Web security improvements

[divergentdave]

Motivated by Mozilla's HTTP observatory, here are some security improvements for the site. This boosts the grade from a C- to an A+ so far.

This still needs a little more testing, and I have a phantom CSP error to track down. In Firefox, but not Chromium, I get the following message.

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src https://staging.oversight.garden https://www.google-analytics.com").

The Chosen library seems to be generating CSP errors too; I'll see if those are fixed upstream.

[divergentdave]

This is running into brianblakely/nodep-date-input-polyfill#4 and harvesthq/chosen#2423 on the reports pgae for now.

[divergentdave]

I added unsafe-inline to the style-src rules, this is a pretty good compromise for now. I'll keep an eye on the above-mentioned issues. We can tighten the style-src policy later after fixing or replacing the libraries in question.

[divergentdave]

FYI Pushed a couple more things and redeployed to https://staging.oversight.garden/

[konklone]

This is super solid.

[konklone]

Also cc-ing @marumari for her enjoyment.

[april]

Awesome! Looks great and fantastic work. Glad you've found the Observatory to be helpful!