Refactored CSP j2 filter logic to python code

roles/nginx-docker-reverse-proxy/templates/headers/content_security_policy.conf.j2

@@ -1,45 +1,2 @@
-{# Create a namespace to hold the accumulated CSP parts #}
-{% set ns = namespace(csp_parts=[]) %}
-
-{# List of directives to build dynamically (except img-src) #}
-{% set directives = [
-     'default-src',
-     'connect-src',
-     'frame-ancestors',
-     'frame-src',
-     'script-src',
-     'style-src',
-     'font-src'
-] %}
-
-{# Build each directive line #}
-{% for directive in directives %}
-  {# Always start with 'self' #}
-  {% set tokens = ["'self'"] %}
-
-  {# Add any unsafe flags for this directive #}
-  {% for flag in applications | get_csp_flags(application_id, directive) %}
-    {% set tokens = tokens + [flag] %}
-  {% endfor %}
-
-  {# If Matomo is enabled, allow its script and connect endpoints #}
-  {% if applications | is_feature_enabled('matomo', application_id)
-       and directive in ['script-src', 'connect-src'] %}
-    {% set tokens = tokens + [web_protocol ~ '://' ~ domains.matomo] %}
-  {% endif %}
-
-  {# Append any extra whitelist URLs for this directive #}
-  {% for url in applications | get_csp_whitelist(application_id, directive) %}
-    {% set tokens = tokens + [url] %}
-  {% endfor %}
-
-  {# Store the completed directive line in the namespace #}
-  {% set ns.csp_parts = ns.csp_parts + [directive ~ ' ' ~ (tokens | join(' ')) ~ ';'] %}
-{% endfor %}
-
-{# Add the (static) img-src directive #}
-{% set ns.csp_parts = ns.csp_parts + ['img-src * data: blob:;'] %}
-
-{# Emit the final header and hide any upstream header #}
-add_header Content-Security-Policy "{{ ns.csp_parts | join(' ') }}" always;
+add_header Content-Security-Policy "{{ applications | build_csp_header(application_id, domains) }}" always;
 proxy_hide_header Content-Security-Policy;