<script nonce="">

Code Alchemist
Sep 6, 2018 · 1 min read

As a web developer, I sometimes like to open the dev tools while I am surfing the Internet.

And I just saw this on PayPal:

Nice styling on console output!

So what’s it about? XSS!

Conclusion

It’s telling the browser that this script is actually from the same origin. The nonce value comes from the backend and is set in a response header like this:

content-security-policy: script-src 'nonce-b2bNUmTbKz2lXQNduuFscdATzf9Fo6tNRqpi2l48m0peZDQ+'

Note that the server should return a different, unguessable nonce value on every response (because you don’t want others to reuse that value to inject a script, and maybe launch a bunch of other nasty attacks).

Written by Code Alchemist (Explore things… https://stackblitz.com/@Qi-Z)
