nonce attribute: no longer tentative #21853

Merged
merged 6 commits into from
Feb 19, 2020

@annevk annevk commented Feb 18, 2020

For whatwg/html#5300.

Supersedes #5423.

@annevk annevk requested a review from mikewest February 18, 2020 13:24

annevk commented Feb 18, 2020

I'll add at least one test to ensure this nonce attribute also works generically and then I think I've done more than my share on this feature...

annevk commented Feb 18, 2020

Filed https://bugs.chromium.org/p/chromium/issues/detail?id=1053496 on the Chrome failures.

@mikewest mikewest left a comment

These LGTM. Thank you for putting them together, and for filing the bug against Chromium. I really appreciate your effort.

annevk commented Feb 19, 2020

@mikewest I'm going to assume these final changes are okay per your comments elsewhere, but happy to take more feedback. (Including after landing these.)

@annevk annevk merged commit 2ca72d0 into master Feb 19, 2020
@annevk annevk deleted the annevk/nonce branch February 19, 2020 13:41
annevk added a commit to whatwg/html that referenced this pull request Feb 20, 2020
Also clarify some prose around the nonce content attribute, including that it does in fact update the slot upon removal.

Tests: web-platform-tests/wpt#21853.

Fixes #5288.

@ArthurSonzogni commented

FYI: I updated Chrome to match with the new expectations.
https://chromium-review.googlesource.com/c/chromium/src/+/2075340

annevk commented Feb 28, 2020

Thanks @ArthurSonzogni!

blueboxd pushed a commit to blueboxd/chromium-legacy that referenced this pull request Mar 4, 2020
According to CSP, nonces are handled the same way for both HTMLElement
and SVGElement.

Both are setting the nonce when the Element is inserted, but only the
HTMLElement was supporting "modifying" a nonce.

It looks like a bug in Chrome found by annevk@:
web-platform-tests/wpt#21853

This patch fixes the issue. It was meant to fix the WPT test:
- content-security-policy/nonce-hiding/nonces.html

But it turns out it is also fixing two more tests
- content-security-policy/nonce-hiding/svgscript-nonces-hidden.html
- content-security-policy/nonce-hiding/svgscript-nonces-hidden-meta-sub.html

Bug: 1053496
Change-Id: I872cae74817bff2f5f910dcd7864fc97426c49cf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2075340
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#746774}