Closed Bug 1523283 Opened 6 years ago Closed 6 years ago

Allow setting .nonce property via JavaScript on script elements.

Categories

(Core :: DOM: Security, defect)

63 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1389421

People

(Reporter: robclap8, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.71 Safari/537.36

Steps to reproduce:

// Set a CSP nonce-only policy.
// Create a script and add it from a nonced script.
// In CSP nonce-only policies, it is necessary to propagate the nonce value:
let newscript = document.createElement('script');
let myscript = document.getElementById('myscriptid');
newscript.src = '/mysrc.js';
newscript.nonce = myscript.nonce;
myscript.parentNode.insertBefore(newscript,myscript);

Actual results:

The created script does not execute

Expected results:

The created script runs.

There are two main reasons this does not work:

  • getting the nonce by reading the "nonce" property does not work; it's currently necessary to use myscript.getAttribute('nonce')
  • setting the nonce with ".nonce" does not work; it is currently necessary to use newscript.setAttribute('nonce',myscript.nonce||myscript.getAttribute('nonce'))

Note that "myscript.nonce||" is for compatibility reasons, as Chrome hides nonces from the DOM to address exfiltration: https://bugs.chromium.org/p/chromium/issues/detail?id=680419&q=nonce%20idl&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified

The minimal fix would be to allow setting nonces by assigning the correct value to the ".nonce" property.

The ideal fix would be to also hide 'nonce' from the DOM.

I think this was already brought up by Artur in #1505412 but it was not addressed nor assigned a bug to track it.

Flags: needinfo?(arturjanc)
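
The workaround described in the report above, written as a helper that reads and sets the nonce both ways. This is an added example, not code from the bug report or from Firefox; `readNonce`, `insertNoncedScript` and the `fake*` DOM stand-ins are hypothetical names, the latter constructed so the logic runs in Node without a browser.

```javascript
// Read a nonce from an already-trusted script element.
// Nonce-hiding browsers expose it only through the .nonce property (the
// attribute reads as empty); the behaviour reported here exposes it only
// through the content attribute.
function readNonce(el) {
  return el.nonce || el.getAttribute('nonce') || '';
}

// Create a script, copy the nonce to it both ways, insert it before `trusted`.
function insertNoncedScript(doc, trusted, src) {
  const nonce = readNonce(trusted);
  if (!nonce) throw new Error('reference script carries no nonce');
  const s = doc.createElement('script');
  s.src = src;
  s.nonce = nonce;                 // used where the .nonce property is implemented
  s.setAttribute('nonce', nonce);  // used where only the attribute is consulted;
                                   // this leaves the nonce readable from the DOM there
  trusted.parentNode.insertBefore(s, trusted);
  return s;
}

// Constructed stand-ins for DOM nodes (not a real DOM implementation).
function fakeElement({ attr, prop } = {}) {
  const attrs = new Map();
  if (attr !== undefined) attrs.set('nonce', attr);
  const el = {
    children: [],
    parentNode: null,
    getAttribute: (name) => (attrs.has(name) ? attrs.get(name) : null),
    setAttribute: (name, value) => { attrs.set(name, String(value)); },
    insertBefore(node, ref) {
      this.children.splice(this.children.indexOf(ref), 0, node);
      node.parentNode = this;
      return node;
    },
  };
  if (prop !== undefined) el.nonce = prop;
  return el;
}

// Constructed page: one parent holding one nonced script.
function fakePage(nonceShape) {
  const parent = fakeElement();
  const trusted = fakeElement(nonceShape);
  trusted.parentNode = parent;
  parent.children.push(trusted);
  return { doc: { createElement: () => fakeElement() }, parent, trusted };
}
```
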

I don't know how to reproduce this issue as it's too technical for me.

I'm assigning a component to get a start on this; if considered wrong, please feel free to change it to a more appropriate one.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(arturjanc)
Resolution: --- → DUPLICATE