"This nonce will be recomputed every time the top-level frame navigates."

[domenic]

I don't quite understand this part of the explainer.

If the top-level page does a same-document navigation, e.g. from https://example.com/ to https://example.com/#foo, then probably you do not want to change the nonce??

And if the top-level page does a cross-document navigation, e.g. from https://example.com/ to https://example.com/bar, then all iframes will be blown away as part of creating an entirely new document.

Maybe you are talking about what happens if the iframe does a cross-document navigation, and then using bfcache we return back to the original document? I guess you would reset the nonce then?

Or is the intent instead, just, generate a new nonce for every top-level document, which all anonymous iframe descendants of that document will use?

[ArthurSonzogni]

Thanks!

The nonce is page scoped. Where "page" == "top-level-document and what it contains". So, I should say "cross-document" navigation to be precise here. I will make an update to the README.

Or is the intent instead, just, generate a new nonce for every top-level document, which all anonymous iframe descendants of that document will use?

Yes, exactly.

With regards to the back-forward-cache. The previous page is displayed again. The nonce is constant per page. The old page comes back with its nonce. In the implementation, we do nothing special.

[domenic]

Sounds good! Just, while making updates, I'd caution against your usage of the word "page" here in that Chromium-specific way. It's pretty confusing to us in the web standards world, where "page" ~ "web page" ~ Document :).

Given this perspective, it sounds like the document's nonce doesn't really change on navigation. It stays the same. It's just that the new top-level document gets a new nonce. So I would not talk about the nonce changing at all; it's just the document that changes, on cross-document navigations, and as a side effect, you get a new nonce.