This repository was archived by the owner on Jan 22, 2020. It is now read-only.
As shown here: https://github.com/paypal/react-engine/blob/v2.x/lib/server.js#L30 script tags are being used to generate inline code through this module. This forces developers to use an unsafe-inline CSP policy which introduces numerous security concerns.
The way lusca and other security modules get around this is by generating a nonce in the res.locals field of a response, which should then be applied to a script tag as: <script nonce={res.locals.nonce}>
We should add an option to put a nonce called from res.locals into the template defined above to eliminate this issue.