Add CSP nonce to Vite reactRefresh inline script (#44816)

Author: andyvenus

src/Illuminate/Foundation/Vite.php

@@ -575,17 +575,22 @@ public function reactRefresh()
             return;
         }
 
+        $attributes = $this->parseAttributes([
+            'nonce' => $this->cspNonce()
+        ]);
+
         return new HtmlString(
             sprintf(
                 <<<'HTML'
-                <script type="module">
+                <script type="module" %s>
                     import RefreshRuntime from '%s'
                     RefreshRuntime.injectIntoGlobalHook(window)
                     window.$RefreshReg$ = () => {}
                     window.$RefreshSig$ = () => (type) => type
                     window.__vite_plugin_react_preamble_installed__ = true
                 </script>
                 HTML,
+                implode(' ', $attributes),
                 $this->hotAsset('@react-refresh')
             )
         );

tests/Foundation/FoundationViteTest.php

@@ -170,6 +170,25 @@ public function testItCanSpecifyCspNonceWithManifest()
         );
     }
 
+    public function testReactRefreshWithNoNonce()
+    {
+        $this->makeViteHotFile();
+
+        $result = app(Vite::class)->reactRefresh();
+
+        $this->assertStringNotContainsString('nonce', $result);
+    }
+
+    public function testReactRefreshNonce()
+    {
+        $this->makeViteHotFile();
+
+        $nonce = ViteFacade::useCspNonce('expected-nonce');
+        $result = app(Vite::class)->reactRefresh();
+
+        $this->assertStringContainsString(sprintf('nonce="%s"', $nonce), $result);
+    }
+
     public function testItCanInjectIntegrityWhenPresentInManifest()
     {
         $buildDir = Str::random();