
Commit 68bd510

Security: Add CSP to Tauri webview
Content Security Policy was missing.

Context: The Tauri app ships with "csp": null, meaning zero Content Security Policy in the production webview. Any XSS vector gives an attacker unrestricted script execution with full access to Tauri IPC commands — file system operations, network shares, everything.

Problem: A file manager handles untrusted filenames, network paths, and renders file metadata. Without CSP, a single injection point (for example, a crafted filename rendered without escaping) escalates to full app control.

Solution: Added a restrictive CSP:
- default-src 'self' — blocks everything not explicitly allowed
- script-src 'self' — no inline scripts, no eval
- style-src 'self' 'unsafe-inline' — needed for dynamic inline styles (virtual scrolling, dialog positioning, slider ticks, CSS custom properties via setProperty)
- img-src 'self' data: — needed for base64-encoded file/app icons from the Rust backend
- connect-src 'self' https://getcmdr.com — updater endpoint (likely Rust-side, but included defensively)
- frame-src 'none'; object-src 'none' — no iframes or plugins
- base-uri 'self'; form-action 'self' — prevents base tag hijacking and form exfiltration
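The before/after states of this commit, as an added linting example that is not part of the commit or the project's own code: it parses the `security.csp` value from a `tauri.conf.json` fragment the way a browser resolves fetch directives (falling back to `default-src`) and reports the settings the commit message discusses, including the remaining `style-src 'unsafe-inline'` caveat. The two JSON snippets are constructed to mirror the `-` and `+` lines of the diff.

```python
"""Lint the 'security.csp' value of a Tauri config (added example, not project code)."""
import json

# Constructed fragments mirroring the diff: "csp": null before, the new policy after.
BEFORE = '{"security": {"csp": null}}'
AFTER = json.dumps({"security": {"csp":
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self'; connect-src 'self' https://getcmdr.com; "
    "frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'"}})


def parse_csp(policy):
    """Split a CSP string into {directive-name: [source-expression, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective(directives, name):
    """Resolve a fetch directive; absent ones inherit default-src, else anything goes."""
    return directives.get(name, directives.get("default-src", ["*"]))


def lint_csp(conf_json):
    """Return a list of findings for the csp value inside a Tauri 'security' block."""
    policy = json.loads(conf_json)["security"]["csp"]
    if not policy:
        return ["csp is null: any XSS runs with unrestricted script and IPC access"]
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: unlisted fetch directives allow any origin")
    for name in ("script-src", "style-src"):
        srcs = effective(d, name)
        # Per CSP3 a nonce or hash source makes 'unsafe-inline' ignored, so only flag it alone.
        if "'unsafe-inline'" in srcs and not any(s.startswith(("'nonce-", "'sha")) for s in srcs):
            findings.append(f"{name} allows 'unsafe-inline' without nonce/hash")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{name} allows 'unsafe-eval'")
    if effective(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be embedded")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_csp(conf))
```

For the committed policy the only remaining finding is the `style-src 'unsafe-inline'` allowance, which is exactly the trade-off the commit message justifies.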
1 parent c0d8cc3 commit 68bd510

1 file changed

Lines changed: 1 addition & 1 deletion

apps/desktop/src-tauri/tauri.conf.json

@@ -29,7 +29,7 @@
2929
}
3030
],
3131
"security": {
32-
"csp": null
32+
"csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://getcmdr.com; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'"
3333
}
3434
},
3535
"plugins": {
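Review bot: the `+` line's policy contains `font-src 'self'`, which the commit message's directive list does not mention; add it to the message so every directive has a documented rationale. The message should also state plainly that `style-src 'unsafe-inline'` still lets attacker-controlled strings such as a crafted filename inject styles if rendered unescaped, so output escaping stays the primary control for that vector; a follow-up that moves the setProperty/positioning cases to nonces or CSS classes would let `'unsafe-inline'` be dropped.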
