[security]: automatically add nonce or hash to script-src-elem, style-src-attr & style-src-elem csp directive if necessary

[MathiasWP]

This PR adds functionality for automatically adding CSP-directives that are required only if they're used:

• script-src-elem
• style-src-attr
• style-src-elem

error thrown because of missing nonce/hash when script-src-elem is used:

error thrown because of missing nonce/hash if style-src-attr and/or style-src-elem is used:

style-src-attr and style-src-elem is also automatically added during dev so things work locally.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

[changeset-bot]

🦋 Changeset detected

Latest commit: 1d961f1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Rich-Harris]

thank you!