[CSP] Factorize SVGElement & MHTMLElement nonce hiding.

According to: https://github.com/whatwg/html/pull/2373 html and svg Element are hiding their nonce when there are at least one Content-Security-Policy defined from an HTTP header. The two implementation: - HTMLElement::InsertedInto - SVGElement::InsertedInto were hidding the nonce slightly differently. To prevent further divergence, factorize this implementation into Element::HideNonce() and call it from both places. Bug: 1053496 Change-Id: I3cbad88f70c61591bef060d4188c82388e6001d2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2078536 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#746837}

[CSP] Factorize SVGElement & MHTMLElement nonce hiding.
According to: https://github.com/whatwg/html/pull/2373 html and svg Element are hiding their nonce when there are at least one Content-Security-Policy defined from an HTTP header. The two implementation: - HTMLElement::InsertedInto - SVGElement::InsertedInto were hidding the nonce slightly differently. To prevent further divergence, factorize this implementation into Element::HideNonce() and call it from both places. Bug: 1053496 Change-Id: I3cbad88f70c61591bef060d4188c82388e6001d2 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2078536 Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#746837}
8b2cf556 · arthursonzogni · Commit Bot · 4c9f5da8 · 8b2cf556 · 8b2cf556
Commit 8b2cf556 authored Mar 04, 2020 by arthursonzogni Committed by Commit Bot Mar 04, 2020
5 changed files
--- a/third_party/blink/renderer/core/dom/element.cc
+++ b/third_party/blink/renderer/core/dom/element.cc
@@ -4805,6 +4805,16 @@ Node* Element::InsertAdjacent(const String& where,
  return nullptr;
 }
+void Element::HideNonce() {
+  const AtomicString& nonce_value = FastGetAttribute(html_names::kNonceAttr);
+  if (nonce_value.IsEmpty())
+    return;
+  if (!InActiveDocument())
+    return;
+  if (GetDocument().GetContentSecurityPolicy()->HasHeaderDeliveredPolicy())
+    setAttribute(html_names::kNonceAttr, g_empty_atom);
+}
 ElementIntersectionObserverData* Element::IntersectionObserverData() const {
  if (HasRareData())
    return GetElementRareData()->IntersectionObserverData();

--- a/third_party/blink/renderer/core/dom/element.h
+++ b/third_party/blink/renderer/core/dom/element.h
@@ -1013,6 +1013,17 @@ class CORE_EXPORT Element : public ContainerNode, public Animatable {
  virtual void ParserDidSetAttributes() {}
+  // The "nonce" attribute is hidden when:
+  // 1) The Content-Security-Policy is delivered from the HTTP headers.
+  // 2) The Element is part of the active document.
+  // See https://github.com/whatwg/html/pull/2373
+  //
+  // This applies to the element of the HTML and SVG namespaces.
+  //
+  // This function clears the "nonce" attribute whenever conditions (1) and (2)
+  // are met.
+  void HideNonce();
 private:
  void ScrollLayoutBoxBy(const ScrollToOptions*);
  void ScrollLayoutBoxTo(const ScrollToOptions*);

--- a/third_party/blink/renderer/core/html/html_element.cc
+++ b/third_party/blink/renderer/core/html/html_element.cc
@@ -1213,11 +1213,8 @@ Node::InsertionNotificationRequest HTMLElement::InsertedInto(
  // Process the superclass first to ensure that `InActiveDocument()` is
  // updated.
  Element::InsertedInto(insertion_point);
+  HideNonce();
-  if (GetDocument().GetContentSecurityPolicy()->HasHeaderDeliveredPolicy() &&
-      InActiveDocument() && FastHasAttribute(html_names::kNonceAttr)) {
-    setAttribute(html_names::kNonceAttr, g_empty_atom);
-  }
  if (IsFormAssociatedCustomElement())
    EnsureElementInternals().InsertedInto(insertion_point);

--- a/third_party/blink/renderer/core/svg/svg_element.cc
+++ b/third_party/blink/renderer/core/svg/svg_element.cc
@@ -296,16 +296,8 @@ AffineTransform SVGElement::CalculateTransform(
 Node::InsertionNotificationRequest SVGElement::InsertedInto(
    ContainerNode& root_parent) {
  Element::InsertedInto(root_parent);
+  HideNonce();
  UpdateRelativeLengthsInformation();
-  const AtomicString& nonce_value = FastGetAttribute(html_names::kNonceAttr);
-  if (!nonce_value.IsEmpty()) {
-    setNonce(nonce_value);
-    if (InActiveDocument() &&
-        GetDocument().GetContentSecurityPolicy()->HasHeaderDeliveredPolicy()) {
-      setAttribute(html_names::kNonceAttr, g_empty_atom);
-    }
-  }
  return kInsertionDone;
 }

--- a/third_party/blink/web_tests/external/wpt/content-security-policy/nonce-hiding/nonces.html
+++ b/third_party/blink/web_tests/external/wpt/content-security-policy/nonce-hiding/nonces.html
@@ -3,30 +3,62 @@
 <script src="/resources/testharnessreport.js"></script>
 <div id=log></div>
 <script>
-[["meh", ""],
+  const namespace_url= {
- ["div", ""],
+    "HTML": "http://www.w3.org/1999/xhtml",
- ["script", ""],
+    "SVG": "http://www.w3.org/2000/svg",
- ["meh", "http://www.w3.org/2000/svg"],
+  }
- ["svg", "http://www.w3.org/2000/svg"],
+  const test_cases = [
- ["script", "http://www.w3.org/2000/svg"]].forEach(([localName, namespace]) => {
+    ["meh"    , "HTML"],
+    ["div"    , "HTML"],
+    ["script" , "HTML"],
+    ["meh"    , "SVG"],
+    ["svg"    , "SVG"],
+    ["script" , "SVG"],
+  ];
+  test_cases.forEach(([localName, namespace]) => {
    test(t => {
-    const element = namespace === "" ? document.createElement(localName) : document.createElementNS(namespace, localName);
+      const element = document.createElementNS(namespace_url[namespace], localName);
      t.add_cleanup(() => element.remove());
      assert_equals(element.nonce, "", "Initial IDL attribute value");
+      assert_equals(element.getAttribute("nonce"), null, "Initial content attribute");
      element.setAttribute("nonce", "x");
      assert_equals(element.nonce, "x", "IDL attribute is modified after content attribute set");
      assert_equals(element.getAttribute("nonce"), "x", "Content attribute is modified after content attribute set");
      document.body.appendChild(element);
      assert_equals(element.nonce, "x", "IDL attribute is unchanged after element insertion");
      assert_equals(element.getAttribute("nonce"), "", "Content attribute is changed after element insertion");
-  }, `Basic nonce tests for ${localName} in ${namespace === "" ? "HTML" : "SVG"} namespace`);
+    }, `Basic nonce tests for ${localName} in ${namespace} namespace`);
    test(t => {
-    const element = namespace === "" ? document.createElement(localName) : document.createElementNS(namespace, localName);
+      const element = document.createElementNS(namespace_url[namespace], localName);
+      t.add_cleanup(() => element.remove());
      element.setAttribute("nonce", "x");
      assert_equals(element.nonce, "x", "IDL attribute is modified after content attribute set");
      element.removeAttribute("nonce");
      assert_equals(element.nonce, "", "IDL attribute is empty after content attribute removal");
-  }, `Ensure that removal of content attribute does not affect IDL attribute for ${localName} in ${namespace === "" ? "HTML" : "SVG"} namespace`);
+    }, `Ensure that removal of content attribute does not affect IDL attribute for ${localName} in ${namespace} namespace`);
-});
+    test(t => {
+      const element = document.createElementNS(namespace_url[namespace], localName);
+      t.add_cleanup(() => element.remove());
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), null);
+      element.setAttribute("nonce", "");
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), "");
+      document.body.appendChild(element);
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), "");
+      element.removeAttribute("nonce");
+      assert_equals(element.nonce, "");
+      assert_equals(element.getAttribute("nonce"), null);
+    }, `Test empty nonces for ${localName} in ${namespace} namespace`);
+  });
 </script>