task WI-46: Setup CMS using django-csp

[chandra-tacc]

Overview

To become fully secure site, adding detailed Content Security Policy is needed.
This uses django-csp to enable csp.

Related

• WP-46
• similar to Task/wi 46 Add CSP http headers Core-Portal#829
• delayed/replaced by Task WA-46: Add CSP Policy headers Camino#32

Changes

This PR adds CSP headers for

• font src
• script src
• style src
• connect src
  Also, ensure the current script tags use nonce.
  The setup right now is in "report only" mode to allow for opt-in and fully functional app.

Testing

1. Validated the site using UI and reducing console warnings.

UI

No UI change.

Notes:

At this point, due to possibly breaking the app due to CSP, this PR is in draft mode. Other mitigations are deployed via TACC/Camino#32

[wesleyboar]

Seems important, but I have not heard a request to revisit this, so I'm marking this "medium" priority.

[wesleyboar]

Do <link> elements actually use nonce?

• W3.org states "Nonce sources require a new nonce attribute to be added to both script and style elements."
• The MDN nonce page does not mention <link>. Only <script> and <style>.

I've created a merge conflict resolution for review — #745 — but it has a bug.