
Next Build pages on Staging have JavaScript blocked by CSP #789

timcosgrove opened this issue Oct 8, 2024 · 0 comments

@timcosgrove, Contributor
Issue

On Staging, several scripts are blocked from loading because of incompatibility with the Content Security Policy we set in the revproxy. This causes the pages to not function correctly.

Acceptance Criteria

  • Event Detail and Event Listing pages load without CSP errors

Supporting detail

Example error:

Refused to load the script 'https://staging.va.gov/generated/web-components.entry.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' 'nonce-aXZh62zsW0594p4RRQ8m0sfwVqWTzCFP' http://www.google-analytics.com https://*.uservoice.com https://dap.digitalgov.gov https://designsystem.digital.gov https://maps.googleapis.com https://standards.usa.gov https://www.google-analytics.com https://www.googletagmanager.com https://tagmanager.google.com 'unsafe-eval' https://optimize.google.com https://gateway.foresee.com https://resource.digital.voice.va.gov https://nebula-cdn.kampyle.com https://staging-va-gov-assets.s3-us-gov-west-1.amazonaws.com https://s3-us-gov-west-1.amazonaws.com https://dsva-vetsgov-scorecard-staging.s3.us-gov-west-1.amazonaws.com https://staging.va.gov https://www.youtube.com https://*.ytimg.com https://cdn.botframework.com 'strict-dynamic'". Note that 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Content Build sets nonces on all script sources. This is likely the solution for Next Build as well.
