CSP could be more strict

[Changaco]

Reticketing from https://github.com/liberapay/liberapay.com/pull/498#pullrequestreview-83973507.

• [x] replace all inline scripts and drop 'unsafe-inline' from script-src
• [x] replace all inline styles and drop 'unsafe-inline' from style-src
• [x] add form-action 'self'
• [x] restrict connect-src to 'self' %(main_domain)s *.liberapay.org *.mangopay.com *.payline.com
• [ ] restrict img-src (requires #504)

[Changaco]

Related story: I’m harvesting credit card numbers and passwords from your site. Here’s how.

[Changaco]

Current CSP of GitHub (homepage):

default-src 'none';
base-uri 'self';
child-src render.githubusercontent.com;
connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com;
media-src 'none';
script-src assets-cdn.github.com;
style-src 'unsafe-inline' assets-cdn.github.com