From 362ade489a0be22fccd8d625eaec42615d0723fb Mon Sep 17 00:00:00 2001
From: dimmageiras <dimmageiras@gmail.com>
Date: Fri, 19 Dec 2025 10:15:35 +0000
Subject: [PATCH 1/6] fix: pass nonce to importmap script when using
 subResourceIntegrity

When unstable_subResourceIntegrity is enabled, the importmap script tag
was missing the nonce attribute, causing CSP violations when strict
Content Security Policy is enforced without 'unsafe-inline'.

This fix ensures the nonce attribute is properly passed to the importmap
script element, allowing applications to use strict CSP policies.

Fixes #14252
---
 packages/react-router/lib/dom/ssr/components.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/react-router/lib/dom/ssr/components.tsx b/packages/react-router/lib/dom/ssr/components.tsx
index 57edd93007..9f6bf80124 100644
--- a/packages/react-router/lib/dom/ssr/components.tsx
+++ b/packages/react-router/lib/dom/ssr/components.tsx
@@ -903,6 +903,7 @@ import(${JSON.stringify(manifest.entry.module)});`;
         <script
           rr-importmap=""
           type="importmap"
+          nonce={scriptProps.nonce}
           suppressHydrationWarning
           dangerouslySetInnerHTML={{
             __html: JSON.stringify({

From 7888e17f2dd3948160c820795c28282fd59e82d7 Mon Sep 17 00:00:00 2001
From: dimmageiras <dimmageiras@gmail.com>
Date: Fri, 19 Dec 2025 10:26:15 +0000
Subject: [PATCH 2/6] docs: add dimmageiras to contributors list

---
 contributors.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contributors.yml b/contributors.yml
index e8a8cd30dd..0a88bcb7ab 100644
--- a/contributors.yml
+++ b/contributors.yml
@@ -106,6 +106,7 @@
 - developit
 - dgrijuela
 - DigitalNaut
+- dimmageiras
 - DimaAmega
 - dmitrytarassov
 - dogxii

From 70f7466ad253696f4190f00aac5b2257a08aeef2 Mon Sep 17 00:00:00 2001
From: dimmageiras <80131168+dimmageiras@users.noreply.github.com>
Date: Mon, 22 Dec 2025 20:19:53 +0000
Subject: [PATCH 3/6] fix: pass nonce to importmap script using scriptProps

---
 packages/react-router/lib/dom/ssr/components.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/react-router/lib/dom/ssr/components.tsx b/packages/react-router/lib/dom/ssr/components.tsx
index 9f6bf80124..3e9349a015 100644
--- a/packages/react-router/lib/dom/ssr/components.tsx
+++ b/packages/react-router/lib/dom/ssr/components.tsx
@@ -901,9 +901,9 @@ import(${JSON.stringify(manifest.entry.module)});`;
     <>
       {typeof manifest.sri === "object" ? (
         <script
+          {...scriptProps}
           rr-importmap=""
           type="importmap"
-          nonce={scriptProps.nonce}
           suppressHydrationWarning
           dangerouslySetInnerHTML={{
             __html: JSON.stringify({

From a68115e88c76adb3d443875b55c72bd101ec0888 Mon Sep 17 00:00:00 2001
From: dimmageiras <80131168+dimmageiras@users.noreply.github.com>
Date: Mon, 22 Dec 2025 20:29:25 +0000
Subject: [PATCH 4/6] fix: ensure nonce prop is passed to script component

---
 .changeset/little-timers-occur.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/little-timers-occur.md

diff --git a/.changeset/little-timers-occur.md b/.changeset/little-timers-occur.md
new file mode 100644
index 0000000000..725d43f556
--- /dev/null
+++ b/.changeset/little-timers-occur.md
@@ -0,0 +1,5 @@
+---
+"react-router": patch
+---
+
+This fix ensures nonce prop to be passed to the script component

From 80ab5a734d9fb03dced9383509486375e8bd5448 Mon Sep 17 00:00:00 2001
From: Matt Brophy <matt@brophy.org>
Date: Tue, 23 Dec 2025 10:24:38 -0500
Subject: [PATCH 5/6] Add e2e test

---
 integration/helpers/vite.ts |  3 ++
 integration/sri-test.ts     | 74 +++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 integration/sri-test.ts

diff --git a/integration/helpers/vite.ts b/integration/helpers/vite.ts
index 9ad644d43b..1f985a433f 100644
--- a/integration/helpers/vite.ts
+++ b/integration/helpers/vite.ts
@@ -31,6 +31,7 @@ export const reactRouterConfig = ({
   v8_middleware,
   v8_splitRouteModules,
   v8_viteEnvironmentApi,
+  unstable_subResourceIntegrity,
   routeDiscovery,
 }: {
   ssr?: boolean;
@@ -40,6 +41,7 @@ export const reactRouterConfig = ({
   v8_middleware?: boolean;
   v8_splitRouteModules?: NonNullable<Config["future"]>["v8_splitRouteModules"];
   v8_viteEnvironmentApi?: boolean;
+  unstable_subResourceIntegrity?: boolean;
   routeDiscovery?: Config["routeDiscovery"];
 }) => {
   let config: Config = {
@@ -52,6 +54,7 @@ export const reactRouterConfig = ({
       v8_middleware,
       v8_splitRouteModules,
       v8_viteEnvironmentApi,
+      unstable_subResourceIntegrity,
     },
   };
 
diff --git a/integration/sri-test.ts b/integration/sri-test.ts
new file mode 100644
index 0000000000..20a1fa477d
--- /dev/null
+++ b/integration/sri-test.ts
@@ -0,0 +1,74 @@
+import { test, expect } from "@playwright/test";
+
+import {
+  createAppFixture,
+  createFixture,
+  js,
+} from "./helpers/create-fixture.js";
+import type { AppFixture, Fixture } from "./helpers/create-fixture.js";
+import { reactRouterConfig } from "./helpers/vite.js";
+import { PlaywrightFixture } from "./helpers/playwright-fixture.js";
+
+test.describe("CSub-Resource Integrity", () => {
+  test.use({ javaScriptEnabled: false });
+
+  let fixture: Fixture;
+  let appFixture: AppFixture;
+
+  test.beforeAll(async () => {
+    fixture = await createFixture({
+      files: {
+        "react-router.config.ts": reactRouterConfig({
+          unstable_subResourceIntegrity: true,
+        }),
+        "app/root.tsx": js`
+          import { Links, Meta, Outlet, Scripts } from "react-router";
+
+          export default function Root() {
+            return (
+              <html>
+                <head>
+                  <Meta />
+                  <Links />
+                </head>
+                <body>
+                  <Outlet />
+                  <Scripts nonce="test-nonce-123" />
+                </body>
+              </html>
+            );
+          }
+        `,
+      },
+    });
+    appFixture = await createAppFixture(fixture);
+  });
+
+  test("includes an importmap", async ({ page }) => {
+    let app = new PlaywrightFixture(appFixture, page);
+    await app.goto("/");
+    let json = await page.locator('script[type="importmap"]').innerText();
+    let importMap = JSON.parse(json);
+    expect(Object.keys(importMap.integrity).length).toBeGreaterThan(0);
+    for (let key in importMap.integrity) {
+      if (key.includes("manifest")) continue;
+      let value = importMap.integrity[key];
+      expect(value).toMatch(/^sha384-/);
+
+      let linkEl = page.locator(`link[rel="modulepreload"][href="${key}"]`);
+      expect(await linkEl.getAttribute("href")).toBe(key);
+      expect(await linkEl.getAttribute("integrity")).toBe(value);
+
+      let scriptEl = page.locator(`script[type="module"]`);
+      expect(await scriptEl.innerText()).toContain(key);
+    }
+  });
+
+  test("includes a nonce on the importmap script", async ({ page }) => {
+    let app = new PlaywrightFixture(appFixture, page);
+    await app.goto("/");
+    expect(
+      await page.locator('script[type="importmap"]').getAttribute("nonce"),
+    ).toBe("test-nonce-123");
+  });
+});

From a28ae1a6604a69b709607dde9b554ca671a76dc5 Mon Sep 17 00:00:00 2001
From: Matt Brophy <matt@brophy.org>
Date: Tue, 23 Dec 2025 10:26:09 -0500
Subject: [PATCH 6/6] Apply suggestion from @brophdawg11

---
 .changeset/little-timers-occur.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/little-timers-occur.md b/.changeset/little-timers-occur.md
index 725d43f556..1626984a85 100644
--- a/.changeset/little-timers-occur.md
+++ b/.changeset/little-timers-occur.md
@@ -2,4 +2,4 @@
 "react-router": patch
 ---
 
-This fix ensures nonce prop to be passed to the script component
+[UNSTABLE] Pass `<Scripts nonce>` value through to the underlying `importmap` `script` tag when using `future.unstable_subResourceIntegrity`