From 6b8c0cc0e5a7092efb1f01a7b5612863f0834d3e Mon Sep 17 00:00:00 2001 From: stevefaulkner Date: Thu, 29 Sep 2016 11:05:13 +0100 Subject: [PATCH 1/4] ported nonce on link refer to https://github.com/whatwg/html/pull/1820 --- sections/attributes.include | 2 +- sections/semantics-document-metadata.include | 11 ++++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/sections/attributes.include b/sections/attributes.include index 49b875f3ef..e5726a5423 100644 --- a/sections/attributes.include +++ b/sections/attributes.include @@ -542,7 +542,7 @@ nonce - <{script}>; <{style}> + <{link}>; <{script}>; <{style}> Cryptographic nonce used in Content Security Policy checks [[CSP3]] Text diff --git a/sections/semantics-document-metadata.include b/sections/semantics-document-metadata.include index e11b38cef7..d386c3b81b 100644 --- a/sections/semantics-document-metadata.include +++ b/sections/semantics-document-metadata.include @@ -334,6 +334,7 @@
<{link/rel}> — Relationship of this document (or subsection/topic) to the destination resource
<{link/rev}> — Reverse link relationship of the destination resource to this document (or subsection/topic)
media — Applicable media
+
nonce — Cryptographic nonce used in Content Security Policy checks [[CSP3]]
hreflang — Language of the linked resource
type — Hint for the type of the referenced resource
sizes — Sizes of the icons (for <{link/rel}>="icon")
@@ -466,6 +467,11 @@ which indicates that the current document is the table of contents document for every chapter. + +

The nonce attribute represents a + cryptographic nonce ("number used once") which can be used by Content Security Policy + to determine whether or not an external resource specified by the link will be loaded and applied + to the document. The value is text. [[CSP3]]

The crossorigin attribute is a CORS settings attribute. It is intended for use with external resource links. @@ -490,7 +496,9 @@ url and corsAttributeState. 5. Set request's client to the <{link}> element's node document's {{Window}} object's environment settings object. - 6. Fetch request. + 6. Set request's cryptographic + nonce metadata to the current state of the <{link}> element's nonce content attribute. + 7. Fetch request. User agents may opt to only try to obtain such resources when they are needed, instead of pro-actively fetching all the external resources that are not applied. @@ -667,6 +675,7 @@ rel, rev, media, + nonce, hreflang, type, and sizes each must reflect the From 847884d6adadff1886b97b41fb7603fdeb537455 Mon Sep 17 00:00:00 2001 From: stevefaulkner Date: Thu, 29 Sep 2016 11:10:31 +0100 Subject: [PATCH 2/4] fixed link/nonce dfn --- sections/semantics-document-metadata.include | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sections/semantics-document-metadata.include b/sections/semantics-document-metadata.include index d386c3b81b..723ba5518e 100644 --- a/sections/semantics-document-metadata.include +++ b/sections/semantics-document-metadata.include @@ -468,7 +468,7 @@ -

The nonce attribute represents a +

The nonce attribute represents a cryptographic nonce ("number used once") which can be used by Content Security Policy to determine whether or not an external resource specified by the link will be loaded and applied to the document. The value is text. [[CSP3]]

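Review bot: The definition paragraph says the nonce governs "an external resource specified by the link" without tying that to the link types that actually fetch something. The crossorigin paragraph that follows it in patch 1/4 already says "external resource links", and the nonce paragraph should use the same wording so it is clear the attribute does nothing on hyperlink-type links. "The value is text" also leaves open what an absent or empty attribute means for the Content Security Policy check; state the value used in that case, since step 6 of the obtain steps copies the attribute into the request unconditionally.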
From 0c19bb3512a21310778044c0393502bfc276695f Mon Sep 17 00:00:00 2001 From: stevefaulkner Date: Thu, 29 Sep 2016 11:17:20 +0100 Subject: [PATCH 3/4] code error forgot to close --- sections/semantics-document-metadata.include | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sections/semantics-document-metadata.include b/sections/semantics-document-metadata.include index 723ba5518e..3dc41989f5 100644 --- a/sections/semantics-document-metadata.include +++ b/sections/semantics-document-metadata.include @@ -497,7 +497,7 @@ 5. Set request's client to the <{link}> element's node document's {{Window}} object's environment settings object. 6. Set request's cryptographic - nonce metadata to the current state of the <{link}> element's nonce content attribute. + nonce metadata to the current state of the <{link}> element's nonce content attribute. 7. Fetch request. User agents may opt to only try to obtain such resources when they are needed, instead of From 0dec2c4f8816c1fcf3617907fb27224bdb5e6951 Mon Sep 17 00:00:00 2001 From: stevefaulkner Date: Thu, 29 Sep 2016 15:26:18 +0100 Subject: [PATCH 4/4] updated nonce after mw review https://github.com/w3c/html/pull/604#pullrequestreview-2120500 --- sections/elements.include | 1 + sections/semantics-document-metadata.include | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/sections/elements.include b/sections/elements.include index 5a504e7aa7..c5d447765e 100644 --- a/sections/elements.include +++ b/sections/elements.include @@ -763,6 +763,7 @@ <{link/crossorigin}>; <{link/rel}>; <{link/media}>; + <{link/nonce}>; <{link/hreflang}>; <{link/type}>; <{link/sizes}> diff --git a/sections/semantics-document-metadata.include b/sections/semantics-document-metadata.include index 3dc41989f5..3e253ffe16 100644 --- a/sections/semantics-document-metadata.include +++ b/sections/semantics-document-metadata.include @@ -334,7 +334,7 @@
<{link/rel}> — Relationship of this document (or subsection/topic) to the destination resource
<{link/rev}> — Reverse link relationship of the destination resource to this document (or subsection/topic)
media — Applicable media
-
nonce — Cryptographic nonce used in Content Security Policy checks [[CSP3]]
+
nonce — Cryptographic nonce used in Content Security Policy checks [[CSP3]]
hreflang — Language of the linked resource
type — Hint for the type of the referenced resource
sizes — Sizes of the icons (for <{link/rel}>="icon")
@@ -497,7 +497,7 @@ 5. Set request's client to the <{link}> element's node document's {{Window}} object's environment settings object. 6. Set request's cryptographic - nonce metadata to the current state of the <{link}> element's nonce content attribute. + nonce metadata to the current state of the <{link}> element's <{link/nonce}> content attribute. 7. Fetch request. User agents may opt to only try to obtain such resources when they are needed, instead of @@ -675,7 +675,7 @@ rel, rev, media, - nonce, + nonce, hreflang, type, and sizes each must reflect the
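Review bot: In step 6 of the @@ -497 hunk, "the current state of the <{link}> element's <{link/nonce}> content attribute" reads as wording for an enumerated attribute, but the definition added in patch 1/4 says "The value is text", so there is no state to read. Suggest "the current value of the <{link}> element's <{link/nonce}> content attribute", and say what is used when the attribute is absent, so that the request's cryptographic nonce metadata is always defined before step 7 fetches the request.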
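Review bot: The @@ -675 hunk lists nonce among the IDL attributes that "each must reflect" their content attributes, but no hunk in this series adds a nonce member to the <{link}> element's interface definition. The four patches only touch the content attribute list, the definition paragraph, the obtain steps, this sentence and the two index tables. Unless the member is already declared elsewhere in semantics-document-metadata.include, add it in the same patch as this sentence, or drop nonce from the reflect list.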