I have a test web app, with the Sign In with Google button + One Tap UX configured with a data-nonce :
<div
id="g_id_onload"
data-client_id="<%=google_client_id%>"
data-context="signin"
data-ux_mode="popup"
data-login_uri="<%=site_address%>/sign-in-with-google-callback"
data-nonce="<%=idTokenNonce%>"
data-itp_support="true"
></div>
<div
class="g_id_signin"
data-type="standard"
data-shape="rectangular"
data-theme="outline"
data-text="signin_with"
data-size="large"
data-logo_alignment="left"
></div>
On Chrome (and the other non-ITP browsers) both buttons work properly and I receive the ID token (JWT) that contains a claim nonce with the nonce that I specified when rendering the page.
On Safari (ITP) with "Prevent cross-site tracking" the regular button produces a id token that has the nonce. But if I login using the One Tap (upgraded One Tap UX on ITP browsers) I get a ID token but that JWT does not contain any nonce claim.
Is there anything I could do to get the nonce to work also for the "upgraded One Tap UX on ITP browsers"?