From e0df80588f6a10ec226937c4a1eedc833e03d89d Mon Sep 17 00:00:00 2001
From: Andrei Tuicu
Date: Fri, 13 Dec 2024 11:58:44 +0100
Subject: [PATCH 1/2] feat: add nonce to the live reload scripts
---
 src/server/utils.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/server/utils.js b/src/server/utils.js
index 8b13d3773..d8b23044b 100644
--- a/src/server/utils.js
+++ b/src/server/utils.js
@@ -89,9 +89,11 @@ const utils = {
 if (match) {
 const { index } = match;
 // eslint-disable-next-line no-param-reassign
+ const nonceMatch = body.match(/nonce="([a-zA-Z0-9+/=]+)"/);
+ const nonce = nonceMatch ? ` nonce="${nonceMatch[1]}"` : '';
 let newbody = body.substring(0, index);
 if (process.env.CODESPACES === 'true') {
- newbody += ``;
 } else {
- newbody += ``;
+ newbody += ``;
 }
- newbody += '';
+ newbody += ``;
 newbody += body.substring(index);
 return newbody;
 }
From ef3b730aec11379a222e9b5d4b9fade062056abf Mon Sep 17 00:00:00 2001
From: Andrei Tuicu
Date: Thu, 16 Jan 2025 16:59:24 +0100
Subject: [PATCH 2/2] feat: add nonce support
---
 src/server/HeadHtmlSupport.js | 6 ++++++
 src/server/utils.js | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/server/HeadHtmlSupport.js b/src/server/HeadHtmlSupport.js
index f41d7c184..bb4c45292 100644
--- a/src/server/HeadHtmlSupport.js
+++ b/src/server/HeadHtmlSupport.js
@@ -31,6 +31,12 @@ export default class HeadHtmlSupport {
 const update = (obj, keys) => {
 keys.sort();
 for (const k of keys) {
+ if (k === 'nonce') {
+ // ignore nonce attribute, because it can change on every request
+ // eslint-disable-next-line no-continue
+ continue;
+ }
+
 let v = obj[k];
 if (v !== undefined) {
 if (Array.isArray(v)) {
diff --git a/src/server/utils.js b/src/server/utils.js
index d8b23044b..8895f4549 100644
--- a/src/server/utils.js
+++ b/src/server/utils.js
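Review bot: The character class in `/nonce="([a-zA-Z0-9+/=]+)"/` leaves out `-` and `_`, which the CSP nonce grammar also permits (base64url), so a page using such a nonce produces no match and the injected live-reload scripts are emitted without a nonce, where the page's policy would presumably block them. Widening it to `/nonce="([a-zA-Z0-9+/_=-]+)"/` still limits the captured value to characters that cannot break out of the quoted attribute. The pattern also takes the first `nonce="…"` found anywhere in `body`, so a short comment stating that assumption would help the next reader. Separately, the two new `const` lines sit between `// eslint-disable-next-line no-param-reassign` and the statement it preceded, so the directive now applies to `const nonceMatch`; placing the new lines above that comment avoids this. The enclosing function begins outside the hunk.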
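Review bot: The `k === 'nonce'` check in `update` skips by property name alone, so any key called `nonce` that reaches this loop is left out, whatever object it belongs to; the hunk does not show how `update` is called, so whether that is limited to element attributes cannot be confirmed from here. The comment says why the value is unstable but not what the skip protects; if the intent is to keep the computed result identical across requests, say so, e.g. `// skip nonce: it is regenerated per request and must not make unchanged head markup look modified`. As a point of style, `for (const k of keys.filter((key) => key !== 'nonce')) {` removes the need for `continue` and its eslint-disable line. `update` continues past the end of the hunk.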
@@ -93,7 +93,7 @@ const utils = {
 const nonce = nonceMatch ? ` nonce="${nonceMatch[1]}"` : '';
 let newbody = body.substring(0, index);
 if (process.env.CODESPACES === 'true') {
- newbody += ``;
 } else {
- newbody += ``;
+ newbody += `window.LiveReloadOptions={port:${server.port},host:location.hostname,https:${server.scheme === 'https'}};`;
 }
- newbody += ``;
+ newbody += ``;
 newbody += body.substring(index);
 return newbody;
 }