- From: Mike West <notifications@github.com>
- Date: Mon, 10 Apr 2017 05:30:02 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 10 April 2017 12:30:36 UTC

This patch extracts the `nonce` content attribute out to a generic definition in DOM, rather than an HTMLScriptElement-specific definition in HTML, and defines new behavior for insertion and cloning with the intent of reducing the risk of side-channel leakage of the nonce's value.

The nonce value is extracted from the content attribute when the element is inserted into the DOM, and put into an internal property. The content attribute's value is set to the empty string. From then on, the property's value and the content attribute's value are disconnected; alterations to one have no effect on the other, and vice-versa.

The nonce's value is available to script via the `nonce` IDL attribute, and so can be propagated just as today.

Addresses whatwg/html#2369.

You can view, comment on, or merge this pull request online at:

https://github.com/whatwg/dom/pull/436

-- Commit Summary --

* Hide `nonce` content attribute values from non-script sources.

-- File Changes --

M dom.bs (42)

-- Patch Links --

https://github.com/whatwg/dom/pull/436.patch
https://github.com/whatwg/dom/pull/436.diff

--
You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/pull/436
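
The insertion behavior described in the message above, modeled in plain JavaScript as an added example that is not part of the pull request or of the DOM specification text. `ModelElement` and its methods are hypothetical, the nonce is a constructed sample value, and the model assumes that an element with no `nonce` content attribute keeps whatever value script assigned through the IDL attribute.

```javascript
// Hypothetical model, not a browser API: it mirrors the steps in the
// pull request description so the before/after state can be inspected.
class ModelElement {
  #nonceSlot = '';      // internal property, not reachable through attributes
  #attrs = new Map();   // content attributes, i.e. what markup exposes

  constructor(tag) { this.tag = tag; }

  setAttribute(name, value) { this.#attrs.set(name, String(value)); }
  getAttribute(name) { return this.#attrs.has(name) ? this.#attrs.get(name) : null; }

  // IDL attribute: reads and writes the internal property only.
  get nonce() { return this.#nonceSlot; }
  set nonce(value) { this.#nonceSlot = String(value); }

  // Insertion step: copy the content attribute into the internal property,
  // then set the content attribute to the empty string.
  // Assumption: with no content attribute, the property is left untouched.
  insert() {
    if (this.#attrs.has('nonce')) {
      this.#nonceSlot = this.#attrs.get('nonce');
      this.#attrs.set('nonce', '');
    }
    return this;
  }

  // What a non-script source (serialized markup, attribute matching) can see.
  serialize() {
    const attrs = [...this.#attrs].map(([k, v]) => ` ${k}="${v}"`).join('');
    return `<${this.tag}${attrs}></${this.tag}>`;
  }
}

function demo() {
  const NONCE = 'constructed-sample-nonce';   // constructed value
  const parsed = new ModelElement('script');
  parsed.setAttribute('nonce', NONCE);
  const before = parsed.serialize();
  parsed.insert();
  const after = parsed.serialize();

  // After insertion the two values are disconnected, in both directions.
  parsed.setAttribute('nonce', 'changed-later');
  const idlAfterAttrChange = parsed.nonce;
  parsed.nonce = NONCE;
  const attrAfterIdlChange = parsed.getAttribute('nonce');

  // Propagation by script through the IDL attribute still works.
  const injected = new ModelElement('script');
  injected.nonce = parsed.nonce;
  injected.insert();
  return { before, after, idlAfterAttrChange, attrAfterIdlChange,
           injectedNonce: injected.nonce, injectedMarkup: injected.serialize() };
}
```
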