
Allow Gatsby to run with a CSP without unsafe-inline. #3758

Closed
chuckharmston opened this issue Jan 28, 2018 · 4 comments

Comments

@chuckharmston

In order to use Gatsby with a CSP, the inline CSS and JavaScript it produces require it to be run with unsafe-inline, which renders it vulnerable to a broad swath of attacks and generally makes the CSP worthless.

There are two ways to permit this:

  1. By allowing generated assets to be loaded as external assets, so origins can be used to control this.
  2. By using strict-dynamic and hashes of the content of each generated file or inline resource. This provides slightly better security, but is also more complex and rigid. Ideally in this case, the generated CSP is inserted as a <meta> tag and the same CSP is inserted into gatsby-plugin-netlify's generated _headers file.

I'd favor #1 as opt-in behavior for its flexibility. It would require more requests, but H/2's multiplexing reduces the penalty for that.

@ghost

ghost commented Jan 29, 2018

There are some related issues which go in the direction of option 2:

Ideally the CSP should be opt-out; option 2 does not require HTTP/2 to be efficient.

@jorispz

jorispz commented Apr 6, 2018

Would it be terribly difficult to make option 1 work? From my (very limited) perspective it would seem the easier route, at the expense of a few requests more.

@KyleAMathews
Contributor

Due to the high volume of issues, we're closing out older ones without recent activity. Please open a new issue if you need help!

@simonlc

simonlc commented Oct 13, 2018

The only problem with option 2 is it will not work with other deployments. In my opinion there should be an option for having zero inlined scripts/code. Option 2 is favorable however if you do have a supported host.
