[v2.x] add nonce to the script tag for unsafe-inline

[kumarrishav]

Fix: #193

[kumarrishav]

@linkRace review?

[linkRace]

This would be the general idea, yes. Just curious where the nonce would get added to the data attribute.

[kumarrishav]

@linkRace yup it will. part of data objectnonce: 'XCOuVO2tFc4PeKhx0ZlWWfABwsLjnzRaIhim3iTFLRZ2IUCB', _csrf: 'cZzTfhRzUK97Zj0qHI0V3p8R8iOQgUflcAS9g=',
Similar way we have context, locale too in data object.

I checked in the console.log of data

[kumarrishav]

https://github.com/paypal/react-engine/blob/v2.x/lib/server.js#L99

[kumarrishav]

so, all the props of kraken comes into react-engine via options arg which get merged into data https://github.com/kumarrishav/react-engine/blob/aea30c81ddee4a163ace234db4d96c066efdae39/lib/server.js#L71
. i will replace data with options which makes more sense :).

[samsel]

just curious, are you still using v2?

[kumarrishav]

yeah, when the project was started v2.x was available that time. Probably this quarter we might do the update.

[kumarrishav]

@samsel done.