Adapt CSP for new ToastUi editor

See #2242

config/initializers/content_security_policy.rb

@@ -60,6 +60,7 @@ Rails.application.configure do
     # Currently, these include turbolinks, and vis.js.
     policy.style_src_elem       :self, :unsafe_inline, :report_sample
     # We still use some inline styles within the application, and indirectly through d3.js.
+    # Further, the ToastUi markdown editor currently requires inline styles, too.
     policy.style_src_attr       :unsafe_inline, :report_sample
     # The `style_src` directive is only a fallback for browsers not supporting `style_src_elem` and `style_src_attr`.
     policy.style_src            :self, :unsafe_inline, :report_sample

config/webpack/webpack.config.js

@@ -35,6 +35,16 @@ const envConfig = module.exports = {
                     filename: 'icons/[hash].svg'
                 },
             },
+            // Extract ToastUi's inline PNGs to actual resources, similar to Bootstrap's SVGs.
+            // This removes the requirement for `data:` URLs in our CSP
+            {
+                mimetype: 'image/png',
+                scheme: 'data',
+                type: 'asset/resource',
+                generator: {
+                    filename: 'icons/[hash].png'
+                },
+            },
             erb
         ]
     },