Describe the problem
I cannot have a dynamic environment variable control a CSP directive.
This is needed to configure the CSP on startup of the SvelteKit app in a Docker container; the image cannot compile the application on the deployment machine because it has a relatively weak CPU and will take a while to spin up the instance then.
This problem makes it so that people that want to self-host the frontend either need to completely re-build it and re-publish their own docker image, or the project needs to get changed to not support inline script injection protection.
Describe the proposed solution
It would be really nice to be able to get the CSP hash/nonce for an intercepted page in the hooks.server.ts to be able to append those to the header of the response.
Alternatives considered
Considered reading the file in the hook, locating the CSP meta element, reading it, removing it, and then adding the hash to the header.
Importance
I cannot make my SvelteKit app self-hostable without it
Additional Information
No response
This is also useful for other types of CSP manipulation.
form-action could be restricted to the server form actions of the given page.
A Typebot widget e.g. TypeBotIntegration.svelte could add dynamic values to the page only if it's rendered, so only those pages can load a Typebot that have the widget component rendered.
So, there could be 2 levels of configurability: route based (e.g. if route is /posts/, allow loading certain resources), or component-based, e.g. (add this to the style-src if this component is rendered anywhere on the page).
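A runtime merge of environment-supplied sources into one directive from a server hook, as an added example (not code from the issue, the comment, or SvelteKit itself). It assumes the response reaching the hook already carries a `content-security-policy` header; a policy delivered only in a meta element, the case the issue's alternative describes, is not covered. `CSP_CONNECT_SRC`, `parseExtraSources`, `extendDirective` and `makeHandle` are hypothetical names.

```typescript
// Added example. CSP_CONNECT_SRC and all function names here are hypothetical.
// Only plain https origins are accepted (optional wildcard subdomain and port).
const ORIGIN = /^https:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;
// Parse a space-separated env value. A token carrying ';', ',', quotes or a keyword
// such as 'unsafe-inline' is rejected, so the variable can widen one directive but
// cannot add directives or switch protections off.
function parseExtraSources(raw: string | undefined): string[] {
  const out: string[] = [];
  for (const token of (raw || '').split(/\s+/)) {
    if (token === '') continue;
    if (!ORIGIN.test(token)) throw new Error('rejected CSP source: ' + JSON.stringify(token));
    if (out.indexOf(token) === -1) out.push(token);
  }
  return out;
}

// Append sources to one fetch directive; nonces, hashes and other directives pass through.
function extendDirective(policy: string, directive: string, extra: string[]): string {
  if (extra.length === 0) return policy;
  const parts = policy.split(';').map((p) => p.trim()).filter((p) => p !== '');
  const sourcesOf = (name: string): string[] | null => {
    for (const p of parts) {
      const t = p.split(/\s+/);
      if (t[0].toLowerCase() === name) return t.slice(1).filter((s) => s !== "'none'");
    }
    return null;
  };
  // An absent fetch directive falls back to default-src, so start from that list ('none' must stand alone).
  const base = sourcesOf(directive) || sourcesOf('default-src') || [];
  const merged = base.concat(extra.filter((s) => base.indexOf(s) === -1));
  const rest = parts.filter((p) => p.split(/\s+/)[0].toLowerCase() !== directive);
  return rest.concat([directive + ' ' + merged.join(' ')]).join('; ');
}

// Minimal structural type so the block runs without SvelteKit installed.
type Res = { headers: { get(n: string): string | null; set(n: string, v: string): void } };
// In src/hooks.server.ts: export const handle = makeHandle(env.CSP_CONNECT_SRC),
// with env imported from '$env/dynamic/private'. Validation runs once at startup.
function makeHandle(raw: string | undefined) {
  const extra = parseExtraSources(raw);
  return function handle<E, R extends Res>(input: { event: E; resolve: (e: E) => Promise<R> }): Promise<R> {
    return input.resolve(input.event).then((response) => {
      const csp = response.headers.get('content-security-policy');
      if (csp !== null) response.headers.set('content-security-policy', extendDirective(csp, 'connect-src', extra));
      return response;
    });
  };
}
```

Because the value is validated when `makeHandle` is called, a malformed variable stops the container at startup instead of shipping a weakened policy.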