
CSP guidance updates w/nonce & SRI examples #35022

Open
wants to merge 2 commits into base: main
Conversation

guardrex
Collaborator

@guardrex guardrex commented Mar 21, 2025

Fixes #35017
Fixes #34351

cc: @Rick-Anderson ... You asked about this going up. I'll finish it on Monday, but the bones 🦴 are here.

Thanks @akurone @PascalVorwerk 🎸 ... Thanks for your issue and discussion. It led to a nice set of updates!

@akurone ... Could you let me know what CSP you were using that resulted in the policy violation for the ImportMap component? For some reason, ME Edge doesn't flag it with my baseline policy. I'm not sure why, but I'd like to compare notes on that with you.

Notes

  • I'm adding content here for both the nonce-source and hash-source (SRI) approaches, using the ImportMap component's rendered inline <script> as an example, per Javier's advice.
  • There's new content on ...
    • Setting a more restrictive frame-ancestors directive (to "'none'") with ContentSecurityFrameAncestorsPolicy.
    • Setting a value at all for Blazor Server apps using middleware, which never did so OOB.
  • I'm also cleaning up and updating our baseline starting point CSP policies and adding additional MDN resource cross-links.
  • Also providing guidance on using 'unsafe-hashes' with a hash for the inline JS event handler in NavMenu.

I'm going to sleep on this PR over the weekend 🛌💤 and put final touches on it on Monday, and then I'll need a security review for sure on it.

NOTE TO REVIEWER

The framework seems like it's keeping its inline JS event handler in NavMenu, but it seems like the interwebs security gurus and HTML spec remarks are saying to get all inline JS event handlers out. The content here is going to cover 'unsafe-hashes' with a hash for now. I opened Remove the inline JS event handler in the NavMenu component? (dotnet/aspnetcore #61075) to ask the PU about removing it in an upcoming release.


Internal previews

File | Preview link
aspnetcore/blazor/fundamentals/startup.md | aspnetcore/blazor/fundamentals/startup
aspnetcore/blazor/fundamentals/static-files.md | aspnetcore/blazor/fundamentals/static-files
aspnetcore/blazor/security/content-security-policy.md | aspnetcore/blazor/security/content-security-policy

@guardrex guardrex self-assigned this Mar 21, 2025
@guardrex guardrex changed the title CSP guidance updates w/nonce & sri examples CSP guidance updates w/nonce & SRI examples Mar 21, 2025
@akurone

akurone commented Mar 21, 2025

Hi @guardrex,
I have a detailed comment on #34351 but for short my CSP is like this: object-src 'none'; block-all-mixed-content; script-src 'self' 'wasm-unsafe-eval', this is enough for Chrome DEV (136.0.7064.0) to complain about the presence of ImportMap on the page. I have laid out my steps in commits of this repo.
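Added example (not code from the PR, the ASP.NET Core docs, or either commenter) tying together the nonce-source, hash-source and 'unsafe-hashes' notes in the PR description and the policy @akurone posted above: it computes the CSP hash-source for a constructed inline script body, assembles a baseline policy with a nonce and frame-ancestors 'none', and checks whether a serialized policy lets an inline script or an inline event handler run under the CSP3 matching rules (script-src falling back to default-src). The ImportMap script body and NavMenu handler text are constructed samples, not the components' real output.

```python
import base64
import hashlib
import secrets
# Constructed samples (not the real ImportMap or NavMenu output): an inline <script>
# body as a component might render it, and the code of an inline onclick handler.
INLINE_IMPORTMAP = '{"imports":{"./app.js":"./app.abc123.js"}}'
INLINE_HANDLER = "document.querySelector('.navbar-toggler').click()"

def hash_source(inline_code: str) -> str:
    """CSP hash-source for inline script text: base64(SHA-256) over the exact bytes,
    so it must be computed from the final rendered markup (whitespace included)."""
    digest = hashlib.sha256(inline_code.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode()}'"

def nonce_source() -> str:
    """Fresh per-response nonce; the same value goes in the <script nonce=""> attribute."""
    return f"'nonce-{base64.b64encode(secrets.token_bytes(16)).decode()}'"

def build_policy(nonce: str, handler_hashes: list) -> str:
    """Baseline policy: nonce for rendered inline scripts, hashes plus 'unsafe-hashes' for
    inline event handlers, and frame-ancestors 'none' so the app cannot be framed at all."""
    script_src = " ".join(["'self'", "'wasm-unsafe-eval'", nonce, *handler_hashes, "'unsafe-hashes'"])
    return "; ".join(["base-uri 'self'", "object-src 'none'",
                      f"script-src {script_src}", "frame-ancestors 'none'"])

def parse_csp(policy: str) -> dict:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def inline_script_allowed(policy: str, inline_code: str, nonce: str = "", event_handler: bool = False) -> bool:
    """CSP3 inline-script rules: 'unsafe-inline' (ignored once any nonce or hash is listed),
    a nonce match (never for event handlers), or a hash match ('unsafe-hashes' needed for handlers)."""
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no script-src or default-src: inline script is unrestricted
    keywords = {s.lower() for s in sources}
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    if "'unsafe-inline'" in keywords and not has_nonce_or_hash:
        return True
    if nonce and not event_handler and nonce in sources:
        return True
    if hash_source(inline_code) in sources:
        return not event_handler or "'unsafe-hashes'" in keywords
    return False
```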

@guardrex
Collaborator Author

Awesome @akurone .... Thanks for that detailed information. I see what you mean about using a lib and needing a special approach to solve it in that case. I agree that we won't cover that ... at least not right now ... at least not without more developers asking for coverage on that scenario.

I'm taking off for the weekend right now, but I'll be back on Monday morning. I'll analyze further and respond then. Have a great weekend! 🏖️

Successfully merging this pull request may close these issues.

  • Update CSP for server-side Blazor (Blazor Web App)
  • No guidance for CSP