feat: Add inlineSlyeNonce configuration

[marcospereira]

Description

Add new configuration to avoid CSP error for progress indicator. Users will then be able to configure the nonce as:

<meta name="htmx-config" content='{"inlineSlyeNonce":"<base64-nonce-value>"}'>

Fixes #1062.

Testing

I used a copy of the modified file in my application and tried without adding the configuration above. Then I got the following (expected) error:

htmx.js:1 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-<base64-value>'". Either the 'unsafe-inline' keyword, a hash ('sha256-bsV5JivYxvGywDAZ22EZJKBFip65Ng9xoJVLbBg7bdo='), or a nonce ('nonce-...') is required to enable inline execution.

I then added the configuration and got no errors. 🎉

Checklist

• I have read the contribution guidelines
• I have targeted this PR against the correct branch (master for website changes, dev for source changes)
• This is either a bugfix, a documentation update, or a new feature that has been explicitly approved via an issue
• I ran the test suite locally (npm run test) and verified that it succeeded

[1cg]

thank you!

[marcospereira]

Thank you, @1cg.

Do you have an ETA for when a new release that includes this change will happen?

[1ma]

For future reference, this is how to use this option to whitelist htmx's inline styles when using a CSP.

<head>
    <meta name="htmx-config" content='{"inlineStyleNonce":"wtf-htmx"}'>
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src 'self' 'nonce-wtf-htmx';">
    <script src="/js/htmx-2.0.1.min.js"></script>
</head>