Confirming. If you load the [frame by itself](http://www.usersnapdemo.com/akna/csp-styles/iframe.html)—which has the same CSP—adding the node to the document works fine with the nonce specified as a DOM property rather than a parsed attribute. The `nonce` property is being stripped when the node is moved to the parent document. Of course they're different documents and might have had different nonces (***should*** have, IRL). If we're enforcing nonces on script-added style tags we want to make sure we're checking the right nonce.

From a quick scan the only place I see removing the nonce is https://searchfox.org/mozilla-central/rev/ef0aa879e94534ffd067a3748d034540a9fc10b0/dom/html/nsGenericHTMLElement.cpp#762-774 ( SVG equivalent https://searchfox.org/mozilla-central/rev/ef0aa879e94534ffd067a3748d034540a9fc10b0/dom/svg/SVGElement.cpp#344-356 ) Added in bug 1374612 which wanted to hide the nonce from the DOM. That code is hiding the Attribute, though, not the DOM property, and I can confirm that happens if you set the attribute rather than the DOM property.

Concerned about the `HasCSPDeliveredThroughHeader` check. It makes some sense given that a `<meta>` CSP could just be read from the document. That flag is used in BindToTree. We certainly don't want to copy that value between documents though. The other document—even if same origin—might not have a header CSP or might have a completely different nonce even if it does. Also a document can have multiple CSP and might or might not use a nonce in the header CSP specifically.

Chrome behaves as the reporter expects.

Bug 1804210 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Confirming. If you load the [frame by itself](http://www.usersnapdemo.com/akna/csp-styles/iframe.html)—which has the same CSP—adding the node to the document works fine with the nonce specified as a DOM property rather than a parsed attribute. The `nonce` property is being stripped when the node is moved to the parent document. Of course they're different documents and might have had different nonces (***should*** have, IRL). If we're enforcing nonces on script-added style tags we want to make sure we're checking the right nonce.

From a quick scan the only place I see removing the nonce is https://searchfox.org/mozilla-central/rev/ef0aa879e94534ffd067a3748d034540a9fc10b0/dom/html/nsGenericHTMLElement.cpp#762-774 ( SVG equivalent https://searchfox.org/mozilla-central/rev/ef0aa879e94534ffd067a3748d034540a9fc10b0/dom/svg/SVGElement.cpp#344-356 ) Added in bug 1374612 which wanted to hide the nonce from the DOM. That code is hiding the nonce Attribute, though, not the DOM property, and I can confirm that happens if you set the attribute rather than the DOM property.

Concerned about the `HasCSPDeliveredThroughHeader` check which is used in BindToTree. It makes some sense to worry more about a header policy given that a `<meta>` CSP could just be read from the document. That's if you have script capability, though, and the bug 1374612 mitigation was aimed at non-scripted CSS attribute games. We certainly don't want to copy that internal flag value between documents though. The other document—even if same origin—might not have a header CSP or might have a completely different nonce even if it does. Also a document can have multiple CSP and might or might not use a nonce in the header CSP specifically.

Chrome behaves as the reporter expects.