Tighten CSP (#69)

Move Google Analytics to its own file and load it per guidance:

https://developers.google.com/analytics/devguides/collection/analyticsjs/#alternative_async_tracking_snippet

This in combination with PR #61 permits the following, much tighter CSP
policy:

> Content-Security-Policy "default-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'self' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com;"

This can land whenever, but the CSP policy shouldn't be updated until #61 lands.
Additionally, the CSP policy should be updated with care and tested as well as
possible before being left alone.

Author: jcjones

_includes/footer.html

@@ -66,4 +66,6 @@ <h2>Support Us</h2>
   </div>
 
   <script src="/js/main.js"></script>
+  <script src="/js/ga.js"></script>
+  <script async src='https://www.google-analytics.com/analytics.js'></script>
 </footer>

_includes/head.html

@@ -27,14 +27,4 @@
     <link rel="canonical" href="{{ page.url | replace:'index.html','' | prepend: site.baseurl | prepend: site.url }}">
 
     <link rel="alternate" href="https://letsencrypt.org/feed.xml" type="application/rss+xml" title="Let's Encrypt Blog Feed" />
-
-    <script>
-          (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
-          (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
-          m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
-          })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
-
-          ga('create', 'UA-56433935-1', 'auto');
-          ga('send', 'pageview');
-    </script>
 </head>

js/ga.js

@@ -0,0 +1,5 @@
+// Google Analytics startup, per:
+// https://developers.google.com/analytics/devguides/collection/analyticsjs/#alternative_async_tracking_snippet
+window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
+ga('create', 'UA-56433935-1', 'auto');
+ga('send', 'pageview');