Conversation

@joevennix
Contributor

This should mitigate any of the reported DOM-based XSS vulnerabilities in modern browsers.

@fehguy
Contributor

fehguy commented Jan 13, 2016

@joevennix I like the init.js but I don't think we can change it right now. Needs lots of documentation, etc. Can you separate the meta tag into a separate PR?

@joevennix
Contributor Author

@fehguy unfortunately I can't separate the two; without moving the inline script to a standalone file, the CSP policy becomes worthless as it is designed solely to prevent inline script from running.

@joevennix
Contributor Author

We could perhaps try putting the sha256 hash of the current <script> into the CSP policy, but I have had nothing but trouble getting hashes to work in CSP policies, and it would make customizing the script rather tedious for consumers.

vincent-zurczak added a commit to roboconf/swagger-ui that referenced this pull request Aug 19, 2016
@webron
Contributor

webron commented Jun 8, 2017

This changes the way Swagger can be integrated with sites which is a breaking change. It's made on the previous version of swagger-ui, which we don't maintain as much.

I'm going to close this PR for now - however - I imagine the issue itself might still be relevant and real. If that's the case, please file a ticket explaining the issue, especially if it also exists in the latest 3.X versions.

@webron webron closed this Jun 8, 2017