David Iglesias f1b51a702c [web] Add nonce configuration. (flutter/engine#42829)
This PR adds a `nonce` JS configuration attribute so users can pass a nonce value to their flutter engine initialization code.

This `nonce` is used to mark all scripts/styles needed by Flutter web that are considered `unsafe-inline` by CSP. In this change, there are only two tags that benefit from this:

* canvaskit.js
* inline styles for text editing

Before this change, the most strict CSP that allows a Flutter Web app to run would look like:

```
script-src 'self' 'nonce-flutter-init-scripts' 'wasm-unsafe-eval' https://www.gstatic.com/flutter-canvaskit/;
font-src https://fonts.gstatic.com;
style-src 'unsafe-inline';
```

After this change, CSP could be tightened to:

```
script-src 'self' 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';
```

By initializing the Flutter web app with something like this:

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval'; font-src https://fonts.gstatic.com; style-src 'nonce-YOUR_NONCE_VALUE';">

...

<script nonce="YOUR_NONCE_VALUE">
  _flutter.loader.loadEntrypoint({
    onEntrypointLoaded: async function(engineInitializer) {
      let appRunner = await engineInitializer.initializeEngine({
        nonce: 'YOUR_NONCE_VALUE',
      });
      appRunner.runApp();
    }
  });
</script>
```

## Issues

Fixes https://github.com/flutter/flutter/issues/126977 (does not address `flutter.js`, that's a [different story](https://github.com/flutter/flutter/issues/128061))
Helps with https://github.com/flutter/flutter/issues/80221

2023-06-30 01:48:04 +00:00