CSP: Hardened `nonce` content attribute.

Category: DOM
Type: New or changed feature
Status: Enabled by default (Chrome 61)
Intent stage: None

Summary

We've seen some recent attacks on CSP which rely on the ability to exfiltrate nonce data via various mechanisms that can grab data from content attributes. CSS selectors are the best example. To mitigate these attacks, we'll hide the attribute from these side-channels, and only expose the value to script.

Standards & signals

Specification: https://html.spec.whatwg.org/#nonce-attributes
Firefox: No signal
Safari: No signal
Web developers: No signals
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=680419

Docs: https://github.com/whatwg/dom/pull/436

View on chromestatus.com