Add a nonce
attribute to <script>
elements
With a nonce-based CSP, every <script>
element must have a nonce
attribute
which matches the random nonce value specified in the CSP header (all scripts
can have the same nonce). The first step is to add these attributes to all
scripts:
Blocked by CSP
<script src="/path/to/script.js"></script>
<script>foo()</script>
CSP will block these scripts, because they don't have `nonce` attributes.
Allowed by CSP
<script nonce="${NONCE}" src="/path/to/script.js"></script>
<script nonce="${NONCE}">foo()</script>
CSP will allow the execution of these scripts if `${NONCE}` is replaced with a value matching the nonce in the CSP response header. Note that some browsers will hide the `nonce` attribute when inspecting the page source.