add csp-nonce meta tag

* don't need nonce on scripts, just loading 'self'
* add csp-nonce meta tag
* manual chunk of emotion_sheet to make backend easily able to modify code to inject the meta nonce

see: gregtwallace/certwarden-backend@f127749

index.html

@@ -7,6 +7,8 @@
       content="width=device-width, initial-scale=1, shrink-to-fit=no"
     />
 
+    <meta property="csp-nonce" nonce="{SERVER-CSP-NONCE}" />
+
     <link rel="stylesheet" href="/fonts/roboto.css" />
 
     <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />

vite.config.js

@@ -3,6 +3,20 @@ import react from '@vitejs/plugin-react-swc';
 
 // https://vitejs.dev/config/
 export default defineConfig({
+  build: {
+    rollupOptions: {
+      output: {
+        manualChunks: (id) => {
+          if (id.includes('node_modules')) {
+            // if emotion/sheet
+            if (id.includes('emotion/sheet')) {
+              return 'emotion_sheet';
+            }
+          }
+        },
+      },
+    },
+  },
   plugins: [
     react(),
     // add preload attribute and nonce place holder
@@ -15,11 +29,11 @@ export default defineConfig({
           // add nonce?
           if (
             p1 === 'style' ||
-            p1 === 'script' ||
+            // p1 === 'script' ||
             // if link, only nonce for stylesheet and modulepreload
             (p1 === 'link' &&
-              (p2.includes('rel="stylesheet"') ||
-                p2.includes('rel="modulepreload"')))
+              p2.includes('rel="stylesheet"'))
+              //  || p2.includes('rel="modulepreload"')
           ) {
             p2 = `nonce="{SERVER-CSP-NONCE}" ${p2}`;
           }