CSP: Hardened `nonce` content attribute.
We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example. To mitigate these attacks, we'll hide the attribute from these side-channels, and only expose the value to script.
Documentation
Status in Chromium
Blink>SecurityFeature>ContentSecurityPolicy
In development (launch bug)
Consensus & Standardization
- Mixed public signals
- No public signals
- No public signals
- No signals
Owner
Last updated on 2017-06-14