Using Gulp browserSync with Content Security Policy

[jamacoe]

I'm using gulp browserSync. Now I need to implement and test a CSP policy.
BrowserSync itself injects a script on the fly into my HTML code, starting with a <script> tag just below :

<script id="__bs_script__">

This tag doesn't include a nonce needed for CSP.

This is my browserSync config in the gulpfile.js:

browserSync.init({ 
    server: { 
        baseDir: "../",
        middleware: [
            function(req, res, next) {
                res.setHeader(
                    'Content-Security-Policy',
                    "default-src 'self'; script-src 'self' 'nonce-1';  img-src 'self' data:; style-src 'self' data:; object-src 'none';"
                );
                next();
            }
        ]
    }, 
    online: false 
});

Using a policy like script-src 'unsafe-inline' would work, but that couteracts the whole point of testing out nonces and hashes. So I guess I'd need a nonce or a hash in browserSync's <script> tag, but I don't have control over it. Now how can that be done? Or are there other solutions?