Chrome/Safari trim nonces #634
Comments
|
How is https://w3c.github.io/webappsec-csp/#match-nonce-to-source-list implemented? I guess the value is base64-decoded then rather than that the nonce attribute value is base64-encoded? That might yield some further differences between implementations, especially given that base64-value allows for both base64 and base64url iirc. |
|
At least Firefox just compares the raw |
|
It does look like this is an oversight. I assume the intention was for https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes to trim the value before storing it, but I think you're entirely correct that that's not currently documented. If you're willing to change Firefox's behavior, trimming the attribute value before storing it in the internal slot seems like the easiest way of remedying the spec accordingly. |
|
That's not where whitespace removal happens in WebKit, at least. Are you sure it impacts the |
|
I'm not at all sure; I haven't looked at this code in the recent past. That said, where would you expect web-visible differences to show up? |
|
Well if you have |
|
(Also, FWIW, a quick search on httparchive gives zero results of nonces padded with whitespaces.) |
|
Clearly, I should have looked at the code before guessing. Thanks, Antonio! In that case, my suggestion is a bad one, and altering the CSP algorithm might be preferable. |
|
Looks like we should also test which whitespace characters are being trimmed as Chromium at least seems to include U+000B which is incorrect. |
|
I think our behavior is the best here and we should try to align to that. Can we look into a way of shipping that, like telemetry, nightly-only, archive scan etc.? |
For some reason Chrome and Safari trim nonce strings and as far as I can tell this is not specified anywhere. Firefox doesn't and thus fails this WPT.
Unless there is a strong objection I plan on changing the test to match the specification/Firefox.
The text was updated successfully, but these errors were encountered: