I have an inline script in my index.html. Something like:
<script type="text/javascript">
console.log('something');
</script>
When I add ngCspNonce="somenonce" to my root component I also see nonce="somenonce" added to my inline script.
My understanding was that that should happen only for inline style and not script.
Cannot find anything in docs about it.
Is this expected behavior?
Yes, this is expected.
Angular applies it to inline scripts as well, as part of its effort to ensure that both inline scripts and styles are handled consistently when enforcing a CSP.
This behavior ensures that Angular works in environments where a CSP is enabled, and it prevents inline scripts and styles from being blocked.
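
An added example, not part of the question or answer above and not Angular's own code: Node.js code that serves index.html with a fresh nonce per response, so the value in ngCspNonce, the nonce on the inline script and the Content-Security-Policy header all match and are never a fixed string such as "somenonce". The app-root selector, the CSP_NONCE_PLACEHOLDER marker and the function names are assumptions.

```javascript
const { randomBytes } = require('node:crypto');

// Constructed template. CSP_NONCE_PLACEHOLDER is a hypothetical marker that
// the server swaps for the real nonce; app-root is an assumed selector.
const INDEX_TEMPLATE = `<!doctype html>
<html>
<head><title>app</title></head>
<body>
  <app-root ngCspNonce="CSP_NONCE_PLACEHOLDER"></app-root>
  <script type="text/javascript" nonce="CSP_NONCE_PLACEHOLDER">
    console.log('something');
  </script>
</body>
</html>`;

// 128 bits from the OS CSPRNG, base64-encoded as the CSP nonce grammar expects.
function generateNonce() {
  return randomBytes(16).toString('base64');
}

// Policy that allows only same-origin files and elements carrying this nonce.
function buildCspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
  ].join('; ');
}

// Produce the body and headers for ONE response. Call it again for the next
// request: a nonce that repeats across responses can be predicted and reused.
function renderIndex(template = INDEX_TEMPLATE) {
  const nonce = generateNonce();
  const html = template.replaceAll('CSP_NONCE_PLACEHOLDER', nonce);
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': buildCspHeader(nonce),
    // Keep caches from replaying a page whose nonce was already used.
    'Cache-Control': 'no-store',
  };
  return { nonce, html, headers };
}
```

In an HTTP handler, pass `headers` and `html` from one `renderIndex()` call to the same response.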