What kind of change does this PR introduce? (check at least one)

• Bugfix
• Feature
• Code style update
• Refactor
• Build-related changes
• Other, please describe:

Does this PR introduce a breaking change? (check one)

• Yes
• No

If yes, please describe the impact and migration path for existing applications:

The PR fulfills these requirements:

• It's submitted to thedev branch for v2.x (or to a previous version branch),not themaster branch
• When resolving a specific issue, it's referenced in the PR's title (e.g.fix #xxx[,#xxx], where "xxx" is the issue number)
• All tests are passing:https://github.com/vuejs/vue/blob/dev/.github/CONTRIBUTING.md#development-setup
• New/updated tests are included

Other information:

CSPv3 allows simple nonce based policies and directives such asstict-dynamic. Declaring a policy such as:

Content-Security-Policy:  object-src 'none';  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;  base-uri 'none';  report-uri https://your-report-collector.example.com/

Would not work with current nonce support with features such as resource hints. This policy creates errors such as

Refused to load the script 'http://localhost:8082/manifest.js' because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-68f9bed4d31fcde221e7b5e871860ff2' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' http:". 'strict-dynamic' is present, so host-based allowlisting is disabled. Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

This is because not all rendered elements have an associated nonce.

To support stricter policies that only work scripts / resource hinting addnonce attribute to all element that could be affected via a nonce based policy.