
Pass cryptographic nonce metadata to Fetch

In order for CSP to correctly block/allow requests, HTML needs to teach
Fetch about the cryptographic nonce metadata that ought to be associated
with script requests.

See whatwg/fetch#269 for context.
mikewest authored and annevk committed Apr 6, 2016
1 parent a996f3b commit 5479e07a6f6e01062b85b5fe6799752b0370336c
Showing with 56 additions and 25 deletions.
  1. +56 −25 source
<li><dfn data-noexport="" data-x-href="https://fetch.spec.whatwg.org/#unsafe-request-flag">unsafe-request flag</dfn>
<li><dfn data-noexport="" data-x="concept-request-cache-mode" data-x-href="https://fetch.spec.whatwg.org/#concept-request-cache-mode">cache mode</dfn>
<li><dfn data-noexport="" data-x="concept-request-redirect-mode" data-x-href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode">redirect mode</dfn>
<li><dfn data-noexport="" data-x="concept-request-nonce-metadata" data-x-href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</dfn>
</ul>
</ul>

<li><p>Let <var>CORS setting</var> be the current state of the element's <code
data-x="attr-script-crossorigin">crossorigin</code> content attribute.</p></li>

<li>

<p>If the <code>script</code> element has a <code data-x="attr-script-nonce">nonce</code>
attribute, then let <var>crytographic nonce</var> be that attribute's value.</p>

<p>Otherwise, let <var>cryptographic nonce</var> be the empty string.</p>

</li>

<li><p>Let <var>settings</var> be the element's <span>node document</span>'s
<code>Window</code> object's <span>environment settings object</span>.</p></li>

<dt>"<code data-x="">classic</code>"</dt>
<dd>
<p><span>Fetch a classic script</span> given <var>url</var>, <var>CORS setting</var>,
<var>settings</var>, and <var>encoding</var>.</p>
<var>cryptographic nonce</var>, <var>settings</var>, and <var>encoding</var>.</p>
</dd>

<dt>"<code data-x="">module</code>"</dt>
</li>

<li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>credentials
mode</var>, "<code data-x="">script</code>", and <var>settings</var>.</p></li>
mode</var>, <var>cryptographic nonce</var>, "<code data-x="">script</code>", and
<var>settings</var>.</p></li>
</ol>
</dd>
</dl>

</dd>

<dt>A <dfn data-x="concept-module-script-nonce">cryptographic nonce</dfn></dt>

<dd>

<p>A <span data-x="concept-request-nonce-metadata">cryptographic nonce</span> used to fetch
imported modules.</p>

</dd>

</dl>
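Review bot: The description "A cryptographic nonce used to fetch imported modules" undersells what the field holds: per the create-a-module-script change in this commit it records the nonce the module script itself was fetched with, which is then reused for its descendants. Suggest wording along the lines of "The cryptographic nonce this module script was fetched with, reused when fetching the modules it imports", so the entry reads in parallel with the credentials mode entry it sits next to.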

<hr>
algorithms with its own options for the hooks. <ref spec=SW></p>

<p>To <dfn>fetch a classic script</dfn> for a <code>script</code> element <var>element</var>,
given a <var>url</var>, a <var>CORS setting</var>, a <var>settings object</var>, and a
<var>character encoding</var>, run these steps. The algorithm will asynchronously complete with
either null (on failure) or a new <span>classic script</span> (on success).</p>
given a <var>url</var>, a <var>CORS setting</var>, a <var>cryptographic nonce</var>, a
<var>settings object</var>, and a <var>character encoding</var>, run these steps. The algorithm
will asynchronously complete with either null (on failure) or a new <span>classic script</span>
(on success).</p>

<ol>
<li><p>Let <var>request</var> be the result of <span data-x="create a potential-CORS

<li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
<var>settings object</var>, its <span data-x="concept-request-type">type</span> to "<code
data-x="">script</code>", and its <span data-x="concept-request-destination">destination</span>
to "<code data-x="">script</code>".</p></li>
data-x="">script</code>", its <span data-x="concept-request-destination">destination</span>
to "<code data-x="">script</code>", and its <span
data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> to
<var>cryptographic nonce</var>.</p></li>

<li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
up the request</span>, perform them on <var>request</var>.</p></li>
</ol>

<p>To <dfn>fetch a module script tree</dfn> given a <var>url</var>, a <var>credentials mode</var>,
a <var>destination</var>, a <var>settings object</var>, and an optional <var>ancestor list</var>,
run these steps. The algorithm will asynchronously complete with either null (on failure) or a
<span>module script</span> (on success).</p>
a <var>cryptographic nonce</var>, a <var>destination</var>, a <var>settings object</var>, and an
optional <var>ancestor list</var>, run these steps. The algorithm will asynchronously complete with
either null (on failure) or a <span>module script</span> (on success).</p>

<ol>
<li><p>If <var>ancestor list</var> is not given, let it be an empty list.</p></li>

<li><p><span>Fetch a single module script</span> given <var>url</var>, <var>credentials
mode</var>, <var>destination</var>, and <var>settings object</var>. If the caller of this
algorithm specified custom <span data-x="fetching-scripts-set-up-request">set up the
request</span> or <span data-x="fetching-scripts-validate-response">validate the response</span>
steps, pass those along while <span data-x="fetch a single module script">fetching a single
module script</span>.</p>
mode</var>, <var>cryptographic nonce</var>, <var>destination</var>, and <var>settings
object</var>. If the caller of this algorithm specified custom <span
data-x="fetching-scripts-set-up-request">set up the request</span> or <span
data-x="fetching-scripts-validate-response">validate the response</span> steps, pass those along
while <span data-x="fetch a single module script">fetching a single module script</span>.</p>

<li><p>Return from this algorithm and run the following steps when <span data-x="fetch a single
module script">fetching a single module script</span> asynchronously completes with
<li>
<p>For each <var>url</var> in <var>urls</var>, <span>fetch a module script tree</span> given
<var>url</var>, <var>module script</var>'s <span
data-x="concept-module-script-credentials-mode">credentials mode</span>, <var>destination</var>,
<var>module script</var>'s <span>settings object</span>, and <var>ancestor list</var>.</p>
data-x="concept-module-script-credentials-mode">credentials mode</span>, <var>module
script</var>'s <span data-x="concept-module-script-nonce">cryptographic nonce</span>,
<var>destination</var>, <var>module script</var>'s <span>settings object</span>, and
<var>ancestor list</var>.</p>

<p class="note">It is intentional that no custom <span
data-x="fetching-scripts-set-up-request">set up the request</span> or <span
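Review bot: Descendant fetches reuse the root module script's nonce unchanged, so under a `script-src 'nonce-…'` policy a single nonced `<script type=module>` authorises its whole static import graph. That is the only workable option, since imported modules have no element to carry a nonce attribute, but it deserves a sentence in the note that follows this step (which already explains why custom set-up and validation steps are intentionally not passed down): state that inheriting the nonce is intentional, and that each imported module is still fetched with that nonce as its request's cryptographic nonce metadata, so CSP in Fetch still evaluates every import individually.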
</ol>

<p>To <dfn>fetch a single module script</dfn>, given a <var>url</var>, a <var>credentials
mode</var>, a <var>destination</var>, and a <var>settings object</var>, run these steps. The
algorithm will asynchronously complete with either null (on failure) or a <span>module
script</span> (on success).</p>
mode</var>, a <var>cryptographic nonce</var>, a <var>destination</var>, and a <var>settings
object</var>, run these steps. The algorithm will asynchronously complete with either null (on
failure) or a <span>module script</span> (on success).</p>

<ol>
<li><p>Let <var>module map</var> be <var>settings</var>'s <span>module map</span>.</p></li>
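Review bot: Parameter naming nit: the rewritten signature takes a `<var>settings object</var>` but the first step reads `<var>settings</var>`'s module map. The mismatch predates this commit, but since the signature is being rewritten here anyway it is a good moment to make the step read `<var>settings object</var>`'s <span>module map</span>.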
data-x="concept-request-type">type</span> is "<code data-x="">script</code>", <span
data-x="concept-request-mode">mode</span> is "<code data-x="">cors</code>", <span
data-x="concept-request-credentials-mode">credentials mode</span> is <var>credentials
mode</var>, and <span data-x="concept-request-client">client</span> is
mode</var>, <span data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> is
<var>cryptographic nonce</var>, and <span data-x="concept-request-client">client</span> is
<var>settings object</var>.</p></li>

<li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set

<li><p>Let <var>module script</var> be the result of <span>creating a module script</span> given
<var>source text</var>, <var>settings object</var>, <var>response</var>'s <span
data-x="concept-response-url">url</span>, and <var>credentials mode</var>.</p></li>
data-x="concept-response-url">url</span>, <var>credentials mode</var>, and <var>cryptographic
nonce</var>.</p></li>

<li>
<p>Set the value of the entry in <var>module map</var> whose key is <var>url</var> to
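Review bot: The nonce is now stored on the module script but does not take part in the module map key, which stays `<var>url</var>` alone (the entry is set "whose key is url"). A later call to fetch a single module script for the same URL with a different or empty nonce will therefore be satisfied from the map without issuing a new request, and so without Fetch's CSP check running against the new nonce metadata. If that is the intended behaviour (the entry is reused rather than refetched, and the nonce recorded on it is the one from the original fetch), a short note saying so would help readers; if it is not, the key would need to include the nonce.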
</ol>

<p>To <dfn data-x="creating a module script">create a module script</dfn>, given some script
source, an <span>environment settings object</span>, a script base URL, and a credentials
mode:</p>
source, an <span>environment settings object</span>, a script base URL, a credentials mode, and
a cryptographic nonce:</p>

<ol>

<li><p>Set <var>script</var>'s <span data-x="concept-module-script-credentials-mode">credentials
mode</span> to the credentials mode provided.</p></li>

<li><p>Set <var>script</var>'s <span data-x="concept-module-script-nonce">cryptographic
nonce</span> to the cryptographic nonce provided.</p></li>

<li><p>Return <var>script</var>.</p></li>

</ol>

<dt>"<code data-x="">module</code>"</dt>
<dd><span>Fetch a module script tree</span> given <var>url</var>, the value of the <code
data-x="">credentials</code> member of <var>options</var>, <var>destination</var>, and
data-x="">credentials</code> member of <var>options</var>, the empty string (as no
<var>cryptographic nonce</var> is present for workers), <var>destination</var>, and
<var>settings object</var>.</dd>
</dl>
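Review bot: Passing the empty string here is right, since a worker has no element to carry a nonce attribute, but the parenthetical "as no <var>cryptographic nonce</var> is present for workers" marks up ordinary prose as a variable; drop the `<var>` there. It would also be worth spelling out the consequence in a note: because the nonce metadata is empty, a module worker's top-level fetch and its imports cannot be permitted by a nonce source expression and have to match the applicable policy by host, 'self' or hash instead.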
