Flask-admin can't be used with "strict" content security policy (https://csp.withgoogle.com/docs/strict-csp.html), i.e., with content-security-policy headers that allow scripts based on a nonce rather than on a whitelist of origins. Given that nonce-based CSPs are the recommended way to use CSP, it would be nice if flask-admin supported them.
To be compatible, it needs:
- a way to specify a nonce to be added to <script> tags. The nonce is generated at every request by the extension that handles the CSP header (e.g., flask-talisman sets the csp_nonce attribute in flask.request and defines a function csp_nonce() in the jinja globals).
- to remove inline JavaScript and event handlers. I cursorily looked at those, and it seems that at least for the bootstrap3 template, there are just a handful of <a href="javascript:void(0)"> that could be migrated to <a href="#">.
This is related to #1135 (both refer to Content-Security-Policy compatibility), but this addresses a different problem (compatibility with nonce-based CSPs, rather than removal of inline JavaScript).
I may work on a PR for this (no guarantee).
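The two requirements above (a per-request nonce that reaches every <script> tag, and no inline handlers or javascript: URLs left in the templates) can be checked mechanically. The following is an added example written for this thread, not code from flask-admin or flask-talisman: it generates a nonce the way a CSP extension would, builds the strict-CSP header value from the csp.withgoogle.com recipe, and audits rendered HTML for the constructs a nonce-based policy blocks. The sample markup is constructed to resemble the bootstrap3-style template the issue describes; the header helper and auditor are this example's own, not flask-talisman's API.

```python
"""Strict (nonce-based) CSP helpers plus an auditor for the HTML constructs
such a policy blocks. Example code for this discussion; not flask-admin or
flask-talisman code. Standard library only."""
import base64
import secrets
from html.parser import HTMLParser


def generate_nonce(nbytes: int = 16) -> str:
    """Fresh per-response nonce: 128 bits from the OS CSPRNG, base64-encoded
    (the encoding the CSP spec uses in its examples)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def strict_csp_header(nonce: str) -> str:
    """Content-Security-Policy value following the csp.withgoogle.com strict-CSP
    recipe. 'strict-dynamic' lets nonced scripts load further scripts;
    'unsafe-inline' and https: are fallbacks that nonce-aware browsers ignore."""
    return (
        f"object-src 'none'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
        f"base-uri 'none'"
    )


class StrictCspAuditor(HTMLParser):
    """Collects (line, message) for every construct a nonce-based CSP blocks:
    <script> without the current nonce (inline or external, both need it),
    inline on* event handlers, and javascript: URLs in navigation attributes."""

    URL_ATTRS = {"href", "src", "action", "formaction"}

    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "script" and attrs.get("nonce") != self.nonce:
            self.findings.append((line, "<script> without the per-request nonce"))
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((line, f"inline event handler {name}="))
            elif (name in self.URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append((line, f"javascript: URL in {name}="))


def audit_html(html: str, nonce: str):
    """Return the list of (line, message) findings for one rendered page."""
    auditor = StrictCspAuditor(nonce)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


NONCE = generate_nonce()

# Constructed sample: the kind of markup the issue says the bootstrap3 template
# still contains (javascript: href, inline handler, un-nonced script).
BEFORE = """<html><body>
<a href="javascript:void(0)" onclick="toggle()">menu</a>
<script>init();</script>
</body></html>"""

# Constructed sample after migration: plain href, handler attached from a
# nonced script block (the nonce value would come from csp_nonce() in Jinja).
AFTER = f"""<html><body>
<a href="#" id="menu-toggle">menu</a>
<script nonce="{NONCE}">
document.getElementById('menu-toggle').addEventListener('click', toggle);
init();
</script>
</body></html>"""


if __name__ == "__main__":
    print("Content-Security-Policy:", strict_csp_header(NONCE))
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_html(page, NONCE))
```

Running the file prints three findings for the "before" page and none for the "after" page; a script carrying a stale or hard-coded nonce is also flagged, which is the failure mode to watch for when a template caches rendered output across requests.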
Thanks for reporting this issue. As there are a few issues open on the topic of CSP, I'm going to close this one in favour of #2344, so that we can keep the conversation in one place.