mkwst authored
Nonces are valuable, as they allow script execution. It would be lovely if we could raise the bar on exfiltration to reduce the effectiveness of some of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.

One mechanism that might be effective against some kinds of exfiltration is to stop treating the 'nonce' content attribute as the source of truth, instead pulling the nonce value into an internal slot on the HTMLScriptElement at parse-time. That prevents exfiltration via attribute leakage, mitigating the effect of vectors like `[nonce^=ab]` and `content: attr(nonce)` (http://cspnonce-test.appspot.com/exploit?reset=1 and http://sebastian-lekies.de/csp/social_engineering.php, respectively).

We also clear the nonce after use ("number used _once_", right?), which mitigates the style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html (though that specific issue is also resolved by fixing the browser bug in https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that gives developers a hint at what's going on (e.g. in devtools), but we could pretty easily drop that in the future and just make it a devtools feature entirely. Not sure what the right thing to do is.

This prototype just affects `<script>`; once we decide on reasonable behavior, we can extend it to `<link>` and `<style>`.

BUG=680419
Review-Url: https://codereview.chromium.org/2628733005
Cr-Commit-Position: refs/heads/master@{#443252}
d6fffa90
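The mechanism the commit describes, as an added model in plain JavaScript (not Chromium's code): the nonce is moved from the content attribute into an internal slot at parse time, the attribute is rewritten to '[Replaced]', and the slot is cleared on first use by the CSP check. The element shape, `parseScriptElement`, `attributeNonce`, `attributePrefixMatches` and `cspAllowsExecution` are assumptions made for this model.

```javascript
// Added model of parse-time nonce hiding (not Chromium code). Attributes are a
// plain object; the internal slot is a separate field the DOM never exposes.

const REPLACED = "[Replaced]"; // placeholder value named in the commit message

// Parse-time step: capture the nonce into an internal slot and rewrite the
// content attribute so the real value never lives in the attribute map.
function parseScriptElement(attrs) {
  const el = { attributes: { ...attrs }, nonceSlot: null };
  if (Object.prototype.hasOwnProperty.call(attrs, "nonce")) {
    el.nonceSlot = attrs.nonce;
    el.attributes.nonce = REPLACED;
  }
  return el;
}

// What any attribute reader (e.g. a `content: attr(nonce)` rule) can observe:
// only the content attribute, never the internal slot.
function attributeNonce(el) {
  return Object.prototype.hasOwnProperty.call(el.attributes, "nonce")
    ? el.attributes.nonce
    : null;
}

// What an attribute-prefix selector such as `[nonce^=ab]` matches against.
function attributePrefixMatches(el, prefix) {
  const v = attributeNonce(el);
  return typeof v === "string" && v.startsWith(prefix);
}

// CSP check at execution time: read the slot, then clear it so the value is
// used once. A second check on the same element fails.
function cspAllowsExecution(el, policyNonces) {
  const nonce = el.nonceSlot;
  el.nonceSlot = null;
  return nonce !== null && policyNonces.includes(nonce);
}

// Constructed sample: a nonced script under a policy that lists its nonce.
const sample = parseScriptElement({ src: "/app.js", nonce: "abc123" });
console.log(attributeNonce(sample));                    // "[Replaced]"
console.log(attributePrefixMatches(sample, "ab"));      // false
console.log(cspAllowsExecution(sample, ["abc123"]));    // true
console.log(cspAllowsExecution(sample, ["abc123"]));    // false (consumed)
```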