In order to tailor certain security checks to the caller that is
attempting to load a particular piece of content, we need to be able to
attach an appropriate triggering principal to the corresponding requests.
Since most HTML content is loaded based on attribute values, this means
capturing the subject principal of the caller who sets those attributes,
which in turn means we need to make it available to `AfterSetAttr` hooks
on all relevant element types.
Apparently Mozilla completely spaced out on this when adding the CSP nonce
mechanism, potentially causing web compat issues if scripting relies on
being able to get/set nonces through DOM and/or causing CSP policy check
issues if websites try to "hide" nonces.
Since these are just interpreted comments, there's 0 impact on actual code.
This removes all lines that match /* vim: set(.*)tw=80: */ with S&R -- there are
a few others scattered around which will be removed manually in a second part.
This commit does several things:
- Moves the pref check from ScriptLoader to ns[I]Document so it can be called on
the document.
- Changes the attribute freezing function to a better name that takes the
document as a parameter.
- Sets the proper async/defer attributes on HTML script elements based on
keywords and whether they are module scripts or not.
This patch implements:
- noModule getter/setter for HTMLScriptElement
- the nomodule attribute for HTMLScriptElement
- the logic in nsScriptLoader that denies the loading of a nomodule script
- tests
Tag #618