docs(csp): clarify usage of html.cspNonce and its implications for security

[abdelrhman-arnos]

Description

Docs: clarify limitations and correct usage of html.cspNonce (fixes #20531).

Adds explicit guidance that the config value is a placeholder, details required per-request server-side nonce generation and substitution, warns against static build-time nonces (security risk), explains incompatibility with immutable static SPA caching, and recommends hash-based CSP as an alternative.

Updated sections

The shared-options.md (html.cspNonce) and CSP portion of features.md (added placeholder vs runtime note and static hosting limitations tip). No code changes; docs only.

[sebastiancarlos]

It looks amazing, very clear. Thanks.

[sapphi-red]

Does this plugin work with dynamic imports? #20531 (comment)

[abdelrhman-arnos]

Yes. Hash-based CSP (like vite-plugin-csp-guard) works with dynamic import() as long as your CSP script-src still allows loading the chunk files (e.g. includes 'self' or you use a nonced/hashed entry plus 'strict-dynamic'). A hashes-only policy with neither 'self' nor 'strict-dynamic' will block dynamic imports. A nonce doesn’t conflict with long‑term cached hashed assets, just don’t give the HTML itself an immutable year-long cache or you risk version skew.

[sapphi-red]

Hash-based CSP (like vite-plugin-csp-guard) works with dynamic import() as long as your CSP script-src still allows loading the chunk files (e.g. includes 'self' or you use a nonced/hashed entry plus 'strict-dynamic').

The reproduction linked in w3c/webappsec-csp#243 (comment) does not work for me even though the code looks fine to me. Is the setup in that repro wrong? or does vite-plugin-csp-guard implement a workaround for that issue?