CSP (Safari-safe): merge -elem/-attr into base; respect explicit disables; no mirror-back; header only for documents/workers

- Add CSP3 support for style/script: include -elem and -attr directives
- Base (style-src, script-src) now unions elem/attr (CSP2/Safari fallback)
- Respect explicit base disables (e.g. style-src.unsafe-inline: false)
- Hashes only when 'unsafe-inline' absent in the final base tokens
- Nginx: set CSP only for HTML/worker via header_filter_by_lua_block; drop for subresources
- Remove per-location header_filter; keep body_filter only
- Update app role flags to *-attr where appropriate; extend desktop CSS sources
- Add comprehensive unit tests for union/explicit-disable/no-mirror-back

Ref: https://chatgpt.com/share/68f87a0a-cebc-800f-bb3e-8c8ab4dee8ee

roles/web-app-snipe-it/config/main.yml

@@ -13,12 +13,12 @@ server:
     aliases: []
   csp:
     flags:
-      script-src:
+      script-src-attr:
         unsafe-inline:  true
         unsafe-eval:    true
       script-src-elem:
         unsafe-inline:  true
-      style-src:
+      style-src-attr:
         unsafe-inline:  true
     whitelist:
       font-src: