Strengthen security practices in FF website #24762

Merged: 13 commits, Jun 10, 2025
Conversation

dannimad (Contributor) commented Jun 3, 2025

  1. Bringing back a couple of hashes to validate inline scripts in the docs build, as well as an extra step in the website deployment to validate them.
    The reason to bring these back is seeing some violations in our CREM board related to the couple of inline scripts the Docusaurus build generates, which could also be the cause of the M3 Strict CSP item not having been resolved yet.
    This was originally removed since the FF website, being a static site, was exempted from solving the M2 Strict CSP item, but the M3 S360 item could still be active as it is still seeing some violations. Adding this back should bring an extra layer of security to our website even though it's not strictly needed, remove some CREM violations and help us prepare our case with the security team in case M3 remains unsolved.

  2. Use DOMPurify to sanitize HTML strings in the website. Our default Trusted Types policy was just accepting any string as it came. Now we are using DOMPurify to sanitize the strings before they are used in the website. We use the minified version of it so that it can be set up in a script prior to rendering and setting the policy.

Both changes have been tested in our staging environment, but we are setting the header to Report-Only again briefly to make sure everything works as expected in prod.
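The policy change in point 2, as an added illustration that is not the PR's code. It assumes the DOMPurify bundle has already executed (the PR ships the minified build in a script that runs before rendering for exactly this reason: the `default` policy has to exist before the first string reaches an HTML sink, and it can only be created once) and uses hypothetical names (`passthroughRules`, `makeRules`, `installDefaultPolicy`). The PR only describes `createHTML`; the `createScript` and `createScriptURL` rules are added here as the companions a defender would normally define alongside it, with the same-origin allow-list and base URL as assumptions.

```javascript
// Added example (not the PR's own code): a Trusted Types default policy whose
// HTML sink sanitizes through DOMPurify instead of passing strings straight through.
// Assumption: DOMPurify is already loaded when this runs (the PR loads the minified
// bundle in a script that executes before the app renders).

// The weak shape the PR description replaces: every string is accepted as-is,
// so the policy adds nothing over a plain innerHTML assignment.
const passthroughRules = { createHTML: (input) => String(input) };

// Hypothetical helper: builds the three sink callbacks the browser consults.
function makeRules({ sanitizeHtml, allowedScriptOrigins, baseHref }) {
  return {
    // innerHTML, insertAdjacentHTML, document.write, ... all pass through here.
    createHTML: (input) => sanitizeHtml(String(input)),
    // A static docs site has no reason to turn strings into script text.
    createScript: () => {
      throw new TypeError("Trusted Types: creating script text from a string is not allowed");
    },
    // script.src, new Worker(), importScripts(): same-origin or allow-listed hosts only.
    createScriptURL: (input) => {
      const url = new URL(String(input), baseHref);
      if (!allowedScriptOrigins.has(url.origin)) {
        throw new TypeError(`Trusted Types: script origin not allowed: ${url.origin}`);
      }
      return url.href;
    },
  };
}

// Hypothetical helper: registers the rules as the "default" policy, which the
// browser applies automatically to string sinks once the page is served with
// require-trusted-types-for 'script'. The default policy can only be created once.
function installDefaultPolicy(options) {
  const rules = makeRules(options);
  const tt = options.trustedTypes;
  if (tt && typeof tt.createPolicy === "function") return tt.createPolicy("default", rules);
  return rules; // no Trusted Types support: callers can still invoke the rules explicitly
}

// Browser wiring; a no-op outside a page where window and DOMPurify exist.
if (typeof window !== "undefined" && typeof DOMPurify !== "undefined") {
  installDefaultPolicy({
    trustedTypes: window.trustedTypes,
    sanitizeHtml: (dirty) => DOMPurify.sanitize(dirty), // returns a sanitized string
    allowedScriptOrigins: new Set([window.location.origin]),
    baseHref: window.location.href,
  });
}
```

Because the default policy is consulted for every string sink on the page, a bug in `sanitizeHtml` is a site-wide bug; keeping the sanitizer to a single, well-known library call and testing the wiring (as the assertions below do with a recording stand-in rather than a real sanitizer) is the practical check.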

@Copilot Copilot AI review requested due to automatic review settings June 3, 2025 23:34
@github-actions github-actions bot added area: build Build related issues area: website base: main PRs targeted against main branch labels Jun 3, 2025
@dannimad dannimad requested a review from Abe27342 June 3, 2025 23:34
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR restores inline script hash validation in the docs build, adds a deployment step to enforce it, and switches CSP to report-only with updated hashes.

  • Adds a Bash task in the deployment pipeline to run script hash checks.
  • Introduces validateHashes.sh to extract and compare inline script hashes.
  • Updates staticwebapp.config.json to use CSP report-only with the new hashes.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

tools/pipelines/deploy-website.yml: Added an Azure Pipelines Bash task for hash checking.
docs/validateHashes.sh: New script to extract and validate inline script hashes.
docs/static/staticwebapp.config.json: Changed CSP header to report-only and updated hashes.

dannimad and others added 2 commits June 5, 2025 15:03
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@dannimad dannimad closed this Jun 6, 2025
@dannimad dannimad reopened this Jun 6, 2025

🔗 No broken links found! ✅

Your attention to detail is admirable.

linkcheck output


> fluid-framework-docs-site@0.0.0 ci:check-links /home/runner/work/FluidFramework/FluidFramework/docs
> start-server-and-test "npm run serve -- --no-open" 3000 check-links

1: starting server using command "npm run serve -- --no-open"
and when url "[ 'http://127.0.0.1:3000' ]" is responding with HTTP status code 200
running tests using command "npm run check-links"


> fluid-framework-docs-site@0.0.0 serve
> docusaurus serve --no-open

[SUCCESS] Serving "build" directory at: http://localhost:3000/

> fluid-framework-docs-site@0.0.0 check-links
> linkcheck http://localhost:3000 --skip-file skipped-urls.txt

Crawling...

Stats:
  224682 links
    1708 destination URLs
    1939 URLs ignored
       0 warnings
       0 errors


@dannimad dannimad changed the title Use hashes to validate inline scripts in docs build Strengthen security practices in FF website Jun 10, 2025
@dannimad dannimad merged commit 62554e4 into main Jun 10, 2025
56 checks passed
@dannimad dannimad deleted the hashes-inline branch June 10, 2025 23:38