Use style nonce for styles instead of script nonce.

RELNOTES: n/a PiperOrigin-RevId: 367386347
google · Apr 8, 2021 · a33a9c8 · a33a9c8
1 parent f13f1c3
commit a33a9c8
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 12 deletions.
diff --git a/closure/goog/cssom/cssom.js b/closure/goog/cssom/cssom.js
@@ -22,6 +22,7 @@ goog.provide('goog.cssom.CssRuleType');
 goog.require('goog.array');
 goog.require('goog.dom');
 goog.require('goog.dom.TagName');
+goog.require('goog.dom.safe');
 
 
 /**
@@ -373,7 +374,7 @@ goog.cssom.addCssText = function(cssText, opt_domHelper) {
   var cssNode = domHelper.createElement(goog.dom.TagName.STYLE);
 
   // If a CSP nonce is present, propagate it to style blocks
-  var nonce = goog.getScriptNonce();
+  const nonce = goog.dom.safe.getStyleNonce();
   if (nonce) {
     cssNode.setAttribute('nonce', nonce);
   }

diff --git a/closure/goog/style/style.js b/closure/goog/style/style.js
@@ -20,6 +20,7 @@ goog.require('goog.asserts');
 goog.require('goog.dom');
 goog.require('goog.dom.NodeType');
 goog.require('goog.dom.TagName');
+goog.require('goog.dom.safe');
 goog.require('goog.dom.vendor');
 goog.require('goog.html.SafeStyleSheet');
 goog.require('goog.math.Box');
@@ -1331,7 +1332,7 @@ goog.style.installSafeStyleSheet = function(safeStyleSheet, opt_node) {
       body.parentNode.insertBefore(head, body);
     }
     var el = dh.createDom(goog.dom.TagName.STYLE);
-    var nonce = goog.getScriptNonce();
+    const nonce = goog.dom.safe.getStyleNonce();
     if (nonce) {
       el.setAttribute('nonce', nonce);
     }

diff --git a/closure/goog/style/style_test.js b/closure/goog/style/style_test.js
@@ -26,6 +26,7 @@ const googDom = goog.require('goog.dom');
 const googObject = goog.require('goog.object');
 const googStyle = goog.require('goog.style');
 const jsunit = goog.require('goog.testing.jsunit');
+const safe = goog.require('goog.dom.safe');
 const testSuite = goog.require('goog.testing.testSuite');
 const testing = goog.require('goog.html.testing');
 const userAgent = goog.require('goog.userAgent');
@@ -118,9 +119,9 @@ testSuite({
     mockUserAgent = new MockUserAgent();
     mockUserAgent.install();
 
-    if (!goog.getScriptNonce()) {
+    if (!safe.getStyleNonce()) {
       /** @suppress {visibility} suppression added to enable type checking */
-      goog.cspNonce_ = 'thisIsANonce';
+      safe.cspStyleNonce_ = 'thisIsANonce';
     }
   },
 
@@ -1023,9 +1024,9 @@ testSuite({
         googStyle.installSafeStyleSheet(testing.newSafeStyleSheetForTest(''));
 
     const styles = document.head.querySelectorAll('style[nonce]');
-    assert(styles.length > 0);
+    assert(styles.length > 1);
     assertEquals(
-        goog.cspNonce_, styles[styles.length - 1].getAttribute('nonce'));
+        safe.cspStyleNonce_, styles[styles.length - 1].getAttribute('nonce'));
 
     googStyle.uninstallStyles(result);
   },

diff --git a/closure/goog/style/style_test_dom.html b/closure/goog/style/style_test_dom.html
@@ -1,8 +1,3 @@
-<!--
-
-  When changing this, make sure that style_quirks_test.html is kept in sync.
-
--->
 <!--
 Copyright The Closure Library Authors. All Rights Reserved.
 
@@ -11,7 +6,7 @@
 -->
 <meta name="viewport" content="width=device-width, initial-scale=1.0,
     maximum-scale=1.0, minimum-scale=1.0, user-scalable=0">
-<style>
+<style nonce="NONCE">
 
 i {
   font-family: Times, sans-serif;