
The CSP nonce remains in the DOM after being read by Angular #55359

Open
Guerric-P opened this issue Apr 16, 2024 · 1 comment
Labels
area: security Issues related to built-in security features, such as HTML sanitation cross-cutting: CSP
Comments

@Guerric-P

Which @angular/* package(s) are the source of the bug?

core

Is this a regression?

No

Description

When I use the ngCspNonce attribute in order to inject a nonce that is used by the framework to meet the browser's criteria for script and style tags, I expect it to disappear from the DOM after the framework has retrieved it.

As an attacker, it's very easy for me to detect if an application is built with Angular, and retrieve the nonce in the DOM. It would be much harder for me if the nonce was encapsulated into JavaScript closures with no global reference to it.

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

No response

Please provide the environment you discovered this bug in (run ng version)

Angular CLI: 16.2.9
Node: 20.9.0 (Unsupported)
Package Manager: npm 10.1.0
OS: win32 x64

Angular: 16.2.12
... animations, common, compiler, compiler-cli, core, forms
... localize, platform-browser, platform-browser-dynamic, router

Package                            Version
------------------------------------------------------------
@angular-devkit/architect          0.1602.9
@angular-devkit/build-angular      16.2.9
@angular-devkit/core               16.2.9
@angular-devkit/schematics         16.2.9
@angular/cdk                       16.2.11
@angular/cli                       16.2.9
@angular/material                  16.2.11
@angular/material-moment-adapter   16.2.11
@schematics/angular                16.2.9
rxjs                               7.8.1
typescript                         5.1.6
zone.js                            0.13.3

Anything else?

No response
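One way to implement the behaviour the report asks for, as an added example that is not Angular's own code: the nonce is read from the `ngCspNonce` attribute, the attribute is removed from the DOM, and only a closure retains the value for later use. The helper names `captureCspNonce` and `makeFakeElement`, and the sample nonce value, are assumptions made for this example; the fake element stands in for a real DOM node so the code runs under Node.

```javascript
// Added example, not Angular's code: read the nonce from the host element's
// ngCspNonce attribute, strip the attribute from the DOM, and keep the value only
// inside a closure that applies it to elements the application creates later.
// `captureCspNonce` is a hypothetical helper; `makeFakeElement` is a constructed
// stand-in for a DOM element so the example runs without a browser.

function captureCspNonce(hostElement, attributeName = 'ngCspNonce') {
  const nonce = hostElement.getAttribute(attributeName);
  if (nonce === null || nonce === '') {
    return null; // no nonce configured; nothing to capture
  }
  // Remove the attribute so getAttribute/querySelector on the host no longer reveals it.
  hostElement.removeAttribute(attributeName);
  return {
    // Apply the nonce through the `nonce` IDL property rather than setAttribute:
    // CSP checks the element's internal nonce slot, and browser nonce hiding
    // blanks the content attribute once the element is connected anyway.
    applyTo(element) {
      element.nonce = nonce;
      return element;
    },
  };
}

// Constructed minimal element: just enough of the DOM surface for the helper above.
function makeFakeElement(attrs = {}) {
  const store = new Map(Object.entries(attrs));
  return {
    nonce: '',
    getAttribute: (name) => (store.has(name) ? store.get(name) : null),
    hasAttribute: (name) => store.has(name),
    removeAttribute: (name) => { store.delete(name); },
  };
}

// Walk through the flow once and return what a caller can observe afterwards.
function demonstrate() {
  const host = makeFakeElement({ ngCspNonce: 'constructed-nonce-value' }); // constructed sample
  const nonceHandle = captureCspNonce(host);
  const style = nonceHandle.applyTo(makeFakeElement());
  return {
    hostStillExposesNonce: host.hasAttribute('ngCspNonce'),
    styleNonce: style.nonce,
    missingNonceHandled: captureCspNonce(makeFakeElement()) === null,
  };
}
```

Stripping the attribute only raises the bar for DOM inspection: the value is still present in the served HTML and on the `.nonce` property of every nonced script or style element, so it cannot be treated as a secret.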

@JoostK
Member

JoostK commented Apr 16, 2024

The idea of the CSP nonce is that it cannot be guessed, not that it's private. How would an attacker perform the detection in an automated way to extract the CSP nonce for any user?

@pkozlowski-opensource pkozlowski-opensource added area: security Issues related to built-in security features, such as HTML sanitation cross-cutting: CSP labels Apr 16, 2024
@ngbot ngbot bot added this to the needsTriage milestone Apr 16, 2024