CSP_NONCE is ignored in headers?

Nextcloud version (eg, 20.0.5): Nextcloud Hub 3 (25.0.5)
Operating system and version (eg, Ubuntu 20.04): CentOS 8 Streams
Apache or nginx version (eg, Apache 2.4.25): 2.4.37
PHP version (eg, 7.4): 7.4

The issue you are facing:
All <script> tags have a nonce=... attribute based on the CSP_NONCE value generated by mod_csp_nonce but the CSP header only outputs the JsNonce value and not the CSP_NONCE value.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Upgrade from v21 to v25
  2. Check Firefox “Inspector” for CSP errors

The output of your Nextcloud log in Admin > Logging:

Warning	news	https://regimental-standard.com/feed/ read error : cURL error 7: Failed to connect to regimental-standard.com port 443: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://regimental-standard.com/feed/	
2023-04-16T13:15:15+0100
Warning	news	https://regimental-standard.com/feed/ read error : cURL error 7: Failed to connect to regimental-standard.com port 443: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://regimental-standard.com/feed/	
2023-04-16T12:00:21+0100
Warning	news	https://regimental-standard.com/feed/ read error : cURL error 7: Failed to connect to regimental-standard.com port 443: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://regimental-standard.com/feed/	
2023-04-16T10:45:14+0100

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '…',
  'passwordsalt' => '…',
  'datadirectory' => '/…',
  'dbtype' => 'mysql',
  'version' => '25.0.5.1',
  'dbname' => '…',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => '…',
  'dbpassword' => '…',
  'installed' => true,
  'forcessl' => true,
  'maintenance' => false,
  'theme' => '',
  'trusted_domains' => array (
    0 => '…',
  ),
  'mail_from_address' => '…',
  'mail_smtpmode' => 'sendmail',
  'mail_domain' => 'ibboard.co.uk',
  'secret' => '…',
  'forceSSLforSubdomains' => true,
  'loglevel' => 2,
  'trashbin_retention_obligation' => 'auto',
  'htaccess.RewriteBase' => '/',
  'updater.release.channel' => 'stable',
  'mysql.utf8mb4' => true,
  'overwrite.cli.url' => '…',
  'defaultapp' => 'apporder',
  'remember_login_cookie_lifetime' => 1296000,
  'session_lifetime' => 86400,
  'session_keepalive' => true,
  'token_auth_enforced' => false,
  'auth.bruteforce.protection.enabled' => true,
  'mail_smtpauthtype' => 'LOGIN',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'default_phone_region' => 'GB',
  'updater.secret' => '…',
  'app_install_overwrite' => array (
    0 => 'apporder',
  ),
);

If I make the following change in lib/public/AppFramework/Http/EmptyContentSecurityPolicy.php then everything works fine:

                 if (!empty($this->allowedScriptDomains) || $this->inlineScriptAllowed || $this->evalScriptAllowed) {                                         
                         $policy .= 'script-src ';
+                        $policy .= '\'nonce-'.\OC::$server->getContentSecurityPolicyNonceManager()->getNonce().'\' ';                                        
                         if (is_string($this->useJsNonce)) {    
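Review bot: the added `$policy .= '\'nonce-'...` line sits before the `is_string($this->useJsNonce)` check, so it emits a nonce source for every policy that reaches this branch, including ones that never set `useJsNonce`, and a policy that does set it may end up with two nonce sources in `script-src`. Browsers ignore `'unsafe-inline'` once a nonce source is present, so a policy that got here only through `$this->inlineScriptAllowed` would behave differently after this change. I would make the existing `useJsNonce` branch emit the nonce-manager value instead of adding a second source, and pass that value in rather than calling `\OC::$server` from inside the policy class.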

But it feels like I shouldn’t have to make that change for the headers to work correctly. So did I miss a config value somewhere?
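
The mismatch described in this post can also be confirmed outside the browser inspector. The following is an added example, not part of the original post and not Nextcloud code: it compares the nonce sources in a `Content-Security-Policy` header value with the `nonce` attributes on the page's `<script>` tags. The function names, the sample header and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# nonce-source grammar from CSP: 'nonce-' followed by a base64 / base64url value
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_-]+={0,2})'")

def script_src_nonces(csp_header):
    """Return the nonce values a CSP header value allows for scripts."""
    directives = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            # a repeated directive is ignored; the first occurrence wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    # script-src falls back to default-src when it is absent
    sources = directives.get("script-src", directives.get("default-src", []))
    return {m.group(1) for m in map(NONCE_RE.fullmatch, sources) if m}

class ScriptNonceCollector(HTMLParser):
    """Collect (src or '<inline>', nonce) for every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.found.append((a.get("src") or "<inline>", a.get("nonce")))

def mismatched_scripts(csp_header, html):
    """Scripts carrying a nonce that the header does not list.
    Host and hash sources are not evaluated; only nonces are compared."""
    allowed = script_src_nonces(csp_header)
    collector = ScriptNonceCollector()
    collector.feed(html)
    return [(src, n) for src, n in collector.found if n is not None and n not in allowed]

# Constructed sample: the header carries one nonce, the tags carry another.
SAMPLE_CSP = "default-src 'none'; script-src 'nonce-SnNOb25jZVZhbHVl' 'strict-dynamic'; style-src 'self'"
SAMPLE_HTML = """<html><head>
<script nonce="TW9kQ3NwTm9uY2U=" src="/js/example.js"></script>
<script nonce="TW9kQ3NwTm9uY2U=">var x = 1;</script>
</head></html>"""

if __name__ == "__main__":
    for src, nonce in mismatched_scripts(SAMPLE_CSP, SAMPLE_HTML):
        print(f"blocked by CSP: {src} (tag nonce {nonce} not in header)")
```

Feed it the header value and body of a saved response from the affected instance; an empty result means every nonced script tag matches a nonce in the header.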