Change CORS headers for DC

Content-Security-Policy was extended to allow inline scripts. Cross-Origin-Resource-Policy was changed to the default same-site and the allowed origins for web-sites were set in the keycloak realm (not part of the MR). For the keycloak popup the Cross-Origin-Opener-Policy was set to unsafe-none, other settings would not allow opening the popup and redirection after closing.