Modern browsers restrict the amount of information available to the global event handler (`window.onerror`) when the scripts are loaded from a different origin. In order to mitigate this, the script tags need to set `crossorigin` attribute and the server needs to enable CORS to establish mutual trust.
The script loader will use load metadata to set script properties. This allows what is in the script tag to be set in meta.
There are two primary use cases: CSP nonce and subresource integrity.
Users of SystemJS wanting to take advantage of CSP can set a "nonce" value in their CSP config. Setting the meta attribute "nonce" for plugins and formats that cannot use CSP allows safely bypassing CSP. Note that this will only work in places where "document" is available. See the test-csp-inline.html file for a full example.
In addition, subresource checking mentions in #639 is also implemented. In the same way setting "integrity" in the meta should make this possible. See test-csp.html for a full example.
Post Rebase Notes:
* Corrected indention.
* Fix load.metadata issue.
* Fixed test-csp-inline.html stuff.
* White-list correct properties.
* Reword error messages.
