HTML nonce Attribute
The HTML nonce attribute is a global content attribute that defines a cryptographic nonce(” number used once “). It is used by Content Security Policy(it is an additional layer of security that helps to detect and mitigate certain types of attacks like data injection attacks) to check whether a given fetch will be allowed to proceed for a given element or not. Generally, the attribute nonce specifies the way by which the browser is told that inline contents of some style element or specific/particular script were not injected into the document by third parties and were put in the document intentionally by whomsoever controls the server from where the document is served.
It allows the list of specific elements such as some specific inline script or style elements. It helps to avoid the use of the CSP unsafe-inline directive that would allow-list all inline styles.
Usage of nonce attribute
For using none, provide the script tag a nonce attribute. The value of the nonce attribute must match one in the list of trusted sources.
Now this nonce needs to be added to our script-src directive appended to the nonce- keyword.
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
- Google Chrome
- Firefox 31.0 and above
- Microsoft Edge
Please Login to comment...