
Request to support random nonce generated for inline CSS in style-src-elem CSP directive #20

Open
ttacon opened this issue Jul 21, 2020 · 2 comments

Comments


ttacon commented Jul 21, 2020

Currently, the support for CSP in this module is to pass the provided CSP directly as a response header. However, in the case of using inline CSS (e.g. material-ui), we need to be able to set the inline nonce-${nonce} source for the style-src-elem. Is this functionality that you see this module taking on or should that be handled somewhere else?

Cheers!

Edit:
I felt I should add the workaround for any other folks that are encountering this - inside your specific gin handler, you can override the CSP header. So you'll need to:

  1. Generate a nonce, I use v4 UUIDs for this.
  2. Add the overriding header:

```go
// inside the gin handler, after generating the nonce for this request
c.Header(
    "Content-Security-Policy",
    fmt.Sprintf(
        "default-src 'self'; style-src-elem 'self' 'nonce-%s'",
        nonce,
    ),
)
```

  3. Ensure to pass the nonce to your HTML rendering function, as it must also be included as a meta attribute, i.e.:

```html
<meta property="csp-nonce" content="{{ .nonce }}">
```
@liepumartins

Also would like to see this feature.

Each page load should have new nonce generated.
The nonce provided in the Content-Security-Policy header must match the one used in `<script nonce="xxx">` and `<style nonce=>`.

@ttacon the current workaround requires doing this in each route handler, correct?


ttacon commented Aug 12, 2020

@liepumartins , that's how I'm doing this at the moment - in my handlers which are returning rendered HTML.
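The per-request nonce workaround from the first comment, lifted out of the individual route handlers into one middleware, as an added example that is not part of this issue or the module under discussion. It uses the standard `net/http` stack instead of gin so it runs with no dependencies (in gin the equivalents are `c.Header` and `c.Set`); the nonce is 128 bits from `crypto/rand` in the URL-safe base64 alphabet, which CSP accepts and which `html/template` leaves unescaped, and a new one is generated on every request so no two responses share a nonce. The template, context key and `Handler` name are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
)

type nonceKey struct{} // private context key so no other package can overwrite the nonce

// newNonce returns 128 bits of CSPRNG output, base64url-encoded (22 chars, no padding).
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NonceFromContext returns the nonce WithCSPNonce stored for the current request.
func NonceFromContext(ctx context.Context) string {
	n, _ := ctx.Value(nonceKey{}).(string)
	return n
}

// WithCSPNonce generates a fresh nonce per request, sets the CSP header before any
// body is written, and hands the nonce to the wrapped handler via the request context.
func WithCSPNonce(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil { // fail closed: never serve a page with a predictable nonce
			http.Error(w, "nonce generation failed", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy",
			fmt.Sprintf("default-src 'self'; style-src-elem 'self' 'nonce-%s'", nonce))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

// page is a constructed template; the same nonce goes in the meta tag and the style element.
var page = template.Must(template.New("p").Parse(
	`<meta property="csp-nonce" content="{{.nonce}}"><style nonce="{{.nonce}}">body{margin:0}</style>`))

// Handler is a route that only needs to read the nonce; the CSP header is already set.
var Handler = WithCSPNonce(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	_ = page.Execute(w, map[string]string{"nonce": NonceFromContext(r.Context())})
}))
```

Mount `Handler` (or wrap the whole router in `WithCSPNonce`) with `http.ListenAndServe`; each response then carries a header nonce that matches the one rendered into the HTML.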
