Harden devconsole content security policy

The changes to angular.json are to disable inline critical CSS, which
breaks without "script-src 'unsafe-inline'" (which we obviously don't
want to have). See
angular/angular-cli#20864 for details.

Author: lberrymage

ansible/nginx/devconsole.conf

@@ -79,7 +79,7 @@ http {
         root /srv/staging.dev.accrescent.app;
 
         include security.conf;
-        add_header Content-Security-Policy "trusted-types angular; require-trusted-types-for 'script';" always;
+        add_header Content-Security-Policy "default-src 'self'; font-src https://fonts.gstatic.com; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; sandbox allow-downloads allow-forms allow-same-origin allow-scripts; base-uri 'self'; trusted-types angular; require-trusted-types-for 'script';" always;
 
         gzip_static on;
 

web/angular.json

@@ -48,6 +48,14 @@
                   "with": "src/environments/environment.prod.ts"
                 }
               ],
+              "optimization": {
+                "scripts": true,
+                "styles": {
+                  "minify": true,
+                  "inlineCritical": false
+                },
+                "fonts": true
+              },
               "outputHashing": "all"
             },
             "development": {