diff --git a/sections/attributes.include b/sections/attributes.include index 49b875f3ef..e5726a5423 100644 --- a/sections/attributes.include +++ b/sections/attributes.include @@ -542,7 +542,7 @@ nonce - <{script}>; <{style}> + <{link}>; <{script}>; <{style}> Cryptographic nonce used in Content Security Policy checks [[CSP3]] Text diff --git a/sections/elements.include b/sections/elements.include index 5a504e7aa7..c5d447765e 100644 --- a/sections/elements.include +++ b/sections/elements.include @@ -763,6 +763,7 @@ <{link/crossorigin}>; <{link/rel}>; <{link/media}>; + <{link/nonce}>; <{link/hreflang}>; <{link/type}>; <{link/sizes}> diff --git a/sections/semantics-document-metadata.include b/sections/semantics-document-metadata.include index e11b38cef7..3e253ffe16 100644 --- a/sections/semantics-document-metadata.include +++ b/sections/semantics-document-metadata.include @@ -334,6 +334,7 @@
<{link/rel}> — Relationship of this document (or subsection/topic) to the destination resource
<{link/rev}> — Reverse link relationship of the destination resource to this document (or subsection/topic)
media — Applicable media
+
nonce — Cryptographic nonce used in Content Security Policy checks [[CSP3]]
hreflang — Language of the linked resource
type — Hint for the type of the referenced resource
sizes — Sizes of the icons (for <{link/rel}>="icon")
@@ -466,6 +467,11 @@ which indicates that the current document is the table of contents document for every chapter. + +

The nonce attribute represents a + cryptographic nonce ("number used once") which can be used by Content Security Policy + to determine whether or not an external resource specified by the link will be loaded and applied + to the document. The value is text. [[CSP3]]

The crossorigin attribute is a CORS settings attribute. It is intended for use with external resource links. @@ -490,7 +496,9 @@ url and corsAttributeState. 5. Set request's client to the <{link}> element's node document's {{Window}} object's environment settings object. - 6. Fetch request. + 6. Set request's cryptographic + nonce metadata to the current state of the <{link}> element's <{link/nonce}> content attribute. + 7. Fetch request. User agents may opt to only try to obtain such resources when they are needed, instead of pro-actively fetching all the external resources that are not applied. @@ -667,6 +675,7 @@ rel, rev, media, + nonce, hreflang, type, and sizes each must reflect the
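Review bot: In the definition paragraph added at @@ -466,6 +467,11, the phrase "loaded and applied to the document" only fits links whose resource is applied, such as stylesheets, while the attribute list in the same file also covers other link types (sizes is described for rel="icon"). Suggest "whether or not the external resource specified by the link will be fetched". Since the first hunk shows nonce already listed for script and style, reusing the wording of that existing definition would keep the three elements consistent. "The value is text" also leaves open how a missing or empty value is treated; one sentence or a pointer into [[CSP3]] would close that.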
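Review bot: In the fetch steps hunk (@@ -490,7 +496,9), new step 6 reads the "current state" of the nonce content attribute, but the definition added earlier in this patch says the value is text, so there is a value to read rather than a state, and the step does not say what the request's cryptographic nonce metadata becomes when the attribute is absent. Suggest "to the value of the link element's nonce content attribute" plus an explicit fallback for the missing case (for example the empty string). The context line right after the steps lets user agents obtain resources only when needed, so it would also help to say whether the value is taken when the element is processed or when the fetch actually runs, since the two can differ if the attribute is changed in between.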
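Review bot: In the last hunk (@@ -667,6 +675,7), nonce is added to the IDL attributes that must reflect their content attributes, but none of the visible hunks adds a nonce member to the link element's interface definition. If the IDL block is not updated elsewhere in this change, add the attribute there so the reflect requirement has a member to apply to.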