michalsn
left a comment
Seems like disabling enableScriptNonce / enableStyleNonce still adds nonce="..." to the HTML tag, but no longer adds the matching 'nonce-...' value to the CSP header. As a result, those inline <script> / <style> blocks will be blocked by the browser.
Done. Now both the header and the nonce="..." attribute are removed from the HTML.
Thank you. There is one place left: https://github.com/codeigniter4/CodeIgniter4/blob/develop/system/Autoloader/Autoloader.php#L541 - it still fetches nonces based only on
Done
Description
This PR adds the ability to have more control over whether to add nonces on style-src, style-src-elem, script-src and script-src-elem individually by introducing two new boolean variables in the CSP config.
I am not sure this is the optimal solution for this feature, which is why I've made this a draft PR so others can look at the implementation and suggest necessary changes. That is also why I haven't updated the user guide or changelog yet.
Checklist:
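To make the review point concrete, here is an added Python illustration (not CodeIgniter's code) of per-directive nonce switches like the two booleans this PR introduces, modelled only for script-src and style-src, together with a check that flags the exact mismatch raised above: a nonce="..." attribute in the HTML with no matching 'nonce-...' source in the header. The `attr_follows_switch` flag is a hypothetical knob used only to reproduce the pre-fix behaviour.

```python
import re
import secrets

def render(enable_script_nonce, enable_style_nonce, nonce="", attr_follows_switch=True):
    """Return (csp_header, html) for one response.

    With attr_follows_switch=True the nonce attribute is only emitted when the
    directive's switch is on, and the same nonce is then added to the header.
    With attr_follows_switch=False the attribute is always emitted, reproducing
    the behaviour described in review (header omits it, browser blocks the block).
    """
    nonce = nonce or secrets.token_urlsafe(16)  # constructed per-response nonce
    directives = {"script-src": ["'self'"], "style-src": ["'self'"]}
    script_attr = style_attr = f' nonce="{nonce}"'
    if enable_script_nonce:
        directives["script-src"].append(f"'nonce-{nonce}'")
    elif attr_follows_switch:
        script_attr = ""
    if enable_style_nonce:
        directives["style-src"].append(f"'nonce-{nonce}'")
    elif attr_follows_switch:
        style_attr = ""
    header = "; ".join(f"{k} {' '.join(v)}" for k, v in directives.items())
    html = (f"<style{style_attr}>body{{margin:0}}</style>\n"
            f"<script{script_attr}>console.log('hi')</script>")
    return header, html

NONCE_ATTR = re.compile(r'<(script|style)\b[^>]*\bnonce="([^"]*)"', re.I)

def nonce_mismatches(header, html):
    """Return (tag, nonce) pairs whose nonce attribute has no matching
    'nonce-...' source in the governing directive. A CSP-enforcing browser
    blocks exactly these inline blocks."""
    sources = {}
    for part in header.split(";"):
        name, _, rest = part.strip().partition(" ")
        sources[name] = set(rest.split())
    bad = []
    for tag, value in NONCE_ATTR.findall(html):
        directive = "script-src" if tag.lower() == "script" else "style-src"
        if f"'nonce-{value}'" not in sources.get(directive, set()):
            bad.append((tag.lower(), value))
    return bad
```

Running `nonce_mismatches` over a real response's header and body is a cheap regression check for this feature: with the switches honoured consistently it returns an empty list.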