Content Security Policy blocks execution of Turbolinks

[sjaustirni]

Describe the bug
Turbolinks execution is being blocked by CSP. Fortunately, thanks to graceful Turbolinks degradation, this does not break the functionality of the site, but it does offer a degraded experience.

To Reproduce
Steps to reproduce the behavior:

1. Load any HuntersKeepers URL, fx. https://hunters-keepers.herokuapp.com/playbooks
2. Click on any link on the page, fx. https://hunters-keepers.herokuapp.com/playbooks/8
3. Open your Developer Console
4. See the errors

Expected behavior
Turbolinks will succesfully manipulate the DOM without complaining in the Developer Console.

Actual behavior
Turbolinks will not work at all and the Developer Console will contain errors like:

• (in Chromium): Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https: blob: 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-kNsc6jGDQTbFAcGltvS/pj7jJV5lsm2kMt2bm8elDP0='), or a nonce ('nonce-...') is required to enable inline execution.
• (in Chromium): turbolinks.js:559 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' https: 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-HjRaSleBeGtYg1lEvII0j27Iw0w3TWo4+qNLlFD0zJ0='), or a nonce ('nonce-...') is required to enable inline execution.
• (in Firefox): Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src").

Desktop:

• OS: tested on Ubuntu Linux, but potentially all major OSes are affected
• Browser: tested on Chromium and Firefox, but potentially all major browsers are affected
• Version: potentially all new versions of major browsers are affected

Additional context
Since this is not a critical bug, it might be clever to solve this problem when/if the project moves on to Turbo, as Turbolinks is deprecated.