The nonce property of the HTMLOrForeignElement interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.

In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).


Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

let nonce = script['nonce'] || script.getAttribute('nonce');

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps preventing that attackers exfiltrate nonce data via mechanisms that can grab data from content attributes like this:

script[nonce~=whatever] {
  background: url("");


HTML Living Standard
The definition of 'nonce' in that specification.

Browser Compatibility

Update compatibility data on GitHub
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
nonceChrome Full support 61Edge Full support 79Firefox Full support 75IE No support NoOpera Full support YesSafari Full support 10WebView Android Full support 61Chrome Android Full support 61Firefox Android No support NoOpera Android Full support YesSafari iOS Full support 10Samsung Internet Android Full support 8.0


Full support  
Full support
No support  
No support

See also