Open rjmac opened 3 months ago
I find this a bit annoying as well as I generate nonces for every request in nginx and now I have to remove the nonce provided by trunk from my html (which is not trivial). Wonder if this helps anyone as indeed the result of trunk is a static html.
Additionally, trunk seems to generate code that leads to unsafe-eval with CSP header: mycode_bin.js:258 Uncaught CompileError: WebAssembly.instantiateStreaming(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-blabla'"
I'm using version 0.21.0-rc.4
Is that desired behaviour? I guess I should just add 'wasm-unsafe-eval' to the CSP header?
It would be great if someone could come up with a PR for this.
In 0.20.2, Trunk started baking nonce attributes into the HTML files that it generates, but the security of nonces requires that they not be re-used across multiple requests. If CSP functionality is desired, Trunk should instead generate the sha256/384/512 hashes of the contents of those tags and put them someplace those hashes can be included in the header. (Note the insecure nature of the static nonce only matters if the HTML is served with a CSP header that allows that nonce. If it's not then the nonce is irrelevant, but it's better not to encourage insecure practices.)