Strict CSP breaks ngx‑bootstrap: inline `style` attributes & `javascript:void(0)` links still present

[ytchenak]

A strict Content‑Security‑Policy that omits 'unsafe-inline' (and doesn’t add style-src-attr) blocks several ngx‑bootstrap widgets:

• Positioning engine (libs/util/positioning…) sets inline style="…".
• Components such as Modal, Popover, Datepicker use host: { style: '…' }.
• Templates for Carousel / Timepicker / Tabs include href="javascript:void(0)".

Resulting console errors:

Refused to apply inline style … "style-src 'self'"
Refused to execute inline script … "script-src 'self'"

Please refactor to:

• Replace setAttribute('style', …) with property assignments or CSS classes.
• Remove javascript: anchors (use <button> or role="button").

This will let ngx‑bootstrap run under a modern CSP without unsafe-inline.