The nonce property of the HTMLOrForeignElement mixin returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.

In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).


Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

let nonce = script['nonce'] || script.getAttribute('nonce');

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps preventing that attackers exfiltrate nonce data via mechanisms that can grab data from content attributes like this:

script[nonce~=whatever] {
  background: url("");


HTML Living Standard
The definition of 'nonce' in that specification.

Browser compatibility

BCD tables only load in the browser

See also