<script nonce=””>
Sep 6, 2018 · 1 min read
As a web developer myself, I sometimes like to open the dev tools while I am surfing the Internet.
And I just saw this for Paypal:

Nice styling on console output!
So what’s it about? XSS!
Conclusion
It’s telling the browser that this inline script really does come from the same origin (the server that produced the page), so it is allowed to run. The nonce value comes from the backend and is set in the response header like this:
content-security-policy: script-src 'nonce-b2bNUmTbKz2lXQNduuFscdATzf9Fo6tNRqpi2l48m0peZDQ+'
Note that the server should return a different, unguessable nonce value on every response (because you don’t want others to reuse that value to inject a script, and maybe pull off a bunch of other nasty attacks).
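As an added example (not code from the post or from PayPal), here is a minimal Python sketch of both sides of the mechanism: a hypothetical handler that mints a fresh nonce per response and places it in both the header and the inline script tag, plus a simplified stand-in for the browser’s check that shows why a missing or stale nonce gets a script blocked. The function names are my own; only the header value quoted above comes from the post.

```python
import html
import re
import secrets

# Header value quoted in the post above (PayPal's real one).
PAYPAL_POLICY = "script-src 'nonce-b2bNUmTbKz2lXQNduuFscdATzf9Fo6tNRqpi2l48m0peZDQ+'"


def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded: unguessable, per response."""
    return secrets.token_urlsafe(16)


def serve_page() -> tuple:
    """Hypothetical handler: the fresh nonce goes into the CSP header and into
    the inline <script> of the same response, and nowhere else."""
    nonce = make_nonce()
    headers = {"Content-Security-Policy": f"script-src 'nonce-{nonce}'"}
    body = (
        "<!doctype html><html><body>"
        f'<script nonce="{html.escape(nonce)}">console.log("hello")</script>'
        "</body></html>"
    )
    return headers, body


def allowed_nonces(policy: str) -> set:
    """Nonce sources listed in the script-src directive of a CSP value.
    Simplified: ignores the default-src fallback and all other source types."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return {p[len("'nonce-"):-1] for p in parts[1:]
                    if p.startswith("'nonce-") and p.endswith("'")}
    return set()


def script_allowed(policy: str, tag_nonce) -> bool:
    """What the browser decides for one <script nonce=...>: run it only if the
    attribute matches a nonce in the policy. No attribute, or a stale value
    copied from an earlier response, means the script is blocked."""
    return tag_nonce is not None and tag_nonce in allowed_nonces(policy)


def nonce_in_body(body: str):
    """Pull the nonce attribute back out of the rendered page (constructed input)."""
    m = re.search(r'<script nonce="([^"]+)"', body)
    return m.group(1) if m else None
```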
