Open In App

HTML nonce Attribute

Improve
Improve
Like Article
Like
Save
Share
Report

The HTML nonce attribute is a global content attribute that defines a cryptographic nonce(” number used once “). It is used by Content Security Policy(it is an additional layer of security that helps to detect and mitigate certain types of attacks like data injection attacks) to check whether a given fetch will be allowed to proceed for a given element or not. Generally, the attribute nonce specifies the way by which the browser is told that inline contents of some style element or specific/particular script were not injected into the document by third parties and were put in the document intentionally by whomsoever controls the server from where the document is served.

It allows the list of specific elements such as some specific inline script or style elements. It helps to avoid the use of the CSP unsafe-inline directive that would allow-list all inline styles.

Usage of nonce attribute 

For using none, provide the script tag a nonce attribute. The value of the nonce attribute must match one in the list of trusted sources. 

Example :

Javascript




<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
    // Some inline code that I can't remove yet, but needed
</script>


Now this nonce needs to be added to our script-src directive appended to the nonce- keyword.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

Supported Browsers:

  • Google Chrome 
  • Firefox 31.0 and above
  • Microsoft Edge 
  • Opera 
  • Safari 

Last Updated : 06 Jun, 2022
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads