Remove unsafe-eval & unsafe-inline from script-src

[robhudson]

As mentioned in the comments, "The last inlined style was removed in #14614 and I couldn't find any more of such occurrences so hopefully the unsafes can be gone soon."

[stevejalim]

Forgive me if this is already thought of, but the Wagtail admin may well still need unsafe-eval - would you mind checking and adding to the CMS-only CSP if need be?

[robhudson]

Thanks for reminding me. And yeah, I can fire up the admin and check it.

[janbrasna]

The Wagtail-specific excludes were added in #14869 — and I have just a naïve followup question — normally the excludes would be for anything under /cms-admin/*, save for its login screen — to safeguard the actual login surface from potential injection etc. … Is that a valid concern here, and viable to address, or it's okay to allow the unsafes & ancestors even on the login page, as currently proposed in #14831?