In the context of Content Security Policies there can be elements that are excluded from the policy, if they have the nonce attribute as specified in the respective policy.

Obviously this works for some HTML elements, e.g. <script nonce="..."> and <style nonce="...">. For some, however, it does not work, for example <iframe nonce="...">.

The MDN documentation gives this hint:

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img> element has no nonce attribute, there is no way to associate it with this CSP source).

Is there a complete list of nonceable elements? MDN lists the nonce attribute for script and style tags. On the other hand, the nonce attribute is not listed for the <link> element, but works anyway. Are there more elements like that?

Side question: Why are <img> and <iframe> not nonceable?

Streamfighter

  • Binaries are too expensive to check for nonce compliance. Also some browsers deliver a reduced-quality version of images when they detect a slow connection. Those wouldn't meet the nonce specified, obviously. – connexo Jan 12 '21 at 22:46
  • According to [**This Q&A**](https://stackoverflow.com/questions/42922784/what-s-the-purpose-of-the-html-nonce-attribute-for-script-and-style-elements) it appears only `Script`/`Style` elements are nonceable, and with the number of viewers and upvotes on this question I would hope that if it wasn't true someone would have noticed and commented by now..... – Martin Jan 12 '21 at 22:53
  • The CSP spec requires UAs to check nonces only for `script` & `style` elements. In the algorithm at https://w3c.github.io/webappsec-csp/#match-element-to-source-list, see step 2: *If type is "script" or "style", and § 6.6.3.1 Is element nonceable? returns "Nonceable"…* And at https://w3c.github.io/webappsec-csp/#is-element-nonceable, the *Is element nonceable?* algorithm itself doesn't check just for `script` & `style` elements — but currently the spec only calls that algorithm for `script` & `style` elements. So if you put a nonce on any other element, the spec requires browsers to ignore it – sideshowbarker Jan 13 '21 at 02:39

1 Answer

The MDN documentation gives this hint:

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img>

Yeah, and at the same time Firefox v52.9 (released 25/06/2018) supports nonces for <img>, <iframe>, <object>, <embed>, <audio> and <video>. If you have a WinXP PC you can verify that.

As the test above shows, at the moment only <style> and <script> are nonceable, even though CSP3 does not restrict the use of nonces for any HTML elements.

granty
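To make the behaviour described in sideshowbarker's comment and in the answer concrete, here is a small added Python model (example code written for this page, not part of the original question, answer, or any browser's implementation). It shows the defender's side of nonces: a server generating a fresh random nonce per response and a `Content-Security-Policy` header built from it, plus a simplified version of the spec's "match element to source list" rule in which the nonce is consulted only for `script` and `style` elements and is ignored on `img`, `iframe` and the other media/embedding elements. The directive-to-element mapping, the origin `https://example.test`, and the host matching (only `'self'` and literal prefixes) are simplifications assumed for the demo; a real browser's matching is more elaborate.

```python
"""Model of CSP nonce matching (constructed example, not browser or spec code)."""
import base64
import secrets

# Which directive governs which element. Assumed mapping for this demo; it follows
# the common CSP3 directives but is not a complete table.
DIRECTIVE_FOR_ELEMENT = {
    "script": "script-src",
    "style": "style-src",
    "img": "img-src",
    "iframe": "frame-src",
    "object": "object-src",
    "embed": "object-src",
    "audio": "media-src",
    "video": "media-src",
}

# Per the comment quoting the spec: the nonce check only runs for script and style.
NONCEABLE_TYPES = {"script", "style"}


def generate_nonce(nbytes=16):
    """Fresh per-response nonce: unpredictable random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp(nonce):
    """Header value that allows only nonced script/style and same-origin images."""
    return (
        f"default-src 'none'; "
        f"script-src 'nonce-{nonce}'; "
        f"style-src 'nonce-{nonce}'; "
        f"img-src 'self'"
    )


def parse_csp(header):
    """Turn 'dir a b; dir2 c' into {'dir': ['a', 'b'], 'dir2': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def element_allowed(policy, element_type, src, element_nonce=None,
                    page_origin="https://example.test"):
    """Simplified 'match element to source list'.

    Step 1: pick the governing directive, falling back to default-src.
    Step 2: only for nonceable element types, a matching nonce allows the load.
    Step 3: otherwise fall back to (simplified) host matching.
    """
    directive = DIRECTIVE_FOR_ELEMENT[element_type]
    sources = policy.get(directive, policy.get("default-src", []))

    if element_type in NONCEABLE_TYPES and element_nonce:
        if f"'nonce-{element_nonce}'" in sources:
            return True
    # A nonce on img/iframe/etc. never reaches here as a match: it is ignored.

    for source in sources:
        if source == "'self'" and src.startswith(page_origin + "/"):
            return True
        if source.startswith("'"):          # keywords and nonce-sources: not hosts
            continue
        if src.startswith(source):          # literal host/scheme prefix match
            return True
    return False


def render_page(nonce):
    """HTML the server would emit; only the script/style nonces have any effect."""
    return (
        f'<style nonce="{nonce}">body{{margin:0}}</style>\n'
        f'<script nonce="{nonce}" src="/app.js"></script>\n'
        f'<img src="/logo.png">\n'
        f'<iframe nonce="{nonce}" src="https://other.example/">'  # nonce ignored
    )


if __name__ == "__main__":
    nonce = generate_nonce()
    policy = parse_csp(build_csp(nonce))
    print("Content-Security-Policy:", build_csp(nonce))
    print(render_page(nonce))
    for kind, url, n in [("script", "https://cdn.example.test/app.js", nonce),
                         ("img", "https://example.test/logo.png", None),
                         ("iframe", "https://other.example/", nonce)]:
        print(kind, url, "->", "allowed" if element_allowed(policy, kind, url, n)
              else "blocked")
```

Running it prints the header, the rendered markup, and then `script ... -> allowed`, `img ... -> allowed` (via `'self'`, not the nonce) and `iframe ... -> blocked`, which is the observable consequence of the spec only consulting nonces for `script` and `style`: a nonce on `<iframe>` does not rescue a load that `frame-src` / `default-src 'none'` forbids.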