Sure, done in: https://github.com/LeoMcA/discourse/tree/csp-nonce-source
The code is pretty straightforward, most of the changes are just adding the nonce attribute to all the tags: https://github.com/discourse/discourse/compare/master...LeoMcA:csp-nonce-source
I’ve spun up a temporary instance to show the CSP working in practice: https://discourse-csp-nonce.mozilla.community/
(which gets an A from Mozilla Observatory!)
Open the developer console to see the CSP in action:
Just for this proof of concept, I’m not adding the nonce attribute to the theme’s body_tag, to show how this greatly reduces the risk of XSS.
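
A minimal model of the nonce-source approach described in the post above, as an added example that is not part of the original post or of Discourse's code. The helper names are hypothetical, the markup is constructed, and the regex check is a simplification of what a browser enforces.

```ruby
require "securerandom"

# Hypothetical helpers for illustration; not Discourse's implementation.

# A fresh, unguessable nonce must be generated for every response.
def new_nonce
  SecureRandom.base64(16)
end

# Policy that only allows scripts carrying this response's nonce.
def csp_header(nonce)
  "script-src 'nonce-#{nonce}'; object-src 'none'; base-uri 'none'"
end

# Server-side template helper: trusted scripts get the nonce attribute.
def script_tag(body, nonce: nil)
  attr = nonce ? %( nonce="#{nonce}") : ""
  "<script#{attr}>#{body}</script>"
end

# Simplified model of browser enforcement: an inline script runs only if
# its nonce attribute matches a nonce listed in script-src.
def allowed_scripts(html, header)
  allowed = header.scan(/'nonce-([^']+)'/).flatten
  html.scan(/<script(?:\s+nonce="([^"]*)")?>(.*?)<\/script>/m)
      .select { |nonce, _| allowed.include?(nonce) }
      .map { |_, body| body }
end

# Constructed sample page: one nonced script and three that must not run.
def demo
  nonce = new_nonce
  header = csp_header(nonce)
  page = [
    script_tag("app.start()", nonce: nonce),       # emitted by the application
    script_tag("themeBodyTag()"),                  # left un-nonced, like body_tag above
    "<script>injected()</script>",                 # stand-in for injected markup
    %(<script nonce="guess">injected2()</script>)  # nonce that was never issued
  ].join("\n")
  allowed_scripts(page, header)
end
```

Only the script that received the per-response nonce survives the check, which is the behaviour the un-nonced body_tag demonstrates in the developer console.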