feat: add CSP via <meta> tag

* <meta> doesn't support frame-ancestors directive
  * '*--curben.netlify.com' is invalid
  * add localhost
  * block-all-mixed-content works with localhost

netlify.toml

@@ -8,7 +8,7 @@
     X-Frame-Options = "DENY"
     X-XSS-Protection = "1; mode=block"
     X-Content-Type-Options = "nosniff"
-    Content-Security-Policy = "default-src https; script-src https://cdnjs.cloudflare.com https://curben.netlify.com https://*--curben.netlify.com 'unsafe-inline'; style-src https://cdnjs.cloudflare.com https://curben.netlify.com https://*--curben.netlify.com; block-all-mixed-content; form-action 'none'; frame-ancestors 'none'"
+    Content-Security-Policy = "default-src https localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; frame-ancestors 'none'; block-all-mixed-content;"
     Referrer-Policy = "no-referrer"
     Strict-Transport-Security = "max-age=31536000"
     Feature-Policy = "accelerometer 'none'; autoplay 'none'; camera 'none'; document.domain 'none'; display-capture 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'"

themes/typing/layout/_partial/head.ejs

@@ -2,6 +2,8 @@
 <html lang="<%= theme.language %>">
 <head>
   <meta charset="utf-8">
+  <%/* CSP */%>
+  <meta http-equiv="Content-Security-Policy" content="default-src https localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; form-action 'none'; block-all-mixed-content;">
   <%
   let title = page.title