Implement strict-dynamic alongside URL allowlists

[akashdotsrivastava]

Feature Requests

Adding a new CSP directive

Now I'm not sure if it's a new directive

I'm talking about implementing strict-dynamic in script_src alongside a list of known URLs.
Basically using nonce-specified inline scripts from my own views, alongside few URLs like jsdelivr

Of course using strict-dynamic blocks all external scripts.

https://csp.withgoogle.com/docs/faq.html#strict-dynamic-with-whitelists suggests a way to do that, specifying two csp headers.

Not sure how I'd replicate that in the initializer I use for SecureHeaders config.
Needless to say, setting scripts_src twice inside csp, generates a duplicate key warning

[oreoshake]

This is related to #323.

A hacky workaround is to supply , script-src as one of your values. This has the same effect as setting two headers. See https://twitter.com/mikewest/status/841892857736765443 for discussion on this.

[oreoshake]

I believe this has been resolved with strict-dynamic support