{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 萌系小妹纸 的问题《What’s the purpose of the HTML “nonce” attribute f》','https://www.manongdao.com/q-108078.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
W3C says there is a new attribute in HTML5.1 called nonce for style and script that can be used by the Content Security Policy of a website.
I googled about it but finally didn't get it what actually this attribute do and what changes when using it?
The
nonceattribute enables you to “whitelist” certain inlinescriptandstyleelements, while avoiding use of the CSPunsafe-inlinedirective (which would allow all inlinescript/style), so that you still retain the key CSP feature of disallowing inlinescript/stylein general.So the
nonceattribute is way of telling browsers that the inline contents of a particular script or style element were not injected into the document by some (malicious) third party, but were instead put into the document intentionally by whoever controls the server the document is served from.https://developers.google.com/web/fundamentals/security/csp/#if_you_absolutely_must_use_it gives a good example of how to use the
nonceattribute, which comes down to the following steps:For every request your Web server receives for a particular document, have your backend generate a random base64-encoded string of at least 128 bits of data from a cryptographically secure random number generator; e.g.,
EDNnf03nceIOfn39fn3e9h3sdfa. That’s your nonce.Take the nonce generated in step 1, and for any inline
script/styleyou want to “whitelist”, make your backend code insert anonceattribute into the document before it’s sent over the wire, with that nonce as the value:Take the nonce generated in step 1, prepend
nonce-to it, and make your backend generate a CSP header with that among the values of the source list forscript-srcorstyle-src:So the mechanism of using a nonce is an alternative to instead having your backend generate a hash of the contents of the inline
scriptorstyleyou want to allow, and then specifying that hash in the appropriate source list in your CSP header.Note that because browsers don’t (can’t) check that the nonce value sent changes between page requests, it’s possible—though totally inadvisable—to skip 1 above and not have your backend do anything dynamically for the nonce, in which case you could just put a
nonceattribute with a static value into the HTML source of your doc, and send a static CSP header with that same nonce value.But the reason you’d not want to use a static nonce in that way is, it’d pretty much defeat the entire purpose of using the nonce at all to begin with—because, if you were to use a static nonce like that, at that point you might as well just be using
unsafe-inline.