Which HTML elements are nonceable?

In the context of Content Security Policies there can be elements that are excluded from the policy, if they have the nonce attribute as specified in the respective policy.

Obviously this works for some HTML elements, e.g. <script nonce="..."> and <style nonce="...">. For some however, it does not work, for example <iframe nonce="...">.

In the MDN Documentation is written the hint:

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img> element has no nonce attribute, there is no way to associate it with this CSP source).

Is there a complete list of nonceable elements? MDN lists the nonce attribute for script and style tags. On the other hand the nonce attribute is not listed for the <link> element, but works anyway. Are there more elements like that?

Side question: Why are <img> and <iframe> not nonceable?

Streamfighter Avatar asked Jan 12 '21 22:01



1 Answer

In the MDN Documentation is written the hint:

Note: The CSP nonce source can only be applied to nonceable elements (e.g. as the <img>

Yeah, and at the same time Firefox v52.9 release 25/06/2018 supports nonces for <img>, <iframe>, <object>, <embed>, <audio> and <video>. If you have a WinXP PC you can ensure that.

As the test above shows, at the moment only <style> and <script> are nonceables, even though CSP3 does not restrict the use of nonces for any HTML elements.

granty Avatar answered Sep 21 '22 04:09
