From 131fc0afc2ad959865e5ed541674563ed5743bee Mon Sep 17 00:00:00 2001 From: wbamberg Date: Mon, 21 Oct 2024 11:00:54 -0700 Subject: [PATCH] Clarify that one nonce value is set on all style/script tags --- files/en-us/web/http/csp/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md index 31c1e1c261fd905..cc2a2ef70d9e08c 100644 --- a/files/en-us/web/http/csp/index.md +++ b/files/en-us/web/http/csp/index.md @@ -144,14 +144,14 @@ Note that `'none'` cannot be combined with any other method in a particular dire #### Nonces -With a nonce, the server generates a random value for every HTTP response, and includes it in the directive: +With a nonce, the server generates a random value for every HTTP response, and includes it in a `script-src` and/or a `style-src` directive: ```http Content-Security-Policy: script-src 'nonce-416d1177-4d12-4e3b-b7c9-f6c409789fb8' ``` -It then includes the same value as the `nonce` attribute of one or more {{htmlelement("script")}} or {{htmlelement("style")}} tags in the document. +The server then includes this value as the value of the `nonce` attribute of all the {{htmlelement("script")}} and/or {{htmlelement("style")}} tags in the document. The browser compares the two values, and loads the resource only if they match. The idea is that even if an attacker can insert some JavaScript into the page, they won't know which nonce the server is going to use, so the browser will refuse to run the script.
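Review bot: The new wording "the `nonce` attribute of all the {{htmlelement("script")}} and/or {{htmlelement("style")}} tags in the document" overstates the requirement; only the elements the policy is meant to allow need the nonce, since an element without it (or with a stale one) is simply blocked, which is the intended behavior for injected markup. Suggest "of all the {{htmlelement("script")}} and/or {{htmlelement("style")}} elements that the page wants to allow", which keeps the point of the patch (one value shared across the allowed elements, not a fresh one per element) without implying that every element in the document must carry it. Also, the prose now names `style-src` alongside `script-src`, but the example header that follows only shows `script-src 'nonce-...'`; a one-line mention that the same `'nonce-...'` source would appear in `style-src` (or a second example line) would keep the example aligned with the text.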