Reduce gruntjs.com third-party dependencies

[Krinkle]

Over at jquery/infrastructure-puppet#54, we're adding CSP headers at the server level for all sites hosted in jQuery Infra. We've applied these to https://stage.gruntjs.com/ in staging (report-only, we're not blocking any requests!).

We've started with a fairly narrow set of rules to see what we actually need to allow:

Content-Security-Policy-Report-Only:
	default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';

It looks like we might need these exemptions (drafted in jquery/infrastructure-puppet#61 by @timmywil):

• script-src revive.bocoup.com
• script-src www.google-analytics.com
• style-src 'self' fonts.googleapis.com

Questions:

• Google Analytics
  • Is the Grunt Team still using Google Analytics? Who has access to it? Do you want to keep it? Or would access to CDN stats suffice?
• Ads by Bocoup
  • It appears this service no longer exists. Based on the Internet Archive, revive.bocoup.com was shutdown in 2017. Is this okay to remove?
• Google Fonts
  • Is used to load 1 font: Lato:400,700, mainly used for the "Grunt" wordmark on the home page, to match the official logo art (https://github.com/openjs-foundation/artwork/tree/main/projects/grunt).
  • We could load this as an SVG instead, with alt text, and use the system font for the other headings.
  • Alternatively, I'd be willing to write a patch to self-host the Lato font, and use that instead of Google Fonts API.

What do you think?

/cc @vladikoff @XhmikosR @shama