Allow Kolibri to run without a CSP of unsafe-inline #12809

Closed
rtibbles opened this issue Nov 8, 2024 · 0 comments · Fixed by #12851
rtibbles commented Nov 8, 2024

Observed behavior

Currently Kolibri requires the unsafe-inline CSP in order to operate, because of injection of:

  • Frontend messages wrapped with inline calls to the core API to register the messages
  • Plugin data for the frontend, wrapped in JSON.parse calls and assigning to a global object
  • Registration of async loaded modules, such as content renderers
  • Django JS Reverse URLs object that exposes functions for every backend URL

This can be handled by:

Plugin data:

  • Updating plugin data injection to put its JSON data into a <template> tag as the text body, with a data-plugin attribute set to the identifier of the plugin.
  • The frontend kolibri-plugin-data (formerly known as plugin_data) will be updated to read data from this template tag and call JSON.parse on it.

URLs:

  • Injecting Django JS Reverse JSON data into the default frontend plugin data.
  • Updating the kolibri/urls module to read its JSON data from kolibri-plugin-data, add additional frontend code to handle the URL function generation.

Messages:

  • Inject frontend message JSON into <template> tags with a data-i18n attribute set to the identifier of the plugin.
  • Create a new Django templatetag that renders all these i18n <template> tags and use this in the <head> of base.html so that these are all injected prior to i18n initialization.
  • When i18n initializes, we also register all frontend messages found in these template tags.

Content renderers:

  • Inject content renderer URLs into <template> tags with a data-viewer attribute set to the identifier of the plugin.
  • Update usage of the content Django templatetag so it is injected before the default frontend is loaded.
  • When the plugin mediator is initialized, pre-register all content renderers injected in these kinds of templates.
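The following is an added illustration of the `<template>` approach described in this issue, not code from Kolibri or from the issue author. It mirrors in JavaScript the escaping the Django side would need (the same `<`, `>`, `&` escapes Django's `json_script` filter applies) and shows a frontend reader for `data-plugin`/`data-i18n`/`data-viewer` templates; the function names, the `renderDataTemplate` server stand-in and the sample plugin data are assumptions made for the demo.

```javascript
// Server side (Django in Kolibri; reproduced in JS here so the demo is
// self-contained): serialize the data as JSON and escape the characters that
// could end the <template> element or be decoded as HTML entities. The
// result is still valid JSON, so the browser needs no extra unescaping.
function renderDataTemplate(attr, id, data) {
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c')   // "</template>" or "<script>" in the data
    .replace(/>/g, '\\u003e')   // can no longer break out of the element
    .replace(/&/g, '\\u0026');  // "&amp;" would otherwise be entity-decoded
  // The attribute value is a normal HTML attribute and is escaped separately.
  const safeId = String(id)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return `<template data-${attr}="${safeId}">${json}</template>`;
}

// Browser side: read every <template data-plugin="..."> (or data-i18n,
// data-viewer) and JSON.parse its text body. `templates` is any iterable of
// elements exposing `dataset` and `content.textContent`, e.g.
//   document.querySelectorAll('template[data-plugin]')
// Note that parsed template children live in `el.content`, not on `el`
// itself, so `el.textContent` would be empty.
function readDataTemplates(templates, attr) {
  const out = {};
  for (const el of templates) {
    const id = el.dataset[attr];
    if (!id) continue;
    try {
      out[id] = JSON.parse(el.content.textContent);
    } catch (err) {
      // Fail closed per plugin: one malformed payload must not poison the rest.
      console.error(`Invalid JSON in <template data-${attr}="${id}">`, err);
    }
  }
  return out;
}
```

Nothing in either tag is executable, so this works with a CSP that has no `unsafe-inline` in `script-src`; a stray `</template>` or `<script>` in user-influenced data stays inside the JSON string.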