fix(common/http): add CSP nonce support to JsonpClientBackend by YooLCD · Pull Request #67923 · angular/angular

YooLCD · 2026-03-28T15:18:09Z

PR Checklist

Please check if your PR fulfills the following requirements:

The commit message follows our guidelines: https://github.com/angular/angular/blob/main/contributing-docs/commit-message-guidelines.md
Tests for the changes have been added (for bug fixes / features)
Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

Bugfix

What is the current behavior?

JsonpClientBackend does not set the nonce attribute on dynamically injected <script> tags. This causes JSONP requests to be blocked in applications that use Content Security Policy with strict-dynamic, since the browser requires a valid nonce on all dynamically created scripts.

All other places in Angular that create <script> or <style> elements already support CSP nonces via the CSP_NONCE injection token (e.g. SharedStylesHost, DomRendererFactory2, TransferState). JsonpClientBackend was the only exception.

Issue Number: N/A

What is the new behavior?

JsonpClientBackend now optionally injects the CSP_NONCE token and sets it as the nonce attribute on the created <script> element. The token is injected with @Optional(), so existing applications that do not provide CSP_NONCE are unaffected.

Does this PR introduce a breaking change?

Yes
No

Other information

MockScriptElement in jsonp_mock.ts has been updated to support setAttribute/getAttribute to enable nonce-related testing.

JeanMeche · 2026-03-28T23:43:11Z

Tests are failing. Can you PTAL.

YooLCD · 2026-03-29T04:11:11Z

Fixed the constructor issue (removed default = null from the nonce parameter) and updated the public API golden file.

SkyZeroZx · 2026-03-29T05:10:14Z

packages/common/http/src/jsonp.ts

  constructor(
    private callbackMap: JsonpCallbackContext,
    @Inject(DOCUMENT) private document: any,
+    @Optional() @Inject(CSP_NONCE) private readonly nonce: string | null,


Possibly for CSP_NONCE we could use

private readonly nonce = inject(CSP_NONCE , { optional: true });

Or would there be some reason not to use it?

Thanks for the suggestion! Updated to use inject(CSP_NONCE, { optional: true }) as a class field.

pullapprove bot requested a review from JeanMeche March 28, 2026 15:18

angular-robot bot added the area: common/http Issues related to HTTP and HTTP Client label Mar 28, 2026

ngbot bot added this to the Backlog milestone Mar 28, 2026

YooLCD force-pushed the main branch from ad82c48 to 76e431c Compare March 29, 2026 03:37

YooLCD force-pushed the main branch from a340b2f to 68914b0 Compare March 29, 2026 04:13

SkyZeroZx reviewed Mar 29, 2026

View reviewed changes

fix(http): add CSP nonce support to JsonpClientBackend

e88baa9

YooLCD force-pushed the main branch from 5be7850 to e88baa9 Compare March 29, 2026 05:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(common/http): add CSP nonce support to JsonpClientBackend#67923

fix(common/http): add CSP nonce support to JsonpClientBackend#67923
YooLCD wants to merge 1 commit intoangular:mainfrom
YooLCD:main

YooLCD commented Mar 28, 2026

Uh oh!

JeanMeche commented Mar 28, 2026

Uh oh!

YooLCD commented Mar 29, 2026

Uh oh!

SkyZeroZx Mar 29, 2026

Uh oh!

YooLCD Mar 29, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

YooLCD commented Mar 28, 2026

PR Checklist

PR Type

What is the current behavior?

What is the new behavior?

Does this PR introduce a breaking change?

Other information

Uh oh!

JeanMeche commented Mar 28, 2026

Uh oh!

YooLCD commented Mar 29, 2026

Uh oh!

SkyZeroZx Mar 29, 2026

Choose a reason for hiding this comment

Uh oh!

YooLCD Mar 29, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants