Commit dfa794f5 authored by Oliver Hader's avatar Oliver Hader Committed by Andreas Fernandez

[TASK] Add CSP nonce helper for inline styles in lit-element templates

When using Content-Security-Policy for `style-src` with a `nonce-...`
value, it requires that inline styles (those using a `<style>` element)
have to be granted with a corresponding `nonce="..."` attribute.

Note: 'unsafe-inline' is ignored when using a nonce or hashes.
This behavior is described in CSP L3 in section 6.7.3.2.:2.1
(https://w3c.github.io/webappsec-csp/#allow-all-inline)
> If expression matches the nonce-source or hash-source grammar,
> return "Does Not Allow".

Even if `<style>` usages in lit-element templates are static in most
cases, it is considered an "inline style" in the scope of CSP.

This change introduces a work-around, exposing `window.litNonce`
in the global JavaScript context. In case a malicious script manages
to retrieve this information, it does not really matter, since the
malicious script was already executed with a valid nonce before...

Resolves: #100140
Releases: main
Change-Id: I53c2967f2c80c0f862145a4c94d75a5fc1349205
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78231


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
parent b5991998