Clarify that one nonce value is set on all style/script tags
wbamberg committed Oct 21, 2024
1 parent 8f6af6d commit 131fc0a
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions files/en-us/web/http/csp/index.md
Expand Up @@ -144,14 +144,14 @@ Note that `'none'` cannot be combined with any other method in a particular dire

#### Nonces

With a nonce, the server generates a random value for every HTTP response, and includes it in the directive:
With a nonce, the server generates a random value for every HTTP response, and includes it in a `script-src` and/or a `style-src` directive:

```http
Content-Security-Policy:
script-src 'nonce-416d1177-4d12-4e3b-b7c9-f6c409789fb8'
```

It then includes the same value as the `nonce` attribute of one or more {{htmlelement("script")}} or {{htmlelement("style")}} tags in the document.
The server then includes this value as the value of the `nonce` attribute of all the {{htmlelement("script")}} and/or {{htmlelement("style")}} tags in the document.

The browser compares the two values, and loads the resource only if they match. The idea is that even if an attacker can insert some JavaScript into the page, they won't know which nonce the server is going to use, so the browser will refuse to run the script.

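Review bot: The reworded second paragraph now says the nonce goes on "all the" script and/or style tags, but the unchanged sentence that follows, "The browser compares the two values", still reads as if there were exactly one tag; consider "The browser compares the nonce on each tag with the one in the header, and loads a resource only if they match." It would also help to state the failure case explicitly, since it is the whole point of the mechanism: a script or style element that carries no nonce, or a nonce that does not match the header, is blocked, which is what stops injected markup from executing even though the attacker can place it in the page.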

0 comments on commit 131fc0a
