DEV Community

Discussion on: What happens when you type 'google.com' into a browser and press Enter?

Antony Garand • Edited

The nonce attribute on a script tag is a CSP-related attribute:

developers.google.com/web/fundamen...

To use a nonce, give your script tag a nonce attribute. Its value must match one in the list of trusted sources. For example:

<script nonce=EDNnf03nceIOfn39fn3e9h3sdfa>
  //Some inline code I can't remove yet, but need to asap.
</script>

Now, add the nonce to your script-src directive appended to the nonce- keyword.

Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'

Remember that nonces must be regenerated for every page request and they must be unguessable.

It does prevent unsafe script from being executed on the webpage if you have an XSS vulnerability. As the nonce must be present in the CSP header, even if you could inject a script tag it wouldn't be executed.

Also note that it does not always default to HTTP and port 80: if your website is in an HSTS preload list, it doesn't. In the case of google.com, it isn't, but many big websites are.

If a website enforces HSTS, it will only default to HTTPS.

Anton Frattaroli

I like how that's nested under "fundamentals".