Consider recording the "duplicate-attribute" error state. · Issue #3257 · whatwg/html (original) (raw)

CSP attempts to defend against some kinds of dangling-markup attacks by preventing the execution of scripts that include "<script" in an attribute name or value. Discarding attributes during parsing makes it possible to trivially work around this defense, as described in https://crbug.com/740615. As dropping repeated attributes is also the root cause of the dangling-markup risk in the first place, it might be reasonable to dig into it a little more deeply to see if something more fundamental can be done.

One idea we (briefly) discussed at TPAC is to prevent nonced script execution for <script> elements which had duplicate-attribute parse errors. An approach to this that I'm exploring in https://chromium-review.googlesource.com/c/chromium/src/+/566822 does more or less the following:

1. Records duplicate-attribute parse errors on the tag during tokenization.
2. Persists that error bit onto the Node generated during tree-building.
3. Reads that error bit during "Is element nonceable?".

WDYT?

/cc @whatwg/security (@ckerschb, @dbates-wk, @patrickkettner in particular as folks working on CSP)