Add CSP header to webapp

[timroes]

What

This adds CSP headers for the webapp in development mode and into the built docker image.

The used CSP headers are at the moment: script-src: * 'unsafe-inline';. This will prevent unsafe-eval execution, which will prevent executing any form of eval, new Function, etc. where code is executed from a string. This will increase security slightly.

We unfortunately can't go much beyond this, since several third-party libraries we're using are injecting script directly into HTML (and thus require unsafe-inline). Given that we have no pre-processing web server, we can't leverage dynamically generated nounces, to make those inline scripts potentially safer.

Another problem is, that we're using Google Tag Manager and Segment, which might pull in scripts dynamically configured in those systems. To keep those scripts working (and allow our Go-To-Market team to further use and add more scripts), we can't limit the source to more than *, since we'd otherwise need a new release for every new script/tool embedded via Google Tag Manager, which would defy the whole purpose of using tools like Google Tag Manager. Since all those libraries can or already do pull in styles we can't narrow that down any further.

[krishnaglick]

Makes sense to me. Seems like we won't be able to go further, ever, as long as we have gtm and segment.

[davinchia]

Discussed offline: we want to do this for OSS users. This will also provide short term cover on Cloud.

Long term we want to turn this on on the CDN headers when we finally move this to a CDN.