Hide nonce content attribute values. (#2369)
#2373
Merged
Commits on Apr 7, 2017
-
Hide 'nonce' content attributes.
This patch extracts the 'nonce' attribute out to a generic definition in the "Fetching resources" section (alongside "CORS settings attributes", etc.), and defines some new behaviors with the intent of reducing the risk of side-channel leakage of the nonce's value. In short, the nonce value is extracted from the content attribute when the element is inserted into the DOM, and put into an internal slot. The content attribute's value is set to the empty string. From then on, the slot's value and the content attribute's value are disconnected; alterations to one have no effect on the other, and vice-versa. The nonce's value is available to script via the `nonce` IDL attribute, and so can be propagated just as today. Addresses #2369.
Commits on Apr 10, 2017
Commits on May 4, 2017
Commits on May 5, 2017
Commits on May 23, 2017
Commits on May 24, 2017
Commits on May 25, 2017
Commits on Nov 15, 2017
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.