Error:
Refused to apply a stylesheet because its hash, its nonce, or 'unsafe-inline' does not appear in the style-src directive of the Content Security Policy.
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'nonce-rd5JCIzYZu2I6NbB'".
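Help request:
The project requires enabling the CSP feature of the egg-security middleware in the egg framework. Once it is enabled, how do I add the nonce that the framework generates for 'script-src' to inline script or style tags? Does the boilerplate have a configuration for this, or do I have to implement it myself?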
Sample of the configuration added to the project:
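```js
exports.security = {
  // domainWhiteList,
  csp: {
    enable: true,
    policy: {
      // CSP keywords must keep their own single quotes in the header value;
      // a bare self would be read as a host named "self".
      'default-src': "'none'",
      'script-src': "'self'",
      'style-src': "'self'",
    },
  },
};
```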
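The mechanism the question asks about, as an added example that is not part of the original post and is not egg-security's own code: the same per-response nonce goes into both `script-src` and `style-src` and is written into the trusted template source. The helper names, the `{{...}}` template syntax and the sample markup are constructed for illustration, and the nonce comes from Node's `crypto` as a stand-in for the value the framework generates.

```javascript
const crypto = require('crypto');

// Constructed policy mirroring the one in the post (keywords keep their quotes).
const POLICY = {
  'default-src': ["'none'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
};

// Serialize the policy, adding the per-response nonce to the two directives
// that control inline <script> and <style> elements.
function buildCsp(policy, nonce) {
  return Object.entries(policy).map(([name, sources]) => {
    const list = sources.slice();
    if (name === 'script-src' || name === 'style-src') list.push(`'nonce-${nonce}'`);
    return `${name} ${list.join(' ')}`;
  }).join('; ');
}

// Escape data before it is placed in HTML so it cannot open a tag of its own.
const escapeHtml = s => String(s).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);

// The nonce attribute lives in the trusted template source. It is never stamped
// onto tags after rendering, so markup that arrives as data gets no nonce.
const TEMPLATE = [
  '<style nonce="{{nonce}}">body { margin: 0 }</style>',
  '<p>{{comment}}</p>',
  '<script nonce="{{nonce}}">window.ready = true;</script>',
].join('\n');

function render(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => escapeHtml(data[key]));
}

// One response: a fresh nonce, the same value in the header and in the markup.
function respond(comment) {
  const nonce = crypto.randomBytes(16).toString('base64');
  return {
    nonce,
    headers: { 'Content-Security-Policy': buildCsp(POLICY, nonce) },
    body: render(TEMPLATE, { nonce, comment }),
  };
}
```

A nonce only authorizes inline `<script>` and `<style>` elements. The `EvalError` in the report is governed by `'unsafe-eval'`, so it persists until the code path that evaluates strings is removed or that source is explicitly allowed.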