
Feat: build hashing #32

Merged
merged 25 commits into from
Aug 18, 2024

Conversation

tsotimus
Owner

@tsotimus tsotimus commented Aug 10, 2024

Build Hashing

Reason for changes

We should probably allow hashing js and css in production.

Key Changes

  • Added new plugin options
  • Added functionality for hashing production builds
  • Removed some default policies

Approach

It looks like the browser treats our CSS and JS as technically "external" CSS/JS under script-src-elem or style-src-elem, which means if we are hashing, this requires integrity hashes as documented here.

For scripts it looks like we need to add integrity & hashes.
For styles it looks like we need to add integrity & hashes also, but we also need to add 'self' in the policy.

How does setting integrity on JavaScript/CSS that's lazy loaded in work? -> This needs the 'self' in the policy also.

Leads me to believe hashing these is pretty pointless, honestly.

Conclusion

Okay, so for build we actually need 'self' directives on both JS and CSS imports.
'self' should be a default in both.

We should probably not be hashing these, OR we should optionally hash them with the integrity attribute added. But in both of these scenarios we should still include the 'self' directive, because it's required to make the majority of SPAs work!

Other conclusion is we should probably change the name of this package, to vite-plugin-csp-guard ??

Checklist

  • Tests
  • Documentation

@tsotimus tsotimus merged commit f42957e into main Aug 18, 2024
1 check passed
@tsotimus tsotimus deleted the feat/prod-hash branch January 4, 2025 19:08