Change CSP definition file to be closer to upstream #2345

Closed
ClearlyClaire opened this issue Jul 30, 2023 · 2 comments


@ClearlyClaire

Pitch

Change config/initializers/content_security_policy.rb to be closer to upstream.

This is about changing how the file is factored, not about changing the CSP headers (at least in production): our CSP headers are slightly stricter and that's not a bad thing.

Our development headers are not good, though: they cause some things to break.

Motivation

Fix issues in development mode, and decrease differences with upstream.

@ThaMunsta

ThaMunsta commented Jan 2, 2024

I've seen posts containing URLs load a preview card image from cache and then seemingly try to fetch the remote file, and fail. When it fails, the image goes away, making a very janky scrolling experience.

Is this related or do I have a different issue on my hands? It started for me a while ago but I don't remember exactly when. I'm using docker. Thanks!

-- edit:
Just realized I was using the vanilla flavour (mostly for BirdUI by @[email protected] compatibility). I don't see the same CSP issues when using the glitch flavour - but the BirdUI looks super jank so I think I'm going to just pick my poison on this one.

@ClearlyClaire
Author

Closing as this was addressed in #2536.

@ThaMunsta I'm not sure what the BirdUI changes involve, but feel free to open a new issue with more details on that.
