nonce - HTML: HyperText Markup Language | MDN


The nonce global attribute is a content attribute defining a cryptographic nonce ("number used once") which can be used by Content Security Policy to determine whether or not a given fetch will be allowed to proceed for a given element.

Description

The nonce attribute is useful to allowlist specific elements, such as a particular inline script or style element. It can help you to avoid using the CSP unsafe-inline directive, which would allowlist all inline scripts or styles.

**Note:** Only use nonce for cases where you have no way around using unsafe inline script or style contents. If you don't need nonce, don't use it. If your script is static, you could also use a CSP hash instead. (See usage notes on unsafe inline script.) Always try to take full advantage of CSP protections and avoid nonces or unsafe inline scripts whenever possible.

Using nonce to allowlist a