Hide 'nonce' content attributes.

This patch extracts the 'nonce' attribute out to a generic definition in the "Fetching resources" section (alongside "CORS settings attributes", etc.), and defines some new behaviors with the intent of reducing the risk of side-channel leakage of the nonce's value. In short, the nonce value is extracted from the content attribute when the element is inserted into the DOM, and put into an internal slot. The content attribute's value is set to the empty string. From then on, the slot's value and the content attribute's value are disconnected; alterations to one have no effect on the other, and vice-versa. The nonce's value is available to script via the `nonce` IDL attribute, and so can be propagated just as today. Addresses #2369.
whatwg · Apr 7, 2017 · e1fe3e9 · e1fe3e9
1 parent 2c997f4
commit e1fe3e9
Showing 1 changed file with 73 additions and 35 deletions.
diff --git a/source b/source
@@ -6839,6 +6839,56 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    </ol>
   </div>
 
+  <h4>Nonce attributes</h4>
+
+  <p>A <dfn data-export="">nonce content attribute</dfn> represents a cryptographic nonce ("number
+  used once") which can be used by <cite>Content Security Policy</cite> to determine whether or not
+  a given fetch will be allowed to proceed. The value is text. <ref spec="CSP"></p>
+
+  <p>Elements that have a <span>nonce content attribute</span> ensure that the crytographic nonce is
+  only exposed to script (and not to side-channels like CSS attribute selectors) by extracting the
+  value from the content attribute, moving it into an internal slot name <dfn data-export=""
+  data-dfn-for="NoncedHTMLElement" data-dfn-type="attribute">[[CryptographicNonce]]</dfn>, and
+  exposing it to script via the <code>NoncedHTMLElement</code> interface defined below:</p>
+
+  <pre class="idl">[NoInterfaceObject]
+interface <dfn>NoncedHTMLElement</dfn> {
+  [<span>CEReactions</span>] attribute DOMString nonce;
+};</pre>
+
+  <dl class="domintro">
+   <dt><var>element</var> . <code data-x="">nonce</code></dt>
+   <dd>
+    <p>Returns the value of the element's <code>[[CryptographicNonce]]</code> internal slot.</p>
+    <p>Can be set, to update that slot's value.</p>
+   </dd>
+  </dl>
+
+  <p>The <dfn><code data-x="dom-NoncedHTMLElement-nonce">nonce</code></dfn> IDL attribute must, on
+  getting, return the value of the element's <code>[[CryptographicNonce]]</code>; and on setting,
+  set the element's <code>[[CryptographicNonce]]</code> to the specified new value.</p>
+
+  <p>When such an element that implements <code>NoncedHTMLElement</code> <span>becomes
+  connected</span>, the user agent must <span>immediately</span> execute the following steps on the
+  <var>element</var>:
+
+  <ol>
+   <li>
+    <p>If <var>element</var> has a <span>nonce content attribute</span> <var>attr</var> whose value
+    is not the empty string, then:</p>
+
+    <ol>
+     <li>Let <var>nonce</var> be <var>attr</var>'s value.</li>
+     <li>Set <var>attr</var>'s value to the empty string.</li>
+     <li>Set <var>element</var>.<code>[[CryptographicNonce]]</code> to <var>nonce</var>.</li>
+    </ol>
+   </li>
+  </ol>
+
+  <p>The <span data-x="concept-node-clone-ext">cloning steps</span> for elements that implement
+  <code>NoncedHTMLElement</code> must set the <code>[[CryptographicNonce]]</code> slot on the copy
+  to the value of the slot on the element being cloned.</p>
+
 
   <h3>Common DOM interfaces</h3>
 
@@ -12839,7 +12889,6 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute <span>RequestDestination</span> <span data-x="dom-link-as">as</span>; // (default "")
   [SameObject, PutForwards=<span data-x="dom-DOMTokenList-value">value</span>] readonly attribute <span>DOMTokenList</span> <span data-x="dom-link-relList">relList</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-media">media</span>;
-  [<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-nonce">nonce</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-integrity">integrity</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-hreflang">hreflang</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-link-type">type</span>;
@@ -12849,7 +12898,9 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute <span>WorkerType</span> <span data-x="dom-link-workertype">workerType</span>;
   [<span>CEReactions</span>] attribute boolean <span data-x="dom-link-useCache">useCache</span>;
 };
-<span>HTMLLinkElement</span> implements <span>LinkStyle</span>;</pre>
+<span>HTMLLinkElement</span> implements <span>LinkStyle</span>;
+<span>HTMLLinkElement</span> implements <span>NoncedHTMLElement</span>;
+</pre>
    </dd>
   </dl><!--TOPIC:HTML-->
 
@@ -12865,6 +12916,10 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
   <span>CORS settings attribute</span>. It is intended for use with <span data-x="external resource
   link">external resource links</span>.</p>
 
+  <p>The <dfn><code data-x="attr-link-nonce">nonce</code></dfn> attribute is a <span>nonce content
+  attribute</span>. It is intended for use with <span data-x="external resource link">external
+  resource links</span>.</p>
+
   <p>The types of link indicated (the relationships) are given by the value of the <dfn><code
   data-x="attr-link-rel">rel</code></dfn> attribute, which, if present, must have a value that is a
   <span>set of space-separated tokens</span>. The <a href="#linkTypes">allowed keywords and their
@@ -12956,11 +13011,6 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
   <p>The <dfn><code data-x="attr-link-media">media</code></dfn> attribute says which media the
   resource applies to. The value must be a <span>valid media query list</span>.</p>
 
-  <p>The <dfn><code data-x="attr-link-nonce">nonce</code></dfn> attribute represents a cryptographic
-  nonce ("number used once") which can be used by <cite>Content Security Policy</cite> to determine
-  whether or not an <span data-x="external resource link">external resource specified by the
-  link</span> will be loaded and applied to the document. The value is text. <ref spec="CSP"></p>
-
   <p>The <dfn data-export="" data-dfn-for="link" data-dfn-type="element-attr"><code
   data-x="attr-link-integrity">integrity</code></dfn> attribute represents the <span
   data-x="concept-request-integrity-metadata">integrity metadata</span> for requests which this
@@ -13078,7 +13128,6 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
   <dfn><code data-x="dom-link-hreflang">hreflang</code></dfn>,
   <dfn><code data-x="dom-link-integrity">integrity</code></dfn>,
   <dfn><code data-x="dom-link-media">media</code></dfn>,
-  <dfn><code data-x="dom-link-nonce">nonce</code></dfn>,
   <dfn><code data-x="dom-link-rel">rel</code></dfn>,
   <dfn><code data-x="dom-link-scope">scope</code></dfn>,
   <dfn><code data-x="dom-link-sizes">sizes</code></dfn>, and
@@ -13220,8 +13269,8 @@ interface <dfn>HTMLLinkElement</dfn> : <span>HTMLElement</span> {
    <span>environment settings object</span>.
 
    <li><p>Set <var>request</var>'s <span data-x="concept-request-nonce-metadata">cryptographic
-   nonce metadata</span> to the current value of the <code>link</code> element's <code
-   data-x="attr-link-nonce">nonce</code> content attribute.</p></li>
+   nonce metadata</span> to the current value of the <code>link</code> element's
+   <code>[[CryptographicNonce]]</code> internal slot.</p></li>
 
    <li><p>Set <var>request</var>'s <span data-x="concept-request-integrity-metadata">integrity
    metadata</span> to the current value of the <code>link</code> element's <code
@@ -14559,10 +14608,10 @@ people expect to have work and what is necessary.
 <pre class="idl">[<span>HTMLConstructor</span>]
 interface <dfn>HTMLStyleElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-style-media">media</span>;
-  [<span>CEReactions</span>] attribute DOMString <span data-x="dom-style-nonce">nonce</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-style-type">type</span>;
 };
-<span>HTMLStyleElement</span> implements <span>LinkStyle</span>;</pre>
+<span>HTMLStyleElement</span> implements <span>LinkStyle</span>;
+<span>HTMLStyleElement</span> implements <span>NoncedHTMLElement</span>;</pre>
    </dd>
   </dl><!--TOPIC:HTML-->
 
@@ -14605,10 +14654,8 @@ interface <dfn>HTMLStyleElement</dfn> : <span>HTMLElement</span> {
   attribute is omitted, is "<code data-x="">all</code>", meaning that by default styles apply to all
   media.</p>
 
-  <p>The <dfn><code data-x="attr-style-nonce">nonce</code></dfn> attribute represents a
-  cryptographic nonce ("number used once") which can be used by <cite>Content Security Policy</cite>
-  to determine whether or not the style specified by an element will be applied to the document. The
-  value is text. <ref spec="CSP"></p>
+  <p>The <dfn><code data-x="attr-style-nonce">nonce</code></dfn> attribute is a <span>nonce content
+  attribute</span>.</p>
 
   <p id="title-on-style">The <dfn><code data-x="attr-style-title">title</code></dfn> attribute on
   <code>style</code> elements defines <span data-x="CSS style sheet set">CSS style sheet
@@ -14783,8 +14830,7 @@ c-end         = "-->"</pre>
 
   <div w-nodev>
 
-  <p>The <dfn><code data-x="dom-style-media">media</code></dfn>, <dfn><code
-  data-x="dom-style-nonce">nonce</code></dfn>, and <dfn><code
+  <p>The <dfn><code data-x="dom-style-media">media</code></dfn>, and <dfn><code
   data-x="dom-style-type">type</code></dfn> IDL attributes must <span>reflect</span> the respective
   content attributes of the same name.</p>
 
@@ -57540,10 +57586,10 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute boolean <span data-x="dom-script-defer">defer</span>;
   [<span>CEReactions</span>] attribute DOMString? <span data-x="dom-script-crossOrigin">crossOrigin</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-text">text</span>;
-  [<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-nonce">nonce</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-script-integrity">integrity</span>;
 
-};</pre>
+};
+<span>HTMLScriptElement</span> implements <span>NoncedHTMLElement</span>;</pre>
    </dd>
   </dl><!--TOPIC:HTML-->
 
@@ -57690,9 +57736,8 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   data-x="CORS protocol">CORS protocol</span> for cross-origin fetching.</p>
 
   <p>The <dfn data-export="" data-dfn-for="script" data-dfn-type="element-attr"><code
-  data-x="attr-script-nonce">nonce</code></dfn> attribute represents a cryptographic nonce ("number
-  used once") which can be used by <cite>Content Security Policy</cite> to determine whether or not
-  the script specified by an element will be executed. The value is text. <ref spec="CSP"></p>
+  data-x="attr-script-nonce">nonce</code></dfn> attribute is a <span>nonce content
+  attribute</span>.</p>
 
   <p>The <dfn data-export="" data-dfn-for="script" data-dfn-type="element-attr"><code
   data-x="attr-script-integrity">integrity</code></dfn> attribute represents the <span
@@ -57717,10 +57762,9 @@ interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
   <p>The IDL attributes <dfn><code data-x="dom-script-src">src</code></dfn>, <dfn><code
   data-x="dom-script-type">type</code></dfn>, <dfn><code
   data-x="dom-script-charset">charset</code></dfn>, <dfn><code
-  data-x="dom-script-defer">defer</code></dfn>, <dfn><code
-  data-x="dom-script-integrity">integrity</code></dfn>, and <dfn><code
-  data-x="dom-script-nonce">nonce</code></dfn>, must each <span>reflect</span> the respective
-  content attributes of the same name.</p>
+  data-x="dom-script-defer">defer</code></dfn>, and <dfn><code
+  data-x="dom-script-integrity">integrity</code></dfn>, must each <span>reflect</span> the
+  respective content attributes of the same name.</p>
 
   <p>The <dfn><code data-x="dom-script-crossOrigin">crossOrigin</code></dfn> IDL attribute must
   <span>reflect</span> the <code data-x="attr-script-crossorigin">crossorigin</code> content attribute.</p>
@@ -58219,14 +58263,8 @@ o............A....e
     </dl>
    </li>
 
-   <li>
-
-    <p>If the <code>script</code> element has a <code data-x="attr-script-nonce">nonce</code>
-    attribute, then let <var>cryptographic nonce</var> be that attribute's value.</p>
-
-    <p>Otherwise, let <var>cryptographic nonce</var> be the empty string.</p>
-
-   </li>
+   <li><p>Let <var>cryptographic nonce</var> be the element's <code>[[CryptographicNonce]]</code>
+   internal slot's value.</p></li>
 
    <li>