Add nonce support to bootstrap scripts and external runtime (#26738)

Adds support for nonce on `bootstrapScripts`, `bootstrapModules` and the external fizz runtime

DiffTrain build for [9545e48](9545e48)

compiled/facebook-www/REVISION

@@ -1 +1 @@
-b12bea62d9cfd9a925f28cb2c93daeda3865a64e
+9545e4810c2dc8922f575b6d8f726503a7345d0c

compiled/facebook-www/ReactDOMServer-dev.classic.js

@@ -19,7 +19,7 @@ if (__DEV__) {
 var React = require("react");
 var ReactDOM = require("react-dom");
 
-var ReactVersion = "18.3.0-www-classic-40ef305a";
+var ReactVersion = "18.3.0-www-classic-b5ced452";
 
 // This refers to a WWW module.
 var warningWWW = require("warning");
@@ -2368,6 +2368,7 @@ var startInlineScript = stringToPrecomputedChunk("<script>");
 var endInlineScript = stringToPrecomputedChunk("</script>");
 var startScriptSrc = stringToPrecomputedChunk('<script src="');
 var startModuleSrc = stringToPrecomputedChunk('<script type="module" src="');
+var scriptNonce = stringToPrecomputedChunk('" nonce="');
 var scriptIntegirty = stringToPrecomputedChunk('" integrity="');
 var endAsyncScript = stringToPrecomputedChunk('" async=""></script>');
 /**
@@ -2451,6 +2452,13 @@ function createResponseState$1(
         stringToChunk(escapeTextForBrowser(src))
       );
 
+      if (nonce) {
+        bootstrapChunks.push(
+          scriptNonce,
+          stringToChunk(escapeTextForBrowser(nonce))
+        );
+      }
+
       if (integrity) {
         bootstrapChunks.push(
           scriptIntegirty,
@@ -2477,6 +2485,13 @@ function createResponseState$1(
         stringToChunk(escapeTextForBrowser(_src))
       );
 
+      if (nonce) {
+        bootstrapChunks.push(
+          scriptNonce,
+          stringToChunk(escapeTextForBrowser(nonce))
+        );
+      }
+
       if (_integrity) {
         bootstrapChunks.push(
           scriptIntegirty,
@@ -2506,7 +2521,8 @@ function createResponseState$1(
     preconnectChunks: [],
     preloadChunks: [],
     hoistableChunks: [],
-    stylesToHoist: false
+    stylesToHoist: false,
+    nonce: nonce
   };
 } // Constants for the insertion mode we're currently writing in. We don't encode all HTML5 insertion
 // modes. We only include the variants as they matter for the sake of our purposes.
@@ -6186,7 +6202,7 @@ function writePreamble(
     var _responseState$extern = responseState.externalRuntimeConfig,
       src = _responseState$extern.src,
       integrity = _responseState$extern.integrity;
-    internalPreinitScript(resources, src, integrity);
+    internalPreinitScript(resources, src, integrity, responseState.nonce);
   }
 
   var htmlChunks = responseState.htmlChunks;
@@ -7412,7 +7428,7 @@ function preinit(href, options) {
 // conform to the types because no user input is being passed in. It also assumes that it is being called as
 // part of a work or flush loop and therefore does not need to request Fizz to flush Resources.
 
-function internalPreinitScript(resources, src, integrity) {
+function internalPreinitScript(resources, src, integrity, nonce) {
   var key = getResourceKey("script", src);
   var resource = resources.scriptsMap.get(key);
 
@@ -7428,7 +7444,8 @@ function internalPreinitScript(resources, src, integrity) {
     pushScriptImpl(resource.chunks, {
       async: true,
       src: src,
-      integrity: integrity
+      integrity: integrity,
+      nonce: nonce
     });
   }
 
@@ -7618,6 +7635,7 @@ function createResponseState(
     preloadChunks: responseState.preloadChunks,
     hoistableChunks: responseState.hoistableChunks,
     stylesToHoist: responseState.stylesToHoist,
+    nonce: responseState.nonce,
     // This is an extra field for the legacy renderer
     generateStaticMarkup: generateStaticMarkup
   };

compiled/facebook-www/ReactDOMServer-dev.modern.js

@@ -19,7 +19,7 @@ if (__DEV__) {
 var React = require("react");
 var ReactDOM = require("react-dom");
 
-var ReactVersion = "18.3.0-www-modern-b7ba1a13";
+var ReactVersion = "18.3.0-www-modern-ccf9e22e";
 
 // This refers to a WWW module.
 var warningWWW = require("warning");
@@ -2368,6 +2368,7 @@ var startInlineScript = stringToPrecomputedChunk("<script>");
 var endInlineScript = stringToPrecomputedChunk("</script>");
 var startScriptSrc = stringToPrecomputedChunk('<script src="');
 var startModuleSrc = stringToPrecomputedChunk('<script type="module" src="');
+var scriptNonce = stringToPrecomputedChunk('" nonce="');
 var scriptIntegirty = stringToPrecomputedChunk('" integrity="');
 var endAsyncScript = stringToPrecomputedChunk('" async=""></script>');
 /**
@@ -2451,6 +2452,13 @@ function createResponseState$1(
         stringToChunk(escapeTextForBrowser(src))
       );
 
+      if (nonce) {
+        bootstrapChunks.push(
+          scriptNonce,
+          stringToChunk(escapeTextForBrowser(nonce))
+        );
+      }
+
       if (integrity) {
         bootstrapChunks.push(
           scriptIntegirty,
@@ -2477,6 +2485,13 @@ function createResponseState$1(
         stringToChunk(escapeTextForBrowser(_src))
       );
 
+      if (nonce) {
+        bootstrapChunks.push(
+          scriptNonce,
+          stringToChunk(escapeTextForBrowser(nonce))
+        );
+      }
+
       if (_integrity) {
         bootstrapChunks.push(
           scriptIntegirty,
@@ -2506,7 +2521,8 @@ function createResponseState$1(
     preconnectChunks: [],
     preloadChunks: [],
     hoistableChunks: [],
-    stylesToHoist: false
+    stylesToHoist: false,
+    nonce: nonce
   };
 } // Constants for the insertion mode we're currently writing in. We don't encode all HTML5 insertion
 // modes. We only include the variants as they matter for the sake of our purposes.
@@ -6186,7 +6202,7 @@ function writePreamble(
     var _responseState$extern = responseState.externalRuntimeConfig,
       src = _responseState$extern.src,
       integrity = _responseState$extern.integrity;
-    internalPreinitScript(resources, src, integrity);
+    internalPreinitScript(resources, src, integrity, responseState.nonce);
   }
 
   var htmlChunks = responseState.htmlChunks;
@@ -7412,7 +7428,7 @@ function preinit(href, options) {
 // conform to the types because no user input is being passed in. It also assumes that it is being called as
 // part of a work or flush loop and therefore does not need to request Fizz to flush Resources.
 
-function internalPreinitScript(resources, src, integrity) {
+function internalPreinitScript(resources, src, integrity, nonce) {
   var key = getResourceKey("script", src);
   var resource = resources.scriptsMap.get(key);
 
@@ -7428,7 +7444,8 @@ function internalPreinitScript(resources, src, integrity) {
     pushScriptImpl(resource.chunks, {
       async: true,
       src: src,
-      integrity: integrity
+      integrity: integrity,
+      nonce: nonce
     });
   }
 
@@ -7618,6 +7635,7 @@ function createResponseState(
     preloadChunks: responseState.preloadChunks,
     hoistableChunks: responseState.hoistableChunks,
     stylesToHoist: responseState.stylesToHoist,
+    nonce: responseState.nonce,
     // This is an extra field for the legacy renderer
     generateStaticMarkup: generateStaticMarkup
   };

compiled/facebook-www/ReactDOMServer-prod.classic.js

@@ -1627,7 +1627,8 @@ function writePreamble(
     internalPreinitScript(
       resources,
       willFlushAllSegments.src,
-      willFlushAllSegments.integrity
+      willFlushAllSegments.integrity,
+      responseState.nonce
     ));
   willFlushAllSegments = responseState.htmlChunks;
   var headChunks = responseState.headChunks,
@@ -2078,7 +2079,7 @@ function preinit(href, options) {
     }
   }
 }
-function internalPreinitScript(resources, src, integrity) {
+function internalPreinitScript(resources, src, integrity, nonce) {
   var key = "[script]" + src,
     resource = resources.scriptsMap.get(key);
   resource ||
@@ -2088,7 +2089,8 @@ function internalPreinitScript(resources, src, integrity) {
     pushScriptImpl(resource.chunks, {
       async: !0,
       src: src,
-      integrity: integrity
+      integrity: integrity,
+      nonce: nonce
     }));
 }
 function preloadAsStylePropsFromProps(href, props) {
@@ -2139,6 +2141,7 @@ function createResponseState(
     preloadChunks: [],
     hoistableChunks: [],
     stylesToHoist: !1,
+    nonce: void 0,
     generateStaticMarkup: generateStaticMarkup
   };
 }
@@ -3974,4 +3977,4 @@ exports.renderToString = function (children, options) {
     'The server used "renderToString" which does not support Suspense. If you intended for this Suspense boundary to render the fallback content on the server consider throwing an Error somewhere within the Suspense boundary. If you intended to have the server wait for the suspended component please switch to "renderToReadableStream" which supports Suspense on the server'
   );
 };
-exports.version = "18.3.0-www-classic-dcd0808f";
+exports.version = "18.3.0-www-classic-62223ba6";

compiled/facebook-www/ReactDOMServer-prod.modern.js

@@ -1625,7 +1625,8 @@ function writePreamble(
     internalPreinitScript(
       resources,
       willFlushAllSegments.src,
-      willFlushAllSegments.integrity
+      willFlushAllSegments.integrity,
+      responseState.nonce
     ));
   willFlushAllSegments = responseState.htmlChunks;
   var headChunks = responseState.headChunks,
@@ -2076,7 +2077,7 @@ function preinit(href, options) {
     }
   }
 }
-function internalPreinitScript(resources, src, integrity) {
+function internalPreinitScript(resources, src, integrity, nonce) {
   var key = "[script]" + src,
     resource = resources.scriptsMap.get(key);
   resource ||
@@ -2086,7 +2087,8 @@ function internalPreinitScript(resources, src, integrity) {
     pushScriptImpl(resource.chunks, {
       async: !0,
       src: src,
-      integrity: integrity
+      integrity: integrity,
+      nonce: nonce
     }));
 }
 function preloadAsStylePropsFromProps(href, props) {
@@ -2137,6 +2139,7 @@ function createResponseState(
     preloadChunks: [],
     hoistableChunks: [],
     stylesToHoist: !1,
+    nonce: void 0,
     generateStaticMarkup: generateStaticMarkup
   };
 }
@@ -3871,4 +3874,4 @@ exports.renderToString = function (children, options) {
     'The server used "renderToString" which does not support Suspense. If you intended for this Suspense boundary to render the fallback content on the server consider throwing an Error somewhere within the Suspense boundary. If you intended to have the server wait for the suspended component please switch to "renderToReadableStream" which supports Suspense on the server'
   );
 };
-exports.version = "18.3.0-www-modern-9c1f7368";
+exports.version = "18.3.0-www-modern-6b28dd6e";

compiled/facebook-www/ReactDOMServerStreaming-dev.modern.js

@@ -2365,6 +2365,7 @@ var startInlineScript = stringToPrecomputedChunk("<script>");
 var endInlineScript = stringToPrecomputedChunk("</script>");
 var startScriptSrc = stringToPrecomputedChunk('<script src="');
 var startModuleSrc = stringToPrecomputedChunk('<script type="module" src="');
+var scriptNonce = stringToPrecomputedChunk('" nonce="');
 var scriptIntegirty = stringToPrecomputedChunk('" integrity="');
 var endAsyncScript = stringToPrecomputedChunk('" async=""></script>');
 /**
@@ -2448,6 +2449,13 @@ function createResponseState(
         stringToChunk(escapeTextForBrowser(src))
       );
 
+      if (nonce) {
+        bootstrapChunks.push(
+          scriptNonce,
+          stringToChunk(escapeTextForBrowser(nonce))
+        );
+      }
+
       if (integrity) {
         bootstrapChunks.push(
           scriptIntegirty,
@@ -2474,6 +2482,13 @@ function createResponseState(
         stringToChunk(escapeTextForBrowser(_src))
       );
 
+      if (nonce) {
+        bootstrapChunks.push(
+          scriptNonce,
+          stringToChunk(escapeTextForBrowser(nonce))
+        );
+      }
+
       if (_integrity) {
         bootstrapChunks.push(
           scriptIntegirty,
@@ -2503,7 +2518,8 @@ function createResponseState(
     preconnectChunks: [],
     preloadChunks: [],
     hoistableChunks: [],
-    stylesToHoist: false
+    stylesToHoist: false,
+    nonce: nonce
   };
 } // Constants for the insertion mode we're currently writing in. We don't encode all HTML5 insertion
 // modes. We only include the variants as they matter for the sake of our purposes.
@@ -6193,7 +6209,7 @@ function writePreamble(
     var _responseState$extern = responseState.externalRuntimeConfig,
       src = _responseState$extern.src,
       integrity = _responseState$extern.integrity;
-    internalPreinitScript(resources, src, integrity);
+    internalPreinitScript(resources, src, integrity, responseState.nonce);
   }
 
   var htmlChunks = responseState.htmlChunks;
@@ -7419,7 +7435,7 @@ function preinit(href, options) {
 // conform to the types because no user input is being passed in. It also assumes that it is being called as
 // part of a work or flush loop and therefore does not need to request Fizz to flush Resources.
 
-function internalPreinitScript(resources, src, integrity) {
+function internalPreinitScript(resources, src, integrity, nonce) {
   var key = getResourceKey("script", src);
   var resource = resources.scriptsMap.get(key);
 
@@ -7435,7 +7451,8 @@ function internalPreinitScript(resources, src, integrity) {
     pushScriptImpl(resource.chunks, {
       async: true,
       src: src,
-      integrity: integrity
+      integrity: integrity,
+      nonce: nonce
     });
   }
 

compiled/facebook-www/ReactDOMServerStreaming-prod.modern.js

@@ -1656,7 +1656,8 @@ function writePreamble(
     internalPreinitScript(
       resources,
       willFlushAllSegments.src,
-      willFlushAllSegments.integrity
+      willFlushAllSegments.integrity,
+      responseState.nonce
     ));
   willFlushAllSegments = responseState.htmlChunks;
   var headChunks = responseState.headChunks,
@@ -2128,7 +2129,7 @@ function preinit(href, options) {
     }
   }
 }
-function internalPreinitScript(resources, src, integrity) {
+function internalPreinitScript(resources, src, integrity, nonce) {
   var key = "[script]" + src,
     resource = resources.scriptsMap.get(key);
   resource ||
@@ -2138,7 +2139,8 @@ function internalPreinitScript(resources, src, integrity) {
     pushScriptImpl(resource.chunks, {
       async: !0,
       src: src,
-      integrity: integrity
+      integrity: integrity,
+      nonce: nonce
     }));
 }
 function preloadAsStylePropsFromProps(href, props) {
@@ -3878,7 +3880,8 @@ exports.renderToStream = function (children, options) {
     preconnectChunks: [],
     preloadChunks: [],
     hoistableChunks: [],
-    stylesToHoist: !1
+    stylesToHoist: !1,
+    nonce: void 0
   };
   bootstrapModules = createFormatContext(0, null, !1);
   externalRuntimeDesc = options ? options.progressiveChunkSize : void 0;