@adobe/helix-html-pipeline 6.24.1 → 6.24.3

package/CHANGELOG.md

@@ -1,3 +1,17 @@
+## [6.24.3](https://github.com/adobe/helix-html-pipeline/compare/v6.24.2...v6.24.3) (2025-04-07)
+
+
+### Bug Fixes
+
+* **deps:** update dependency mime to v4.0.7 ([#851](https://github.com/adobe/helix-html-pipeline/issues/851)) ([e117c04](https://github.com/adobe/helix-html-pipeline/commit/e117c0463b132b10f8754a04acd06da5b613443b))
+
+## [6.24.2](https://github.com/adobe/helix-html-pipeline/compare/v6.24.1...v6.24.2) (2025-04-02)
+
+
+### Bug Fixes
+
+* Add script nonce to <link as=script> ([#850](https://github.com/adobe/helix-html-pipeline/issues/850)) ([182f281](https://github.com/adobe/helix-html-pipeline/commit/182f2816c018ed4e68af44ff3738ca9722984455))
+
 ## [6.24.1](https://github.com/adobe/helix-html-pipeline/compare/v6.24.0...v6.24.1) (2025-03-28)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "6.24.1",
+  "version": "6.24.3",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -55,7 +55,7 @@
     "lodash.escape": "4.0.1",
     "mdast-util-to-hast": "13.2.0",
     "mdast-util-to-string": "4.0.0",
-    "mime": "4.0.6",
+    "mime": "4.0.7",
     "parse5": "7.2.1",
     "rehype-format": "5.0.1",
     "rehype-parse": "9.0.1",

package/src/steps/csp.js

@@ -111,9 +111,15 @@ function createAndApplyNonceOnAST(res, tree, metaCSP, headerCSP, headerCSPRO) {
   }
 
   visit(tree, (node) => {
-    if (scriptNonce && node.tagName === 'script' && node.properties?.nonce === 'aem') {
-      node.properties.nonce = nonce;
-      return;
+    if (scriptNonce) {
+      if (node.tagName === 'script' && node.properties?.nonce === 'aem') {
+        node.properties.nonce = nonce;
+        return;
+      }
+      if (node.tagName === 'link' && node.properties?.as === 'script' && node.properties?.nonce === 'aem') {
+        node.properties.nonce = nonce;
+        return;
+      }
     }
 
     if (styleNonce
@@ -222,14 +228,34 @@ export function contentSecurityPolicyOnCode(state, res) {
           }
         }
 
-        if (scriptNonce && tag.tagName === 'script' && tag.attrs.find((attr) => attr.name === 'nonce' && attr.value === 'aem')) {
-          chunks.push(getRawHTML(tag).replace(/nonce="aem"/i, `nonce="${nonce}"`));
-          return;
+        if (scriptNonce) {
+          if (tag.tagName === 'script' && tag.attrs.find((attr) => attr.name === 'nonce' && attr.value === 'aem')) {
+            chunks.push(getRawHTML(tag).replace(/nonce="aem"/i, `nonce="${nonce}"`));
+            return;
+          }
+
+          if (tag.tagName === 'link'
+            && tag.attrs.find((attr) => attr.name === 'as' && attr.value === 'script')
+            && tag.attrs.find((attr) => attr.name === 'nonce' && attr.value === 'aem')
+          ) {
+            chunks.push(getRawHTML(tag).replace(/nonce="aem"/i, `nonce="${nonce}"`));
+            return;
+          }
         }
 
-        if (styleNonce && (tag.tagName === 'style' || tag.tagName === 'link') && tag.attrs.find((attr) => attr.name === 'nonce' && attr.value === 'aem')) {
-          chunks.push(getRawHTML(tag).replace(/nonce="aem"/i, `nonce="${nonce}"`));
-          return;
+        if (styleNonce) {
+          if (tag.tagName === 'style' && tag.attrs.find((attr) => attr.name === 'nonce' && attr.value === 'aem')) {
+            chunks.push(getRawHTML(tag).replace(/nonce="aem"/i, `nonce="${nonce}"`));
+            return;
+          }
+
+          if (tag.tagName === 'link'
+            && tag.attrs.find((attr) => attr.name === 'rel' && attr.value === 'stylesheet')
+            && tag.attrs.find((attr) => attr.name === 'nonce' && attr.value === 'aem')
+          ) {
+            chunks.push(getRawHTML(tag).replace(/nonce="aem"/i, `nonce="${nonce}"`));
+            return;
+          }
         }
 
         chunks.push(getRawHTML(tag));