Angular 18.1.1 is not adding CSP nonce attribute to script tags generated during build(main.ts,polyfills.js etc...)

[sagartalaviya91]

Command

build

Is this a regression?

• Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

No response

Description

I want to implement strict CSP policy for my project, so replaced unsafe-eval and unsafe-inline with nonce-dynamicnonce.
But Angular version 18.1.1 is not adding nonce to script tags of main.js, polyfills.js etc.
Because of that it is considering this scripts tags as unsafe and browser is blocking its execution.
In below stackblitz I used 18.1.1 and added nonce using CSP_NONCE and ngCspNonce. But it is not adding nonce to script tags. Please inspect and check in Dom.
Stackblitz URL: https://stackblitz.com/edit/stackblitz-starters-wr9a9h?file=src%2Fapp%2Fapp.config.ts

As per below merged Issue, It should work in 18.1.1. But it is not working.
#27875

Kindly check!!
Thanks in advanced!

Minimal Reproduction

1. apply nonce using ngCspNonce and CSP_NONCE provider
2. using dev tools check script tags in DOM.
3. It is not adding nonce to script tags of main.js,polyfills.js etc..

Exception or Error

No response

Your Environment

18.1.1

Anything else relevant?

No response

[JoostK]

When running ng build, it does copy the ngCspNonce attribute value to style and script elements as nonce attribute. This is unlike ng serve, which doesn't at the moment.

Note that using both ngCspNonce and providing CSP_NONCE is superfluous; the former will be used to provide CSP_NONCE by default.