Pass cryptographic nonce metadata to Fetch #990
Conversation
|
Part 2/3. CSSOM is next. |
|
CSSOM changes require clarity around #968. Will address at some point in the future. |
| @@ -58517,6 +58518,9 @@ o............A....e | |||
| <li><p>Let <var>CORS setting</var> be the current state of the element's <code | |||
| data-x="attr-script-crossorigin">crossorigin</code> content attribute.</p></li> | |||
|
|
|||
| <li><p>Let <var>crytographic nonce metadata</var> be the current state of the element's <code | |||
| data-x="attr-script-nonce">nonce</code> content attribute.</p></li> | |||
There was a problem hiding this comment.
value, this attribute has no states.
There was a problem hiding this comment.
Changed to line up with other attribute checks in this algorithm.
|
@mikewest it seems you didn't update all call sites of the algorithms. These are also used by workers. Presumably those need to pass the empty string? |
| @@ -58574,7 +58584,8 @@ o............A....e | |||
| </li> | |||
|
|
|||
| <li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>credentials | |||
| mode</var>, "<code data-x="">script</code>", and <var>settings</var>.</p></li> | |||
| mode</var>, <var>cryptographic nonce metadata</var>, "<code data-x="">script</code>", and | |||
There was a problem hiding this comment.
typo: should be "cryptographic nonce", not "cryptographic nonce metadata". Here and above.
|
This LGTM besides the typo and the issue @annevk mentioned with the other call sites of the script fetching algorithms. |
That's "fetch a classic worker script", right? I didn't update that algorithm, as we're not currently doing anything nonce-related for Workers. If/when we do, I'd certainly throw a patch your way. |
|
Ah, I see. The Worker processing model calls into "fetch a module script tree". I need to pass in an empty string there. If only specs had compiler errors... |
In order for CSP to correctly block/allow requests, HTML needs to teach Fetch about the cryptographic nonce metadata that ought to be associated with script requests. whatwg/fetch#273
|
It was just the one, thanks. By the way, you no longer have to squash since GitHub has a new feature that allows us to use the fancy green button to do that while preserving linear history. It's like we're living in the future. |
|
I love the future! Thanks. |
In order for CSP to correctly block/allow requests, HTML needs to teach
Fetch about the cryptographic nonce metadata that ought to be associated
with script requests.
whatwg/fetch#273