Implement Policy Alter event in other modules

I'm not sure if CDN could need to make alterations for certain configurations.

Thank you for opening those issues and creating patches.

----

The end result is the same, but in other modules instead of using a service provider to conditionally register the event handler service, I've defined the service in YML and then conditionally registered for the event:

  public static function getSubscribedEvents() {
    if (!class_exists(CspEvents::class)) {
      return [];
    }

    $events[CspEvents::POLICY_ALTER] = ['onCspPolicyAlter'];
    return $events;
  }

Matomo and Blazy make global alterations to the policy, so don't require additional services, but defining the the event subscriber in YML is likely preferable in cases where other services need to be injected.

Yeah, I broke things with that commit because I didn't test a site without CSP enabled first 😬

There isn't yet a documentation page.

CSP's handling for Drupal Core and the listed modules in this issue currently provide examples of a few use cases:
- A global alteration to the policy
- Alterations based on enabled modules
- Alterations based on libraries attached to the page
- Registering alterations based on render element attributes

First, there are some important considerations about using hashes or nonces to authorize scripts:
- nonces can only be used to authorize <script> or <style> elements, not attributes on other elements.
- hashes can only be used to authorize attributes in browsers that support CSP Level 3, in combination with the 'unsafe-hashes' directive
- hashes can only authorize external scripts in browsers that support CSP Level 3
- Using a hash or nonce will override 'unsafe-inline' (ckeditor relies on script-src-attr 'unsafe-inline'; AJAX responses may need to add additional script elements on the page, which currently relies on script-src-elem 'unsafe-inline')

For an example, the Attach Inline module uses hashes by default to authorize its scripts, but can optionally configured to use a nonce instead.
- The module retrieves a nonce from the module's CSP Event Subscriber, adds the nonce attribute to the element being rendered, and registers the necessary directives (https://git.drupalcode.org/project/attachinline/-/blob/8.x-1.x/src/Asset...)
- The event subscriber then alters the registered directives to include the nonce, with consideration for the presence of 'unsafe-inline' (https://git.drupalcode.org/project/attachinline/-/blob/8.x-1.x/src/Event...)

The most restrictive policy possible with an inline script element and a nonce will depend on page content:

With only CKEditor:

  script-src 'self' 'unsafe-inline';
  script-src-attr 'unsafe-inline';
  script-src-elem 'self' 'nonce-abcdef'

with only AJAX:

  script-src 'self' 'unsafe-inline';
  script-src-attr 'none';
  script-src-elem 'self' 'unsafe-inline'

with both:

  script-src 'self' 'unsafe-inline';
  script-src-attr 'self' 'unsafe-inline';
  script-src-elem 'self' 'unsafe-inline'

Attach Inline will only add hashes to a directive if it or a fallback directive is enabled in configuration, and the directive does not include 'unsafe-inline'.
Any page with the Drupal AJAX library attached currently requires style-src 'unsafe-inline'; style-src-elem 'unsafe-inline', but enabling the CSP Extras module added in CSP 8.x-1.13 will override core to remove this requirement.

I think this issue has finished its usefulness - the most notable modules I'm aware of have support.

Feel free to ping me in Slack or open another issue for help supporting a particular module :)