enable strict csp for exported site

[dominikg]

Is your feature request related to a problem? Please describe.
html files generated by npm run export contain inline scripts (and in case of rollup these even use eval)
The documentation suggests using a runtime injected nonce via server.js but this is not applicable to export.

Describe the solution you'd like
I'd prefer no inline scripts at all. If that is not an option, hash based policies in meta could be possible. ( https://content-security-policy.com/examples/meta/ )

Describe alternatives you've considered
a) Serving with a lax csp (or none at all)
b) not using sapper export

How important is this feature to you?
deal-breaker in production environments

Additional context

[pgjones]

You can set the nonce to a placeholder value in the server and it will be present in the exported html. The server you use for the exported files can then replace the placeholder.

[dominikg]

That would mean you'd have to develop/maintain/install the nonce replacement for the webserver and it runs for every request (nonce has to be generated and inserted). This would not work well with precompressed files ( think index.html.br ), costs server resources and increases response time.

i'd prefer a solution that works out of the box without additional costs. In the mean time i went with alternative b) not using sapper export, so feel free to close this if you don't deem this important enough.

[pgjones]

@dominikg For the nonce to be effective you will need to generate a new one on every request

The server must generate a unique nonce value each time it transmits a policy.
source

Did you mean something else?

[dominikg]

no, thats exactly what i'm talking about. nonce and static export don't mix.