Debug bar broken when using CSP

[KminekMatej]

Version: 2.10.7

Bug Description

Debug bar is broken when specifying CSP rules in config.neon.
Probable cause is by loading <style class="tracy-debug">, which CSP effectively blocks, due to style-src: [nonce, *, unsafe-inline]
There is an insight in console: Content-Security-Policy: Nastavení stránky zablokovalo načítání zdroje na inline („style-src“).

Steps To Reproduce

Add to config file:

http:
    csp:
        default-src: [self]
        font-src: [self, https://fonts.gstatic.com, https://fonts.googleapis.com]
        script-src: [nonce, strict-dynamic, *, unsafe-inline]
        style-src: [nonce, *, unsafe-inline]
        frame-ancestors: [https://*.domain.ltd, http://localhost:3000]
        frame-src: [https://www.googletagmanager.com]
        report-uri: https://domain.ltd/security/csp/report

Expected Behavior

Bar dumps should look all the same as when CSP is not used

Possible Solution

<style class="tracy-debug"> must contain nonce when its configured in CSP.
However Im not sure how to propagate CSP setting from config file into phtml templates - thats why I cannot attach pull request along this issue

[dg]

Tracy does not support CSP style-src, as stated in the documentation https://github.com/nette/tracy?tab=readme-ov-file#content-security-policy.

The thing is, one aspect is Tracy's support, but all user panels, which often use custom styles, would also need to start supporting it. Besides, I don't see much useful benefit in using style-src.