Support for the Strictest CSP with Nonce for Scripts

[Mogost]

When you use the strictest Content Security Policy (CSP) configuration, Django REST Framework scripts may be blocked.

To prevent this blocking, each script that is loaded must include a nonce. Adding self, domain, or other sources to the policy is insufficient because strict-dynamic disallows them.

Example of a CSP violation report:

[Report Only] Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "script-src ... 'strict-dynamic' 'unsafe-eval' 'nonce-J7Q4+1H1yqr9X+9tkiqBNw=='". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Rel: #7960, #8783

[tomchristie]

Thanks for this. I'm going to start by closing this off initially, since we're generally not accepting feature PRs for REST framework at this point in time, other than tracking necessary changes to support newer versions of Django.

If you'd like support for this you'll need to explicitly override the templates in your project.

If you'd still like to proceed could we start with a design discussion.... For example... reference what Django uses within it's HTML templates?