Add HTML global attribute nonce

[Elchi3]

Helping out on #7303 by adding the global attribute nonce.
mdn/content PR: mdn/content#1318

• Firefox:
  • Initial support for nonce attribute happened here: https://bugzilla.mozilla.org/show_bug.cgi?id=979580
  • Hiding was implemented when the IDL property got implemented https://bugzilla.mozilla.org/show_bug.cgi?id=1374612
• Chromiums:
  • Initial support: ?
  • Hiding support: Need to figure out the version from this https://groups.google.com/a/chromium.org/g/blink-dev/c/wu_fMIYkyaQ/m/85j16Cg6BAAJ (chromestatus seems outdated: https://www.chromestatus.com/feature/5685968463986688). 61 it is: https://storage.googleapis.com/chromium-find-releases-static/7bc.html#7bcb9ee52f2600bafddabaed884ccfea52916753

[Elchi3]

Marking as ready, I'm not sure what the story for initial nonce support is here. Probably sometime around the initial CSP support.

[foolip]

This was enabled in Chromium 36.

Longer version:

I failed to determine when support for the content attribute was shipped from source code archeology, and the tests in WPT didn't run going back to very old Chrome, so I wrote this test:

<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'">
<pre>nonce test passes if one PASS and no FAIL logged:

</pre>
<script nonce=abc>
function log(msg) {
  document.querySelector('pre').textContent += '\n' + msg;
}
log('PASS script with correct nonce ran');
</script>
<script nonce=xyz>log('FAIL script with wrong nonce ran');</script>

Using that I bisected support to introduced in Chrome 36. In Chrome 35 there's a console message saying that the nonce-abc bit isn't recognized, so I'm pretty confident.

Chrome 36 was shipped on 2014-07-16 so the timing matched Intent to Ship: CSP 1.1 [script/style]-[hash/nonce], but I couldn't pinpoint the commit.

[foolip]

As for Safari, it was implemented in WebKit in https://trac.webkit.org/changeset/197944/webkit, behavior and reflected IDL attributes at the same time. (The content attribute was already in the code, probably left over after https://trac.webkit.org/changeset/121883/webkit.)

That was WebKit trunk 602.1.22 which would be Safari 10, matching api.HTMLElement.nonce.

Testing Safari 9.1 and 10.1 on BrowserStack is consistent with this, it's not supported in Safari 9.1 but is in 10.1.

[foolip]

One more thing came up when looking at WebKit. WebKit also has nonce in HTMLLinkElement.idl and behavior in HTMLLinkElement.cpp added in https://trac.webkit.org/changeset/197944/webkit. So at least in WebKit, nonce might also be supported on stylesheets loaded with <link>.

[foolip]

I see whatwg/html#1820 added <link rel=stylesheet nonce> to the spec, and it's now in https://html.spec.whatwg.org/#fetch-and-process-the-linked-resource. But I'm not sure how to test for it. @sideshowbarker do you know CSP well enough to test this?

[sideshowbarker]

I see whatwg/html#1820 added <link rel=stylesheet nonce> to the spec, and it's now in html.spec.whatwg.org/#fetch-and-process-the-linked-resource.

aha — grrr, I really wish we didn’t split stuff across specs like that

But I'm not sure how to test for it. @sideshowbarker do you know CSP well enough to test this?

yeah I can — I’ll post a comment after trying it

[sideshowbarker]

I see whatwg/html#1820 added <link rel=stylesheet nonce> to the spec, and it's now in html.spec.whatwg.org/#fetch-and-process-the-linked-resource.

OK, after walking through the following:

1. https://html.spec.whatwg.org/#fetch-and-process-the-linked-resource
2. https://html.spec.whatwg.org/#default-fetch-and-process-the-linked-resource
3. https://html.spec.whatwg.org/#create-a-potential-cors-request
4. https://fetch.spec.whatwg.org/#concept-request-nonce-metadata
5. https://w3c.github.io/webappsec-csp/#match-nonce-to-source-list

…I find that I can’t actually locate a call site where that Does nonce match source list? algorithm gets called for link elements. I find call sites for style-src and style-src-elem and for CSP script directives. But I don’t find where it ever would get called for link elements.

To put it in other terms, it’s clear that steps 1 to 4 above — the HTML spec and Fetch spec steps — cause the right “cryptographic nonce metadata” from the nonce attribute to be set for the request; but it’s not clear to me where CSP states that “cryptographic nonce metadata” would get consumed/evaluated in the case of link elements.

(P.S. I’ve still not actually tested browsers for link nonce support.)

[foolip]

Hmm, sounds like there might be some dead code in the spec here. The code I found in WebKit also strikes me as unlikely to ever cause a request to be blocked, so maybe this feature was only ever half finished?

Testing the behavior would be great too, that's what I couldn't figure out how to do.

[Elchi3]

I couldn't find much in WPT on nonce, it is used here though:
https://github.com/web-platform-tests/wpt/blob/master/preload/link-header-preload-nonce.html.headers
(results: https://wpt.fyi/results/preload/link-header-preload-nonce.html?label=master&label=experimental&aligned)

I believe the Link header is supposed to be semantically identical to <link>.

[ddbeck]

I've read this through this a couple of times and I admit I'm still a bit confused. What questions remain to be answered to make this ready to be merged?

[Elchi3]

I think we were figuring out if we need additional notes but actually I think we should merge this as is and follow up if needed.

[sideshowbarker]

I think we were figuring out if we need additional notes but actually I think we should merge this as is and follow up if needed.

I agree. I’ve been planning to test but I’ve not managed to make time to do that yet — but I don’t think that should block this from being merged. I’ve opened #8919 to track that task.

[Elchi3]

Forced pushed so CI runs and allows me to merge.