[whatwg/dom] Hide `nonce` content attribute values from non-script sources. (#436)

This patch extracts the `nonce` content attribute out to a generic
definition in DOM, rather than an HTMLScriptElement-specific definition
in HTML, and defines new behavior for insertion and cloning with the
intent of reducing the risk of side-channel leakage of the nonce's
value.

The nonce value is extracted from the content attribute when the element
is inserted into the DOM, and put into an internal property. The
content attribute's value is set to the empty string.

From then on, the property's value and the content attribute's value are
disconnected; alterations to one have no effect on the other, and
vice-versa.

The nonce's value is available to script via the `nonce` IDL attribute,
and so can be propagated just as today.

Addresses whatwg/html#2369.
You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/dom/pull/436

-- Commit Summary --

  * Hide `nonce` content attribute values from non-script sources.

-- File Changes --

    M dom.bs (42)

-- Patch Links --

https://github.com/whatwg/dom/pull/436.patch
https://github.com/whatwg/dom/pull/436.diff


Received on Monday, 10 April 2017 12:30:36 UTC
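
The insertion behaviour described in the pull request text, as an added JavaScript model (not code from the pull request or from dom.bs). ModelElement, insert() and serialize() are hypothetical names, the nonce is a constructed sample value, and keeping the slot's value when no content attribute is present is an assumption.

```javascript
// Toy model of the behaviour in the PR description; not the dom.bs text.
// ModelElement, insert() and serialize() are names made up for this sketch.
class ModelElement {
  #nonceSlot = "";        // the "internal property"
  #attrs = new Map();     // content attributes
  constructor(localName) { this.localName = localName; }

  getAttribute(name) { return this.#attrs.has(name) ? this.#attrs.get(name) : null; }
  setAttribute(name, value) { this.#attrs.set(name, String(value)); }

  // IDL attribute: reads and writes only the internal slot.
  get nonce() { return this.#nonceSlot; }
  set nonce(value) { this.#nonceSlot = String(value); }

  // Insertion step: move the value into the slot, blank the content attribute.
  // Assumption: with no nonce content attribute, the slot keeps what it holds
  // (for example a value assigned through the IDL attribute).
  insert() {
    if (this.#attrs.has("nonce")) {
      this.#nonceSlot = this.#attrs.get("nonce");
      this.#attrs.set("nonce", "");
    }
    return this;
  }

  // What a reader of the markup (a non-script source) would see.
  serialize() {
    const attrs = [...this.#attrs].map(([k, v]) => ` ${k}="${v}"`).join("");
    return `<${this.localName}${attrs}></${this.localName}>`;
  }
}

function demo() {
  const NONCE = "c29tZS1ub25jZQ";           // constructed sample value
  const parsed = new ModelElement("script");
  parsed.setAttribute("nonce", NONCE);      // as if set from markup
  parsed.insert();
  const afterInsert = { attr: parsed.getAttribute("nonce"), idl: parsed.nonce, markup: parsed.serialize() };

  parsed.setAttribute("nonce", "changed");  // attribute write does not reach the slot
  const afterAttrWrite = parsed.nonce;

  // Propagation by script, as today: copy through the IDL attribute.
  const injected = new ModelElement("script");
  injected.nonce = parsed.nonce;
  injected.insert();
  return { afterInsert, afterAttrWrite, injected: { attr: injected.getAttribute("nonce"), idl: injected.nonce } };
}
```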