Description
On the admin-side we have the constant TEXTPATTERN_CSP_NONCE and the \Textpattern\UI\Script and \Textpattern\UI\Style methods to output script src, script, style and link rel="stylesheet" tags with a corresponding nonce. Having just made updates to bot_wtc and glz_custom_fields, it works well.
On the forum and elsewhere here in the issue, we've discussed different ways of tapping into apache or nginx generated unique_id's for using as a nonce in the public side, but as Stef has shown, it works just as well if generated by txp and then used throughout a page template. Up to now, I've set this as a variable at the top of a page and then construct the style and script tags accordingly. For my own templates, that's fine, but when making a template, you start to build in conditionals for if it is available.
Is there mileage for having a txp:nonce tag (or whatever) for setting a CSP nonce that other tags (e.g. txp:css) could 'contextually recognise' and adapt their output accordingly? See updated issue #1394.
I wonder if it needs some kind of "contextual trigger" for it to activate. In non-CSP use it's not needed; only when CSP headers have been set is it relevant. On the admin side you set that via config.php, but presumably front-end and admin-side CSP could potentially differ, so that activating flag can't be used for both.
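As an added illustration (not Textpattern's code, and not the txp:nonce tag proposed above), this sketches the "contextual trigger" idea in plain PHP: the nonce is generated once per request, the CSP header and the tag output share it, and tags only emit a nonce attribute once the policy has actually been activated. The class and method names are hypothetical.

```php
<?php
// Hypothetical helper, not part of Textpattern: one CSP nonce per request,
// shared by the response header and every script/style tag that uses it.
final class CspContext
{
    private static ?string $nonce = null;   // generated lazily, once per request
    private static bool $active = false;    // the "contextual trigger"

    // Generate (or reuse) the request nonce: 128 random bits, base64 is CSP-safe.
    public static function nonce(): string
    {
        return self::$nonce ??= base64_encode(random_bytes(16));
    }

    // Send the policy header and mark CSP as active for this request.
    public static function activate(): void
    {
        $n = self::nonce();
        header("Content-Security-Policy: default-src 'self'; "
            . "script-src 'nonce-$n'; style-src 'nonce-$n'");
        self::$active = true;
    }

    public static function active(): bool
    {
        return self::$active;
    }

    // Only add nonce="..." when a CSP header has been set; otherwise plain tags.
    private static function nonceAttr(): string
    {
        return self::$active
            ? ' nonce="' . htmlspecialchars(self::nonce(), ENT_QUOTES) . '"'
            : '';
    }

    public static function script(string $src): string
    {
        return '<script src="' . htmlspecialchars($src, ENT_QUOTES) . '"'
            . self::nonceAttr() . '></script>';
    }

    public static function stylesheet(string $href): string
    {
        return '<link rel="stylesheet" href="' . htmlspecialchars($href, ENT_QUOTES) . '"'
            . self::nonceAttr() . '>';
    }
}

// Usage in a template: without activate() the tags carry no nonce attribute.
CspContext::activate();
echo CspContext::stylesheet('/css/default.css'), "\n";
echo CspContext::script('/js/site.js'), "\n";
```

A front-end and an admin-side policy can call activate() independently, which is why the flag here is per request rather than a single config setting.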