Make JS and CSS URLs work when Jenkins 2.539+ enforce CSP protections

[daniel-beck]

This allows loading admin-specified JS and CSS URLs from anywhere by allowing the specific configured URLs for the respective kind of element.

Resolves #280.

Testing done

Interactively played with it, URLs loaded, log output and header values are as expected.

A known limitation of this is is that any transitive inclusions in the specified files would not be allowed, as well as any other *-src required to work. Examples:

• The included JS cannot do eval, that would still require 'unsafe-eval'.
• The included CSS cannot do url(…) for a bunch of CSS directives (unless they point back to 'self' I guess).

There's always CSP plugin to allow your directives through configuration. And of course, writing a custom theme plugin is also doable. But this should take care of the folks who have fairly modest theming needs.

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests that demonstrate the feature works or the issue is fixed

[daniel-beck]

Another limitation is that if the resource files are hosted in /userContent, this will not work with Resource Root URL enabled (since the URLs serving the content are on a different domain). jenkinsci/jenkins#26164 tracks this.