-x="dom-style-type">type</code></dfn> IDL attributes must <span>reflect</span> the respective
content attributes of the same name.</p>

Expand Down Expand Up @@ -57540,10 +57586,10 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
[<span>CEReactions</span>] attribute boolean <span data-x="dom-script-defer">defer</span>;
[<span>CEReactions</span>] attribute DOMString? <span data-x="dom-script-crossOrigin">crossOrigin</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-text">text</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-nonce">nonce</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-integrity">integrity</span>;

};</pre>
};
<span>HTMLScriptElement</span> implements <span>NoncedHTMLElement</span>;</pre>
</dd>
</dl><!--TOPIC:HTML-->

Expand Down Expand Up @@ -57690,9 +57736,8 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
data-x="CORS protocol">CORS protocol</span> for cross-origin fetching.</p>

<p>The <dfn data-export="" data-dfn-for="script" data-dfn-type="element-attr"><code
data-x="attr-script-nonce">nonce</code></dfn> attribute represents a cryptographic nonce ("number
used once") which can be used by <cite>Content Security Policy</cite> to determine whether or not
the script specified by an element will be executed. The value is text. <ref spec="CSP"></p>
data-x="attr-script-nonce">nonce</code></dfn> attribute is a <span>nonce content
attribute</span>.</p>

<p>The <dfn data-export="" data-dfn-for="script" data-dfn-type="element-attr"><code
data-x="attr-script-integrity">integrity</code></dfn> attribute represents the <span
Expand All @@ -57717,10 +57762,9 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
<p>The IDL attributes <dfn><code data-x="dom-script-src">src</code></dfn>, <dfn><code
data-x="dom-script-type">type</code></dfn>, <dfn><code
data-x="dom-script-charset">charset</code></dfn>, <dfn><code
data-x="dom-script-defer">defer</code></dfn>, <dfn><code
data-x="dom-script-integrity">integrity</code></dfn>, and <dfn><code
data-x="dom-script-nonce">nonce</code></dfn>, must each <span>reflect</span> the respective
content attributes of the same name.</p>
data-x="dom-script-defer">defer</code></dfn>, and <dfn><code
data-x="dom-script-integrity">integrity</code></dfn>, must each <span>reflect</span> the
respective content attributes of the same name.</p>

<p>The <dfn><code data-x="dom-script-crossOrigin">crossOrigin</code></dfn> IDL attribute must
<span>reflect</span> the <code data-x="attr-script-crossorigin">crossorigin</code> content attribute.</p>
Expand Down Expand Up @@ -58219,14 +58263,8 @@ o............A....e
</dl>
</li>

<li>

<p>If the <code>script</code> element has a <code data-x="attr-script-nonce">nonce</code>
attribute, then let <var>cryptographic nonce</var> be that attribute's value.</p>

<p>Otherwise, let <var>cryptographic nonce</var> be the empty string.</p>

</li>
<li><p>Let <var>cryptographic nonce</var> be the element's <code>[[CryptographicNonce]]</code>
internal slot's value.</p></li>

<li>

Expand Down

0 comments on commit e1fe3e9

Please sign in to comment.