Security fixes (#8081)

* use safeloader

* use json responses wherever possible

* remove CORS and add CSRF token

* formatting fixes

* add envjs back

* fix baseurl test

web/src/components/HistoryViewer/HistoryVideo.tsx

@@ -56,10 +56,10 @@ export const HistoryVideo = ({
     }
 
     video.src({
-      src: `${apiHost}/vod/event/${id}/master.m3u8`,
+      src: `${apiHost}vod/event/${id}/master.m3u8`,
       type: 'application/vnd.apple.mpegurl',
     });
-    video.poster(`${apiHost}/api/events/${id}/snapshot.jpg`);
+    video.poster(`${apiHost}api/events/${id}/snapshot.jpg`);
     if (videoIsPlaying) {
       video.play();
     }