* add Content Security Policy
* remove reflect-metadata on production builds to get rid of unsafe-eval
* fix baseCSP usage
* add SRI to CSP
* add blob: to media-src
* remove SRI
* CSP set to reportOnly
* adding data: to connect-src CSP
* remove block-all-mixed-content
* add report-uri support
this enables the `noImplicitAny` flag in the Typescript compiler
> When the noImplicitAny flag is true and the TypeScript compiler cannot infer the type, it still generates the JavaScript files, but it also reports an error. Many seasoned developers prefer this stricter setting because type checking catches more unintentional errors at compile time.
closes: #1131
replaces #1137
* Replace angular-cli patch with something less risky
* path.join() is needed, provide a naive implementation
* technically, webpack provided a polyfill for Buffer, we should too
* process polyfill matches webpack; peertube depends on nextTick
* polyfill for path to match webpack
* http/https polyfills as per webpack