security: avoid CSP conflict with sha/nonce during dev & add support for 'style-src-elem'

[MathiasWP]

this is a continuation from #11485, which solved sveltekit related problems to CSP.

after updating sveltekit i tried to remove unsafe-inline from script-src-elem, style-src-attr & style-src-elem. it worked on script-src-elem, but style-src-attr and style-src-elem are not working. this is because of how svelte works with csp (sveltejs/svelte#7800).

to combat some the style-src-elem i've extended CSP so it automatically adds the SHA for the /* empty */ value if not already added to style-src-elem.

i'm not quite sure how style-src-attr should be fixed, i believe this has to be done via Svelte with CSSOM.

extra: i've also made it so that CSP removes hashes and nonces from style-src, style-src-attr or style-src-elem during dev when adding the "unsafe-inline" to solve this error message:

i noticed this after adding the hash myself on my app when trying to solve the style-src-elem bug.

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

• It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC: https://github.com/sveltejs/rfcs
• This message body should clearly illustrate what problems it solves.
• Ideally, include a test that fails without this PR but passes with it.

Tests

• Run the tests with pnpm test and lint the project with pnpm lint and pnpm check

Changesets

• If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Edits

Please ensure that 'Allow edits from maintainers' is checked. PRs without this option may be closed.

[changeset-bot]

🦋 Changeset detected

Latest commit: 98271f7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@sveltejs/kit	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Rich-Harris]

thank you!

[bcaller]

If unsafe-inline is added to the CSP directives, nonces/hashes will break that. We should avoid messed-up CSPs in prod as well as dev. Would it be acceptable to apply this logic everywhere rather than just dev?