Tighten the content security policy (CSP)

[ThatsJustCheesy]

It could be much more strict than it currently is.

[ThatsJustCheesy]

Partially done, although script-src 'unsafe-inline' is still present. It can be removed once index.html no longer contains any inline event handlers.

[ThatsJustCheesy]

Finished in version 0.5.5