
Is-element-nonceable should check if the attribute's name |contains| <script or <style> #636

Merged
merged 1 commit into from
Jan 15, 2024

Conversation

evilpie
Contributor

@evilpie evilpie commented Jan 12, 2024

  1. Chrome/Safari both seem to check if <style/</script is contained in the attribute's name, not just an exact match.
  2. @mikewest mentioned this here Prevent nonce stealing by looking for "<script" in attributes of nonced scripts #98 (comment)

(I am actually not quite sure if this is specified correctly, because https://infra.spec.whatwg.org/#ascii-case-insensitive seems to talk about exact matches only?)
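The check this PR changes, modelled as an added example that is neither the spec's text nor any browser's code: an element is represented as a plain object (an assumption), and the `exact` option switches between the old exact-match reading of the attribute-name check and the merged "contains" reading.

```javascript
// Added example, not code from the CSP spec or from any browser.
// Element shape (assumed): { localName, attributes: [{ name, value }], duplicateAttribute }.
const SENTINELS = ["<script", "<style"];

// ASCII case-insensitive folding: only A-Z are lowered, so non-ASCII
// characters can never fold into an ASCII sentinel.
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => String.fromCharCode(c.charCodeAt(0) + 32));
}

function containsSentinel(s) {
  const folded = asciiLower(s);
  return SENTINELS.some((needle) => folded.includes(needle));
}

// exact=true: attribute *name* must equal "<script"/"<style" (pre-PR wording).
// exact=false: attribute *name* need only contain it (wording merged in #636).
// Attribute *values* were already checked with "contains" in both readings.
function isElementNonceable(element, { exact = false } = {}) {
  if (!element.attributes.some((a) => asciiLower(a.name) === "nonce")) {
    return "Not Nonceable";
  }
  if (element.localName === "script") {
    for (const { name, value } of element.attributes) {
      const nameHit = exact
        ? SENTINELS.includes(asciiLower(name))
        : containsSentinel(name);
      if (nameHit || containsSentinel(value)) return "Not Nonceable";
    }
  }
  if (element.duplicateAttribute) return "Not Nonceable";
  return "Nonceable";
}

// Constructed sample elements (not taken from the page).
const cleanScript = { localName: "script", duplicateAttribute: false,
  attributes: [{ name: "nonce", value: "abc123" }, { name: "src", value: "/app.js" }] };
// A swallowed tag can end up *inside* an attribute name rather than being the whole name.
const nameContainsTag = { localName: "script", duplicateAttribute: false,
  attributes: [{ name: "nonce", value: "abc123" }, { name: "data-x<SCRIPT", value: "" }] };
const valueContainsTag = { localName: "script", duplicateAttribute: false,
  attributes: [{ name: "nonce", value: "abc123" }, { name: "data-x", value: "a <style b" }] };
const noNonce = { localName: "script", duplicateAttribute: false,
  attributes: [{ name: "src", value: "/app.js" }] };
```

Only the `exact` reading lets `nameContainsTag` through, which is the gap the merged wording closes.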

Member

@annevk annevk left a comment


I think you're correct that Infra should probably define an operation for this. Could you file an issue on that against Infra?

At the same time, this is probably clear enough to proceed for now and we can improve it even more later on.

@mozfreddyb mozfreddyb merged commit 459f886 into w3c:main Jan 15, 2024
2 checks passed
github-actions bot added a commit that referenced this pull request Jan 15, 2024
…<script/<style> (#636)

SHA: 459f886
Reason: push, by mozfreddyb

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>