Does it say nonce worked below this line?


From Content Security Policy 1.1 - W3C Working Draft 04 June 2013
4.10.1 Usage

This section is non-normative.

The script-src directive lets developers specify exactly which script elements on a page were intentionally included for execution. Ideally, developers would avoid inline script entirely and whitelist scripts by URL. However, in some cases, removing inline scripts can be difficult or impossible. For those cases, developers can whitelist scripts using a randomly generated nonce.

Usage is straightforward. For each request, the server generates a unique value at random, and includes it in the Content-Security-Policy header:

    Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-$RANDOM'

This same value is then applied as a nonce attribute to each script element that ought to be executed. For example, if the server generated the random value Nc3n83cnSAd3wc3Sasdfn939hc3, the server would send the following policy:

    Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-Nc3n83cnSAd3wc3Sasdfn939hc3'

Script elements can then execute either because their src URLs are whitelisted or because they have an appropriate nonce:

    <script>
      alert("Blocked because the policy doesn't have 'unsafe-inline'.")
    </script>

    <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
      alert("Still blocked because nonce is wrong.")
    </script>

    <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3">
      alert("Allowed because nonce is valid.")
    </script>

    <script src=""></script>
    <script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src=""></script>
    <script nonce="Nc3n83cnSAd3wc3Sasdfn939hc3" src=""></script>

Note that the nonce's value is not a hash or signature that verifies the contents of the script resources. It's quite simply a random string that informs the user agent which scripts were intentionally included in the page. Script elements with the proper nonce execute, regardless of whether they're inline or external. Script elements without the proper nonce don't execute unless their URLs are whitelisted.

Even if an attacker is able to inject markup into the protected resource, the attack will be blocked by the attacker's inability to guess the random value.
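The mechanism the draft describes, as an added example that is not part of the draft or of this thread: a server-side nonce generator and policy builder, plus a deliberately simplified model of the user agent's decision (nonce match, then 'self' for external scripts, no 'unsafe-inline'), so you can see which of a page's script elements would run. The page origin, the sample HTML and the helper names are assumptions made for the example.

```python
import secrets
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_ORIGIN = "https://app.example"  # constructed origin of the protected resource


def generate_nonce() -> str:
    """Fresh, unguessable value for one response: 128 bits, base64url encoded."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """The policy from the draft with this response's nonce filled in."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag, in document order."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def policy_nonces(csp: str) -> set:
    """Nonce values listed in the script-src directive of a policy string."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return {p[len("'nonce-"):-1] for p in parts[1:] if p.startswith("'nonce-")}
    return set()


def script_allowed(attrs: dict, nonces: set) -> bool:
    """Simplified user-agent decision for one script element (hypothetical model)."""
    if attrs.get("nonce") in nonces:  # matching nonce: runs whether inline or external
        return True
    src = attrs.get("src")
    if not src:                       # inline without a valid nonce and no 'unsafe-inline'
        return False
    u = urlsplit(urljoin(PAGE_ORIGIN + "/", src))
    return f"{u.scheme}://{u.netloc}" == PAGE_ORIGIN  # 'self': same scheme and host


def evaluate(csp: str, html: str) -> list:
    """One bool per <script> element in page order: True means it would execute."""
    parser = _ScriptCollector()
    parser.feed(html)
    nonces = policy_nonces(csp)
    return [script_allowed(s, nonces) for s in parser.scripts]
```

Injected markup (a script with no nonce or a guessed one) lands in the False slots, while same-origin external scripts still run under 'self' even without a nonce.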