Add note about the importance of preventing nonce exfiltration/reuse

[arturjanc]

Implementing nonce-source and features such as 'strict-dynamic' makes it possible for authors to deploy policies based on nonces; however, for the mechanism to be useful the browser has to additionally implement protections against exfiltration and reuse of nonces.

The two features that are critical here are:

1. Hiding nonce attribute values from the DOM (Hide nonce content attribute values. (#2369) whatwg/html#2373) to prevent exfiltration via CSS injection and related techniques.
2. Preventing nonce hijacking by detecting <script or <style substrings in attributes of <script> elements as described in https://w3c.github.io/webappsec-csp/#is-element-nonceable and Prevent nonce stealing by looking for "<script" in attributes of nonced scripts #98

We should add a section which summarizes the extra work that has to be done in the user-agent to prevent nonce exfiltration and reuse attacks, and thus allow nonce-based policies to be effective. This should likely be referenced somewhere close to https://w3c.github.io/webappsec-csp/#strict-dynamic-usage or https://w3c.github.io/webappsec-csp/#directive-script-src (where nonces are first mentioned), or both.

[andypaicu]

There are notes in https://w3c.github.io/webappsec-csp/#security-considerations, do you feel strongly that they need to be around the two sections mentioned above @arturjanc?

[andypaicu]

I think this is fine to close as is, if you disagree feel free to re-open.

[arturjanc]

Sorry, I completely missed this earlier and I can't re-open the issue myself...

I would still at least add a section about nonce exfiltration using CSS and the necessity to hide nonce attributes (whatwg/html#2373) to mitigate this. Currently the "Nonce Stealing" section only talks about dangling markup attacks, rather than the exfiltration vector addressed in the HTML spec.

Similarly, for the dangling markup exfiltration vector it's not obvious from the spec right now that the browser would also need to check for duplicate attributes, as discussed in https://bugs.chromium.org/p/chromium/issues/detail?id=740615

So, to boil it down to specific changes to the spec, I'd propose to:

1. Rename "7.2 Nonce stealing" to "Nonce hijacking".
2. Add a sentence or two about the duplicate attribute fix to that section (https://bugs.chromium.org/p/chromium/issues/detail?id=740615).
3. Add a short section called "Nonce exfiltration" that points to the change discussed in Hide nonce content attribute values. (#2369) whatwg/html#2373 and explains why it's needed (possibly with a link to http://sirdarckcat.blogspot.ch/2016/12/how-to-bypass-csp-nonces-with-dom-xss.html).