From 5479e07a6f6e01062b85b5fe6799752b0370336c Mon Sep 17 00:00:00 2001 From: Mike West Date: Wed, 6 Apr 2016 10:46:29 +0200 Subject: [PATCH] Pass cryptographic nonce metadata to Fetch In order for CSP to correctly block/allow requests, HTML needs to teach Fetch about the cryptographic nonce metadata that ought to be associated with script requests. See https://github.com/whatwg/fetch/issues/269 for context. --- source | 81 ++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 56 insertions(+), 25 deletions(-) diff --git a/source b/source index 589796ed68d..92d5204d008 100644 --- a/source +++ b/source @@ -2851,6 +2851,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
  • unsafe-request flag
  • cache mode
  • redirect mode +
  • cryptographic nonce metadata @@ -58523,6 +58524,15 @@ o............A....e

  • Let CORS setting be the current state of the element's crossorigin content attribute.

    • +
  • + +

    If the script element has a nonce + attribute, then let crytographic nonce be that attribute's value.

    + +

    Otherwise, let cryptographic nonce be the empty string.

    + +
    • +

  • Let settings be the element's node document's Window object's environment settings object.

    • @@ -58557,7 +58567,7 @@ o............A....e
    "classic"

    Fetch a classic script given url, CORS setting, - settings, and encoding.

    + cryptographic nonce, settings, and encoding.

    "module"
    @@ -58580,7 +58590,8 @@ o............A....e

  • Fetch a module script tree given url, credentials - mode, "script", and settings.

    • + mode, cryptographic nonce, "script", and + settings.

    @@ -84940,6 +84951,15 @@ interface NavigatorOnLine { +
    A cryptographic nonce
    + +
    + +

    A cryptographic nonce used to fetch + imported modules.

    + +
    +
    @@ -85133,9 +85153,10 @@ interface NavigatorOnLine { algorithms with its own options for the hooks.

    To fetch a classic script for a script element element, - given a url, a CORS setting, a settings object, and a - character encoding, run these steps. The algorithm will asynchronously complete with - either null (on failure) or a new classic script (on success).

    + given a url, a CORS setting, a cryptographic nonce, a + settings object, and a character encoding, run these steps. The algorithm + will asynchronously complete with either null (on failure) or a new classic script + (on success).

    1. Let request be the result of client to settings object, its type to "script", and its destination - to "script".

      2. + data-x="">script", its destination + to "script", and its cryptographic nonce metadata to + cryptographic nonce.

    2. If the caller specified custom steps to set up the request, perform them on request.

      3. @@ -85243,19 +85266,19 @@ interface NavigatorOnLine {

    To fetch a module script tree given a url, a credentials mode, - a destination, a settings object, and an optional ancestor list, - run these steps. The algorithm will asynchronously complete with either null (on failure) or a - module script (on success).

    + a cryptographic nonce, a destination, a settings object, and an + optional ancestor list, run these steps. The algorithm will asynchronously complete with + either null (on failure) or a module script (on success).

    1. If ancestor list is not given, let it be an empty list.

    2. Fetch a single module script given url, credentials - mode, destination, and settings object. If the caller of this - algorithm specified custom set up the - request or validate the response - steps, pass those along while fetching a single - module script.

      + mode, cryptographic nonce, destination, and settings + object. If the caller of this algorithm specified custom set up the request or validate the response steps, pass those along + while fetching a single module script.

    3. Return from this algorithm and run the following steps when fetching a single module script asynchronously completes with @@ -85322,8 +85345,10 @@ interface NavigatorOnLine {

    4. For each url in urls, fetch a module script tree given url, module script's credentials mode, destination, - module script's settings object, and ancestor list.

      + data-x="concept-module-script-credentials-mode">credentials mode, module + script's cryptographic nonce, + destination, module script's settings object, and + ancestor list.

      It is intentional that no custom set up the request or NavigatorOnLine {

    To fetch a single module script, given a url, a credentials - mode, a destination, and a settings object, run these steps. The - algorithm will asynchronously complete with either null (on failure) or a module - script (on success).

    + mode, a cryptographic nonce, a destination, and a settings + object, run these steps. The algorithm will asynchronously complete with either null (on + failure) or a module script (on success).

    1. Let module map be settings's module map.

      2. @@ -85364,7 +85389,8 @@ interface NavigatorOnLine { data-x="concept-request-type">type is "script", mode is "cors", credentials mode is credentials - mode, and client is + mode, cryptographic nonce metadata is + cryptographic nonce, and client is settings object.

    2. If the caller specified custom steps to set @@ -85414,7 +85440,8 @@ interface NavigatorOnLine {

    3. Let module script be the result of creating a module script given source text, settings object, response's url, and credentials mode.

      4. + data-x="concept-response-url">url, credentials mode, and cryptographic + nonce.

    4. Set the value of the entry in module map whose key is url to @@ -85458,8 +85485,8 @@ interface NavigatorOnLine {

    To create a module script, given some script - source, an environment settings object, a script base URL, and a credentials - mode:

    + source, an environment settings object, a script base URL, a credentials mode, and + a cryptographic nonce:

      @@ -85494,6 +85521,9 @@ interface NavigatorOnLine {

    1. Set script's credentials mode to the credentials mode provided.

      2. +

    2. Set script's cryptographic + nonce to the cryptographic nonce provided.

      3. +

    3. Return script.

    @@ -94662,7 +94692,8 @@ interface WorkerGlobalScope : EventTarget {
    "module"
    Fetch a module script tree given url, the value of the credentials member of options, destination, and + data-x="">credentials member of options, the empty string (as no + cryptographic nonce is present for workers), destination, and settings object.