svelte-adapter-azure-swa
Generate CSP headers for prerendered pages
This is just an initial stab at implementing #106 to start the discussion and see if it is viable.
From my tests it is working, though not locally with swa because of Azure/static-web-apps-cli#646.
For this to be ready for merge, we would need to add
- [ ] Documentation
- [ ] Tests
We should discuss if a config option for this should be opt-in or opt-out. If there is no http-equiv="content-security-policy" meta tag in an HTML file, no headers will be generated. I'm not sure there is a use case where you would want CSP meta tags but not headers?
We might also want to consider adding support for turning any http-equiv meta tag into a header.
I entertained the thought of making a PR to SvelteKit for exposing any headers returned for pages during pre-rendering in builder.prerendered to the adapters, but I think this solution here is a better first step.
What do you think, @geoffrich?
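The mechanism sketched above (read each prerendered HTML file, look for a CSP `http-equiv` meta tag, and emit a matching route header for Azure SWA), as an added example that is not the adapter's or the PR's own code. The `routes[].headers` shape is the documented `staticwebapp.config.json` format; the function names, the file-to-route mapping and the sample pages are assumptions constructed for the example.

```javascript
// Match the CSP meta tag regardless of attribute order or quote style.
const META_RE = /<meta\s+[^>]*http-equiv\s*=\s*["']content-security-policy["'][^>]*>/i;
// CSP values contain single quotes ('self'), so match each quote style separately.
const CONTENT_RE = /content\s*=\s*(?:"([^"]*)"|'([^']*)')/i;

// Return the CSP policy string from an HTML document, or null if no meta tag is present.
function extractCsp(html) {
  const tag = html.match(META_RE);
  if (!tag) return null;
  const m = tag[0].match(CONTENT_RE);
  if (!m) return null;
  return (m[1] ?? m[2]).trim();
}

// Assumed mapping from a prerendered file to its SWA route:
// "index.html" -> "/", "about.html" -> "/about", "blog/index.html" -> "/blog/".
function htmlPathToRoute(file) {
  let route = '/' + file.replace(/\\/g, '/').replace(/^\/+/, '');
  route = route.replace(/\/index\.html$/, '/').replace(/\.html$/, '');
  return route === '' ? '/' : route;
}

// Build staticwebapp.config.json route entries; pages without a CSP meta tag
// get no entry, matching the behaviour described in the PR.
function buildCspRoutes(pages) {
  const routes = [];
  for (const [file, html] of Object.entries(pages)) {
    const csp = extractCsp(html);
    if (csp === null) continue;
    routes.push({ route: htmlPathToRoute(file), headers: { 'Content-Security-Policy': csp } });
  }
  return routes;
}

// Constructed sample output of a prerender step (file path -> HTML contents).
const SAMPLE_PAGES = {
  'index.html':
    '<html><head><meta http-equiv="content-security-policy" content="default-src \'self\'; frame-ancestors \'none\'"></head></html>',
  'about.html': '<html><head><meta name="description" content="no csp here"></head></html>',
  'blog/index.html': "<meta content=\"script-src 'self'\" http-equiv='Content-Security-Policy'>",
};

function demo() {
  return buildCspRoutes(SAMPLE_PAGES);
}
```

The resulting array can be merged into the `routes` array of the generated `staticwebapp.config.json`; the `frame-ancestors` directive in the first sample is exactly the kind of directive that only takes effect when delivered as a header.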
What is the advantage of having the CSP in a header as opposed to the meta tag? Won't they have the same effect?
The implementation seems relatively straightforward. Re: opt-in vs opt-out -- my only concern would be the impact on build speed, since you have to read each file to determine if it sets a CSP.
I was inspired by this note from Google PageSpeed:

> you should define a CSP in an HTTP response header if you can. An injection before the meta tag will bypass the CSP. Additionally, frame-ancestors, sandbox and reporting are not supported in meta tag CSPs.
I'm sure in most cases it doesn't make too much of a difference, but I think it would be nice to have.