Description
Which @angular/* package(s) are the source of the bug?
Don't known / other
Is this a regression?
No
Description
There was a previous bug raised and fixed for InlineCritical and nonce that fixed the issue when the nonce is provided as an attribute on the app element. It has not been fixed when the nonce is provided as an injection token.
The documentation states that either way of providing a nonce is fine. Neither are depricated or discouraged.
https://angular.dev/best-practices/security#content-security-policy
Here is the original issue and the PR for the fix
angular/angular-cli#20864
angular/angular-cli#24903
You can see the fix for the original issue it only runs if it finds a nonce as an attribute.
https://github.com/angular/angular-cli/blob/d6ea6b09f182433f859a78d4a4d38a9db521e593/packages/angular/build/src/utils/index-file/inline-critical-css.ts#L199
I have recreated the issue with a boilerplate project. When the project is built (ng build not ng serve so the loading optimisations are applied) then the background-color: red styles are not loaded and there will be a CSP message in the browser console.
This should either be fixed for when the nonce is injected only or it should be clear in the documentation that the attribute must be provided.
Please provide a link to a minimal reproduction of the bug
https://github.com/moefinley/angular-broken-csp
Please provide the exception or error you saw
Please provide the environment you discovered this bug in (run ng version)
Angular 19
Anything else?
No response