
Add Content Security Policy nonce support

Open alehuo opened this issue 2 years ago • 2 comments

This pull request adds support for nonce-based Content Security Policies used in strict CSP environments. In case the 'strict-dynamic' CSP rule is not used, third-party scripts are blocked from creating new script tags. I have updated the README.md accordingly with an example of how to use the new nonce configuration variable.

Do we also need to add the nonce parameter to styles generated by the browser-update -script, in update.show.js? The documentation at https://browser-update.org/customize.html would need to be updated also.

alehuo avatar Sep 07 '22 10:09 alehuo

Thanks. This seems very good.

Do we also need to add the nonce parameter to styles generated by the browser-update -script, in update.show.js? The documentation at https://browser-update.org/customize.html would need to be updated also.

There I do not know the standard. There are no external styles referenced. Is the nonce needed for inline styles?

josselex avatar Sep 17 '22 11:09 josselex

If the unsafe-inline CSP rule is used, inline styles are not allowed to load, unless the inline style has the nonce attribute explicitly set. Possible solutions:

  • Add a nonce-attribute to the style-tag itself, e.g. <style nonce="...">, if the nonce is detected to be available.
  • Compute the SHA256 hash of the inline style elements and add them to the CSP header. This makes maintaining the library very hard, so I don't recommend it.

alehuo avatar Sep 26 '22 17:09 alehuo