Update nonceable attribute checks for link elements #810
This PR adds `<link` to the blocklist for nonceable elements. If we're going to keep this algorithm, it should cover all nonceable elements, not just the script and style tags.
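A simplified model of the attribute check this PR extends, as an added example (not the spec's text and not code from the PR). The function names, the attribute-list shape and the sample elements are assumptions; the existing `<script` and `<style` strings are the ones CSP's nonceable check already looks for.

```javascript
// Added illustration: all names and sample data here are constructed.
const BEFORE_PR = ["<script", "<style"];
const AFTER_PR = ["<script", "<style", "<link"];

// ASCII-only lowercasing, so non-ASCII code points such as U+212A (Kelvin
// sign) never fold to "k" and produce a match the check does not intend.
const asciiLower = (s) => s.replace(/[A-Z]/g, (c) => c.toLowerCase());

const hasBlocked = (text, blocklist) =>
  blocklist.some((needle) => asciiLower(text).includes(needle));

// element: { attributes: [{ name, value }], duplicateAttribute: boolean }
function isNonceable(element, blocklist) {
  const attrs = element.attributes;
  // No nonce attribute at all: nothing to match against the policy.
  if (!attrs.some((a) => asciiLower(a.name) === "nonce")) return false;
  for (const { name, value } of attrs) {
    // A tag opener inside a name or value means markup was swallowed.
    if (hasBlocked(name, blocklist) || hasBlocked(value, blocklist)) return false;
  }
  // A duplicate-attribute parse error also disqualifies the element.
  return !element.duplicateAttribute;
}

// Constructed samples: parsed attribute lists, not real page markup.
const attr = (name, value) => ({ name, value });
const el = (attributes, duplicateAttribute = false) => ({ attributes, duplicateAttribute });

const cleanLink = el([attr("rel", "stylesheet"), attr("href", "/app.css"), attr("nonce", "r4nd0m")]);
const swallowedLink = el([attr("href", "/theme.css"), attr("data-x", "</p><LINK rel=stylesheet"), attr("nonce", "r4nd0m")]);
const swallowedScript = el([attr("src", "/a.js"), attr("data-x", "<Script defer"), attr("nonce", "r4nd0m")]);
const kelvinLookalike = el([attr("data-x", "<lin\u212A"), attr("nonce", "r4nd0m")]);
const duplicated = el([attr("nonce", "r4nd0m")], true);

for (const [label, e] of Object.entries({ cleanLink, swallowedLink, swallowedScript })) {
  console.log(label, "before:", isNonceable(e, BEFORE_PR), "after:", isNonceable(e, AFTER_PR));
}
```

Only `swallowedLink` changes outcome between the two blocklists, which is the gap the PR description points at.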
annevk
left a comment
This makes it go out-of-sync with the note here:
https://w3c.github.io/webappsec-csp/#match-element-to-source-list
I think you're pointing at:
This seems like it's already out of date in light of the nonce attribute work we did in HTML. Skimming the doc, there are probably a few other places we should change (https://w3c.github.io/webappsec-csp/#dangling-markup-attacks for one, and we should probably point to I'll try to wrap those changes up in a slightly larger PR.
Ah okay, I didn’t realize that. This change seems okay, but it would be good if it was all consistent.