fix(@angular/build): add CSP nonce to script with src tags#27875
alan-agius4 merged 1 commit into angular:main from
Prior to this change, script tags with the `src` attribute were not being assigned a CSP nonce during the build process. This is useful: `strict-dynamic` is a Content Security Policy (CSP) directive that simplifies the management of dynamically loaded scripts while maintaining a high level of security. It allows scripts that are initially trusted (through a nonce or hash) to load other scripts without additional restrictions.

Closes angular#27874
The changes were merged into the following branches: main, 18.0.x
I need this change on Angular version 16. Is there any way to do this fix in Version 16 by overriding inbuilt methods?
Version 16 is in the LTS phase and only receives security fixes.
For all other fixes please update to the latest version.
Please see: https://angular.dev/reference/releases#actively-supported-versions
@alan-agius4 I tried the same using the latest version 18.1.0, but it is not adding a nonce to the script tags of main.js, polyfills.js, etc. Could you please give the release date for this change, so that we can plan our migration accordingly? Stackblitz URL: https://stackblitz.com/edit/stackblitz-starters-wr9a9h?file=src%2Fapp%2Fapp.config.ts
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
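A build-output check for the behaviour discussed in this thread, as an added example (not code from the Angular CLI or from any participant): it lists `<script>` tags, inline or with `src`, whose nonce is missing or not allowed by the `script-src` directive. The function names, the sample HTML and the nonce value `r4nd0m` are constructed for illustration.

```javascript
// Added example: audit built HTML for <script> tags that lack the CSP nonce.
// Regex-based tag scanning is an assumption that suits build-generated
// index.html; use a real HTML parser for arbitrary markup.

// Collect the nonce values allowed by the script-src directive of a CSP header.
function scriptNonces(csp) {
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/i.test(d)) || '';
  return new Set([...directive.matchAll(/'nonce-([^']+)'/g)].map((m) => m[1]));
}

// Read one attribute value from the raw attribute text of a tag.
function attr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrs.match(re);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Return one finding per <script> tag whose nonce is missing or not in the policy.
function auditScriptNonces(html, csp) {
  const allowed = scriptNonces(csp);
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const script = attr(m[1], 'src') ?? '(inline)';
    const nonce = attr(m[1], 'nonce');
    if (nonce === null) {
      findings.push({ script, problem: 'missing nonce' });
    } else if (!allowed.has(nonce)) {
      findings.push({ script, problem: 'nonce not in policy' });
    }
  }
  return findings;
}

// Constructed sample: the inline script carries the nonce, the src scripts do not.
const CSP = "script-src 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'";
const BEFORE = `<script nonce="r4nd0m">window.boot = 1</script>
<script src="polyfills.js" type="module"></script>
<script src="main.js" type="module"></script>`;
// Same document with the nonce also present on the src script tags.
const AFTER = BEFORE.replace(/<script src=/g, '<script nonce="r4nd0m" src=');

console.log(auditScriptNonces(BEFORE, CSP));
console.log(auditScriptNonces(AFTER, CSP));
```

Under `'strict-dynamic'`, host and `'self'` sources in `script-src` are ignored, so a parser-inserted `src` script without a valid nonce or hash is blocked; running this check against the served `index.html` and the response's CSP header shows which tags are affected.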