Conversation

@seromenho commented Jan 26, 2021

Seems the integration is using inline styles (having a CSP violation only on mobile; desktop works fine), meaning that the CSP style-src rule needs to allow unsafe-inline.
This PR is a suggestion on how we can use the nonce technique for the style-src rule.
This nonce will then need to be captured and set on link-initialize.js.

Please let me know what you think, or if there's some other alternative.

Thanks

#118 is kinda related

@skylarmb (Contributor) commented Jan 27, 2021

Hi @seromenho, we have an internal ticket to track this and #118. Thanks! I'll make sure to update here if there is anything to share.

Merging your PR as-is would not do anything as Link does not accept a nonce parameter, so leaving this PR open until we implement that or another solution to the unsafe-inline issue.

@seromenho (Author) commented Jan 27, 2021

Hey @skylarmb, thanks for letting me know. 👍 (maybe the internal ticket was opened by me or not 🙂, because #118 has been open for some time now)
I know Link doesn't accept a nonce param, and as I've mentioned in the PR description this would only work if the needed changes are also applied to Link, but for that one I haven't found a repo.
The needed changes with this approach would be to capture the nonce and then apply it to any inline styles.
I've found no other way so far; can you confirm that Link as it is only works by allowing unsafe-inline?

Thank you

@seromenho changed the title from "Get and pass jss nonce to options if it exists" to "CSP: Get and pass jss nonce to options if it exists" on Feb 4, 2021

@roypearce

Any update on this @skylarmb?

Companies shouldn't have to lower the security of their style CSP to unsafe-inline just to integrate Plaid into their product.

Defining a static nonce isn't great, but it's better than the alternative of unsafe-inline.

A more preferable alternative would be to have Plaid host the stylesheet so cdn.plaid.com could be defined as a style-src.
