feat(templates): improve bit Boilerplate CSP component bitfoundation#12159 (bitfoundation#12160)

Author: yasmoradi

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/ContentSecurityPolicy.razor

@@ -4,7 +4,9 @@
    
    Note: This component renders a little bit late in Blazor Hybrid and WebAssembly Standalone, so it might be a good idea to move it to Client.Web/wwwroot/index.html and Client.Maui/wwwroot/index.html
    For Blazor Server, Auto and WebAssembly, with or without pre-rendering, it renders early enough in App.razor
-   *@
+
+   Warning: It's highly recommended to remove unsafe-inline, but to avoid degrading the dev experience, it's currently included.
+*@
 
 @if (AppEnvironment.IsDevelopment() is false)
 {

src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Layout/ContentSecurityPolicy.razor.cs

@@ -22,16 +22,15 @@ private void BuildCspString()
         var ownOrigins = new HashSet<string> { "'self'", apiUrl };
         if (string.IsNullOrWhiteSpace(webAppUrl) is false)
             ownOrigins.Add(webAppUrl);
-        var ownOriginsString = string.Join(" ", ownOrigins);
 
         // 2. Service Specific Origins
         var connectSrc = new HashSet<string>(ownOrigins);
-        var imgSrc = new HashSet<string> { ownOriginsString, "data:" };
-        var scriptSrc = new HashSet<string> { "'self'", "'unsafe-inline'", "'wasm-unsafe-eval'", "'unsafe-hashes'" };
-        var styleSrc = new HashSet<string> { "'self'", "'unsafe-inline'" };
-        var fontSrc = new HashSet<string> { "'self'", "data:" };
-        var frameSrc = new HashSet<string> { "'self'" };
-        var mediaSrc = new HashSet<string> { "'self'" };
+        var imgSrc = new HashSet<string>(ownOrigins) { "data:" };
+        var scriptSrc = new HashSet<string>(ownOrigins) { "'unsafe-inline'", "'wasm-unsafe-eval'", "'unsafe-hashes'" };
+        var styleSrc = new HashSet<string>(ownOrigins) { "'unsafe-inline'" };
+        var fontSrc = new HashSet<string>(ownOrigins) { "data:" };
+        var frameSrc = new HashSet<string>(ownOrigins);
+        var mediaSrc = new HashSet<string>(ownOrigins);
 
         //#if (appInsights == true)
         // --- Add Azure App Insights ---