From 98c3d7891b68a143917f89711243eeb6d87bf049 Mon Sep 17 00:00:00 2001 From: wbamberg Date: Wed, 16 Oct 2024 14:51:53 -0700 Subject: [PATCH] Boldify make unguessable nonces --- files/en-us/web/http/csp/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md index f979dfef344b769..4213b49ece0d59c 100644 --- a/files/en-us/web/http/csp/index.md +++ b/files/en-us/web/http/csp/index.md @@ -181,7 +181,8 @@ It then includes the same value as the `nonce` attribute of one or more {{htmlel The browser compares the two values, and loads the resource only if they match. The idea is that even if an attacker can insert some JavaScript into the page, they won't know which nonce the server is going to use, so the browser will refuse to run the script. For this approach to work, it must not be possible for an attacker to guess the nonce. -In practice this means that the nonce must be different for every HTTP response, and must not be predictable. + +**In practice this means that the nonce must be different for every HTTP response, and must not be predictable.** This in turn means that the server cannot serve static HTML, because it must insert a new nonce each time. Typically the server would use a templating engine to insert the nonce.
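Review bot: The bolded sentence in this hunk states the requirement (unique per response, unpredictable) but not how to meet it, and "different for every HTTP response" on its own is also satisfied by a per-response counter, which is exactly the predictable case the second half of the sentence rules out. Since the emphasis is being raised anyway, consider adding a short clause on the generation method so the two halves cannot be read separately, for example: "**In practice this means that the nonce must be different for every HTTP response, and must not be predictable: generate it from a cryptographically secure random number generator, never from a counter, timestamp or session value.**" One smaller point: the added blank line separates the bolded requirement from "For this approach to work, it must not be possible for an attacker to guess the nonce.", which is its justification; if the intent is for the requirement to stand out as its own paragraph that is fine, otherwise the blank line would sit better before "For this approach to work" so the justification and the requirement stay together.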