[whatwg/fetch] The CSP hooks for `<script src='...' nonce='...'>` are broken. (#269)

The hooks I wrote for HTML and Fetch are a bit broken for nonces. In short: `<script src='https://example.com/' nonce='abcde'>` should be allowed by `script-src 'nonce-abcde'`, even though `example.com` isn't whitelisted.

Chrome handles this by setting a flag on the outgoing request during script loading ([in `ScriptLoader.cpp`](https://blink.lc/chromium/tree/third_party/WebKit/Source/core/dom/ScriptLoader.cpp#n376)), which I suppose we could replicate in HTML's "prepare a script".

@annevk: how do you feel about an "Already passed CSP checks so please don't do more" flag on Fetch's `request`?

---
https://github.com/whatwg/fetch/issues/269

Received on Monday, 4 April 2016 12:04:00 UTC
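An added sketch of the two checks the issue describes; this is not code from the Fetch or HTML specs, nor from Chromium's `ScriptLoader.cpp`. The function names, the toy `script-src` parser and the `cspPassed` request flag are assumptions for illustration, and the policy values are constructed for the demo.

```javascript
// Model of loading <script src="https://example.com/" nonce="abcde"> under
// Content-Security-Policy: script-src 'nonce-abcde'. Two checks run in
// sequence: the element check in HTML's "prepare a script" (which sees the
// nonce attribute) and the request check in Fetch (which sees only a URL).

// Toy parser: only 'nonce-...' sources and origin host-sources are handled.
function parseScriptSrc(policy) {
  const directive = policy.split(';').map(s => s.trim())
    .find(d => d.startsWith('script-src'));
  const sources = directive ? directive.slice('script-src'.length).trim().split(/\s+/) : [];
  const originOf = s => new URL(/^[a-z]+:\/\//i.test(s) ? s : 'https://' + s).origin;
  return {
    nonces: sources.filter(s => /^'nonce-.+'$/.test(s)).map(s => s.slice(7, -1)),
    hosts: sources.filter(s => s && !s.startsWith("'")).map(originOf),
  };
}

// Check 1 (element level): a matching nonce allows the load even though the
// script's origin is not on the host whitelist.
function elementAllowed(policy, element) {
  const { nonces, hosts } = parseScriptSrc(policy);
  if (element.nonce && nonces.includes(element.nonce)) return true;
  return hosts.includes(new URL(element.src).origin);
}

// Check 2 (request level): the request carries no nonce, so without extra
// state it can only fall back to host matching and wrongly blocks example.com.
// `cspPassed` is the proposed "already passed CSP checks" flag (assumed name).
function requestAllowed(policy, request) {
  if (request.cspPassed) return true;
  const { hosts } = parseScriptSrc(policy);
  return hosts.includes(new URL(request.url).origin);
}

// Drive both checks; `useFlag` toggles whether "prepare a script" sets the flag.
function loadScript(policy, element, useFlag) {
  if (!elementAllowed(policy, element)) return 'blocked-by-element-check';
  const request = { url: element.src, cspPassed: useFlag };
  return requestAllowed(policy, request) ? 'loaded' : 'blocked-by-request-check';
}
```

Without the flag the nonce-approved script is blocked at the Fetch stage, which is exactly the breakage the issue reports; with the flag set by the element check, the request goes through, while a wrong nonce is still rejected before any request is made.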