A nonce is a randomly generated token that should be used only one time.
A nonce can be defined as a word or phrase that is intended for use only once. If you were a spy, you might come up with a nonce as a code word to authenticate a rendezvous.
The important thing to remember about nonces with respect to Content Security Policy (CSP) is that we only use a nonce once (for one request), and that it should be so random that no one could guess it.
A nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP header.
NOTE: We are using the phrase rAnd0m to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request.
Now we can allow an inline <script> tag to execute by adding our random nonce value in the nonce attribute of the <script> tag:
<script nonce="rAnd0m"> doWhatever(); </script>
So why do we need to add a CSP nonce to every inline script block when we use CSP? The short answer is that when you enable CSP it will disable inline script tags, so code like the following will not execute:
<script> thisWillNotExecute(); </script>
This is because the browser cannot tell the difference between code that you intend for the user to execute and code that an attacker has injected into the page (for example via an XSS vulnerability).
These inline script blocks are dangerous, and the nonce lets the browser know that the server intended to serve this script block if and only if the nonce attribute in the script tag matches the nonce value in the Content-Security-Policy header.
If you are outputting variables inside a nonce-protected script tag, you could cancel out the XSS protection that CSP is giving you.
For example, assume you have a URL such as /example/?id=123 and you are outputting that id value from the URL in your script block:
<script nonce="#request.nonce#"> var id = #url.id# </script>
In the above example assume that the variable token #url.id# is the id value from the query string. Now an attacker could request the URL /example/?id=doSomethingBad(), and your application would send back:
<script nonce="rAnd0m"> var id = doSomethingBad() </script>
As you can see, we just threw away all of the cross-site scripting protection of CSP by improperly using the nonce.
In some situations using a nonce doesn't make sense; in those cases you can use a CSP hash instead of a nonce.
There is one other workaround for this problem, called unsafe-inline, but as its name suggests it is not really a good idea to use it (except in specific conditions).
The nonce source list directive was added to CSP Level 2. This means that support has existed since 2015 in Chrome and Firefox, and in Safari 10+ and Edge 15+.
Nonces are not supported at all in Internet Explorer; you need to use the Edge browser for nonce support instead.