throat
Content security policy should block inline styles
Allowing inline styles in HTML is a security vulnerability. If we were to add a Content Security Policy to block inline styles now, it would break many things in the UI because inline styles are used in about 100 places in the templates, and also used by the code that hides and shows page elements. These places should be changed to use classes or accomplish their task some other way.
The other inline CSS comes from the sub stylesheets which are inlined into each page render. These could continue to be included inline under a more restrictive CSP with a hash or nonce, or could be saved to storage and served by the same server that serves the media files, which would take advantage of browser caching.
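Two of the checks this issue calls for, as an added example that is not part of the project's code: a template scan that lists the `style="..."` attributes that must migrate to classes, and a `style-src` directive built from the hash of each inlined sub stylesheet plus a per-response nonce instead of `'unsafe-inline'` (the sample stylesheet and template are constructed here).

```python
import base64
import hashlib
import re
import secrets

# Constructed sample: a sub stylesheet the server inlines into the page render.
INLINED_CSS = "body { margin: 0; }\n.hidden { display: none; }\n"

# The policy this issue wants to get rid of, shown for contrast.
WEAK_STYLE_SRC = "style-src 'self' 'unsafe-inline'"

# An element carrying a style="..." attribute (whitespace before the name keeps
# data-style="..." and similar from matching).
INLINE_STYLE_ATTR = re.compile(r'<[^>]*\sstyle\s*=\s*["\'][^"\']*["\']', re.IGNORECASE)


def find_inline_style_attrs(template: str) -> list:
    """Return each element in a template that carries a style attribute.

    These are the places that must move to classes: a hash or nonce only
    covers <style> elements, not style="..." attributes (CSP3 needs the
    separate 'unsafe-hashes' keyword for those)."""
    return [m.group(0) for m in INLINE_STYLE_ATTR.finditer(template)]


def csp_hash(css: str) -> str:
    """Hash-source for one inlined <style> block: base64(sha256(exact bytes)).

    The hash covers the exact text between <style> and </style>, whitespace
    included, so it must be computed from the string the template emits."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Per-response nonce: unpredictable and generated fresh for every render."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def style_src_policy(inlined_css: list, nonce: str = None) -> str:
    """Build a style-src directive allowing 'self', the hashed stylesheets and,
    optionally, a per-response nonce. 'unsafe-inline' is never emitted."""
    sources = ["'self'"] + [csp_hash(css) for css in inlined_css]
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "style-src " + " ".join(sources)
```

When a nonce is used, the same value must be placed in the `nonce` attribute of each inlined `<style>` tag for that response; a hash needs no template change as long as the stylesheet bytes stay identical.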