[EE] Add support for Content-Security-Policy
To support this, we need to change all
%script throughout our HAML to store JSON and other text,
but since this doesn't execute, browsers don't appear to block
this content from being used and require the nonce value there.