
Commit cf4ece3
csp fixes (#611)
1 parent 848c93a commit cf4ece3


website/_headers

Lines changed: 2 additions & 1 deletion
@@ -1,4 +1,5 @@
11
# Please note that the docs is hosted under the homepage's domain, so security headers should be copied here from the homepage repository to here so CloudFlare Pages have the same security headers as it would be from an nginx hosted version.
2+
# IMPORTANT: A header line should not exceed 2000 characters. If we would exceed it with e.g. the Content-Security-Policy, we should consider moving to a Cloudflare header rule instead of this file.
23

34
/*
45
Strict-Transport-Security: max-age=31536000; includeSubDomains
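Review bot: the new comment documents a hard 2000-character limit per header line, but nothing in the repository enforces it, so the next edit to the Content-Security-Policy line can silently cross it; add a CI step that fails when any line in `website/_headers` is longer than 2000 characters (a one-liner such as `awk 'length($0) > 2000 { print FILENAME": line "NR" too long"; bad=1 } END { exit bad }' website/_headers` is enough), and point the comment at the Cloudflare Pages `_headers` documentation so future editors can see where the limit comes from and whether it has changed. The fallback the comment names ("a Cloudflare header rule") is vague; say which Cloudflare feature is meant so the migration is not left to guesswork when the limit is hit.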
@@ -8,4 +9,4 @@
89
Permissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()
910
Cross-Origin-Opener-Policy: same-origin
1011
Cross-Origin-Resource-Policy: same-origin
11-
Content-Security-Policy: default-src 'none'; frame-src 'self' https://*.configcat.com https://www.google.com https://challenges.cloudflare.com https://www.youtube.com https://*.googletagmanager.com https://td.doubleclick.net; script-src 'self' 'unsafe-inline' https://*.configcat.com https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.google-analytics.com https://www.google.com https://www.gstatic.com https://challenges.cloudflare.com https://*.cloudflareinsights.com https://*.cello.so https://*.smartlook.com https://snap.licdn.com; style-src 'self' 'unsafe-inline' *.bootstrapcdn.com https://fonts.googleapis.com https://googletagmanager.com https://tagmanager.google.com https://use.typekit.net https://p.typekit.net https://www.googletagmanager.com; font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://use.typekit.net; img-src 'self' data: https://*.configcat.com https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://codecov.io https://img.shields.io https://github.com https://snyk.io https://sonarcloud.io https://data.jsdelivr.com https://maven-badges.herokuapp.com https://javadoc.io https://ci.appveyor.com https://buildstats.info https://goreportcard.com https://godoc.org https://poser.pugx.org https://badge.fury.io https://coveralls.io https://pkg.go.dev https://s3.amazonaws.com https://*.cloudfront.net https://img.youtube.com https://thepracticaldev.s3.amazonaws.com https://raw.githubusercontent.com https://blog.ladeak.net https://px.ads.linkedin.com; media-src 'self'; connect-src 'self' https://*.configcat.com https://*.googletagmanager.com https://*.google-analytics.com https://*.analytics.google.com https://*.g.doubleclick.net https://*.google.com https://*.amplitude.com https://*.cloudflareinsights.com https://*.algolia.net https://*.cello.so https://*.smartlook.com https://*.smartlook.cloud; object-src 'self'; child-src 'self' blob:; 
frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'self'; manifest-src 'self';
12+
Content-Security-Policy: default-src 'none';frame-src 'self' https://*.google.com https://challenges.cloudflare.com https://www.youtube.com https://*.googletagmanager.com https://*.doubleclick.net;script-src 'self' 'unsafe-inline' https://*.googletagmanager.com https://googletagmanager.com https://*.google.com https://*.google-analytics.com https://*.gstatic.com https://challenges.cloudflare.com https://*.cloudflareinsights.com https://*.cello.so https://*.smartlook.com https://*.licdn.com;style-src 'self' 'unsafe-inline' https://*.bootstrapcdn.com https://*.googleapis.com https://*.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://*.typekit.net;font-src 'self' data: https://fonts.gstatic.com https://fonts.googleapis.com https://use.typekit.net;img-src 'self' data: https://*.configcat.com https://*.google-analytics.com https://*.google.com https://*.googletagmanager.com https://codecov.io https://img.shields.io https://github.com https://snyk.io https://sonarcloud.io https://data.jsdelivr.com https://maven-badges.herokuapp.com https://javadoc.io https://ci.appveyor.com https://goreportcard.com https://godoc.org https://poser.pugx.org https://badge.fury.io https://coveralls.io https://pkg.go.dev https://*.cloudfront.net https://img.youtube.com https://raw.githubusercontent.com https://px.ads.linkedin.com;media-src 'self';connect-src 'self' https://*.configcat.com https://*.googletagmanager.com https://*.google-analytics.com https://*.g.doubleclick.net https://*.google.com https://*.amplitude.com https://*.cloudflareinsights.com https://*.algolia.net https://*.cello.so https://*.smartlook.com https://*.smartlook.cloud;object-src 'self';child-src 'self' blob:;frame-ancestors 'self';upgrade-insecure-requests;block-all-mixed-content;base-uri 'self';manifest-src 'self';
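Review bot: to get under the line limit, several exact hostnames in `script-src` were replaced with wildcards (`https://www.google.com` to `https://*.google.com`, `https://www.gstatic.com` to `https://*.gstatic.com`, `https://snap.licdn.com` to `https://*.licdn.com`), which widens the set of origins allowed to execute script on the docs for a saving of only a handful of characters; keep exact hosts in `script-src` and find the bytes elsewhere. Savings that do not loosen the policy are available on the same line: `block-all-mixed-content` is deprecated and redundant next to `upgrade-insecure-requests` (both were already present), the trailing `;` is unnecessary, and `object-src 'self'` can become `object-src 'none'` if the docs embed no plugins. Two removals also need confirmation: `https://*.configcat.com` is dropped from `frame-src` and `script-src` but kept in `img-src` and `connect-src`, so any ConfigCat script or iframe the docs still load will now be blocked; and `https://*.analytics.google.com` is dropped from `connect-src` while the other Google Analytics hosts remain, so analytics beacons to that host would be rejected. Removing the spaces after each `;` is valid CSP syntax and is the safe part of this change. Finally, `'unsafe-inline'` remains in `script-src`, so the host allow-list only constrains remote script loads; that is unchanged here, but it is the directive that matters most if this policy is being revisited.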
