From e1fe3e9025b31978d4b4b1753b15303734c3844b Mon Sep 17 00:00:00 2001 From: Mike West Date: Fri, 7 Apr 2017 11:11:54 +0200 Subject: [PATCH 1/8] Hide 'nonce' content attributes. This patch extracts the 'nonce' attribute out to a generic definition in the "Fetching resources" section (alongside "CORS settings attributes", etc.), and defines some new behaviors with the intent of reducing the risk of side-channel leakage of the nonce's value. In short, the nonce value is extracted from the content attribute when the element is inserted into the DOM, and put into an internal slot. The content attribute's value is set to the empty string. From then on, the slot's value and the content attribute's value are disconnected; alterations to one have no effect on the other, and vice-versa. The nonce's value is available to script via the `nonce` IDL attribute, and so can be propagated just as today. Addresses whatwg/html#2369. --- source | 108 ++++++++++++++++++++++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 35 deletions(-) diff --git a/source b/source index 8ce79272748..1e9e0d2af8a 100644 --- a/source +++ b/source @@ -6839,6 +6839,56 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute +

Nonce attributes

+ +

A nonce content attribute represents a cryptographic nonce ("number + used once") which can be used by Content Security Policy to determine whether or not + a given fetch will be allowed to proceed. The value is text.

+ +

Elements that have a nonce content attribute ensure that the crytographic nonce is + only exposed to script (and not to side-channels like CSS attribute selectors) by extracting the + value from the content attribute, moving it into an internal slot name [[CryptographicNonce]], and + exposing it to script via the NoncedHTMLElement interface defined below:

+ +
[NoInterfaceObject]
+interface NoncedHTMLElement {
+  [CEReactions] attribute DOMString nonce;
+};
+ +
+
element . nonce
+
+

Returns the value of the element's [[CryptographicNonce]] internal slot.

+

Can be set, to update that slot's value.

+
+
+ +

The nonce IDL attribute must, on + getting, return the value of the element's [[CryptographicNonce]]; and on setting, + set the element's [[CryptographicNonce]] to the specified new value.

+ +

When such an element that implements NoncedHTMLElement becomes + connected, the user agent must immediately execute the following steps on the + element: + +

    +
  1. +

    If element has a nonce content attribute attr whose value + is not the empty string, then:

    + +
      +
    1. Let nonce be attr's value.
    2. +
    3. Set attr's value to the empty string.
    4. +
    5. Set element.[[CryptographicNonce]] to nonce.
    6. +
    +
  2. +
+ +

The cloning steps for elements that implement + NoncedHTMLElement must set the [[CryptographicNonce]] slot on the copy + to the value of the slot on the element being cloned.

+

Common DOM interfaces
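Review bot: the paragraph that introduces [[CryptographicNonce]] never gives the slot an initial value, so the `nonce` getter is unspecified for an element that has no `nonce` content attribute or has not yet become connected. The only writers in this hunk are the connected steps, the IDL setter and the cloning steps. State the default next to the slot's definition, for example "Unless otherwise specified, the slot's value is the empty string." Two wording fixes in the same paragraph: "crytographic" should be "cryptographic", and "an internal slot name [[CryptographicNonce]]" should be "named".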

@@ -12839,7 +12889,6 @@ interface HTMLLinkElement : HTMLElement { [CEReactions] attribute RequestDestination as; // (default "") [SameObject, PutForwards=value] readonly attribute DOMTokenList relList; [CEReactions] attribute DOMString media; - [CEReactions] attribute DOMString nonce; [CEReactions] attribute DOMString integrity; [CEReactions] attribute DOMString hreflang; [CEReactions] attribute DOMString type; @@ -12849,7 +12898,9 @@ interface HTMLLinkElement : HTMLElement { [CEReactions] attribute WorkerType workerType; [CEReactions] attribute boolean useCache; }; -HTMLLinkElement implements LinkStyle; +HTMLLinkElement implements LinkStyle; +HTMLLinkElement implements NoncedHTMLElement; + @@ -12865,6 +12916,10 @@ interface HTMLLinkElement : HTMLElement { CORS settings attribute. It is intended for use with external resource links.

+

The nonce attribute is a nonce content + attribute. It is intended for use with external + resource links.

+

The types of link indicated (the relationships) are given by the value of the rel attribute, which, if present, must have a value that is a set of space-separated tokens. The allowed keywords and their @@ -12956,11 +13011,6 @@ interface HTMLLinkElement : HTMLElement {

The media attribute says which media the resource applies to. The value must be a valid media query list.

-

The nonce attribute represents a cryptographic - nonce ("number used once") which can be used by Content Security Policy to determine - whether or not an external resource specified by the - link will be loaded and applied to the document. The value is text.

-

The integrity attribute represents the integrity metadata for requests which this @@ -13078,7 +13128,6 @@ interface HTMLLinkElement : HTMLElement { hreflang, integrity, media, - nonce, rel, scope, sizes, and @@ -13220,8 +13269,8 @@ interface HTMLLinkElement : HTMLElement { environment settings object.

  • Set request's cryptographic - nonce metadata to the current value of the link element's nonce content attribute.

  • + nonce metadata to the current value of the link element's + [[CryptographicNonce]] internal slot.

  • Set request's integrity metadata to the current value of the link element's [HTMLConstructor] interface HTMLStyleElement : HTMLElement { [CEReactions] attribute DOMString media; - [CEReactions] attribute DOMString nonce; [CEReactions] attribute DOMString type; }; -HTMLStyleElement implements LinkStyle; +HTMLStyleElement implements LinkStyle; +HTMLStyleElement implements NoncedHTMLElement; @@ -14605,10 +14654,8 @@ interface HTMLStyleElement : HTMLElement { attribute is omitted, is "all", meaning that by default styles apply to all media.

    -

    The nonce attribute represents a - cryptographic nonce ("number used once") which can be used by Content Security Policy - to determine whether or not the style specified by an element will be applied to the document. The - value is text.

    +

    The nonce attribute is a nonce content + attribute.

    The title attribute on style elements defines CSS style sheet @@ -14783,8 +14830,7 @@ c-end = "-->"

    -

    The media, nonce, and The media, and type IDL attributes must reflect the respective content attributes of the same name.
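Review bot: the added line keeps a comma before "and" in what is now a two-item list ("The media, and type IDL attributes"). With `nonce` dropped from the list this should read "The media and type IDL attributes must reflect the respective content attributes of the same name."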

    @@ -57540,10 +57586,10 @@ interface HTMLScriptElement : HTMLElement { [CEReactions] attribute boolean defer; [CEReactions] attribute DOMString? crossOrigin; [CEReactions] attribute DOMString text; - [CEReactions] attribute DOMString nonce; [CEReactions] attribute DOMString integrity; -}; +}; +HTMLScriptElement implements NoncedHTMLElement; @@ -57690,9 +57736,8 @@ interface HTMLScriptElement : HTMLElement { data-x="CORS protocol">CORS protocol for cross-origin fetching.

    The nonce attribute represents a cryptographic nonce ("number - used once") which can be used by Content Security Policy to determine whether or not - the script specified by an element will be executed. The value is text.

    + data-x="attr-script-nonce">nonce
    attribute is a nonce content + attribute.

    The integrity attribute represents the HTMLScriptElement : HTMLElement {

    The IDL attributes src, type, charset, defer, integrity, and nonce, must each reflect the respective - content attributes of the same name.

    + data-x="dom-script-defer">defer
    , and integrity, must each reflect the + respective content attributes of the same name.

    The crossOrigin IDL attribute must reflect the crossorigin content attribute.

    @@ -58219,14 +58263,8 @@ o............A....e
  • -
  • - -

    If the script element has a nonce - attribute, then let cryptographic nonce be that attribute's value.

    - -

    Otherwise, let cryptographic nonce be the empty string.

    - -
  • +
  • Let cryptographic nonce be the element's [[CryptographicNonce]] + internal slot's value.

  • From 84e0e9b072f17c910428d61012c1a537c5df1824 Mon Sep 17 00:00:00 2001 From: Mike West Date: Fri, 5 May 2017 11:16:45 +0200 Subject: [PATCH 2/8] fixup HTMLElement. --- source | 100 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/source b/source index 815873bf31b..0ed553dab8d 100644 --- a/source +++ b/source @@ -3746,6 +3746,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    • Content Security Policy
    • Content Security Policy directive
    • +
    • CSP list
    • The Content Security Policy syntax
    • enforce the policy
    • The parse a serialized Content Security Policy algorithm
    • @@ -3760,6 +3761,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    • The frame-ancestors directive
    • The sandbox directive
    • The Should element be blocked a priori by Content Security Policy? algorithm
    • +
    • The contains a header-delivered Content Security Policy property.
    @@ -6868,18 +6870,20 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute

    Nonce attributes

    -

    A nonce content attribute represents a cryptographic nonce ("number - used once") which can be used by Content Security Policy to determine whether or not - a given fetch will be allowed to proceed. The value is text.

    +

    A nonce content attribute represents a + cryptographic nonce ("number used once") which can be used by Content Security Policy + to determine whether or not a given fetch will be allowed to proceed. The value is text.

    -

    Elements that have a nonce content attribute ensure that the crytographic nonce is - only exposed to script (and not to side-channels like CSS attribute selectors) by extracting the - value from the content attribute, moving it into an internal slot name [[CryptographicNonce]], and - exposing it to script via the NoncedHTMLElement interface defined below:

    +

    Elements that have a nonce content attribute ensure that the + crytographic nonce is only exposed to script (and not to side-channels like CSS attribute + selectors) by extracting the value from the content attribute, moving it into an internal slot + named [[CryptographicNonce]], and exposing it to script via the + NoncedElement interface defined below:

    [NoInterfaceObject]
    -interface NoncedHTMLElement {
    +interface NoncedElement {
       [CEReactions] attribute DOMString nonce;
     };
    @@ -6891,18 +6895,24 @@ interface NoncedHTMLElement { -

    The nonce IDL attribute must, on +

    The nonce IDL attribute must, on getting, return the value of the element's [[CryptographicNonce]]; and on setting, set the element's [[CryptographicNonce]] to the specified new value.

    -

    When such an element that implements NoncedHTMLElement becomes +

    When such an element that implements NoncedElement becomes browsing-context connected, the user agent must immediately execute the following steps on the - element: + element:

    1. -

      If element has a nonce content attribute attr whose value - is not the empty string, then:

      +

      Let CSP list be element's shadow-including root's CSP list.

      +
    2. +
    3. +

      If CSP list contains a header-delivered Content Security Policy, and + element has a nonce content attribute + attr whose value is not the empty string, then:

      1. Let nonce be attr's value.
      2. @@ -6912,8 +6922,16 @@ interface NoncedHTMLElement {
      +

      + As each Document's CSP list is + append-only, user agents can optimize away the contains a header-delivered Content Security + Policy check by, for example, holding a flag on the Document, set during + Document + initialization. +

      +

      The cloning steps for elements that implement - NoncedHTMLElement must set the [[CryptographicNonce]] slot on the copy + NoncedElement must set the [[CryptographicNonce]] slot on the copy to the value of the slot on the element being cloned.

      @@ -9045,8 +9063,9 @@ partial interface Document { data-x="concept-fetch">fetches initiated by the Document.

      The Document has a CSP list, which is a list of Content Security Policy - objects active in this context. The list is empty unless otherwise specified.

      + data-dfn-for="Document">CSP list, which is a CSP list + containing all of the Content Security Policy objects active for the document. The + list is empty unless otherwise specified.

      The Document has a module map, which is a module map, @@ -9923,6 +9942,7 @@ interface HTMLElement : Element { HTMLElement implements GlobalEventHandlers; HTMLElement implements DocumentAndElementEventHandlers; HTMLElement implements ElementContentEditable; +HTMLElement implements NoncedElement; // Note: intentionally not [HTMLConstructor] interface HTMLUnknownElement : HTMLElement { }; @@ -11128,6 +11148,7 @@ https://software.hixie.ch/utilities/js/live-dom-viewer/?%3C%21DOCTYPE%20HTML%3E%

    4. itemscope
    5. itemtype
    6. lang
    7. +
    8. nonce
    9. spellcheck
    10. style
    11. tabindex
    12. @@ -12944,7 +12965,6 @@ interface HTMLBaseElement : HTMLElement {
      crossorigin
      rel
      media
      -
      nonce
      integrity
      hreflang
      type
      @@ -12976,7 +12996,6 @@ interface HTMLLinkElement : HTMLElement { [CEReactions] attribute boolean useCache; }; HTMLLinkElement implements LinkStyle; -HTMLLinkElement implements NoncedHTMLElement; @@ -12993,10 +13012,6 @@ interface HTMLLinkElement : HTMLElement { CORS settings attribute. It is intended for use with external resource links.

      -

      The nonce attribute is a nonce content - attribute. It is intended for use with external - resource links.

      -

      The types of link indicated (the relationships) are given by the value of the rel attribute, which, if present, must have a value that is a set of space-separated tokens. The allowed keywords and their @@ -14692,7 +14707,6 @@ people expect to have work and what is necessary.

      Content attributes:
      Global attributes
      media
      -
      nonce
      type
      Also, the title attribute has special semantics on this element.
      DOM interface:
      @@ -14702,8 +14716,7 @@ interface HTMLStyleElement : HTMLElement { [CEReactions] attribute DOMString media; [CEReactions] attribute DOMString type; }; -HTMLStyleElement implements LinkStyle; -HTMLStyleElement implements NoncedHTMLElement; +HTMLStyleElement implements LinkStyle; @@ -14746,9 +14759,6 @@ interface HTMLStyleElement : HTMLElement { attribute is omitted, is "all", meaning that by default styles apply to all media.

      -

      The nonce attribute is a nonce content - attribute.

      -

      The title attribute on style elements defines CSS style sheet sets. If the style element has no title @@ -57640,7 +57650,6 @@ interface HTMLDialogElement : HTMLElement {

      async
      defer
      crossorigin
      -
      nonce
      integrity
      DOM interface:
      @@ -57656,8 +57665,7 @@ interface HTMLScriptElement : HTMLElement { [CEReactions] attribute DOMString text; [CEReactions] attribute DOMString integrity; -}; -HTMLScriptElement implements NoncedHTMLElement; +};
      @@ -57719,8 +57727,8 @@ interface HTMLScriptElement : HTMLElement { data-x="attr-script-src">src, charset, async, nomodule, defer, crossorigin, nonce - and integrity attributes must not be specified.

      + data-x="attr-script-crossorigin">crossorigin, and + integrity attributes must not be specified.

      The nomodule attribute is a boolean attribute that prevents a script from being executed in user agents that support @@ -57803,10 +57811,6 @@ interface HTMLScriptElement : HTMLElement { data-x="module script">module scripts require the use of the CORS protocol for cross-origin fetching.

      -

      The nonce attribute is a nonce content - attribute.

      -

      The integrity attribute represents the integrity metadata for requests which this @@ -57820,10 +57824,10 @@ interface HTMLScriptElement : HTMLElement { data-x="attr-script-type">type, charset, nomodule, async, defer, crossorigin, nonce - and integrity attributes dynamically has no direct - effect; these attributes are only used at specific times described below.

      + data-x="attr-script-crossorigin">crossorigin, and integrity attributes dynamically has no direct effect; these + attributes are only used at specific times described below.

      @@ -97126,8 +97130,9 @@ interface WorkerGlobalScope : EventTarget { policy (a referrer policy). It is initially the empty string.

      A WorkerGlobalScope object has an associated CSP list. It is - initially an empty list. + data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-csp-list">CSP list, which + is a CSP list containing all of the Content Security + Policy objects active for the worker. It is initially an empty list.

      A WorkerGlobalScope object has an associated module map. @@ -115770,7 +115775,6 @@ interface External { type; sizes; referrerpolicy; - nonce; integrity HTMLLinkElement @@ -116164,7 +116168,6 @@ interface External { async; defer; crossorigin; - nonce; integrity HTMLScriptElement @@ -116283,7 +116286,6 @@ interface External { varies* globals; media; - nonce; type HTMLStyleElement @@ -117611,9 +117613,7 @@ interface External { Boolean attribute nonce - link; - script; - style + HTML elements Cryptographic nonce used in Content Security Policy checks Text From ba33b18a0c87a9733e1673fca31249092c3c2197 Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 24 May 2017 11:13:41 +0200 Subject: [PATCH 3/8] fixup initial value and no CEReactions. --- source | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/source b/source index ebf6c741270..c219c38d1d4 100644 --- a/source +++ b/source @@ -6880,11 +6880,12 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute selectors) by extracting the value from the content attribute, moving it into an internal slot named [[CryptographicNonce]], and exposing it to script via the - NoncedElement interface defined below:

      + NoncedElement interface defined below. Unless otherwise specified, the slot's value + is the empty string.

      [NoInterfaceObject]
       interface NoncedElement {
      -  [CEReactions] attribute DOMString nonce;
      +  attribute DOMString nonce;
       };
      From 0eccfe5fbe40acff06b322f2ccc2e82be9a3bb8c Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 24 May 2017 12:17:55 +0200 Subject: [PATCH 4/8] fixup ordering --- source | 36 +++++++++++++++++++++++++++++------- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/source b/source index c219c38d1d4..a2621510add 100644 --- a/source +++ b/source @@ -6901,7 +6901,8 @@ interface NoncedElement { set the element's [[CryptographicNonce]] to the specified new value.

      When such an element that implements NoncedElement becomes browsing-context - connected, the user agent must immediately execute the following steps on the + connected, the user agent must immediately process the nonce attribute by executing the following steps on the element:

        @@ -14808,9 +14809,16 @@ c-end = "-->"
      1. The element is popped off the stack of open elements of an HTML parser or XML parser. -
      2. The element is not on the stack of open elements of an HTML parser - or XML parser, and it becomes connected or disconnected. +
      3. +

        The element is not on the stack of open elements of an HTML parser + or XML parser, and it becomes connected or disconnected.

        + +

        If the element becomes browsing-context connected as a result of becoming connected, the update a style block algorithm must be executed after processing its nonce attribute.

        +
      4. The element is not on the stack of open elements of an HTML parser or XML parser, and one of its child nodes is modified by a script. @@ -58033,7 +58041,14 @@ o............A....e
          -
        • The script element becomes connected.
        • +
        • +

          The script element becomes connected.

          + +

          If the element becomes browsing-context connected as a result of becoming connected, the prepare a script + algorithm must be executed after processing its + nonce attribute.

          +
        • The script element is connected and a node or document fragment is inserted into the script element, after any @@ -67115,8 +67130,15 @@ customElements.define("x-foo", class extends HTMLElement {
        • When upgraded, its constructor is run.

        • -
        • When it becomes connected, its connectedCallback is - run.

        • +
        • +

          When it becomes connected, its connectedCallback is + run.

          + +

          If the element becomes browsing-context connected as a result of becoming connected, its connectedCallback must be executed after processing its nonce attribute.

          +
        • When it becomes disconnected, its disconnectedCallback is run.

        • From 218badf3b038fb296c917614e81a9b0640c9a345 Mon Sep 17 00:00:00 2001 From: Mike West Date: Thu, 25 May 2017 08:11:18 +0200 Subject: [PATCH 5/8] fixup new approach --- source | 55 ++++++++++++++++++------------------------------------- 1 file changed, 18 insertions(+), 37 deletions(-) diff --git a/source b/source index a2621510add..a82a37750a3 100644 --- a/source +++ b/source @@ -6900,10 +6900,12 @@ interface NoncedElement { getting, return the value of the element's [[CryptographicNonce]]; and on setting, set the element's [[CryptographicNonce]] to the specified new value.

          -

          When such an element that implements NoncedElement becomes browsing-context - connected, the user agent must immediately process the nonce attribute by executing the following steps on the - element:

          +

          Whenever a NoncedElement's nonce attribute is + set or changed, set the element's [[CryptographicNonce]] to the specified new + value.

          + +

          Whenever a NoncedElement becomes browsing-context connected, the + user agent must executing the following steps on the element:

          1. @@ -6917,9 +6919,9 @@ interface NoncedElement { attr whose value is not the empty string, then:

              -
            1. Let nonce be attr's value.
            2. -
            3. Set attr's value to the empty string.
            4. -
            5. Set element.[[CryptographicNonce]] to nonce.
            6. +
            7. Set an attribute value for + element using "nonce" and the empty + string.
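Review bot: with the "Let nonce be attr's value" and "Set element.[[CryptographicNonce]] to nonce" substeps removed, the one remaining substep writes the empty string to the `nonce` content attribute, and the paragraph added earlier in this patch ("Whenever a NoncedElement's nonce attribute is set or changed, set the element's [[CryptographicNonce]] to the specified new value") applies to that write as well, so the slot is emptied together with the attribute. Keep a save and restore around the attribute write: let nonce be the slot's value, set the attribute to the empty string, then set the slot back to nonce. Separately, "the user agent must executing the following steps" in the new lead-in should be "must execute".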

          @@ -12998,8 +13000,7 @@ interface HTMLLinkElement : HTMLElement { [CEReactions] attribute WorkerType workerType; [CEReactions] attribute boolean useCache; }; -HTMLLinkElement implements LinkStyle; - +HTMLLinkElement implements LinkStyle;
      @@ -14502,7 +14503,8 @@ people expect to have work and what is necessary.
    13. Let policy be the result of executing Content Security Policy's parse a serialized Content Security Policy algorithm on the meta element's - content attribute's value.

    14. + content attribute's value, with a source of "meta", + and a disposition of "enforce".

    15. Remove all occurrences of the report-uri,

    16. The element is popped off the stack of open elements of an HTML parser or XML parser. -
    17. -

      The element is not on the stack of open elements of an HTML parser - or XML parser, and it becomes connected or disconnected.

      - -

      If the element becomes browsing-context connected as a result of becoming connected, the update a style block algorithm must be executed after processing its nonce attribute.

      -
    18. +
    19. The element is not on the stack of open elements of an HTML parser + or XML parser, and it becomes connected or disconnected.
    20. The element is not on the stack of open elements of an HTML parser or XML parser, and one of its child nodes is modified by a script. @@ -58041,14 +58036,7 @@ o............A....e
        -
      • -

        The script element becomes connected.

        - -

        If the element becomes browsing-context connected as a result of becoming connected, the prepare a script - algorithm must be executed after processing its - nonce attribute.

        -
      • +
      • The script element becomes connected.
      • The script element is connected and a node or document fragment is inserted into the script element, after any @@ -67130,15 +67118,8 @@ customElements.define("x-foo", class extends HTMLElement {
      • When upgraded, its constructor is run.

      • -
      • -

        When it becomes connected, its connectedCallback is - run.

        - -

        If the element becomes browsing-context connected as a result of becoming connected, its connectedCallback must be executed after processing its nonce attribute.

        -
      • +
      • When it becomes connected, its connectedCallback is + run.

      • When it becomes disconnected, its disconnectedCallback is run.

      • From 1a789559c45e789c530497a9673574424bd03d5e Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 15 Nov 2017 13:46:10 +0100 Subject: [PATCH 6/8] fixup comment about SVGElement --- source | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source b/source index af155b233f5..683323911c2 100755 --- a/source +++ b/source @@ -7019,6 +7019,9 @@ interface NoncedElement { attribute DOMString nonce; }; + +
        element . nonce
        From 67f38c64c8ad8a5ab3db30da8c60159b1a2f6dde Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 15 Nov 2017 14:13:25 +0100 Subject: [PATCH 7/8] fixup @annevk feedback --- source | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/source b/source index 683323911c2..1c8106c24d0 100755 --- a/source +++ b/source @@ -7025,28 +7025,27 @@ interface NoncedElement {
        element . nonce
        -

        Returns the value of the element's [[CryptographicNonce]] internal slot.

        +

        Returns the value of the element's [[CryptographicNonce]] internal slot.

        Can be set, to update that slot's value.

        The nonce IDL attribute must, on - getting, return the value of the element's [[CryptographicNonce]]; and on setting, - set the element's [[CryptographicNonce]] to the specified new value.

        + getting, return the value of this element's [[CryptographicNonce]]; and on setting, + set this element's [[CryptographicNonce]] to the given value.

        Whenever a NoncedElement's nonce attribute is - set or changed, set the element's [[CryptographicNonce]] to the specified new + set or changed, set the element's [[CryptographicNonce]] to the specified new value.

        Whenever a NoncedElement becomes browsing-context connected, the user agent must executing the following steps on the element:

          -
        1. -

          Let CSP list be element's shadow-including root's CSP list.

          -
        2. +
        3. Let CSP list be element's shadow-including root's CSP + list.

        4. +
        5. If CSP list contains a header-delivered Content Security Policy, and element has a nonce content attribute @@ -7060,16 +7059,14 @@ interface NoncedElement {

        -

        - As each Document's CSP list is - append-only, user agents can optimize away the contains a header-delivered Content Security - Policy check by, for example, holding a flag on the Document, set during - Document - initialization. -

        +

        As each Document's CSP + list is append-only, user agents can optimize away the contains a header-delivered + Content Security Policy check by, for example, holding a flag on the Document, + set during Document + initialization.

        The cloning steps for elements that implement - NoncedElement must set the [[CryptographicNonce]] slot on the copy + NoncedElement must set the [[CryptographicNonce]] slot on the copy to the value of the slot on the element being cloned.

        @@ -13548,7 +13545,7 @@ interface HTMLLinkElement : HTMLElement {
      • Set request's cryptographic nonce metadata to the current value of the link element's - [[CryptographicNonce]] internal slot.

      • + [[CryptographicNonce]] internal slot.

      • Set request's integrity metadata to the current value of the link element's HTMLScriptElement : HTMLElement { defined for the format used. The src, async, nomodule, defer, crossorigin, and - integrity attributes must not be specified.

        + data-x="attr-script-crossorigin">crossorigin, and integrity attributes must not be specified.

        The nomodule attribute is a boolean attribute that prevents a script from being executed in user agents that support @@ -57902,7 +57899,7 @@ o............A....e

      • -
      • Let cryptographic nonce be the element's [[CryptographicNonce]] +

      • Let cryptographic nonce be the element's [[CryptographicNonce]] internal slot's value.

      • From d628a08707db35f705f245f9418f68d1b077679d Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 15 Nov 2017 14:55:29 +0100 Subject: [PATCH 8/8] fixup @annvk's feedback II. --- source | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source b/source index 1c8106c24d0..624ea72398c 100755 --- a/source +++ b/source @@ -7035,8 +7035,7 @@ interface NoncedElement { set this element's [[CryptographicNonce]] to the given value.

        Whenever a NoncedElement's nonce attribute is - set or changed, set the element's [[CryptographicNonce]] to the specified new - value.

        + set or changed, set this element's [[CryptographicNonce]] to the given value.

        Whenever a NoncedElement becomes browsing-context connected, the user agent must executing the following steps on the element:
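Review bot: the connected steps (added in 2/8, reflowed in 7/8) clear the content attribute only when the CSP list "contains a header-delivered Content Security Policy", but the section never says what a document whose only policy comes from a meta element should expect. In that case the nonce stays in the content attribute, where the CSS attribute selectors named in the introductory paragraph can still match it. Add a note under the steps, next to the existing one about the append-only CSP list optimization, stating whether this case is intentionally left uncovered and why. The "crytographic" misspelling from 1/8 also survives the rewrite of that paragraph in 2/8.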