Pylons / deform

A Python HTML form library.

Support for Content-Security-Policy headers via nonce attribute of script/style tags, to avoid need for unsafe-inline CSP rule #512

Open RudolfCardinal opened 3 years ago

RudolfCardinal commented 3 years ago

Setting the Content-Security-Policy (CSP) HTTP header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy), which is a good thing, means that inline <script> and <style> tags will be blocked by the browser unless either the unsafe-inline CSP policy is used, which is a bad thing, or a hash or nonce is used. Of those, the nonce method is simpler. That requires <script nonce="NONCE_FOR_THIS_RESPONSE"> and <style nonce="NONCE_FOR_THIS_RESPONSE">, matching the value of the nonce set in the response CSP header.

I don't think Deform supports this at present, and so some of its scripts/styles are blocked in this security environment. Would nonce support be reasonable to add? I imagine that Form could take a nonce parameter (default None); if present, its value could be propagated through all Deform .pt templates.
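The nonce mechanism described above, as an added example that is not part of this issue and not Deform's own code: a per-response nonce, the CSP header that references it, and a checker (hypothetical helper names `csp_header`, `csp_nonces`, `csp_violations`) run over constructed markup to show which script/style tags a browser would block, including the `style=""` attributes that a nonce cannot cover.

```python
import base64
import re
import secrets
from html.parser import HTMLParser

def make_nonce(nbytes: int = 16) -> str:
    """Fresh nonce for one response: CSP requires a base64 value, here 128 random bits."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")

def csp_header(nonce: str) -> str:
    """Header value allowing same-origin resources plus inline tags carrying this nonce."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            f"style-src 'self' 'nonce-{nonce}'")

def csp_nonces(header: str) -> dict:
    """Map each directive to the set of nonces it allows, e.g. {'script-src': {...}}."""
    out = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0]] = set(re.findall(r"'nonce-([^']+)'", directive))
    return out

class _Scanner(HTMLParser):
    """Collect <script>/<style> tags and any element carrying a style= attribute."""
    def __init__(self):
        super().__init__()
        self.tags = []  # (tag name, attribute dict, source line)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "style") or "style" in attrs:
            self.tags.append((tag, attrs, self.getpos()[0]))

def csp_violations(html: str, header: str) -> list:
    """Describe markup that a browser enforcing `header` would refuse to run or apply."""
    allowed = csp_nonces(header)
    scanner = _Scanner()
    scanner.feed(html)
    problems = []
    for tag, attrs, line in scanner.tags:
        if "style" in attrs:
            # style="" attributes are never nonce-able; only 'unsafe-inline' permits them
            problems.append(f"line {line}: inline style attribute on <{tag}>")
        if tag == "script" and "src" in attrs:
            continue  # external same-origin script: allowed by 'self', no nonce needed
        if tag in ("script", "style") and attrs.get("nonce") not in allowed.get(f"{tag}-src", set()):
            problems.append(f"line {line}: <{tag}> without a nonce matching {tag}-src")
    return problems
```

Because the nonce is regenerated per response, markup rendered with a previous response's nonce is reported as blocked too, which is the property that makes nonces safe to use instead of 'unsafe-inline'.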

RudolfCardinal commented 3 years ago

Improved with the new code above. However, in the Sequence widget, there are also prototype pieces of code that get cloned by Deform and evaluated ("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script...") and dynamic style rewriting by jQuery ("Refused to apply inline style because it violates the following Content Security Policy directive..."). I'm not sure how those should best be handled.

RudolfCardinal commented 3 years ago

Requirement for evaluating JavaScript removed (along with a bugfix) in the latest commit just now. The jQuery "inline style" problem remains but perhaps that will go with a later jQuery version as per https://github.com/Pylons/deform/issues/511.

stevepiercy commented 3 years ago

Thank you for the PR @RudolfCardinal. Please allow me a few days until I have the opportunity to review and think this over. I need to think about additional functional tests, as well as handling the sequence widgets and dynamic style rewriting.

Meanwhile if you have not yet done so, would you please sign https://github.com/Pylons/deform/blob/main/CONTRIBUTORS.txt?

Also the lint build fails on isort in CI: https://github.com/Pylons/deform/pull/513/checks?check_run_id=2499763731 and needs to pass before I can accept it.

RudolfCardinal commented 3 years ago

Thanks -- I've tried again via $TOX -e format and it is happy locally -- fingers crossed for the autotests. I've signed the contributors statement too.