From 11482ed9c420ba6661d2216b9083eb4abfce6c93 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 18 Feb 2020 11:45:02 +0100
Subject: [PATCH 1/3] Prevent [[CryptographicNonce]] from being emptied

And also clarify some prose around the nonce content attribute; fixes #5288.
---
 source | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/source b/source
index 31b314f586f..ca07f791909 100644
--- a/source
+++ b/source
@@ -7118,11 +7118,11 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
   <p>Elements that have a <code data-x="attr-nonce">nonce</code> content attribute ensure that the
   crytographic nonce is only exposed to script (and not to side-channels like CSS attribute
-  selectors) by extracting the value from the content attribute, moving it into an internal slot
+  selectors) by taking the value from the content attribute, moving it into an internal slot
   named <dfn data-export="" data-dfn-for="HTMLOrSVGElement"
-  data-dfn-type="attribute">[[CryptographicNonce]]</dfn>, and exposing it to script via the
-  <code>HTMLOrSVGElement</code> interface mixin. Unless otherwise specified, the slot's value
-  is the empty string.</p>
+  data-dfn-type="attribute">[[CryptographicNonce]]</dfn>, exposing it to script via the
+  <code>HTMLOrSVGElement</code> interface mixin, and setting the content attribute to the empty
+  string. Unless otherwise specified, the slot's value is the empty string.</p>
 
   <dl class="domintro">
    <dt><var>element</var> . <code data-x="">nonce</code></dt>
@@ -7148,7 +7148,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   introduced.</p>
 
   <p>Whenever an element including <code>HTMLOrSVGElement</code> has its <code
-  data-x="attr-nonce">nonce</code> attribute is set or changed, set this element's
+  data-x="attr-nonce">nonce</code> content attribute is set or changed, set this element's
   <span>[[CryptographicNonce]]</span> to the given value.</p>
 
   <p>Whenever an element including <code>HTMLOrSVGElement</code> <span>becomes browsing-context
@@ -7165,10 +7165,19 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <var>attr</var> whose value is not the empty string, then:</p>
 
     <ol>
+     <li><p>Let <var>nonce</var> be <var>element</var>'s
+     <span>[[CryptographicNonce]]</span>.</p></li>
+
      <li><p><span data-x="concept-element-attributes-set-value">Set an attribute value</span> for
      <var>element</var> using "<code data-x="attr-nonce">nonce</code>" and the empty
      string.</p></li>
+
+     <li><p>Set <var>element</var>'s <span>[[CryptographicNonce]]</span> to
+     <var>nonce</var>.</p></li>
     </ol>
+
+    <p class="note">If <var>element</var>'s <span>[[CryptographicNonce]]</span> were not restored it
+    would be the empty string at this point.</p>
    </li>
   </ol>
 

From b43d1e81f8a1e7446f86537128acd86a5128d1a3 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 19 Feb 2020 14:07:28 +0100
Subject: [PATCH 2/3] use attribute change steps

---
 source | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/source b/source
index ca07f791909..56b1d0518cc 100644
--- a/source
+++ b/source
@@ -7147,9 +7147,22 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   <a href="https://github.com/whatwg/html/issues/2369">issue #2369</a>, where this behavior was
   introduced.</p>
 
-  <p>Whenever an element including <code>HTMLOrSVGElement</code> has its <code
-  data-x="attr-nonce">nonce</code> content attribute is set or changed, set this element's
-  <span>[[CryptographicNonce]]</span> to the given value.</p>
+  <p>The following <span data-x="concept-element-attributes-change-ext">attribute change
+  steps</span> are used for the <code data-x="attr-nonce">nonce</code> content attribute:
+
+  <ol>
+   <li><p>If <var>element</var> does not include <code>HTMLOrSVGElement</code>, then
+   return.</p></li>
+
+   <li><p>If <var>localName</var> is not <code data-x="attr-nonce">nonce</code> or
+   <var>namespace</var> is not null, then return.</p></li>
+
+   <li><p>If <var>value</var> is null, then set <var>element</var>'s
+   <span>[[CryptographicNonce]]</span> to the empty string.</p></li>
+
+   <li><p>Otherwise, set <var>element</var>'s <span>[[CryptographicNonce]]</span> to
+   <var>value</var>.</p></li>
+  </ol>
 
   <p>Whenever an element including <code>HTMLOrSVGElement</code> <span>becomes browsing-context
   connected</span>, the user agent must execute the following steps on the <var>element</var>:</p>

From aed568ab4d6b9697b951a5c04a0e3e61d72674b6 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 20 Feb 2020 10:07:29 +0100
Subject: [PATCH 3/3] include

---
 source | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/source b/source
index 56b1d0518cc..a40b1e838c8 100644
--- a/source
+++ b/source
@@ -2824,6 +2824,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-legacy-platform-object">legacy platform object</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-primary-interface">primary interface</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-interface-object">interface object</dfn></li>
+     <li><dfn data-x-href="https://heycam.github.io/webidl/#include">include</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-interface-prototype-object">interface prototype object</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#es-platform-objects">[[Realm]] field of a platform object</dfn></li>
      <li><dfn data-x-href="https://heycam.github.io/webidl/#dfn-callback-context">callback context</dfn></li>
@@ -7151,7 +7152,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   steps</span> are used for the <code data-x="attr-nonce">nonce</code> content attribute:
 
   <ol>
-   <li><p>If <var>element</var> does not include <code>HTMLOrSVGElement</code>, then
+   <li><p>If <var>element</var> does not <span>include</span> <code>HTMLOrSVGElement</code>, then
    return.</p></li>
 
    <li><p>If <var>localName</var> is not <code data-x="attr-nonce">nonce</code> or
@@ -7164,8 +7165,9 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    <var>value</var>.</p></li>
   </ol>
 
-  <p>Whenever an element including <code>HTMLOrSVGElement</code> <span>becomes browsing-context
-  connected</span>, the user agent must execute the following steps on the <var>element</var>:</p>
+  <p>Whenever an element <span data-x="include">including</span> <code>HTMLOrSVGElement</code>
+  <span>becomes browsing-context connected</span>, the user agent must execute the following steps
+  on the <var>element</var>:</p>
 
   <ol>
    <li><p>Let <var>CSP list</var> be <var>element</var>'s <span data-x="shadow-including
@@ -7200,9 +7202,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
   set during <span data-x="create-the-document-object"><code data-x="">Document</code>
   creation and initialization</span>.</p>
 
-  <p>The <span data-x="concept-node-clone-ext">cloning steps</span> for elements that include
-  <code>HTMLOrSVGElement</code> must set the <span>[[CryptographicNonce]]</span> slot on the copy
-  to the value of the slot on the element being cloned.</p>
+  <p>The <span data-x="concept-node-clone-ext">cloning steps</span> for elements that
+  <span>include</span> <code>HTMLOrSVGElement</code> must set the
+  <span>[[CryptographicNonce]]</span> slot on the copy to the value of the slot on the element being
+  cloned.</p>
 
   <h4>Lazy loading attributes</h4>