Hide nonce values from the DOM

Confirmed Issue #14674810 • Assigned to Jose L.

Details

Created
Nov 15, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
  • Safari
  • Firefox
Reports
Reported by 1 person


Steps to reproduce

(Copy/pasting from Mozilla’s https://bugzilla.mozilla.org/show_bug.cgi?id=1374612)

"""
Prevent nonce exfiltration via CSS selectors and similar tricks. By hiding the nonce from the DOM, those kinds of CSP policy bypasses can be prevented.

See also:
https://github.com/whatwg/html/pull/2373
https://github.com/w3c/web-platform-tests/tree/master/content-security-policy/nonce-hiding
"""

Attachments

0 attachments
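
A check for the behaviour requested above, added here as an example (it is not part of the original report or of any browser's test suite). It assumes the nonce-hiding behaviour in the HTML standard, where the `nonce` content attribute reads as an empty string while the `element.nonce` property keeps the value; `classifyNonce`, `auditNonceHiding` and `fakeElement` are hypothetical names, and the sample elements are constructed stand-ins so the code also runs outside a browser.

```javascript
// Added example: classify nonce-bearing elements by whether the nonce value
// is readable from the DOM (content attribute or serialized markup).
// Accepts any object exposing getAttribute(), .nonce and .outerHTML, so it
// works on real elements in a browser or on the constructed stand-ins below.
function classifyNonce(el) {
  const attr = el.getAttribute('nonce'); // content attribute: what selectors and markup see
  const idl = el.nonce || '';            // IDL property: script-only view of the nonce
  if (!attr && !idl) return 'no-nonce';
  if (attr) return 'exposed';            // non-empty attribute value is selectable and serializable
  if ((el.outerHTML || '').includes(idl)) return 'exposed'; // value leaked into markup
  return 'hidden';                       // attribute is empty, value lives only in the property
}

// Tally the classification over a collection of elements.
function auditNonceHiding(elements) {
  const report = { hidden: 0, exposed: 0, 'no-nonce': 0 };
  for (const el of elements) report[classifyNonce(el)] += 1;
  return report;
}

// Constructed stand-in for a script element (not a real DOM node).
function fakeElement(attrValue, idlValue) {
  const attrText = attrValue === null ? '' : ` nonce="${attrValue}"`;
  return {
    nonce: idlValue,
    outerHTML: `<script${attrText}></script>`,
    getAttribute: (name) => (name === 'nonce' ? attrValue : null),
  };
}

const SAMPLE_NONCE = 'c2FtcGxlLW5vbmNl'; // constructed value, not from the page
const hidingBrowser = [fakeElement('', SAMPLE_NONCE)];           // nonce hiding implemented
const legacyBrowser = [fakeElement(SAMPLE_NONCE, SAMPLE_NONCE)]; // nonce still in the DOM

// In a page: auditNonceHiding(document.querySelectorAll('[nonce]'))
console.log(auditNonceHiding(hidingBrowser), auditNonceHiding(legacyBrowser));
```

A non-zero `exposed` count on a page served with a nonce-based policy means the nonce is still readable through the content attribute in that browser.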

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

      Changed Assigned To to “travil”

      Changed Assigned To from “travil” to “Jose L.”

      Changed Status to “Confirmed”
