Read the csp meta's tag nonce attribute and fallback to the content attribute

This PR allows Turbo to support rails/rails#51729 to allow using the `nonce` attribute as well as the `content` attribute.

As described in rails/rails#51580 (comment) this makes it harder to extract the nonce value.

Author: codergeek121

src/core/drive/progress_bar.js

@@ -1,4 +1,4 @@
-import { unindent, getMetaContent } from "../../util"
+import { unindent, getCspNonce } from "../../util"
 
 export const ProgressBarID = "turbo-progress-bar"
 
@@ -108,8 +108,9 @@ export class ProgressBar {
     const element = document.createElement("style")
     element.type = "text/css"
     element.textContent = ProgressBar.defaultCSS
-    if (this.cspNonce) {
-      element.nonce = this.cspNonce
+    const cspNonce = getCspNonce()
+    if (cspNonce) {
+      element.nonce = cspNonce
     }
     return element
   }
@@ -119,8 +120,4 @@ export class ProgressBar {
     element.className = "turbo-progress-bar"
     return element
   }
-
-  get cspNonce() {
-    return getMetaContent("csp-nonce")
-  }
 }

src/util.js

@@ -5,7 +5,7 @@ export function activateScriptElement(element) {
     return element
   } else {
     const createdScriptElement = document.createElement("script")
-    const cspNonce = getMetaContent("csp-nonce")
+    const cspNonce = getCspNonce()
     if (cspNonce) {
       createdScriptElement.nonce = cspNonce
     }
@@ -173,6 +173,15 @@ export function getMetaContent(name) {
   return element && element.content
 }
 
+export function getCspNonce() {
+  const element = getMetaElement("csp-nonce")
+
+  if (element) {
+    const { nonce, content } = element
+    return nonce == "" ? content : nonce
+  }
+}
+
 export function setMetaContent(name, content) {
   let element = getMetaElement(name)