Set the `ng-csp` attribute on the document body on app startup before
Angular is loaded to avoid triggering warnings when app.html is served
with Content Security Policy headers.

This used to be done via an `ng-csp` attribute on the <body> tag in the
app.html file served by the `h` service but this moves it to client code
to avoid the service needing to know this implementation detail of the
client app.