fix(platform-server): add nonce attribute to event record script (angular#55495)

This commit fixes an issue where the nonce attribute was not added when `CSP_NONCE` token was provided. PR Close angular#55495

Author: alan-agius4

packages/platform-server/src/transfer_state.ts

@@ -21,9 +21,17 @@ export const TRANSFER_STATE_SERIALIZATION_PROVIDERS: Provider[] = [
 ];
 
 /** TODO: Move this to a utils folder and convert to use SafeValues. */
-export function createScript(doc: Document, textContent: string) {
+export function createScript(
+ doc: Document,
+ textContent: string,
+ nonce: string | null,
+): HTMLScriptElement {
  const script = doc.createElement('script');
  script.textContent = textContent;
+ if (nonce) {
+ script.setAttribute('nonce', nonce);
+ }
+
  return script;
 }
 
@@ -39,7 +47,11 @@ function serializeTransferStateFactory(doc: Document, appId: string, transferSto
  return;
  }
 
- const script = createScript(doc, content);
+ const script = createScript(
+ doc,
+ content,
+ null /** nonce is not required for 'application/json' */,
+ );
  script.id = appId + '-state';
  script.setAttribute('type', 'application/json');
 

packages/platform-server/src/utils.ts

@@ -19,6 +19,7 @@ import {
  ɵIS_HYDRATION_DOM_REUSE_ENABLED as IS_HYDRATION_DOM_REUSE_ENABLED,
  ɵSSR_CONTENT_INTEGRITY_MARKER as SSR_CONTENT_INTEGRITY_MARKER,
  ɵwhenStable as whenStable,
+ CSP_NONCE,
 } from '@angular/core';
 
 import {PlatformState} from './platform_state';
@@ -96,13 +97,14 @@ function insertEventRecordScript(
  appId: string,
  doc: Document,
  eventTypesToBeReplayed: Set<string>,
-) {
+ nonce: string | null,
+): void {
  const events = Array.from(eventTypesToBeReplayed);
  // This is defined in packages/core/primitives/event-dispatch/contract_binary.ts
  const replayScript = `window.__jsaction_bootstrap('ngContracts', document.body, ${JSON.stringify(
  appId,
  )}, ${JSON.stringify(events)});`;
- const script = createScript(doc, replayScript);
+ const script = createScript(doc, replayScript, nonce);
  doc.body.insertBefore(script, doc.body.firstChild);
 }
 
@@ -113,12 +115,17 @@ async function _render(platformRef: PlatformRef, applicationRef: ApplicationRef)
  await whenStable(applicationRef);
 
  const platformState = platformRef.injector.get(PlatformState);
- if (applicationRef.injector.get(IS_HYDRATION_DOM_REUSE_ENABLED, false)) {
+ if (environmentInjector.get(IS_HYDRATION_DOM_REUSE_ENABLED, false)) {
  const doc = platformState.getDocument();
  appendSsrContentIntegrityMarker(doc);
  const eventTypesToBeReplayed = annotateForHydration(applicationRef, doc);
  if (eventTypesToBeReplayed) {
- insertEventRecordScript(environmentInjector.get(APP_ID), doc, eventTypesToBeReplayed);
+ insertEventRecordScript(
+ environmentInjector.get(APP_ID),
+ doc,
+ eventTypesToBeReplayed,
+ environmentInjector.get(CSP_NONCE, null),
+ );
  } else {
  // No events to replay, we should remove inlined event dispatch script
  // (which was injected by the build process) from the HTML.

packages/platform-server/test/event_replay_spec.ts

@@ -105,6 +105,27 @@ describe('event replay', () => {
  expect(ssrContents).toContain('<div jsaction="click:"><div jsaction="blur:"></div></div>');
  });
 
+ it(`should add 'nonce' attribute to event record script when 'ngCspNonce' is provided`, async () => {
+ @Component({
+ standalone: true,
+ selector: 'app',
+ template: `
+ <div (click)="onClick()">
+ <div (blur)="onClick()"></div>
+ </div>
+ `,
+ })
+ class SimpleComponent {
+ onClick() {}
+ }
+
+ const doc = `<html><head></head><body><app ngCspNonce="{{nonce}}"></app></body></html>`;
+ const html = await ssr(SimpleComponent, {doc});
+ expect(getAppContents(html)).toContain(
+ '<script nonce="{{nonce}}">window.__jsaction_bootstrap',
+ );
+ });
+
  describe('event dispatch script', () => {
  it('should not be present on a page if there are no events to replay', async () => {
  @Component({