Angular-cli: Support for CSP Compliant Production Builds

Created on 4 Jul 2016  ·  5 Comments  ·  Source: angular/angular-cli

This is really more of a feature request.

1. OS?

Mac OS // El Capitan

2. ng version?

➜  dist git:(angular2) ng --version
(node:17937) fs: re-evaluating native module sources is not supported. If you are using the graceful-fs module, please update it to a more recent version.
Could not start watchman; falling back to NodeWatcher for file system events.
Visit http://ember-cli.com/user-guide/#watchman for more info.
angular-cli: 1.0.0-beta.8
node: 6.2.2
os: darwin x64

3. Repro steps. Was this an app that wasn't created using the CLI? What change did you

ng build and ng build -prod both produce an index.html that has inline JavaScript:

  <script>
    System.import('system-config.js').then(function () {
      System.import('main');
    }).catch(console.error.bind(console));
  </script>

This makes applications built using ng build -prod incompatible with CSPs that disable unsafe content sources (e.g. unsafe-inline and unsafe-eval). Having to enable these unsafe sources negates the security benefits of having a CSP.

Removing these inline scripts significantly increases the complexity of the builds (afaik) since there is no support for user-defined tasks, nor an easy way to use systemjs's bundler which is capable of creating CSP-compatible builds.

4. The log given by the failure. Normally this includes a stack trace and some

N/A

5. Mention any other details that might be useful.

The desired behavior here is for angular-cli production builds to support CSP and increase application security by default.

All 5 comments

Closed as issue was made obsolete by #1455.

@filipesilva Could this be re-opened? I still cannot figure out a way to make the Angular CLI work with CSP. There are many places where eval and Function are used in the compiled JavaScript.

@saulshanabrook can you make a new issue for the problem you are experiencing? The description on this one is not applicable anymore.

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_This action has been performed automatically by a bot._
