Added a duplicate attribute present member to element create call

[andypaicu]

Issue: #3257

Added a flag to set during tokenizer parsing step if a duplicate attribute is found.
Changed the create an element call to pass this new flag.

---

💥 Error: Wattsi server error 💥

PR Preview failed to build. (Last tried on Jan 15, 2021, 7:58 AM UTC).

More

PR Preview relies on a number of web services to run. There seems to be an issue with the following one:

🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.

🔗 Related URL

<html>
<head><title>504 Gateway Time-out</title></head>
<body bgcolor="white">
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.

[andypaicu]

dom PR: whatwg/dom#721

[andypaicu]

@annevk Hi Anne, could I bother you to look at this PR?

[annevk]

So this approach is much more general than the issue suggested we needed. Instead of passing it off to "create an element", could we not use it if that ends up creating a script element? And then set one of the existing bits on the script element (perhaps renaming it to make more sense)?

[andypaicu]

I'm now setting it after constructing the element as you suggested. I'm not entirely sure if there's any reason to only set it on script elements though. I know the CSP algorithm only applies to script elements currently but is there any reason not to have this information on all elements?

[andypaicu]

The travis CI is failing because I now am referencing concept-element-attributes-append which is part of the DOM PR. Once that lands this should pass too.

[annevk]

I'd rather only modify script elements, as we already know they have an internal slot around this, whereas adding a new internal slot to all elements is more invasive (e.g., it requires changing DOM).

What's the reason to expose it on all elements if you can only observe it for script elements?

[andypaicu]

I'd rather only modify script elements, as we already know they have an internal slot around this, whereas adding a new internal slot to all elements is more invasive (e.g., it requires changing DOM).

This is news to me. What is this internal slot and where is documented? Or are we talking here about implementations already having this slot?

What's the reason to expose it on all elements if you can only observe it for script elements?

Well currently none really, but in the future I imagine all sorts of elements might be whitelisteable via nonces and we will probably need to have the same safeguards.

[annevk]

I assumed the slot discussed in #3257 (comment) was standardized. I'm not entirely sure it is though, but it seems this could also be done with "ready to be parser-executed".

[andypaicu]

Hmm in what way could this be done with ready to be parser-executed? I've looked at it for the first time and I don't see it working (but I'm happy to be wrong):

1. There's logic that seems to rely on ready to be parser-executed being eventually set. Algorithms spin the event loop until a script is available to be executed up to the point where the list of scripts that will execute when the document has finished parsing is empty. (https://html.spec.whatwg.org/#the-end for example).
2. (Maybe more importantly) a duplicate attribute does not actually mean that the script will never be allowed to execute because of CSP. Sure it can't be nonce blessed but other mechanisms will still allow it to execute.

I take it that changes to DOM are to be avoided if possible so perhaps a new flag similar to ready to be parser-executed on script elements is a better solution?

[annevk]

Yeah, I think I'd prefer not generalizing until the need is concrete. Also, I didn't realize it was still somewhat dynamic, in that it depends on a CSP check, in which case I agree that it needs to be a new flag of sorts.

[andypaicu]

I've updated this PR and closed the DOM PR.

[andypaicu]

There is a test for the duplicate attribute vulnerability:
https://github.com/web-platform-tests/wpt/blob/master/content-security-policy/script-src/nonce-enforce-blocked.html

And I represent implementer interest from the side of Chrome.

[annevk]

Looks good modulo nits, thanks!

[andypaicu]

Thank you @annevk I've addressed the nits

[annevk]

Thanks for driving the editorial work over the finish line. Couple other things to address before we can land this. Hope that's understandable.

Is the CSP logic yet to be written? Although maybe it's already written given there's non-tentative tests? How does that work?

Mike indicated this was discussed at TPAC, but the minutes weren't detailed enough around this particular item to discern interest from others. I'm willing to accept Henri's analysis though as meaning Mozilla would eventually adopt this.

We'll need bugs against Firefox and Safari.

[andypaicu]

The CSP logic needs to be reworded to use this flag. Currently it is written around the duplicate-attribute error and has an issue raised against it because there is no actual way to tell if this error occurred. https://w3c.github.io/webappsec-csp/#is-element-nonceable

The nonce hijacking consideration section also mentions this again with an issue raised. (https://w3c.github.io/webappsec-csp/#dangling-markup-attacks)

I should be able to spin a PR pretty quick if it's needed before this PR lands but I obviously can't land that PR in CSP before this one lands.

The reason we have the test is because it was identified as a security vulnerability and we wanted to get it patched asap in Chrome. This is currently already implemented in Chrome (version 72 which I think is just now getting to beta).

I am happy to raise bugs against Firefox and Safari. Should I raise them now or wait until this PR is part of the spec?

[annevk]

You can raise those now. And let's do the CSP cleanup PR also now (and just rerun the build after this lands) for completeness as that's what we typically do to make sure a new primitive actually meets the needs of consumers. I'll probably land this tomorrow then unless someone else gets to it first.

[andypaicu]

Safari: https://bugs.webkit.org/show_bug.cgi?id=192667
Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1513968

CSP PR: w3c/webappsec-csp#377

[annevk]

Thanks to the CSP PR I realized we need to export this. You'll need to add: data-export="" data-dfn-type="dfn" data-dfn-for="script" to the <dfn>.

[annevk]

@andypaicu did this ship in Chrome, should this still be standardized?

[zcorpan]

This flag is needed for both style and script, right?