Solution 1:

In the MDN Documentation is written the hint:

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img> element has no nonce attribute, there is no way to associate it with this CSP source).

Yeah, and at the same time Firefox v52.9 (released 25/06/2018) supports nonces for <img>, <iframe>, <object>, <embed>, <audio> and <video>. If you have a WinXP PC you can verify that.

As the test above shows, at the moment only <style> and <script> are nonceables, even though CSP3 does not restrict the use of nonces for any HTML elements.

Problem:

In the context of Content Security Policies there can be elements that are excluded from the policy, if they have the nonce attribute as specified in the respective policy.

Obviously this works for some HTML elements, e.g. <script nonce="..."> and <style nonce="...">. For some however, it does not work, for example <iframe nonce="...">.

In the MDN Documentation is written the hint:

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img> element has no nonce attribute, there is no way to associate it with this CSP source).

Is there a complete list of nonceable elements?
MDN lists the nonce attribute for script and style tags. On the other hand the nonce attribute is not listed for the <link> element, but works anyway. Are there more elements like that?

Side question: Why are <img> and <iframe> not nonceable?
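To make the behaviour described in the question and the answer concrete, here is a small Python model of how a nonce-based policy is evaluated per element. This is an added example, not code from the question, the answer, or any browser; it simplifies the CSP3 matching algorithm (the tag-to-directive table, the origin comparison, and the treatment of `'unsafe-inline'` are assumptions of this example, and the `-elem`/`-attr` directive variants are left out). Its point is that the `'nonce-…'` source is only consulted for the script and style directives, so a `nonce` attribute on `<img>` or `<iframe>` changes nothing: those elements are still judged purely by `img-src` / `frame-src`.

```python
import secrets
from urllib.parse import urlsplit

# Assumed (simplified) mapping from element to the fetch directive that governs it.
# A <link> is assumed to be rel="stylesheet", so it falls under style-src, which is
# why a nonce on <link> works in practice.
DIRECTIVE_FOR_TAG = {
    "script": "script-src",
    "style": "style-src",
    "link": "style-src",
    "img": "img-src",
    "iframe": "frame-src",
    "object": "object-src",
    "embed": "object-src",
    "audio": "media-src",
    "video": "media-src",
}

# Only these directives consult a 'nonce-...' source expression.
NONCE_AWARE_DIRECTIVES = {"script-src", "style-src"}


def make_nonce() -> str:
    """Fresh, unguessable per-response nonce (128 bits, URL-safe base64)."""
    return secrets.token_urlsafe(16)


def build_policy(nonce: str) -> str:
    """Example Content-Security-Policy header value using the nonce."""
    return (
        f"default-src 'none'; script-src 'nonce-{nonce}'; style-src 'nonce-{nonce}'; "
        f"img-src 'self'; frame-src 'none'"
    )


def parse_policy(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def origin_of(url: str, page_origin: str) -> str:
    parts = urlsplit(url)
    if not parts.netloc:
        return page_origin  # relative URL resolves to the page's own origin
    return f"{parts.scheme}://{parts.netloc}"


def element_allowed(tag: str, attrs: dict, policy: dict,
                    page_origin: str = "https://example.test") -> bool:
    """Decide whether an element passes the (simplified) policy."""
    directive = DIRECTIVE_FOR_TAG.get(tag)
    if directive is None:
        return True  # element not governed by a fetch directive in this model
    sources = policy.get(directive, policy.get("default-src", []))
    nonce = attrs.get("nonce")

    # The nonce is honoured only for script/style directives; for img-src,
    # frame-src etc. the attribute is simply ignored.
    if directive in NONCE_AWARE_DIRECTIVES and nonce and f"'nonce-{nonce}'" in sources:
        return True

    src = attrs.get("src") or attrs.get("href")
    if src is None:
        # Inline content: a nonce source in the directive disables 'unsafe-inline',
        # so without a matching nonce the inline block is rejected.
        has_nonce_source = any(s.startswith("'nonce-") for s in sources)
        return "'unsafe-inline'" in sources and not has_nonce_source

    src_origin = origin_of(src, page_origin)
    if "'self'" in sources and src_origin == page_origin:
        return True
    return src_origin in sources


if __name__ == "__main__":
    n = make_nonce()
    p = parse_policy(build_policy(n))
    for tag, attrs in [("script", {"nonce": n}),
                       ("img", {"nonce": n, "src": "https://cdn.example/a.png"}),
                       ("iframe", {"nonce": n, "src": "https://other.example/"})]:
        print(tag, attrs, "->", element_allowed(tag, attrs, p))
```

Run as-is it prints that the nonced `<script>` is allowed while the nonced `<img>` and `<iframe>` are not, because their governing directives never look at the nonce. A real browser follows the HTML "is element nonceable?" check plus the full CSP3 source-matching algorithm; this model keeps only the part relevant to the question.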

Comments

Comment posted by connexo

Binaries are too expensive to check for nonce compliance. Also some browsers deliver a reduced-quality version of images when they detect a slow connection. Those wouldn’t meet the nonce specified, obviously.

Comment posted by [author not captured]

According to w3c.github.io/webappsec-csp/#match-element-to-source-list, the CSP spec requires UAs to check nonces only for