Prevent [[CryptographicNonce]] from being emptied #5300
Conversation
And also clarify some prose around the nonce content attribute; fixes #5288.
There was a problem hiding this comment.
This is fine to me.
The other option would be to never update the slot when content attribute changes but only right before setting content attribute to empty string. But perhaps that isn't backwards compatible if one really wants to use setAttribute to change nonce
|
It seems that was discussed at #2373 (comment) (and might even have been the original suggestion), but it would require a "weird" IDL attribute that returns either the slot or the content attribute or some such. And insertion would also have to branch on the IDL attribute already being set or some such. So I think I'm inclined to stick with what we have here. |
For whatwg/html#5300. Supersedes #5423.
There was a problem hiding this comment.
So I think I'm inclined to stick with what we have here.
Like @annevk, I'd prefer we stick with the patch he's written here. I agree that this mechanism is somewhat odd, but it's been shipping in Chromium for ~years, and I'd rather not change it if the concerns are aesthetic.
This patch LGTM, thank you both!
|
@mikewest so @smaug---- spotted one more oddity in the specification and I just wrote a test for it. It seems that Chrome clears the IDL attribute when the |
I don't have a strong opinion about it, and would defer to y'all's preferences. I don't think there's any security implication either way. |
|
Made this use the attribute change steps and also account for removal (value will be null). |
For whatwg/html#5300. Supersedes #5423
| steps</span> are used for the <code data-x="attr-nonce">nonce</code> content attribute: | ||
|
|
||
| <ol> | ||
| <li><p>If <var>element</var> does not include <code>HTMLOrSVGElement</code>, then |
There was a problem hiding this comment.
Cross-ref https://heycam.github.io/webidl/#include ?
…testonly Automatic update from web-platform-tests nonce attribute: no longer tentative For whatwg/html#5300. Supersedes #5423 -- wpt-commits: 2ca72d0f4b39e6007ae10e78d25f352dab56b2d2 wpt-pr: 21853
…testonly Automatic update from web-platform-tests nonce attribute: no longer tentative For whatwg/html#5300. Supersedes #5423 -- wpt-commits: 2ca72d0f4b39e6007ae10e78d25f352dab56b2d2 wpt-pr: 21853 UltraBlame original commit: f6e9e0c531a648d841cd116948906c025caa4921
…testonly Automatic update from web-platform-tests nonce attribute: no longer tentative For whatwg/html#5300. Supersedes #5423 -- wpt-commits: 2ca72d0f4b39e6007ae10e78d25f352dab56b2d2 wpt-pr: 21853 UltraBlame original commit: f6e9e0c531a648d841cd116948906c025caa4921
…testonly Automatic update from web-platform-tests nonce attribute: no longer tentative For whatwg/html#5300. Supersedes #5423 -- wpt-commits: 2ca72d0f4b39e6007ae10e78d25f352dab56b2d2 wpt-pr: 21853 UltraBlame original commit: f6e9e0c531a648d841cd116948906c025caa4921
…testonly Automatic update from web-platform-tests nonce attribute: no longer tentative For whatwg/html#5300. Supersedes #5423 -- wpt-commits: 2ca72d0f4b39e6007ae10e78d25f352dab56b2d2 wpt-pr: 21853 --HG-- rename : testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html.headers => testing/web-platform/tests/content-security-policy/nonce-hiding/script-nonces-hidden.html.headers rename : testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.tentative.html.headers => testing/web-platform/tests/content-security-policy/nonce-hiding/svgscript-nonces-hidden.html.headers
And also clarify some prose around the nonce content attribute; fixes #5288.
(See WHATWG Working Mode: Changes for more details.)
💥 Error: EISDIR: illegal operation on a directory, read 💥
PR Preview failed to build. (Last tried on Feb 20, 2020, 9:07 AM UTC).
More
If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.