Autogenerate CSP hashes for static adapter

[DylanPiercey]

Explore automatically replacing csp nonces with content hashes and an inline meta http-equiv tag (eg https://www.isaacsmith.us/blog/2022/add-csp-to-github-pages) when the static adapter is used.

This would allow csp nonce in ssr builds while still having a stricter csp in static builds.

[caseycarroll]

I'd like to call out a peculiar performance bug in chromium related to the meta CSP tag. The presence of a meta CSP tag disables the browser's preload scanner. Fortunately, this appears to be getting fixed soon.

The CSP meta tag can be a perf footgun in other ways. If, for any reason, a script tag exists before a meta CSP tag, browsers will disable the preload scanner. I'm struggling to find strong references to this behavior, but it is mentioned here by a DevRel at Google who strongly discourages the meta CSP altogether: https://rviscomi.dev/2023/07/you-probably-dont-need-http-equiv-meta-tags/#content-security-policy

Other references:

• https://issues.chromium.org/issues/40070749
• https://stackoverflow.com/questions/78114535/content-security-policy-meta-tag-preventing-preload-scanner-to-work-properly-in