Remove in-line script from header

[davidgs]

Issue

An in-line script is added to the header, which cannot be executed if the Content-Security policy is anything but unsafe-inline. unsafe-inline should never be allowed.

This PR adds the script to the main application.js script, which is hashed, and so removes the issue.

fixes #1002

Description

Removes the in-line script

<script>
      theme = localStorage.getItem('theme-scheme') || localStorage.getItem('darkmode:color-scheme') || 'light';
      if (theme == 'system') {
        if (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches) {
          theme = 'dark';
        } else {
          theme = 'light';
        }
      }
      document.documentElement.setAttribute('data-theme', theme);
    </script>

from baseof.html and adds it to the `application.js script.

Test Evidence

prior to change:

davidgs.com/:68 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https://app.posthog.com/ *.googletagmanager.com https://cdn.userfront.com https://commento.davidgs.com:8088  *.unpkg.com apis.google.com *.googleapis.com cdn.polyfill.io https://buttons.github.io  cdn.jsdelivr.net *.zencdn.net https://cdnjs.cloudflare.com https://*.google-analytics.com https://*.statcounter.com". Either the 'unsafe-inline' keyword, a hash ('sha256-WiE2LPSnZlTiP9NnrQN14OnMKI2ild8fGH0n+PhofS0='), or a nonce ('nonce-...') is required to enable inline execution.

After change: no error.

[netlify]

✅ Deploy Preview for toha-ci ready!

Name	Link
🔨 Latest commit	0c816bc
🔍 Latest deploy log	https://app.netlify.com/sites/toha-ci/deploys/674c6cbc45d9620008a3c59c
😎 Deploy Preview	https://deploy-preview-1004--toha-ci.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[hossainemruz]

Hi @davidgs! Thank you for the PR. However, this inline script is necessary. Otherwise, when you are in dark mode and click on a new page, it will flash white background and then turn into dark mode again.

[hossainemruz]

@davidgs Found a solution. We can set the script in-line with integrity hash. I have updated the PR. Please, check and let me know if that works for you.

[davidgs]

That's great news, thanks!