Allow `nonce` attribute on script/style tags

[nickclaw]

The nonce attribute is helpful in increasing the coverage of a pages Content Security Policy by allowing some script tags to be evaluated inline without enabling 'unsafe-inline' over the entire page. Right now I believe the only way to create a script tag to with the nonce attribute is to use dangerouslySetInnerHTML on a parent element.

https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/

[nickclaw]

Adding the hash attribute would be helpful for the same reasons as above.

[zpao]

Can you link to a spec or something about the hash attribute? I don't see it referenced above.

[nickclaw]

Oh whoops. It looks like there isn't a hash attribute, the browser just checks each <script> block to see if the hash matches the provided match.

http://www.w3.org/TR/CSP2/#script-src-hash-usage