
feat(web): add content security policy (CSP) #25389

Closed
meesfrensel wants to merge 1 commit into main from feat/csp

Conversation

@meesfrensel
Collaborator

@meesfrensel meesfrensel commented Jan 20, 2026

Description

Adds CSP config to svelte config which in turn generates and adds the Content-Security-Policy header.

Fixes #23261
Closes #24633

Related discussion on how to set up CSP and other security measures on the proxy side: #13043

(not sure what to do about the docker build failure)

How Has This Been Tested?

  • Navigate to all pages within Immich checking the console for CSP errors, including the map, hovering over all types of assets, opening the asset viewer for all types of assets (e.g. photo sphere viewer does some weird blob loading), etc.
  • Service worker loads
  • Justified layout wasm loads
  • Enable Google cast support which requires the gstatic.com domain
  • UNTESTED: custom map styles

Please describe to which degree, if any, an LLM was used in creating this pull request.

None

@github-actions
Contributor

Deploying preview environment to https://pr-25389.preview.internal.immich.build/

Comment thread web/src/app.html
}
</style>
<script>
<script nonce="%sveltekit.nonce%">
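Review bot: the nonce placeholder added on this line only gives protection if a fresh value is substituted on every response, which needs the page to be rendered per request; as the author's own comment notes, adapter-static prerenders the HTML, so whatever replaces %sveltekit.nonce% is baked into the static file and repeated for every visitor. For a prerendered template, allow this inline script through a 'sha256-...' hash source or move it to an external file covered by 'self', and confirm that the production server (not the SvelteKit dev server) actually sends the Content-Security-Policy header that references it, since the header generated from svelte.config only reaches clients in dev.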
Collaborator Author


The script might need to be externalized or hashed because the adapter-static prerenders the html.

@jrasm91
Member

jrasm91 commented Jan 23, 2026

The svelte web server only responds to http requests in dev, not in production. In production the CSP headers need to be added by nodejs/nestjs/express. Did you test this with a production build or just the dev server?

@meesfrensel
Collaborator Author

Ah, I didn't realize that. Will test/check/update and report back later!

@jrasm91
Member

jrasm91 commented Feb 5, 2026

I'm like 99% sure this will require code changes on the nodejs side, so feel free to open a new PR if you get around to implementing that.


Development

Successfully merging this pull request may close these issues.

Unsafe inline javascript SvelteKit and FOUC
