A nonce is a randomly generated token that should be used only one time.
A nonce is one of the easiest ways to allow the execution of inline scripts in a Content Security Policy (CSP). Here's how one might use it with the CSP header.
NOTE: We are using the phrase r@nd0m to denote a random value. You should use a cryptographically secure random token generator to generate a nonce value. The random nonce value should only be used for a single HTTP request.
Now we can allow an inline <script> tag to execute by adding our random nonce value in the nonce attribute of the script tag:
<script nonce="r@nd0m"> doWhatever(); </script>
The nonce source list directive was added in CSP Level 2. This means that support has existed since 2015 in Chrome and Firefox, and in Safari 10+ and Edge 15+.
It is not supported at all in Internet Explorer; you need to use the Edge browser instead.