Content Security Policy #2296

Open

richardebeling opened this issue Oct 3, 2024 · 0 comments

Labels
[C] Frontend Focuses on frontend implementation [P] Minor Minor priority [T] Refactoring Existing parts should become faster, more readable, or in any other way better.

richardebeling (Member) commented Oct 3, 2024

See #2099.

  • Add django-csp
  • All HTML script tags should be annotated with a nonce (nonce="{{ CSP_NONCE }}"), then we can enforce nonces for scripts. For template tags, we probably have to manually forward the context. CSP configuration should then look something like this.
  • To fix CSS, we need to figure out how we can handle dynamically generated colors. Using attr() in CSS doesn't work with current browsers, at least for colors. The only workaround I currently see is having custom javascript that translates data-X helper attributes for color into "inline" style (using the .style attribute) -- seems a bit ugly to me
  • To fix images, we'd need to move the data: images we currently have (3 svg paths in CSS files) into separate files. These are currently inlined into CSS to use our color definitions.
  • Consider setting up CSP failure reporting, maybe using some external service that tracks / aggregates them for us? Would leak user data though. mozilla-django-csp at least had a report-view in the past, but the documentation looks like they don't want to maintain that anymore.
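Added example (not EvaP's or django-csp's code) showing the mechanics the checklist above relies on: a per-request nonce rendered into `script-src`, plus a lint over rendered HTML that lists what the planned policy would block (un-nonced scripts, inline `style` attributes, `data:` images). The `DIRECTIVES` dict, the `NONCE` placeholder and the function names are this example's own assumptions; django-csp's actual settings format differs.

```python
"""Nonce-based CSP: build the header and lint HTML against it.

Assumed target policy for the plan in the issue: nonced scripts, no inline
styles, no data: images. Names here are illustrative, not django-csp's API.
"""
import secrets
from html.parser import HTMLParser

NONCE = "'nonce'"  # placeholder; replaced per request with the real nonce

DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'", NONCE],
    "style-src": ["'self'"],   # blocks style="..." and <style> blocks
    "img-src": ["'self'"],     # blocks data: URLs, hence the SVG move
}


def make_nonce() -> str:
    """Fresh 128-bit nonce per response (base64url is valid CSP base64-value)."""
    return secrets.token_urlsafe(16)


def build_header(directives: dict, nonce: str) -> str:
    """Render the directive dict into a Content-Security-Policy header value."""
    parts = []
    for name, sources in directives.items():
        rendered = [f"'nonce-{nonce}'" if s == NONCE else s for s in sources]
        parts.append(f"{name} {' '.join(rendered)}")
    return "; ".join(parts)


class _CSPLinter(HTMLParser):
    """Collect (directive, description) pairs the policy above would block."""

    def __init__(self, nonce: str):
        super().__init__()
        self.nonce = nonce
        self.violations = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names
        if tag == "script" and a.get("nonce") != self.nonce:
            self.violations.append(("script-src", a.get("src") or "inline script"))
        if "style" in a:
            self.violations.append(("style-src", f"inline style on <{tag}>"))
        if tag == "img" and (a.get("src") or "").startswith("data:"):
            self.violations.append(("img-src", "data: image"))


def find_csp_violations(html: str, nonce: str) -> list:
    """Return everything in `html` that the nonce policy would refuse to run."""
    linter = _CSPLinter(nonce)
    linter.feed(html)
    return linter.violations
```

Running `find_csp_violations` over rendered templates (constructed sample in the test) gives the same list a browser's console would show once the policy is enforced, before any report endpoint exists.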
@richardebeling richardebeling added [C] Frontend Focuses on frontend implementation [T] Refactoring Existing parts should become faster, more readable, or in any other way better. labels Oct 3, 2024
@janno42 janno42 added the [P] Minor Minor priority label Oct 7, 2024