jquery: Allow style-src-attr in CSP

Restore rendering of blog posts such as
https://blog.jquerymobile.com/2011/06/14/jquery-mobile-update-week-of-june-13/

which in older posts often use style attributes to float an image,
or create some ad-hoc design element.

Compare to
https://web.archive.org/web/20230602085906/https://blog.jquerymobile.com/2011/06/14/jquery-mobile-update-week-of-june-13/

Follows-up CSP work from last year at jquery/infrastructure-puppet#54,
although this is only an issue as of today, since I am
migrating blog.jquerymobile.com from the legacy blog theme to
jquery-wp-content.

It did not affect blog.jquery.com and blog.jqueryui.com, since those
haven't migrated yet.

Ref jquery/infrastructure-puppet#17

Author: Krinkle

themes/jquery/functions.php

@@ -263,6 +263,8 @@ function jq_content_security_policy() {
 		'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
 		// The nonce is here so inline scripts can be used in the theme
 		'style-src' => "'self' 'nonce-$nonce' code.jquery.com",
+		// Allow style="" attributes in blog posts and markdown.
+		'style-src-attr' => "'unsafe-inline'",
 		// data: SVG images are used in typesense
 		// Allow gravatars in wordpress admins
 		'img-src' => "'self' data: secure.gravatar.com code.jquery.com",