Pass cryptographic nonce metadata to Fetch #990
Conversation
Part 2/3. CSSOM is next.
CSSOM changes require clarity around #968. Will address at some point in the future.
@@ -58517,6 +58518,9 @@ o............A....e | |||
<li><p>Let <var>CORS setting</var> be the current state of the element's <code | |||
data-x="attr-script-crossorigin">crossorigin</code> content attribute.</p></li> | |||
|
|||
<li><p>Let <var>crytographic nonce metadata</var> be the current state of the element's <code | |||
data-x="attr-script-nonce">nonce</code> content attribute.</p></li> |
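Review bot: the variable introduced on the added line is spelled <var>crytographic nonce metadata</var> (missing the "p"), while the later call to "fetch a module script tree" passes <var>cryptographic nonce metadata</var>, so the algorithm defines one name and uses another; spec variables are matched by exact text, so this needs to be <var>cryptographic nonce metadata</var> here. Separately, "the current state of the element's nonce content attribute" copies the wording of the crossorigin step above it, but crossorigin is an enumerated attribute with states and nonce is a plain string attribute with none; this step should read "the value of the element's <code data-x="attr-script-nonce">nonce</code> content attribute", and it should be explicit that a missing attribute yields the empty string, since that is what the other callers of the fetch algorithms will have to pass.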
value, this attribute has no states.
Changed to line up with other attribute checks in this algorithm.
@mikewest it seems you didn't update all call sites of the algorithms. These are also used by workers. Presumably those need to pass the empty string?
@@ -58574,7 +58584,8 @@ o............A....e | |||
</li> | |||
|
|||
<li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>credentials | |||
mode</var>, "<code data-x="">script</code>", and <var>settings</var>.</p></li> | |||
mode</var>, <var>cryptographic nonce metadata</var>, "<code data-x="">script</code>", and |
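Review bot: this changes the signature of "fetch a module script tree" by inserting a new positional argument between <var>credentials mode</var> and the "script" destination, so every other invocation of that algorithm must be updated in the same change or the spec is left calling it with the wrong number of arguments; the worker processing model also invokes it (as noted in the discussion) and is not touched in the hunks shown. That call site should pass the empty string for the cryptographic nonce metadata, since workers carry no nonce attribute. It is also worth placing the new argument consistently with the definition of "fetch a module script tree" itself, which is not visible in this hunk and should be checked to take the parameter in this position.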
typo: should be "cryptographic nonce", not "cryptographic nonce metadata". Here and above.
This LGTM besides the typo and the issue @annevk mentioned with the other call sites of the script fetching algorithms.
That's "fetch a classic worker script", right? I didn't update that algorithm, as we're not currently doing anything nonce-related for Workers. If/when we do, I'd certainly throw a patch your way. |
Ah, I see. The Worker processing model calls into "fetch a module script tree". I need to pass in an empty string there. If only specs had compiler errors... |
In order for CSP to correctly block/allow requests, HTML needs to teach Fetch about the cryptographic nonce metadata that ought to be associated with script requests. whatwg/fetch#273
It was just the one, thanks. By the way, you no longer have to squash since GitHub has a new feature that allows us to use the fancy green button to do that while preserving linear history. It's like we're living in the future. |
I love the future! Thanks. |
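The following is an added example, not code from the WHATWG HTML or Fetch specifications and not part of this pull request. It models in plain JavaScript the two "prepare a script" steps the diff touches (the CORS setting derived from the crossorigin attribute and the cryptographic nonce metadata derived from the nonce attribute), the request record that then carries the nonce to Fetch, the worker call site that passes the empty string, and a deliberately simplified CSP script-src check that consumes the field. Elements are represented as plain attribute maps so it runs without a DOM; the policy parser and matcher are a hypothetical toy (no default-src fallback, no wildcard or path matching), not the CSP algorithm, and all inputs are constructed.

```javascript
'use strict';

// crossorigin is an enumerated attribute: missing value default is "No CORS",
// invalid value default is "Anonymous" (keywords: "anonymous", "use-credentials").
function corsSetting(attrs) {
  if (!Object.prototype.hasOwnProperty.call(attrs, 'crossorigin')) return 'No CORS';
  return attrs.crossorigin.toLowerCase() === 'use-credentials' ? 'Use Credentials' : 'Anonymous';
}

// nonce is an ordinary string attribute with no states: take its value as-is,
// and the empty string when it is absent.
function cryptographicNonceMetadata(attrs) {
  return Object.prototype.hasOwnProperty.call(attrs, 'nonce') ? attrs.nonce : '';
}

// Stand-in for the Fetch request record, now carrying the nonce metadata.
function makeScriptRequest(url, attrs) {
  return {
    url,
    destination: 'script',
    corsSetting: corsSetting(attrs),
    cryptographicNonceMetadata: cryptographicNonceMetadata(attrs),
  };
}

// The worker processing model also calls "fetch a module script tree" but has no
// nonce attribute to read, so it passes the empty string (the fix discussed above).
function makeWorkerModuleRequest(url) {
  return { url, destination: 'worker', corsSetting: 'No CORS', cryptographicNonceMetadata: '' };
}

// Toy policy parser: returns the script-src source list, or null if the directive is absent.
function parseScriptSrc(policy) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === 'script-src') return tokens.slice(1);
  }
  return null;
}

// Simplified source matching: 'self', an exact origin host-source, and 'nonce-<base64>'.
// A nonce source matches only when the request carries non-empty nonce metadata that
// equals the policy's base64 value exactly (the comparison is case-sensitive).
function scriptSrcAllows(policy, request, selfOrigin) {
  const sources = parseScriptSrc(policy);
  if (sources === null) return true; // toy: real CSP would fall back to default-src here
  const origin = new URL(request.url).origin;
  for (const src of sources) {
    if (src === "'self'" && origin === selfOrigin) return true;
    const nonce = /^'nonce-([A-Za-z0-9+\/\-_]+={0,2})'$/.exec(src);
    if (nonce && request.cryptographicNonceMetadata !== '' &&
        request.cryptographicNonceMetadata === nonce[1]) return true;
    if (!src.startsWith("'") && src === origin) return true;
  }
  return false;
}

// Constructed policy and origin for the demonstration (hypothetical values).
const POLICY = "default-src 'none'; script-src 'self' 'nonce-R4nd0mB4se64=='";
const SELF = 'https://app.example';

function demo() {
  const noncedCdn = makeScriptRequest('https://cdn.example/lib.js', { nonce: 'R4nd0mB4se64==', crossorigin: '' });
  const plainCdn = makeScriptRequest('https://cdn.example/lib.js', {});
  const sameOrigin = makeScriptRequest('https://app.example/app.js', {});
  const worker = makeWorkerModuleRequest('https://cdn.example/worker.js');
  return {
    noncedCdn: scriptSrcAllows(POLICY, noncedCdn, SELF),   // true: nonce metadata reached the check
    plainCdn: scriptSrcAllows(POLICY, plainCdn, SELF),     // false: no nonce, and not 'self'
    sameOrigin: scriptSrcAllows(POLICY, sameOrigin, SELF), // true: 'self'
    worker: scriptSrcAllows(POLICY, worker, SELF),         // false: workers pass ""
    corsOfNonced: noncedCdn.corsSetting,                   // "Anonymous" (empty keyword)
    corsOfPlain: plainCdn.corsSetting,                     // "No CORS" (attribute absent)
  };
}
```

The point the example makes is the one in the PR description: without the nonce field on the request, the CSP check has nothing to compare against the policy's 'nonce-...' source, so a nonced cross-origin script and a plain one look identical to Fetch. The worker case shows why the unchanged call site matters: a caller that omits the argument must still pass a well-defined value, here the empty string, or the nonce comparison is undefined.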