## Description

This PR adds a `nonce` parameter to flutter.js' `loadEntrypoint` method.

When set, loadEntrypoint will add a `nonce` attribute to the `main.dart.js` script tag, which allows Flutter to run in environments slightly more restricted by CSP; those that don't add `'self'` as a valid source for `script-src`.

----

### CSP directive

After this change, the CSP directive for a Flutter Web index.html can be:

```
script-src 'nonce-YOUR_NONCE_VALUE' 'wasm-unsafe-eval';
font-src https://fonts.gstatic.com;
style-src 'nonce-YOUR_NONCE_VALUE';
```

When CSP is set via a `meta` tag (like in the test accompanying this change), and to use a service worker, the CSP needs an additional directive: [`worker-src 'self';`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src)

When CSP set via response headers, the CSP that applies to `flutter_service_worker.js` is determined by its response headers. See **Web Workers API > [Content security policy](https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API/Using_web_workers#content_security_policy)** in MDN.)

----

### Initialization

If the CSP is set to disallow `script-src 'self'`, a nonce needs to also be passed to `loadEntrypoint`:

```javascript
  _flutter.loader.loadEntrypoint({
    nonce: 'SOME_NONCE',
    onEntrypointLoaded: (engineInitializer) async {
      const appRunner = await engineInitializer.initializeEngine({
        nonce: 'SOME_NONCE',
      });
      appRunner.runApp();
    },
  });
```

(`nonce` shows twice for now, because the entrypoint loader script doesn't have direct access to the `initializeEngine` call.)

----

## Tests

* Added a smoke test to ensure an app configured as described above starts.

## Issues

* Fixes https://github.com/flutter/flutter/issues/126977