I wondering if there is any desire to add CSP nonce support to the .toml – similar to something like CSP Nonce support in Nginx. Essentially, a nonce would automatically be generated and be attached to the CSP header. Any inline script in the index.html with a predefined string (ie
CSP_NONCE) would then be replaced with the nonce when the file was served.
This seems to be the prescribed solution for google tag manager (Using Google Tag Manager with a Content Security Policy), which is a pretty common inline script. Having something like this supported out of the box in the .toml would be awesome. I assume the same objective could be accomplished with a lambda but was hoping to avoid that if possible.