fix(csp): skip restrictive CSP on Wagtail/Django admin paths

The SecurityHeadersMiddleware applied a strict style-src policy to all
responses, blocking inline styles that Wagtail admin relies on for
layout. Skip the custom CSP for /cms/ and /django-admin/ paths.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

apps/core/middleware.py

@@ -18,10 +18,14 @@ class SecurityHeadersMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
+    ADMIN_PREFIXES = ("/cms/", "/django-admin/")
+
     def __call__(self, request):
         nonce = secrets.token_urlsafe(16)
         request.csp_nonce = nonce
         response = self.get_response(request)
+        if request.path.startswith(self.ADMIN_PREFIXES):
+            return response
         response["Content-Security-Policy"] = (
             f"default-src 'self'; "
             f"script-src 'self' 'nonce-{nonce}'; "