Description
MyLA currently enables unsafe-inline for CSP Style and Script sources, which is not a safe security policy for production, especially since we have a nonce ready for use. This has been in place to call on the PyLTI library in lti_new.py, since this library redirects to a page with styles and scripts without the option to pass in a nonce.
Since we can't use nonce with this library, investigate two options: 1. replace the PyLTI redirect with our own in-house solution, or 2. find a way to calculate a hash value (SHA) to add to the header. I briefly looked into this and found the relevant line of code in lti_new.py:
return oidc_login.enable_check_cookies().redirect(target_link_uri)
The PyLTI1.3 library loads HTML from CookiesAllowedCheckPage, which includes various inline scripts and styles. We can't add a nonce here; instead a calculated SHA may be possible, but there are some dynamically generated parameters we'd have to figure out.
I'll create an issue, but it seems to me that making CSP stricter is a challenge with this library: we should check how essential the use of this enable_check_cookies method is. If it is needed, we can either do the SHA or replace this redirect entirely with our own written functionality using a nonce.
Originally posted by @jaydonkrooss in #1649
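The trade-off the issue describes, as an added example that is not MyLA or PyLTI1.3 code: a CSP hash-source is the base64 digest of an inline element's exact text, so any dynamically generated value baked into the markup (the sample page and its `__TARGET__` placeholder below are constructed) changes the hash and breaks a static allow-list, whereas a per-request nonce does not depend on the content. The helpers `csp_hash`, `inline_sources`, `build_csp`, `new_nonce` and `hashes_match_across_requests` are hypothetical names for this example.

```python
"""Added example (not MyLA or PyLTI1.3 code): CSP hash-sources vs nonces.

CSP allows an inline <script>/<style> without 'unsafe-inline' either by a
per-request nonce or by a hash (sha256/384/512, base64) of the element's exact
text content. This shows how the hash is derived, how a dynamic parameter
inside the markup invalidates a precomputed hash, and what a header built
from either mechanism looks like.
"""
import base64
import hashlib
import re
import secrets

# Constructed sample page standing in for a library-rendered page that embeds
# inline script/style and a request-specific value (here __TARGET__).
SAMPLE_HTML = """<html><head>
<style>body { font-family: sans-serif; }</style>
</head><body>
<script>var target = "__TARGET__"; window.location = target;</script>
</body></html>"""

INLINE_RE = re.compile(r"<(script|style)[^>]*>(.*?)</\1>", re.DOTALL | re.IGNORECASE)


def render(target: str) -> str:
    """Render the constructed page with a request-specific target URL."""
    return SAMPLE_HTML.replace("__TARGET__", target)


def csp_hash(source: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source ('sha256-<base64>') for an inline element's text."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def inline_sources(html: str) -> dict:
    """Map 'script' / 'style' to the hash-sources of every inline block in html."""
    found = {"script": [], "style": []}
    for tag, body in INLINE_RE.findall(html):
        found[tag.lower()].append(csp_hash(body))
    return found


def build_csp(script_sources, style_sources) -> str:
    """Assemble a CSP header value; sources are nonce-... or sha256-... strings."""
    def quoted(srcs):
        return " ".join(f"'{s}'" for s in srcs)
    return (f"default-src 'self'; script-src 'self' {quoted(script_sources)}; "
            f"style-src 'self' {quoted(style_sources)}")


def new_nonce() -> str:
    """Fresh unguessable nonce; generate one per response, never reuse it."""
    return secrets.token_urlsafe(16)


def hashes_match_across_requests(target_a: str, target_b: str) -> bool:
    """False when a dynamic value inside the inline script changes its hash."""
    hashes_a = inline_sources(render(target_a))["script"]
    hashes_b = inline_sources(render(target_b))["script"]
    return hashes_a == hashes_b


if __name__ == "__main__":
    page = render("https://lms.example/launch")
    srcs = inline_sources(page)
    print("hash-based :", build_csp(srcs["script"], srcs["style"]))
    nonce = new_nonce()
    print("nonce-based:", build_csp([f"nonce-{nonce}"], [f"nonce-{nonce}"]))
    print("same hash for a different target_link_uri?",
          hashes_match_across_requests("https://a.example/x", "https://b.example/x"))
```

The last line of the usage prints False: once the target URL is interpolated into the script body, the sha256 source computed for one request no longer matches the next, which is exactly why the dynamic parameters in the cookies-check page have to be pinned down (or moved out of the inline block) before a hash allow-list can replace `'unsafe-inline'`.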