From 30c4468755670520422fa7271993cb4fd63e210a Mon Sep 17 00:00:00 2001 From: wbamberg Date: Mon, 21 Oct 2024 11:07:07 -0700 Subject: [PATCH] Clarify 'intend to include' --- files/en-us/web/http/csp/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md index cc2a2ef70d9e08c..04b20d7c9952f8e 100644 --- a/files/en-us/web/http/csp/index.md +++ b/files/en-us/web/http/csp/index.md @@ -151,7 +151,7 @@ Content-Security-Policy: script-src 'nonce-416d1177-4d12-4e3b-b7c9-f6c409789fb8' ``` -The server then includes this value as the value of the `nonce` attribute of all the {{htmlelement("script")}} and/or {{htmlelement("style")}} tags in the document. +The server then includes this value as the value of the `nonce` attribute of all the {{htmlelement("script")}} and/or {{htmlelement("style")}} tags that they intend to include in the document. The browser compares the two values, and loads the resource only if they match. The idea is that even if an attacker can insert some JavaScript into the page, they won't know which nonce the server is going to use, so the browser will refuse to run the script.
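Review bot: The added wording "that they intend to include" has a pronoun agreement problem: the subject is "The server" (singular), so it should read "that it intends to include in the document". The intent of the change is good and worth keeping, because it makes the security point explicit: the nonce goes only on the `script`/`style` elements the server deliberately emits, so a script injected by an attacker will not carry it and the browser will refuse to run it, as the following unchanged sentence explains. While touching this line, "includes this value as the value of the `nonce` attribute" could be simplified to "sets this value as the `nonce` attribute" to remove the repeated "value".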