Invalid or empty `script-nonce` values now block script execution entirely.
author Mike West <mkwst@google.com>
Tue, 10 Jul 2012 20:08:16 -0700
changeset 135ae736514341a
parent 134 b60168c4306f
child 136 bc22890d228a

This patch addresses various bits of text that weren't clearly normative or
non-normative based on Adam's feedback to https://dvcs.w3.org/hg/content-security-policy/rev/b60168c4306f

The single normative change is to make an invalid `script-nonce` a hard failing
condition for script execution. `script-nonce;` and `script-nonce ;` are no
longer no-ops but instead block script execution, failing loudly and securely.
csp-specification.dev.html
     1.1 --- a/csp-specification.dev.html	Mon Jul 09 10:30:10 2012 -0700
     1.2 +++ b/csp-specification.dev.html	Tue Jul 10 20:08:16 2012 -0700
     1.3 @@ -1188,9 +1188,11 @@
     1.4  nonce             = &lt;token from RFC 2616&gt;
     1.5  </pre>
     1.6  
     1.7 -        <p>If the directive's value is empty, or consists solely of whitespace,
     1.8 -        ignore the directive. Otherwise, let the <var>script nonce</var> be the
     1.9 -        directive's value, <a href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripped
    1.10 +        <p>If the directive's value is empty, consists solely of whitespace, or
    1.11 +        contains invalid characters, let the <var>script nonce</var> be the empty
    1.12 +        string. Otherwise, let the <var>script nonce</var> be the directive's
    1.13 +        value, <a
    1.14 +        href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripped
    1.15          of leading and trailing whitespace</a>.</p>
    1.16  
    1.17          <p>If the policy contains a <code>script-nonce</code> directive, the
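Review bot: "contains invalid characters" in the new first sentence is not tied to the grammar shown just above it (`nonce = <token from RFC 2616>`), and its order relative to the whitespace stripping in the "Otherwise" branch is ambiguous: a token cannot contain whitespace, so a value such as ` abc ` read literally "contains invalid characters" and would yield the empty string rather than `abc`. Suggest stripping first and then testing against the production, e.g. "Strip leading and trailing whitespace from the directive's value. If the result is empty or does not match the `nonce` production, let the script nonce be the empty string; otherwise let the script nonce be the result." That makes the empty-string sentinel reachable only through the invalid-directive path, which is what the matching rule below relies on.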
    1.18 @@ -1203,8 +1205,9 @@
    1.19          <ul>
    1.20              <li>Whenever the user agent would execute a script from a
    1.21              <code>script</code> element, the user agent MUST NOT execute
    1.22 -            the script unless that script element contains a
    1.23 -            <code>nonce</code> attribute whose value, after <a
    1.24 +            the script unless the <var>script nonce</var> is non-empty, and
    1.25 +            that script element contains a <code>nonce</code> attribute whose
    1.26 +            value, after <a
    1.27              href="http://www.whatwg.org/specs/web-apps/current-work/#strip-leading-and-trailing-whitespace">stripping
    1.28              leading and trailing whitespace</a>, is a case-sensitive match
    1.29              for the <var>script nonce</var>.</li>
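Review bot: the added "unless the script nonce is non-empty" condition is what stops `<script nonce="">` (or `nonce=" "`, which strips to the empty string) from matching an empty script nonce, and nothing in the text says so; a one-line note would keep a later edit from folding it back into the attribute comparison as redundant. Separately, the commit message says an invalid directive now fails "loudly", but this hunk only makes the script not execute; consider stating that such non-execution is reported as a violation of the `script-nonce` directive like any other match failure, since an `script-nonce;` that silently kills every script on the page is otherwise hard for authors to diagnose.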
    1.30 @@ -1212,19 +1215,37 @@
    1.31              event handler, instead the user agent MUST NOT execute the
    1.32              script.</li>
    1.33              <li>Whenever the user agent would execute script contained in a
    1.34 -            javascript URI, instead the user agent MUST NOT execute the
    1.35 -            script.</li>
    1.36 +            <code>javascript</code> URI, instead the user agent MUST NOT execute
    1.37 +            the script.</li>
    1.38          </ul>
    1.39          </p>
    1.40 -  
    1.41 -        <p>Note: If both <code>script-nonce</code> and <code>script-src</code>
    1.42 -        directives are present, then script is required to satisfy <em>both</em>
    1.43 -        directives in order to be executed. If a nonce is required, then inline
    1.44 -        event handlers and javascript URIs will not execute, even if
    1.45 -        <code>'unsafe-inline'</code> is an accepted source of script. Likewise,
    1.46 -        a <code>script</code> element will not execute if the script's source is
    1.47 -        not allowed, even if it contains a matching <code>nonce</code>
    1.48 -        attribute.</p>
    1.49 +
    1.50 +        <section class="informative">
    1.51 +          <h5>Interaction with the <code>script-src</code> directive</h5>
    1.52 +          <p>The <code>script-nonce</code> and <code>script-src</code>
    1.53 +          directives' restrictions on code execution are non-exclusive: script
    1.54 +          will not execute unless it satisfies <em>both</em> directives. For
    1.55 +          example, inline event handlers will not execute given the following
    1.56 +          policy:</p>
    1.57 +          <pre>Content-Security-Policy: script-src 'self' 'unsafe-inline';
    1.58 +                         script-nonce <em>nonce_value</em>;</pre>
    1.59 +          <p>The <code>script-src</code> directive allows
    1.60 +          <code>'unsafe-inline'</code>, but the event handler's execution is
    1.61 +          blocked by the presence of the <code>script-nonce</code>
    1.62 +          directive.</p>
    1.63 +          <p>Similarly, script will not be executed given the following
    1.64 +          policy:</p>
    1.65 +          <pre>Content-Security-Policy: script-src https://cdn.example.com;
    1.66 +                         script-nonce <em>nonce_value</em>;</pre>
    1.67 +          <p>and the following <code>script</code> element:</p>
    1.68 +          <pre>&lt;script nonce="<em>nonce_value</em>" src="https://not.example.com/script.js"&gt;&lt;/script&gt;</pre>
    1.69 +          <p>The nonce value matches, but the source isn't included in the
    1.70 +          <code>script-src</code> directive's source list. If the
    1.71 +          <code>script</code> element was loading script from
    1.72 +          <code>https://cdn.example.com/</code> instead, it would execute, as
    1.73 +          its execution would violate neither the <code>script-nonce</code> nor
    1.74 +          <code>script-src</code> directives.</p>
    1.75 +        </section>
    1.76        </section>
    1.77  
    1.78        <section>
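Review bot: both policy examples in the new informative section split the header value across two lines with leading whitespace (`Content-Security-Policy: script-src 'self' 'unsafe-inline';` followed by an indented `script-nonce nonce_value;`); that is header folding, which readers may copy literally, so either keep each policy on one line or say the wrapping is for display only. The first example would also read better if it said what the policy still permits: a `<script>` element carrying `nonce="nonce_value"` executes, inline or loaded from `'self'`, because `script-src` allows it and the nonce matches, while an inline handler has no `nonce` attribute to present and is blocked regardless of `'unsafe-inline'`. The removed note also mentioned `javascript:` URIs alongside event handlers; the normative bullet above still covers them, but the example sentence could keep "inline event handlers and `javascript` URIs" so the informative text is not narrower than the rule it illustrates.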