Closed
Bug 1389421
Opened 7 years ago
Closed 5 years ago
Support nonce IDL property
Categories
(Core :: DOM: Core & HTML, enhancement, P2)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 1374612
People
(Reporter: ayg, Unassigned)
References
Details
Attachments
(1 file)
The HTML standard defines a "nonce" attribute on HTMLLinkElement, HTMLScriptElement, and HTMLStyleElement:
https://html.spec.whatwg.org/#dom-link-nonce
https://html.spec.whatwg.org/#dom-script-nonce
https://html.spec.whatwg.org/#dom-style-nonce
They don't show up in tests:
http://w3c-test.org/html/dom/interfaces.html
Do we not implement the nonce property? Or we do but we hide it? Is this specced somewhere? I couldn't find docs or discussion on this point after a bit of searching.
Reporter | ||
Updated•7 years ago
|
Flags: needinfo?(francois)
Flags: needinfo?(dveditz)
Comment 2•7 years ago
|
||
A nonce provides a mechanism which allows inline scripts, styles to comply with the page's Content Security Policy and hence provides a mechanism to safely whitelist such scripts, styles.
As far as CSP goes, we support nonces and have test coverage within dom/security/csp as well as testing/web-platform/tests/content-security-policy/
See:
https://dxr.mozilla.org/mozilla-central/search?q=nonce%3D%22&redirect=false
Nonces were introduced within CSP2 and are still speced within CSP3:
https://www.w3.org/TR/CSP/
Even though we haven't explicitly decided to hide the nonce, it's probably something we want to consider:
https://bugzilla.mozilla.org/show_bug.cgi?id=1374612
Flags: needinfo?(ckerschb)
Comment 3•7 years ago
|
||
It does seem that even if we hide the content attribute from the DOM as per that proposal (whatever that ends up being, there doesn't appear to be consensus on a direction), the IDL attribute (which this bug is about) is missing for no good reason. So we should probably add that?
Comment 4•7 years ago
|
||
(In reply to Anne (:annevk) from comment #3)
> It does seem that even if we hide the content attribute from the DOM as per
> that proposal (whatever that ends up being, there doesn't appear to be
> consensus on a direction), the IDL attribute (which this bug is about) is
> missing for no good reason. So we should probably add that?
Agreed!
Updated•7 years ago
|
Flags: needinfo?(dveditz)
Updated•7 years ago
|
Priority: -- → P2
Reporter | ||
Comment 5•7 years ago
|
||
The problem is just that nobody updated the IDL files.
Assignee: nobody → ayg
Status: NEW → ASSIGNED
Summary: nonce attribute does not show up in tests → Support nonce IDL property
Comment hidden (mozreview-request) |
Comment 7•7 years ago
|
||
mozreview-review |
Comment on attachment 8899429 [details]
Bug 1389421 - Support nonce IDL property;
https://reviewboard.mozilla.org/r/170706/#review175902
It is a tad unclear to me what will happen to the content attributes, but I guess this implementation will then just be changed to use something else than content attributes.
Attachment #8899429 -
Flags: review?(bugs) → review+
Comment 8•7 years ago
|
||
Yeah, if at some point there's consensus on hiding the content attributes we'll change to change things around, but much more will need to change anyway at that point so that shouldn't block this.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Reporter | ||
Comment 11•7 years ago
|
||
Comment on attachment 8899429 [details]
Bug 1389421 - Support nonce IDL property;
Re-requesting review for the test changes, since it's not absolutely obvious to me that they're what we want.
Attachment #8899429 -
Flags: review+ → review?(bugs)
Comment 12•7 years ago
|
||
mozreview-review |
Comment on attachment 8899429 [details]
Bug 1389421 - Support nonce IDL property;
https://reviewboard.mozilla.org/r/170706/#review176016
I'd prefer if also ckerschb would take a look at this.
Attachment #8899429 -
Flags: review?(bugs) → review+
Comment 13•7 years ago
|
||
mozreview-review |
Comment on attachment 8899429 [details]
Bug 1389421 - Support nonce IDL property;
https://reviewboard.mozilla.org/r/170706/#review176020
thanks for adding, r=ckerschb
Attachment #8899429 -
Flags: review+
Comment 14•7 years ago
|
||
Pushed by ayg@aryeh.name:
https://hg.mozilla.org/integration/autoland/rev/2e5306010ce1
Support nonce IDL property; r=ckerschb,smaug
Comment 15•7 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Comment 16•7 years ago
|
||
The changes to the .tentative.html tests in this patch in the nonce-hiding are wrong. Those are testing a spec change proposal (hence "tentative") that decouples .nonce from the nonce attribute; see <https://github.com/whatwg/html/pull/2373>. Please make sure those changes get backed out ASAP; we want to make sure we don't upstream them.
Flags: needinfo?(ckerschb)
Flags: needinfo?(bugs)
Comment 17•7 years ago
|
||
Why are there tentative wpt tests. Makes no sense.
I guess I'll back the whole thing out.
Comment 18•7 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #17)
> I guess I'll back the whole thing out.
I agree, we should back out the whole changeset.
Flags: needinfo?(ckerschb)
Comment 19•7 years ago
|
||
Chatted with RyanVM on IRC, he will back out that change for us once the trees reopen.
Flags: needinfo?(ryanvm)
Comment 20•7 years ago
|
||
Backed out at Christoph's request.
https://hg.mozilla.org/integration/mozilla-inbound/rev/05944b9f04aa5f4a35a8c331170ffc343ba122f2
Assignee: ayg → nobody
Status: RESOLVED → REOPENED
status-firefox57:
fixed → ---
Flags: needinfo?(ryanvm)
Flags: needinfo?(bugs)
Resolution: FIXED → ---
Target Milestone: mozilla57 → ---
Updated•7 years ago
|
Status: REOPENED → NEW
Comment 21•7 years ago
|
||
> Why are there tentative wpt tests.
Because people want to be able to share tests for things that are still being discussed.
Comment 22•7 years ago
|
||
Why are such tests in wpt? Sure such tests could be shared in authors' own branches of wpt.
Comment 23•7 years ago
|
||
It is similar if one would push tentative code changes to production code.
Comment 24•7 years ago
|
||
The difference is that WPT has an explicit "this is not passing, and that's ok" mechanism and that the tests are clearly marked as "ok if this fails".
They're in wpt so they can be shared across browsers and used to test implementations of the proposals involved.
Comment 25•7 years ago
|
||
And to be clear, the whole changeset did not need to be backed out; just the changes to the tentative tests. Though if the proposal in https://github.com/whatwg/html/pull/2373 were implemented the implementation of .nonce would need to be changed quite a bit, of course.
Updated•6 years ago
|
Keywords: dev-doc-needed
Comment 26•6 years ago
|
||
I'd suggest we dupe this into bug 1374612? I doubt the DOM Core team has the bandwidth to take this on anytime soon, unless the priority is suddenly different than it was a year ago, and it doesn't seem like we need two bugs to track the same thing.
Comment 28•5 years ago
|
||
This issue affects jQuery as we now need to use both the property & the attribute to set nonce
properly:
https://github.com/jquery/jquery/blob/29a9544a4fb743491a42f827a6cf8627b7b99e0f/src/core/DOMEval.js#L23-L33
While the code is needed for Edge as well, jQuery 4.0 will most likely not support EdgeHTML so Firefox support will be the only blocker.
Updated•5 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago → 5 years ago
Resolution: --- → DUPLICATE
Comment 30•5 years ago
|
||
Anne, it might make sense to implement the property even if we don't do the hiding thing, right? See comment 28 for the reasons we might want to do that.
Flags: needinfo?(annevk)
Comment 31•5 years ago
|
||
Sure, but the other bug has a patch, is being worked on, and at this point is really what we should do if we decide to spend time on this.
Flags: needinfo?(annevk)
Updated•4 years ago
|
Keywords: dev-doc-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•