easy-team / egg-vue-webpack-boilerplate

Egg Vue Server Side Render (SSR) / Client Side Render (CSR)
https://easyjs.cn/egg-vue
MIT License
1.36k stars, 248 forks

How to configure the nonce for inline script/style tags when egg-security's CSP is enabled #164

Open yesongling opened 3 years ago

yesongling commented 3 years ago

Help needed: the project requires enabling the CSP feature of the egg framework's egg-security middleware. Once it is enabled, how do I add the nonce the framework generates for 'script-src' to inline script tags or style tags? Does the boilerplate have a configuration for this, or do I have to implement it myself?

Error: Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy. EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-rd5JCIzYZu2I6NbB'".

Sample configuration added in the project:

```js
exports.security = {
  // domainWhiteList,
  csp: {
    enable: true,
    policy: {
      'default-src': 'none',
      'script-src': 'self',
      'style-src': 'self',
    },
  },
};
```

hubcarl commented 3 years ago

@yesongling At the moment this can only be handled through the `afterRender` hook of vuessr.