This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Specification: http://www.whatwg.org/specs/web-apps/current-work/multipage/semantics.html
Multipage: http://www.whatwg.org/C#the-style-element
Complete: http://www.whatwg.org/c#the-style-element
Referrer: http://www.whatwg.org/specs/web-apps/current-work/multipage/
Comment: Consider defining or mentioning the nonce attribute
Posted from: 77.57.114.66 by annevk@annevk.nl
User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0
It's in https://w3c.github.io/webappsec/specs/content-security-policy/#script-src-the-nonce-attribute on <style> and <script>. Having HTML attributes defined in HTML seems better. We should at least keep a complete list somewhere outside of browsers.
What are the authoring and UA conformance requirements?
I'm not sure. Just trying to keep the list of HTML attributes we support in a single place. Mike or Daniel should know.
Could it be defined by external reference to the CSP spec? I agree it would help authors to have a complete list of attributes in one place but I don't think we want duplicate definitions.
The definition should only be in one place, certainly.
It's currently defined at http://www.w3.org/TR/CSP2/#script-src-the-nonce-attribute What should we add to that to make the requirements clear?
Pointing to that is probably sufficient, though maybe we should move the IDL stuff from CSP to HTML entirely, since that's not really what CSP is about anyway.
Looking at this more closely, I realise that this integrates pretty closely with the <script> processing algorithm. It seems like the right solution here would be to put the logic in the HTML spec, and have the CSP spec provide a hook by which the nonce and hash values can be obtained for checking. Is that a plausible plan?
(In reply to Ian 'Hixie' Hickson from comment #8)
> Looking at this more closely, I realise that this integrates pretty closely
> with the <script> processing algorithm. It seems like the right solution
> here would be to put the logic in the HTML spec, and have the CSP spec
> provide a hook by which the nonce and hash values can be obtained for
> checking. Is that a plausible plan?

Sure. Happy to make that change in the CSP spec.
Sorry, hit submit too quickly: what would you like such a hook to provide? Just a sequence of string values you could compare against?
Yeah, probably. There's no attempt to map specific elements to specific strings, right? There's just a list of nonces and a list of hashes?
(In reply to Ian 'Hixie' Hickson from comment #11)
> Yeah, probably. There's no attempt to map specific elements to specific
> strings right? There's just a list of nonces and a list of hashes?

I think you'll need the following:

* Valid nonces for script
* Valid nonces for style
* Pairs of (algorithm, hash) for script
* Pairs of (algorithm, hash) for style

See https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-valid-nonces and https://w3c.github.io/webappsec/specs/content-security-policy/#source-list-valid-hashes for the currently defined algorithms for nonces and hashes respectively.
I think for now I'm going to punt on this. The way it's specified works; this would just be editorial.
Let me know if there's an important reason to prioritise this earlier.
Moved to https://github.com/whatwg/html/pull/49