Nonce seems to be static - recommanded conf is dangerous for static website generators

[quadristan]

Description

Trying to use this plugin within a static website is opening security holes by default.
For example if we follow #53, it will add static nonces on a static website.

I would recommend to disable nonces by default, and let the user enable them on when they know that they wont pack a static website

What type of issue is this? (place an x in one of the [ ])

• bug
• enhancement (feature request)
• question
• documentation related
• testing related
• discussion

Requirements (place an x in each of the [ ])

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

---

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

slackhq/csp-html-webpack-plugin version: 5.1.0

Steps to reproduce:

1. create static website, such with as npx create-react-app my-app --template typescript
2. Install and wire the plugin npm install react-app-rewired csp-html-webpack-plugin --save-dev
3. Configure webpack overrides in config-overrides.js

const CspHtmlWebpackPlugin = require("csp-html-webpack-plugin");

module.exports = function override(config, env) {
  config.plugins.push(
    new CspHtmlWebpackPlugin({
      "script-src": "",
      "style-src": "",
    })
  );
  return config;
};

4. Build with react-app-rewired build
5. Check build/index.html file

Expected result:

Nonces are not static. At the very least, they should be generated by an inline script and injected

Actual result:

Static nonces are generated.
Uploading this to a CDN will allow anyone to grab the nunce and re-use it, bypassing the CSP

  <meta http-equiv="Content-Security-Policy"
    content="base-uri 'self'; object-src 'none'; script-src 'nonce-csu9vwLV51tCaN6biAAJFg=='; style-src 'nonce-vAVCeRTmI/cROWHcZcycQA=='">