🔒️ fix(header): reposition include of CSP partial

Per the CSP spec on delivering policy using the meta element
(https://www.w3.org/TR/CSP/#meta-element):

> Authors are strongly encouraged to place meta elements as early in
> the document as possible, because policies in meta elements are not
> applied to content which precedes them. In particular, note that
> resources fetched or prefetched using the Link HTTP response header
> field, and resources fetched or prefetched using link and script
> elements which precede a meta-delivered policy will not be blocked.

Move the CSP close to the top of <head> to protect additional resources.
Stephen Kershaw 2025-01-25 14:11:10 +00:00
parent 6445f549ad
commit f50cef1984

@ -1,5 +1,10 @@
<head>
<meta charset="UTF-8">
{%- if macros_settings::evaluate_setting_priority(setting="enable_csp", page=page | default(value=""), section=section | default(value=""), default_global_value="true") == "true" -%}
{%- include "partials/content_security_policy.html" -%}
{%- endif -%}
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="base" content="{{ config.base_url | safe }}">
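Review bot: the new position directly after `<meta charset="UTF-8">` is the right one and should stay fixed there: the charset declaration needs to remain the first thing in `<head>` (browsers look for it within the first 1024 bytes), and nothing above the `{%- include "partials/content_security_policy.html" -%}` line fetches a resource, so the policy now covers the viewport and base metas and everything that follows. Because this is a meta-delivered policy, the partial should not depend on `frame-ancestors`, `report-uri` or `sandbox`; those directives are ignored when the policy comes from a meta element and still need the HTTP response header.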
@ -130,10 +135,6 @@
<meta property="og:site_name" content="{{ config.title }}">
{%- if macros_settings::evaluate_setting_priority(setting="enable_csp", page=page | default(value=""), section=section | default(value=""), default_global_value="true") == "true" -%}
{%- include "partials/content_security_policy.html" -%}
{%- endif -%}
{%- if config.extra.theme_switcher and config.extra.theme_switcher == true -%}
{# If JavaScript is disabled, hide the button. #}
<noscript><link rel="stylesheet" href="{{ get_url(path='no_js.css') | safe }}"/></noscript>
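Review bot: the removed block is character-for-character the one added in the first hunk, so the move loses nothing, but the reason for the new position exists only in the commit message. Add a short template comment beside the include at its new location, e.g. `{# Keep the CSP include directly after the charset meta; resources loaded before it are not covered by a meta-delivered policy. #}`, so a later edit does not reintroduce a `<link>` or `<script>` above it. The `<noscript><link rel="stylesheet" href="{{ get_url(path='no_js.css') | safe }}"/></noscript>` in this context is exactly the kind of link-fetched resource that the policy now governs and, sitting only a few lines below the old include, previously depended on the include staying ahead of it.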