* Remove use of CSP_PERCENTAGE
* Move header calculation earlier
* Set a default policy and add comments
* Apply the CSP header to all responses
* Enable CSP in dev environment
* [web] set a default, strict CSP on ALL endpoints
* [misc] enable CSP in dev-env
* Only build the default policy once
* Update docker-compose.yml
* [web] webpack: set default CSP header on webpack assets
This aligns the webpack dev-server with production in nocdn=true mode.

Co-authored-by: Alf Eaton <alf.eaton@overleaf.com>
GitOrigin-RevId: 088a6082ad21c5b3f229887ba0ab3eca8d0528cd

* Add Content-Security-Policy header
* Add nonce attribute to script tags
* Use source-map for webpack devtool
* Add ng-csp attribute when CSP is enabled
* Allow overriding CSP settings with environment variables
* Hook into render and allow routes to disable the CSP header
GitOrigin-RevId: a873736a3514198165f1b2f1e18d002b65f20d30