fix: CSP allow inline scripts

TODO.md

@@ -1,6 +1,7 @@
 @TODO
 
 - gitea rebuild website on each push -> script!!
+- sha512 to scripts for csp
 
 blog
 

src/layouts/Layout.astro

@@ -3,6 +3,7 @@ import { author } from '@/package.json';
 import { CookieBanner, Footer, Header } from '@components/index';
 import { getLangFromUrl, useTranslations } from '@i18n/utils';
 import { fileTransferURL } from '@pages/en/file-transfer.astro';
+import notificationScriptUrl from '@public/scripts/notification?url';
 import { site, siteName } from '@shared/constants';
 import { indexSuffixRegEx, type SchemaProps } from '@shared/helpers';
 import noscriptStylesUrl from '@styles/noscript.scss?url';
@@ -90,7 +91,7 @@ const mainProps = Object.keys(props).reduce((prev, curr) => {
 			import.meta.env.PROD && (
 				<meta
 					http-equiv="content-security-policy"
-					content={`default-src 'none'; script-src ${site}/_astro/ ${site}/scripts/; style-src ${site}/_astro/ 'unsafe-inline'; img-src ${site}/; font-src 'none'; connect-src ${site}/ ${fileTransferURL}; frame-src ${fileTransferURL}; object-src 'none'; media-src 'none'; worker-src 'none';`}
+					content={`default-src 'none'; script-src ${site}/_astro/ ${site}/scripts/ 'unsafe-inline'; script-src-attr 'none'; style-src ${site}/_astro/ 'unsafe-inline'; img-src ${site}/; font-src 'none'; connect-src ${site}/ ${fileTransferURL}; frame-src ${fileTransferURL}; object-src 'none'; media-src 'none'; worker-src 'none';`}
 				/>
 			)
 		}
@@ -114,7 +115,7 @@ const mainProps = Object.keys(props).reduce((prev, curr) => {
 		<link rel="canonical" href={props.canonical || Astro.url.href.replace(indexSuffixRegEx, '')} />
 		<link rel="sitemap" href="/sitemap.xml" />
 
-		<script src="/scripts/notification.js" is:inline></script>
+		<script src={notificationScriptUrl} is:inline></script>
 
 		<ClientRouter />
 	</head>