Make CSP easier / more secure by not making SMTP Test inline


This is a request that was concluded from the discussion here: Email doesn't work with script-src CSP - #4 by WhatAShame

In order to properly setup CSP, it is necessary to add the ‘unsafe-hashes’ tag because the SMTP test happens inline. It would be better if that inline code was moved to a file for easier ( and more secure? ) content security policy.


Then a lot of other items will also break i think.
Like toggle secrets visibility, database backup, config delete etc…
And also the actions on the user and org, and probably also the diagnostics page.

There is a lot of specific js code per page at the moment. So it will probably not only effect the smtp.