Experiment with hiding <script>'s 'nonce' content attribute.

Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of some
of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.

One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is..

This prototype just effects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.

BUG=680419
Review-Url: https://codereview.chromium.org/2628733005
Cr-Commit-Position: refs/heads/master@{#443252}
Committed: https://chromium.googlesource.com/chromium/src/+/d6fffa909e840af681a223f53a2c19dd80942a2d

[Mike West, 2017-01-11 15:49:44]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[Mike West, 2017-01-11 15:50:00]

mkwst@chromium.org changed reviewers:
+ aaj@google.com, jochen@chromium.org

[Mike West, 2017-01-11 15:50:00]

WDYT about this direction?

[commit-bot: I haz the power, 2017-01-11 15:50:07]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-11 16:08:39]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-11 16:08:39]

Dry run: Try jobs failed on following builders:
  cast_shell_android on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/cast_shell_a...)
  mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)

[lwe, 2017-01-11 16:10:54]

On 2017/01/11 15:50:00, Mike West (sloooooow) wrote:
> WDYT about this direction?

Will s.nonce in the following snippet (often used for manual nonce propagation)
still work?
var s = document.querySelectorAll('script[nonce]')[0];
var nonce = s.nonce;

[Mike West, 2017-01-11 19:26:44]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-11 19:27:28]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-11 19:46:06]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-11 19:46:07]

Dry run: Try jobs failed on following builders:
  linux_android_rel_ng on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/linux_androi...)

[Mike West, 2017-01-11 20:42:56]

On 2017/01/11 at 16:10:54, lwe wrote:
> On 2017/01/11 15:50:00, Mike West (sloooooow) wrote:
> > WDYT about this direction?
> 
> Will s.nonce in the following snippet (often used for manual nonce
propagation) still work?
> var s = document.querySelectorAll('script[nonce]')[0];
> var nonce = s.nonce;

Yes.

Though I'm wondering if we need to keep that around after execution. That is:

```
<script nonce=abc id=script>
  document.querySelector('#script').nonce // 'abc'

  window.onload = _ => {
    document.querySelector('#script').nonce // undefined
  };
</script>
```

That would prevent reusing a `<script>` tag, though now that
https://codereview.chromium.org/2618323002 landed we've closed at least one
`<script>` reuse vector... Not sure how important this is.

[Mike West, 2017-01-12 08:29:17]

Description was changed from

==========
WIP: Experiment with hiding the 'nonce' content attribute.

Just scripts right now; will expand it if we like the behavior.
==========

to

==========
Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of attacks
like those hinted at in 

One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is..

This prototype just effects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.

BUG=680419
==========

[jochen (gone - plz use gerrit), 2017-01-12 08:42:17]

the second sentence of the CL description is incomplete

otherwise, this lgtm

[Mike West, 2017-01-12 08:58:37]

Description was changed from

==========
Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of attacks
like those hinted at in 

One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is..

This prototype just effects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.

BUG=680419
==========

to

==========
Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of some
of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.

One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is..

This prototype just effects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.

BUG=680419
==========

[Mike West, 2017-01-12 09:00:23]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-12 09:00:39]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-12 09:02:16]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-12 09:02:17]

Dry run: Try jobs failed on following builders:
  ios-device on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...)
  ios-device-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device-xcode-...)
  ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xco...)

[Mike West, 2017-01-12 09:51:41]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-12 09:51:51]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-12 09:53:48]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-12 09:53:49]

Dry run: Try jobs failed on following builders:
  ios-device on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...)
  ios-device-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device-xcode-...)
  ios-simulator on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...)
  ios-simulator-xcode-clang on master.tryserver.chromium.mac (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator-xco...)

[Mike West, 2017-01-12 10:51:04]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-12 10:51:16]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Mike West, 2017-01-12 12:27:03]

The CQ bit was checked by mkwst@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-01-12 12:27:11]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-12 13:58:27]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-01-12 13:58:28]

Dry run: Try jobs failed on following builders:
  win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[Mike West, 2017-01-12 14:32:28]

The CQ bit was checked by mkwst@chromium.org

[Mike West, 2017-01-12 14:32:29]

The patchset sent to the CQ was uploaded after l-g-t-m from jochen@chromium.org
Link to the patchset: https://codereview.chromium.org/2628733005/#ps140001
(title: "Ugh.")

[commit-bot: I haz the power, 2017-01-12 14:32:41]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-12 16:15:52]

CQ is committing da patch.

Bot data: {"patchset_id": 140001, "attempt_start_ts": 1484231548787410,
"parent_rev": "c104b1c42724791fc3dd69ebbea6e915cab8bedc", "commit_rev":
"d6fffa909e840af681a223f53a2c19dd80942a2d"}

[commit-bot: I haz the power, 2017-01-12 16:16:24]

Description was changed from

==========
Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of some
of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.

One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is..

This prototype just effects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.

BUG=680419
==========

to

==========
Experiment with hiding <script>'s 'nonce' content attribute.

Nonces are valuable, as they allow script execution. It would be lovely if
we could raise the bar on exfiltration to reduce the effectiveness of some
of the attacks noted at http://sebastian-lekies.de/csp/bypasses.php.

One mechanism that might be effective against some kinds of exfiltration is
to stop treating the 'nonce' content attribute as the source of truth, instead
pulling the nonce value into an internal slot on the HTMLScriptElement at
parse-time. That prevents exfiltration via attribute leakage, mitigating the
effect of vectors like `[nonce^=ab]` and `content: attr(nonce)`
(http://cspnonce-test.appspot.com/exploit?reset=1 and
http://sebastian-lekies.de/csp/social_engineering.php, respectively). We also
clear the nonce after use ("number used _once_", right?) which mitigates the
style of attack hinted at in https://sirdarckcat.github.io/csp/fakexss.html
(though that specific issue is also resolved by fixing the browser bug in
https://codereview.chromium.org/2618323002).

Here, we're replacing the nonce content attribute with '[Replaced]', as that
gives developers a hint at what's going on (e.g. in devtools), but we could
pretty easily drop that in the future and just make it a devtools feature
entirely. Not sure what the right thing to do is..

This prototype just effects `<script>`; once we decide on reasonable behavior,
we can extend it to `<link>` and `<style>`.

BUG=680419

Review-Url: https://codereview.chromium.org/2628733005
Cr-Commit-Position: refs/heads/master@{#443252}
Committed:
https://chromium.googlesource.com/chromium/src/+/d6fffa909e840af681a223f53a2c...
==========

[commit-bot: I haz the power, 2017-01-12 16:16:25]

Committed patchset #8 (id:140001) as
https://chromium.googlesource.com/chromium/src/+/d6fffa909e840af681a223f53a2c...

[tkent, 2017-01-17 23:07:17]

tkent@chromium.org changed reviewers:
+ tkent@chromium.org

[tkent, 2017-01-17 23:07:18]

https://codereview.chromium.org/2628733005/diff/140001/third_party/WebKit/Lay...
File third_party/WebKit/LayoutTests/W3CImportExpectations (right):

https://codereview.chromium.org/2628733005/diff/140001/third_party/WebKit/Lay...
third_party/WebKit/LayoutTests/W3CImportExpectations:722:
imported/wpt/html/dom/reflection-misc.html [ Skip ]
Please do not skip this test, and please check in new -expected.txt.  WPT
importer removed the test, and we lost test coverage.