fix: allow inline scripts in CSP for Starlight functionality

The IC asset canister's "standard" security policy sets script-src 'self'
which blocks Starlight's inline scripts for mobile menu, theme toggle,
search, and sidebar state. Replace with explicit CSP headers that include
'unsafe-inline' while keeping other security protections.

Author: marc0olo

public/.ic-assets.json5

@@ -1,11 +1,16 @@
 [
   {
-    // Default: no raw access, standard security headers, no caching
+    // Default: no raw access, no caching
     "match": "**/*",
-    "security_policy": "standard",
     "allow_raw_access": false,
     "headers": {
-      "Cache-Control": "public, max-age=0, must-revalidate"
+      "Cache-Control": "public, max-age=0, must-revalidate",
+      // Starlight uses inline <script> tags for theme toggle, mobile menu,
+      // sidebar state, and search. 'unsafe-inline' is required for these.
+      "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://icp0.io https://*.icp0.io; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests",
+      "X-Content-Type-Options": "nosniff",
+      "Referrer-Policy": "strict-origin-when-cross-origin",
+      "Permissions-Policy": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
     }
   },
   {