Pass cryptographic nonce metadata to Fetch

In order for CSP to correctly block/allow requests, HTML needs to teach Fetch about the cryptographic nonce metadata that ought to be associated with script requests. See whatwg/fetch#269 for context.
whatwg · Apr 6, 2016 · 5479e07 · 5479e07
1 parent a996f3b
commit 5479e07
Showing 1 changed file with 56 additions and 25 deletions.
diff --git a/source b/source
@@ -2851,6 +2851,7 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
        <li><dfn data-noexport="" data-x-href="https://fetch.spec.whatwg.org/#unsafe-request-flag">unsafe-request flag</dfn>
        <li><dfn data-noexport="" data-x="concept-request-cache-mode" data-x-href="https://fetch.spec.whatwg.org/#concept-request-cache-mode">cache mode</dfn>
        <li><dfn data-noexport="" data-x="concept-request-redirect-mode" data-x-href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode">redirect mode</dfn>
+       <li><dfn data-noexport="" data-x="concept-request-nonce-metadata" data-x-href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</dfn>
       </ul>
     </ul>
 
@@ -58523,6 +58524,15 @@ o............A....e
    <li><p>Let <var>CORS setting</var> be the current state of the element's <code
    data-x="attr-script-crossorigin">crossorigin</code> content attribute.</p></li>
 
+   <li>
+
+    <p>If the <code>script</code> element has a <code data-x="attr-script-nonce">nonce</code>
+    attribute, then let <var>crytographic nonce</var> be that attribute's value.</p>
+
+    <p>Otherwise, let <var>cryptographic nonce</var> be the empty string.</p>
+
+   </li>
+
    <li><p>Let <var>settings</var> be the element's <span>node document</span>'s
    <code>Window</code> object's <span>environment settings object</span>.</p></li>
 
@@ -58557,7 +58567,7 @@ o............A....e
        <dt>"<code data-x="">classic</code>"</dt>
        <dd>
         <p><span>Fetch a classic script</span> given <var>url</var>, <var>CORS setting</var>,
-        <var>settings</var>, and <var>encoding</var>.</p>
+        <var>cryptographic nonce</var>, <var>settings</var>, and <var>encoding</var>.</p>
        </dd>
 
        <dt>"<code data-x="">module</code>"</dt>
@@ -58580,7 +58590,8 @@ o............A....e
          </li>
 
          <li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>credentials
-         mode</var>, "<code data-x="">script</code>", and <var>settings</var>.</p></li>
+         mode</var>, <var>cryptographic nonce</var>, "<code data-x="">script</code>", and
+         <var>settings</var>.</p></li>
         </ol>
        </dd>
       </dl>
@@ -84940,6 +84951,15 @@ interface <dfn>NavigatorOnLine</dfn> {
 
    </dd>
 
+   <dt>A <dfn data-x="concept-module-script-nonce">cryptographic nonce</dfn></dt>
+
+   <dd>
+
+    <p>A <span data-x="concept-request-nonce-metadata">cryptographic nonce</span> used to fetch
+    imported modules.</p>
+
+   </dd>
+
   </dl>
 
   <hr>
@@ -85133,9 +85153,10 @@ interface <dfn>NavigatorOnLine</dfn> {
   algorithms with its own options for the hooks. <ref spec=SW></p>
 
   <p>To <dfn>fetch a classic script</dfn> for a <code>script</code> element <var>element</var>,
-  given a <var>url</var>, a <var>CORS setting</var>, a <var>settings object</var>, and a
+  given a <var>url</var>, a <var>CORS setting</var>, a <var>cryptographic nonce</var>, a
-  <var>character encoding</var>, run these steps. The algorithm will asynchronously complete with
+  <var>settings object</var>, and a <var>character encoding</var>, run these steps. The algorithm
-  either null (on failure) or a new <span>classic script</span> (on success).</p>
+  will asynchronously complete with either null (on failure) or a new <span>classic script</span>
+  (on success).</p>
 
   <ol>
    <li><p>Let <var>request</var> be the result of <span data-x="create a potential-CORS
@@ -85144,8 +85165,10 @@ interface <dfn>NavigatorOnLine</dfn> {
 
    <li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
    <var>settings object</var>, its <span data-x="concept-request-type">type</span> to "<code
-   data-x="">script</code>", and its <span data-x="concept-request-destination">destination</span>
+   data-x="">script</code>", its <span data-x="concept-request-destination">destination</span>
-   to "<code data-x="">script</code>".</p></li>
+   to "<code data-x="">script</code>", and its <span
+   data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> to
+   <var>cryptographic nonce</var>.</p></li>
 
    <li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
    up the request</span>, perform them on <var>request</var>.</p></li>
@@ -85243,19 +85266,19 @@ interface <dfn>NavigatorOnLine</dfn> {
   </ol>
 
   <p>To <dfn>fetch a module script tree</dfn> given a <var>url</var>, a <var>credentials mode</var>,
-  a <var>destination</var>, a <var>settings object</var>, and an optional <var>ancestor list</var>,
+  a <var>cryptographic nonce</var>, a <var>destination</var>, a <var>settings object</var>, and an
-  run these steps. The algorithm will asynchronously complete with either null (on failure) or a
+  optional <var>ancestor list</var>, run these steps. The algorithm will asynchronously complete with
-  <span>module script</span> (on success).</p>
+  either null (on failure) or a <span>module script</span> (on success).</p>
 
   <ol>
    <li><p>If <var>ancestor list</var> is not given, let it be an empty list.</p></li>
 
    <li><p><span>Fetch a single module script</span> given <var>url</var>, <var>credentials
-   mode</var>, <var>destination</var>, and <var>settings object</var>. If the caller of this
+   mode</var>, <var>cryptographic nonce</var>, <var>destination</var>, and <var>settings
-   algorithm specified custom <span data-x="fetching-scripts-set-up-request">set up the
+   object</var>. If the caller of this algorithm specified custom <span
-   request</span> or <span data-x="fetching-scripts-validate-response">validate the response</span>
+   data-x="fetching-scripts-set-up-request">set up the request</span> or <span
-   steps, pass those along while <span data-x="fetch a single module script">fetching a single
+   data-x="fetching-scripts-validate-response">validate the response</span> steps, pass those along
-   module script</span>.</p>
+   while <span data-x="fetch a single module script">fetching a single module script</span>.</p>
 
    <li><p>Return from this algorithm and run the following steps when <span data-x="fetch a single
    module script">fetching a single module script</span> asynchronously completes with
@@ -85322,8 +85345,10 @@ interface <dfn>NavigatorOnLine</dfn> {
    <li>
     <p>For each <var>url</var> in <var>urls</var>, <span>fetch a module script tree</span> given
     <var>url</var>, <var>module script</var>'s <span
-    data-x="concept-module-script-credentials-mode">credentials mode</span>, <var>destination</var>,
+    data-x="concept-module-script-credentials-mode">credentials mode</span>, <var>module
-    <var>module script</var>'s <span>settings object</span>, and <var>ancestor list</var>.</p>
+    script</var>'s <span data-x="concept-module-script-nonce">cryptographic nonce</span>,
+    <var>destination</var>, <var>module script</var>'s <span>settings object</span>, and
+    <var>ancestor list</var>.</p>
 
     <p class="note">It is intentional that no custom <span
     data-x="fetching-scripts-set-up-request">set up the request</span> or <span
@@ -85341,9 +85366,9 @@ interface <dfn>NavigatorOnLine</dfn> {
   </ol>
 
   <p>To <dfn>fetch a single module script</dfn>, given a <var>url</var>, a <var>credentials
-  mode</var>, a <var>destination</var>, and a <var>settings object</var>, run these steps. The
+  mode</var>, a <var>cryptographic nonce</var>, a <var>destination</var>, and a <var>settings
-  algorithm will asynchronously complete with either null (on failure) or a <span>module
+  object</var>, run these steps. The algorithm will asynchronously complete with either null (on
-  script</span> (on success).</p>
+  failure) or a <span>module script</span> (on success).</p>
 
   <ol>
    <li><p>Let <var>module map</var> be <var>settings</var>'s <span>module map</span>.</p></li>
@@ -85364,7 +85389,8 @@ interface <dfn>NavigatorOnLine</dfn> {
    data-x="concept-request-type">type</span> is "<code data-x="">script</code>", <span
    data-x="concept-request-mode">mode</span> is "<code data-x="">cors</code>", <span
    data-x="concept-request-credentials-mode">credentials mode</span> is <var>credentials
-   mode</var>, and <span data-x="concept-request-client">client</span> is
+   mode</var>, <span data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> is
+   <var>cryptographic nonce</var>, and <span data-x="concept-request-client">client</span> is
    <var>settings object</var>.</p></li>
 
    <li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
@@ -85414,7 +85440,8 @@ interface <dfn>NavigatorOnLine</dfn> {
 
    <li><p>Let <var>module script</var> be the result of <span>creating a module script</span> given
    <var>source text</var>, <var>settings object</var>, <var>response</var>'s <span
-   data-x="concept-response-url">url</span>, and <var>credentials mode</var>.</p></li>
+   data-x="concept-response-url">url</span>, <var>credentials mode</var>, and <var>cryptographic
+   nonce</var>.</p></li>
 
    <li>
     <p>Set the value of the entry in <var>module map</var> whose key is <var>url</var> to
@@ -85458,8 +85485,8 @@ interface <dfn>NavigatorOnLine</dfn> {
   </ol>
 
   <p>To <dfn data-x="creating a module script">create a module script</dfn>, given some script
-  source, an <span>environment settings object</span>, a script base URL, and a credentials
+  source, an <span>environment settings object</span>, a script base URL, a credentials mode, and
-  mode:</p>
+  a cryptographic nonce:</p>
 
   <ol>
 
@@ -85494,6 +85521,9 @@ interface <dfn>NavigatorOnLine</dfn> {
    <li><p>Set <var>script</var>'s <span data-x="concept-module-script-credentials-mode">credentials
    mode</span> to the credentials mode provided.</p></li>
 
+   <li><p>Set <var>script</var>'s <span data-x="concept-module-script-nonce">cryptographic
+   nonce</span> to the cryptographic nonce provided.</p></li>
+
    <li><p>Return <var>script</var>.</p></li>
 
   </ol>
@@ -94662,7 +94692,8 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
 
      <dt>"<code data-x="">module</code>"</dt>
      <dd><span>Fetch a module script tree</span> given <var>url</var>, the value of the <code
-     data-x="">credentials</code> member of <var>options</var>, <var>destination</var>, and
+     data-x="">credentials</code> member of <var>options</var>, the empty string (as no
+     <var>cryptographic nonce</var> is present for workers), <var>destination</var>, and
      <var>settings object</var>.</dd>
     </dl>