[feat] Add nonce placeholders in rendered pages.

[Karlinator]

Related to #93

Adds a CSP nonce placeholder to all script and style tags if config.kit.noncePlaceholders is true. This allows a hook to easily replace them with a nonce alongside where they are likely already inserting the CSP headers themselves.

As currently configured this supports 'strict-dynamic' (that's why the nonce is added to all scripts, not just the inline init script).

Note that this only works on dynamic hosts. Nonces can't be used in a static environment.

This will need documentation somewhere; I'm open to doing that if someone points me to where to place it :) Particularly an example of a CSP hook would be good.

Before submitting the PR, please make sure you do the following

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpx changeset and following the prompts. All changesets should be patch until SvelteKit 1.0

[changeset-bot]

🦋 Changeset detected

Latest commit: cc1618b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[benmccann]

Thanks for this! Can you add some docs in https://github.com/sveltejs/kit/tree/master/documentation/docs showing how it would be used?

[Karlinator]

Sure! I'll write it up!

I'm not sure if I'm really in love with this solution though. Would it be better to do something more akin to what Sapper did and generate the nonce in Kit itself and make it available to hooks in request.locals.nonce? That feels a bit cleaner than making the hook do a regex string replacement. However, trying that gives this error when building a project:

[vite]: Rollup failed to resolve import "node:crypto" from "node_modules/@sveltejs/kit/dist/ssr.js".
This is most likely unintended because it can break your application at runtime.
If you do want to externalize this module explicitly add it to
`build.rollupOptions.external`
[vite]: Rollup failed to resolve import "node:crypto" from "node_modules/@sveltejs/kit/dist/ssr.js".
This is most likely unintended because it can break your application at runtime.
If you do want to externalize this module explicitly add it to
`build.rollupOptions.external`

Should we not be using built-in node modules in this part of the app? It works in adapter-node at least if I do as the error suggests, but I worry that might break some environments?

[Karlinator]

I've created an alternative at #2394 which generates and inserts nonces instead of just a placeholder. It seems like a better overall solution to me, but I'm keeping both PRs open so maintainers can choose the best option.

[Karlinator]

I'm closing this in favour of #2394. We can come back to this concept if that one doesn't work out.