paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

Generate nonce also when only `default-src` policy is applied #65

Closed fritzmg closed 8 months ago

fritzmg commented 1 year ago

Consider the following example:

<?php
// Assumes a Composer install of paragonie/csp-builder
require 'vendor/autoload.php';

use ParagonIE\CSPBuilder\CSPBuilder;

$csp = new CSPBuilder();
$csp->setSelfAllowed('default-src', true);   // only default-src is configured, no script-src
$nonce = $csp->getNonce('script-src');       // nonce requested for script-src
$csp->sendCSPHeader(false);                  // send Content-Security-Policy only, no legacy X-* headers
echo '<script nonce="'.$nonce.'">…</script>';

This will send:

Content-Security-Policy: default-src 'self'; 
<script nonce="">…</script>

Due to the default-src 'self' CSP, the <script> will not be executed since there is no nonce.

This PR would also check for a default-src policy so that the response will be:

Content-Security-Policy: default-src 'self'; script-src 'nonce-cFYyNld/10nnE2MH59DvbkuL'; 
<script nonce="cFYyNld/10nnE2MH59DvbkuL">…</script>
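
The fallback that makes the first header block the script, modelled in Python as an added example (this is not code from csp-builder or from this PR): script-src inherits default-src when it is absent, and an inline script is permitted only by a matching, non-empty 'nonce-…' source (or by 'unsafe-inline' when no nonce or hash source is present). The two header strings and the nonce value are taken from the responses shown above; the function and constant names are this example's own.

```python
"""Model a browser's script-src resolution against a Content-Security-Policy
header. Independent illustration of the fallback behaviour discussed in this
PR; not code from paragonie/csp-builder."""

from typing import Dict, List, Optional

# Constructed from the two responses quoted in the PR description.
HEADER_BEFORE = "default-src 'self'; "
HEADER_AFTER = "default-src 'self'; script-src 'nonce-cFYyNld/10nnE2MH59DvbkuL'; "
NONCE = "cFYyNld/10nnE2MH59DvbkuL"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue  # tolerate the trailing "; " seen in the headers above
        policy[parts[0].lower()] = parts[1:]
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src falls back to default-src when absent; None means unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str, nonce: str) -> bool:
    """Would <script nonce="..."> execute under this header?

    A nonce source only matches a non-empty attribute value, which is why the
    empty nonce from the first snippet on this page is blocked. 'unsafe-inline'
    is ignored as soon as any nonce or hash source appears in the directive.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # neither script-src nor default-src: nothing restricts inline scripts
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    # Before the fix: nonce attribute is empty and script-src falls back to 'self'.
    print("before:", inline_script_allowed(HEADER_BEFORE, ""))      # False
    # After the fix: an explicit script-src carries the matching nonce.
    print("after: ", inline_script_allowed(HEADER_AFTER, NONCE))    # True
```

The check is worth running on both the header and the rendered nonce attribute together, because the page's first snippet shows how a policy and a template can each look correct in isolation while the combination blocks every inline script.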
fritzmg commented 9 months ago

@paragonie-security reminder for review