From 7082c032882e1c979e5b0abd999d06169417336a Mon Sep 17 00:00:00 2001
From: Mildred Ki'Lya
Date: Wed, 11 Feb 2026 11:44:52 +0100
Subject: [PATCH] Fix activateScriptElement to set the CSP nonce correctly

The `activateScriptElement` function did not correctly set the CSP nonce on occasions. When the element to duplicate has been stripped from its CSP nonce in `elementWithoutNonce`, the nonce attribute is set to an empty string and would overwrite the correct nonce.
---
 src/util.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/util.js b/src/util.js
index 5a9024a1f..55857f80e 100644
--- a/src/util.js
+++ b/src/util.js
@@ -4,12 +4,12 @@ export function activateScriptElement(element) {
 } else {
 const createdScriptElement = document.createElement("script")
 const cspNonce = getCspNonce()
- if (cspNonce) {
- createdScriptElement.nonce = cspNonce
- }
 createdScriptElement.textContent = element.textContent
 createdScriptElement.async = false
 copyElementAttributes(createdScriptElement, element)
+ if (cspNonce && !createdScriptElement.nonce) {
+ createdScriptElement.nonce = cspNonce
+ }
 return createdScriptElement
 }
 }
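Review bot: The nonce assignment now only works because it runs after `copyElementAttributes`, and nothing in the hunk records that, so a later reorder would silently bring back the empty-nonce overwrite and leave the script blocked under a nonce-based CSP. I would add a comment above the new `if`, e.g. `// Must run after copyElementAttributes: a copied empty nonce attribute would otherwise clobber the page nonce`. The guard `!createdScriptElement.nonce` also means a non-empty nonce copied from the source element still takes precedence over `getCspNonce()`; if that value can differ from the current document's nonce the script would be rejected, so it is worth confirming that this precedence is intended. The diffstat lists only src/util.js, so a regression test for the stripped-nonce case appears to be missing. The body of `activateScriptElement` begins outside the hunk.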