Chrome/Safari trim nonces

[evilpie]

For some reason Chrome and Safari trim nonce strings and as far as I can tell this is not specified anywhere. Firefox doesn't and thus fails this WPT.

Unless there is a strong objection I plan on changing the test to match the specification/Firefox.

[annevk]

How is https://w3c.github.io/webappsec-csp/#match-nonce-to-source-list implemented? I guess the value is base64-decoded then rather than that the nonce attribute value is base64-encoded? That might yield some further differences between implementations, especially given that base64-value allows for both base64 and base64url iirc.

[evilpie]

At least Firefox just compares the raw 'nonce-foobar' (so the "foobar" part) and nonce="foobar" values. No decoding/encoding of either values is involved. We do verify that string following the 'nonce-' in the CSP matches the base64-value grammar.

[mikewest]

It does look like this is an oversight. I assume the intention was for https://html.spec.whatwg.org/multipage/urls-and-fetching.html#nonce-attributes to trim the value before storing it, but I think you're entirely correct that that's not currently documented. If you're willing to change Firefox's behavior, trimming the attribute value before storing it in the internal slot seems like the easiest way of remedying the spec accordingly.

[annevk]

That's not where whitespace removal happens in WebKit, at least. Are you sure it impacts the nonce getter/setter in Chromium? If we want to make a change there that might need some further discussion.

[mikewest]

I'm not at all sure; I haven't looked at this code in the recent past. That said, where would you expect web-visible differences to show up?

[annevk]

Well if you have <x nonce=" surrounded-by-spaces "> and then do .nonce in JS are the spaces still present or not?

[antosart]

@annevk they are.

Chrome strips whitespaces when checking whether CSP matches.

[antosart]

(Also, FWIW, a quick search on httparchive gives zero results of nonces padded with whitespaces.)

[mikewest]

Clearly, I should have looked at the code before guessing. Thanks, Antonio!

In that case, my suggestion is a bad one, and altering the CSP algorithm might be preferable.

[annevk]

Looks like we should also test which whitespace characters are being trimmed as Chromium at least seems to include U+000B which is incorrect.

[evilpie]

I think our behavior is the best here and we should try to align to that. Can we look into a way of shipping that, like telemetry, nightly-only, archive scan etc.?