CSP: Remove unsafe-eval & unsafe-inline from script-src #14831

Open · wants to merge 2 commits into main

Conversation

@robhudson (Member) commented Jul 15, 2024

One-line summary

Remove unsafe-eval & unsafe-inline from script-src

NOTE
This also changes webpack to use devtool: 'source-map' which may result in slightly slower build times. This is needed to satisfy the CSP requirements locally (not use eval) so devs can spot any breaking CSP being added. On my machine it was a negligible difference but I'd be interested to hear about other experiences.

Issue / Bugzilla link

#14828

Testing

I tested locally by clicking around with the console open looking for CSP violations, including the wagtail admin in my checks.
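The policy change the description above describes, as an added example that is not bedrock's code: a small builder that strips 'unsafe-eval' and 'unsafe-inline' from script-src, ships the tightened policy under Content-Security-Policy-Report-Only next to the still-enforced loose policy until it is migrated, keeps the loose policy for the admin UI, and a checker a reviewer can run over any header value to see which unsafe keywords script-src still carries. The directive values, the `/cms-admin/` prefix, the analytics host and the report endpoint are illustrative assumptions, not bedrock settings.

```python
"""CSP tightening example (added here; not bedrock's code).

Shows the shape of the change: remove 'unsafe-eval' and 'unsafe-inline'
from script-src, send the tightened policy report-only first, keep the
loose policy for an admin path. All values below are assumptions.
"""
from __future__ import annotations

# Keywords that undo most of the benefit of restricting script-src.
UNSAFE_SCRIPT_SOURCES = {"'unsafe-eval'", "'unsafe-inline'"}

# Assumed path prefix for the admin UI that still needs eval/inline scripts.
ADMIN_PATH_PREFIX = "/cms-admin/"
# Assumed endpoint that forwards violation reports (e.g. to Sentry).
REPORT_URI = "/csp-violation-capture"

# "Before": the loose policy. Hosts here are placeholders, not real config.
LOOSE_POLICY: dict[str, list[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-eval'", "'unsafe-inline'", "https://analytics.example"],
    "style-src": ["'self'", "'unsafe-inline'"],  # only script-src is tightened here
}


def serialize_policy(policy: dict[str, list[str]]) -> str:
    """Render a directive -> sources mapping as a CSP header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_policy(header_value: str) -> dict[str, list[str]]:
    """Parse a CSP header value into directive -> sources (directive names lower-cased)."""
    policy: dict[str, list[str]] = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def tighten_script_src(policy: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return a copy of the policy with the unsafe keywords removed from script-src."""
    tightened = {name: list(sources) for name, sources in policy.items()}
    tightened["script-src"] = [
        src for src in tightened.get("script-src", []) if src not in UNSAFE_SCRIPT_SOURCES
    ]
    return tightened


def unsafe_script_sources(header_value: str) -> set[str]:
    """The reviewer's check: which unsafe keywords does script-src still allow?

    Falls back to default-src when script-src is absent, as browsers do.
    """
    policy = parse_policy(header_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    return {src for src in sources if src in UNSAFE_SCRIPT_SOURCES}


def csp_headers(path: str, migrated: bool = False) -> dict[str, str]:
    """CSP headers for one response.

    Admin pages keep the loose policy, enforced. Everywhere else the loose
    policy stays enforced while the tightened one is sent report-only, so
    nothing breaks but violations are reported; once migrated=True the
    tightened policy becomes the enforced one.
    """
    loose = serialize_policy(LOOSE_POLICY)
    if path.startswith(ADMIN_PATH_PREFIX):
        return {"Content-Security-Policy": loose}

    tightened = tighten_script_src(LOOSE_POLICY)
    tightened["report-uri"] = [REPORT_URI]
    tight = serialize_policy(tightened)
    if migrated:
        return {"Content-Security-Policy": tight}
    return {
        "Content-Security-Policy": loose,
        "Content-Security-Policy-Report-Only": tight,
    }


if __name__ == "__main__":
    for name, value in csp_headers("/en-US/").items():
        print(f"{name}: {value}")
        print("  unsafe in script-src:", sorted(unsafe_script_sources(value)) or "none")
```

The checker is the part worth keeping around: run it over the header values a staging response actually returns, not over the settings file, since a middleware or per-view override can reintroduce a keyword the settings no longer contain.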

codecov bot commented Jul 15, 2024

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Project coverage is 77.34%. Comparing base (9f3ba2f) to head (0951a6f).
Report is 17 commits behind head on main.

Files Patch % Lines
bedrock/settings/__init__.py 0.00% 3 Missing ⚠️
@@            Coverage Diff             @@
##             main   #14831      +/-   ##
==========================================
- Coverage   77.34%   77.34%   -0.01%     
==========================================
  Files         161      161              
  Lines        8321     8334      +13     
==========================================
+ Hits         6436     6446      +10     
- Misses       1885     1888       +3     


@alexgibson (Member)

Thanks for taking a look at this one @robhudson! It would really be great to make these improvements.

One area that might be worth investigating is GA4. In particular, I see in their CSP docs there is mention of needing 'unsafe-eval' if we use any custom JavaScript variables.

I might be mistaken (and maybe @stephaniehobson can confirm?), but we might use a couple still that need removing:

@stephaniehobson (Contributor) commented Jul 22, 2024

Yeah, we are still using those but they can be removed now that GA3 is gone. We just have to make some changes bedrock side first.

This tightens the CSP for the report-only policy. If all looks good we can migrate to the enforced policy.

This also adds exceptions for the wagtail admin.

fix formatting
This is to avoid CSP 'unsafe-eval' errors.
@robhudson (Member, Author)

This updates the PR to only remove these from the report-only policy so we can see how it does there, and we should get CSP reports in Sentry, but it won't break anything since it's not enforced.

@alexgibson alexgibson added Backend Server stuff yo Frontend HTML, CSS, JS... client side stuff labels Jul 29, 2024