Define script@nonce and style@nonce attributes

The definitions here are little more than placeholders. We need to
improve the description in CSP such that HTML can hook into reasonable
definitions of the behavior that nonces require when executing the
"prepare a script" and "update a style block" algorithms. For the
moment, defining the attributes and pointing out to the CSP spec (and
to w3c/webappsec#463) is probably Good Enough(tm).

Author: mikewest

source

@@ -12,6 +12,9 @@
  !    - element, attribute, content model, and interface indexes
  !    - adding it to the section with ARIA mappings
  !
+ !   Adding a new attribute involves editing the following sections:
+ !    - The IDL and content attributes for the relevant elements
+ !    - element and attribute indexes
  !-->
 
 <!--
@@ -14730,13 +14733,15 @@ people expect to have work and what is necessary.
    <dt><span data-x="concept-element-attributes">Content attributes</span>:</dt>
    <dd><span>Global attributes</span></dd>
    <dd><code data-x="attr-style-media">media</code></dd>
+   <dd><code data-x="attr-style-nonce">nonce</code></dd>
    <dd><code data-x="attr-style-type">type</code></dd>
    <dd><code data-x="attr-style-scoped">scoped</code></dd>
    <dd>Also, the <code data-x="attr-style-title">title</code> attribute <span data-x="attr-style-title">has special semantics</span> on this element.</dd>
    <dt><span data-x="concept-element-dom">DOM interface</span>:</dt><!--TOPIC:DOM APIs-->
    <dd>
 <pre class="idl">interface <dfn>HTMLStyleElement</dfn> : <span>HTMLElement</span> {
   attribute DOMString <span data-x="dom-style-media">media</span>;
+  attribute DOMString <span data-x="dom-style-nonce">nonce</span>;
   attribute DOMString <span data-x="dom-style-type">type</span>;
   attribute boolean <span data-x="dom-style-scoped">scoped</span>;
 };
@@ -14783,6 +14788,16 @@ people expect to have work and what is necessary.
   attribute is omitted, is "<code data-x="">all</code>", meaning that by default styles apply to all
   media.</p>
 
+  <p>The <dfn><code data-x="attr-style-nonce">nonce</code></dfn> attribute represents a
+  cryptographic nonce ("number used once") which can be used by <cite>Content Security Policy</cite>
+  to determine whether or not the style specified by an element will be applied to the document. The
+  value is text. <ref spec="CSP"></p>
+
+  <p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
+  data-x="attr-style-nonce">nonce</code> attribute needs to be integrated into the <span>update a
+  <code>style</code> block</span> algorithm. The current definition in <ref spec="CSP"> is fairly
+  vague. See <a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>
+
   <p>The <dfn><code data-x="attr-style-scoped">scoped</code></dfn> attribute is a <span>boolean
   attribute</span>. If present, it indicates that the styles are intended just for the subtree
   rooted at the <code>style</code> element's parent element, as opposed to the whole
@@ -14980,8 +14995,10 @@ own thing rather than part of the extended sentence -->
 
   <div w-nodev>
 
-  <p>The <dfn><code data-x="dom-style-media">media</code></dfn>, <dfn><code data-x="dom-style-type">type</code></dfn> and <dfn><code data-x="dom-style-scoped">scoped</code></dfn> IDL attributes must <span>reflect</span> the
-  respective content attributes of the same name.</p>
+  <p>The <dfn><code data-x="dom-style-media">media</code></dfn>, <dfn><code
+  data-x="dom-style-nonce">nonce</code></dfn>, <dfn><code data-x="dom-style-type">type</code></dfn>
+  and <dfn><code data-x="dom-style-scoped">scoped</code></dfn> IDL attributes must
+  <span>reflect</span> the respective content attributes of the same name.</p>
 
   </div>
 
@@ -58134,6 +58151,7 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
    <dd><code data-x="attr-script-async">async</code></dd>
    <dd><code data-x="attr-script-defer">defer</code></dd>
    <dd><code data-x="attr-script-crossorigin">crossorigin</code></dd>
+   <dd><code data-x="attr-script-nonce">nonce</code></dd>
    <dt><span data-x="concept-element-dom">DOM interface</span>:</dt><!--TOPIC:DOM APIs-->
    <dd>
 <pre class="idl">interface <dfn>HTMLScriptElement</dfn> : <span>HTMLElement</span> {
@@ -58144,6 +58162,7 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
   attribute boolean <span data-x="dom-script-defer">defer</span>;
   attribute DOMString? <span data-x="dom-script-crossOrigin">crossOrigin</span>;
   attribute DOMString <span data-x="dom-script-text">text</span>;
+  attribute DOMString <span data-x="dom-script-nonce">nonce</code>;
 };</pre>
    </dd>
   </dl><!--TOPIC:HTML-->
@@ -58220,11 +58239,23 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
   <span>CORS settings attribute</span>. It controls, for scripts that are obtained from other <span
   data-x="origin">origins</span>, whether error information will be exposed.</p>
 
+
+  <p>The <dfn><code data-x="attr-style-nonce">nonce</code></dfn> attribute represents a
+  cryptographic nonce ("number used once") which can be used by <cite>Content Security Policy</cite>
+  to determine whether or not the script specified by an element will be executed. The value is
+  text. <ref spec="CSP"></p>
+
+  <p class="&#x0058;&#x0058;&#x0058;">The processing model for the <code
+  data-x="attr-script-nonce">nonce</code> attribute needs to be integrated into the <span>prepare a
+  script</span> algorithm. The current definition in <ref spec="CSP"> is fairly vague. See
+  <a href="https://github.com/w3c/webappsec/issues/463">w3c/webappsec#463</a>.</p>
+
   <p>Changing the <code data-x="attr-script-src">src</code>, <code
   data-x="attr-script-type">type</code>, <code data-x="attr-script-charset">charset</code>, <code
-  data-x="attr-script-async">async</code>, <code data-x="attr-script-defer">defer</code>, and <code
-  data-x="attr-script-crossorigin">crossorigin</code> attributes dynamically has no direct effect;
-  these attribute are only used at specific times described below.</p> <!-- by implication, changes
+  data-x="attr-script-async">async</code>, <code data-x="attr-script-defer">defer</code>, <code
+  data-x="attr-script-crossorigin">crossorigin</code>, and
+  <code data-x="attr-script-nonce">nonce</code> attributes dynamically has no direct effect; these
+  attributes are only used at specific times described below.</p> <!-- by implication, changes
   to the base URL also have no effect -->
 
   <div w-nodev>
@@ -58897,7 +58928,11 @@ dictionary <dfn>RelatedEventInit</dfn> : <span>EventInit</span> {
 
   </ol>
 
-  <p>The IDL attributes <dfn><code data-x="dom-script-src">src</code></dfn>, <dfn><code data-x="dom-script-type">type</code></dfn>, <dfn><code data-x="dom-script-charset">charset</code></dfn>, <dfn><code data-x="dom-script-defer">defer</code></dfn>, each must <span>reflect</span> the respective
+  <p>The IDL attributes <dfn><code data-x="dom-script-src">src</code></dfn>, <dfn><code
+  data-x="dom-script-type">type</code></dfn>, <dfn><code
+  data-x="dom-script-charset">charset</code></dfn>, <dfn><code
+  data-x="dom-script-defer">defer</code></dfn>, and <dfn><code
+  data-x="dom-script-nonce">nonce</code></dfn>, must each <span>reflect</span> the respective
   content attributes of the same name.</p>
 
   <p>The <dfn><code data-x="dom-script-crossOrigin">crossOrigin</code></dfn> IDL attribute must
@@ -112712,7 +112747,8 @@ if (s = prompt('What is your name?')) {
          <code data-x="attr-script-charset">charset</code>;
          <code data-x="attr-script-async">async</code>;
          <code data-x="attr-script-defer">defer</code>;
-         <code data-x="attr-script-crossorigin">crossorigin</code></td>
+         <code data-x="attr-script-crossorigin">crossorigin</code>;
+         <code data-x="attr-script-nonce">nonce</code></td>
      <td><code>HTMLScriptElement</code></td>
     </tr>
 
@@ -112813,6 +112849,7 @@ if (s = prompt('What is your name?')) {
      <td>varies*</td>
      <td><span data-x="global attributes">globals</span>;
          <code data-x="attr-style-media">media</code>;
+         <code data-x="attr-style-nonce">nonce</code>;
          <code data-x="attr-style-type">type</code>;
          <code data-x="attr-style-scoped">scoped</code></td>
      <td><code>HTMLStyleElement</code></td>
@@ -114128,6 +114165,12 @@ if (s = prompt('What is your name?')) {
      <td> <code data-x="attr-param-name">param</code>
      <td> Name of parameter
      <td> <a href="#attribute-text">Text</a>
+    <tr>
+     <th> <code data-x="">nonce</code>
+     <td> <code data-x="attr-script-nonce">script</code>;
+          <code data-x="attr-style-nonce">style</code>
+     <td> Cryptographic nonce used in <code>Content Security Policy</code> checks <ref spec="CSP">
+     <td> <a href="#attribute-text">Text</a>
     <tr>
      <th> <code data-x="">novalidate</code>
      <td> <code data-x="attr-fs-novalidate">form</code>
@@ -115969,7 +116012,7 @@ INSERT INTERFACES HERE
    <dd>(Non-normative) <cite><a href="http://www.iana.org/assignments/charset-reg/CP50220">CP50220</a></cite>, Y. Naruse. IANA.</dd> <!-- really should be "NARUSE, Y." or some such, but there's a western bias to these references for consistency. sorry. -->
 
    <dt id="refsCSP">[CSP]</dt>
-   <dd>(Non-normative) <cite><a href="https://w3c.github.io/webappsec/specs/content-security-policy/">Content Security Policy</a></cite>, B. Sterne, A. Barth. W3C.</dd>
+   <dd><cite><a href="https://w3c.github.io/webappsec/specs/content-security-policy/">Content Security Policy</a></cite>, M. West, A. Barth, D. Veditz. W3C.</dd>
 
    <dt id="refsCSS">[CSS]</dt>
    <dd><cite><a href="https://drafts.csswg.org/css2/">Cascading Style Sheets Level 2 Revision 2</a></cite>, B. Bos, T. &Ccedil;elik, I. Hickson, H. Lie. W3C.</dd>