From 11482ed9c420ba6661d2216b9083eb4abfce6c93 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Elements that have a nonce
content attribute ensure that the
crytographic nonce is only exposed to script (and not to side-channels like CSS attribute
- selectors) by extracting the value from the content attribute, moving it into an internal slot
+ selectors) by taking the value from the content attribute, moving it into an internal slot
named [[CryptographicNonce]], and exposing it to script via the
- HTMLOrSVGElement
interface mixin. Unless otherwise specified, the slot's value
- is the empty string.HTMLOrSVGElement
interface mixin, and setting the content attribute to the empty
+ string. Unless otherwise specified, the slot's value is the empty string.
nonce
Whenever an element including HTMLOrSVGElement
has its nonce
attribute is set or changed, set this element's
+ data-x="attr-nonce">nonce content attribute is set or changed, set this element's
[[CryptographicNonce]] to the given value.
Whenever an element including HTMLOrSVGElement
becomes browsing-context
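Review bot: the added clause "and setting the content attribute to the empty string" in the introductory sentence reads as if the attribute is always cleared, but the steps that clear it run only when the element becomes browsing-context connected and attr's value is not the empty string; qualify the clause or point to those steps. The sentence also now chains two "and" clauses ("and exposing it to script ..., and setting ..."), and the rewritten rule still reads "has its nonce content attribute is set or changed", which needs either "has its" or "is" dropped. The context line's "crytographic" could be corrected to "cryptographic" in the same pass.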
@@ -7165,10 +7165,19 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
attr whose value is not the empty string, then:
Let nonce be element's + [[CryptographicNonce]].
Set an attribute value for
element using "nonce
" and the empty
string.
Set element's [[CryptographicNonce]] to + nonce.
If element's [[CryptographicNonce]] were not restored it + would be the empty string at this point.
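Review bot: the closing note says the slot "would be the empty string at this point" without saying why. State that setting the attribute value to the empty string triggers the "set or changed" rule above, which overwrites [[CryptographicNonce]], and that this is the reason nonce is saved first and restored last. It would also help to say that the order of the three steps matters, since swapping the last two would leave the slot empty.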
From b43d1e81f8a1e7446f86537128acd86a5128d1a3 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Whenever an element including HTMLOrSVGElement
has its nonce
content attribute is set or changed, set this element's
- [[CryptographicNonce]] to the given value.
The following attribute change
+ steps are used for the nonce
content attribute:
+
+
If element does not include HTMLOrSVGElement
, then
+ return.
If localName is not nonce
or
+ namespace is not null, then return.
If value is null, then set element's + [[CryptographicNonce]] to the empty string.
Otherwise, set element's [[CryptographicNonce]] to + value.
Whenever an element including HTMLOrSVGElement
becomes browsing-context
connected, the user agent must execute the following steps on the element:
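Review bot: the new steps refer to element, localName, namespace and value without introducing them; say that these are the arguments passed to the attribute change steps, or link the algorithm they come from. The lead-in "are used for the nonce content attribute" also duplicates the second step, which is what actually filters on localName and namespace, so the restriction is stated twice. If a null value corresponds to the attribute being removed, a short note saying that removal resets [[CryptographicNonce]] to the empty string would make the new branch easier to follow.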
nonce
content attribute:
If element does not include HTMLOrSVGElement
, then
+
If element does not include HTMLOrSVGElement
, then
return.
If localName is not nonce
or
@@ -7164,8 +7165,9 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
value.
Whenever an element including HTMLOrSVGElement
becomes browsing-context
- connected, the user agent must execute the following steps on the element:
Whenever an element including HTMLOrSVGElement
+ becomes browsing-context connected, the user agent must execute the following steps
+ on the element:
Let CSP list be element's Document
creation and initialization.
The cloning steps for elements that include
- HTMLOrSVGElement
must set the [[CryptographicNonce]] slot on the copy
- to the value of the slot on the element being cloned.
The cloning steps for elements that
+ include HTMLOrSVGElement
must set the
+ [[CryptographicNonce]] slot on the copy to the value of the slot on the element being
+ cloned.
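Review bot: the cloning sentence would benefit from a note that the copy receives the [[CryptographicNonce]] slot, not the content attribute's value, so a clone of an element whose nonce content attribute was set to the empty string still carries the nonce. The removed and added lines here otherwise differ only in wrapping.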