Having the CSP built in a function instead of in the template makes it easier
to properly construct it. This was also the opportunity to switch from
default-src 'self' to default-src 'none', to deny everything that isn't
explicitly allowed, instead of allowing everything coming from 'self'.
Moreover, as Miniflux is shoving the content of feeds in the same origin as
itself, using self doesn't do much security-wise. It's much better to
systematically use a nonce-based policy, so that an attacker able to bypass the
sanitization will have to guess the nonce to gain arbitrary javascript
execution.
While the merge-request has been tested locally, it would still be prudent to
thoroughly test it before merging, as it has the potential to break the
user-interface should weird constructs be used.
This PR refactors the configuration parser, replacing the old parser implementation with a new, more structured approach that includes validation and improved organization.
Key changes:
- Complete rewrite of the configuration parser using a map-based structure with built-in validation
- Addition of comprehensive validator functions for configuration values
- Renamed numerous configuration getter methods for better consistency
Some Miniflux clients expect a specific version format.
For example, Flux News converts the string version to an integer.
Using `Development Version` will break some clients.
For example, seeing "Next check: 14m56.245483933s" in feeds list after force-refreshing a feed.
This rounds to the nearest second, so it'll instead be "14m56s"
Other examples from latter two test cases:
- "12.345678s" -> "12s"
- "1m27.654321s" -> "1m28s"
