Remember that nonces must be regenerated for every page request and they must be unguessable.
It does prevent unsafe script from being executed on the webpage if you have an XSS vulnerability. As the nonce must be present in the CSP header, even if you could inject a script tag it wouldn't be executed.
Also note that it does not always default to http and port 80: if your website is in an HSTS preload list. In the case of google.com, it isn't, but many big websites will.
If a website enforces HSTS, it will only default to HTTPS.
The nonce attribute on a script tag is a CSP-related attribute:
developers.google.com/web/fundamen...
I like how that's nested under "fundamentals".