slackhq / csp-html-webpack-plugin

A plugin which, when combined with HTMLWebpackPlugin, adds CSP tags to the HTML output.
MIT License

Nonce seems to be static - recommended conf is dangerous for static website generators #121

Open quadristan opened 8 months ago

quadristan commented 8 months ago

Description

Trying to use this plugin within a static website is opening security holes by default. For example if we follow https://github.com/slackhq/csp-html-webpack-plugin/issues/53, it will add static nonces on a static website.

I would recommend disabling nonces by default, and letting the user enable them when they know that they won't pack a static website.

Bug Report

Reproducible in:

slackhq/csp-html-webpack-plugin version: 5.1.0

Steps to reproduce:

1. Create a static website, such as with `npx create-react-app my-app --template typescript`
2. Install and wire the plugin: `npm install react-app-rewired csp-html-webpack-plugin --save-dev`
3. Configure webpack overrides in `config-overrides.js`:

   ```js
   const CspHtmlWebpackPlugin = require("csp-html-webpack-plugin");

   module.exports = function override(config, env) {
     // Register the CSP plugin with empty script-src / style-src;
     // the plugin fills the directives in (including nonces) at build time.
     config.plugins.push(
       new CspHtmlWebpackPlugin({
         "script-src": "",
         "style-src": "",
       })
     );
     return config;
   };
   ```

4. Build with `react-app-rewired build`
5. Check the `build/index.html` file

#### Expected result:

Nonces are not static. At the very least, they should be generated by an inline script and injected.

#### Actual result:

Static nonces are generated.
Uploading this to a CDN will allow anyone to grab the nonce and re-use it, bypassing the CSP.

```html
  <meta http-equiv="Content-Security-Policy"
    content="base-uri 'self'; object-src 'none'; script-src 'nonce-csu9vwLV51tCaN6biAAJFg=='; style-src 'nonce-vAVCeRTmI/cROWHcZcycQA=='">
```
LoganKells commented 2 months ago

I've used webpack to programmatically generate nonce values during each build.