Google Chrome Stripping nonce values from script tags

What’s described in the question is actually expected behavior — required per the HTML spec: https://html.spec.whatwg.org/multipage/#nonce-attributes:attr-nonce Elements that have a nonce content attribute ensure that the cryptographic nonce is only exposed to script (and not to side-channels like CSS attribute selectors) by extracting the value from the content attribute, moving it into an internal slot …

What’s the point of a timestamp in OAuth if a Nonce can only be used one time?

The timestamp is used for allowing the server to optimize their storage of nonces. Basically, consider the real nonce to be the combination of the timestamp and random string. But by having a separate timestamp component, the server can implement a time-based restriction using a short window (say, 15 minutes) and limit the amount of …

What’s the purpose of the HTML “nonce” attribute for script and style elements?

The nonce attribute lets you “whitelist” certain inline script and style elements, while avoiding use of the CSP unsafe-inline directive (which would allow all inline script and style), so you still retain the key CSP feature of disallowing inline script/style in general. So the nonce attribute is a way to tell browsers the inline contents …