Closed Bug 1627263 Opened 5 years ago Closed 1 year ago

[rel=preload] Propagate "nonce" attribute from <link preload> to loaders

Categories

(Core :: DOM: Core & HTML, enhancement, P3)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
118 Branch
Tracking Flags:
Tracking Status
firefox118 --- fixed

People

(Reporter: mayhemer, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

Attachments

(4 files, 2 obsolete files)

Bug 1627263 - Provide the nonce for speculative style preloads. r?smaug
48 bytes, text/x-phabricator-request
Details | Review
Bug 1627263 - Propagate nonce attribute from <link preload> to loaders. r?smaug
48 bytes, text/x-phabricator-request
Details | Review
Bug 1627263 - Propagate nonce attribute from Link header preloads to loaders. r?smaug!,#necko-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1627263 - Add a WPT test for <link> with and without nonce. r?smaug
48 bytes, text/x-phabricator-request
Details | Review
No description provided.

The current state for CSS is: for a speculative load (which is also a link preload), we don't set 'nonce' for the CSP initial check and hence we don't even start that load. This will rule out link preload. Adding the nonce handling is an optimization. The current state doesn't impose any security issue.

The current state for script: we also add nonce only for non-speculative loads.

This bug turns to be an optimization only, but as rel=preload is, as a whole, a performance feature, this should be done as part of M3.

See Also: → https://bugs.chromium.org/p/chromium/issues/detail?id=702612#c12
Severity: normal → S3
Blocks: 1313937

By not supporting the nonce attribute for speculative <script> loads we would actually trigger CSP error reports in some cases, but bug 1505412 added a very targeted work around for that case. I don't want to replicate this workaround in bug 1313937 when more closely following the specification.

Currently I my patch exclusively supports <script src=".." nonce="..">, because it wasn't totally clear to me if the <link> element really supports nonce. Extending the patch however should be fairly straight forward.

Assignee: nobody → tschuster

Depends on D182777

Attachment #9342346 - Attachment description: WIP: Bug 1627263 - Add nonce attribute to HTML parser. → Bug 1627263 - Add nonce attribute to HTML parser.
Depends on: 1842199

So seems like these unexpected changes in the C++ code do cause problems. Additionally I am going to move this to another bug, so we don't have to leave-open this one.

Flags: needinfo?(tschuster)
Attachment #9342346 - Attachment description: Bug 1627263 - Add nonce attribute to HTML parser. → WIP: Bug 1627263 - Add nonce attribute to HTML parser.
Attachment #9342346 - Attachment is obsolete: false
Attachment #9342346 - Attachment description: WIP: Bug 1627263 - Add nonce attribute to HTML parser. → Bug 1627263 - Add nonce attribute to HTML parser.
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/24e6bd152417 Add nonce attribute to HTML parser. r=hsivonen

Backed out changeset 24e6bd152417 (Bug 1627263) as requested because it landed with the wrong bug number

Backout: https://hg.mozilla.org/integration/autoland/rev/ce73b773910f16b44bcb33f19a119d0a5bc40665

Flags: needinfo?(tschuster)

Comment on attachment 9342346 [details]
Bug 1627263 - Add nonce attribute to HTML parser.

Revision D182777 was moved to bug 1842199. Setting attachment 9342346 [details] to obsolete.

Attachment #9342346 - Attachment is obsolete: true
Flags: needinfo?(tschuster)
Depends on: 1843002
Attachment #9342347 - Attachment is obsolete: true
Depends on: 1843066
Depends on: 1607009
Attachment #9344587 - Attachment description: WIP: Bug 1627263 - Provide the nonce for speculative style preloads. → Bug 1627263 - Provide the nonce for speculative style preloads. r?smaug
Attachment #9344588 - Attachment description: WIP: Bug 1627263 - Propagate nonce attribute from <link preload> to loaders → Bug 1627263 - Propagate nonce attribute from <link preload> to loaders. r?smaug
Attachment #9344589 - Attachment description: WIP: Bug 1627263 - Propagate nonce attribute from Link header preloads to loaders → Bug 1627263 - Propagate nonce attribute from Link header preloads to loaders. r?smaug!,#necko-reviewers!
Attachment #9345749 - Attachment description: WIP: Bug 1627263 - Add a WPT test for <link> with and without nonce → Bug 1627263 - Add a WPT test for <link> with and without nonce. r?smaug
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e68b7692d21a Provide the nonce for speculative style preloads. r=smaug https://hg.mozilla.org/integration/autoland/rev/90cf5ca642be Propagate nonce attribute from <link preload> to loaders. r=smaug https://hg.mozilla.org/integration/autoland/rev/66db18e3f66d Propagate nonce attribute from Link header preloads to loaders. r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/4fe288b36d3a Add a WPT test for <link> with and without nonce. r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/41245 for changes under testing/web-platform/tests
Upstream PR merged by moz-wptsync-bot
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: