Allow usage of nonce-attributes on generated style tag (CSP Level 2)

[aKzenT]

I want to use Content Security Policy Level 2 on my website. This requires me to add a 'nonce' attribute to all <style> tags.

I'm currently using this plugin to inline some css and of course it does not produce a nonce-attribute which causes the generated <style> tag to fail.

What I would love to see is one of the following options:

1. A nonce configuration option in the plugin that I can set to any value and which is then rendered as a "nonce"-attribute on the generated style tag. I would probably use it to inject a dummy value which I would then replace server side, but in other setups this might be different. OR:
2. An option to omit the <style> tag itself and replace the token only with the css content. This would allow me to move the <style> tag with the nonce attribute to the HTML template directly. OR:
3. An option to specify a function as the 'target' which would receive the HTML and the CSS declarations as parameters and would return the rendered result, allowing for custom replacement logic.

Any of these would help a lot in this and similar scenarios. Please let me know what you think and if you have a preference for any option.

[runjuu]

Hi @aKzenT , I prefer the third option because it can handle more scenarios. 😀

[runjuu]

Hi @aKzenT , Check this PR for more details. And I also release a beta version 1.10.0-beta.0 for testing. Let me know if there are any problems. 😎

[aKzenT]

Hey,

that's awesome! Thanks a lot for the quick implementation. I tested it with my scenario and it works perfectly.

Thanks again!