Make use of CSP nonce for GA scripts

[jaydonkrooss]

After the quick fix required for Umich consent banner with google analytics (#1646), I discovered that we had to temporarily drop the use of CSP nonce to keep GA tracking functional in production.

The CSP nonce environment variable was added in previous versions of google analytics in this application (#1371). Ideally, for security, we should utilize CSP nonce when calling any inline scripts and re-enable it in production.

Additionally, investigate whether "unsafe-inline" is still necessary for script-src, as mentioned in this comment from that original issue.

[jonespm]

Also if we changed this from inline script to an having this in an external file we could probably also avoid the nonce stuff. Since myla_globals should be available already it should just work fine if we had this script like.

<script src="init-consent-manager.js"></script>

I think we have the unsafe-inline in here for script code in PyLTI. We could possibly calculate and include the SHA for that script but I'm not sure how to test it without removing that value from the CSP header and running it.

[jaydonkrooss]

For this release, I'm just going to move forward with the basic addition of CSP nonce to the existing Google Analytics script, even though it has no active effect for the time being.

I briefly looked into removing unsafe-inline from CSP style and script sources. Dropping it caused failures upon LTI login flow from this line in lti_new.py:

return oidc_login.enable_check_cookies().redirect(target_link_uri)

In this case the PyLTI1.3 library loads HTML from CookiesAllowedCheckPage, which includes various inline scripts and styles. We can't add a nonce here, instead a calculated SHA may be possible, but there are some dynamically generated parameters we'd have to figure out.

I'll create an issue, but it seems to me that making CSP stricter is a challenge with this library: we should check how essential the use of this enable_check_cookies method is. If it is needed, we can either do the SHA or replace this redirect entirely with our own written functionality using a nonce.