Add nonceScriptSrcElem(), remove mintedNonce()

Added nonceScriptSrcElem() to wire the request nonce into script-src-elem (valid
there per CSP3), needed when a page's script-src-elem uses 'strict-dynamic'.
Removed mintedNonce(): inspecting whether a nonce was minted anywhere is the
wrong signal for the inline viewer - the deciding factor is whether the governing
script directive uses 'strict-dynamic'; callers inspect directive() instead.

Author: claude

modules/web/web-api/src/main/java/com/enonic/xp/web/csp/ContentSecurityPolicy.java

@@ -83,6 +83,8 @@ public final class ContentSecurityPolicy
 
     private static final String SCRIPT_SRC = "script-src";
 
+    private static final String SCRIPT_SRC_ELEM = "script-src-elem";
+
     private static final String STYLE_SRC = "style-src";
 
     private static final String NONE = "'none'";
@@ -620,27 +622,23 @@ public String nonceScriptSrc()
     }
 
     /**
-     * Wires the request nonce into {@code style-src} and returns its value (for stamping on inline
-     * {@code <style nonce="...">} tags).
+     * Wires the request nonce into {@code script-src-elem} and returns its value (for stamping on a
+     * {@code <script nonce="...">} element that must satisfy a page whose {@code script-src-elem}
+     * uses {@code 'strict-dynamic'}, where {@code 'self'} and host sources are ignored). A nonce is
+     * valid on {@code script-src-elem} per CSP Level 3.
      */
-    public String nonceStyleSrc()
+    public String nonceScriptSrcElem()
     {
-        return nonceFor( STYLE_SRC );
+        return nonceFor( SCRIPT_SRC_ELEM );
     }
 
     /**
-     * The request nonce if some {@code nonce*} call already minted it during this request; empty
-     * otherwise. Passive: never mints a nonce and never touches a directive. For code late in the
-     * pipeline that injects markup and wants it to ride through a strict, nonce-based policy: stamp
-     * the nonce only when one is present — calling {@link #nonceScriptSrc()} instead would make the
-     * minted nonce the page's only {@code script-src} entry on pages whose policy has none, blocking
-     * every other script. The nonce is shared across the enforcing, report-only and added rule sets,
-     * so this answers for the whole request. It does not verify the entry is still wired into any
-     * directive (a later {@link #resetTo} drops wired entries while the value stays stable).
+     * Wires the request nonce into {@code style-src} and returns its value (for stamping on inline
+     * {@code <style nonce="...">} tags).
      */
-    public Optional<String> mintedNonce()
+    public String nonceStyleSrc()
     {
-        return Optional.ofNullable( this.nonce.value );
+        return nonceFor( STYLE_SRC );
     }
 
     /**

modules/web/web-api/src/test/java/com/enonic/xp/web/csp/ContentSecurityPolicyTest.java

@@ -834,23 +834,13 @@ void resetTo_drops_external_nonce_sources()
     }
 
     @Test
-    void mintedNonce_is_passive_and_empty_until_a_nonce_call_mints()
+    void nonceScriptSrcElem_wires_the_request_nonce_into_script_src_elem()
     {
         final ContentSecurityPolicy csp = new ContentSecurityPolicy();
-        assertThat( csp.mintedNonce() ).isEmpty();
-        assertThat( csp.serialize() ).isEmpty();
-
-        final String nonce = csp.nonceScriptSrc();
-        assertThat( csp.mintedNonce() ).contains( nonce );
-    }
-
-    @Test
-    void mintedNonce_answers_for_the_whole_request_across_rule_sets()
-    {
-        final ContentSecurityPolicy csp = new ContentSecurityPolicy();
-        final String nonce = csp.reportOnly().nonceStyleSrc();
-        assertThat( csp.mintedNonce() ).contains( nonce );
-        assertThat( csp.addPolicy().mintedNonce() ).contains( nonce );
+        final String nonce = csp.nonceScriptSrcElem();
+        assertThat( csp.serialize() ).isEqualTo( "script-src-elem 'nonce-" + nonce + "'" );
+        // shares the one request nonce with the other nonce* methods
+        assertThat( csp.nonceScriptSrc() ).isEqualTo( nonce );
     }
 
     @Test