Can we add nonce support for django-csp?

[sshishov]

Describe the bug
Hi, we are trying to implement the Strict CSP policy meaning we do not allow unsafe-inline and require strict-dynamic

To Reproduce
When we are trying to render the page, we are getting:

Swagger:
- Refused to load the stylesheet 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui.css'
- Refused to load the script 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-bundle.js'
- Refused to load the script 'https://cdn.jsdelivr.net/npm/swagger-ui-dist@latest/swagger-ui-standalone-preset.js'
- Refused to execute inline script because it violates... (inline script with 'swaggerSettings' etc)
Redoc:
- Refused to load the script 'https://cdn.jsdelivr.net/npm/redoc@latest/bundles/redoc.standalone.js'

Expected behavior
No CSP errors should happen when using strict-dynamic with support of CSP

NOTE: I have manually added it in the file using <script nonce="{{request.csp_nonce}}" ...> and it was working like a charm.
I guess nowdays if you are using CSP, it is django-csp therefore it is good to add the support for it. Also maybe in future it will become the django standard library.

NOTE: if django-csp is not used, it still should be acceptable as people will be able to add either Host-based exclusion or allow unsafe-inline alltogether.

What do you think?

[sshishov]

Additional information: redoc has added nonce support already.

Changelog: https://github.com/Redocly/redoc/blob/main/CHANGELOG.md#200-rc66-2022-03-30

PR: Redocly/redoc#1566