FEATURE: Implement nonces for Google Tag Manager integration (PR #12531)

Uses the recommended approach by generating a nonce server-side and passing it to both the content security policy headers and the GTM script tag. In practice, this means that most sites using GTM can now remove the 'unsafe-inline' CSP directive (depending on implementation, some sites might still need that directive).


This is pretty cool.

This pull request has been mentioned on Discourse Meta. There might be relevant details there: