Closed
Description
We're trying to implement a CSP with Turbo.JS enabled. We're running into issues with new DOMParser().parseFromString(html, "text/html"), called from the PageSnapshot -> fromHTMLString.
Is CSP supported officially by Turbo? If so, how can we implement this? We can disable the nonce to allow unsafe-inline on the style side, which works but is not perfect.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-x5vJxhLYnMk87cAFBQAZyQengQlkiLU0IV56zb9q' 'unsafe-eval' https://rsms.me/inter/inter.css". Either the 'unsafe-inline' keyword, a hash ('sha256-Zt/lJRM6BFxPXh6Z2Wd3uSMAEMQJFCEyHj3wv0AnITY='), or a nonce ('nonce-...') is required to enable inline execution.
parseHTMLDocument @ app.aeffb485.js:423
fromHTMLString @ app.aeffb485.js:1594
(anonymous) @ app.aeffb485.js:1803
render @ app.aeffb485.js:1981