Eliminate false CSP violations

[alxndrsn]

Originally introduced in getodk/central-backend#313, there seem to be some false-positives.

Reported violations include:

• oidc: csp: style-src-elem directive violated on login #1235
• Add Content-Security-Policy for WebForms #1130
• Map violates Content Security Policy #1403
• CSP: allow google translate for all pages #1129
• App user QR code violates CSP directive #629 - Content-Security-Policy: allow images from data: URLs #772
• Blocked 'connect' from 'maps.googleapis.com' - enketo: Content-Security-Policy: relax connect-src rule for Google Maps #879
• Blocked 'image' from 'tile.openstreetmap.org' - enketo: Content-Security-Policy: allow OpenStreetMap tile images #880
• Blocked style attribute from 'inline:' - enketo: relax Content-Security-Policy for inline style attributes #771

Some reported violations may be the result of google chrome's built-in translator, or google translate.

[matthew-white]

Originally introduced in getodk/central-frontend#631

I think that PR was adding it to the nginx config in development. For production, it looks like it was added in getodk/central-backend#313.

[alxndrsn]

Some reported violations may be the result of google chrome's built-in translator, or google translate.

There are various positive reports which may be worth ignoring, either in the CSP, or in Sentry:

• various relating to gc.kis.v2.scr.kaspersky-labs.com, javascript.browser.wasscan.tenable - presumably these are some kind of security product injecting scripts into pages
• translate.google.com, translate.googleapis.com - maybe Chrome page translation
• custom fonts within central-frontend - caused by custom browser settings?