remove unsafe-inline for script-src

Requires applying our patch to Flarum for splitting the JSON payload
from the script tag.

nginx/snippets/security-headers.conf

@@ -3,7 +3,7 @@ add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer" always;
 add_header Cross-Origin-Opener-Policy "same-origin" always;
 add_header Cross-Origin-Embedder-Policy "require-corp" always;
-add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
+add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self' 'sha256-/EpI8KnybjL+Nr74PZCKr6RjFdz9ZTYI9k7FmBUHsL0=' 'sha256-LPH3sskAOz2Arvw8RMnxs/omWH+RFNl4CGea/pvCq4g='; style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 
 # obsolete when client system time is correct