inveniosoftware / invenio-previewer

Invenio module for previewing files.
https://invenio-previewer.readthedocs.io
MIT License
5 stars 60 forks

Move PDF opening script from inline to a separate file #168

Closed max-moser closed 1 year ago

max-moser commented 2 years ago

As is, the JS used for opening the PDF file preview is an inline script. This will break if the admin sets a stricter CSP header for script-src (by disallowing the unsafe-inline source). Moving said script into a separate file allows a stricter CSP configuration, such as the one we are currently running:

APP_DEFAULT_SECURE_HEADERS = {
    "content_security_policy": {
        "default-src": [
            "'self'",
            "data:",  # fonts
            "blob:",  # for pdf preview
            "*.tuwien.ac.at",  # matomo
            "*.tuwien.at",  # matomo
        ],
        "style-src": [
            "'self'",
            "'unsafe-inline'",  # allow inline styles for CK Editor
        ],
    },
    "content_security_policy_nonce_in": ["default-src", "script-src"],  # a fresh 'nonce-...' is appended to these directives on every response
    "content_security_policy_report_only": False,
    "content_security_policy_report_uri": None,
    "force_file_save": False,
    "force_https": True,
    "force_https_permanent": False,
    "frame_options": "sameorigin",
    "frame_options_allow_from": None,
    "session_cookie_http_only": True,
    "session_cookie_secure": True,
    "strict_transport_security": True,
    "strict_transport_security_include_subdomains": True,
    "strict_transport_security_max_age": 31556926,  # One year in seconds
    "strict_transport_security_preload": False,
}

Side note: The nonce value is used in our customized landing page for the schema.org JSON-LD metadata:

{%- block tuw_metadata -%}
  {#- this is where the schema.org metadata (as fetched from datacite) is inserted, for google datasets #}
  {%- set schemaorg_metadata = tuw_create_schemaorg_metadata(record) %}

  {%- if schemaorg_metadata %}
    <script type="application/ld+json" nonce="{{ csp_nonce() }}">
      {{ schemaorg_metadata|safe }}
    </script>
  {%- endif %}
{%- endblock tuw_metadata %}
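Added example, not part of the issue or of invenio-previewer: a small evaluator of CSP script-src decisions that reproduces why the inline PDF-opening script is blocked under the policy quoted above, while the same code shipped as a same-origin file (or an inline block carrying the per-response nonce) is allowed. The policy dict is a constructed copy of the issue's CSP keys; the page URL (example.org), the script path `/static/js/pdf_preview.js`, the CDN host and the modelling of `content_security_policy_nonce_in` as "append a nonce to the listed directives" are assumptions for illustration, not the project's real paths or Talisman's exact code.

```python
"""Evaluate whether a <script> may run under a Talisman-style CSP policy.

Added example for the issue above, not code from invenio-previewer or from
the TU Wien instance. It models the script-src rules of CSP Level 3 closely
enough to show that the inline PDF-opening script is blocked by the quoted
policy, while a same-origin file or a nonced inline block is allowed.
"""
import secrets
from urllib.parse import urljoin, urlparse

# Constructed copy of the CSP directives from the issue.
CSP = {
    "default-src": ["'self'", "data:", "blob:", "*.tuwien.ac.at", "*.tuwien.at"],
    "style-src": ["'self'", "'unsafe-inline'"],
}
# Directives that receive a fresh 'nonce-...' on every response
# (assumed to mirror content_security_policy_nonce_in in the issue).
NONCE_IN = ["default-src", "script-src"]

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def governing_sources(csp, directive, nonce=None, nonce_in=NONCE_IN):
    """Source list governing `directive`: the directive itself if present,
    otherwise default-src, with the response nonce appended where configured."""
    name = directive if directive in csp else "default-src"
    sources = list(csp[name])
    if nonce and name in nonce_in:
        sources.append(f"'nonce-{nonce}'")
    return sources


def host_matches(pattern, host):
    """CSP host-source match for bare hosts as used in the issue's policy.
    '*.example.com' matches one or more subdomain labels, not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def script_allowed(csp, page_url, script, nonce=None, nonce_in=NONCE_IN):
    """Return (allowed, reason) for `script` on `page_url`.

    `script` is {"inline": True[, "nonce": "..."]} for an inline block or
    {"src": "<url or path>"} for an external file. `nonce` is the value the
    server put into this response's header (None when nonces are off).
    """
    sources = governing_sources(csp, "script-src", nonce, nonce_in)

    if script.get("inline"):
        if script.get("nonce") and f"'nonce-{script['nonce']}'" in sources:
            return True, "inline script carries the nonce listed in script-src"
        nonced_policy = any(s.startswith(HASH_OR_NONCE) for s in sources)
        if "'unsafe-inline'" in sources and not nonced_policy:
            return True, "'unsafe-inline' permits inline scripts"
        # Once a nonce or hash source is present, browsers ignore 'unsafe-inline'.
        return False, "inline script without a matching nonce is blocked"

    page = urlparse(page_url)
    src = urlparse(urljoin(page_url, script["src"]))  # resolve relative paths
    for source in sources:
        if source == "'self'":
            if (src.scheme, src.netloc) == (page.scheme, page.netloc):
                return True, "'self' matches the page origin"
        elif source.endswith(":"):
            if src.scheme + ":" == source:
                return True, f"scheme source {source} matches"
        elif not source.startswith("'"):
            if host_matches(source, src.hostname or ""):
                return True, f"host source {source} matches"
    return False, f"no script-src source matches {script['src']}"


def previewer_cases(page_url="https://example.org/records/1/preview"):
    """Ways of shipping the PDF-opening script, evaluated under the policy."""
    nonce = secrets.token_urlsafe(16)  # per-response value, as Talisman generates
    return {
        "inline, no nonce": script_allowed(CSP, page_url, {"inline": True}, nonce),
        "inline, nonce attr": script_allowed(CSP, page_url, {"inline": True, "nonce": nonce}, nonce),
        # Hypothetical path for the moved script; the real path is up to the PR.
        "separate file": script_allowed(CSP, page_url, {"src": "/static/js/pdf_preview.js"}, nonce),
        "third-party CDN": script_allowed(CSP, page_url, {"src": "https://cdn.example.net/pdf.js"}, nonce),
    }


if __name__ == "__main__":
    for label, (ok, why) in previewer_cases().items():
        print(f"{label:20} {'ALLOWED' if ok else 'BLOCKED':8} {why}")
```

Running the module prints one line per case: the inline block without a nonce is blocked, the nonced inline block and the same-origin file are allowed, and a third-party CDN is blocked. The evaluator also shows a side effect of the nonce configuration worth knowing: once a `'nonce-...'` is present in the effective script-src, `'unsafe-inline'` is ignored by browsers, so even a policy that still lists it will not rescue the inline previewer script.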