CSP: Hardened `nonce` content attribute.

DOM

We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example. To mitigate these attacks, we'll hide the attribute from these side-channels, and only expose the value to script.

Documentation

https://github.com/whatwg/dom/pull/436

Status in Chromium

Blink components: Blink>SecurityFeature>ContentSecurityPolicy

In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Mixed public signals
Edge: No public signals
Safari: No public signals
Web Developers: No signals

Owner

mkwst@chromium.org

Last updated on 2020-03-25